From c90d637a48cdac86363e4937bdd787db8bc94c37 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 16 Feb 2023 15:32:53 +0100
Subject: [PATCH 001/378] [Web] redirect to sogo after failed sogo-auth

---
 data/web/sogo-auth.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index 40fff5856..c34a60def 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -65,8 +65,7 @@ elseif (isset($_GET['login'])) {
       }
     }
   }
-  header('HTTP/1.0 403 Forbidden');
-  echo "Forbidden";
+  header("Location: /SOGo/");
   exit;
 }
 // only check for admin-login on sogo GUI requests

From cfce7086a578bc4d3883527b969d80a3067b00fb Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 16 Feb 2023 15:34:47 +0100
Subject: [PATCH 002/378] [Web] few style changes

---
 data/web/css/build/013-datatables.css |  3 ---
 data/web/css/build/014-mailcow.css    | 20 ++++++++++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/data/web/css/build/013-datatables.css b/data/web/css/build/013-datatables.css
index 57e2b6d94..2b19ba24e 100644
--- a/data/web/css/build/013-datatables.css
+++ b/data/web/css/build/013-datatables.css
@@ -8,9 +8,6 @@
 .dtr-details {
     width: 100%;
 }
-.table-striped>tbody>tr:nth-of-type(odd) {
-    background-color: #F2F2F2;
-}
 td.child>ul>li {
     display: flex;
 }
diff --git a/data/web/css/build/014-mailcow.css b/data/web/css/build/014-mailcow.css
index 6c70a2a55..8c1d7c2af 100644
--- a/data/web/css/build/014-mailcow.css
+++ b/data/web/css/build/014-mailcow.css
@@ -33,6 +33,13 @@
        url('/fonts/noto-sans-v12-latin_greek_cyrillic-700italic.woff2') format('woff2'),
        url('/fonts/noto-sans-v12-latin_greek_cyrillic-700italic.woff') format('woff');
 }
+
+body {
+  min-height: 100vh;
+  display: flex;
+  flex-direction: column;
+  background-color: #fbfbfb;
+}
 #maxmsgsize { min-width: 80px; }
 #slider1 .slider-selection {
 	background: #FFD700;
@@ -78,6 +85,19 @@
 .navbar-fixed-top .navbar-collapse {
   max-height: 1000px
 }
+.nav-tabs .nav-link, .nav-tabs .nav-link.disabled, .nav-tabs .nav-link.disabled:hover, .nav-tabs .nav-link.disabled:focus {
+  border-color: #dfdfdf;
+}
+.nav-tabs .nav-link.active, .nav-tabs .nav-item.show .nav-link {
+  border-color: #dfdfdf;
+  border-bottom: 1px solid #ffffff;
+}
+.nav-tabs .nav-link:hover, .nav-tabs .nav-link:focus {
+  border-color: #dfdfdf;
+}
+.nav-tabs {
+  border-bottom: 1px solid #dfdfdf;
+}
 .bi {
   display: inline-block;
   font-size: 12pt;

From 415c1d057499a4f927d4eb4edbca467785fee6a7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 16 Feb 2023 15:39:12 +0100
Subject: [PATCH 003/378] [Web] add seperate link for logged in users

---
 data/web/inc/functions.customize.inc.php      | 25 +++++++++--
 data/web/inc/header.inc.php                   |  9 ++++
 data/web/js/site/admin.js                     |  1 +
 .../templates/admin/tab-config-customize.twig |  5 ++-
 data/web/templates/base.twig                  | 41 +++++++++++--------
 data/web/templates/index.twig                 |  4 +-
 6 files changed, 64 insertions(+), 21 deletions(-)

diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index b72923573..c4df924d9 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -122,10 +122,14 @@ function customize($_action, $_item, $_data = null) {
         case 'app_links':
           $apps = (array)$_data['app'];
           $links = (array)$_data['href'];
+          $user_links = (array)$_data['user_href'];
           $out = array();
-          if (count($apps) == count($links)) {
+          if (count($apps) == count($links) && count($apps) == count($user_links)) {
             for ($i = 0; $i < count($apps); $i++) {
-              $out[] = array($apps[$i] => $links[$i]);
+              $out[] = array($apps[$i] => array(
+                'link' => $links[$i],
+                'user_link' => $user_links[$i]
+              ));
             }
             try {
               $redis->set('APP_LINKS', json_encode($out));
@@ -256,7 +260,22 @@ function customize($_action, $_item, $_data = null) {
             );
             return false;
           }
-          return ($app_links) ? $app_links : false;
+
+          if (empty($app_links)){
+            return false;
+          }
+
+          foreach($app_links as $key => $value){
+            foreach($value as $app => $details){
+              if (empty($details['user_link']) || empty($_SESSION['mailcow_cc_username'])){
+                $app_links[$key][$app]['user_link'] = $app_links[$key][$app]['link'];
+              } else {
+                $app_links[$key][$app]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links[$key][$app]['user_link']);
+              }
+            }
+          }
+
+          return $app_links;
         break;
         case 'main_logo':
         case 'main_logo_dark':
diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index 9afc288dd..c0e166403 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -30,6 +30,14 @@ if(!file_exists($CSSPath)) {
   cleanupCSS($hash);
 }
 
+$mailcow_apps_processed = $MAILCOW_APPS;
+for ($i = 0; $i < count($mailcow_apps_processed); $i++) {
+  if (!empty($_SESSION['mailcow_cc_username'])){
+    $mailcow_apps_processed[$i]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $mailcow_apps_processed[$i]['user_link']);
+  }
+}
+
+
 $globalVariables = [
   'mailcow_hostname' => getenv('MAILCOW_HOSTNAME'),
   'mailcow_locale' => @$_SESSION['mailcow_locale'],
@@ -45,6 +53,7 @@ $globalVariables = [
   'lang' => $lang,
   'skip_sogo' => (getenv('SKIP_SOGO') == 'y'),
   'allow_admin_email_login' => (getenv('ALLOW_ADMIN_EMAIL_LOGIN') == 'n'),
+  'mailcow_apps_processed' => $mailcow_apps_processed,
   'mailcow_apps' => $MAILCOW_APPS,
   'app_links' => customize('get', 'app_links'),
   'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 80da64167..095557311 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -711,6 +711,7 @@ jQuery(function($){
     if (type == "app_link") {
       cols = '<td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="app" required></td>';
       cols += '<td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="href" required></td>';
+      cols += '<td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="user_href" required></td>';
       cols += '<td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100" type="button">' + lang.remove_row + '</a></td>';
     } else if (type == "f2b_regex") {
       cols = '<td><input style="text-align:center" class="input-sm input-xs-lg form-control" data-id="f2b_regex" type="text" value="+" disabled></td>';
diff --git a/data/web/templates/admin/tab-config-customize.twig b/data/web/templates/admin/tab-config-customize.twig
index 7fc990a64..4b8f53231 100644
--- a/data/web/templates/admin/tab-config-customize.twig
+++ b/data/web/templates/admin/tab-config-customize.twig
@@ -58,13 +58,15 @@
           <tr>
             <th>{{ lang.admin.app_name }}</th>
             <th>{{ lang.admin.link }}</th>
+            <th>{{ lang.admin.user_link }}</th>
             <th style="width:100px;">&nbsp;</th>
           </tr>
           {% for row in app_links %}
             {% for key, val in row %}
               <tr>
                 <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="app" required value="{{ key }}"></td>
-                <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="href" required value="{{ val }}"></td>
+                <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="href" required value="{{ val.link }}"></td>
+                <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="user_href" required value="{{ val.user_link }}"></td>
                 <td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100" type="button">{{ lang.admin.remove_row }}</a></td>
               </tr>
             {% endfor %}
@@ -73,6 +75,7 @@
             <tr>
               <td><input class="input-sm input-xs-lg form-control" value="{{ app.name }}" disabled></td>
               <td><input class="input-sm input-xs-lg form-control" value="{{ app.link }}" disabled></td>
+              <td><input class="input-sm input-xs-lg form-control" value="{{ app.user_link }}" disabled></td>
               <td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100 disabled" type="button">{{ lang.admin.remove_row }}</a></td>
             </tr>
           {% endfor %}
diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index ca744d2a3..1c027138c 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -29,7 +29,7 @@
 <body>
 <div class="overlay"></div>
 {% block navbar %}
-<nav class="navbar navbar-expand-lg navbar-light bg-light navbar-fixed-top p-0">
+<nav class="navbar navbar-expand-lg navbar-light bg-light sticky-top p-0">
   <div class="container-fluid">
     <a class="navbar-brand" href="/">
       <img class="main-logo" alt="mailcow-logo" src="{{ logo|default('/img/cow_mailcow.svg') }}">
@@ -60,49 +60,58 @@
           </ul>
         </li>
         {% endif %}
+
         {% if mailcow_cc_role %}
+        {% if mailcow_cc_role == 'admin' %}
         <li class="nav-item dropdown">
           <a href="#" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false">{{ lang.header.mailcow_system }}</a>
           <ul class="dropdown-menu">
-            {% if mailcow_cc_role == 'admin' %}
             <li><a href="/debug" class="dropdown-item {% if is_uri('debug') %}active{% endif %}">{{ lang.header.debug }}</a></li>
             <li><a href="/admin" class="dropdown-item {% if is_uri('admin') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
-            {% endif %}
-            {% if mailcow_cc_role != 'admin' %}
-            <li><a href="/user" class="dropdown-item {% if is_uri('user') %}active{% endif %}">{{ lang.header.user_settings }}</a></li>
-            {% endif %}
           </ul>
         </li>
+        {% endif %}
+        {% if mailcow_cc_role != 'admin' %}
+        <li class="nav-item dropdown">
+          <a href="/user" class="nav-link" role="button" aria-expanded="false">{{ lang.header.user_settings }}</a>
+        </li>
+        {% endif %}
+
+        {% if mailcow_cc_role == 'admin' or mailcow_cc_role == 'domainadmin' %}
         <li class="nav-item dropdown">
           <a href="#" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false">{{ lang.header.email }}</a>
           <ul class="dropdown-menu">
-            {% if mailcow_cc_role == 'admin' or mailcow_cc_role == 'domainadmin' %}
             <li><a href="/mailbox" class="dropdown-item {% if is_uri('mailbox') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
-            {% endif %}
             <li><a href="/quarantine" class="dropdown-item {% if is_uri('quarantine') %}active{% endif %}">{{ lang.header.quarantine }}</a></li>
             {% if mailcow_cc_role == 'admin' %}
             <li><a href="/queue" class="dropdown-item {% if is_uri('queue') %}active{% endif %}">{{ lang.queue.queue_manager }}</a></li>
-            {% endif %}
-            {% if mailcow_cc_role == 'admin' %}
             <li><a href="#" class="dropdown-item" data-bs-toggle="modal" data-container="sogo-mailcow" data-bs-target="#RestartContainer">{{ lang.header.restart_sogo }}</a></li>
             {% endif %}
           </ul>
         </li>
         {% endif %}
-        {% if mailcow_apps or app_links %}
+
+        {% if mailcow_cc_role == 'user' %}
+        <li class="nav-item dropdown">
+          <a href="/quarantine" class="nav-link">{{ lang.header.quarantine }}</a>
+        </li>
+        {% endif %}
+        {% endif %}
+
+        {% if mailcow_apps_processed or app_links %}
         <li class="nav-item dropdown">
           <a href="#" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false"><i class="bi bi-link-45deg me-2"></i> {{ ui_texts.apps_name|raw }}</a>
           <ul class="dropdown-menu">
-            {% for app in mailcow_apps %}
-              {% if not skip_sogo or not is_uri('SOGo', app.link) %}
+            {% for app in mailcow_apps_processed %}
+              {% if not skip_sogo or not is_uri('SOGo', app.user_link) %}
               <li {% if app.description %}title="{{ app.description }}"{% endif %}>
-                <a href="{{ app.link }}" class="dropdown-item">{{ app.name }}</a>
+                <a href="{{ app.user_link }}" class="dropdown-item">{{ app.name }}</a>
               </li>
               {% endif %}
             {% endfor %}
             {% for row in app_links %}
               {% for key, val in row %}
-              <li><a href="{{ val }}" class="dropdown-item">{{ key }}</a></li>
+              <li><a href="{{ val.user_link }}" class="dropdown-item">{{ key }}</a></li>
               {% endfor %}
             {% endfor %}
           </ul>
@@ -132,7 +141,7 @@
 </div>
 {% endif %}
 
-<div class="container my-4">
+<div class="container flex-grow-1 my-4">
 {% block content %}{% endblock %}
 </div>
 
diff --git a/data/web/templates/index.twig b/data/web/templates/index.twig
index aa282547c..bd4f87818 100644
--- a/data/web/templates/index.twig
+++ b/data/web/templates/index.twig
@@ -77,7 +77,9 @@
           {% endfor %}
           {% for row in app_links %}
             {% for key, val in row %}
-              <a href="{{ val }}" role="button" class="btn btn-primary">{{ key }}</a>
+              <div class="m-2">
+                <a href="{{ val.link }}" role="button" class="btn btn-primary btn-block">{{ key }}</a>
+              </div>
             {% endfor %}
           {% endfor %}
         </div>

From 6e35574c721971216aa10da1ba6ace663ad4ca13 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 10 Mar 2023 15:53:09 +0100
Subject: [PATCH 004/378] [Web] add app hide option

---
 data/web/inc/functions.customize.inc.php      |  6 +++--
 data/web/inc/header.inc.php                   | 24 +++++++++++++++++--
 data/web/inc/vars.inc.php                     |  4 +++-
 data/web/js/site/admin.js                     | 14 +++++++++++
 .../templates/admin/tab-config-customize.twig | 12 ++++++++++
 data/web/templates/index.twig                 | 12 +++++++---
 6 files changed, 64 insertions(+), 8 deletions(-)

diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index c4df924d9..5aef7d720 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -123,12 +123,14 @@ function customize($_action, $_item, $_data = null) {
           $apps = (array)$_data['app'];
           $links = (array)$_data['href'];
           $user_links = (array)$_data['user_href'];
+          $hide = (array)$_data['hide'];
           $out = array();
-          if (count($apps) == count($links) && count($apps) == count($user_links)) {
+          if (count($apps) == count($links) && count($apps) == count($user_links) && count($apps) == count($hide)) {
             for ($i = 0; $i < count($apps); $i++) {
               $out[] = array($apps[$i] => array(
                 'link' => $links[$i],
-                'user_link' => $user_links[$i]
+                'user_link' => $user_links[$i],
+                'hide' => ($hide[$i] === '0' || $hide[$i] === 0) ? false : true
               ));
             }
             try {
diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index c0e166403..3f80423ec 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -31,11 +31,29 @@ if(!file_exists($CSSPath)) {
 }
 
 $mailcow_apps_processed = $MAILCOW_APPS;
+$app_links = customize('get', 'app_links');
+$app_links_processed = $app_links;
+$hide_mailcow_apps = true;
 for ($i = 0; $i < count($mailcow_apps_processed); $i++) {
+  if ($hide_mailcow_apps && !$mailcow_apps_processed[$i]['hide']){
+    $hide_mailcow_apps = false;
+  }
   if (!empty($_SESSION['mailcow_cc_username'])){
     $mailcow_apps_processed[$i]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $mailcow_apps_processed[$i]['user_link']);
   }
 }
+if ($app_links_processed){
+  for ($i = 0; $i < count($app_links_processed); $i++) {
+    $key = array_key_first($app_links_processed[$i]);
+    if ($hide_mailcow_apps && !$app_links_processed[$i][$key]['hide']){
+      $hide_mailcow_apps = false;
+    }
+    if (!empty($_SESSION['mailcow_cc_username'])){
+      $app_links_processed[$i][$key]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links_processed[$i][$key]['user_link']);
+    }
+  }
+}
+
 
 
 $globalVariables = [
@@ -53,9 +71,11 @@ $globalVariables = [
   'lang' => $lang,
   'skip_sogo' => (getenv('SKIP_SOGO') == 'y'),
   'allow_admin_email_login' => (getenv('ALLOW_ADMIN_EMAIL_LOGIN') == 'n'),
-  'mailcow_apps_processed' => $mailcow_apps_processed,
+  'hide_mailcow_apps' => $hide_mailcow_apps,
   'mailcow_apps' => $MAILCOW_APPS,
-  'app_links' => customize('get', 'app_links'),
+  'mailcow_apps_processed' => $mailcow_apps_processed,
+  'app_links' => $app_links,
+  'app_links_processed' => $app_links_processed,
   'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
   'uri' => $_SERVER['REQUEST_URI'],
   'last_login' => last_login('get', $_SESSION['mailcow_cc_username'], 7, 0)['ui']['time']
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index afc801e44..18bc63285 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -122,7 +122,9 @@ $SHOW_DKIM_PRIV_KEYS = false;
 $MAILCOW_APPS = array(
   array(
     'name' => 'Webmail',
-    'link' => '/SOGo/',
+    'link' => '/SOGo/so/',
+    'user_link' => '/sogo-auth.php?login=%u',
+    'hide' => true
   )
 );
 
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 095557311..dd6dcce4b 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -706,20 +706,34 @@ jQuery(function($){
     }
   })
   // App links
+  // setup eventlistener
+  setAppHideEvent();
+  function setAppHideEvent(){ 
+    $('.app_hide').off('change');
+    $('.app_hide').on('change', function (e) {
+      var value = $(this).is(':checked') ? '1' : '0';
+      console.log(value)
+      $(this).parent().children(':first-child').val(value);
+    })
+  }
   function add_table_row(table_id, type) {
     var row = $('<tr />');
     if (type == "app_link") {
       cols = '<td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="app" required></td>';
       cols += '<td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="href" required></td>';
       cols += '<td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="user_href" required></td>';
+      cols += '<td><div class="d-flex align-items-center justify-content-center" style="height: 33.5px"><input data-id="app_links" type="hidden" name="hide" value="0"><input class="form-check-input app_hide" type="checkbox" value="1"></div></td>';
       cols += '<td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100" type="button">' + lang.remove_row + '</a></td>';
     } else if (type == "f2b_regex") {
       cols = '<td><input style="text-align:center" class="input-sm input-xs-lg form-control" data-id="f2b_regex" type="text" value="+" disabled></td>';
       cols += '<td><input class="input-sm input-xs-lg form-control regex-input" data-id="f2b_regex" type="text" name="regex" required></td>';
       cols += '<td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100" type="button">' + lang.remove_row + '</a></td>';
     }
+
     row.append(cols);
     table_id.append(row);
+    if (type == "app_link")
+      setAppHideEvent();
   }
   $('#app_link_table').on('click', 'tr a', function (e) {
     e.preventDefault();
diff --git a/data/web/templates/admin/tab-config-customize.twig b/data/web/templates/admin/tab-config-customize.twig
index 4b8f53231..93da2bfdb 100644
--- a/data/web/templates/admin/tab-config-customize.twig
+++ b/data/web/templates/admin/tab-config-customize.twig
@@ -59,6 +59,7 @@
             <th>{{ lang.admin.app_name }}</th>
             <th>{{ lang.admin.link }}</th>
             <th>{{ lang.admin.user_link }}</th>
+            <th>{{ lang.admin.app_hide }}</th>
             <th style="width:100px;">&nbsp;</th>
           </tr>
           {% for row in app_links %}
@@ -67,6 +68,12 @@
                 <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="app" required value="{{ key }}"></td>
                 <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="href" required value="{{ val.link }}"></td>
                 <td><input class="input-sm input-xs-lg form-control" data-id="app_links" type="text" name="user_href" required value="{{ val.user_link }}"></td>
+                <td>
+                  <div class="d-flex align-items-center justify-content-center" style="height: 33.5px">
+                    <input data-id="app_links" type="hidden" name="hide" {% if val.hide %}value="1"{% else %}value="0"{% endif %}>
+                    <input class="form-check-input app_hide" type="checkbox" value="1" {% if val.hide %}checked{% endif %}>
+                  </div>
+                </td>
                 <td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100" type="button">{{ lang.admin.remove_row }}</a></td>
               </tr>
             {% endfor %}
@@ -76,6 +83,11 @@
               <td><input class="input-sm input-xs-lg form-control" value="{{ app.name }}" disabled></td>
               <td><input class="input-sm input-xs-lg form-control" value="{{ app.link }}" disabled></td>
               <td><input class="input-sm input-xs-lg form-control" value="{{ app.user_link }}" disabled></td>
+              <td>
+                <div class="d-flex align-items-center justify-content-center" style="height: 33.5px">
+                  <input class="form-check-input" data-id="app_links" type="checkbox" name="hide" value="1" disabled {% if app.hide %}checked{% endif %}>
+                </div>
+              </td>
               <td><a href="#" role="button" class="btn btn-sm btn-xs-lg btn-secondary h-100 w-100 disabled" type="button">{{ lang.admin.remove_row }}</a></td>
             </tr>
           {% endfor %}
diff --git a/data/web/templates/index.twig b/data/web/templates/index.twig
index bd4f87818..420bd5318 100644
--- a/data/web/templates/index.twig
+++ b/data/web/templates/index.twig
@@ -67,19 +67,25 @@
         <p><div class="my-4 alert alert-info">{{ lang.login.delayed|format(login_delay) }}</b></div></p>
         {% endif %}
         <div class="my-4" id="fido2-alerts"></div>
-        {% if not oauth2_request and (mailcow_apps or app_links) %}
+        {% if not oauth2_request and (mailcow_apps or app_links) and not hide_mailcow_apps %}
         <legend><i class="bi bi-link-45deg"></i> {{ ui_texts.apps_name|raw }}</legend><hr />
         <div class="my-2 d-grid gap-2 d-sm-block apps">
           {% for app in mailcow_apps %}
-            {% if not skip_sogo or not is_uri('SOGo', app.link) %}
-              <a href="{{ app.link }}" role="button" {% if app.description %}title="{{ app.description }}"{% endif %} class="btn btn-primary">{{ app.name }}</a>
+            {% if not app.hide %}
+              {% if not skip_sogo or not is_uri('SOGo', app.link) %}
+              <div class="m-2">
+                <a href="{{ app.link }}" role="button" {% if app.description %}title="{{ app.description }}"{% endif %} class="btn btn-primary btn-block">{{ app.name }}</a>
+              </div>
             {% endif %}
+          {% endif %}
           {% endfor %}
           {% for row in app_links %}
             {% for key, val in row %}
+            {% if not val.hide %}
               <div class="m-2">
                 <a href="{{ val.link }}" role="button" class="btn btn-primary btn-block">{{ key }}</a>
               </div>
+            {% endif %}
             {% endfor %}
           {% endfor %}
         </div>

From 84ff6ff2c5b591bbbc693e22e739e51cff835cca Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 10 Mar 2023 15:53:59 +0100
Subject: [PATCH 005/378] [Web] fix user login history

---
 data/web/inc/functions.inc.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 3cff09b95..ee1aab236 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -960,12 +960,16 @@ function check_login($user, $pass, $app_passwd_data = false) {
           );
           return "pending";
         } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          unset($_SESSION['ldelay']);
           // no authenticators found, login successfull
           // Reactivate TFA if it was set to "deactivate TFA for next login"
           $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
           $stmt->execute(array(':user' => $user));
-
-          unset($_SESSION['ldelay']);
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => array('logged_in_as', $user)
+          );
           return "user";
         }
       } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {

From 56a9f1a4115194c63d37ee8c451c7e432a3291c5 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 10 Mar 2023 17:10:05 +0100
Subject: [PATCH 006/378] [Web] organize user landing

---
 data/web/css/build/014-mailcow.css         |   1 +
 data/web/js/site/user.js                   |  30 +-
 data/web/templates/domainadmin.twig        | 141 +++++-----
 data/web/templates/user.twig               |   1 -
 data/web/templates/user/Spamfilter.twig    |   8 +-
 data/web/templates/user/tab-user-auth.twig | 310 ++++++++++++---------
 6 files changed, 271 insertions(+), 220 deletions(-)

diff --git a/data/web/css/build/014-mailcow.css b/data/web/css/build/014-mailcow.css
index 8c1d7c2af..d1d6ac45d 100644
--- a/data/web/css/build/014-mailcow.css
+++ b/data/web/css/build/014-mailcow.css
@@ -386,6 +386,7 @@ button[aria-expanded='true'] > .caret {
     background-color: #f0f0f0;
 }
 .btn.btn-outline-secondary {
+  color: #000000 !important;
   border-color: #cfcfcf !important;  
 }
 .btn-check:checked+.btn-outline-secondary, .btn-check:active+.btn-outline-secondary, .btn-outline-secondary:active, .btn-outline-secondary.active, .btn-outline-secondary.dropdown-toggle.show {
diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js
index 088321cd3..850570ef4 100644
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -77,11 +77,11 @@ jQuery(function($){
   acl_data = JSON.parse(acl);
 
   $('.clear-last-logins').on('click', function () {if (confirm(lang.delete_ays)) {last_logins('reset');}})
-  $(".login-history").on('click', function(e) {e.preventDefault(); last_logins('get', $(this).data('days'));$(this).addClass('active').siblings().removeClass('active');});
+  $(".login-history").on('click', function(e) {e.preventDefault(); last_logins('get', $(this).data('days'));$(this).parent().find('li a').removeClass('active');$(this).children(':first-child').addClass('active')});
 
   function last_logins(action, days = 7) {
     if (action == 'get') {
-      $('.last-login').html('<i class="bi bi-hourglass"></i>' +  lang.waiting);
+      $('#spinner-last-login').removeClass('d-none');
       $.ajax({
         dataType: 'json',
         url: '/api/v1/get/last-login/' + encodeURIComponent(mailcow_cc_username) + '/' + days,
@@ -90,26 +90,38 @@ jQuery(function($){
           console.log('error reading last logins');
         },
         success: function (data) {
-          $('.last-login').html();
+          $('.last-ui-login').html('');
+          $('.last-sasl-login').html('');
           if (data.ui.time) {
-            $('.last-login').html('<i class="bi bi-person-fill"></i> ' + lang.last_ui_login + ': ' + unix_time_format(data.ui.time));
+            $('.last-ui-login').html('<i class="bi bi-person-fill"></i> ' + lang.last_ui_login + ': ' + unix_time_format(data.ui.time));
           } else {
-            $('.last-login').text(lang.no_last_login);
+            $('.last-ui-login').text(lang.no_last_login);
           }
           if (data.sasl) {
-            $('.last-login').append('<ul class="list-group">');
+            $('.last-sasl-login').append('<ul class="list-group">');
             $.each(data.sasl, function (i, item) {
               var datetime = new Date(item.datetime.replace(/-/g, "/"));
               var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
-              var service = '<div class="badge fs-6 bg-secondary">' + item.service.toUpperCase() + '</div>';
+              var service = '<div class="badge bg-secondary">' + item.service.toUpperCase() + '</div>';
               var app_password = item.app_password ? ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-app-indicator"></i> ' + escapeHtml(item.app_password_name || "App") + '</a>' : '';
               var real_rip = item.real_rip.startsWith("Web") ? item.real_rip : '<a href="https://bgp.he.net/ip/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
               var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : '';
               var ip_data = real_rip + ip_location + app_password;
-              $(".last-login").append('<li class="list-group-item">' + local_datetime + " " + service + " " + lang.from + " " + ip_data + "</li>");
+
+              $(".last-sasl-login").append(`
+                <li class="list-group-item d-flex justify-content-between align-items-start">
+                  <div class="ms-2 me-auto d-flex flex-column">
+                    <div class="fw-bold">` + real_rip + `</div>
+                    <small class="fst-italic mt-2">` + service + ` ` + local_datetime + `</small>
+                  </div>
+                  <span>` + ip_location + `</span>
+                </li>
+              `);
             })
-            $('.last-login').append('</ul>');
+            $('.last-sasl-login').append('</ul>');
           }
+
+          $('#spinner-last-login').addClass('d-none');
         }
       })
     } else if (action == 'reset') {
diff --git a/data/web/templates/domainadmin.twig b/data/web/templates/domainadmin.twig
index 070bf00cd..9cfd25599 100644
--- a/data/web/templates/domainadmin.twig
+++ b/data/web/templates/domainadmin.twig
@@ -1,80 +1,83 @@
 {% extends 'base.twig' %}
 
 {% block content %}
-<h3>{{ lang.user.user_settings }}</h3>
-<div class="card">
-  <div class="card-header">{{ lang.user.user_settings }}</div>
-  <div class="card-body">
-    <div class="row">
-      <div class="offset-sm-3 col-sm-9">
-        <p><a href="#pwChangeModal" data-bs-toggle="modal">[{{ lang.user.change_password }}]</a></p>
-        <div class="last-login"></div>
-        <span class="clear-last-logins">{{ lang.user.clear_recent_successful_connections }}</span>
-      </div>
-    </div>
-    <hr>
+<div class="row">
+  <div class="col-md-12">
+    <div class="card">
+      <div class="card-header">{{ lang.user.user_settings }}</div>
+      <div class="card-body">
+        <div class="row">
+          <div class="offset-sm-3 col-sm-9">
+            <p><a href="#pwChangeModal" data-bs-toggle="modal">[{{ lang.user.change_password }}]</a></p>
+            <div class="last-ui-login"></div>
+            <span class="clear-last-logins">{{ lang.user.clear_recent_successful_connections }}</span>
+          </div>
+        </div>
+        <hr>
 
-    {# TFA #}
-    <div class="row">
-      <div class="col-sm-3 col-5 text-end">{{ lang.tfa.tfa }}</div>
-      <div class="col-sm-9 col-7">
-        <p id="tfa_pretty">{{ tfa_data.pretty }}</p>
-        {% include 'tfa_keys.twig' %}
-        <br>
-      </div>
-    </div>
-    <div class="row">
-      <div class="col-sm-3 col-5 text-end">{{ lang.tfa.set_tfa }}</div>
-      <div class="col-sm-9 col-7">
-        <select id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
-          <option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
-          <option value="webauthn">{{ lang.tfa.webauthn }}</option>
-          <option value="totp">{{ lang.tfa.totp }}</option>
-          <option value="none">{{ lang.tfa.none }}</option>
-        </select>
-      </div>
-    </div>
+        {# TFA #}
+        <div class="row">
+          <div class="col-sm-3 col-5 text-end">{{ lang.tfa.tfa }}</div>
+          <div class="col-sm-9 col-7">
+            <p id="tfa_pretty">{{ tfa_data.pretty }}</p>
+            {% include 'tfa_keys.twig' %}
+            <br>
+          </div>
+        </div>
+        <div class="row">
+          <div class="col-sm-3 col-5 text-end">{{ lang.tfa.set_tfa }}</div>
+          <div class="col-sm-9 col-7">
+            <select id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
+              <option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
+              <option value="webauthn">{{ lang.tfa.webauthn }}</option>
+              <option value="totp">{{ lang.tfa.totp }}</option>
+              <option value="none">{{ lang.tfa.none }}</option>
+            </select>
+          </div>
+        </div>
 
-    <hr>
-    {# FIDO2 #}
-    <div class="row">
-      <div class="col-sm-3 col-5 text-end">
-        <p><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.fido2_auth }}</p>
-      </div>
-    </div>
-    <div class="row">
-      <div class="col-sm-3 col-5 text-end">{{ lang.fido2.known_ids }}:</div>
-      <div class="col-sm-9 col-7">
-        <div class="table-responsive">
-          <table class="table table-striped table-hover table-condensed w-100" id="fido2_keys">
-            <tr>
-              <th>ID</th>
-              <th style="min-width:240px;text-align: right">{{ lang.admin.action }}</th>
-            </tr>
-            {% include 'fido2.twig' %}
-        </table>
-      </div>
-      <br>
-    </div>
-  </div>
-    <div class="row">
-      <div class="offset-sm-3 col-sm-9">
-        <div class="btn-group">
-          <button class="btn btn-sm btn-primary" id="register-fido2">{{ lang.fido2.set_fido2 }}</button>
-          <button type="button" class="btn btn-sm btn-xs-lg btn-primary dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
-          <ul class="dropdown-menu">
-            <li><a class="dropdown-item" href="#" id="register-fido2-touchid"><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.set_fido2_touchid }}</a></li>
-          </ul>
+        <hr>
+        {# FIDO2 #}
+        <div class="row">
+          <div class="col-sm-3 col-5 text-end">
+            <p><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.fido2_auth }}</p>
+          </div>
+        </div>
+        <div class="row">
+          <div class="col-sm-3 col-5 text-end">{{ lang.fido2.known_ids }}:</div>
+          <div class="col-sm-9 col-7">
+            <div class="table-responsive">
+              <table class="table table-striped table-hover table-condensed w-100" id="fido2_keys">
+                <tr>
+                  <th>ID</th>
+                  <th style="min-width:240px;text-align: right">{{ lang.admin.action }}</th>
+                </tr>
+                {% include 'fido2.twig' %}
+            </table>
+          </div>
+          <br>
         </div>
       </div>
-    </div>
-    <br>
-    <div class="row" id="status-fido2">
-      <div class="col-sm-3 col-5 text-end">{{ lang.fido2.register_status }}:</div>
-      <div class="col-sm-9 col-7">
-        <div id="fido2-alerts">-</div>
+        <div class="row">
+          <div class="offset-sm-3 col-sm-9">
+            <div class="btn-group">
+              <button class="btn btn-sm btn-primary" id="register-fido2">{{ lang.fido2.set_fido2 }}</button>
+              <button type="button" class="btn btn-sm btn-xs-lg btn-primary dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
+              <ul class="dropdown-menu">
+                <li><a class="dropdown-item" href="#" id="register-fido2-touchid"><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.set_fido2_touchid }}</a></li>
+              </ul>
+            </div>
+          </div>
+        </div>
+        <br>
+        <div class="row" id="status-fido2">
+          <div class="col-sm-3 col-5 text-end">{{ lang.fido2.register_status }}:</div>
+          <div class="col-sm-9 col-7">
+            <div id="fido2-alerts">-</div>
+          </div>
+          <br>
+        </div>
       </div>
-      <br>
     </div>
   </div>
 </div>
diff --git a/data/web/templates/user.twig b/data/web/templates/user.twig
index 5536abe4e..a79c5a2c5 100644
--- a/data/web/templates/user.twig
+++ b/data/web/templates/user.twig
@@ -43,7 +43,6 @@
       </div>
     </div>
   </div>
-  <div style="margin-bottom:200px;"></div>
   {% include 'user_domainadmin_common.twig' %}
 </div>
   {% endblock %}
diff --git a/data/web/templates/user/Spamfilter.twig b/data/web/templates/user/Spamfilter.twig
index 280b90032..1f69df95f 100644
--- a/data/web/templates/user/Spamfilter.twig
+++ b/data/web/templates/user/Spamfilter.twig
@@ -39,10 +39,10 @@
       </div>
       <hr>
       <div class="row">
-        <div class="col-lg-6 my-3">
+        <div class="col-lg-6 my-3 d-flex flex-column">
           <h4>{{ lang.user.spamfilter_wl }}</h4>
           <p>{{ lang.user.spamfilter_wl_desc|raw }}</p>
-          <form class="form-inline mb-4" data-id="add_wl_policy_mailbox">
+          <form class="form-inline mb-4 mt-auto" data-id="add_wl_policy_mailbox">
             <div class="input-group" data-acl="{{ acl.spam_policy }}">
               <input type="text" class="form-control" name="object_from" placeholder="*@example.org" required>
               <button class="btn btn-secondary" data-action="add_item" data-id="add_wl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username": {{ mailcow_cc_username|json_encode|raw }},"object_list":"wl"}' href="#"><i class="bi bi-plus-lg"></i> {{ lang.user.spamfilter_table_add }}</button>
@@ -61,10 +61,10 @@
             </div>
           </div>
         </div>
-        <div class="col-lg-6 my-3">
+        <div class="col-lg-6 my-3 d-flex flex-column">
           <h4>{{ lang.user.spamfilter_bl }}</h4>
           <p>{{ lang.user.spamfilter_bl_desc|raw }}</p>
-          <form class="form-inline mb-4" data-id="add_bl_policy_mailbox">
+          <form class="form-inline mb-4 mt-auto" data-id="add_bl_policy_mailbox">
             <div class="input-group" data-acl="{{ acl.spam_policy }}">
               <input type="text" class="form-control" name="object_from" placeholder="*@example.org" required>
               <button class="btn btn-secondary" data-action="add_item" data-id="add_bl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username": {{ mailcow_cc_username|json_encode|raw }},"object_list":"bl"}' href="#"><i class="bi bi-plus-lg"></i> {{ lang.user.spamfilter_table_add }}</button>
diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index 4d55b7090..c39f10086 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -8,157 +8,193 @@
     </div>
     <div id="collapse-tab-user-auth" class="card-body collapse" data-bs-parent="#user-content">
       {% if mailboxdata.attributes.force_pw_update == '1' %}
-          <div class="alert alert-danger">{{ lang.user.force_pw_update|raw }}</div>
+        <div class="alert alert-danger">{{ lang.user.force_pw_update|raw }}</div>
       {% endif %}
-      {% if not skip_sogo %}
       <div class="row">
-        <div class="hidden-xs col-md-3 col-xs-5 text-right"></div>
-        <div class="col-md-3 col-xs-12">
-          {% if dual_login and allow_admin_email_login == 'n' or mailboxdata.attributes.force_pw_update == '1' %}
-            <button disabled class="btn btn-secondary btn-block btn-xs-lg">
-              <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
-            </button>
-          {% else %}
-            <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username }}" role="button" class="btn btn-secondary btn-block btn-xs-lg">
-              <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
-            </a>
+        <div class="col-xl-9 col-lg-7 col-md-12 col-12 d-flex flex-column mb-4">
+          {% if not skip_sogo %}
+          <div class="row mb-4">
+            <div class="col-12 col-lg-6 col-xl-4">
+              {% if dual_login and allow_admin_email_login == 'n' or mailboxdata.attributes.force_pw_update == '1' %}
+                <button disabled class="btn btn-secondary btn-block btn-xs-lg w-100">
+                  {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
+                </button>
+              {% else %}
+                <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username }}" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
+                  {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
+                </a>
+              {% endif %}
+            </div>
+          </div>
           {% endif %}
-        </div>
-      </div>
-      <hr>
-      <div class="row">
-        <div class="d-none d-sm-flex col-md-3 col-5 text-end"></div>
-        <div class="col-md-9 col-12">
-          <p class="text-muted text-muted-mt-0">{{ lang.user.direct_protocol_access|raw }}</p>
-          {% if mailboxdata.attributes.imap_access == 1 %}<div class="badge fs-6 bg-success mb-2">IMAP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">IMAP <i class="bi bi-x-lg"></i></div>{% endif %}
-          {% if mailboxdata.attributes.smtp_access == 1 %}<div class="badge fs-6 bg-success mb-2">SMTP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">SMTP <i class="bi bi-x-lg"></i></div>{% endif %}
-          {% if mailboxdata.attributes.sieve_access == 1 %}<div class="badge fs-6 bg-success mb-2">Sieve <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">Sieve <i class="bi bi-x-lg"></i></div>{% endif %}
-          {% if mailboxdata.attributes.pop3_access == 1 %}<div class="badge fs-6 bg-success mb-2">POP3 <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">POP3 <i class="bi bi-x-lg"></i></div>{% endif %}
-          {% if mailboxdata.attributes.sogo_access == 1 %}<div class="badge fs-6 bg-success mb-2">SOGo <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">SOGo <i class="bi bi-x-lg"></i></div>{% endif %}
-        </div>
-      </div>
-      <hr>
-      {% endif %}
-      <div class="row">
-        <div class="col-md-3 col-12 text-sm-end text-start mb-4">{{ lang.user.in_use }}:</div>
-        <div class="col-md-5 col-12">
-          <div class="progress">
+
+          <legend>{{ lang.user.overview }}</legend>
+          <hr>
+          <div class="d-flex">
+            <h5><i class="bi bi-envelope-fill"></i> {{ mailboxdata.messages }} {{ lang.user.messages }}</h5>
+            <h5 class="ms-auto">{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}∞{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}</h5>
+          </div>
+          <div class="progress mb-4" style="height: 20px";>
             <div class="progress-bar bg-{{ mailboxdata.percent_class }}" role="progressbar" aria-valuenow="{{ mailboxdata.percent_in_use }}" aria-valuemin="0" aria-valuemax="100" style="min-width:2em;width: {{ mailboxdata.percent_in_use }}%;">
               {{ mailboxdata.percent_in_use }}%
             </div>
           </div>
-          <p>{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}∞{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}<br>{{ mailboxdata.messages }} {{ lang.user.messages }}</p>
+          
+          <div class="row">
+            <div class="col-12 col-md-3 d-flex">
+              <span class="mt-2 w-100 text-md-end">{{ lang.user.protocols }}:</span>
+            </div>
+            <div class="col-12 col-md-9 d-flex">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.direct_protocol_access|raw }}"></i>
+              <div class="d-flex flex-wrap">
+              {% if mailboxdata.attributes.imap_access == 1 %}<div class="badge fs-6 bg-success m-2">IMAP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">IMAP <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if mailboxdata.attributes.smtp_access == 1 %}<div class="badge fs-6 bg-success m-2">SMTP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">SMTP <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if mailboxdata.attributes.sieve_access == 1 %}<div class="badge fs-6 bg-success m-2">Sieve <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">Sieve <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if mailboxdata.attributes.pop3_access == 1 %}<div class="badge fs-6 bg-success m-2">POP3 <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">POP3 <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if not skip_sogo %}{% if mailboxdata.attributes.sogo_access == 1 %}<div class="badge fs-6 bg-success m-2">SOGo <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">SOGo <i class="bi bi-x-lg"></i></div>{% endif %}{% endif %}       
+              </div>
+            </div>
+          </div>
+          <div class="row mt-2">
+            <div class="col-12 col-md-3 d-flex">
+              <span class="mt-2 w-100 text-md-end">{{ lang.user.apple_connection_profile }}:</span>
+            </div>
+            <div class="col-12 col-md-8">
+              <div class="d-flex">
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_mailonly }}"></i> 
+                <a href="/mobileconfig.php?only_email">{{ lang.user.email }} <small>[IMAP, SMTP]</small></a>
+              </div> 
+              {% if not skip_sogo %}
+              <div class="d-flex">
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_complete }}"></i>  
+                <a href="/mobileconfig.php">{{ lang.user.email_and_dav }} <small>[IMAP, SMTP, Cal/CardDAV]</small></a>
+              </div>
+              {% endif %}
+            </div>
+          </div>
+          <div class="row mt-2">
+            <div class="col-12 col-md-3 d-flex">
+              <span class="mt-2 w-100 text-md-end">{{ lang.user.apple_connection_profile }}<br>{{ lang.user.with_app_password }}:</span>
+            </div>
+            <div class="col-12 col-md-9">
+              <div class="d-flex">
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_mailonly }} {{ lang.user.apple_connection_profile_with_app_password }}"></i> 
+                <a href="/mobileconfig.php?only_email&amp;app_password">{{ lang.user.email }} <small>[IMAP, SMTP]</small></a>
+              </div>
+              {% if not skip_sogo %}
+              <div class="d-flex">
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_complete }} {{ lang.user.apple_connection_profile_with_app_password }}"></i> 
+                <a href="/mobileconfig.php?app_password">{{ lang.user.email_and_dav }} <small>[IMAP, SMTP, Cal/CardDAV]</small></a>
+              </div>
+              {% endif %}
+            </div>
+          </div>
+          <div class="row">
+            <div class="col-12 d-flex flex-column text-center align-items-center mt-4">
+              <a target="_blank" href="https://mailcow.github.io/mailcow-dockerized-docs/client/client/#{{ clientconfigstr }}">{{ lang.user.client_configuration }}</a>
+              <a class="mt-2" href="#userFilterModal" data-bs-toggle="modal">{{ lang.user.show_sieve_filters }}</a>
+            </div>
+          </div>
+
+          {# TFA #}
+          <legend class="mt-4">{{ lang.user.authentication }}</legend>
           <hr>
-          <p><a href="#pwChangeModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a></p>
-        </div>
-      </div>
-      <hr>
-      {# TFA #}
-      <div class="row">
-        <div class="col-sm-3 col-xs-5 text-right">{{ lang.tfa.tfa }}:</div>
-        <div class="col-sm-9 col-xs-7">
-          <p id="tfa_pretty">{{ tfa_data.pretty }}</p>
-          {% include 'tfa_keys.twig' %}
-          <br>
-        </div>
-      </div>
-      <div class="row">
-        <div class="col-sm-3 col-xs-5 text-right">{{ lang.tfa.set_tfa }}:</div>
-        <div class="col-sm-9 col-xs-7">
-          <select data-style="btn btn-sm dropdown-toggle bs-placeholder btn-secondary" data-width="fit" id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
-            <option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
-            <option value="webauthn">{{ lang.tfa.webauthn }}</option>
-            <option value="totp">{{ lang.tfa.totp }}</option>
-            <option value="none">{{ lang.tfa.none }}</option>
-          </select>
-        </div>
-      </div>
-      <hr>
-      {# FIDO2 #}
-      <div class="row">
-        <div class="col-sm-3 col-12 text-sm-end text-start">
-          <p><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.fido2_auth }}</p>
-        </div>
-      </div>
-      <div class="row">
-        <div class="col-sm-3 col-12 text-sm-end text-start mb-4">
-          {{ lang.fido2.known_ids }}:
-        </div>
-        <div class="col-sm-9 col-12">
-          <div class="table-responsive">
-            <table class="table table-striped table-hover table-condensed" id="fido2_keys">
-              <tr>
-                <th>ID</th>
-                <th style="min-width:240px;text-align: right">{{ lang.admin.action }}</th>
-              </tr>
-              {% include 'fido2.twig' %}
-            </table>
+          <div class="row">
+            <div class="col-12 col-md-3 d-flex"></div>
+            <div class="col-12 col-md-9 d-flex flex-wrap justify-content-center justify-content-sm-start">
+              <a class="btn btn-secondary" href="#pwChangeModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a>
+            </div>
+          </div>
+          <div class="row mt-4">
+            <div class="col-12 col-md-3 d-flex">
+              <span class="mt-2 w-100 text-md-end">{{ lang.tfa.tfa }}:</span>
+            </div>
+            <div class="col-12 col-md-9 d-flex flex-wrap justify-content-center justify-content-sm-start">
+              <span id="tfa_pretty">{{ tfa_data.pretty }}</span>
+              {% include 'tfa_keys.twig' %}
+            </div>
+          </div>
+          <div class="row mt-2 mb-4">
+            <div class="col-12 col-md-3 d-flex">
+              <span class="mt-2 w-100 text-md-end">{{ lang.tfa.set_tfa }}:</span>
+            </div>
+            <div class="col-12 col-md-9 d-flex flex-wrap align-items-center justify-content-center justify-content-sm-start">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.tfa_info|raw }}"></i>
+              <select data-style="ms-2 btn btn-sm dropdown-toggle bs-placeholder btn-secondary" data-width="fit" id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
+                <option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
+                <option value="webauthn">{{ lang.tfa.webauthn }}</option>
+                <option value="totp">{{ lang.tfa.totp }}</option>
+                <option value="none">{{ lang.tfa.none }}</option>
+              </select>
+            </div>
+          </div>
+          {# FIDO2 #}
+          <div class="row mt-4">
+            <div class="col-sm-3 col-12 text-sm-end text-start">
+              <p><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.fido2_auth }}</p>
+            </div>
+          </div>
+          <div class="row">
+            <div class="col-sm-3 col-12 text-sm-end text-start mb-4">
+              {{ lang.fido2.known_ids }}:
+            </div>
+            <div class="col-sm-9 col-12">
+              <div class="table-responsive">
+                <table class="table table-striped table-hover table-condensed" id="fido2_keys">
+                  <tr>
+                    <th>ID</th>
+                    <th style="min-width:240px;text-align: right">{{ lang.admin.action }}</th>
+                  </tr>
+                  {% include 'fido2.twig' %}
+                </table>
+              </div>
+              <br>
+            </div>
+          </div>
+          <div class="row">
+            <div class="offset-sm-3 col-sm-9">
+              <div class="btn-group nowrap">
+                <button class="btn btn-sm btn-primary d-block d-sm-inline" id="register-fido2">{{ lang.fido2.set_fido2 }}</button>
+                <button type="button" class="btn btn-sm btn-xs-lg btn-primary dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
+                <ul class="dropdown-menu">
+                  <li><a class="dropdown-item" href="#" id="register-fido2-touchid"><i class="bi bi-apple"></i> {{ lang.fido2.set_fido2_touchid }}</a></li>
+                </ul>
+              </div>
+            </div>
           </div>
           <br>
-        </div>
-      </div>
-      <div class="row">
-        <div class="offset-sm-3 col-sm-9">
-          <div class="btn-group nowrap">
-            <button class="btn btn-sm btn-primary d-block d-sm-inline" id="register-fido2">{{ lang.fido2.set_fido2 }}</button>
-            <button type="button" class="btn btn-sm btn-xs-lg btn-primary dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
-            <ul class="dropdown-menu">
-              <li><a class="dropdown-item" href="#" id="register-fido2-touchid"><i class="bi bi-apple"></i> {{ lang.fido2.set_fido2_touchid }}</a></li>
-            </ul>
+          <div class="row" id="status-fido2">
+            <div class="col-sm-3 col-5 text-end">{{ lang.fido2.register_status }}:</div>
+            <div class="col-sm-9 col-7">
+              <div id="fido2-alerts">-</div>
+            </div>
+            <br>
           </div>
         </div>
-      </div>
-      <br>
-      <div class="row" id="status-fido2">
-        <div class="col-sm-3 col-5 text-end">{{ lang.fido2.register_status }}:</div>
-        <div class="col-sm-9 col-7">
-          <div id="fido2-alerts">-</div>
-        </div>
-        <br>
-      </div>
-      <hr>
-      <div class="row">
-        <div class="col-md-3 col-12 text-sm-end text-start mb-4"><i class="bi bi-file-earmark-text"></i> {{ lang.user.apple_connection_profile }}:</div>
-        <div class="col-md-9 col-12">
-          <p><i class="bi bi-file-earmark-post"></i> <a href="/mobileconfig.php?only_email">{{ lang.user.email }}</a> <small>IMAP, SMTP</small></p>
-          <p class="text-muted">{{ lang.user.apple_connection_profile_mailonly }}</p>
-          {% if not skip_sogo %}
-          <p><i class="bi bi-file-earmark-post"></i> <a href="/mobileconfig.php">{{ lang.user.email_and_dav }}</a> <small>IMAP, SMTP, Cal/CardDAV</small></p>
-          <p class="text-muted">{{ lang.user.apple_connection_profile_complete }}</p>
-          {% endif %}
-        </div>
-      </div>
-      <div class="row">
-        <div class="col-md-3 col-12 text-sm-end text-start mb-4"><i class="bi bi-file-earmark-text"></i> {{ lang.user.apple_connection_profile }}<br class="d-none d-lg-block" />{{ lang.user.with_app_password }}:</div>
-        <div class="col-md-9 col-12">
-          <p><i class="bi bi-file-earmark-post"></i> <a href="/mobileconfig.php?only_email&amp;app_password">{{ lang.user.email }}</a> <small>IMAP, SMTP</small></p>
-          <p class="text-muted">{{ lang.user.apple_connection_profile_mailonly }}<br /> {{ lang.user.apple_connection_profile_with_app_password }}</p>
-          {% if not skip_sogo %}
-          <p><i class="bi bi-file-earmark-post"></i> <a href="/mobileconfig.php?app_password">{{ lang.user.email_and_dav }}</a> <small>IMAP, SMTP, Cal/CardDAV</small></p>
-          <p class="text-muted">{{ lang.user.apple_connection_profile_complete }}<br /> {{ lang.user.apple_connection_profile_with_app_password }}</p>
-          {% endif %}
-        </div>
-      </div>
-      <hr>
-      <div class="row">
-        <div class="offset-sm-3 col-sm-9">
-          <p><a target="_blank" href="https://docs.mailcow.email/client/client/#{{ clientconfigstr }}">[{{ lang.user.client_configuration }}]</a></p>
-          <p><a href="#userFilterModal" data-bs-toggle="modal">[{{ lang.user.show_sieve_filters }}]</a></p>
+        <div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1">
+          <legend class="d-flex">
+            <span>{{ lang.user.recent_successful_connections }}</span>
+            <div id="spinner-last-login" class="ms-auto my-auto spinner-border spinner-border-sm d-none" role="status">
+              <span class="visually-hidden">Loading...</span>
+            </div>
+          </legend>
           <hr>
-          <h4 class="recent-login-success">{{ lang.user.recent_successful_connections }}</h4>
-          <div class="dropdown mt-2">
-            <button class="btn btn-secondary btn-xs btn-xs-lg dropdown-toggle" type="button" id="history_sasl_days" data-bs-toggle="dropdown">{{ lang.user.login_history }}</button>
-            <ul class="dropdown-menu">
-              <li class="login-history" data-days="1"><a class="dropdown-item" href="#">1 {{ lang.user.day }}</a></li>
-              <li class="login-history" data-days="7"><a class="dropdown-item active" href="#">1 {{ lang.user.week }}</a></li>
-              <li class="login-history" data-days="14"><a class="dropdown-item" href="#">2 {{ lang.user.weeks }}</a></li>
-              <li class="login-history" data-days="31"><a class="dropdown-item" href="#">1 {{ lang.user.month }}</a></li>
-            </ul>
+          <h6 class="last-ui-login"></h6>
+          <div class="d-flex">
+            <span class="clear-last-logins mt-auto mb-2">
+              {{ lang.user.clear_recent_successful_connections }}
+            </span>
+            <div class="dropdown mt-4 mb-2 ms-auto">
+              <button class="btn btn-secondary btn-xs btn-xs-lg dropdown-toggle" type="button" id="history_sasl_days" data-bs-toggle="dropdown">{{ lang.user.login_history }}</button>
+              <ul class="dropdown-menu">
+                <li class="login-history" data-days="1"><a class="dropdown-item" href="#">1 {{ lang.user.day }}</a></li>
+                <li class="login-history" data-days="7"><a class="dropdown-item active" href="#">1 {{ lang.user.week }}</a></li>
+                <li class="login-history" data-days="14"><a class="dropdown-item" href="#">2 {{ lang.user.weeks }}</a></li>
+                <li class="login-history" data-days="31"><a class="dropdown-item" href="#">1 {{ lang.user.month }}</a></li>
+              </ul>
+            </div>
           </div>
-          <div class="last-login mt-4"></div>
-          <span class="clear-last-logins mt-2">
-            {{ lang.user.clear_recent_successful_connections }}
-          </span>
+          <ul class="list-group last-sasl-login overflow-auto" style="flex: 1 1 0; min-height: 400px;"></ul>
         </div>
       </div>
     </div>

From 50d4d596266eb32fab55aec6d085689390bbcd50 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 10 Mar 2023 17:18:00 +0100
Subject: [PATCH 007/378] [Web] update de-de + en-gb lang

---
 data/web/lang/lang.de-de.json                      | 5 +++++
 data/web/lang/lang.en-gb.json                      | 6 ++++++
 data/web/templates/admin/tab-config-customize.twig | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index ddadfac63..3813871ce 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -138,6 +138,7 @@
         "api_info": "Die API befindet sich noch in Entwicklung, die Dokumentation kann unter <a href=\"/api\">/api</a> abgerufen werden.",
         "api_key": "API-Key",
         "api_skip_ip_check": "IP-Check für API nicht ausführen",
+        "app_hide": "Für Login verstecken",
         "app_links": "App-Links",
         "app_name": "App-Name",
         "apps_name": "\"mailcow Apps\" Name",
@@ -1146,6 +1147,7 @@
         "apple_connection_profile_mailonly": "Dieses Verbindungsprofil beinhaltet IMAP- und SMTP-Konfigurationen für ein Apple-Gerät.",
         "apple_connection_profile_with_app_password": "Es wird ein neues App-Passwort erzeugt und in das Profil eingefügt, damit bei der Einrichtung kein Passwort eingegeben werden muss. Geben Sie das Profil nicht weiter, da es einen vollständigen Zugriff auf Ihr Postfach ermöglicht.",
         "attribute": "Attribut",
+        "authentication": "Authentifizierung",
         "change_password": "Passwort ändern",
         "change_password_hint_app_passwords": "Ihre Mailbox hat %d App-Passwörter, die nicht geändert werden. Um diese zu verwalten, gehen Sie bitte zum App-Passwörter-Tab.",
         "clear_recent_successful_connections": "Alle erfolgreichen Verbindungen bereinigen",
@@ -1199,9 +1201,11 @@
         "no_last_login": "Keine letzte UI-Anmeldung gespeichert",
         "no_record": "Kein Eintrag",
         "open_webmail_sso": "In Webmail einloggen",
+        "overview": "Übersicht",
         "password": "Passwort",
         "password_now": "Aktuelles Passwort (Änderungen bestätigen)",
         "password_repeat": "Passwort (Wiederholung)",
+        "protocols": "Protokolle",
         "pushover_evaluate_x_prio": "Hohe Priorität eskalieren [<code>X-Priority: 1</code>]",
         "pushover_info": "Push-Benachrichtungen werden angewendet auf alle nicht-Spam Nachrichten zugestellt an <b>%s</b>, einschließlich Alias-Adressen (shared, non-shared, tagged).",
         "pushover_only_x_prio": "Nur Mail mit hoher Priorität berücksichtigen [<code>X-Priority: 1</code>]",
@@ -1258,6 +1262,7 @@
         "tag_in_subfolder": "In Unterordner",
         "tag_in_subject": "In Betreff",
         "text": "Text",
+        "tfa_info": "Zwei-Faktor-Authentifizierung hilft dabei, Ihr Konto zu schützen. Wenn Sie sie aktivieren, benötigen Sie möglicherweise App-Passwörter, um sich bei Apps oder Diensten anzumelden, die die Zwei-Faktor-Authentifizierung nicht unterstützen (z.B. Mailclients).",
         "title": "Title",
         "tls_enforce_in": "TLS eingehend erzwingen",
         "tls_enforce_out": "TLS ausgehend erzwingen",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index ec97d0aef..851b98aa1 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -142,6 +142,7 @@
         "api_read_only": "Read-Only Access",
         "api_read_write": "Read-Write Access",
         "api_skip_ip_check": "Skip IP check for API",
+        "app_hide": "Hide for login",
         "app_links": "App links",
         "app_name": "App name",
         "apps_name": "\"mailcow Apps\" name",
@@ -349,6 +350,7 @@
         "unchanged_if_empty": "If unchanged leave blank",
         "upload": "Upload",
         "username": "Username",
+        "user_link": "User-Link",
         "validate_license_now": "Validate GUID against license server",
         "verify": "Verify",
         "yes": "&#10003;"
@@ -1153,6 +1155,7 @@
         "apple_connection_profile_mailonly": "This connection profile includes IMAP and SMTP configuration parameters for an Apple device.",
         "apple_connection_profile_with_app_password": "A new app password is generated and added to the profile so that no password needs to be entered when setting up your device. Please do not share the file as it grants full access to your mailbox.",
         "attribute": "Attribute",
+        "authentication": "Authentication",
         "change_password": "Change password",
         "change_password_hint_app_passwords": "Your account has %d app passwords that will not be changed. To manage these, go to the App passwords tab.",
         "clear_recent_successful_connections": "Clear seen successful connections",
@@ -1207,9 +1210,11 @@
         "no_record": "No record",
         "open_logs": "Open logs",
         "open_webmail_sso": "Login to webmail",
+        "overview": "Overview",
         "password": "Password",
         "password_now": "Current password (confirm changes)",
         "password_repeat": "Password (repeat)",
+        "protocols": "Protocols",
         "pushover_evaluate_x_prio": "Escalate high priority mail [<code>X-Priority: 1</code>]",
         "pushover_info": "Push notification settings will apply to all clean (non-spam) mail delivered to <b>%s</b> including aliases (shared, non-shared, tagged).",
         "pushover_only_x_prio": "Only consider high priority mail [<code>X-Priority: 1</code>]",
@@ -1276,6 +1281,7 @@
         "tag_in_subfolder": "In subfolder",
         "tag_in_subject": "In subject",
         "text": "Text",
+        "tfa_info": "Two-factor authentication helps protect your account. If you enable it, you may need app passwords to log in to apps or services that don't support two-factor authentication (e.g. Mailclients).",
         "title": "Title",
         "tls_enforce_in": "Enforce TLS incoming",
         "tls_enforce_out": "Enforce TLS outgoing",
diff --git a/data/web/templates/admin/tab-config-customize.twig b/data/web/templates/admin/tab-config-customize.twig
index 93da2bfdb..c2071c399 100644
--- a/data/web/templates/admin/tab-config-customize.twig
+++ b/data/web/templates/admin/tab-config-customize.twig
@@ -59,7 +59,7 @@
             <th>{{ lang.admin.app_name }}</th>
             <th>{{ lang.admin.link }}</th>
             <th>{{ lang.admin.user_link }}</th>
-            <th>{{ lang.admin.app_hide }}</th>
+            <th style="width:125px;">{{ lang.admin.app_hide }}</th>
             <th style="width:100px;">&nbsp;</th>
           </tr>
           {% for row in app_links %}

From 6adad79e5cd50ae11bfc975ebb1ee7486e37a1a7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sun, 12 Mar 2023 19:06:03 +0100
Subject: [PATCH 008/378] [Web] organize auth functions+api auth w/ dovecot

---
 data/Dockerfiles/dovecot/Dockerfile           |   1 +
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 150 ++++------
 data/web/inc/functions.auth.inc.php           | 278 ++++++++++++++++++
 data/web/inc/functions.inc.php                | 198 -------------
 data/web/inc/functions.mailbox.inc.php        |  25 +-
 data/web/inc/init_db.inc.php                  |   1 +
 data/web/inc/prerequisites.inc.php            |   1 +
 data/web/json_api.php                         |  20 ++
 data/web/sogo-auth.php                        |   3 +-
 data/web/templates/edit/mailbox.twig          |   8 +-
 data/web/templates/modals/mailbox.twig        |   9 +
 11 files changed, 400 insertions(+), 294 deletions(-)
 create mode 100644 data/web/inc/functions.auth.inc.php

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index 9433dd2ea..a35589689 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -26,6 +26,7 @@ RUN addgroup -g 5000 vmail \
   curl \
   jq \
   lua \
+  lua-json \
   lua-cjson \
   lua-socket \
   lua-sql-mysql \
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index a9545f338..f146a8a01 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -129,114 +129,86 @@ iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF
 
 cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
-function auth_password_verify(req, pass)
-
-  if req.domain == nil then
+function auth_password_verify(request, password)
+  if request.domain == nil then
     return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
   end
 
-  if cur == nil then
-    script_init()
-  end
-
-  if req.user == nil then
-    req.user = ''
-  end
-
-  respbody = {}
+  json = require "json"
+  ltn12 = require "ltn12"
+  http = require "socket.http"
+  http.TIMEOUT = 5
+  mysql = require "luasql.mysql"
+  env  = mysql.mysql()
+  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
 
+  local req = {
+    username = request.user,
+    password = password
+  }
+  local req_json = json.encode(req)
+  local res = {} 
+  
   -- check against mailbox passwds
-  local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
-    WHERE username = '%s'
-      AND active = '1'
-      AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
-  local row = cur:fetch ({}, "a")
-  while row do
-    if req.password_verify(req, row.password, pass) == 1 then
-      con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-        VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)))
-      cur:close()
-      con:close()
-      return dovecot.auth.PASSDB_RESULT_OK, ""
-    end
-    row = cur:fetch (row, "a")
+  local b, c = http.request {
+    method = "POST",
+    url = "https://nginx/api/v1/process/login",
+    source = ltn12.source.string(req_json),
+    headers = {
+      ["content-type"] = "application/json",
+      ["content-length"] = tostring(#req_json)
+    },
+    sink = ltn12.sink.table(res)
+  }
+  local api_response = json.decode(table.concat(res))
+  if api_response.role == 'user' then
+    con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
+      VALUES ("%s", 0, "%s", "%s")]], con:escape(request.service), con:escape(request.user), con:escape(request.real_rip)))
+    con:close()
+    return dovecot.auth.PASSDB_RESULT_OK, "password=" .. password
   end
 
+  
   -- check against app passwds for imap and smtp
   -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
-  if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
-    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd
-      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
-      WHERE mailbox = '%s'
-        AND app_passwd.active = '1'
-        AND mailbox.active = '1'
-        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain)))
-    local row = cur:fetch ({}, "a")
-    while row do
-      if req.password_verify(req, row.password, pass) == 1 then
-        -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
-        if tostring(req.real_rip) == "__IPV4_SOGO__" then
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, ""
-        elseif row.has_prot_access == "1" then
-          con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-            VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, ""
-        end
+  if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
+    req.protocol = {}
+    req.protocol[request.service] = true
+    req_json = json.encode(req)
+
+    req.protocol.ignore_hasaccess = false
+    if tostring(req.real_rip) == "__IPV4_SOGO__" then
+      req.protocol.ignore_hasaccess = true
+    end
+
+    local b, c = http.request {
+      method = "POST",
+      url = "https://nginx/api/v1/process/login",
+      source = ltn12.source.string(req_json),
+      headers = {
+        ["content-type"] = "application/json",
+        ["content-length"] = tostring(#req_json)
+      },
+      sink = ltn12.sink.table(res)
+    }
+    local api_response = json.decode(table.concat(res))
+    if api_response.role == 'user' then
+      if req.protocol.ignore_hasaccess == false then
+        con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
+          VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
       end
-      row = cur:fetch (row, "a")
+      con:close()
+      return dovecot.auth.PASSDB_RESULT_OK, "password=" .. password
     end
   end
-
-  cur:close()
+  
   con:close()
-
   return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
-
-  -- PoC
-  -- local reqbody = string.format([[{
-  --   "success":0,
-  --   "service":"%s",
-  --   "app_password":false,
-  --   "username":"%s",
-  --   "real_rip":"%s"
-  -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))
-  -- http.request {
-  --   method = "POST",
-  --   url = "http://nginx:8081/sasl_log.php",
-  --   source = ltn12.source.string(reqbody),
-  --   headers = {
-  --     ["content-type"] = "application/json",
-  --     ["content-length"] = tostring(#reqbody)
-  --   },
-  --   sink = ltn12.sink.table(respbody)
-  -- }
-
 end
 
 function auth_passdb_lookup(req)
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
 end
-
-function script_init()
-  mysql = require "luasql.mysql"
-  http = require "socket.http"
-  http.TIMEOUT = 5
-  ltn12 = require "ltn12"
-  env  = mysql.mysql()
-  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
-  return 0
-end
-
-function script_deinit()
-  con:close()
-  env:close()
-end
 EOF
 
 # Replace patterns in app-passdb.lua
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
new file mode 100644
index 000000000..3f4f2f3b7
--- /dev/null
+++ b/data/web/inc/functions.auth.inc.php
@@ -0,0 +1,278 @@
+<?php
+function check_login($user, $pass, $app_passwd_data = false) {
+  global $pdo;
+  global $redis;
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => 'malformed_username'
+    );
+    return false;
+  }
+
+  // Validate admin
+  $result = mailcow_admin_login($user, $pass);
+  if ($result){
+    return $result;
+  }
+
+  // Validate domain admin
+  $result = mailcow_domainadmin_login($user, $pass);
+  if ($result){
+    return $result;
+  }
+
+  // Validate mailbox user
+  // skip log & ldelay if requests comes from dovecot
+  $is_dovecot = false;
+  $request_ip =  ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+  if ($request_ip == getenv('IPV4_NETWORK').'.250'){
+    $is_dovecot = true;
+  }
+  // check authsource
+  $stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active`='1'
+        AND `domain`.`active`='1'
+        AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+  if ($row['authsource'] == 'keycloak'){
+    $result = keycloak_mbox_login($user, $pass, $is_dovecot);
+    if ($result){
+      return $result;
+    }
+  } else {
+    $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
+    if ($result){
+      return $result;
+    }
+  }
+
+  // skip log and only return false
+  // netfilter uses dovecot error log for banning
+  if ($is_dovecot){
+    return false;
+  }
+  if (!isset($_SESSION['ldelay'])) {
+    $_SESSION['ldelay'] = "0";
+    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+  }
+  elseif (!isset($_SESSION['mailcow_cc_username'])) {
+    $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
+    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+  }
+  $_SESSION['return'][] =  array(
+    'type' => 'danger',
+    'log' => array(__FUNCTION__, $user, '*'),
+    'msg' => 'login_failed'
+  );
+
+  sleep($_SESSION['ldelay']);
+  return false;
+}
+
+function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
+  global $pdo;
+
+  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active`='1'
+        AND `domain`.`active`='1'
+        AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
+        AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+  // check if password is app password
+  $is_app_passwd = false;
+  if ($app_passwd_data['eas']){
+    $is_app_passwd = 'eas';
+  } else if ($app_passwd_data['dav']){
+    $is_app_passwd = 'dav';
+  } else if ($app_passwd_data['smtp']){
+    $is_app_passwd = 'smtp';
+  } else if ($app_passwd_data['imap']){
+    $is_app_passwd = 'imap';
+  } else if ($app_passwd_data['sieve']){
+    $is_app_passwd = 'sieve';
+  } else if ($app_passwd_data['pop3']){
+    $is_app_passwd = 'pop3';
+  }
+  if ($is_app_passwd){
+    // fetch app password data
+    $app_passwd_query = "SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+      INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
+      INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
+      WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active` = '1'
+        AND `domain`.`active` = '1'
+        AND `app_passwd`.`active` = '1'
+        AND `app_passwd`.`mailbox` = :user";
+    // check if app password has protocol access
+    // skip if $app_passwd_data['ignore_hasaccess'] is true and the call is not external
+    if (!$app_passwd_data['ignore_hasaccess'] || !$is_internal){
+      $app_passwd_query = $app_passwd_query . " AND `app_passwd`.`" . $is_app_passwd . "_access` = '1'";
+    }
+    // fetch password data
+    $stmt = $pdo->prepare($app_passwd_query);
+    $stmt->execute(array(':user' => $user));
+    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  }
+
+  foreach ($rows as $row) { 
+    // verify password
+    if (verify_hash($row['password'], $pass) !== false) {
+      if (!$is_app_passwd){ 
+        // password is not a app password
+        // check for tfa authenticators
+        $authenticators = get_tfa($user);
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+          // authenticators found, init TFA flow
+          $_SESSION['pending_mailcow_cc_username'] = $user;
+          $_SESSION['pending_mailcow_cc_role'] = "user";
+          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+          unset($_SESSION['ldelay']);
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => array('logged_in_as', $user)
+          );
+          return "pending";
+        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          // no authenticators found, login successfull
+          if (!$is_internal){
+            unset($_SESSION['ldelay']);
+            // Reactivate TFA if it was set to "deactivate TFA for next login"
+            $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+            $stmt->execute(array(':user' => $user));
+              // skip log
+              $_SESSION['return'][] =  array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $user, '*'),
+                'msg' => array('logged_in_as', $user)
+              );
+          }
+          return "user";
+        }
+      } elseif ($is_app_passwd) {
+        // password is a app password
+        if ($is_internal){
+          // skip log
+          return "user";
+        }
+
+        $service = strtoupper($is_app_passwd);
+        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+        $stmt->execute(array(
+          ':service' => $service,
+          ':app_id' => $row['app_passwd_id'],
+          ':username' => $user,
+          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+        ));
+
+        unset($_SESSION['ldelay']);
+        return "user";
+      }
+    }
+  }
+
+  return false;
+}
+function mailcow_domainadmin_login($user, $pass){
+  global $pdo;
+
+  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+      WHERE `superadmin` = '0'
+      AND `active`='1'
+      AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  foreach ($rows as $row) {
+    // verify password
+    if (verify_hash($row['password'], $pass) !== false) {
+      // check for tfa authenticators
+      $authenticators = get_tfa($user);
+      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+        $_SESSION['pending_mailcow_cc_username'] = $user;
+        $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
+        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+        unset($_SESSION['ldelay']);
+        $_SESSION['return'][] =  array(
+          'type' => 'info',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => 'awaiting_tfa_confirmation'
+        );
+        return "pending";
+      }
+      else {
+        unset($_SESSION['ldelay']);
+        // Reactivate TFA if it was set to "deactivate TFA for next login"
+        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+        $stmt->execute(array(':user' => $user));
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => array('logged_in_as', $user)
+        );
+        return "domainadmin";
+      }
+    }
+  }
+
+  return false;
+}
+function mailcow_admin_login($user, $pass){
+  global $pdo;
+
+  $user = strtolower(trim($user));
+  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+      WHERE `superadmin` = '1'
+      AND `active` = '1'
+      AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  foreach ($rows as $row) {
+    // verify password
+    if (verify_hash($row['password'], $pass)) {
+      // check for tfa authenticators
+      $authenticators = get_tfa($user);
+      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+        // active tfa authenticators found, set pending user login
+        $_SESSION['pending_mailcow_cc_username'] = $user;
+        $_SESSION['pending_mailcow_cc_role'] = "admin";
+        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+        unset($_SESSION['ldelay']);
+        $_SESSION['return'][] =  array(
+          'type' => 'info',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => 'awaiting_tfa_confirmation'
+        );
+        return "pending";
+      } else {
+        unset($_SESSION['ldelay']);
+        // Reactivate TFA if it was set to "deactivate TFA for next login"
+        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+        $stmt->execute(array(':user' => $user));
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => array('logged_in_as', $user)
+        );
+        return "admin";
+      }
+    }
+  }
+
+  return false;
+}
+
+function keycloak_mbox_login($user, $pass, $is_internal = false){
+  return false;
+}
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index ee1aab236..28cdc1797 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -811,204 +811,6 @@ function verify_hash($hash, $password) {
   }
   return false;
 }
-function check_login($user, $pass, $app_passwd_data = false) {
-  global $pdo;
-  global $redis;
-  global $imap_server;
-
-  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => 'malformed_username'
-    );
-    return false;
-  }
-
-  // Validate admin
-  $user = strtolower(trim($user));
-  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-      WHERE `superadmin` = '1'
-      AND `active` = '1'
-      AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
-    // verify password
-    if (verify_hash($row['password'], $pass)) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        // active tfa authenticators found, set pending user login
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "admin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      } else {
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "admin";
-      }
-    }
-  }
-
-  // Validate domain admin
-  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-      WHERE `superadmin` = '0'
-      AND `active`='1'
-      AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      }
-      else {
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "domainadmin";
-      }
-    }
-  }
-
-  // Validate mailbox user
-  $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
-      INNER JOIN domain on mailbox.domain = domain.domain
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active`='1'
-        AND `domain`.`active`='1'
-        AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  if ($app_passwd_data['eas'] === true) {
-    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
-        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
-        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
-        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
-          AND `mailbox`.`active` = '1'
-          AND `domain`.`active` = '1'
-          AND `app_passwd`.`active` = '1'
-          AND `app_passwd`.`eas_access` = '1'
-          AND `app_passwd`.`mailbox` = :user");
-    $stmt->execute(array(':user' => $user));
-    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
-  }
-  elseif ($app_passwd_data['dav'] === true) {
-    $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
-        INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
-        INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
-        WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
-          AND `mailbox`.`active` = '1'
-          AND `domain`.`active` = '1'
-          AND `app_passwd`.`active` = '1'
-          AND `app_passwd`.`dav_access` = '1'
-          AND `app_passwd`.`mailbox` = :user");
-    $stmt->execute(array(':user' => $user));
-    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
-  }
-  foreach ($rows as $row) { 
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      if (!array_key_exists("app_passwd_id", $row)){ 
-        // password is not a app password
-        // check for tfa authenticators
-        $authenticators = get_tfa($user);
-        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 &&
-            $app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true) {
-          // authenticators found, init TFA flow
-          $_SESSION['pending_mailcow_cc_username'] = $user;
-          $_SESSION['pending_mailcow_cc_role'] = "user";
-          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-          unset($_SESSION['ldelay']);
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
-            'msg' => array('logged_in_as', $user)
-          );
-          return "pending";
-        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-          unset($_SESSION['ldelay']);
-          // no authenticators found, login successfull
-          // Reactivate TFA if it was set to "deactivate TFA for next login"
-          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-          $stmt->execute(array(':user' => $user));
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
-            'msg' => array('logged_in_as', $user)
-          );
-          return "user";
-        }
-      } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
-        // password is a app password
-        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
-        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
-        $stmt->execute(array(
-          ':service' => $service,
-          ':app_id' => $row['app_passwd_id'],
-          ':username' => $user,
-          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
-        ));
-
-        unset($_SESSION['ldelay']);
-        return "user";
-      }
-    }
-  }
-
-  if (!isset($_SESSION['ldelay'])) {
-    $_SESSION['ldelay'] = "0";
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-  }
-  elseif (!isset($_SESSION['mailcow_cc_username'])) {
-    $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
-  }
-
-  $_SESSION['return'][] =  array(
-    'type' => 'danger',
-    'log' => array(__FUNCTION__, $user, '*'),
-    'msg' => 'login_failed'
-  );
-
-  sleep($_SESSION['ldelay']);
-  return false;
-}
 function formatBytes($size, $precision = 2) {
   if(!is_numeric($size)) {
     return "0";
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 0f48efbd5..a38094022 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1002,6 +1002,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $local_part   = strtolower(trim($_data['local_part']));
           $domain       = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
           $username     = $local_part . '@' . $domain;
+          $authsource   = 'mailcow';
           if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
@@ -1018,6 +1019,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
+          if (in_array($_data['authsource'], array('mailcow', 'keycloak'))){
+            $authsource = $_data['authsource'];
+          }
           if (empty($name)) {
             $name = $local_part;
           }
@@ -1035,6 +1039,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $name         = ltrim(rtrim($_data['name'], '>'), '<');
           $tags         = (isset($_data['tags'])) ? $_data['tags'] : $MAILBOX_DEFAULT_ATTRIBUTES['tags'];
           $quota_m      = (isset($_data['quota'])) ? intval($_data['quota']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['quota']) / 1024 ** 2;
+          if ($authsource != 'mailcow'){
+            $password = '';
+            $password2 = '';
+            $password_hashed = '';
+          }
           if ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
@@ -1153,10 +1162,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (password_check($password, $password2) !== true) {
-            return false;
+          if ($authsource == 'mailcow'){
+            if (password_check($password, $password2) !== true) {
+              return false;
+            }
+            $password_hashed = hash_password($password);
           }
-          $password_hashed = hash_password($password);
           if ($MailboxData['count'] >= $DomainData['mailboxes']) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
@@ -1182,8 +1193,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          $stmt = $pdo->prepare("INSERT INTO `mailbox` (`username`, `password`, `name`, `quota`, `local_part`, `domain`, `attributes`, `active`)
-            VALUES (:username, :password_hashed, :name, :quota_b, :local_part, :domain, :mailbox_attrs, :active)");
+          $stmt = $pdo->prepare("INSERT INTO `mailbox` (`username`, `password`, `name`, `quota`, `local_part`, `domain`, `attributes`, `authsource`, `active`)
+            VALUES (:username, :password_hashed, :name, :quota_b, :local_part, :domain, :mailbox_attrs, :authsource, :active)");
           $stmt->execute(array(
             ':username' => $username,
             ':password_hashed' => $password_hashed,
@@ -1192,6 +1203,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             ':local_part' => $local_part,
             ':domain' => $domain,
             ':mailbox_attrs' => $mailbox_attrs,
+            ':authsource' => $authsource,
             ':active' => $active
           ));
           $stmt = $pdo->prepare("UPDATE `mailbox` SET
@@ -4422,6 +4434,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               `mailbox`.`quota`,
               `mailbox`.`created`,
               `mailbox`.`modified`,
+              `mailbox`.`authsource`,
               `quota2`.`bytes`,
               `attributes`,
               `custom_attributes`,
@@ -4443,6 +4456,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               `mailbox`.`quota`,
               `mailbox`.`created`,
               `mailbox`.`modified`,
+              `mailbox`.`authsource`,
               `quota2replica`.`bytes`,
               `attributes`,
               `custom_attributes`,
@@ -4472,6 +4486,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $mailboxdata['percent_in_use'] = ($row['quota'] == 0) ? '- ' : round((intval($row['bytes']) / intval($row['quota'])) * 100);
           $mailboxdata['created'] = $row['created'];
           $mailboxdata['modified'] = $row['modified'];
+          $mailboxdata['authsource'] = ($row['authsource']) ? $row['authsource'] : 'mailcow';
 
           if ($mailboxdata['percent_in_use'] === '- ') {
             $mailboxdata['percent_class'] = "info";
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 6fec0c2f8..f7bd86d2d 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -362,6 +362,7 @@ function init_db_schema() {
           "custom_attributes" => "JSON NOT NULL DEFAULT ('{}')",
           "kind" => "VARCHAR(100) NOT NULL DEFAULT ''",
           "multiple_bookings" => "INT NOT NULL DEFAULT -1",
+          "authsource" => "ENUM('mailcow', 'keycloak') DEFAULT 'mailcow'",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
           "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",
           "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 9c5203e7f..1a18ba92c 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -177,6 +177,7 @@ function get_remote_ip() {
 
 // Load core functions first
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 
 // IMAP lib
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 28f8cac56..0b80bafd9 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -401,6 +401,26 @@ if (isset($_GET['query'])) {
           );
           echo json_encode($return);
         break;
+        case "login":
+          header('Content-Type: application/json');
+          $post = trim(file_get_contents('php://input'));
+          if ($post) {
+            $post = json_decode($post, true);
+          }
+
+          $return = array("success" => false, "role" => false);
+          if(!isset($post['username']) || !isset($post['password'])){
+            echo json_encode($return); 
+            return;
+          }
+          $result = check_login($post['username'], $post['password'], $post['protocol']);
+          if ($result) {
+            $return = array("success" => true, "role" => $result);
+          }
+
+          echo json_encode($return); 
+          return;
+        break;
       }
     break;
     case "get":
diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index c34a60def..af6f851ba 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -11,7 +11,8 @@ $session_var_pass = 'sogo-sso-pass';
 // validate credentials for basic auth requests
 if (isset($_SERVER['PHP_AUTH_USER'])) {
   // load prerequisites only when required
-  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
   $username = $_SERVER['PHP_AUTH_USER'];
   $password = $_SERVER['PHP_AUTH_PW'];
   $is_eas = false;
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index 8960ee938..52b4096cc 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -24,7 +24,13 @@
                   <input type="hidden" value="default" name="sender_acl">
                   <input type="hidden" value="0" name="force_pw_update">
                   <input type="hidden" value="0" name="sogo_access">
-                  <input type="hidden" value="0" name="protocol_access">
+                  <input type="hidden" value="0" name="protocol_access">      
+                  <div class="row mb-2">
+                    <label class="control-label col-sm-2">{{ lang.edit.full_name }}</label>
+                    <div class="col-sm-10">
+                      <span>{{ result.authsource }}</span>
+                    </div>
+                  </div>
                   <div class="row mb-2">
                     <label class="control-label col-sm-2" for="name">{{ lang.edit.full_name }}</label>
                     <div class="col-sm-10">
diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig
index 22807c8d3..5d6ea535b 100644
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -28,6 +28,15 @@
               </select>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="authsource">{{ lang.add.domain }}</label>
+            <div class="col-sm-10">
+              <select class="full-width-select" data-live-search="true" id="addAuthsource" name="authsource" required>
+                <option selected>mailcow</option>
+                <option>keycloak</option>
+              </select>
+            </div>
+          </div>
           <div class="row mb-4">
             <label class="control-label col-sm-2 text-sm-end text-sm-end" for="name">{{ lang.add.full_name }}</label>
             <div class="col-sm-10">

From f6869da3a02b937d8f498476be1d7e95ab418e33 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sun, 12 Mar 2023 19:08:09 +0100
Subject: [PATCH 009/378] [Web] manage keycloak identity provider

---
 data/web/admin.php                            |  3 +
 data/web/inc/functions.inc.php                | 68 +++++++++++++++++++
 data/web/inc/init_db.inc.php                  | 14 ++++
 data/web/inc/prerequisites.inc.php            | 18 +++++
 data/web/json_api.php                         |  4 ++
 data/web/templates/admin.twig                 |  2 +
 .../admin/tab-config-identity-providers.twig  | 58 ++++++++++++++++
 7 files changed, 167 insertions(+)
 create mode 100644 data/web/templates/admin/tab-config-identity-providers.twig

diff --git a/data/web/admin.php b/data/web/admin.php
index d0fcbc992..278ab61b8 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -86,6 +86,8 @@ $cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allo
 $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']);
 
 $f2b_data = fail2ban('get');
+// identity provider
+$identity_provider_settings = identity_provider('get');
 
 $template = 'admin.twig';
 $template_data = [
@@ -117,6 +119,7 @@ $template_data = [
   'show_rspamd_global_filters' => @$_SESSION['show_rspamd_global_filters'],
   'cors_settings' => $cors_settings,
   'is_https' => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on',
+  'identity_provider_settings' => $identity_provider_settings,
   'lang_admin' => json_encode($lang['admin']),
   'lang_datatables' => json_encode($lang['datatables'])
 ];
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 28cdc1797..11e0b5053 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2067,6 +2067,74 @@ function uuid4() {
 
   return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
 }
+function identity_provider($_action, $_data = null) {
+  global $pdo;
+
+  if ($_SESSION['mailcow_cc_role'] != "admin") {
+    $_SESSION['return'][] = array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_action, $_data),
+      'msg' => 'access_denied'
+    );
+    return false;
+  }
+
+  switch ($_action) {
+    case 'get':
+      $settings = array();
+      $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
+      $stmt->execute();
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      foreach($rows as $row){
+        $settings[$row["key"]] = $row["value"];
+      }
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $settings),
+        'msg' => 'admin_api_modified'
+      );
+      return $settings;
+    case 'edit':
+      $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version');
+      foreach($required_settings as $setting){
+        if (!$_data[$setting]){
+          return false;
+        }
+      }
+      try {
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => '2'
+        );
+        $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => '3'
+        );
+      } catch (Exception $e){
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data, $e->getMessage()),
+          'msg' => 'post'
+        );
+        return;
+      }
+
+      foreach($_data as $key => $value){
+        if (!in_array($key, $required_settings)){
+          continue;
+        }
+
+        $stmt->bindParam(':key', $key);
+        $stmt->bindParam(':value', $value);
+        $stmt->execute();
+      }
+      return true;
+    break;
+  }
+}
 
 function get_logs($application, $lines = false) {
   if ($lines === false) {
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index f7bd86d2d..5cfb1cd62 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -568,6 +568,20 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "identity_provider" => array(
+        "cols" => array(
+          "key" => "VARCHAR(255) NOT NULL",
+          "value" => "VARCHAR(255) NOT NULL",
+          "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
+          "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP"
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("key")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "logs" => array(
         "cols" => array(
           "id" => "INT NOT NULL AUTO_INCREMENT",
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 1a18ba92c..eac35be77 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -180,6 +180,24 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 
+// Init Keycloak Provider
+$identity_provider_settings = identity_provider('get');
+$keycloak_provider = null;
+if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
+    $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
+  $keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    'authServerUrl'         => $identity_provider_settings['server_url'],
+    'realm'                 => $identity_provider_settings['realm'],
+    'clientId'              => $identity_provider_settings['client_id'],
+    'clientSecret'          => $identity_provider_settings['client_secret'],
+    'redirectUri'           => $identity_provider_settings['redirect_url'],
+    'version'               => $identity_provider_settings['version'],                            
+    // 'encryptionAlgorithm'   => 'RS256',                             // optional
+    // 'encryptionKeyPath'     => '../key.pem'                         // optional
+    // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+  ]);
+}
+
 // IMAP lib
 // use Ddeboer\Imap\Server;
 // $imap_server = new Server('dovecot', 143, '/imap/tls/novalidate-cert');
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 0b80bafd9..769775cee 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1710,6 +1710,8 @@ if (isset($_GET['query'])) {
             if ($score)
               $score = array("score" => preg_replace("/\s+/", "", $score));
             process_get_return($score);
+          case "identity_provider":
+            process_get_return(identity_provider('get'));
           break;
         break;
         // return no route found if no case is matched
@@ -2082,6 +2084,8 @@ if (isset($_GET['query'])) {
         break;
         case "cors":
           process_edit_return(cors('edit', $attr));
+        case "identity_provider":
+          process_edit_return(identity_provider('edit', $attr));
         break;
         // return no route found if no case is matched
         default:
diff --git a/data/web/templates/admin.twig b/data/web/templates/admin.twig
index 33f2422b5..53fdeadc1 100644
--- a/data/web/templates/admin.twig
+++ b/data/web/templates/admin.twig
@@ -7,6 +7,7 @@
       <a class="nav-link dropdown-toggle active" data-bs-toggle="dropdown" href="#" role="button" aria-expanded="false">{{ lang.admin.access }}</a>
       <ul class="dropdown-menu">
         <li><button class="dropdown-item active" data-bs-target="#tab-config-admins" aria-selected="false" aria-controls="tab-config-admins" role="tab" data-bs-toggle="tab">{{ lang.admin.admins }}</button></li>
+        <li><button class="dropdown-item" data-bs-target="#tab-config-identity-providers" aria-selected="false" aria-controls="tab-config-identity-providers" role="tab" data-bs-toggle="tab">Identity Providers</button></li>
         <!-- <li><button class="dropdown-item" data-bs-target="#tab-config-ldap-admins" aria-controls="tab-config-ldap-admins" role="tab" data-bs-toggle="tab">{{ lang.admin.admins_ldap }}</button></li> -->
         <li><button class="dropdown-item" data-bs-target="#tab-config-oauth2" aria-selected="false" aria-controls="tab-config-oauth2" role="tab" data-bs-toggle="tab">{{ lang.admin.oauth2_apps }}</button></li>
         <li><button class="dropdown-item" data-bs-target="#tab-config-rspamd" aria-selected="false" aria-controls="tab-config-rspamd" role="tab" data-bs-toggle="tab">Rspamd UI</button></li>
@@ -40,6 +41,7 @@
     <div class="col-md-12">
       <div class="tab-content" style="padding-top:20px">
         {% include 'admin/tab-config-admins.twig' %}
+        {% include 'admin/tab-config-identity-providers.twig' %}
         {# {% include 'admin/tab-ldap.twig' %} #}
         {% include 'admin/tab-config-oauth2.twig' %}
         {% include 'admin/tab-config-rspamd.twig' %}
diff --git a/data/web/templates/admin/tab-config-identity-providers.twig b/data/web/templates/admin/tab-config-identity-providers.twig
new file mode 100644
index 000000000..c81978db9
--- /dev/null
+++ b/data/web/templates/admin/tab-config-identity-providers.twig
@@ -0,0 +1,58 @@
+<div role="tabpanel" class="tab-pane fade" id="tab-config-identity-providers" role="tabpanel" aria-labelledby="tab-config-identity-providers">
+  <div class="card mb-4">
+    <div class="card-header d-flex fs-5">
+      <button class="btn d-md-none flex-grow-1 text-start" data-bs-target="#collapse-tab-config-identity-providers" data-bs-toggle="collapse" aria-controls="collapse-tab-config-identity-providers">
+        {{ lang.admin.oauth2_apps }}
+      </button>
+      <span class="d-none d-md-block">{{ lang.admin.oauth2_apps }}</span>
+    </div>
+    <div id="collapse-tab-config-identity-providers" class="card-body collapse" data-bs-parent="#admin-content">
+      <form class="form-horizontal" autocapitalize="none" data-id="keycloak_sso" autocorrect="off" role="form" method="post">
+        <input type="hidden" name="authsource" value="keycloak">
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="keycloak_url">Server URL:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="keycloak_url" name="server_url" value="{{ identity_provider_settings.server_url }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="keycloak_realm">Realm:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="keycloak_realm" name="realm" value="{{ identity_provider_settings.realm }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="keycloak_client_id">Client Id:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="keycloak_client_id" name="client_id" value="{{ identity_provider_settings.client_id }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="keycloak_client_secret">Client Secret:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="keycloak_client_secret" name="client_secret" value="{{ identity_provider_settings.client_secret }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="keycloak_redirect_url">Redirect Url:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="keycloak_redirect_url" name="redirect_url" value="{{ identity_provider_settings.redirect_url }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="keycloak_version">Keycloak Version:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="keycloak_version" name="version" value="{{ identity_provider_settings.version }}" required>
+          </div>
+        </div>
+        <div class="row mt-4 mb-2">
+          <div class="offset-sm-3 col-sm-9">
+            <div class="btn-group">
+              <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="keycloak_sso" data-action="edit_selected" data-id="keycloak_sso" data-api-url='edit/identity_provider' data-api-attr='{}' href="#"><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+            </div>
+          </div>
+        </div>
+      </form>
+    </div>
+  </div>
+</div>

From 0a77cad2dd7285b3cde1d5b382870e4e9fc1c21b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 13 Mar 2023 08:54:50 +0100
Subject: [PATCH 010/378] [Web] limit identity_provider function better

---
 data/web/inc/functions.inc.php | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 11e0b5053..793e3e6b1 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2068,16 +2068,9 @@ function uuid4() {
   return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
 }
 function identity_provider($_action, $_data = null) {
+function identity_provider($_action, $_data = null, $hide_secret = false) {
   global $pdo;
 
-  if ($_SESSION['mailcow_cc_role'] != "admin") {
-    $_SESSION['return'][] = array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_action, $_data),
-      'msg' => 'access_denied'
-    );
-    return false;
-  }
 
   switch ($_action) {
     case 'get':
@@ -2088,13 +2081,20 @@ function identity_provider($_action, $_data = null) {
       foreach($rows as $row){
         $settings[$row["key"]] = $row["value"];
       }
-      $_SESSION['return'][] =  array(
-        'type' => 'success',
-        'log' => array(__FUNCTION__, $_action, $settings),
-        'msg' => 'admin_api_modified'
-      );
+      if ($hide_secret){
+        $settings['client_secret'] = '***********************';
+      }
       return $settings;
     case 'edit':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
       $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version');
       foreach($required_settings as $setting){
         if (!$_data[$setting]){

From 9d8c1a01ace42d30710e7d301e81c0becaeab152 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 13 Mar 2023 08:58:39 +0100
Subject: [PATCH 011/378] [Web] remove u2f lib

---
 data/web/inc/lib/composer.lock                |  93 +--
 .../lib/vendor/composer/autoload_classmap.php |   5 -
 .../lib/vendor/composer/autoload_static.php   |   5 -
 .../inc/lib/vendor/composer/installed.json    |  93 ---
 .../web/inc/lib/vendor/composer/installed.php |  22 +-
 .../vendor/paragonie/random_compat/LICENSE    |  22 -
 .../paragonie/random_compat/build-phar.sh     |   5 -
 .../paragonie/random_compat/composer.json     |  34 -
 .../dist/random_compat.phar.pubkey            |   5 -
 .../dist/random_compat.phar.pubkey.asc        |  11 -
 .../paragonie/random_compat/lib/random.php    |  32 -
 .../random_compat/other/build_phar.php        |  57 --
 .../random_compat/psalm-autoload.php          |   9 -
 .../vendor/paragonie/random_compat/psalm.xml  |  19 -
 .../vendor/yubico/u2flib-server/.gitignore    |   7 -
 .../vendor/yubico/u2flib-server/.travis.yml   |  23 -
 .../inc/lib/vendor/yubico/u2flib-server/BLURB |   9 -
 .../lib/vendor/yubico/u2flib-server/COPYING   |  26 -
 .../inc/lib/vendor/yubico/u2flib-server/NEWS  |  34 -
 .../lib/vendor/yubico/u2flib-server/README    |  34 -
 .../vendor/yubico/u2flib-server/README.adoc   |   1 -
 .../vendor/yubico/u2flib-server/apigen.neon   |  13 -
 .../vendor/yubico/u2flib-server/composer.json |  18 -
 .../yubico/u2flib-server/do-source-release.sh |  40 --
 .../u2flib-server/examples/assets/u2f-api.js  | 651 ------------------
 .../examples/cli/u2f-server.phps              |  83 ---
 .../examples/localstorage/index.phps          | 186 -----
 .../u2flib-server/examples/pdo/index.phps     | 204 ------
 .../vendor/yubico/u2flib-server/phpunit.xml   |   9 -
 .../lib/vendor/yubico/u2flib-server/psalm.xml |  48 --
 .../u2flib-server/src/u2flib_server/U2F.php   | 563 ---------------
 31 files changed, 3 insertions(+), 2358 deletions(-)
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/LICENSE
 delete mode 100755 data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/composer.json
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php
 delete mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/.gitignore
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/.travis.yml
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/BLURB
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/COPYING
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/NEWS
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/README
 delete mode 120000 data/web/inc/lib/vendor/yubico/u2flib-server/README.adoc
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/apigen.neon
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/composer.json
 delete mode 100755 data/web/inc/lib/vendor/yubico/u2flib-server/do-source-release.sh
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/examples/assets/u2f-api.js
 delete mode 100755 data/web/inc/lib/vendor/yubico/u2flib-server/examples/cli/u2f-server.phps
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/examples/localstorage/index.phps
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/examples/pdo/index.phps
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/phpunit.xml
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/psalm.xml
 delete mode 100644 data/web/inc/lib/vendor/yubico/u2flib-server/src/u2flib_server/U2F.php

diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index 758535375..7be7a7d43 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "139c1e5dec323144cd778ce80fd1847e",
+    "content-hash": "6c4a1dce9b5f22b95c5cd87ecf0eb333",
     "packages": [
         {
             "name": "bshaffer/oauth2-server-php",
@@ -541,56 +541,6 @@
             ],
             "time": "2022-02-13T18:13:33+00:00"
         },
-        {
-            "name": "paragonie/random_compat",
-            "version": "v9.99.100",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/paragonie/random_compat.git",
-                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
-                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">= 7"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "4.*|5.*",
-                "vimeo/psalm": "^1"
-            },
-            "suggest": {
-                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
-            },
-            "type": "library",
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Paragon Initiative Enterprises",
-                    "email": "security@paragonie.com",
-                    "homepage": "https://paragonie.com"
-                }
-            ],
-            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
-            "keywords": [
-                "csprng",
-                "polyfill",
-                "pseudorandom",
-                "random"
-            ],
-            "support": {
-                "email": "info@paragonie.com",
-                "issues": "https://github.com/paragonie/random_compat/issues",
-                "source": "https://github.com/paragonie/random_compat"
-            },
-            "time": "2020-10-15T08:29:30+00:00"
-        },
         {
             "name": "php-mime-mail-parser/php-mime-mail-parser",
             "version": "7.0.0",
@@ -1677,47 +1627,6 @@
                 }
             ],
             "time": "2022-09-28T08:42:51+00:00"
-        },
-        {
-            "name": "yubico/u2flib-server",
-            "version": "1.0.2",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/Yubico/php-u2flib-server.git",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/Yubico/php-u2flib-server/zipball/55d813acf68212ad2cadecde07551600d6971939",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939",
-                "shasum": ""
-            },
-            "require": {
-                "ext-openssl": "*",
-                "paragonie/random_compat": ">= 1",
-                "php": ">=5.6"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "~5.7",
-                "vimeo/psalm": "^0|^1|^2"
-            },
-            "type": "library",
-            "autoload": {
-                "classmap": [
-                    "src/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "BSD-2-Clause"
-            ],
-            "description": "Library for U2F implementation",
-            "homepage": "https://developers.yubico.com/php-u2flib-server",
-            "support": {
-                "issues": "https://github.com/Yubico/php-u2flib-server/issues",
-                "source": "https://github.com/Yubico/php-u2flib-server/tree/1.0.2"
-            },
-            "time": "2018-09-07T08:16:44+00:00"
         }
     ],
     "packages-dev": [],
diff --git a/data/web/inc/lib/vendor/composer/autoload_classmap.php b/data/web/inc/lib/vendor/composer/autoload_classmap.php
index f3327f110..a986241bd 100644
--- a/data/web/inc/lib/vendor/composer/autoload_classmap.php
+++ b/data/web/inc/lib/vendor/composer/autoload_classmap.php
@@ -11,9 +11,4 @@ return array(
     'Stringable' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
     'UnhandledMatchError' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
     'ValueError' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
-    'u2flib_server\\Error' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\RegisterRequest' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\Registration' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\SignRequest' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-    'u2flib_server\\U2F' => $vendorDir . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
 );
diff --git a/data/web/inc/lib/vendor/composer/autoload_static.php b/data/web/inc/lib/vendor/composer/autoload_static.php
index 94606e831..a819adf63 100644
--- a/data/web/inc/lib/vendor/composer/autoload_static.php
+++ b/data/web/inc/lib/vendor/composer/autoload_static.php
@@ -174,11 +174,6 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         'Stringable' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
         'UnhandledMatchError' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
         'ValueError' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
-        'u2flib_server\\Error' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\RegisterRequest' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\Registration' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\SignRequest' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
-        'u2flib_server\\U2F' => __DIR__ . '/..' . '/yubico/u2flib-server/src/u2flib_server/U2F.php',
     );
 
     public static function getInitializer(ClassLoader $loader)
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index e21edcc68..d910fa544 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -551,59 +551,6 @@
             ],
             "install-path": "../nesbot/carbon"
         },
-        {
-            "name": "paragonie/random_compat",
-            "version": "v9.99.100",
-            "version_normalized": "9.99.100.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/paragonie/random_compat.git",
-                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
-                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">= 7"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "4.*|5.*",
-                "vimeo/psalm": "^1"
-            },
-            "suggest": {
-                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
-            },
-            "time": "2020-10-15T08:29:30+00:00",
-            "type": "library",
-            "installation-source": "dist",
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Paragon Initiative Enterprises",
-                    "email": "security@paragonie.com",
-                    "homepage": "https://paragonie.com"
-                }
-            ],
-            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
-            "keywords": [
-                "csprng",
-                "polyfill",
-                "pseudorandom",
-                "random"
-            ],
-            "support": {
-                "email": "info@paragonie.com",
-                "issues": "https://github.com/paragonie/random_compat/issues",
-                "source": "https://github.com/paragonie/random_compat"
-            },
-            "install-path": "../paragonie/random_compat"
-        },
         {
             "name": "php-mime-mail-parser/php-mime-mail-parser",
             "version": "7.0.0",
@@ -1730,46 +1677,6 @@
                 }
             ],
             "install-path": "../twig/twig"
-        },
-        {
-            "name": "yubico/u2flib-server",
-            "version": "1.0.2",
-            "version_normalized": "1.0.2.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/Yubico/php-u2flib-server.git",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/Yubico/php-u2flib-server/zipball/55d813acf68212ad2cadecde07551600d6971939",
-                "reference": "55d813acf68212ad2cadecde07551600d6971939",
-                "shasum": ""
-            },
-            "require": {
-                "ext-openssl": "*",
-                "paragonie/random_compat": ">= 1",
-                "php": ">=5.6"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "~5.7",
-                "vimeo/psalm": "^0|^1|^2"
-            },
-            "time": "2018-09-07T08:16:44+00:00",
-            "type": "library",
-            "installation-source": "dist",
-            "autoload": {
-                "classmap": [
-                    "src/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "BSD-2-Clause"
-            ],
-            "description": "Library for U2F implementation",
-            "homepage": "https://developers.yubico.com/php-u2flib-server",
-            "install-path": "../yubico/u2flib-server"
         }
     ],
     "dev": true,
diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php
index c45f177e2..fa2ed8e5e 100644
--- a/data/web/inc/lib/vendor/composer/installed.php
+++ b/data/web/inc/lib/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '8e0b1d8aee4af02311692cb031695cc2ac3850fd',
+        'reference' => 'a7e309f1c89c5579653fae00ec9655bb5f992ec6',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '8e0b1d8aee4af02311692cb031695cc2ac3850fd',
+            'reference' => 'a7e309f1c89c5579653fae00ec9655bb5f992ec6',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -103,15 +103,6 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
-        'paragonie/random_compat' => array(
-            'pretty_version' => 'v9.99.100',
-            'version' => '9.99.100.0',
-            'reference' => '996434e5492cb4c3edcb9168db6fbb1359ef965a',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../paragonie/random_compat',
-            'aliases' => array(),
-            'dev_requirement' => false,
-        ),
         'php-mime-mail-parser/php-mime-mail-parser' => array(
             'pretty_version' => '7.0.0',
             'version' => '7.0.0.0',
@@ -253,14 +244,5 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
-        'yubico/u2flib-server' => array(
-            'pretty_version' => '1.0.2',
-            'version' => '1.0.2.0',
-            'reference' => '55d813acf68212ad2cadecde07551600d6971939',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../yubico/u2flib-server',
-            'aliases' => array(),
-            'dev_requirement' => false,
-        ),
     ),
 );
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/LICENSE b/data/web/inc/lib/vendor/paragonie/random_compat/LICENSE
deleted file mode 100644
index 45c7017df..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/LICENSE
+++ /dev/null
@@ -1,22 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Paragon Initiative Enterprises
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh b/data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh
deleted file mode 100755
index b4a5ba31c..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-
-basedir=$( dirname $( readlink -f ${BASH_SOURCE[0]} ) )
-
-php -dphar.readonly=0 "$basedir/other/build_phar.php" $*
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/composer.json b/data/web/inc/lib/vendor/paragonie/random_compat/composer.json
deleted file mode 100644
index f2b9c4e51..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/composer.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
-  "name":         "paragonie/random_compat",
-  "description":  "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
-  "keywords": [
-    "csprng",
-    "random",
-    "polyfill",
-    "pseudorandom"
-  ],
-  "license":      "MIT",
-  "type":         "library",
-  "authors": [
-    {
-      "name":     "Paragon Initiative Enterprises",
-      "email":    "security@paragonie.com",
-      "homepage": "https://paragonie.com"
-    }
-  ],
-  "support": {
-    "issues":     "https://github.com/paragonie/random_compat/issues",
-    "email":      "info@paragonie.com",
-    "source":     "https://github.com/paragonie/random_compat"
-  },
-  "require": {
-    "php": ">= 7"
-  },
-  "require-dev": {
-    "vimeo/psalm": "^1",
-    "phpunit/phpunit": "4.*|5.*"
-  },
-  "suggest": {
-    "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
-  }
-}
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey b/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey
deleted file mode 100644
index eb50ebfcd..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PUBLIC KEY-----
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEEd+wCqJDrx5B4OldM0dQE0ZMX+lx1ZWm
-pui0SUqD4G29L3NGsz9UhJ/0HjBdbnkhIK5xviT0X5vtjacF6ajgcCArbTB+ds+p
-+h7Q084NuSuIpNb6YPfoUFgC/CL9kAoc
------END PUBLIC KEY-----
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc b/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc
deleted file mode 100644
index 6a1d7f300..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.22 (MingW32)
-
-iQEcBAABAgAGBQJWtW1hAAoJEGuXocKCZATaJf0H+wbZGgskK1dcRTsuVJl9IWip
-QwGw/qIKI280SD6/ckoUMxKDCJiFuPR14zmqnS36k7N5UNPnpdTJTS8T11jttSpg
-1LCmgpbEIpgaTah+cELDqFCav99fS+bEiAL5lWDAHBTE/XPjGVCqeehyPYref4IW
-NDBIEsvnHPHPLsn6X5jq4+Yj5oUixgxaMPiR+bcO4Sh+RzOVB6i2D0upWfRXBFXA
-NNnsg9/zjvoC7ZW73y9uSH+dPJTt/Vgfeiv52/v41XliyzbUyLalf02GNPY+9goV
-JHG1ulEEBJOCiUD9cE1PUIJwHA/HqyhHIvV350YoEFiHl8iSwm7SiZu5kPjaq74=
-=B6+8
------END PGP SIGNATURE-----
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php b/data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php
deleted file mode 100644
index c7731a56f..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
-/**
- * Random_* Compatibility Library
- * for using the new PHP 7 random_* API in PHP 5 projects
- *
- * @version 2.99.99
- * @released 2018-06-06
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2015 - 2018 Paragon Initiative Enterprises
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-// NOP
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php b/data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php
deleted file mode 100644
index 70ef4b2ed..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php
+++ /dev/null
@@ -1,57 +0,0 @@
-<?php
-$dist = dirname(__DIR__).'/dist';
-if (!is_dir($dist)) {
-    mkdir($dist, 0755);
-}
-if (file_exists($dist.'/random_compat.phar')) {
-    unlink($dist.'/random_compat.phar');
-}
-$phar = new Phar(
-    $dist.'/random_compat.phar',
-    FilesystemIterator::CURRENT_AS_FILEINFO | \FilesystemIterator::KEY_AS_FILENAME,
-    'random_compat.phar'
-);
-rename(
-    dirname(__DIR__).'/lib/random.php', 
-    dirname(__DIR__).'/lib/index.php'
-);
-$phar->buildFromDirectory(dirname(__DIR__).'/lib');
-rename(
-    dirname(__DIR__).'/lib/index.php', 
-    dirname(__DIR__).'/lib/random.php'
-);
-
-/**
- * If we pass an (optional) path to a private key as a second argument, we will
- * sign the Phar with OpenSSL.
- * 
- * If you leave this out, it will produce an unsigned .phar!
- */
-if ($argc > 1) {
-    if (!@is_readable($argv[1])) {
-        echo 'Could not read the private key file:', $argv[1], "\n";
-        exit(255);
-    }
-    $pkeyFile = file_get_contents($argv[1]);
-    
-    $private = openssl_get_privatekey($pkeyFile);
-    if ($private !== false) {
-        $pkey = '';
-        openssl_pkey_export($private, $pkey);
-        $phar->setSignatureAlgorithm(Phar::OPENSSL, $pkey);
-        
-        /**
-         * Save the corresponding public key to the file
-         */
-        if (!@is_readable($dist.'/random_compat.phar.pubkey')) {
-            $details = openssl_pkey_get_details($private);
-            file_put_contents(
-                $dist.'/random_compat.phar.pubkey',
-                $details['key']
-            );
-        }
-    } else {
-        echo 'An error occurred reading the private key from OpenSSL.', "\n";
-        exit(255);
-    }
-}
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php b/data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php
deleted file mode 100644
index d71d1b818..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php
+++ /dev/null
@@ -1,9 +0,0 @@
-<?php
-
-require_once 'lib/byte_safe_strings.php';
-require_once 'lib/cast_to_int.php';
-require_once 'lib/error_polyfill.php';
-require_once 'other/ide_stubs/libsodium.php';
-require_once 'lib/random.php';
-
-$int = random_int(0, 65536);
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml b/data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml
deleted file mode 100644
index 596d99dd6..000000000
--- a/data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0"?>
-<psalm
-    autoloader="psalm-autoload.php"
-    stopOnFirstError="false"
-    useDocblockTypes="true"
->
-    <projectFiles>
-        <directory name="lib" />
-    </projectFiles>
-    <issueHandlers>
-        <RedundantConditionGivenDocblockType errorLevel="info" />
-        <UnresolvableInclude errorLevel="info" />
-        <DuplicateClass errorLevel="info" />
-        <InvalidOperand errorLevel="info" />
-        <UndefinedConstant errorLevel="info" />
-        <MissingReturnType errorLevel="info" />
-        <InvalidReturnType errorLevel="info" />
-    </issueHandlers>
-</psalm>
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/.gitignore b/data/web/inc/lib/vendor/yubico/u2flib-server/.gitignore
deleted file mode 100644
index 0d968f1a6..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-composer.lock
-vendor/
-.*.swp
-php-u2flib-server-*.tar.gz
-php-u2flib-server-*.tar.gz.sig
-apidocs/
-build/
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/.travis.yml b/data/web/inc/lib/vendor/yubico/u2flib-server/.travis.yml
deleted file mode 100644
index beade3b00..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/.travis.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-language: php
-sudo: false
-php:
-  - 7.0
-  - 7.1
-  - 7.2
-  - hhvm
-matrix:
-  include:
-    - php: 5.6
-      env: COVERALLS=true
-  allow_failures:
-    - php: hhvm
-
-before_script:
-  - composer install
-
-script:
-  - ./vendor/bin/psalm
-  - ./vendor/phpunit/phpunit/phpunit -c phpunit.xml
-
-after_success:
-  - test -z $COVERALLS || (composer require satooshi/php-coveralls && vendor/bin/coveralls -v)
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/BLURB b/data/web/inc/lib/vendor/yubico/u2flib-server/BLURB
deleted file mode 100644
index c57974215..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/BLURB
+++ /dev/null
@@ -1,9 +0,0 @@
-Author: Yubico
-Basename: php-u2flib-server
-Homepage: https://developers.yubico.com/php-u2flib-server
-License: BSD-2-Clause
-Name: Native U2F library in PHP
-Project: php-u2flib-server
-Summary: Native U2F library in PHP
-Yubico-Category: U2F projects
-Travis: https://travis-ci.org/Yubico/php-u2flib-server
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/COPYING b/data/web/inc/lib/vendor/yubico/u2flib-server/COPYING
deleted file mode 100644
index 427c91756..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/COPYING
+++ /dev/null
@@ -1,26 +0,0 @@
-Copyright (c) 2014 Yubico AB
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-    * Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above
-      copyright notice, this list of conditions and the following
-      disclaimer in the documentation and/or other materials provided
-      with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/NEWS b/data/web/inc/lib/vendor/yubico/u2flib-server/NEWS
deleted file mode 100644
index 496175edf..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/NEWS
+++ /dev/null
@@ -1,34 +0,0 @@
-php-u2flib-server NEWS -- History of user-visible changes.
-
-* Version 1.0.2 (released 2018-09-07)
- ** Additional error checks.
- ** Add user presence check.
- ** Support single files for attestation root.
- ** Type safety, CSPRNG, avoid chr().
-
-* Version 1.0.1 (released 2017-05-09)
- ** Move examples to phps so they don't execute by default
- ** Use common challenge for multiple registrations
-
-* Version 1.0.0 (released 2016-02-19)
- ** Give an early error on openssl < 1.0
- ** Support devices with initial counter 0
- ** Fixes to examples
- ** Handle errorCode: 0 correctly
-
-* Version 0.1.0 (released 2015-03-03)
- ** Use openssl for all crypto instead of third party extensions.
- ** Properly check the request challenge on authenticate.
- ** Switch from returning error codes to throwing exceptions.
- ** Stop recommending composer for installation.
-
-* Version 0.0.2 (released 2014-10-24)
- ** Refactor the API to return objects instead of encoded objects.
- ** Add a second example that uses PDO to store registrations.
- ** Add documentation to the API.
- ** Check that randomness returned is good.
- ** Drop the unneeded mcrypt extension.
- ** More tests.
-
-* Version 0.0.1 (released 2014-10-16)
- ** Initial release.
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/README b/data/web/inc/lib/vendor/yubico/u2flib-server/README
deleted file mode 100644
index 0116a270c..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/README
+++ /dev/null
@@ -1,34 +0,0 @@
-php-u2flib-server
------------------
-
-image:https://travis-ci.org/Yubico/php-u2flib-server.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/php-u2flib-server"]
-image:https://coveralls.io/repos/Yubico/php-u2flib-server/badge.svg?branch=master&service=github["Coverage", link="https://coveralls.io/github/Yubico/php-u2flib-server?branch=master"]
-image:https://scrutinizer-ci.com/g/Yubico/php-u2flib-server/badges/quality-score.png?b=master["Scrutinizer Code Quality", link="https://scrutinizer-ci.com/g/Yubico/php-u2flib-server/?branch=master"]
-
-=== Introduction ===
-
-Serverside U2F library for PHP. Provides functionality for registering
-tokens and authentication with said tokens.
-
-To read more about U2F and how to use a U2F library, visit
-link:http://developers.yubico.com/U2F[developers.yubico.com/U2F].
-
-=== License ===
-
-The project is licensed under a BSD license.  See the file COPYING for
-exact wording.  For any copyright year range specified as YYYY-ZZZZ in
-this package note that the range specifies every single year in that
-closed interval.
-
-=== Dependencies ===
-
-The only dependency is the openssl extension to PHP that has to be enabled.
-
-A composer.json is included in the distribution to make things simpler for
-other project using composer.
-
-=== Tests ===
-
-To run the test suite link:https://phpunit.de[PHPUnit] is required. To run it, type:
-
- $ phpunit
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/README.adoc b/data/web/inc/lib/vendor/yubico/u2flib-server/README.adoc
deleted file mode 120000
index 100b93820..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/README.adoc
+++ /dev/null
@@ -1 +0,0 @@
-README
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/apigen.neon b/data/web/inc/lib/vendor/yubico/u2flib-server/apigen.neon
deleted file mode 100644
index bbb7071b5..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/apigen.neon
+++ /dev/null
@@ -1,13 +0,0 @@
-destination: apidocs
-
-source:
-  - src/u2flib_server
-
-exclude:
-  - "*/tests/*"
-
-groups: none
-
-tree: false
-
-title: php-u2flib-server API
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/composer.json b/data/web/inc/lib/vendor/yubico/u2flib-server/composer.json
deleted file mode 100644
index 3f2d9eab7..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/composer.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "name":"yubico/u2flib-server",
-  "description":"Library for U2F implementation",
-  "homepage":"https://developers.yubico.com/php-u2flib-server",
-  "license":"BSD-2-Clause",
-  "require": {
-    "ext-openssl":"*",
-    "paragonie/random_compat": ">= 1",
-    "php": ">=5.6"
-  },
-  "autoload": {
-    "classmap": ["src/"]
-  },
-  "require-dev": {
-    "phpunit/phpunit": "~5.7",
-    "vimeo/psalm": "^0|^1|^2"
-  }
-}
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/do-source-release.sh b/data/web/inc/lib/vendor/yubico/u2flib-server/do-source-release.sh
deleted file mode 100755
index 7e5017364..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/do-source-release.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-set -e
-
-VERSION=$1
-PGP_KEYID=$2
-
-if [ "x$PGP_KEYID" = "x" ]; then
-  echo "try with $0 VERSION PGP_KEYID"
-  echo "example: $0 0.0.1 B2168C0A"
-  exit
-fi
-
-if ! head -3 NEWS  | grep -q "Version $VERSION .released `date -I`"; then
-  echo "You need to update date/version in NEWS"
-  exit
-fi
-
-if [ "x$YUBICO_GITHUB_REPO" = "x" ]; then
-  echo "you need to define YUBICO_GITHUB_REPO"
-  exit
-fi
-
-releasename=php-u2flib-server-${VERSION}
-
-git push
-git tag -u ${PGP_KEYID} -m $VERSION $VERSION
-git push --tags
-tmpdir=`mktemp -d /tmp/release.XXXXXX`
-releasedir=${tmpdir}/${releasename}
-mkdir -p $releasedir
-git archive $VERSION --format=tar | tar -xC $releasedir
-git2cl > $releasedir/ChangeLog
-cd $releasedir
-apigen generate
-cd -
-tar -cz --directory=$tmpdir --file=${releasename}.tar.gz $releasename
-gpg --detach-sign --default-key $PGP_KEYID ${releasename}.tar.gz
-$YUBICO_GITHUB_REPO/publish php-u2flib-server $VERSION ${releasename}.tar.gz*
-rm -rf $tmpdir
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/assets/u2f-api.js b/data/web/inc/lib/vendor/yubico/u2flib-server/examples/assets/u2f-api.js
deleted file mode 100644
index 0f06f50d6..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/assets/u2f-api.js
+++ /dev/null
@@ -1,651 +0,0 @@
-// Copyright 2014-2015 Google Inc. All rights reserved.
-//
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file or at
-// https://developers.google.com/open-source/licenses/bsd
-
-/**
- * @fileoverview The U2F api.
- */
-
-'use strict';
-
-/** Namespace for the U2F api.
- * @type {Object}
- */
-var u2f = u2f || {};
-
-/**
- * The U2F extension id
- * @type {string}
- * @const
- */
-u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
-
-/**
- * Message types for messsages to/from the extension
- * @const
- * @enum {string}
- */
-u2f.MessageTypes = {
-    'U2F_REGISTER_REQUEST': 'u2f_register_request',
-    'U2F_SIGN_REQUEST': 'u2f_sign_request',
-    'U2F_REGISTER_RESPONSE': 'u2f_register_response',
-    'U2F_SIGN_RESPONSE': 'u2f_sign_response'
-};
-
-/**
- * Response status codes
- * @const
- * @enum {number}
- */
-u2f.ErrorCodes = {
-    'OK': 0,
-    'OTHER_ERROR': 1,
-    'BAD_REQUEST': 2,
-    'CONFIGURATION_UNSUPPORTED': 3,
-    'DEVICE_INELIGIBLE': 4,
-    'TIMEOUT': 5
-};
-
-/**
- * A message type for registration requests
- * @typedef {{
- *   type: u2f.MessageTypes,
- *   signRequests: Array<u2f.SignRequest>,
- *   registerRequests: ?Array<u2f.RegisterRequest>,
- *   timeoutSeconds: ?number,
- *   requestId: ?number
- * }}
- */
-u2f.Request;
-
-/**
- * A message for registration responses
- * @typedef {{
- *   type: u2f.MessageTypes,
- *   responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
- *   requestId: ?number
- * }}
- */
-u2f.Response;
-
-/**
- * An error object for responses
- * @typedef {{
- *   errorCode: u2f.ErrorCodes,
- *   errorMessage: ?string
- * }}
- */
-u2f.Error;
-
-/**
- * Data object for a single sign request.
- * @typedef {{
- *   version: string,
- *   challenge: string,
- *   keyHandle: string,
- *   appId: string
- * }}
- */
-u2f.SignRequest;
-
-/**
- * Data object for a sign response.
- * @typedef {{
- *   keyHandle: string,
- *   signatureData: string,
- *   clientData: string
- * }}
- */
-u2f.SignResponse;
-
-/**
- * Data object for a registration request.
- * @typedef {{
- *   version: string,
- *   challenge: string,
- *   appId: string
- * }}
- */
-u2f.RegisterRequest;
-
-/**
- * Data object for a registration response.
- * @typedef {{
- *   registrationData: string,
- *   clientData: string
- * }}
- */
-u2f.RegisterResponse;
-
-
-// Low level MessagePort API support
-
-/**
- * Sets up a MessagePort to the U2F extension using the
- * available mechanisms.
- * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
- */
-u2f.getMessagePort = function(callback) {
-    if (typeof chrome != 'undefined' && chrome.runtime) {
-        // The actual message here does not matter, but we need to get a reply
-        // for the callback to run. Thus, send an empty signature request
-        // in order to get a failure response.
-        var msg = {
-            type: u2f.MessageTypes.U2F_SIGN_REQUEST,
-            signRequests: []
-        };
-        chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
-            if (!chrome.runtime.lastError) {
-                // We are on a whitelisted origin and can talk directly
-                // with the extension.
-                u2f.getChromeRuntimePort_(callback);
-            } else {
-                // chrome.runtime was available, but we couldn't message
-                // the extension directly, use iframe
-                u2f.getIframePort_(callback);
-            }
-        });
-    } else if (u2f.isAndroidChrome_()) {
-        u2f.getAuthenticatorPort_(callback);
-    } else {
-        // chrome.runtime was not available at all, which is normal
-        // when this origin doesn't have access to any extensions.
-        u2f.getIframePort_(callback);
-    }
-};
-
-/**
- * Detect chrome running on android based on the browser's useragent.
- * @private
- */
-u2f.isAndroidChrome_ = function() {
-    var userAgent = navigator.userAgent;
-    return userAgent.indexOf('Chrome') != -1 &&
-        userAgent.indexOf('Android') != -1;
-};
-
-/**
- * Connects directly to the extension via chrome.runtime.connect
- * @param {function(u2f.WrappedChromeRuntimePort_)} callback
- * @private
- */
-u2f.getChromeRuntimePort_ = function(callback) {
-    var port = chrome.runtime.connect(u2f.EXTENSION_ID,
-        {'includeTlsChannelId': true});
-    setTimeout(function() {
-        callback(new u2f.WrappedChromeRuntimePort_(port));
-    }, 0);
-};
-
-/**
- * Return a 'port' abstraction to the Authenticator app.
- * @param {function(u2f.WrappedAuthenticatorPort_)} callback
- * @private
- */
-u2f.getAuthenticatorPort_ = function(callback) {
-    setTimeout(function() {
-        callback(new u2f.WrappedAuthenticatorPort_());
-    }, 0);
-};
-
-/**
- * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
- * @param {Port} port
- * @constructor
- * @private
- */
-u2f.WrappedChromeRuntimePort_ = function(port) {
-    this.port_ = port;
-};
-
-/**
- * Format a return a sign request.
- * @param {Array<u2f.SignRequest>} signRequests
- * @param {number} timeoutSeconds
- * @param {number} reqId
- * @return {Object}
- */
-u2f.WrappedChromeRuntimePort_.prototype.formatSignRequest_ =
-    function(signRequests, timeoutSeconds, reqId) {
-        return {
-            type: u2f.MessageTypes.U2F_SIGN_REQUEST,
-            signRequests: signRequests,
-            timeoutSeconds: timeoutSeconds,
-            requestId: reqId
-        };
-    };
-
-/**
- * Format a return a register request.
- * @param {Array<u2f.SignRequest>} signRequests
- * @param {Array<u2f.RegisterRequest>} signRequests
- * @param {number} timeoutSeconds
- * @param {number} reqId
- * @return {Object}
- */
-u2f.WrappedChromeRuntimePort_.prototype.formatRegisterRequest_ =
-    function(signRequests, registerRequests, timeoutSeconds, reqId) {
-        return {
-            type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
-            signRequests: signRequests,
-            registerRequests: registerRequests,
-            timeoutSeconds: timeoutSeconds,
-            requestId: reqId
-        };
-    };
-
-/**
- * Posts a message on the underlying channel.
- * @param {Object} message
- */
-u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
-    this.port_.postMessage(message);
-};
-
-/**
- * Emulates the HTML 5 addEventListener interface. Works only for the
- * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
- * @param {string} eventName
- * @param {function({data: Object})} handler
- */
-u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
-    function(eventName, handler) {
-        var name = eventName.toLowerCase();
-        if (name == 'message' || name == 'onmessage') {
-            this.port_.onMessage.addListener(function(message) {
-                // Emulate a minimal MessageEvent object
-                handler({'data': message});
-            });
-        } else {
-            console.error('WrappedChromeRuntimePort only supports onMessage');
-        }
-    };
-
-/**
- * Wrap the Authenticator app with a MessagePort interface.
- * @constructor
- * @private
- */
-u2f.WrappedAuthenticatorPort_ = function() {
-    this.requestId_ = -1;
-    this.requestObject_ = null;
-}
-
-/**
- * Launch the Authenticator intent.
- * @param {Object} message
- */
-u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
-    var intentLocation = /** @type {string} */ (message);
-    document.location = intentLocation;
-};
-
-/**
- * Emulates the HTML 5 addEventListener interface.
- * @param {string} eventName
- * @param {function({data: Object})} handler
- */
-u2f.WrappedAuthenticatorPort_.prototype.addEventListener =
-    function(eventName, handler) {
-        var name = eventName.toLowerCase();
-        if (name == 'message') {
-            var self = this;
-            /* Register a callback to that executes when
-             * chrome injects the response. */
-            window.addEventListener(
-                'message', self.onRequestUpdate_.bind(self, handler), false);
-        } else {
-            console.error('WrappedAuthenticatorPort only supports message');
-        }
-    };
-
-/**
- * Callback invoked  when a response is received from the Authenticator.
- * @param function({data: Object}) callback
- * @param {Object} message message Object
- */
-u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
-    function(callback, message) {
-        var messageObject = JSON.parse(message.data);
-        var intentUrl = messageObject['intentURL'];
-
-        var errorCode = messageObject['errorCode'];
-        var responseObject = null;
-        if (messageObject.hasOwnProperty('data')) {
-            responseObject = /** @type {Object} */ (
-                JSON.parse(messageObject['data']));
-            responseObject['requestId'] = this.requestId_;
-        }
-
-        /* Sign responses from the authenticator do not conform to U2F,
-         * convert to U2F here. */
-        responseObject = this.doResponseFixups_(responseObject);
-        callback({'data': responseObject});
-    };
-
-/**
- * Fixup the response provided by the Authenticator to conform with
- * the U2F spec.
- * @param {Object} responseData
- * @return {Object} the U2F compliant response object
- */
-u2f.WrappedAuthenticatorPort_.prototype.doResponseFixups_ =
-    function(responseObject) {
-        if (responseObject.hasOwnProperty('responseData')) {
-            return responseObject;
-        } else if (this.requestObject_['type'] != u2f.MessageTypes.U2F_SIGN_REQUEST) {
-            // Only sign responses require fixups.  If this is not a response
-            // to a sign request, then an internal error has occurred.
-            return {
-                'type': u2f.MessageTypes.U2F_REGISTER_RESPONSE,
-                'responseData': {
-                    'errorCode': u2f.ErrorCodes.OTHER_ERROR,
-                    'errorMessage': 'Internal error: invalid response from Authenticator'
-                }
-            };
-        }
-
-        /* Non-conformant sign response, do fixups. */
-        var encodedChallengeObject = responseObject['challenge'];
-        if (typeof encodedChallengeObject !== 'undefined') {
-            var challengeObject = JSON.parse(atob(encodedChallengeObject));
-            var serverChallenge = challengeObject['challenge'];
-            var challengesList = this.requestObject_['signData'];
-            var requestChallengeObject = null;
-            for (var i = 0; i < challengesList.length; i++) {
-                var challengeObject = challengesList[i];
-                if (challengeObject['keyHandle'] == responseObject['keyHandle']) {
-                    requestChallengeObject = challengeObject;
-                    break;
-                }
-            }
-        }
-        var responseData = {
-            'errorCode': responseObject['resultCode'],
-            'keyHandle': responseObject['keyHandle'],
-            'signatureData': responseObject['signature'],
-            'clientData': encodedChallengeObject
-        };
-        return {
-            'type': u2f.MessageTypes.U2F_SIGN_RESPONSE,
-            'responseData': responseData,
-            'requestId': responseObject['requestId']
-        }
-    };
-
-/**
- * Base URL for intents to Authenticator.
- * @const
- * @private
- */
-u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
-    'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
-
-/**
- * Format a return a sign request.
- * @param {Array<u2f.SignRequest>} signRequests
- * @param {number} timeoutSeconds (ignored for now)
- * @param {number} reqId
- * @return {string}
- */
-u2f.WrappedAuthenticatorPort_.prototype.formatSignRequest_ =
-    function(signRequests, timeoutSeconds, reqId) {
-        if (!signRequests || signRequests.length == 0) {
-            return null;
-        }
-        /* TODO(fixme): stash away requestId, as the authenticator app does
-         * not return it for sign responses. */
-        this.requestId_ = reqId;
-        /* TODO(fixme): stash away the signRequests, to deal with the legacy
-         * response format returned by the Authenticator app. */
-        this.requestObject_ = {
-            'type': u2f.MessageTypes.U2F_SIGN_REQUEST,
-            'signData': signRequests,
-            'requestId': reqId,
-            'timeout': timeoutSeconds
-        };
-
-        var appId = signRequests[0]['appId'];
-        var intentUrl =
-            u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
-            ';S.appId=' + encodeURIComponent(appId) +
-            ';S.eventId=' + reqId +
-            ';S.challenges=' +
-            encodeURIComponent(
-                JSON.stringify(this.getBrowserDataList_(signRequests))) + ';end';
-        return intentUrl;
-    };
-
-/**
- * Get the browser data objects from the challenge list
- * @param {Array} challenges list of challenges
- * @return {Array} list of browser data objects
- * @private
- */
-u2f.WrappedAuthenticatorPort_
-    .prototype.getBrowserDataList_ = function(challenges) {
-    return challenges
-        .map(function(challenge) {
-            var browserData = {
-                'typ': 'navigator.id.getAssertion',
-                'challenge': challenge['challenge']
-            };
-            var challengeObject = {
-                'challenge' : browserData,
-                'keyHandle' : challenge['keyHandle']
-            };
-            return challengeObject;
-        });
-};
-
-/**
- * Format a return a register request.
- * @param {Array<u2f.SignRequest>} signRequests
- * @param {Array<u2f.RegisterRequest>} enrollChallenges
- * @param {number} timeoutSeconds (ignored for now)
- * @param {number} reqId
- * @return {Object}
- */
-u2f.WrappedAuthenticatorPort_.prototype.formatRegisterRequest_ =
-    function(signRequests, enrollChallenges, timeoutSeconds, reqId) {
-        if (!enrollChallenges || enrollChallenges.length == 0) {
-            return null;
-        }
-        // Assume the appId is the same for all enroll challenges.
-        var appId = enrollChallenges[0]['appId'];
-        var registerRequests = [];
-        for (var i = 0; i < enrollChallenges.length; i++) {
-            var registerRequest = {
-                'challenge': enrollChallenges[i]['challenge'],
-                'version': enrollChallenges[i]['version']
-            };
-            if (enrollChallenges[i]['appId'] != appId) {
-                // Only include the appId when it differs from the first appId.
-                registerRequest['appId'] = enrollChallenges[i]['appId'];
-            }
-            registerRequests.push(registerRequest);
-        }
-        var registeredKeys = [];
-        if (signRequests) {
-            for (i = 0; i < signRequests.length; i++) {
-                var key = {
-                    'keyHandle': signRequests[i]['keyHandle'],
-                    'version': signRequests[i]['version']
-                };
-                // Only include the appId when it differs from the appId that's
-                // being registered now.
-                if (signRequests[i]['appId'] != appId) {
-                    key['appId'] = signRequests[i]['appId'];
-                }
-                registeredKeys.push(key);
-            }
-        }
-        var request = {
-            'type': u2f.MessageTypes.U2F_REGISTER_REQUEST,
-            'appId': appId,
-            'registerRequests': registerRequests,
-            'registeredKeys': registeredKeys,
-            'requestId': reqId,
-            'timeoutSeconds': timeoutSeconds
-        };
-        var intentUrl =
-            u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
-            ';S.request=' + encodeURIComponent(JSON.stringify(request)) +
-            ';end';
-        /* TODO(fixme): stash away requestId, this is is not necessary for
-         * register requests, but here to keep parity with sign.
-         */
-        this.requestId_ = reqId;
-        return intentUrl;
-    };
-
-
-/**
- * Sets up an embedded trampoline iframe, sourced from the extension.
- * @param {function(MessagePort)} callback
- * @private
- */
-u2f.getIframePort_ = function(callback) {
-    // Create the iframe
-    var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
-    var iframe = document.createElement('iframe');
-    iframe.src = iframeOrigin + '/u2f-comms.html';
-    iframe.setAttribute('style', 'display:none');
-    document.body.appendChild(iframe);
-
-    var channel = new MessageChannel();
-    var ready = function(message) {
-        if (message.data == 'ready') {
-            channel.port1.removeEventListener('message', ready);
-            callback(channel.port1);
-        } else {
-            console.error('First event on iframe port was not "ready"');
-        }
-    };
-    channel.port1.addEventListener('message', ready);
-    channel.port1.start();
-
-    iframe.addEventListener('load', function() {
-        // Deliver the port to the iframe and initialize
-        iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
-    });
-};
-
-
-// High-level JS API
-
-/**
- * Default extension response timeout in seconds.
- * @const
- */
-u2f.EXTENSION_TIMEOUT_SEC = 30;
-
-/**
- * A singleton instance for a MessagePort to the extension.
- * @type {MessagePort|u2f.WrappedChromeRuntimePort_}
- * @private
- */
-u2f.port_ = null;
-
-/**
- * Callbacks waiting for a port
- * @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
- * @private
- */
-u2f.waitingForPort_ = [];
-
-/**
- * A counter for requestIds.
- * @type {number}
- * @private
- */
-u2f.reqCounter_ = 0;
-
-/**
- * A map from requestIds to client callbacks
- * @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
- *                       |function((u2f.Error|u2f.SignResponse)))>}
- * @private
- */
-u2f.callbackMap_ = {};
-
-/**
- * Creates or retrieves the MessagePort singleton to use.
- * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
- * @private
- */
-u2f.getPortSingleton_ = function(callback) {
-    if (u2f.port_) {
-        callback(u2f.port_);
-    } else {
-        if (u2f.waitingForPort_.length == 0) {
-            u2f.getMessagePort(function(port) {
-                u2f.port_ = port;
-                u2f.port_.addEventListener('message',
-                    /** @type {function(Event)} */ (u2f.responseHandler_));
-
-                // Careful, here be async callbacks. Maybe.
-                while (u2f.waitingForPort_.length)
-                    u2f.waitingForPort_.shift()(u2f.port_);
-            });
-        }
-        u2f.waitingForPort_.push(callback);
-    }
-};
-
-/**
- * Handles response messages from the extension.
- * @param {MessageEvent.<u2f.Response>} message
- * @private
- */
-u2f.responseHandler_ = function(message) {
-    var response = message.data;
-    var reqId = response['requestId'];
-    if (!reqId || !u2f.callbackMap_[reqId]) {
-        console.error('Unknown or missing requestId in response.');
-        return;
-    }
-    var cb = u2f.callbackMap_[reqId];
-    delete u2f.callbackMap_[reqId];
-    cb(response['responseData']);
-};
-
-/**
- * Dispatches an array of sign requests to available U2F tokens.
- * @param {Array<u2f.SignRequest>} signRequests
- * @param {function((u2f.Error|u2f.SignResponse))} callback
- * @param {number=} opt_timeoutSeconds
- */
-u2f.sign = function(signRequests, callback, opt_timeoutSeconds) {
-    u2f.getPortSingleton_(function(port) {
-        var reqId = ++u2f.reqCounter_;
-        u2f.callbackMap_[reqId] = callback;
-        var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
-            opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
-        var req = port.formatSignRequest_(signRequests, timeoutSeconds, reqId);
-        port.postMessage(req);
-    });
-};
-
-/**
- * Dispatches register requests to available U2F tokens. An array of sign
- * requests identifies already registered tokens.
- * @param {Array<u2f.RegisterRequest>} registerRequests
- * @param {Array<u2f.SignRequest>} signRequests
- * @param {function((u2f.Error|u2f.RegisterResponse))} callback
- * @param {number=} opt_timeoutSeconds
- */
-u2f.register = function(registerRequests, signRequests,
-                        callback, opt_timeoutSeconds) {
-    u2f.getPortSingleton_(function(port) {
-        var reqId = ++u2f.reqCounter_;
-        u2f.callbackMap_[reqId] = callback;
-        var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
-            opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
-        var req = port.formatRegisterRequest_(
-            signRequests, registerRequests, timeoutSeconds, reqId);
-        port.postMessage(req);
-    });
-};
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/cli/u2f-server.phps b/data/web/inc/lib/vendor/yubico/u2flib-server/examples/cli/u2f-server.phps
deleted file mode 100755
index 8acb66a4d..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/cli/u2f-server.phps
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/php
-<?php
-
- /* Copyright (c) 2015 Yubico AB
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *   * Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer.
- *
- *   * Redistributions in binary form must reproduce the above
- *     copyright notice, this list of conditions and the following
- *     disclaimer in the documentation and/or other materials provided
- *     with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * This is a basic example of a u2f-server command line that can be used 
- * with the u2f-host binary to perform regitrations and authentications.
- */ 
-
-require_once('../../src/u2flib_server/U2F.php');
-
-$options = getopt("rao:R:");
-$mode;
-$challenge;
-$response;
-$result;
-$regs;
-
-if(array_key_exists('r', $options)) {
-  $mode = "register";
-} elseif(array_key_exists('a', $options)) {
-  if(!array_key_exists('R', $options)) {
-    print "a registration must be supplied with -R";
-    exit(1);
-  }
-  $regs = json_decode('[' . $options['R'] . ']');
-  $mode = "authenticate";
-} else {
-  print "-r or -a must be used\n";
-  exit(1);
-}
-if(!array_key_exists('o', $options)) {
-  print "origin must be supplied with -o\n";
-  exit(1);
-}
-
-$u2f = new u2flib_server\U2F($options['o']);
-
-if($mode === "register") {
-  $challenge = $u2f->getRegisterData();
-} elseif($mode === "authenticate") {
-  $challenge = $u2f->getAuthenticateData($regs);
-}
-
-print json_encode($challenge[0]) . "\n";
-$response = fgets(STDIN);
-
-if($mode === "register") {
-  $result = $u2f->doRegister($challenge[0], json_decode($response));
-} elseif($mode === "authenticate") {
-  $result = $u2f->doAuthenticate($challenge, $regs, json_decode($response));
-}
-
-print json_encode($result) . "\n";
-
-?>
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/localstorage/index.phps b/data/web/inc/lib/vendor/yubico/u2flib-server/examples/localstorage/index.phps
deleted file mode 100644
index d840dd36a..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/localstorage/index.phps
+++ /dev/null
@@ -1,186 +0,0 @@
-<?php
-/**
- * Copyright (c) 2014 Yubico AB
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *   * Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer.
- *
- *   * Redistributions in binary form must reproduce the above
- *     copyright notice, this list of conditions and the following
- *     disclaimer in the documentation and/or other materials provided
- *     with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * This is a minimal example of U2F registration and authentication.
- * The data that has to be stored between registration and authentication
- * is stored in browser localStorage, so there's nothing real-world
- * about this.
- */
-require_once('../../src/u2flib_server/U2F.php');
-$scheme = isset($_SERVER['HTTPS']) ? "https://" : "http://";
-$u2f = new u2flib_server\U2F($scheme . $_SERVER['HTTP_HOST']);
-?>
-<html>
-<head>
-    <title>PHP U2F Demo</title>
-
-    <script src="../assets/u2f-api.js"></script>
-
-    <script>
-        function addRegistration(reg) {
-            var existing = localStorage.getItem('u2fregistration');
-            var regobj = JSON.parse(reg);
-            var data = null;
-            if(existing) {
-                data = JSON.parse(existing);
-                if(Array.isArray(data)) {
-                    for (var i = 0; i < data.length; i++) {
-                        if(data[i].keyHandle === regobj.keyHandle) {
-                            data.splice(i,1);
-                            break;
-                        }
-                    }
-                    data.push(regobj);
-                } else {
-                    data = null;
-                }
-            }
-            if(data == null) {
-                data = [regobj];
-            }
-            localStorage.setItem('u2fregistration', JSON.stringify(data));
-        }
-        <?php
-        function fixupArray($data) {
-            $ret = array();
-            $decoded = json_decode($data);
-            foreach ($decoded as $d) {
-                $ret[] = json_encode($d);
-            }
-            return $ret;
-        }
-        if($_SERVER['REQUEST_METHOD'] === 'POST') {
-            if(isset($_POST['startRegister'])) {
-                $regs = json_decode($_POST['registrations']) ? : array();
-                list($data, $reqs) = $u2f->getRegisterData($regs);
-                echo "var request = " . json_encode($data) . ";\n";
-                echo "var signs = " . json_encode($reqs) . ";\n";
-        ?>
-        setTimeout(function() {
-            console.log("Register: ", request);
-            u2f.register([request], signs, function(data) {
-                var form = document.getElementById('form');
-                var reg = document.getElementById('doRegister');
-                var req = document.getElementById('request');
-                console.log("Register callback", data);
-                if(data.errorCode && data.errorCode != 0) {
-                    alert("registration failed with errror: " + data.errorCode);
-                    return;
-                }
-                reg.value=JSON.stringify(data);
-                req.value=JSON.stringify(request);
-                form.submit();
-            });
-        }, 1000);
-        <?php
-            } else if($_POST['doRegister']) {
-                try {
-                    $data = $u2f->doRegister(json_decode($_POST['request']), json_decode($_POST['doRegister']));
-                    echo "var registration = '" . json_encode($data) . "';\n";
-        ?>
-        addRegistration(registration);
-        alert("registration successful!");
-        <?php
-                } catch(u2flib_server\Error $e) {
-                    echo "alert('error:" . $e->getMessage() . "');\n";
-                }
-            } else if(isset($_POST['startAuthenticate'])) {
-                $regs = json_decode($_POST['registrations']);
-                $data = $u2f->getAuthenticateData($regs);
-                echo "var registrations = " . $_POST['registrations'] . ";\n";
-                echo "var request = " . json_encode($data) . ";\n";
-        ?>
-        setTimeout(function() {
-            console.log("sign: ", request);
-            u2f.sign(request, function(data) {
-                var form = document.getElementById('form');
-                var reg = document.getElementById('doAuthenticate');
-                var req = document.getElementById('request');
-                var regs = document.getElementById('registrations');
-                console.log("Authenticate callback", data);
-                reg.value=JSON.stringify(data);
-                req.value=JSON.stringify(request);
-                regs.value=JSON.stringify(registrations);
-                form.submit();
-            });
-        }, 1000);
-        <?php
-            } else if($_POST['doAuthenticate']) {
-                $reqs = json_decode($_POST['request']);
-                $regs = json_decode($_POST['registrations']);
-                try {
-                    $data = $u2f->doAuthenticate($reqs, $regs, json_decode($_POST['doAuthenticate']));
-                    echo "var registration = '" . json_encode($data) . "';\n";
-                    echo "addRegistration(registration);\n";
-                    echo "alert('Authentication successful, counter:" . $data->counter . "');\n";
-                } catch(u2flib_server\Error $e) {
-                    echo "alert('error:" . $e->getMessage() . "');\n";
-                }
-            }
-        }
-        ?>
-    </script>
-
-</head>
-<body>
-<form method="POST" id="form">
-    <button name="startRegister" type="submit">Register</button>
-    <input type="hidden" name="doRegister" id="doRegister"/>
-    <button name="startAuthenticate" type="submit" id="startAuthenticate">Authenticate</button>
-    <input type="hidden" name="doAuthenticate" id="doAuthenticate"/>
-    <input type="hidden" name="request" id="request"/>
-    <input type="hidden" name="registrations" id="registrations"/>
-</form>
-
-<p>
-    <span id="registered">0</span> Authenticators currently registered.
-</p>
-
-<script>
-    var reg = localStorage.getItem('u2fregistration');
-    var auth = document.getElementById('startAuthenticate');
-    if(reg == null) {
-        auth.disabled = true;
-    } else {
-        var regs = document.getElementById('registrations');
-        decoded = JSON.parse(reg);
-        if(!Array.isArray(decoded)) {
-            auth.disabled = true;
-        } else {
-            regs.value = reg;
-            console.log("set the registrations to : ", reg);
-            var regged = document.getElementById('registered');
-            regged.innerHTML = decoded.length;
-        }
-    }
-</script>
-</body>
-</html>
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/pdo/index.phps b/data/web/inc/lib/vendor/yubico/u2flib-server/examples/pdo/index.phps
deleted file mode 100644
index c04d63e24..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/examples/pdo/index.phps
+++ /dev/null
@@ -1,204 +0,0 @@
-<?php
-/**
- * Copyright (c) 2014 Yubico AB
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *   * Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer.
- *
- *   * Redistributions in binary form must reproduce the above
- *     copyright notice, this list of conditions and the following
- *     disclaimer in the documentation and/or other materials provided
- *     with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * This is a simple example using PDO and a sqlite database for storing
- * registrations. It supports multiple registrations associated with each user.
- */
-
-require_once('../../src/u2flib_server/U2F.php');
-
-$dbfile = '/var/tmp/u2f-pdo.sqlite';
-
-$pdo = new PDO("sqlite:$dbfile");
-$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);
-
-$pdo->exec("create table if not exists users (id integer primary key, name varchar(255))");
-$pdo->exec("create table if not exists registrations (id integer primary key, user_id integer, keyHandle varchar(255), publicKey varchar(255), certificate text, counter integer)");
-
-$scheme = isset($_SERVER['HTTPS']) ? "https://" : "http://";
-$u2f = new u2flib_server\U2F($scheme . $_SERVER['HTTP_HOST']);
-
-session_start();
-
-function createAndGetUser($name) {
-    global $pdo;
-    $sel = $pdo->prepare("select * from users where name = ?");
-    $sel->execute(array($name));
-    $user = $sel->fetch();
-    if(!$user) {
-        $ins = $pdo->prepare("insert into users (name) values(?)");
-        $ins->execute(array($name));
-        $sel->execute(array($name));
-        $user = $sel->fetch();
-    }
-    return $user;
-}
-
-function getRegs($user_id) {
-    global $pdo;
-    $sel = $pdo->prepare("select * from registrations where user_id = ?");
-    $sel->execute(array($user_id));
-    return $sel->fetchAll();
-}
-
-function addReg($user_id, $reg) {
-    global $pdo;
-    $ins = $pdo->prepare("insert into registrations (user_id, keyHandle, publicKey, certificate, counter) values (?, ?, ?, ?, ?)");
-    $ins->execute(array($user_id, $reg->keyHandle, $reg->publicKey, $reg->certificate, $reg->counter));
-}
-
-function updateReg($reg) {
-    global $pdo;
-    $upd = $pdo->prepare("update registrations set counter = ? where id = ?");
-    $upd->execute(array($reg->counter, $reg->id));
-}
-
-?>
-
-<html>
-<head>
-    <title>PHP U2F example</title>
-
-    <script src="../assets/u2f-api.js"></script>
-
-    <script>
-        <?php
-
-        if($_SERVER['REQUEST_METHOD'] === 'POST') {
-          if(!$_POST['username']) {
-            echo "alert('no username provided!');";
-          } else if(!isset($_POST['action']) && !isset($_POST['register2']) && !isset($_POST['authenticate2'])) {
-            echo "alert('no action provided!');";
-          } else {
-            $user = createAndGetUser($_POST['username']);
-
-            if(isset($_POST['action'])) {
-              switch($_POST['action']):
-                case 'register':
-                  try {
-                    $data = $u2f->getRegisterData(getRegs($user->id));
-
-                    list($req,$sigs) = $data;
-                    $_SESSION['regReq'] = json_encode($req);
-                    echo "var req = " . json_encode($req) . ";";
-                    echo "var sigs = " . json_encode($sigs) . ";";
-                    echo "var username = '" . $user->name . "';";
-        ?>
-        setTimeout(function() {
-            console.log("Register: ", req);
-            u2f.register([req], sigs, function(data) {
-                var form = document.getElementById('form');
-                var reg = document.getElementById('register2');
-                var user = document.getElementById('username');
-                console.log("Register callback", data);
-                if(data.errorCode && errorCode != 0) {
-                    alert("registration failed with errror: " + data.errorCode);
-                    return;
-                }
-                reg.value = JSON.stringify(data);
-                user.value = username;
-                form.submit();
-            });
-        }, 1000);
-        <?php
-                  } catch( Exception $e ) {
-                    echo "alert('error: " . $e->getMessage() . "');";
-                  }
-
-                  break;
-
-                case 'authenticate':
-                  try {
-                    $reqs = json_encode($u2f->getAuthenticateData(getRegs($user->id)));
-
-                    $_SESSION['authReq'] = $reqs;
-                    echo "var req = $reqs;";
-                    echo "var username = '" . $user->name . "';";
-        ?>
-        setTimeout(function() {
-            console.log("sign: ", req);
-            u2f.sign(req, function(data) {
-                var form = document.getElementById('form');
-                var auth = document.getElementById('authenticate2');
-                var user = document.getElementById('username');
-                console.log("Authenticate callback", data);
-                auth.value=JSON.stringify(data);
-                user.value = username;
-                form.submit();
-            });
-        }, 1000);
-        <?php
-                  } catch( Exception $e ) {
-                    echo "alert('error: " . $e->getMessage() . "');";
-                  }
-
-                  break;
-
-              endswitch;
-            } else if($_POST['register2']) {
-              try {
-                $reg = $u2f->doRegister(json_decode($_SESSION['regReq']), json_decode($_POST['register2']));
-                addReg($user->id, $reg);
-              } catch( Exception $e ) {
-                echo "alert('error: " . $e->getMessage() . "');";
-              } finally {
-                $_SESSION['regReq'] = null;
-              }
-            } else if($_POST['authenticate2']) {
-              try {
-                $reg = $u2f->doAuthenticate(json_decode($_SESSION['authReq']), getRegs($user->id), json_decode($_POST['authenticate2']));
-                updateReg($reg);
-                echo "alert('success: " . $reg->counter . "');";
-              } catch( Exception $e ) {
-                echo "alert('error: " . $e->getMessage() . "');";
-              } finally {
-                $_SESSION['authReq'] = null;
-              }
-            }
-          }
-        }
-        ?>
-    </script>
-</head>
-<body>
-
-<form method="POST" id="form">
-    username: <input name="username" id="username"/><br/>
-    register: <input value="register" name="action" type="radio"/><br/>
-    authenticate: <input value="authenticate" name="action" type="radio"/><br/>
-    <input type="hidden" name="register2" id="register2"/>
-    <input type="hidden" name="authenticate2" id="authenticate2"/>
-    <button type="submit">Submit!</button>
-</form>
-
-</body>
-</html>
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/phpunit.xml b/data/web/inc/lib/vendor/yubico/u2flib-server/phpunit.xml
deleted file mode 100644
index fa6f08e83..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/phpunit.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<phpunit
-    colors="true">
-    <testsuite name="tests">
-        <directory suffix="test.php">tests</directory>
-    </testsuite>
-    <logging>
-        <log type="coverage-clover" target="build/logs/clover.xml"/>
-    </logging>
-</phpunit>
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/psalm.xml b/data/web/inc/lib/vendor/yubico/u2flib-server/psalm.xml
deleted file mode 100644
index 6b6234cfb..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/psalm.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version="1.0"?>
-<psalm
-    totallyTyped="false"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns="https://getpsalm.org/schema/config"
-    xsi:schemaLocation="https://getpsalm.org/schema/config file:///mnt/share/php-u2flib-server/vendor/vimeo/psalm/config.xsd"
->
-    <projectFiles>
-        <directory name="src" />
-        <ignoreFiles>
-            <directory name="vendor" />
-        </ignoreFiles>
-    </projectFiles>
-
-    <issueHandlers>
-        <LessSpecificReturnType errorLevel="info" />
-
-        <!-- level 3 issues - slightly lazy code writing, but provably low false-negatives -->
-
-        <DeprecatedMethod errorLevel="info" />
-        <DeprecatedProperty errorLevel="info" />
-        <DeprecatedClass errorLevel="info" />
-        <DeprecatedInterface errorLevel="info" />
-
-        <MissingClosureReturnType errorLevel="info" />
-        <MissingReturnType errorLevel="info" />
-        <MissingPropertyType errorLevel="info" />
-        <InvalidDocblock errorLevel="info" />
-        <MisplacedRequiredParam errorLevel="info" />
-
-        <PropertyNotSetInConstructor errorLevel="info" />
-        <MissingConstructor errorLevel="info" />
-        <MissingClosureParamType errorLevel="info" />
-        <MissingParamType errorLevel="info" />
-
-        <RedundantCondition errorLevel="info" />
-
-        <DocblockTypeContradiction errorLevel="suppress" />
-        <RedundantConditionGivenDocblockType errorLevel="suppress" />
-
-        <UnresolvableInclude errorLevel="info" />
-
-        <RawObjectIteration errorLevel="info" />
-
-        <!-- psalm seems to wrongly complain about this, set the errorLevel to info for now -->
-        <UndefinedConstant errorLevel="info" />
-    </issueHandlers>
-</psalm>
diff --git a/data/web/inc/lib/vendor/yubico/u2flib-server/src/u2flib_server/U2F.php b/data/web/inc/lib/vendor/yubico/u2flib-server/src/u2flib_server/U2F.php
deleted file mode 100644
index 8583fff2e..000000000
--- a/data/web/inc/lib/vendor/yubico/u2flib-server/src/u2flib_server/U2F.php
+++ /dev/null
@@ -1,563 +0,0 @@
-<?php
-/* Copyright (c) 2014 Yubico AB
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *   * Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer.
- *
- *   * Redistributions in binary form must reproduce the above
- *     copyright notice, this list of conditions and the following
- *     disclaimer in the documentation and/or other materials provided
- *     with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace u2flib_server;
-
-/** Constant for the version of the u2f protocol */
-const U2F_VERSION = "U2F_V2";
-
-/** Constant for the type value in registration clientData */
-const REQUEST_TYPE_REGISTER = "navigator.id.finishEnrollment";
-
-/** Constant for the type value in authentication clientData */
-const REQUEST_TYPE_AUTHENTICATE = "navigator.id.getAssertion";
-
-/** Error for the authentication message not matching any outstanding
- * authentication request */
-const ERR_NO_MATCHING_REQUEST = 1;
-
-/** Error for the authentication message not matching any registration */
-const ERR_NO_MATCHING_REGISTRATION = 2;
-
-/** Error for the signature on the authentication message not verifying with
- * the correct key */
-const ERR_AUTHENTICATION_FAILURE = 3;
-
-/** Error for the challenge in the registration message not matching the
- * registration challenge */
-const ERR_UNMATCHED_CHALLENGE = 4;
-
-/** Error for the attestation signature on the registration message not
- * verifying */
-const ERR_ATTESTATION_SIGNATURE = 5;
-
-/** Error for the attestation verification not verifying */
-const ERR_ATTESTATION_VERIFICATION = 6;
-
-/** Error for not getting good random from the system */
-const ERR_BAD_RANDOM = 7;
-
-/** Error when the counter is lower than expected */
-const ERR_COUNTER_TOO_LOW = 8;
-
-/** Error decoding public key */
-const ERR_PUBKEY_DECODE = 9;
-
-/** Error user-agent returned error */
-const ERR_BAD_UA_RETURNING = 10;
-
-/** Error old OpenSSL version */
-const ERR_OLD_OPENSSL = 11;
-
-/** Error for the origin not matching the appId */
-const ERR_NO_MATCHING_ORIGIN = 12;
-
-/** Error for the type in clientData being invalid */
-const ERR_BAD_TYPE = 13;
-
-/** Error for bad user presence byte value */
-const ERR_BAD_USER_PRESENCE = 14;
-
-/** @internal */
-const PUBKEY_LEN = 65;
-
-class U2F
-{
-    /** @var string  */
-    private $appId;
-
-    /** @var null|string */
-    private $attestDir;
-
-    /** @internal */
-    private $FIXCERTS = array(
-        '349bca1031f8c82c4ceca38b9cebf1a69df9fb3b94eed99eb3fb9aa3822d26e8',
-        'dd574527df608e47ae45fbba75a2afdd5c20fd94a02419381813cd55a2a3398f',
-        '1d8764f0f7cd1352df6150045c8f638e517270e8b5dda1c63ade9c2280240cae',
-        'd0edc9a91a1677435a953390865d208c55b3183c6759c9b5a7ff494c322558eb',
-        '6073c436dcd064a48127ddbf6032ac1a66fd59a0c24434f070d4e564c124c897',
-        'ca993121846c464d666096d35f13bf44c1b05af205f9b4a1e00cf6cc10c5e511'
-    );
-
-    /**
-     * @param string $appId Application id for the running application
-     * @param string|null $attestDir Directory where trusted attestation roots may be found
-     * @throws Error If OpenSSL older than 1.0.0 is used
-     */
-    public function __construct($appId, $attestDir = null)
-    {
-        if(OPENSSL_VERSION_NUMBER < 0x10000000) {
-            throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL);
-        }
-        $this->appId = $appId;
-        $this->attestDir = $attestDir;
-    }
-
-    /**
-     * Called to get a registration request to send to a user.
-     * Returns an array of one registration request and a array of sign requests.
-     *
-     * @param array $registrations List of current registrations for this
-     * user, to prevent the user from registering the same authenticator several
-     * times.
-     * @return array An array of two elements, the first containing a
-     * RegisterRequest the second being an array of SignRequest
-     * @throws Error
-     */
-    public function getRegisterData(array $registrations = array())
-    {
-        $challenge = $this->createChallenge();
-        $request = new RegisterRequest($challenge, $this->appId);
-        $signs = $this->getAuthenticateData($registrations);
-        return array($request, $signs);
-    }
-
-    /**
-     * Called to verify and unpack a registration message.
-     *
-     * @param RegisterRequest $request this is a reply to
-     * @param object $response response from a user
-     * @param bool $includeCert set to true if the attestation certificate should be
-     * included in the returned Registration object
-     * @return Registration
-     * @throws Error
-     */
-    public function doRegister($request, $response, $includeCert = true)
-    {
-        if( !is_object( $request ) ) {
-            throw new \InvalidArgumentException('$request of doRegister() method only accepts object.');
-        }
-
-        if( !is_object( $response ) ) {
-            throw new \InvalidArgumentException('$response of doRegister() method only accepts object.');
-        }
-
-        if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) {
-            throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
-        }
-
-        if( !is_bool( $includeCert ) ) {
-            throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.');
-        }
-
-        $rawReg = $this->base64u_decode($response->registrationData);
-        $regData = array_values(unpack('C*', $rawReg));
-        $clientData = $this->base64u_decode($response->clientData);
-        $cli = json_decode($clientData);
-
-        if($cli->challenge !== $request->challenge) {
-            throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE );
-        }
-
-        if(isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) {
-            throw new Error('ClientData type is invalid', ERR_BAD_TYPE);
-        }
-
-        if(isset($cli->origin) && $cli->origin !== $request->appId) {
-            throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN);
-        }
-
-        $registration = new Registration();
-        $offs = 1;
-        $pubKey = substr($rawReg, $offs, PUBKEY_LEN);
-        $offs += PUBKEY_LEN;
-        // decode the pubKey to make sure it's good
-        $tmpKey = $this->pubkey_to_pem($pubKey);
-        if($tmpKey === null) {
-            throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
-        }
-        $registration->publicKey = base64_encode($pubKey);
-        $khLen = $regData[$offs++];
-        $kh = substr($rawReg, $offs, $khLen);
-        $offs += $khLen;
-        $registration->keyHandle = $this->base64u_encode($kh);
-
-        // length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes)
-        $certLen = 4;
-        $certLen += ($regData[$offs + 2] << 8);
-        $certLen += $regData[$offs + 3];
-
-        $rawCert = $this->fixSignatureUnusedBits(substr($rawReg, $offs, $certLen));
-        $offs += $certLen;
-        $pemCert  = "-----BEGIN CERTIFICATE-----\r\n";
-        $pemCert .= chunk_split(base64_encode($rawCert), 64);
-        $pemCert .= "-----END CERTIFICATE-----";
-        if($includeCert) {
-            $registration->certificate = base64_encode($rawCert);
-        }
-        if($this->attestDir) {
-            if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) {
-                throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION );
-            }
-        }
-
-        if(!openssl_pkey_get_public($pemCert)) {
-            throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
-        }
-        $signature = substr($rawReg, $offs);
-
-        $dataToVerify  = pack('C', 0);
-        $dataToVerify .= hash('sha256', $request->appId, true);
-        $dataToVerify .= hash('sha256', $clientData, true);
-        $dataToVerify .= $kh;
-        $dataToVerify .= $pubKey;
-
-        if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) {
-            return $registration;
-        } else {
-            throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE );
-        }
-    }
-
-    /**
-     * Called to get an authentication request.
-     *
-     * @param array $registrations An array of the registrations to create authentication requests for.
-     * @return array An array of SignRequest
-     * @throws Error
-     */
-    public function getAuthenticateData(array $registrations)
-    {
-        $sigs = array();
-        $challenge = $this->createChallenge();
-        foreach ($registrations as $reg) {
-            if( !is_object( $reg ) ) {
-                throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.');
-            }
-            /** @var Registration $reg */
-
-            $sig = new SignRequest();
-            $sig->appId = $this->appId;
-            $sig->keyHandle = $reg->keyHandle;
-            $sig->challenge = $challenge;
-            $sigs[] = $sig;
-        }
-        return $sigs;
-    }
-
-    /**
-     * Called to verify an authentication response
-     *
-     * @param array $requests An array of outstanding authentication requests
-     * @param array $registrations An array of current registrations
-     * @param object $response A response from the authenticator
-     * @return Registration
-     * @throws Error
-     *
-     * The Registration object returned on success contains an updated counter
-     * that should be saved for future authentications.
-     * If the Error returned is ERR_COUNTER_TOO_LOW this is an indication of
-     * token cloning or similar and appropriate action should be taken.
-     */
-    public function doAuthenticate(array $requests, array $registrations, $response)
-    {
-        if( !is_object( $response ) ) {
-            throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.');
-        }
-
-        if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) {
-            throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
-        }
-
-        /** @var object|null $req */
-        $req = null;
-
-        /** @var object|null $reg */
-        $reg = null;
-
-        $clientData = $this->base64u_decode($response->clientData);
-        $decodedClient = json_decode($clientData);
-
-        if(isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) {
-            throw new Error('ClientData type is invalid', ERR_BAD_TYPE);
-        }
-
-        foreach ($requests as $req) {
-            if( !is_object( $req ) ) {
-                throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.');
-            }
-
-            if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) {
-                break;
-            }
-
-            $req = null;
-        }
-        if($req === null) {
-            throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST );
-        }
-        if(isset($decodedClient->origin) && $decodedClient->origin !== $req->appId) {
-            throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN);
-        }
-        foreach ($registrations as $reg) {
-            if( !is_object( $reg ) ) {
-                throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.');
-            }
-
-            if($reg->keyHandle === $response->keyHandle) {
-                break;
-            }
-            $reg = null;
-        }
-        if($reg === null) {
-            throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION );
-        }
-        $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey));
-        if($pemKey === null) {
-            throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
-        }
-
-        $signData = $this->base64u_decode($response->signatureData);
-        $dataToVerify  = hash('sha256', $req->appId, true);
-        $dataToVerify .= substr($signData, 0, 5);
-        $dataToVerify .= hash('sha256', $clientData, true);
-        $signature = substr($signData, 5);
-
-        if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) {
-            $upb = unpack("Cupb", substr($signData, 0, 1)); 
-            if($upb['upb'] !== 1) { 
-                throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE );
-            }
-            $ctr = unpack("Nctr", substr($signData, 1, 4));
-            $counter = $ctr['ctr'];
-            /* TODO: wrap-around should be handled somehow.. */
-            if($counter > $reg->counter) {
-                $reg->counter = $counter;
-                return self::castObjectToRegistration($reg);
-            } else {
-                throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW );
-            }
-        } else {
-            throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE );
-        }
-    }
-
-    /**
-     * @param object $object
-     * @return Registration
-     */
-    protected static function castObjectToRegistration($object)
-    {
-        $reg = new Registration();
-        if (property_exists($object, 'publicKey')) {
-            $reg->publicKey = $object->publicKey;
-        }
-        if (property_exists($object, 'certificate')) {
-            $reg->certificate = $object->certificate;
-        }
-        if (property_exists($object, 'counter')) {
-            $reg->counter = $object->counter;
-        }
-        if (property_exists($object, 'keyHandle')) {
-            $reg->keyHandle = $object->keyHandle;
-        }
-        return $reg;
-    }
-
-    /**
-     * @return array
-     */
-    private function get_certs()
-    {
-        $files = array();
-        $dir = $this->attestDir;
-        if($dir !== null && is_dir($dir) && $handle = opendir($dir)) {
-            while(false !== ($entry = readdir($handle))) {
-                if(is_file("$dir/$entry")) {
-                    $files[] = "$dir/$entry";
-                }
-            }
-            closedir($handle);
-        } elseif (is_file("$dir")) {
-            $files[] = "$dir";
-        }
-        return $files;
-    }
-
-    /**
-     * @param string $data
-     * @return string
-     */
-    private function base64u_encode($data)
-    {
-        return trim(strtr(base64_encode($data), '+/', '-_'), '=');
-    }
-
-    /**
-     * @param string $data
-     * @return string
-     */
-    private function base64u_decode($data)
-    {
-        return base64_decode(strtr($data, '-_', '+/'));
-    }
-
-    /**
-     * @param string $key
-     * @return null|string
-     */
-    private function pubkey_to_pem($key)
-    {
-        if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") {
-            return null;
-        }
-
-        /*
-         * Convert the public key to binary DER format first
-         * Using the ECC SubjectPublicKeyInfo OIDs from RFC 5480
-         *
-         *  SEQUENCE(2 elem)                        30 59
-         *   SEQUENCE(2 elem)                       30 13
-         *    OID1.2.840.10045.2.1 (id-ecPublicKey) 06 07 2a 86 48 ce 3d 02 01
-         *    OID1.2.840.10045.3.1.7 (secp256r1)    06 08 2a 86 48 ce 3d 03 01 07
-         *   BIT STRING(520 bit)                    03 42 ..key..
-         */
-        $der  = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
-        $der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
-        $der .= "\0".$key;
-
-        $pem  = "-----BEGIN PUBLIC KEY-----\r\n";
-        $pem .= chunk_split(base64_encode($der), 64);
-        $pem .= "-----END PUBLIC KEY-----";
-
-        return $pem;
-    }
-
-    /**
-     * @return string
-     * @throws Error
-     */
-    private function createChallenge()
-    {
-        $challenge = random_bytes(32);
-        $challenge = $this->base64u_encode( $challenge );
-
-        return $challenge;
-    }
-
-    /**
-     * Fixes a certificate where the signature contains unused bits.
-     *
-     * @param string $cert
-     * @return mixed
-     */
-    private function fixSignatureUnusedBits($cert)
-    {
-        if(in_array(hash('sha256', $cert), $this->FIXCERTS, true)) {
-            $cert[strlen($cert) - 257] = "\0";
-        }
-        return $cert;
-    }
-}
-
-/**
- * Class for building a registration request
- *
- * @package u2flib_server
- */
-class RegisterRequest
-{
-    /** @var string Protocol version */
-    public $version = U2F_VERSION;
-
-    /** @var string Registration challenge */
-    public $challenge;
-
-    /** @var string Application id */
-    public $appId;
-
-    /**
-     * @param string $challenge
-     * @param string $appId
-     * @internal
-     */
-    public function __construct($challenge, $appId)
-    {
-        $this->challenge = $challenge;
-        $this->appId = $appId;
-    }
-}
-
-/**
- * Class for building up an authentication request
- *
- * @package u2flib_server
- */
-class SignRequest
-{
-    /** @var string Protocol version */
-    public $version = U2F_VERSION;
-
-    /** @var string Authentication challenge */
-    public $challenge = '';
-
-    /** @var string Key handle of a registered authenticator */
-    public $keyHandle = '';
-
-    /** @var string Application id */
-    public $appId = '';
-}
-
-/**
- * Class returned for successful registrations
- *
- * @package u2flib_server
- */
-class Registration
-{
-    /** @var string The key handle of the registered authenticator */
-    public $keyHandle = '';
-
-    /** @var string The public key of the registered authenticator */
-    public $publicKey = '';
-
-    /** @var string The attestation certificate of the registered authenticator */
-    public $certificate = '';
-
-    /** @var int The counter associated with this registration */
-    public $counter = -1;
-}
-
-/**
- * Error class, returned on errors
- *
- * @package u2flib_server
- */
-class Error extends \Exception
-{
-    /**
-     * Override constructor and make message and code mandatory
-     * @param string $message
-     * @param int $code
-     * @param \Exception|null $previous
-     */
-    public function __construct($message, $code, \Exception $previous = null) {
-        parent::__construct($message, $code, $previous);
-    }
-}

From cd3660a96d4cfb7158ede6a282378de23bbac98e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 13 Mar 2023 09:02:32 +0100
Subject: [PATCH 012/378] [Web] add oauth2-keycloak lib

---
 data/web/inc/lib/composer.json                |    4 +-
 data/web/inc/lib/composer.lock                |  841 ++++++++-
 .../lib/vendor/composer/autoload_files.php    |    4 +
 .../inc/lib/vendor/composer/autoload_psr4.php |    8 +
 .../lib/vendor/composer/autoload_static.php   |   51 +
 .../inc/lib/vendor/composer/installed.json    |  875 ++++++++++
 .../web/inc/lib/vendor/composer/installed.php |  130 +-
 .../lib/vendor/composer/platform_check.php    |    4 +-
 .../inc/lib/vendor/firebase/php-jwt/LICENSE   |   30 +
 .../inc/lib/vendor/firebase/php-jwt/README.md |  289 ++++
 .../lib/vendor/firebase/php-jwt/composer.json |   36 +
 .../php-jwt/src/BeforeValidException.php      |    7 +
 .../firebase/php-jwt/src/ExpiredException.php |    7 +
 .../lib/vendor/firebase/php-jwt/src/JWK.php   |  172 ++
 .../lib/vendor/firebase/php-jwt/src/JWT.php   |  611 +++++++
 .../lib/vendor/firebase/php-jwt/src/Key.php   |   59 +
 .../php-jwt/src/SignatureInvalidException.php |    7 +
 .../lib/vendor/guzzlehttp/guzzle/CHANGELOG.md | 1519 +++++++++++++++++
 .../inc/lib/vendor/guzzlehttp/guzzle/LICENSE  |   27 +
 .../lib/vendor/guzzlehttp/guzzle/README.md    |   94 +
 .../lib/vendor/guzzlehttp/guzzle/UPGRADING.md | 1253 ++++++++++++++
 .../vendor/guzzlehttp/guzzle/composer.json    |  105 ++
 .../guzzlehttp/guzzle/src/BodySummarizer.php  |   28 +
 .../guzzle/src/BodySummarizerInterface.php    |   13 +
 .../vendor/guzzlehttp/guzzle/src/Client.php   |  477 ++++++
 .../guzzlehttp/guzzle/src/ClientInterface.php |   84 +
 .../guzzlehttp/guzzle/src/ClientTrait.php     |  241 +++
 .../guzzle/src/Cookie/CookieJar.php           |  317 ++++
 .../guzzle/src/Cookie/CookieJarInterface.php  |   79 +
 .../guzzle/src/Cookie/FileCookieJar.php       |  101 ++
 .../guzzle/src/Cookie/SessionCookieJar.php    |   77 +
 .../guzzle/src/Cookie/SetCookie.php           |  446 +++++
 .../src/Exception/BadResponseException.php    |   39 +
 .../guzzle/src/Exception/ClientException.php  |   10 +
 .../guzzle/src/Exception/ConnectException.php |   56 +
 .../guzzle/src/Exception/GuzzleException.php  |    9 +
 .../Exception/InvalidArgumentException.php    |    7 +
 .../guzzle/src/Exception/RequestException.php |  166 ++
 .../guzzle/src/Exception/ServerException.php  |   10 +
 .../Exception/TooManyRedirectsException.php   |    7 +
 .../src/Exception/TransferException.php       |    7 +
 .../guzzle/src/Handler/CurlFactory.php        |  595 +++++++
 .../src/Handler/CurlFactoryInterface.php      |   25 +
 .../guzzle/src/Handler/CurlHandler.php        |   49 +
 .../guzzle/src/Handler/CurlMultiHandler.php   |  262 +++
 .../guzzle/src/Handler/EasyHandle.php         |  112 ++
 .../guzzle/src/Handler/HeaderProcessor.php    |   42 +
 .../guzzle/src/Handler/MockHandler.php        |  211 +++
 .../guzzlehttp/guzzle/src/Handler/Proxy.php   |   51 +
 .../guzzle/src/Handler/StreamHandler.php      |  593 +++++++
 .../guzzlehttp/guzzle/src/HandlerStack.php    |  275 +++
 .../guzzle/src/MessageFormatter.php           |  198 +++
 .../guzzle/src/MessageFormatterInterface.php  |   18 +
 .../guzzlehttp/guzzle/src/Middleware.php      |  260 +++
 .../lib/vendor/guzzlehttp/guzzle/src/Pool.php |  125 ++
 .../guzzle/src/PrepareBodyMiddleware.php      |  104 ++
 .../guzzle/src/RedirectMiddleware.php         |  228 +++
 .../guzzlehttp/guzzle/src/RequestOptions.php  |  264 +++
 .../guzzlehttp/guzzle/src/RetryMiddleware.php |  116 ++
 .../guzzlehttp/guzzle/src/TransferStats.php   |  133 ++
 .../vendor/guzzlehttp/guzzle/src/Utils.php    |  385 +++++
 .../guzzlehttp/guzzle/src/functions.php       |  167 ++
 .../guzzle/src/functions_include.php          |    6 +
 .../vendor/guzzlehttp/promises/CHANGELOG.md   |  110 ++
 .../lib/vendor/guzzlehttp/promises/LICENSE    |   24 +
 .../lib/vendor/guzzlehttp/promises/README.md  |  546 ++++++
 .../vendor/guzzlehttp/promises/composer.json  |   58 +
 .../promises/src/AggregateException.php       |   17 +
 .../promises/src/CancellationException.php    |   10 +
 .../guzzlehttp/promises/src/Coroutine.php     |  169 ++
 .../vendor/guzzlehttp/promises/src/Create.php |   84 +
 .../vendor/guzzlehttp/promises/src/Each.php   |   90 +
 .../guzzlehttp/promises/src/EachPromise.php   |  247 +++
 .../promises/src/FulfilledPromise.php         |   84 +
 .../lib/vendor/guzzlehttp/promises/src/Is.php |   46 +
 .../guzzlehttp/promises/src/Promise.php       |  278 +++
 .../promises/src/PromiseInterface.php         |   97 ++
 .../promises/src/PromisorInterface.php        |   16 +
 .../promises/src/RejectedPromise.php          |   91 +
 .../promises/src/RejectionException.php       |   48 +
 .../guzzlehttp/promises/src/TaskQueue.php     |   67 +
 .../promises/src/TaskQueueInterface.php       |   24 +
 .../vendor/guzzlehttp/promises/src/Utils.php  |  276 +++
 .../guzzlehttp/promises/src/functions.php     |  363 ++++
 .../promises/src/functions_include.php        |    6 +
 .../lib/vendor/guzzlehttp/psr7/CHANGELOG.md   |  402 +++++
 .../inc/lib/vendor/guzzlehttp/psr7/LICENSE    |   26 +
 .../inc/lib/vendor/guzzlehttp/psr7/README.md  |  880 ++++++++++
 .../lib/vendor/guzzlehttp/psr7/composer.json  |   96 ++
 .../guzzlehttp/psr7/src/AppendStream.php      |  248 +++
 .../guzzlehttp/psr7/src/BufferStream.php      |  149 ++
 .../guzzlehttp/psr7/src/CachingStream.php     |  153 ++
 .../guzzlehttp/psr7/src/DroppingStream.php    |   49 +
 .../src/Exception/MalformedUriException.php   |   14 +
 .../vendor/guzzlehttp/psr7/src/FnStream.php   |  180 ++
 .../lib/vendor/guzzlehttp/psr7/src/Header.php |  134 ++
 .../guzzlehttp/psr7/src/HttpFactory.php       |  100 ++
 .../guzzlehttp/psr7/src/InflateStream.php     |   37 +
 .../guzzlehttp/psr7/src/LazyOpenStream.php    |   49 +
 .../guzzlehttp/psr7/src/LimitStream.php       |  157 ++
 .../vendor/guzzlehttp/psr7/src/Message.php    |  246 +++
 .../guzzlehttp/psr7/src/MessageTrait.php      |  264 +++
 .../vendor/guzzlehttp/psr7/src/MimeType.php   | 1237 ++++++++++++++
 .../guzzlehttp/psr7/src/MultipartStream.php   |  159 ++
 .../guzzlehttp/psr7/src/NoSeekStream.php      |   28 +
 .../vendor/guzzlehttp/psr7/src/PumpStream.php |  179 ++
 .../lib/vendor/guzzlehttp/psr7/src/Query.php  |  113 ++
 .../vendor/guzzlehttp/psr7/src/Request.php    |  157 ++
 .../vendor/guzzlehttp/psr7/src/Response.php   |  160 ++
 .../vendor/guzzlehttp/psr7/src/Rfc7230.php    |   23 +
 .../guzzlehttp/psr7/src/ServerRequest.php     |  344 ++++
 .../lib/vendor/guzzlehttp/psr7/src/Stream.php |  282 +++
 .../psr7/src/StreamDecoratorTrait.php         |  155 ++
 .../guzzlehttp/psr7/src/StreamWrapper.php     |  175 ++
 .../guzzlehttp/psr7/src/UploadedFile.php      |  211 +++
 .../lib/vendor/guzzlehttp/psr7/src/Uri.php    |  740 ++++++++
 .../guzzlehttp/psr7/src/UriComparator.php     |   52 +
 .../guzzlehttp/psr7/src/UriNormalizer.php     |  220 +++
 .../guzzlehttp/psr7/src/UriResolver.php       |  211 +++
 .../lib/vendor/guzzlehttp/psr7/src/Utils.php  |  459 +++++
 .../lib/vendor/league/oauth2-client/LICENSE   |   21 +
 .../lib/vendor/league/oauth2-client/README.md |   58 +
 .../vendor/league/oauth2-client/composer.json |   58 +
 .../oauth2-client/src/Grant/AbstractGrant.php |   80 +
 .../src/Grant/AuthorizationCode.php           |   41 +
 .../src/Grant/ClientCredentials.php           |   39 +
 .../Grant/Exception/InvalidGrantException.php |   26 +
 .../oauth2-client/src/Grant/GrantFactory.php  |  104 ++
 .../oauth2-client/src/Grant/Password.php      |   42 +
 .../oauth2-client/src/Grant/RefreshToken.php  |   41 +
 .../HttpBasicAuthOptionProvider.php           |   42 +
 .../OptionProviderInterface.php               |   30 +
 .../OptionProvider/PostAuthOptionProvider.php |   51 +
 .../src/Provider/AbstractProvider.php         |  843 +++++++++
 .../Exception/IdentityProviderException.php   |   48 +
 .../src/Provider/GenericProvider.php          |  233 +++
 .../src/Provider/GenericResourceOwner.php     |   61 +
 .../src/Provider/ResourceOwnerInterface.php   |   36 +
 .../oauth2-client/src/Token/AccessToken.php   |  243 +++
 .../src/Token/AccessTokenInterface.php        |   74 +
 .../ResourceOwnerAccessTokenInterface.php     |   25 +
 .../src/Tool/ArrayAccessorTrait.php           |   52 +
 .../src/Tool/BearerAuthorizationTrait.php     |   36 +
 .../src/Tool/GuardedPropertyTrait.php         |   70 +
 .../src/Tool/MacAuthorizationTrait.php        |   83 +
 .../src/Tool/ProviderRedirectTrait.php        |  122 ++
 .../src/Tool/QueryBuilderTrait.php            |   33 +
 .../oauth2-client/src/Tool/RequestFactory.php |   87 +
 .../src/Tool/RequiredParameterTrait.php       |   56 +
 .../vendor/paragonie/random_compat/LICENSE    |   22 +
 .../paragonie/random_compat/build-phar.sh     |    5 +
 .../paragonie/random_compat/composer.json     |   34 +
 .../dist/random_compat.phar.pubkey            |    5 +
 .../dist/random_compat.phar.pubkey.asc        |   11 +
 .../paragonie/random_compat/lib/random.php    |   32 +
 .../random_compat/other/build_phar.php        |   57 +
 .../random_compat/psalm-autoload.php          |    9 +
 .../vendor/paragonie/random_compat/psalm.xml  |   19 +
 .../lib/vendor/psr/http-client/CHANGELOG.md   |   23 +
 .../inc/lib/vendor/psr/http-client/LICENSE    |   19 +
 .../inc/lib/vendor/psr/http-client/README.md  |   12 +
 .../lib/vendor/psr/http-client/composer.json  |   27 +
 .../src/ClientExceptionInterface.php          |   10 +
 .../psr/http-client/src/ClientInterface.php   |   20 +
 .../src/NetworkExceptionInterface.php         |   24 +
 .../src/RequestExceptionInterface.php         |   24 +
 .../lib/vendor/psr/http-factory/.gitignore    |    2 +
 .../vendor/psr/http-factory/.pullapprove.yml  |    7 +
 .../inc/lib/vendor/psr/http-factory/LICENSE   |   21 +
 .../inc/lib/vendor/psr/http-factory/README.md |   10 +
 .../lib/vendor/psr/http-factory/composer.json |   35 +
 .../src/RequestFactoryInterface.php           |   18 +
 .../src/ResponseFactoryInterface.php          |   18 +
 .../src/ServerRequestFactoryInterface.php     |   24 +
 .../src/StreamFactoryInterface.php            |   45 +
 .../src/UploadedFileFactoryInterface.php      |   34 +
 .../http-factory/src/UriFactoryInterface.php  |   17 +
 .../lib/vendor/psr/http-message/CHANGELOG.md  |   36 +
 .../inc/lib/vendor/psr/http-message/LICENSE   |   19 +
 .../inc/lib/vendor/psr/http-message/README.md |   13 +
 .../lib/vendor/psr/http-message/composer.json |   26 +
 .../psr/http-message/src/MessageInterface.php |  187 ++
 .../psr/http-message/src/RequestInterface.php |  129 ++
 .../http-message/src/ResponseInterface.php    |   68 +
 .../src/ServerRequestInterface.php            |  261 +++
 .../psr/http-message/src/StreamInterface.php  |  158 ++
 .../src/UploadedFileInterface.php             |  123 ++
 .../psr/http-message/src/UriInterface.php     |  323 ++++
 .../vendor/ralouphie/getallheaders/LICENSE    |   21 +
 .../vendor/ralouphie/getallheaders/README.md  |   27 +
 .../ralouphie/getallheaders/composer.json     |   26 +
 .../getallheaders/src/getallheaders.php       |   46 +
 .../stevenmaguire/oauth2-keycloak/.gitignore  |    4 +
 .../oauth2-keycloak/.scrutinizer.yml          |   35 +
 .../stevenmaguire/oauth2-keycloak/.travis.yml |   26 +
 .../oauth2-keycloak/CHANGELOG.md              |   74 +
 .../oauth2-keycloak/CONTRIBUTING.md           |   42 +
 .../stevenmaguire/oauth2-keycloak/LICENSE     |   21 +
 .../stevenmaguire/oauth2-keycloak/README.md   |  175 ++
 .../oauth2-keycloak/composer.json             |   44 +
 .../oauth2-keycloak/examples/index.php        |   53 +
 .../oauth2-keycloak/phpunit.xml.dist          |   38 +
 .../EncryptionConfigurationException.php      |   22 +
 .../oauth2-keycloak/src/Provider/Keycloak.php |  387 +++++
 .../src/Provider/KeycloakResourceOwner.php    |   65 +
 .../test/src/Provider/KeycloakTest.php        |  306 ++++
 .../deprecation-contracts/CHANGELOG.md        |    5 +
 .../symfony/deprecation-contracts/LICENSE     |   19 +
 .../symfony/deprecation-contracts/README.md   |   26 +
 .../deprecation-contracts/composer.json       |   35 +
 .../deprecation-contracts/function.php        |   27 +
 211 files changed, 29545 insertions(+), 7 deletions(-)
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/LICENSE
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/README.md
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/composer.json
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/BeforeValidException.php
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/ExpiredException.php
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/SignatureInvalidException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/LICENSE
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/README.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/UPGRADING.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/composer.json
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizer.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizerInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Client.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientTrait.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJar.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJarInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/FileCookieJar.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SessionCookieJar.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/BadResponseException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ClientException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ConnectException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/GuzzleException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/InvalidArgumentException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ServerException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TooManyRedirectsException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TransferException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/EasyHandle.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/HeaderProcessor.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/MockHandler.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/HandlerStack.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatter.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatterInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Middleware.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Pool.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RequestOptions.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RetryMiddleware.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/TransferStats.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Utils.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions_include.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/LICENSE
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/README.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/composer.json
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/AggregateException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/CancellationException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/Coroutine.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/Create.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/Each.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/EachPromise.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/FulfilledPromise.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/Is.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/Promise.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/PromiseInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/PromisorInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectedPromise.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectionException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueue.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueueInterface.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/Utils.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/functions.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/promises/src/functions_include.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/LICENSE
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/README.md
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/AppendStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/BufferStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/CachingStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/DroppingStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Exception/MalformedUriException.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/FnStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Header.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/HttpFactory.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/InflateStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/LazyOpenStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/LimitStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/MimeType.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/MultipartStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/NoSeekStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/PumpStream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Query.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Request.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Response.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Rfc7230.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Stream.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamDecoratorTrait.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamWrapper.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/UploadedFile.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Uri.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriComparator.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriNormalizer.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriResolver.php
 create mode 100644 data/web/inc/lib/vendor/guzzlehttp/psr7/src/Utils.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/LICENSE
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/README.md
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/composer.json
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AbstractGrant.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AuthorizationCode.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/ClientCredentials.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Exception/InvalidGrantException.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/GrantFactory.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Password.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Grant/RefreshToken.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/HttpBasicAuthOptionProvider.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/OptionProviderInterface.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/PostAuthOptionProvider.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericResourceOwner.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Provider/ResourceOwnerInterface.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessToken.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessTokenInterface.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Token/ResourceOwnerAccessTokenInterface.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ArrayAccessorTrait.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/BearerAuthorizationTrait.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/GuardedPropertyTrait.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/MacAuthorizationTrait.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ProviderRedirectTrait.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/QueryBuilderTrait.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequestFactory.php
 create mode 100644 data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequiredParameterTrait.php
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/LICENSE
 create mode 100755 data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/composer.json
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php
 create mode 100644 data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/LICENSE
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/README.md
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/composer.json
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/src/ClientExceptionInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/src/ClientInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/src/NetworkExceptionInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-client/src/RequestExceptionInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/.gitignore
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/.pullapprove.yml
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/LICENSE
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/README.md
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/composer.json
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/src/RequestFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/src/ResponseFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/src/ServerRequestFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/src/StreamFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/src/UploadedFileFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-factory/src/UriFactoryInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/LICENSE
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/README.md
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/composer.json
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/MessageInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/RequestInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/ResponseInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/ServerRequestInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/StreamInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/UploadedFileInterface.php
 create mode 100644 data/web/inc/lib/vendor/psr/http-message/src/UriInterface.php
 create mode 100644 data/web/inc/lib/vendor/ralouphie/getallheaders/LICENSE
 create mode 100644 data/web/inc/lib/vendor/ralouphie/getallheaders/README.md
 create mode 100644 data/web/inc/lib/vendor/ralouphie/getallheaders/composer.json
 create mode 100644 data/web/inc/lib/vendor/ralouphie/getallheaders/src/getallheaders.php
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.gitignore
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.scrutinizer.yml
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CONTRIBUTING.md
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/LICENSE
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/examples/index.php
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Exception/EncryptionConfigurationException.php
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Keycloak.php
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/KeycloakResourceOwner.php
 create mode 100644 data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php
 create mode 100644 data/web/inc/lib/vendor/symfony/deprecation-contracts/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/symfony/deprecation-contracts/LICENSE
 create mode 100644 data/web/inc/lib/vendor/symfony/deprecation-contracts/README.md
 create mode 100644 data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json
 create mode 100644 data/web/inc/lib/vendor/symfony/deprecation-contracts/function.php

diff --git a/data/web/inc/lib/composer.json b/data/web/inc/lib/composer.json
index 78033ec9b..cc1fc7dd4 100644
--- a/data/web/inc/lib/composer.json
+++ b/data/web/inc/lib/composer.json
@@ -1,7 +1,6 @@
 {
     "require": {
         "robthree/twofactorauth": "^1.6",
-        "yubico/u2flib-server": "^1.0",
         "phpmailer/phpmailer": "^6.1",
         "php-mime-mail-parser/php-mime-mail-parser": "^7",
         "soundasleep/html2text": "^0.5.0",
@@ -10,6 +9,7 @@
         "bshaffer/oauth2-server-php": "^1.11",
         "mustangostang/spyc": "^0.6.3",
         "directorytree/ldaprecord": "^2.4",
-        "twig/twig": "^3.0"
+        "twig/twig": "^3.0",
+        "stevenmaguire/oauth2-keycloak": "^3.2"
     }
 }
diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index 7be7a7d43..c03fe1c29 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "6c4a1dce9b5f22b95c5cd87ecf0eb333",
+    "content-hash": "65fe6638523a3a93c55e67a061725223",
     "packages": [
         {
             "name": "bshaffer/oauth2-server-php",
@@ -216,6 +216,394 @@
             ],
             "time": "2022-02-25T16:00:51+00:00"
         },
+        {
+            "name": "firebase/php-jwt",
+            "version": "v5.5.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/firebase/php-jwt.git",
+                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/83b609028194aa042ea33b5af2d41a7427de80e6",
+                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": ">=4.8 <=9"
+            },
+            "suggest": {
+                "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Firebase\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Neuman Vong",
+                    "email": "neuman+pear@twilio.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Anant Narayanan",
+                    "email": "anant@php.net",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+            "homepage": "https://github.com/firebase/php-jwt",
+            "keywords": [
+                "jwt",
+                "php"
+            ],
+            "support": {
+                "issues": "https://github.com/firebase/php-jwt/issues",
+                "source": "https://github.com/firebase/php-jwt/tree/v5.5.1"
+            },
+            "time": "2021-11-08T20:18:51+00:00"
+        },
+        {
+            "name": "guzzlehttp/guzzle",
+            "version": "7.5.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/guzzle.git",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "shasum": ""
+            },
+            "require": {
+                "ext-json": "*",
+                "guzzlehttp/promises": "^1.5",
+                "guzzlehttp/psr7": "^1.9 || ^2.4",
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-client": "^1.0",
+                "symfony/deprecation-contracts": "^2.2 || ^3.0"
+            },
+            "provide": {
+                "psr/http-client-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "ext-curl": "*",
+                "php-http/client-integration-tests": "^3.0",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23",
+                "psr/log": "^1.1 || ^2.0 || ^3.0"
+            },
+            "suggest": {
+                "ext-curl": "Required for CURL handler support",
+                "ext-intl": "Required for Internationalized Domain Name (IDN) support",
+                "psr/log": "Required for using the Log middleware"
+            },
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                },
+                "branch-alias": {
+                    "dev-master": "7.5-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Jeremy Lindblom",
+                    "email": "jeremeamia@gmail.com",
+                    "homepage": "https://github.com/jeremeamia"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle is a PHP HTTP client library",
+            "keywords": [
+                "client",
+                "curl",
+                "framework",
+                "http",
+                "http client",
+                "psr-18",
+                "psr-7",
+                "rest",
+                "web service"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/guzzle/issues",
+                "source": "https://github.com/guzzle/guzzle/tree/7.5.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/guzzle",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2022-08-28T15:39:27+00:00"
+        },
+        {
+            "name": "guzzlehttp/promises",
+            "version": "1.5.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/promises.git",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/b94b2807d85443f9719887892882d0329d1e2598",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.5"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^4.4 || ^5.1"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.5-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\Promise\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle promises library",
+            "keywords": [
+                "promise"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/promises/issues",
+                "source": "https://github.com/guzzle/promises/tree/1.5.2"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/promises",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2022-08-28T14:55:35+00:00"
+        },
+        {
+            "name": "guzzlehttp/psr7",
+            "version": "2.4.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/psr7.git",
+                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
+                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0",
+                "ralouphie/getallheaders": "^3.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "http-interop/http-factory-tests": "^0.9",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23"
+            },
+            "suggest": {
+                "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+            },
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                },
+                "branch-alias": {
+                    "dev-master": "2.4-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "GuzzleHttp\\Psr7\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://sagikazarmark.hu"
+                }
+            ],
+            "description": "PSR-7 message implementation that also provides common utility methods",
+            "keywords": [
+                "http",
+                "message",
+                "psr-7",
+                "request",
+                "response",
+                "stream",
+                "uri",
+                "url"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/psr7/issues",
+                "source": "https://github.com/guzzle/psr7/tree/2.4.4"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2023-03-09T13:19:02+00:00"
+        },
         {
             "name": "illuminate/contracts",
             "version": "v9.3.0",
@@ -264,6 +652,76 @@
             },
             "time": "2022-02-22T14:45:39+00:00"
         },
+        {
+            "name": "league/oauth2-client",
+            "version": "2.6.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/oauth2-client.git",
+                "reference": "2334c249907190c132364f5dae0287ab8666aa19"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/2334c249907190c132364f5dae0287ab8666aa19",
+                "reference": "2334c249907190c132364f5dae0287ab8666aa19",
+                "shasum": ""
+            },
+            "require": {
+                "guzzlehttp/guzzle": "^6.0 || ^7.0",
+                "paragonie/random_compat": "^1 || ^2 || ^9.99",
+                "php": "^5.6 || ^7.0 || ^8.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "^1.3.5",
+                "php-parallel-lint/php-parallel-lint": "^1.3.1",
+                "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5",
+                "squizlabs/php_codesniffer": "^2.3 || ^3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-2.x": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Bilbie",
+                    "email": "hello@alexbilbie.com",
+                    "homepage": "http://www.alexbilbie.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Woody Gilk",
+                    "homepage": "https://github.com/shadowhand",
+                    "role": "Contributor"
+                }
+            ],
+            "description": "OAuth 2.0 Client Library",
+            "keywords": [
+                "Authentication",
+                "SSO",
+                "authorization",
+                "identity",
+                "idp",
+                "oauth",
+                "oauth2",
+                "single sign on"
+            ],
+            "support": {
+                "issues": "https://github.com/thephpleague/oauth2-client/issues",
+                "source": "https://github.com/thephpleague/oauth2-client/tree/2.6.1"
+            },
+            "time": "2021-12-22T16:42:49+00:00"
+        },
         {
             "name": "matthiasmullie/minify",
             "version": "1.3.66",
@@ -541,6 +999,56 @@
             ],
             "time": "2022-02-13T18:13:33+00:00"
         },
+        {
+            "name": "paragonie/random_compat",
+            "version": "v9.99.100",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/paragonie/random_compat.git",
+                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
+                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">= 7"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "4.*|5.*",
+                "vimeo/psalm": "^1"
+            },
+            "suggest": {
+                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+            },
+            "type": "library",
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Paragon Initiative Enterprises",
+                    "email": "security@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+            "keywords": [
+                "csprng",
+                "polyfill",
+                "pseudorandom",
+                "random"
+            ],
+            "support": {
+                "email": "info@paragonie.com",
+                "issues": "https://github.com/paragonie/random_compat/issues",
+                "source": "https://github.com/paragonie/random_compat"
+            },
+            "time": "2020-10-15T08:29:30+00:00"
+        },
         {
             "name": "php-mime-mail-parser/php-mime-mail-parser",
             "version": "7.0.0",
@@ -763,6 +1271,166 @@
             },
             "time": "2021-11-05T16:47:00+00:00"
         },
+        {
+            "name": "psr/http-client",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-client.git",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-client/zipball/2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0 || ^8.0",
+                "psr/http-message": "^1.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP clients",
+            "homepage": "https://github.com/php-fig/http-client",
+            "keywords": [
+                "http",
+                "http-client",
+                "psr",
+                "psr-18"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-client/tree/master"
+            },
+            "time": "2020-06-29T06:28:15+00:00"
+        },
+        {
+            "name": "psr/http-factory",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interfaces for PSR-7 HTTP message factories",
+            "keywords": [
+                "factory",
+                "http",
+                "message",
+                "psr",
+                "psr-17",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-factory/tree/master"
+            },
+            "time": "2019-04-30T12:38:16+00:00"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "homepage": "https://github.com/php-fig/http-message",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-message/tree/master"
+            },
+            "time": "2016-08-06T14:39:51+00:00"
+        },
         {
             "name": "psr/log",
             "version": "3.0.0",
@@ -864,6 +1532,50 @@
             },
             "time": "2021-10-29T13:22:09+00:00"
         },
+        {
+            "name": "ralouphie/getallheaders",
+            "version": "3.0.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ralouphie/getallheaders.git",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.6"
+            },
+            "require-dev": {
+                "php-coveralls/php-coveralls": "^2.1",
+                "phpunit/phpunit": "^5 || ^6.5"
+            },
+            "type": "library",
+            "autoload": {
+                "files": [
+                    "src/getallheaders.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Ralph Khattar",
+                    "email": "ralph.khattar@gmail.com"
+                }
+            ],
+            "description": "A polyfill for getallheaders.",
+            "support": {
+                "issues": "https://github.com/ralouphie/getallheaders/issues",
+                "source": "https://github.com/ralouphie/getallheaders/tree/develop"
+            },
+            "time": "2019-03-08T08:55:37+00:00"
+        },
         {
             "name": "robthree/twofactorauth",
             "version": "1.8.1",
@@ -989,6 +1701,133 @@
             },
             "time": "2017-04-19T22:01:50+00:00"
         },
+        {
+            "name": "stevenmaguire/oauth2-keycloak",
+            "version": "3.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/stevenmaguire/oauth2-keycloak.git",
+                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/34e4824f5fa26aa8e90f1258859c75570c12d27a",
+                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a",
+                "shasum": ""
+            },
+            "require": {
+                "firebase/php-jwt": "~4.0|~5.0",
+                "league/oauth2-client": "^2.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "~0.9",
+                "phpunit/phpunit": "~4.0",
+                "squizlabs/php_codesniffer": "~2.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Stevenmaguire\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Steven Maguire",
+                    "email": "stevenmaguire@gmail.com",
+                    "homepage": "https://github.com/stevenmaguire"
+                }
+            ],
+            "description": "Keycloak OAuth 2.0 Client Provider for The PHP League OAuth2-Client",
+            "keywords": [
+                "authorisation",
+                "authorization",
+                "client",
+                "keycloak",
+                "oauth",
+                "oauth2"
+            ],
+            "support": {
+                "issues": "https://github.com/stevenmaguire/oauth2-keycloak/issues",
+                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/3.2.0"
+            },
+            "time": "2022-12-16T12:46:38+00:00"
+        },
+        {
+            "name": "symfony/deprecation-contracts",
+            "version": "v3.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/deprecation-contracts.git",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.1"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-main": "3.3-dev"
+                },
+                "thanks": {
+                    "name": "symfony/contracts",
+                    "url": "https://github.com/symfony/contracts"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "function.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "A generic function and convention to trigger deprecation notices",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2023-03-01T10:25:55+00:00"
+        },
         {
             "name": "symfony/polyfill-ctype",
             "version": "v1.24.0",
diff --git a/data/web/inc/lib/vendor/composer/autoload_files.php b/data/web/inc/lib/vendor/composer/autoload_files.php
index 502893f7d..2730ec34b 100644
--- a/data/web/inc/lib/vendor/composer/autoload_files.php
+++ b/data/web/inc/lib/vendor/composer/autoload_files.php
@@ -7,6 +7,10 @@ $baseDir = dirname($vendorDir);
 
 return array(
     '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
+    '7b11c4dc42b3b3023073cb14e519683c' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
+    'c964ee0ededf28c96ebd9db5099ef910' => $vendorDir . '/guzzlehttp/promises/src/functions_include.php',
+    '6e3fae29631ef280660b3cdad06f25a8' => $vendorDir . '/symfony/deprecation-contracts/function.php',
+    '37a3dc5111fe8f707ab4c132ef1dbc62' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
     'a4a119a56e50fbb293281d9a48007e0e' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
     'a1105708a18b76903365ca1c4aa61b02' => $vendorDir . '/symfony/translation/Resources/functions.php',
     '667aeda72477189d0494fecd327c3641' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
diff --git a/data/web/inc/lib/vendor/composer/autoload_psr4.php b/data/web/inc/lib/vendor/composer/autoload_psr4.php
index 83d1f5655..6112acbac 100644
--- a/data/web/inc/lib/vendor/composer/autoload_psr4.php
+++ b/data/web/inc/lib/vendor/composer/autoload_psr4.php
@@ -14,17 +14,25 @@ return array(
     'Symfony\\Contracts\\Translation\\' => array($vendorDir . '/symfony/translation-contracts'),
     'Symfony\\Component\\VarDumper\\' => array($vendorDir . '/symfony/var-dumper'),
     'Symfony\\Component\\Translation\\' => array($vendorDir . '/symfony/translation'),
+    'Stevenmaguire\\OAuth2\\Client\\' => array($vendorDir . '/stevenmaguire/oauth2-keycloak/src'),
     'RobThree\\Auth\\' => array($vendorDir . '/robthree/twofactorauth/lib'),
     'Psr\\SimpleCache\\' => array($vendorDir . '/psr/simple-cache/src'),
     'Psr\\Log\\' => array($vendorDir . '/psr/log/src'),
+    'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-message/src', $vendorDir . '/psr/http-factory/src'),
+    'Psr\\Http\\Client\\' => array($vendorDir . '/psr/http-client/src'),
     'Psr\\Container\\' => array($vendorDir . '/psr/container/src'),
     'PhpMimeMailParser\\' => array($vendorDir . '/php-mime-mail-parser/php-mime-mail-parser/src'),
     'PHPMailer\\PHPMailer\\' => array($vendorDir . '/phpmailer/phpmailer/src'),
     'MatthiasMullie\\PathConverter\\' => array($vendorDir . '/matthiasmullie/path-converter/src'),
     'MatthiasMullie\\Minify\\' => array($vendorDir . '/matthiasmullie/minify/src'),
+    'League\\OAuth2\\Client\\' => array($vendorDir . '/league/oauth2-client/src'),
     'LdapRecord\\' => array($vendorDir . '/directorytree/ldaprecord/src'),
     'Illuminate\\Contracts\\' => array($vendorDir . '/illuminate/contracts'),
     'Html2Text\\' => array($vendorDir . '/soundasleep/html2text/src'),
+    'GuzzleHttp\\Psr7\\' => array($vendorDir . '/guzzlehttp/psr7/src'),
+    'GuzzleHttp\\Promise\\' => array($vendorDir . '/guzzlehttp/promises/src'),
+    'GuzzleHttp\\' => array($vendorDir . '/guzzlehttp/guzzle/src'),
+    'Firebase\\JWT\\' => array($vendorDir . '/firebase/php-jwt/src'),
     'Ddeboer\\Imap\\' => array($vendorDir . '/ddeboer/imap/src'),
     'Carbon\\' => array($vendorDir . '/nesbot/carbon/src/Carbon'),
 );
diff --git a/data/web/inc/lib/vendor/composer/autoload_static.php b/data/web/inc/lib/vendor/composer/autoload_static.php
index a819adf63..440edffbc 100644
--- a/data/web/inc/lib/vendor/composer/autoload_static.php
+++ b/data/web/inc/lib/vendor/composer/autoload_static.php
@@ -8,6 +8,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
 {
     public static $files = array (
         '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
+        '7b11c4dc42b3b3023073cb14e519683c' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
+        'c964ee0ededf28c96ebd9db5099ef910' => __DIR__ . '/..' . '/guzzlehttp/promises/src/functions_include.php',
+        '6e3fae29631ef280660b3cdad06f25a8' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
+        '37a3dc5111fe8f707ab4c132ef1dbc62' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
         'a4a119a56e50fbb293281d9a48007e0e' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
         'a1105708a18b76903365ca1c4aa61b02' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
         '667aeda72477189d0494fecd327c3641' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
@@ -31,6 +35,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
             'Symfony\\Contracts\\Translation\\' => 30,
             'Symfony\\Component\\VarDumper\\' => 28,
             'Symfony\\Component\\Translation\\' => 30,
+            'Stevenmaguire\\OAuth2\\Client\\' => 28,
         ),
         'R' => 
         array (
@@ -40,6 +45,8 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             'Psr\\SimpleCache\\' => 16,
             'Psr\\Log\\' => 8,
+            'Psr\\Http\\Message\\' => 17,
+            'Psr\\Http\\Client\\' => 16,
             'Psr\\Container\\' => 14,
             'PhpMimeMailParser\\' => 18,
             'PHPMailer\\PHPMailer\\' => 20,
@@ -51,6 +58,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         ),
         'L' => 
         array (
+            'League\\OAuth2\\Client\\' => 21,
             'LdapRecord\\' => 11,
         ),
         'I' => 
@@ -61,6 +69,16 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             'Html2Text\\' => 10,
         ),
+        'G' => 
+        array (
+            'GuzzleHttp\\Psr7\\' => 16,
+            'GuzzleHttp\\Promise\\' => 19,
+            'GuzzleHttp\\' => 11,
+        ),
+        'F' => 
+        array (
+            'Firebase\\JWT\\' => 13,
+        ),
         'D' => 
         array (
             'Ddeboer\\Imap\\' => 13,
@@ -104,6 +122,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/symfony/translation',
         ),
+        'Stevenmaguire\\OAuth2\\Client\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/stevenmaguire/oauth2-keycloak/src',
+        ),
         'RobThree\\Auth\\' => 
         array (
             0 => __DIR__ . '/..' . '/robthree/twofactorauth/lib',
@@ -116,6 +138,15 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/psr/log/src',
         ),
+        'Psr\\Http\\Message\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/psr/http-message/src',
+            1 => __DIR__ . '/..' . '/psr/http-factory/src',
+        ),
+        'Psr\\Http\\Client\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/psr/http-client/src',
+        ),
         'Psr\\Container\\' => 
         array (
             0 => __DIR__ . '/..' . '/psr/container/src',
@@ -136,6 +167,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/matthiasmullie/minify/src',
         ),
+        'League\\OAuth2\\Client\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/league/oauth2-client/src',
+        ),
         'LdapRecord\\' => 
         array (
             0 => __DIR__ . '/..' . '/directorytree/ldaprecord/src',
@@ -148,6 +183,22 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/soundasleep/html2text/src',
         ),
+        'GuzzleHttp\\Psr7\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/guzzlehttp/psr7/src',
+        ),
+        'GuzzleHttp\\Promise\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/guzzlehttp/promises/src',
+        ),
+        'GuzzleHttp\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/guzzlehttp/guzzle/src',
+        ),
+        'Firebase\\JWT\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/firebase/php-jwt/src',
+        ),
         'Ddeboer\\Imap\\' => 
         array (
             0 => __DIR__ . '/..' . '/ddeboer/imap/src',
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index d910fa544..cec6e781d 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -215,6 +215,406 @@
             ],
             "install-path": "../directorytree/ldaprecord"
         },
+        {
+            "name": "firebase/php-jwt",
+            "version": "v5.5.1",
+            "version_normalized": "5.5.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/firebase/php-jwt.git",
+                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/83b609028194aa042ea33b5af2d41a7427de80e6",
+                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": ">=4.8 <=9"
+            },
+            "suggest": {
+                "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
+            },
+            "time": "2021-11-08T20:18:51+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Firebase\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Neuman Vong",
+                    "email": "neuman+pear@twilio.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Anant Narayanan",
+                    "email": "anant@php.net",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+            "homepage": "https://github.com/firebase/php-jwt",
+            "keywords": [
+                "jwt",
+                "php"
+            ],
+            "support": {
+                "issues": "https://github.com/firebase/php-jwt/issues",
+                "source": "https://github.com/firebase/php-jwt/tree/v5.5.1"
+            },
+            "install-path": "../firebase/php-jwt"
+        },
+        {
+            "name": "guzzlehttp/guzzle",
+            "version": "7.5.0",
+            "version_normalized": "7.5.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/guzzle.git",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba",
+                "shasum": ""
+            },
+            "require": {
+                "ext-json": "*",
+                "guzzlehttp/promises": "^1.5",
+                "guzzlehttp/psr7": "^1.9 || ^2.4",
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-client": "^1.0",
+                "symfony/deprecation-contracts": "^2.2 || ^3.0"
+            },
+            "provide": {
+                "psr/http-client-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "ext-curl": "*",
+                "php-http/client-integration-tests": "^3.0",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23",
+                "psr/log": "^1.1 || ^2.0 || ^3.0"
+            },
+            "suggest": {
+                "ext-curl": "Required for CURL handler support",
+                "ext-intl": "Required for Internationalized Domain Name (IDN) support",
+                "psr/log": "Required for using the Log middleware"
+            },
+            "time": "2022-08-28T15:39:27+00:00",
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                },
+                "branch-alias": {
+                    "dev-master": "7.5-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Jeremy Lindblom",
+                    "email": "jeremeamia@gmail.com",
+                    "homepage": "https://github.com/jeremeamia"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle is a PHP HTTP client library",
+            "keywords": [
+                "client",
+                "curl",
+                "framework",
+                "http",
+                "http client",
+                "psr-18",
+                "psr-7",
+                "rest",
+                "web service"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/guzzle/issues",
+                "source": "https://github.com/guzzle/guzzle/tree/7.5.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/guzzle",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../guzzlehttp/guzzle"
+        },
+        {
+            "name": "guzzlehttp/promises",
+            "version": "1.5.2",
+            "version_normalized": "1.5.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/promises.git",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/b94b2807d85443f9719887892882d0329d1e2598",
+                "reference": "b94b2807d85443f9719887892882d0329d1e2598",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.5"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^4.4 || ^5.1"
+            },
+            "time": "2022-08-28T14:55:35+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.5-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "src/functions_include.php"
+                ],
+                "psr-4": {
+                    "GuzzleHttp\\Promise\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                }
+            ],
+            "description": "Guzzle promises library",
+            "keywords": [
+                "promise"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/promises/issues",
+                "source": "https://github.com/guzzle/promises/tree/1.5.2"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/promises",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../guzzlehttp/promises"
+        },
+        {
+            "name": "guzzlehttp/psr7",
+            "version": "2.4.4",
+            "version_normalized": "2.4.4.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/guzzle/psr7.git",
+                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
+                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.2.5 || ^8.0",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0",
+                "ralouphie/getallheaders": "^3.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "bamarni/composer-bin-plugin": "^1.8.1",
+                "http-interop/http-factory-tests": "^0.9",
+                "phpunit/phpunit": "^8.5.29 || ^9.5.23"
+            },
+            "suggest": {
+                "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+            },
+            "time": "2023-03-09T13:19:02+00:00",
+            "type": "library",
+            "extra": {
+                "bamarni-bin": {
+                    "bin-links": true,
+                    "forward-command": false
+                },
+                "branch-alias": {
+                    "dev-master": "2.4-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "GuzzleHttp\\Psr7\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "hello@gjcampbell.co.uk",
+                    "homepage": "https://github.com/GrahamCampbell"
+                },
+                {
+                    "name": "Michael Dowling",
+                    "email": "mtdowling@gmail.com",
+                    "homepage": "https://github.com/mtdowling"
+                },
+                {
+                    "name": "George Mponos",
+                    "email": "gmponos@gmail.com",
+                    "homepage": "https://github.com/gmponos"
+                },
+                {
+                    "name": "Tobias Nyholm",
+                    "email": "tobias.nyholm@gmail.com",
+                    "homepage": "https://github.com/Nyholm"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://github.com/sagikazarmark"
+                },
+                {
+                    "name": "Tobias Schultze",
+                    "email": "webmaster@tubo-world.de",
+                    "homepage": "https://github.com/Tobion"
+                },
+                {
+                    "name": "Márk Sági-Kazár",
+                    "email": "mark.sagikazar@gmail.com",
+                    "homepage": "https://sagikazarmark.hu"
+                }
+            ],
+            "description": "PSR-7 message implementation that also provides common utility methods",
+            "keywords": [
+                "http",
+                "message",
+                "psr-7",
+                "request",
+                "response",
+                "stream",
+                "uri",
+                "url"
+            ],
+            "support": {
+                "issues": "https://github.com/guzzle/psr7/issues",
+                "source": "https://github.com/guzzle/psr7/tree/2.4.4"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/GrahamCampbell",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/Nyholm",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../guzzlehttp/psr7"
+        },
         {
             "name": "illuminate/contracts",
             "version": "v9.3.0",
@@ -266,6 +666,79 @@
             },
             "install-path": "../illuminate/contracts"
         },
+        {
+            "name": "league/oauth2-client",
+            "version": "2.6.1",
+            "version_normalized": "2.6.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/oauth2-client.git",
+                "reference": "2334c249907190c132364f5dae0287ab8666aa19"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/2334c249907190c132364f5dae0287ab8666aa19",
+                "reference": "2334c249907190c132364f5dae0287ab8666aa19",
+                "shasum": ""
+            },
+            "require": {
+                "guzzlehttp/guzzle": "^6.0 || ^7.0",
+                "paragonie/random_compat": "^1 || ^2 || ^9.99",
+                "php": "^5.6 || ^7.0 || ^8.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "^1.3.5",
+                "php-parallel-lint/php-parallel-lint": "^1.3.1",
+                "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5",
+                "squizlabs/php_codesniffer": "^2.3 || ^3.0"
+            },
+            "time": "2021-12-22T16:42:49+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-2.x": "2.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "League\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Bilbie",
+                    "email": "hello@alexbilbie.com",
+                    "homepage": "http://www.alexbilbie.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Woody Gilk",
+                    "homepage": "https://github.com/shadowhand",
+                    "role": "Contributor"
+                }
+            ],
+            "description": "OAuth 2.0 Client Library",
+            "keywords": [
+                "Authentication",
+                "SSO",
+                "authorization",
+                "identity",
+                "idp",
+                "oauth",
+                "oauth2",
+                "single sign on"
+            ],
+            "support": {
+                "issues": "https://github.com/thephpleague/oauth2-client/issues",
+                "source": "https://github.com/thephpleague/oauth2-client/tree/2.6.1"
+            },
+            "install-path": "../league/oauth2-client"
+        },
         {
             "name": "matthiasmullie/minify",
             "version": "1.3.66",
@@ -551,6 +1024,59 @@
             ],
             "install-path": "../nesbot/carbon"
         },
+        {
+            "name": "paragonie/random_compat",
+            "version": "v9.99.100",
+            "version_normalized": "9.99.100.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/paragonie/random_compat.git",
+                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
+                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">= 7"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "4.*|5.*",
+                "vimeo/psalm": "^1"
+            },
+            "suggest": {
+                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+            },
+            "time": "2020-10-15T08:29:30+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Paragon Initiative Enterprises",
+                    "email": "security@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+            "keywords": [
+                "csprng",
+                "polyfill",
+                "pseudorandom",
+                "random"
+            ],
+            "support": {
+                "email": "info@paragonie.com",
+                "issues": "https://github.com/paragonie/random_compat/issues",
+                "source": "https://github.com/paragonie/random_compat"
+            },
+            "install-path": "../paragonie/random_compat"
+        },
         {
             "name": "php-mime-mail-parser/php-mime-mail-parser",
             "version": "7.0.0",
@@ -782,6 +1308,175 @@
             },
             "install-path": "../psr/container"
         },
+        {
+            "name": "psr/http-client",
+            "version": "1.0.1",
+            "version_normalized": "1.0.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-client.git",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-client/zipball/2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0 || ^8.0",
+                "psr/http-message": "^1.0"
+            },
+            "time": "2020-06-29T06:28:15+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP clients",
+            "homepage": "https://github.com/php-fig/http-client",
+            "keywords": [
+                "http",
+                "http-client",
+                "psr",
+                "psr-18"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-client/tree/master"
+            },
+            "install-path": "../psr/http-client"
+        },
+        {
+            "name": "psr/http-factory",
+            "version": "1.0.1",
+            "version_normalized": "1.0.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
+            },
+            "time": "2019-04-30T12:38:16+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interfaces for PSR-7 HTTP message factories",
+            "keywords": [
+                "factory",
+                "http",
+                "message",
+                "psr",
+                "psr-17",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-factory/tree/master"
+            },
+            "install-path": "../psr/http-factory"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0.1",
+            "version_normalized": "1.0.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "time": "2016-08-06T14:39:51+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "homepage": "https://github.com/php-fig/http-message",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "source": "https://github.com/php-fig/http-message/tree/master"
+            },
+            "install-path": "../psr/http-message"
+        },
         {
             "name": "psr/log",
             "version": "3.0.0",
@@ -889,6 +1584,53 @@
             },
             "install-path": "../psr/simple-cache"
         },
+        {
+            "name": "ralouphie/getallheaders",
+            "version": "3.0.3",
+            "version_normalized": "3.0.3.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ralouphie/getallheaders.git",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822",
+                "reference": "120b605dfeb996808c31b6477290a714d356e822",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.6"
+            },
+            "require-dev": {
+                "php-coveralls/php-coveralls": "^2.1",
+                "phpunit/phpunit": "^5 || ^6.5"
+            },
+            "time": "2019-03-08T08:55:37+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "src/getallheaders.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Ralph Khattar",
+                    "email": "ralph.khattar@gmail.com"
+                }
+            ],
+            "description": "A polyfill for getallheaders.",
+            "support": {
+                "issues": "https://github.com/ralouphie/getallheaders/issues",
+                "source": "https://github.com/ralouphie/getallheaders/tree/develop"
+            },
+            "install-path": "../ralouphie/getallheaders"
+        },
         {
             "name": "robthree/twofactorauth",
             "version": "1.8.1",
@@ -1015,6 +1757,139 @@
             ],
             "install-path": "../soundasleep/html2text"
         },
+        {
+            "name": "stevenmaguire/oauth2-keycloak",
+            "version": "3.2.0",
+            "version_normalized": "3.2.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/stevenmaguire/oauth2-keycloak.git",
+                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/34e4824f5fa26aa8e90f1258859c75570c12d27a",
+                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a",
+                "shasum": ""
+            },
+            "require": {
+                "firebase/php-jwt": "~4.0|~5.0",
+                "league/oauth2-client": "^2.0"
+            },
+            "require-dev": {
+                "mockery/mockery": "~0.9",
+                "phpunit/phpunit": "~4.0",
+                "squizlabs/php_codesniffer": "~2.0"
+            },
+            "time": "2022-12-16T12:46:38+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Stevenmaguire\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Steven Maguire",
+                    "email": "stevenmaguire@gmail.com",
+                    "homepage": "https://github.com/stevenmaguire"
+                }
+            ],
+            "description": "Keycloak OAuth 2.0 Client Provider for The PHP League OAuth2-Client",
+            "keywords": [
+                "authorisation",
+                "authorization",
+                "client",
+                "keycloak",
+                "oauth",
+                "oauth2"
+            ],
+            "support": {
+                "issues": "https://github.com/stevenmaguire/oauth2-keycloak/issues",
+                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/3.2.0"
+            },
+            "install-path": "../stevenmaguire/oauth2-keycloak"
+        },
+        {
+            "name": "symfony/deprecation-contracts",
+            "version": "v3.2.1",
+            "version_normalized": "3.2.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/deprecation-contracts.git",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.1"
+            },
+            "time": "2023-03-01T10:25:55+00:00",
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-main": "3.3-dev"
+                },
+                "thanks": {
+                    "name": "symfony/contracts",
+                    "url": "https://github.com/symfony/contracts"
+                }
+            },
+            "installation-source": "dist",
+            "autoload": {
+                "files": [
+                    "function.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "A generic function and convention to trigger deprecation notices",
+            "homepage": "https://symfony.com",
+            "support": {
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../symfony/deprecation-contracts"
+        },
         {
             "name": "symfony/polyfill-ctype",
             "version": "v1.24.0",
diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php
index fa2ed8e5e..07db23e07 100644
--- a/data/web/inc/lib/vendor/composer/installed.php
+++ b/data/web/inc/lib/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'a7e309f1c89c5579653fae00ec9655bb5f992ec6',
+        'reference' => 'ea394d702dd7fe05f9b28c818fd912c5a60e71f4',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'a7e309f1c89c5579653fae00ec9655bb5f992ec6',
+            'reference' => 'ea394d702dd7fe05f9b28c818fd912c5a60e71f4',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -52,6 +52,42 @@
                 0 => '*',
             ),
         ),
+        'firebase/php-jwt' => array(
+            'pretty_version' => 'v5.5.1',
+            'version' => '5.5.1.0',
+            'reference' => '83b609028194aa042ea33b5af2d41a7427de80e6',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../firebase/php-jwt',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'guzzlehttp/guzzle' => array(
+            'pretty_version' => '7.5.0',
+            'version' => '7.5.0.0',
+            'reference' => 'b50a2a1251152e43f6a37f0fa053e730a67d25ba',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../guzzlehttp/guzzle',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'guzzlehttp/promises' => array(
+            'pretty_version' => '1.5.2',
+            'version' => '1.5.2.0',
+            'reference' => 'b94b2807d85443f9719887892882d0329d1e2598',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../guzzlehttp/promises',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'guzzlehttp/psr7' => array(
+            'pretty_version' => '2.4.4',
+            'version' => '2.4.4.0',
+            'reference' => '3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../guzzlehttp/psr7',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'illuminate/contracts' => array(
             'pretty_version' => 'v9.3.0',
             'version' => '9.3.0.0',
@@ -61,6 +97,15 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'league/oauth2-client' => array(
+            'pretty_version' => '2.6.1',
+            'version' => '2.6.1.0',
+            'reference' => '2334c249907190c132364f5dae0287ab8666aa19',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../league/oauth2-client',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'matthiasmullie/minify' => array(
             'pretty_version' => '1.3.66',
             'version' => '1.3.66.0',
@@ -103,6 +148,15 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'paragonie/random_compat' => array(
+            'pretty_version' => 'v9.99.100',
+            'version' => '9.99.100.0',
+            'reference' => '996434e5492cb4c3edcb9168db6fbb1359ef965a',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../paragonie/random_compat',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'php-mime-mail-parser/php-mime-mail-parser' => array(
             'pretty_version' => '7.0.0',
             'version' => '7.0.0.0',
@@ -130,6 +184,51 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'psr/http-client' => array(
+            'pretty_version' => '1.0.1',
+            'version' => '1.0.1.0',
+            'reference' => '2dfb5f6c5eff0e91e20e913f8c5452ed95b86621',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/http-client',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/http-client-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
+        'psr/http-factory' => array(
+            'pretty_version' => '1.0.1',
+            'version' => '1.0.1.0',
+            'reference' => '12ac7fcd07e5b077433f5f2bee95b3a771bf61be',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/http-factory',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/http-factory-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
+        'psr/http-message' => array(
+            'pretty_version' => '1.0.1',
+            'version' => '1.0.1.0',
+            'reference' => 'f6561bf28d520154e4b0ec72be95418abe6d9363',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/http-message',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/http-message-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
         'psr/log' => array(
             'pretty_version' => '3.0.0',
             'version' => '3.0.0.0',
@@ -148,6 +247,15 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'ralouphie/getallheaders' => array(
+            'pretty_version' => '3.0.3',
+            'version' => '3.0.3.0',
+            'reference' => '120b605dfeb996808c31b6477290a714d356e822',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../ralouphie/getallheaders',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'robthree/twofactorauth' => array(
             'pretty_version' => '1.8.1',
             'version' => '1.8.1.0',
@@ -166,6 +274,24 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'stevenmaguire/oauth2-keycloak' => array(
+            'pretty_version' => '3.2.0',
+            'version' => '3.2.0.0',
+            'reference' => '34e4824f5fa26aa8e90f1258859c75570c12d27a',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../stevenmaguire/oauth2-keycloak',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'symfony/deprecation-contracts' => array(
+            'pretty_version' => 'v3.2.1',
+            'version' => '3.2.1.0',
+            'reference' => 'e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../symfony/deprecation-contracts',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'symfony/polyfill-ctype' => array(
             'pretty_version' => 'v1.24.0',
             'version' => '1.24.0.0',
diff --git a/data/web/inc/lib/vendor/composer/platform_check.php b/data/web/inc/lib/vendor/composer/platform_check.php
index b168ddd5d..4c3a5d68f 100644
--- a/data/web/inc/lib/vendor/composer/platform_check.php
+++ b/data/web/inc/lib/vendor/composer/platform_check.php
@@ -4,8 +4,8 @@
 
 $issues = array();
 
-if (!(PHP_VERSION_ID >= 80002)) {
-    $issues[] = 'Your Composer dependencies require a PHP version ">= 8.0.2". You are running ' . PHP_VERSION . '.';
+if (!(PHP_VERSION_ID >= 80100)) {
+    $issues[] = 'Your Composer dependencies require a PHP version ">= 8.1.0". You are running ' . PHP_VERSION . '.';
 }
 
 if ($issues) {
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/LICENSE b/data/web/inc/lib/vendor/firebase/php-jwt/LICENSE
new file mode 100644
index 000000000..11c014665
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/LICENSE
@@ -0,0 +1,30 @@
+Copyright (c) 2011, Neuman Vong
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+
+    * Neither the name of the copyright holder nor the names of other
+      contributors may be used to endorse or promote products derived
+      from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/README.md b/data/web/inc/lib/vendor/firebase/php-jwt/README.md
new file mode 100644
index 000000000..1d392cd12
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/README.md
@@ -0,0 +1,289 @@
+[![Build Status](https://travis-ci.org/firebase/php-jwt.png?branch=master)](https://travis-ci.org/firebase/php-jwt)
+[![Latest Stable Version](https://poser.pugx.org/firebase/php-jwt/v/stable)](https://packagist.org/packages/firebase/php-jwt)
+[![Total Downloads](https://poser.pugx.org/firebase/php-jwt/downloads)](https://packagist.org/packages/firebase/php-jwt)
+[![License](https://poser.pugx.org/firebase/php-jwt/license)](https://packagist.org/packages/firebase/php-jwt)
+
+PHP-JWT
+=======
+A simple library to encode and decode JSON Web Tokens (JWT) in PHP, conforming to [RFC 7519](https://tools.ietf.org/html/rfc7519).
+
+Installation
+------------
+
+Use composer to manage your dependencies and download PHP-JWT:
+
+```bash
+composer require firebase/php-jwt
+```
+
+Optionally, install the `paragonie/sodium_compat` package from composer if your
+php is < 7.2 or does not have libsodium installed:
+
+```bash
+composer require paragonie/sodium_compat
+```
+
+Example
+-------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+$key = "example_key";
+$payload = array(
+    "iss" => "http://example.org",
+    "aud" => "http://example.com",
+    "iat" => 1356999524,
+    "nbf" => 1357000000
+);
+
+/**
+ * IMPORTANT:
+ * You must specify supported algorithms for your application. See
+ * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
+ * for a list of spec-compliant algorithms.
+ */
+$jwt = JWT::encode($payload, $key, 'HS256');
+$decoded = JWT::decode($jwt, new Key($key, 'HS256'));
+
+print_r($decoded);
+
+/*
+ NOTE: This will now be an object instead of an associative array. To get
+ an associative array, you will need to cast it as such:
+*/
+
+$decoded_array = (array) $decoded;
+
+/**
+ * You can add a leeway to account for when there is a clock skew times between
+ * the signing and verifying servers. It is recommended that this leeway should
+ * not be bigger than a few minutes.
+ *
+ * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
+ */
+JWT::$leeway = 60; // $leeway in seconds
+$decoded = JWT::decode($jwt, new Key($key, 'HS256'));
+```
+Example with RS256 (openssl)
+----------------------------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+$privateKey = <<<EOD
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC8kGa1pSjbSYZVebtTRBLxBz5H4i2p/llLCrEeQhta5kaQu/Rn
+vuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t0tyazyZ8JXw+KgXTxldMPEL9
+5+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4ehde/zUxo6UvS7UrBQIDAQAB
+AoGAb/MXV46XxCFRxNuB8LyAtmLDgi/xRnTAlMHjSACddwkyKem8//8eZtw9fzxz
+bWZ/1/doQOuHBGYZU8aDzzj59FZ78dyzNFoF91hbvZKkg+6wGyd/LrGVEB+Xre0J
+Nil0GReM2AHDNZUYRv+HYJPIOrB0CRczLQsgFJ8K6aAD6F0CQQDzbpjYdx10qgK1
+cP59UHiHjPZYC0loEsk7s+hUmT3QHerAQJMZWC11Qrn2N+ybwwNblDKv+s5qgMQ5
+5tNoQ9IfAkEAxkyffU6ythpg/H0Ixe1I2rd0GbF05biIzO/i77Det3n4YsJVlDck
+ZkcvY3SK2iRIL4c9yY6hlIhs+K9wXTtGWwJBAO9Dskl48mO7woPR9uD22jDpNSwe
+k90OMepTjzSvlhjbfuPN1IdhqvSJTDychRwn1kIJ7LQZgQ8fVz9OCFZ/6qMCQGOb
+qaGwHmUK6xzpUbbacnYrIM6nLSkXgOAwv7XXCojvY614ILTK3iXiLBOxPu5Eu13k
+eUz9sHyD6vkgZzjtxXECQAkp4Xerf5TGfQXGXhxIX52yH+N2LtujCdkQZjXAsGdm
+B2zNzvrlgRmgBrklMTrMYgm1NPcW+bRLGcwgW2PTvNM=
+-----END RSA PRIVATE KEY-----
+EOD;
+
+$publicKey = <<<EOD
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8kGa1pSjbSYZVebtTRBLxBz5H
+4i2p/llLCrEeQhta5kaQu/RnvuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t
+0tyazyZ8JXw+KgXTxldMPEL95+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4
+ehde/zUxo6UvS7UrBQIDAQAB
+-----END PUBLIC KEY-----
+EOD;
+
+$payload = array(
+    "iss" => "example.org",
+    "aud" => "example.com",
+    "iat" => 1356999524,
+    "nbf" => 1357000000
+);
+
+$jwt = JWT::encode($payload, $privateKey, 'RS256');
+echo "Encode:\n" . print_r($jwt, true) . "\n";
+
+$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
+
+/*
+ NOTE: This will now be an object instead of an associative array. To get
+ an associative array, you will need to cast it as such:
+*/
+
+$decoded_array = (array) $decoded;
+echo "Decode:\n" . print_r($decoded_array, true) . "\n";
+```
+
+Example with a passphrase
+-------------------------
+
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+// Your passphrase
+$passphrase = '[YOUR_PASSPHRASE]';
+
+// Your private key file with passphrase
+// Can be generated with "ssh-keygen -t rsa -m pem"
+$privateKeyFile = '/path/to/key-with-passphrase.pem';
+
+// Create a private key of type "resource"
+$privateKey = openssl_pkey_get_private(
+    file_get_contents($privateKeyFile),
+    $passphrase
+);
+
+$payload = array(
+    "iss" => "example.org",
+    "aud" => "example.com",
+    "iat" => 1356999524,
+    "nbf" => 1357000000
+);
+
+$jwt = JWT::encode($payload, $privateKey, 'RS256');
+echo "Encode:\n" . print_r($jwt, true) . "\n";
+
+// Get public key from the private key, or pull from from a file.
+$publicKey = openssl_pkey_get_details($privateKey)['key'];
+
+$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
+echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
+```
+
+Example with EdDSA (libsodium and Ed25519 signature)
+----------------------------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+// Public and private keys are expected to be Base64 encoded. The last
+// non-empty line is used so that keys can be generated with
+// sodium_crypto_sign_keypair(). The secret keys generated by other tools may
+// need to be adjusted to match the input expected by libsodium.
+
+$keyPair = sodium_crypto_sign_keypair();
+
+$privateKey = base64_encode(sodium_crypto_sign_secretkey($keyPair));
+
+$publicKey = base64_encode(sodium_crypto_sign_publickey($keyPair));
+
+$payload = array(
+    "iss" => "example.org",
+    "aud" => "example.com",
+    "iat" => 1356999524,
+    "nbf" => 1357000000
+);
+
+$jwt = JWT::encode($payload, $privateKey, 'EdDSA');
+echo "Encode:\n" . print_r($jwt, true) . "\n";
+
+$decoded = JWT::decode($jwt, new Key($publicKey, 'EdDSA'));
+echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
+````
+
+Using JWKs
+----------
+
+```php
+use Firebase\JWT\JWK;
+use Firebase\JWT\JWT;
+
+// Set of keys. The "keys" key is required. For example, the JSON response to
+// this endpoint: https://www.gstatic.com/iap/verify/public_key-jwk
+$jwks = ['keys' => []];
+
+// JWK::parseKeySet($jwks) returns an associative array of **kid** to private
+// key. Pass this as the second parameter to JWT::decode.
+// NOTE: The deprecated $supportedAlgorithm must be supplied when parsing from JWK.
+JWT::decode($payload, JWK::parseKeySet($jwks), $supportedAlgorithm);
+```
+
+Changelog
+---------
+
+#### 5.0.0 / 2017-06-26
+- Support RS384 and RS512.
+  See [#117](https://github.com/firebase/php-jwt/pull/117). Thanks [@joostfaassen](https://github.com/joostfaassen)!
+- Add an example for RS256 openssl.
+  See [#125](https://github.com/firebase/php-jwt/pull/125). Thanks [@akeeman](https://github.com/akeeman)!
+- Detect invalid Base64 encoding in signature.
+  See [#162](https://github.com/firebase/php-jwt/pull/162). Thanks [@psignoret](https://github.com/psignoret)!
+- Update `JWT::verify` to handle OpenSSL errors.
+  See [#159](https://github.com/firebase/php-jwt/pull/159). Thanks [@bshaffer](https://github.com/bshaffer)!
+- Add `array` type hinting to `decode` method
+  See [#101](https://github.com/firebase/php-jwt/pull/101). Thanks [@hywak](https://github.com/hywak)!
+- Add all JSON error types.
+  See [#110](https://github.com/firebase/php-jwt/pull/110). Thanks [@gbalduzzi](https://github.com/gbalduzzi)!
+- Bugfix 'kid' not in given key list.
+  See [#129](https://github.com/firebase/php-jwt/pull/129). Thanks [@stampycode](https://github.com/stampycode)!
+- Miscellaneous cleanup, documentation and test fixes.
+  See [#107](https://github.com/firebase/php-jwt/pull/107), [#115](https://github.com/firebase/php-jwt/pull/115),
+  [#160](https://github.com/firebase/php-jwt/pull/160), [#161](https://github.com/firebase/php-jwt/pull/161), and
+  [#165](https://github.com/firebase/php-jwt/pull/165). Thanks [@akeeman](https://github.com/akeeman),
+  [@chinedufn](https://github.com/chinedufn), and [@bshaffer](https://github.com/bshaffer)!
+
+#### 4.0.0 / 2016-07-17
+- Add support for late static binding. See [#88](https://github.com/firebase/php-jwt/pull/88) for details. Thanks to [@chappy84](https://github.com/chappy84)!
+- Use static `$timestamp` instead of `time()` to improve unit testing. See [#93](https://github.com/firebase/php-jwt/pull/93) for details. Thanks to [@josephmcdermott](https://github.com/josephmcdermott)!
+- Fixes to exceptions classes. See [#81](https://github.com/firebase/php-jwt/pull/81) for details. Thanks to [@Maks3w](https://github.com/Maks3w)!
+- Fixes to PHPDoc. See [#76](https://github.com/firebase/php-jwt/pull/76) for details. Thanks to [@akeeman](https://github.com/akeeman)!
+
+#### 3.0.0 / 2015-07-22
+- Minimum PHP version updated from `5.2.0` to `5.3.0`.
+- Add `\Firebase\JWT` namespace. See
+[#59](https://github.com/firebase/php-jwt/pull/59) for details. Thanks to
+[@Dashron](https://github.com/Dashron)!
+- Require a non-empty key to decode and verify a JWT. See
+[#60](https://github.com/firebase/php-jwt/pull/60) for details. Thanks to
+[@sjones608](https://github.com/sjones608)!
+- Cleaner documentation blocks in the code. See
+[#62](https://github.com/firebase/php-jwt/pull/62) for details. Thanks to
+[@johanderuijter](https://github.com/johanderuijter)!
+
+#### 2.2.0 / 2015-06-22
+- Add support for adding custom, optional JWT headers to `JWT::encode()`. See
+[#53](https://github.com/firebase/php-jwt/pull/53/files) for details. Thanks to
+[@mcocaro](https://github.com/mcocaro)!
+
+#### 2.1.0 / 2015-05-20
+- Add support for adding a leeway to `JWT:decode()` that accounts for clock skew
+between signing and verifying entities. Thanks to [@lcabral](https://github.com/lcabral)!
+- Add support for passing an object implementing the `ArrayAccess` interface for
+`$keys` argument in `JWT::decode()`. Thanks to [@aztech-dev](https://github.com/aztech-dev)!
+
+#### 2.0.0 / 2015-04-01
+- **Note**: It is strongly recommended that you update to > v2.0.0 to address
+  known security vulnerabilities in prior versions when both symmetric and
+  asymmetric keys are used together.
+- Update signature for `JWT::decode(...)` to require an array of supported
+  algorithms to use when verifying token signatures.
+
+
+Tests
+-----
+Run the tests using phpunit:
+
+```bash
+$ pear install PHPUnit
+$ phpunit --configuration phpunit.xml.dist
+PHPUnit 3.7.10 by Sebastian Bergmann.
+.....
+Time: 0 seconds, Memory: 2.50Mb
+OK (5 tests, 5 assertions)
+```
+
+New Lines in private keys
+-----
+
+If your private key contains `\n` characters, be sure to wrap it in double quotes `""`
+and not single quotes `''` in order to properly interpret the escaped characters.
+
+License
+-------
+[3-Clause BSD](http://opensource.org/licenses/BSD-3-Clause).
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/composer.json b/data/web/inc/lib/vendor/firebase/php-jwt/composer.json
new file mode 100644
index 000000000..6146e2dcc
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/composer.json
@@ -0,0 +1,36 @@
+{
+    "name": "firebase/php-jwt",
+    "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+    "homepage": "https://github.com/firebase/php-jwt",
+    "keywords": [
+        "php",
+        "jwt"
+    ],
+    "authors": [
+        {
+            "name": "Neuman Vong",
+            "email": "neuman+pear@twilio.com",
+            "role": "Developer"
+        },
+        {
+            "name": "Anant Narayanan",
+            "email": "anant@php.net",
+            "role": "Developer"
+        }
+    ],
+    "license": "BSD-3-Clause",
+    "require": {
+        "php": ">=5.3.0"
+    },
+    "suggest": {
+        "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
+    },
+    "autoload": {
+        "psr-4": {
+            "Firebase\\JWT\\": "src"
+        }
+    },
+    "require-dev": {
+        "phpunit/phpunit": ">=4.8 <=9"
+    }
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/BeforeValidException.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/BeforeValidException.php
new file mode 100644
index 000000000..c147852b9
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/BeforeValidException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace Firebase\JWT;
+
+class BeforeValidException extends \UnexpectedValueException
+{
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/ExpiredException.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/ExpiredException.php
new file mode 100644
index 000000000..81ba52d43
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/ExpiredException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace Firebase\JWT;
+
+class ExpiredException extends \UnexpectedValueException
+{
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php
new file mode 100644
index 000000000..981a9ba7f
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php
@@ -0,0 +1,172 @@
+<?php
+
+namespace Firebase\JWT;
+
+use DomainException;
+use InvalidArgumentException;
+use UnexpectedValueException;
+
+/**
+ * JSON Web Key implementation, based on this spec:
+ * https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41
+ *
+ * PHP version 5
+ *
+ * @category Authentication
+ * @package  Authentication_JWT
+ * @author   Bui Sy Nguyen <nguyenbs@gmail.com>
+ * @license  http://opensource.org/licenses/BSD-3-Clause 3-clause BSD
+ * @link     https://github.com/firebase/php-jwt
+ */
+class JWK
+{
+    /**
+     * Parse a set of JWK keys
+     *
+     * @param array $jwks The JSON Web Key Set as an associative array
+     *
+     * @return array An associative array that represents the set of keys
+     *
+     * @throws InvalidArgumentException     Provided JWK Set is empty
+     * @throws UnexpectedValueException     Provided JWK Set was invalid
+     * @throws DomainException              OpenSSL failure
+     *
+     * @uses parseKey
+     */
+    public static function parseKeySet(array $jwks)
+    {
+        $keys = array();
+
+        if (!isset($jwks['keys'])) {
+            throw new UnexpectedValueException('"keys" member must exist in the JWK Set');
+        }
+        if (empty($jwks['keys'])) {
+            throw new InvalidArgumentException('JWK Set did not contain any keys');
+        }
+
+        foreach ($jwks['keys'] as $k => $v) {
+            $kid = isset($v['kid']) ? $v['kid'] : $k;
+            if ($key = self::parseKey($v)) {
+                $keys[$kid] = $key;
+            }
+        }
+
+        if (0 === \count($keys)) {
+            throw new UnexpectedValueException('No supported algorithms found in JWK Set');
+        }
+
+        return $keys;
+    }
+
+    /**
+     * Parse a JWK key
+     *
+     * @param array $jwk An individual JWK
+     *
+     * @return resource|array An associative array that represents the key
+     *
+     * @throws InvalidArgumentException     Provided JWK is empty
+     * @throws UnexpectedValueException     Provided JWK was invalid
+     * @throws DomainException              OpenSSL failure
+     *
+     * @uses createPemFromModulusAndExponent
+     */
+    public static function parseKey(array $jwk)
+    {
+        if (empty($jwk)) {
+            throw new InvalidArgumentException('JWK must not be empty');
+        }
+        if (!isset($jwk['kty'])) {
+            throw new UnexpectedValueException('JWK must contain a "kty" parameter');
+        }
+
+        switch ($jwk['kty']) {
+            case 'RSA':
+                if (!empty($jwk['d'])) {
+                    throw new UnexpectedValueException('RSA private keys are not supported');
+                }
+                if (!isset($jwk['n']) || !isset($jwk['e'])) {
+                    throw new UnexpectedValueException('RSA keys must contain values for both "n" and "e"');
+                }
+
+                $pem = self::createPemFromModulusAndExponent($jwk['n'], $jwk['e']);
+                $publicKey = \openssl_pkey_get_public($pem);
+                if (false === $publicKey) {
+                    throw new DomainException(
+                        'OpenSSL error: ' . \openssl_error_string()
+                    );
+                }
+                return $publicKey;
+            default:
+                // Currently only RSA is supported
+                break;
+        }
+    }
+
+    /**
+     * Create a public key represented in PEM format from RSA modulus and exponent information
+     *
+     * @param string $n The RSA modulus encoded in Base64
+     * @param string $e The RSA exponent encoded in Base64
+     *
+     * @return string The RSA public key represented in PEM format
+     *
+     * @uses encodeLength
+     */
+    private static function createPemFromModulusAndExponent($n, $e)
+    {
+        $modulus = JWT::urlsafeB64Decode($n);
+        $publicExponent = JWT::urlsafeB64Decode($e);
+
+        $components = array(
+            'modulus' => \pack('Ca*a*', 2, self::encodeLength(\strlen($modulus)), $modulus),
+            'publicExponent' => \pack('Ca*a*', 2, self::encodeLength(\strlen($publicExponent)), $publicExponent)
+        );
+
+        $rsaPublicKey = \pack(
+            'Ca*a*a*',
+            48,
+            self::encodeLength(\strlen($components['modulus']) + \strlen($components['publicExponent'])),
+            $components['modulus'],
+            $components['publicExponent']
+        );
+
+        // sequence(oid(1.2.840.113549.1.1.1), null)) = rsaEncryption.
+        $rsaOID = \pack('H*', '300d06092a864886f70d0101010500'); // hex version of MA0GCSqGSIb3DQEBAQUA
+        $rsaPublicKey = \chr(0) . $rsaPublicKey;
+        $rsaPublicKey = \chr(3) . self::encodeLength(\strlen($rsaPublicKey)) . $rsaPublicKey;
+
+        $rsaPublicKey = \pack(
+            'Ca*a*',
+            48,
+            self::encodeLength(\strlen($rsaOID . $rsaPublicKey)),
+            $rsaOID . $rsaPublicKey
+        );
+
+        $rsaPublicKey = "-----BEGIN PUBLIC KEY-----\r\n" .
+            \chunk_split(\base64_encode($rsaPublicKey), 64) .
+            '-----END PUBLIC KEY-----';
+
+        return $rsaPublicKey;
+    }
+
+    /**
+     * DER-encode the length
+     *
+     * DER supports lengths up to (2**8)**127, however, we'll only support lengths up to (2**8)**4.  See
+     * {@link http://itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf#p=13 X.690 paragraph 8.1.3} for more information.
+     *
+     * @param int $length
+     * @return string
+     */
+    private static function encodeLength($length)
+    {
+        if ($length <= 0x7F) {
+            return \chr($length);
+        }
+
+        $temp = \ltrim(\pack('N', $length), \chr(0));
+
+        return \pack('Ca*', 0x80 | \strlen($temp), $temp);
+    }
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php
new file mode 100644
index 000000000..ec1641bc4
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php
@@ -0,0 +1,611 @@
+<?php
+
+namespace Firebase\JWT;
+
+use ArrayAccess;
+use DomainException;
+use Exception;
+use InvalidArgumentException;
+use OpenSSLAsymmetricKey;
+use UnexpectedValueException;
+use DateTime;
+
+/**
+ * JSON Web Token implementation, based on this spec:
+ * https://tools.ietf.org/html/rfc7519
+ *
+ * PHP version 5
+ *
+ * @category Authentication
+ * @package  Authentication_JWT
+ * @author   Neuman Vong <neuman@twilio.com>
+ * @author   Anant Narayanan <anant@php.net>
+ * @license  http://opensource.org/licenses/BSD-3-Clause 3-clause BSD
+ * @link     https://github.com/firebase/php-jwt
+ */
+class JWT
+{
+    const ASN1_INTEGER = 0x02;
+    const ASN1_SEQUENCE = 0x10;
+    const ASN1_BIT_STRING = 0x03;
+
+    /**
+     * When checking nbf, iat or expiration times,
+     * we want to provide some extra leeway time to
+     * account for clock skew.
+     */
+    public static $leeway = 0;
+
+    /**
+     * Allow the current timestamp to be specified.
+     * Useful for fixing a value within unit testing.
+     *
+     * Will default to PHP time() value if null.
+     */
+    public static $timestamp = null;
+
+    public static $supported_algs = array(
+        'ES384' => array('openssl', 'SHA384'),
+        'ES256' => array('openssl', 'SHA256'),
+        'HS256' => array('hash_hmac', 'SHA256'),
+        'HS384' => array('hash_hmac', 'SHA384'),
+        'HS512' => array('hash_hmac', 'SHA512'),
+        'RS256' => array('openssl', 'SHA256'),
+        'RS384' => array('openssl', 'SHA384'),
+        'RS512' => array('openssl', 'SHA512'),
+        'EdDSA' => array('sodium_crypto', 'EdDSA'),
+    );
+
+    /**
+     * Decodes a JWT string into a PHP object.
+     *
+     * @param string                    $jwt            The JWT
+     * @param Key|array<Key>|mixed      $keyOrKeyArray  The Key or array of Key objects.
+     *                                                  If the algorithm used is asymmetric, this is the public key
+     *                                                  Each Key object contains an algorithm and matching key.
+     *                                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                                                  'HS512', 'RS256', 'RS384', and 'RS512'
+     * @param array                     $allowed_algs   [DEPRECATED] List of supported verification algorithms. Only
+     *                                                  should be used for backwards  compatibility.
+     *
+     * @return object The JWT's payload as a PHP object
+     *
+     * @throws InvalidArgumentException     Provided JWT was empty
+     * @throws UnexpectedValueException     Provided JWT was invalid
+     * @throws SignatureInvalidException    Provided JWT was invalid because the signature verification failed
+     * @throws BeforeValidException         Provided JWT is trying to be used before it's eligible as defined by 'nbf'
+     * @throws BeforeValidException         Provided JWT is trying to be used before it's been created as defined by 'iat'
+     * @throws ExpiredException             Provided JWT has since expired, as defined by the 'exp' claim
+     *
+     * @uses jsonDecode
+     * @uses urlsafeB64Decode
+     */
+    public static function decode($jwt, $keyOrKeyArray, array $allowed_algs = array())
+    {
+        $timestamp = \is_null(static::$timestamp) ? \time() : static::$timestamp;
+
+        if (empty($keyOrKeyArray)) {
+            throw new InvalidArgumentException('Key may not be empty');
+        }
+        $tks = \explode('.', $jwt);
+        if (\count($tks) != 3) {
+            throw new UnexpectedValueException('Wrong number of segments');
+        }
+        list($headb64, $bodyb64, $cryptob64) = $tks;
+        if (null === ($header = static::jsonDecode(static::urlsafeB64Decode($headb64)))) {
+            throw new UnexpectedValueException('Invalid header encoding');
+        }
+        if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
+            throw new UnexpectedValueException('Invalid claims encoding');
+        }
+        if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+            throw new UnexpectedValueException('Invalid signature encoding');
+        }
+        if (empty($header->alg)) {
+            throw new UnexpectedValueException('Empty algorithm');
+        }
+        if (empty(static::$supported_algs[$header->alg])) {
+            throw new UnexpectedValueException('Algorithm not supported');
+        }
+
+        list($keyMaterial, $algorithm) = self::getKeyMaterialAndAlgorithm(
+            $keyOrKeyArray,
+            empty($header->kid) ? null : $header->kid
+        );
+
+        if (empty($algorithm)) {
+            // Use deprecated "allowed_algs" to determine if the algorithm is supported.
+            // This opens up the possibility of an attack in some implementations.
+            // @see https://github.com/firebase/php-jwt/issues/351
+            if (!\in_array($header->alg, $allowed_algs)) {
+                throw new UnexpectedValueException('Algorithm not allowed');
+            }
+        } else {
+            // Check the algorithm
+            if (!self::constantTimeEquals($algorithm, $header->alg)) {
+                // See issue #351
+                throw new UnexpectedValueException('Incorrect key for this algorithm');
+            }
+        }
+        if ($header->alg === 'ES256' || $header->alg === 'ES384') {
+            // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
+            $sig = self::signatureToDER($sig);
+        }
+
+        if (!static::verify("$headb64.$bodyb64", $sig, $keyMaterial, $header->alg)) {
+            throw new SignatureInvalidException('Signature verification failed');
+        }
+
+        // Check the nbf if it is defined. This is the time that the
+        // token can actually be used. If it's not yet that time, abort.
+        if (isset($payload->nbf) && $payload->nbf > ($timestamp + static::$leeway)) {
+            throw new BeforeValidException(
+                'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf)
+            );
+        }
+
+        // Check that this token has been created before 'now'. This prevents
+        // using tokens that have been created for later use (and haven't
+        // correctly used the nbf claim).
+        if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
+            throw new BeforeValidException(
+                'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
+            );
+        }
+
+        // Check if this token has expired.
+        if (isset($payload->exp) && ($timestamp - static::$leeway) >= $payload->exp) {
+            throw new ExpiredException('Expired token');
+        }
+
+        return $payload;
+    }
+
+    /**
+     * Converts and signs a PHP object or array into a JWT string.
+     *
+     * @param object|array      $payload    PHP object or array
+     * @param string|resource   $key        The secret key.
+     *                                      If the algorithm used is asymmetric, this is the private key
+     * @param string            $alg        The signing algorithm.
+     *                                      Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                                      'HS512', 'RS256', 'RS384', and 'RS512'
+     * @param mixed             $keyId
+     * @param array             $head       An array with header elements to attach
+     *
+     * @return string A signed JWT
+     *
+     * @uses jsonEncode
+     * @uses urlsafeB64Encode
+     */
+    public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)
+    {
+        $header = array('typ' => 'JWT', 'alg' => $alg);
+        if ($keyId !== null) {
+            $header['kid'] = $keyId;
+        }
+        if (isset($head) && \is_array($head)) {
+            $header = \array_merge($head, $header);
+        }
+        $segments = array();
+        $segments[] = static::urlsafeB64Encode(static::jsonEncode($header));
+        $segments[] = static::urlsafeB64Encode(static::jsonEncode($payload));
+        $signing_input = \implode('.', $segments);
+
+        $signature = static::sign($signing_input, $key, $alg);
+        $segments[] = static::urlsafeB64Encode($signature);
+
+        return \implode('.', $segments);
+    }
+
+    /**
+     * Sign a string with a given key and algorithm.
+     *
+     * @param string            $msg    The message to sign
+     * @param string|resource   $key    The secret key
+     * @param string            $alg    The signing algorithm.
+     *                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                                  'HS512', 'RS256', 'RS384', and 'RS512'
+     *
+     * @return string An encrypted message
+     *
+     * @throws DomainException Unsupported algorithm or bad key was specified
+     */
+    public static function sign($msg, $key, $alg = 'HS256')
+    {
+        if (empty(static::$supported_algs[$alg])) {
+            throw new DomainException('Algorithm not supported');
+        }
+        list($function, $algorithm) = static::$supported_algs[$alg];
+        switch ($function) {
+            case 'hash_hmac':
+                return \hash_hmac($algorithm, $msg, $key, true);
+            case 'openssl':
+                $signature = '';
+                $success = \openssl_sign($msg, $signature, $key, $algorithm);
+                if (!$success) {
+                    throw new DomainException("OpenSSL unable to sign data");
+                }
+                if ($alg === 'ES256') {
+                    $signature = self::signatureFromDER($signature, 256);
+                } elseif ($alg === 'ES384') {
+                    $signature = self::signatureFromDER($signature, 384);
+                }
+                return $signature;
+            case 'sodium_crypto':
+                if (!function_exists('sodium_crypto_sign_detached')) {
+                    throw new DomainException('libsodium is not available');
+                }
+                try {
+                    // The last non-empty line is used as the key.
+                    $lines = array_filter(explode("\n", $key));
+                    $key = base64_decode(end($lines));
+                    return sodium_crypto_sign_detached($msg, $key);
+                } catch (Exception $e) {
+                    throw new DomainException($e->getMessage(), 0, $e);
+                }
+        }
+    }
+
+    /**
+     * Verify a signature with the message, key and method. Not all methods
+     * are symmetric, so we must have a separate verify and sign method.
+     *
+     * @param string            $msg        The original message (header and body)
+     * @param string            $signature  The original signature
+     * @param string|resource   $key        For HS*, a string key works. for RS*, must be a resource of an openssl public key
+     * @param string            $alg        The algorithm
+     *
+     * @return bool
+     *
+     * @throws DomainException Invalid Algorithm, bad key, or OpenSSL failure
+     */
+    private static function verify($msg, $signature, $key, $alg)
+    {
+        if (empty(static::$supported_algs[$alg])) {
+            throw new DomainException('Algorithm not supported');
+        }
+
+        list($function, $algorithm) = static::$supported_algs[$alg];
+        switch ($function) {
+            case 'openssl':
+                $success = \openssl_verify($msg, $signature, $key, $algorithm);
+                if ($success === 1) {
+                    return true;
+                } elseif ($success === 0) {
+                    return false;
+                }
+                // returns 1 on success, 0 on failure, -1 on error.
+                throw new DomainException(
+                    'OpenSSL error: ' . \openssl_error_string()
+                );
+            case 'sodium_crypto':
+              if (!function_exists('sodium_crypto_sign_verify_detached')) {
+                  throw new DomainException('libsodium is not available');
+              }
+              try {
+                  // The last non-empty line is used as the key.
+                  $lines = array_filter(explode("\n", $key));
+                  $key = base64_decode(end($lines));
+                  return sodium_crypto_sign_verify_detached($signature, $msg, $key);
+              } catch (Exception $e) {
+                  throw new DomainException($e->getMessage(), 0, $e);
+              }
+            case 'hash_hmac':
+            default:
+                $hash = \hash_hmac($algorithm, $msg, $key, true);
+                return self::constantTimeEquals($signature, $hash);
+        }
+    }
+
+    /**
+     * Decode a JSON string into a PHP object.
+     *
+     * @param string $input JSON string
+     *
+     * @return object Object representation of JSON string
+     *
+     * @throws DomainException Provided string was invalid JSON
+     */
+    public static function jsonDecode($input)
+    {
+        if (\version_compare(PHP_VERSION, '5.4.0', '>=') && !(\defined('JSON_C_VERSION') && PHP_INT_SIZE > 4)) {
+            /** In PHP >=5.4.0, json_decode() accepts an options parameter, that allows you
+             * to specify that large ints (like Steam Transaction IDs) should be treated as
+             * strings, rather than the PHP default behaviour of converting them to floats.
+             */
+            $obj = \json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
+        } else {
+            /** Not all servers will support that, however, so for older versions we must
+             * manually detect large ints in the JSON string and quote them (thus converting
+             *them to strings) before decoding, hence the preg_replace() call.
+             */
+            $max_int_length = \strlen((string) PHP_INT_MAX) - 1;
+            $json_without_bigints = \preg_replace('/:\s*(-?\d{'.$max_int_length.',})/', ': "$1"', $input);
+            $obj = \json_decode($json_without_bigints);
+        }
+
+        if ($errno = \json_last_error()) {
+            static::handleJsonError($errno);
+        } elseif ($obj === null && $input !== 'null') {
+            throw new DomainException('Null result with non-null input');
+        }
+        return $obj;
+    }
+
+    /**
+     * Encode a PHP object into a JSON string.
+     *
+     * @param object|array $input A PHP object or array
+     *
+     * @return string JSON representation of the PHP object or array
+     *
+     * @throws DomainException Provided object could not be encoded to valid JSON
+     */
+    public static function jsonEncode($input)
+    {
+        $json = \json_encode($input);
+        if ($errno = \json_last_error()) {
+            static::handleJsonError($errno);
+        } elseif ($json === 'null' && $input !== null) {
+            throw new DomainException('Null result with non-null input');
+        }
+        return $json;
+    }
+
+    /**
+     * Decode a string with URL-safe Base64.
+     *
+     * @param string $input A Base64 encoded string
+     *
+     * @return string A decoded string
+     */
+    public static function urlsafeB64Decode($input)
+    {
+        $remainder = \strlen($input) % 4;
+        if ($remainder) {
+            $padlen = 4 - $remainder;
+            $input .= \str_repeat('=', $padlen);
+        }
+        return \base64_decode(\strtr($input, '-_', '+/'));
+    }
+
+    /**
+     * Encode a string with URL-safe Base64.
+     *
+     * @param string $input The string you want encoded
+     *
+     * @return string The base64 encode of what you passed in
+     */
+    public static function urlsafeB64Encode($input)
+    {
+        return \str_replace('=', '', \strtr(\base64_encode($input), '+/', '-_'));
+    }
+
+
+    /**
+     * Determine if an algorithm has been provided for each Key
+     *
+     * @param Key|array<Key>|mixed $keyOrKeyArray
+     * @param string|null $kid
+     *
+     * @throws UnexpectedValueException
+     *
+     * @return array containing the keyMaterial and algorithm
+     */
+    private static function getKeyMaterialAndAlgorithm($keyOrKeyArray, $kid = null)
+    {
+        if (
+            is_string($keyOrKeyArray)
+            || is_resource($keyOrKeyArray)
+            || $keyOrKeyArray instanceof OpenSSLAsymmetricKey
+        ) {
+            return array($keyOrKeyArray, null);
+        }
+
+        if ($keyOrKeyArray instanceof Key) {
+            return array($keyOrKeyArray->getKeyMaterial(), $keyOrKeyArray->getAlgorithm());
+        }
+
+        if (is_array($keyOrKeyArray) || $keyOrKeyArray instanceof ArrayAccess) {
+            if (!isset($kid)) {
+                throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
+            }
+            if (!isset($keyOrKeyArray[$kid])) {
+                throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
+            }
+
+            $key = $keyOrKeyArray[$kid];
+
+            if ($key instanceof Key) {
+                return array($key->getKeyMaterial(), $key->getAlgorithm());
+            }
+
+            return array($key, null);
+        }
+
+        throw new UnexpectedValueException(
+            '$keyOrKeyArray must be a string|resource key, an array of string|resource keys, '
+            . 'an instance of Firebase\JWT\Key key or an array of Firebase\JWT\Key keys'
+        );
+    }
+
+    /**
+     * @param string $left
+     * @param string $right
+     * @return bool
+     */
+    public static function constantTimeEquals($left, $right)
+    {
+        if (\function_exists('hash_equals')) {
+            return \hash_equals($left, $right);
+        }
+        $len = \min(static::safeStrlen($left), static::safeStrlen($right));
+
+        $status = 0;
+        for ($i = 0; $i < $len; $i++) {
+            $status |= (\ord($left[$i]) ^ \ord($right[$i]));
+        }
+        $status |= (static::safeStrlen($left) ^ static::safeStrlen($right));
+
+        return ($status === 0);
+    }
+
+    /**
+     * Helper method to create a JSON error.
+     *
+     * @param int $errno An error number from json_last_error()
+     *
+     * @return void
+     */
+    private static function handleJsonError($errno)
+    {
+        $messages = array(
+            JSON_ERROR_DEPTH => 'Maximum stack depth exceeded',
+            JSON_ERROR_STATE_MISMATCH => 'Invalid or malformed JSON',
+            JSON_ERROR_CTRL_CHAR => 'Unexpected control character found',
+            JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON',
+            JSON_ERROR_UTF8 => 'Malformed UTF-8 characters' //PHP >= 5.3.3
+        );
+        throw new DomainException(
+            isset($messages[$errno])
+            ? $messages[$errno]
+            : 'Unknown JSON error: ' . $errno
+        );
+    }
+
+    /**
+     * Get the number of bytes in cryptographic strings.
+     *
+     * @param string $str
+     *
+     * @return int
+     */
+    private static function safeStrlen($str)
+    {
+        if (\function_exists('mb_strlen')) {
+            return \mb_strlen($str, '8bit');
+        }
+        return \strlen($str);
+    }
+
+    /**
+     * Convert an ECDSA signature to an ASN.1 DER sequence
+     *
+     * @param   string $sig The ECDSA signature to convert
+     * @return  string The encoded DER object
+     */
+    private static function signatureToDER($sig)
+    {
+        // Separate the signature into r-value and s-value
+        list($r, $s) = \str_split($sig, (int) (\strlen($sig) / 2));
+
+        // Trim leading zeros
+        $r = \ltrim($r, "\x00");
+        $s = \ltrim($s, "\x00");
+
+        // Convert r-value and s-value from unsigned big-endian integers to
+        // signed two's complement
+        if (\ord($r[0]) > 0x7f) {
+            $r = "\x00" . $r;
+        }
+        if (\ord($s[0]) > 0x7f) {
+            $s = "\x00" . $s;
+        }
+
+        return self::encodeDER(
+            self::ASN1_SEQUENCE,
+            self::encodeDER(self::ASN1_INTEGER, $r) .
+            self::encodeDER(self::ASN1_INTEGER, $s)
+        );
+    }
+
+    /**
+     * Encodes a value into a DER object.
+     *
+     * @param   int     $type DER tag
+     * @param   string  $value the value to encode
+     * @return  string  the encoded object
+     */
+    private static function encodeDER($type, $value)
+    {
+        $tag_header = 0;
+        if ($type === self::ASN1_SEQUENCE) {
+            $tag_header |= 0x20;
+        }
+
+        // Type
+        $der = \chr($tag_header | $type);
+
+        // Length
+        $der .= \chr(\strlen($value));
+
+        return $der . $value;
+    }
+
+    /**
+     * Encodes signature from a DER object.
+     *
+     * @param   string  $der binary signature in DER format
+     * @param   int     $keySize the number of bits in the key
+     * @return  string  the signature
+     */
+    private static function signatureFromDER($der, $keySize)
+    {
+        // OpenSSL returns the ECDSA signatures as a binary ASN.1 DER SEQUENCE
+        list($offset, $_) = self::readDER($der);
+        list($offset, $r) = self::readDER($der, $offset);
+        list($offset, $s) = self::readDER($der, $offset);
+
+        // Convert r-value and s-value from signed two's compliment to unsigned
+        // big-endian integers
+        $r = \ltrim($r, "\x00");
+        $s = \ltrim($s, "\x00");
+
+        // Pad out r and s so that they are $keySize bits long
+        $r = \str_pad($r, $keySize / 8, "\x00", STR_PAD_LEFT);
+        $s = \str_pad($s, $keySize / 8, "\x00", STR_PAD_LEFT);
+
+        return $r . $s;
+    }
+
+    /**
+     * Reads binary DER-encoded data and decodes into a single object
+     *
+     * @param string $der the binary data in DER format
+     * @param int $offset the offset of the data stream containing the object
+     * to decode
+     * @return array [$offset, $data] the new offset and the decoded object
+     */
+    private static function readDER($der, $offset = 0)
+    {
+        $pos = $offset;
+        $size = \strlen($der);
+        $constructed = (\ord($der[$pos]) >> 5) & 0x01;
+        $type = \ord($der[$pos++]) & 0x1f;
+
+        // Length
+        $len = \ord($der[$pos++]);
+        if ($len & 0x80) {
+            $n = $len & 0x1f;
+            $len = 0;
+            while ($n-- && $pos < $size) {
+                $len = ($len << 8) | \ord($der[$pos++]);
+            }
+        }
+
+        // Value
+        if ($type == self::ASN1_BIT_STRING) {
+            $pos++; // Skip the first contents octet (padding indicator)
+            $data = \substr($der, $pos, $len - 1);
+            $pos += $len - 1;
+        } elseif (!$constructed) {
+            $data = \substr($der, $pos, $len);
+            $pos += $len;
+        } else {
+            $data = null;
+        }
+
+        return array($pos, $data);
+    }
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php
new file mode 100644
index 000000000..f1ede6f27
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php
@@ -0,0 +1,59 @@
+<?php
+
+namespace Firebase\JWT;
+
+use InvalidArgumentException;
+use OpenSSLAsymmetricKey;
+
+class Key
+{
+    /** @var string $algorithm */
+    private $algorithm;
+
+    /** @var string|resource|OpenSSLAsymmetricKey $keyMaterial */
+    private $keyMaterial;
+
+    /**
+     * @param string|resource|OpenSSLAsymmetricKey $keyMaterial
+     * @param string $algorithm
+     */
+    public function __construct($keyMaterial, $algorithm)
+    {
+        if (
+            !is_string($keyMaterial)
+            && !is_resource($keyMaterial)
+            && !$keyMaterial instanceof OpenSSLAsymmetricKey
+        ) {
+            throw new InvalidArgumentException('Type error: $keyMaterial must be a string, resource, or OpenSSLAsymmetricKey');
+        }
+
+        if (empty($keyMaterial)) {
+            throw new InvalidArgumentException('Type error: $keyMaterial must not be empty');
+        }
+
+        if (!is_string($algorithm)|| empty($keyMaterial)) {
+            throw new InvalidArgumentException('Type error: $algorithm must be a string');
+        }
+
+        $this->keyMaterial = $keyMaterial;
+        $this->algorithm = $algorithm;
+    }
+
+    /**
+     * Return the algorithm valid for this key
+     *
+     * @return string
+     */
+    public function getAlgorithm()
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * @return string|resource|OpenSSLAsymmetricKey
+     */
+    public function getKeyMaterial()
+    {
+        return $this->keyMaterial;
+    }
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/SignatureInvalidException.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/SignatureInvalidException.php
new file mode 100644
index 000000000..d35dee9f1
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/SignatureInvalidException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace Firebase\JWT;
+
+class SignatureInvalidException extends \UnexpectedValueException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/CHANGELOG.md b/data/web/inc/lib/vendor/guzzlehttp/guzzle/CHANGELOG.md
new file mode 100644
index 000000000..12949ba67
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/CHANGELOG.md
@@ -0,0 +1,1519 @@
+# Change Log
+
+Please refer to [UPGRADING](UPGRADING.md) guide for upgrading to a major version.
+
+## 7.5.0 - 2022-08-28
+
+### Added
+
+- Support PHP 8.2
+- Add request to delay closure params
+
+## 7.4.5 - 2022-06-20
+
+* Fix change in port should be considered a change in origin
+* Fix `CURLOPT_HTTPAUTH` option not cleared on change of origin
+
+## 7.4.4 - 2022-06-09
+
+* Fix failure to strip Authorization header on HTTP downgrade
+* Fix failure to strip the Cookie header on change in host or HTTP downgrade
+
+## 7.4.3 - 2022-05-25
+
+* Fix cross-domain cookie leakage
+
+## 7.4.2 - 2022-03-20
+
+### Fixed
+
+- Remove curl auth on cross-domain redirects to align with the Authorization HTTP header
+- Reject non-HTTP schemes in StreamHandler
+- Set a default ssl.peer_name context in StreamHandler to allow `force_ip_resolve`
+
+## 7.4.1 - 2021-12-06
+
+### Changed
+
+- Replaced implicit URI to string coercion [#2946](https://github.com/guzzle/guzzle/pull/2946)
+- Allow `symfony/deprecation-contracts` version 3 [#2961](https://github.com/guzzle/guzzle/pull/2961)
+
+### Fixed
+
+- Only close curl handle if it's done [#2950](https://github.com/guzzle/guzzle/pull/2950)
+
+## 7.4.0 - 2021-10-18
+
+### Added
+
+- Support PHP 8.1 [#2929](https://github.com/guzzle/guzzle/pull/2929), [#2939](https://github.com/guzzle/guzzle/pull/2939)
+- Support `psr/log` version 2 and 3 [#2943](https://github.com/guzzle/guzzle/pull/2943)
+
+### Fixed
+
+- Make sure we always call `restore_error_handler()` [#2915](https://github.com/guzzle/guzzle/pull/2915)
+- Fix progress parameter type compatibility between the cURL and stream handlers [#2936](https://github.com/guzzle/guzzle/pull/2936)
+- Throw `InvalidArgumentException` when an incorrect `headers` array is provided [#2916](https://github.com/guzzle/guzzle/pull/2916), [#2942](https://github.com/guzzle/guzzle/pull/2942)
+
+### Changed
+
+- Be more strict with types [#2914](https://github.com/guzzle/guzzle/pull/2914), [#2917](https://github.com/guzzle/guzzle/pull/2917), [#2919](https://github.com/guzzle/guzzle/pull/2919), [#2945](https://github.com/guzzle/guzzle/pull/2945)
+
+## 7.3.0 - 2021-03-23
+
+### Added
+
+- Support for DER and P12 certificates [#2413](https://github.com/guzzle/guzzle/pull/2413)
+- Support the cURL (http://) scheme for StreamHandler proxies [#2850](https://github.com/guzzle/guzzle/pull/2850)
+- Support for `guzzlehttp/psr7:^2.0` [#2878](https://github.com/guzzle/guzzle/pull/2878)
+
+### Fixed
+
+- Handle exceptions on invalid header consistently between PHP versions and handlers [#2872](https://github.com/guzzle/guzzle/pull/2872)
+
+## 7.2.0 - 2020-10-10
+
+### Added
+
+- Support for PHP 8 [#2712](https://github.com/guzzle/guzzle/pull/2712), [#2715](https://github.com/guzzle/guzzle/pull/2715), [#2789](https://github.com/guzzle/guzzle/pull/2789)
+- Support passing a body summarizer to the http errors middleware [#2795](https://github.com/guzzle/guzzle/pull/2795)
+
+### Fixed
+
+- Handle exceptions during response creation [#2591](https://github.com/guzzle/guzzle/pull/2591)
+- Fix CURLOPT_ENCODING not to be overwritten [#2595](https://github.com/guzzle/guzzle/pull/2595)
+- Make sure the Request always has a body object [#2804](https://github.com/guzzle/guzzle/pull/2804)
+
+### Changed
+
+- The `TooManyRedirectsException` has a response [#2660](https://github.com/guzzle/guzzle/pull/2660)
+- Avoid "functions" from dependencies [#2712](https://github.com/guzzle/guzzle/pull/2712)
+
+### Deprecated
+
+- Using environment variable GUZZLE_CURL_SELECT_TIMEOUT [#2786](https://github.com/guzzle/guzzle/pull/2786)
+
+## 7.1.1 - 2020-09-30
+
+### Fixed
+
+- Incorrect EOF detection for response body streams on Windows.
+
+### Changed
+
+- We dont connect curl `sink` on HEAD requests.
+- Removed some PHP 5 workarounds
+
+## 7.1.0 - 2020-09-22
+
+### Added
+
+- `GuzzleHttp\MessageFormatterInterface`
+
+### Fixed
+
+- Fixed issue that caused cookies with no value not to be stored.
+- On redirects, we allow all safe methods like GET, HEAD and OPTIONS.
+- Fixed logging on empty responses.
+- Make sure MessageFormatter::format returns string
+
+### Deprecated
+
+- All functions in `GuzzleHttp` has been deprecated. Use static methods on `Utils` instead.
+- `ClientInterface::getConfig()`
+- `Client::getConfig()`
+- `Client::__call()`
+- `Utils::defaultCaBundle()`
+- `CurlFactory::LOW_CURL_VERSION_NUMBER`
+
+## 7.0.1 - 2020-06-27
+
+* Fix multiply defined functions fatal error [#2699](https://github.com/guzzle/guzzle/pull/2699)
+
+## 7.0.0 - 2020-06-27
+
+No changes since 7.0.0-rc1.
+
+## 7.0.0-rc1 - 2020-06-15
+
+### Changed
+
+* Use error level for logging errors in Middleware [#2629](https://github.com/guzzle/guzzle/pull/2629)
+* Disabled IDN support by default and require ext-intl to use it [#2675](https://github.com/guzzle/guzzle/pull/2675)
+
+## 7.0.0-beta2 - 2020-05-25
+
+### Added
+
+* Using `Utils` class instead of functions in the `GuzzleHttp` namespace. [#2546](https://github.com/guzzle/guzzle/pull/2546)
+* `ClientInterface::MAJOR_VERSION` [#2583](https://github.com/guzzle/guzzle/pull/2583)
+
+### Changed
+
+* Avoid the `getenv` function when unsafe [#2531](https://github.com/guzzle/guzzle/pull/2531)
+* Added real client methods [#2529](https://github.com/guzzle/guzzle/pull/2529)
+* Avoid functions due to global install conflicts [#2546](https://github.com/guzzle/guzzle/pull/2546)
+* Use Symfony intl-idn polyfill [#2550](https://github.com/guzzle/guzzle/pull/2550)
+* Adding methods for HTTP verbs like `Client::get()`, `Client::head()`, `Client::patch()` etc [#2529](https://github.com/guzzle/guzzle/pull/2529)
+* `ConnectException` extends `TransferException` [#2541](https://github.com/guzzle/guzzle/pull/2541)
+* Updated the default User Agent to "GuzzleHttp/7" [#2654](https://github.com/guzzle/guzzle/pull/2654)
+
+### Fixed
+
+* Various intl icu issues [#2626](https://github.com/guzzle/guzzle/pull/2626)
+
+### Removed
+
+* Pool option `pool_size` [#2528](https://github.com/guzzle/guzzle/pull/2528)
+
+## 7.0.0-beta1 - 2019-12-30
+
+The diff might look very big but 95% of Guzzle users will be able to upgrade without modification.
+Please see [the upgrade document](UPGRADING.md) that describes all BC breaking changes.
+
+### Added
+
+* Implement PSR-18 and dropped PHP 5 support [#2421](https://github.com/guzzle/guzzle/pull/2421) [#2474](https://github.com/guzzle/guzzle/pull/2474)
+* PHP 7 types [#2442](https://github.com/guzzle/guzzle/pull/2442) [#2449](https://github.com/guzzle/guzzle/pull/2449) [#2466](https://github.com/guzzle/guzzle/pull/2466) [#2497](https://github.com/guzzle/guzzle/pull/2497) [#2499](https://github.com/guzzle/guzzle/pull/2499)
+* IDN support for redirects [2424](https://github.com/guzzle/guzzle/pull/2424)
+
+### Changed
+
+* Dont allow passing null as third argument to `BadResponseException::__construct()` [#2427](https://github.com/guzzle/guzzle/pull/2427)
+* Use SAPI constant instead of method call [#2450](https://github.com/guzzle/guzzle/pull/2450)
+* Use native function invocation [#2444](https://github.com/guzzle/guzzle/pull/2444)
+* Better defaults for PHP installations with old ICU lib [2454](https://github.com/guzzle/guzzle/pull/2454)
+* Added visibility to all constants [#2462](https://github.com/guzzle/guzzle/pull/2462)
+* Dont allow passing `null` as URI to `Client::request()` and `Client::requestAsync()` [#2461](https://github.com/guzzle/guzzle/pull/2461)
+* Widen the exception argument to throwable [#2495](https://github.com/guzzle/guzzle/pull/2495)
+
+### Fixed
+
+* Logging when Promise rejected with a string [#2311](https://github.com/guzzle/guzzle/pull/2311)
+
+### Removed
+
+* Class `SeekException` [#2162](https://github.com/guzzle/guzzle/pull/2162)
+* `RequestException::getResponseBodySummary()` [#2425](https://github.com/guzzle/guzzle/pull/2425)
+* `CookieJar::getCookieValue()` [#2433](https://github.com/guzzle/guzzle/pull/2433)
+* `uri_template()` and `UriTemplate` [#2440](https://github.com/guzzle/guzzle/pull/2440)
+* Request options `save_to` and `exceptions` [#2464](https://github.com/guzzle/guzzle/pull/2464)
+
+## 6.5.2 - 2019-12-23
+
+* idn_to_ascii() fix for old PHP versions [#2489](https://github.com/guzzle/guzzle/pull/2489)
+
+## 6.5.1 - 2019-12-21
+
+* Better defaults for PHP installations with old ICU lib [#2454](https://github.com/guzzle/guzzle/pull/2454)
+* IDN support for redirects [#2424](https://github.com/guzzle/guzzle/pull/2424)
+
+## 6.5.0 - 2019-12-07
+
+* Improvement: Added support for reset internal queue in MockHandler. [#2143](https://github.com/guzzle/guzzle/pull/2143)
+* Improvement: Added support to pass arbitrary options to `curl_multi_init`. [#2287](https://github.com/guzzle/guzzle/pull/2287)
+* Fix: Gracefully handle passing `null` to the `header` option. [#2132](https://github.com/guzzle/guzzle/pull/2132)
+* Fix: `RetryMiddleware` did not do exponential delay between retires due unit mismatch. [#2132](https://github.com/guzzle/guzzle/pull/2132)
+* Fix: Prevent undefined offset when using array for ssl_key options. [#2348](https://github.com/guzzle/guzzle/pull/2348)
+* Deprecated `ClientInterface::VERSION`
+
+## 6.4.1 - 2019-10-23
+
+* No `guzzle.phar` was created in 6.4.0 due expired API token. This release will fix that
+* Added `parent::__construct()` to `FileCookieJar` and `SessionCookieJar`
+
+## 6.4.0 - 2019-10-23
+
+* Improvement: Improved error messages when using curl < 7.21.2 [#2108](https://github.com/guzzle/guzzle/pull/2108)
+* Fix: Test if response is readable before returning a summary in `RequestException::getResponseBodySummary()` [#2081](https://github.com/guzzle/guzzle/pull/2081)
+* Fix: Add support for GUZZLE_CURL_SELECT_TIMEOUT environment variable [#2161](https://github.com/guzzle/guzzle/pull/2161)
+* Improvement: Added `GuzzleHttp\Exception\InvalidArgumentException` [#2163](https://github.com/guzzle/guzzle/pull/2163)
+* Improvement: Added `GuzzleHttp\_current_time()` to use `hrtime()` if that function exists. [#2242](https://github.com/guzzle/guzzle/pull/2242)
+* Improvement: Added curl's `appconnect_time` in `TransferStats` [#2284](https://github.com/guzzle/guzzle/pull/2284)
+* Improvement: Make GuzzleException extend Throwable wherever it's available [#2273](https://github.com/guzzle/guzzle/pull/2273)
+* Fix: Prevent concurrent writes to file when saving `CookieJar` [#2335](https://github.com/guzzle/guzzle/pull/2335)
+* Improvement: Update `MockHandler` so we can test transfer time [#2362](https://github.com/guzzle/guzzle/pull/2362)
+
+## 6.3.3 - 2018-04-22
+
+* Fix: Default headers when decode_content is specified
+
+
+## 6.3.2 - 2018-03-26
+
+* Fix: Release process
+
+
+## 6.3.1 - 2018-03-26
+
+* Bug fix: Parsing 0 epoch expiry times in cookies [#2014](https://github.com/guzzle/guzzle/pull/2014)
+* Improvement: Better ConnectException detection [#2012](https://github.com/guzzle/guzzle/pull/2012)
+* Bug fix: Malformed domain that contains a "/" [#1999](https://github.com/guzzle/guzzle/pull/1999)
+* Bug fix: Undefined offset when a cookie has no first key-value pair [#1998](https://github.com/guzzle/guzzle/pull/1998)
+* Improvement: Support PHPUnit 6 [#1953](https://github.com/guzzle/guzzle/pull/1953)
+* Bug fix: Support empty headers [#1915](https://github.com/guzzle/guzzle/pull/1915)
+* Bug fix: Ignore case during header modifications [#1916](https://github.com/guzzle/guzzle/pull/1916)
+
++ Minor code cleanups, documentation fixes and clarifications.
+
+
+## 6.3.0 - 2017-06-22
+
+* Feature: force IP resolution (ipv4 or ipv6) [#1608](https://github.com/guzzle/guzzle/pull/1608), [#1659](https://github.com/guzzle/guzzle/pull/1659)
+* Improvement: Don't include summary in exception message when body is empty [#1621](https://github.com/guzzle/guzzle/pull/1621)
+* Improvement: Handle `on_headers` option in MockHandler [#1580](https://github.com/guzzle/guzzle/pull/1580)
+* Improvement: Added SUSE Linux CA path [#1609](https://github.com/guzzle/guzzle/issues/1609)
+* Improvement: Use class reference for getting the name of the class instead of using hardcoded strings [#1641](https://github.com/guzzle/guzzle/pull/1641)
+* Feature: Added `read_timeout` option [#1611](https://github.com/guzzle/guzzle/pull/1611)
+* Bug fix: PHP 7.x fixes [#1685](https://github.com/guzzle/guzzle/pull/1685), [#1686](https://github.com/guzzle/guzzle/pull/1686), [#1811](https://github.com/guzzle/guzzle/pull/1811)
+* Deprecation: BadResponseException instantiation without a response [#1642](https://github.com/guzzle/guzzle/pull/1642)
+* Feature: Added NTLM auth [#1569](https://github.com/guzzle/guzzle/pull/1569)
+* Feature: Track redirect HTTP status codes [#1711](https://github.com/guzzle/guzzle/pull/1711)
+* Improvement: Check handler type during construction [#1745](https://github.com/guzzle/guzzle/pull/1745)
+* Improvement: Always include the Content-Length if there's a body [#1721](https://github.com/guzzle/guzzle/pull/1721)
+* Feature: Added convenience method to access a cookie by name [#1318](https://github.com/guzzle/guzzle/pull/1318)
+* Bug fix: Fill `CURLOPT_CAPATH` and `CURLOPT_CAINFO` properly [#1684](https://github.com/guzzle/guzzle/pull/1684)
+* Improvement:  	Use `\GuzzleHttp\Promise\rejection_for` function instead of object init [#1827](https://github.com/guzzle/guzzle/pull/1827)
+
+
++ Minor code cleanups, documentation fixes and clarifications.
+
+## 6.2.3 - 2017-02-28
+
+* Fix deprecations with guzzle/psr7 version 1.4
+
+## 6.2.2 - 2016-10-08
+
+* Allow to pass nullable Response to delay callable
+* Only add scheme when host is present
+* Fix drain case where content-length is the literal string zero
+* Obfuscate in-URL credentials in exceptions
+
+## 6.2.1 - 2016-07-18
+
+* Address HTTP_PROXY security vulnerability, CVE-2016-5385:
+  https://httpoxy.org/
+* Fixing timeout bug with StreamHandler:
+  https://github.com/guzzle/guzzle/pull/1488
+* Only read up to `Content-Length` in PHP StreamHandler to avoid timeouts when
+  a server does not honor `Connection: close`.
+* Ignore URI fragment when sending requests.
+
+## 6.2.0 - 2016-03-21
+
+* Feature: added `GuzzleHttp\json_encode` and `GuzzleHttp\json_decode`.
+  https://github.com/guzzle/guzzle/pull/1389
+* Bug fix: Fix sleep calculation when waiting for delayed requests.
+  https://github.com/guzzle/guzzle/pull/1324
+* Feature: More flexible history containers.
+  https://github.com/guzzle/guzzle/pull/1373
+* Bug fix: defer sink stream opening in StreamHandler.
+  https://github.com/guzzle/guzzle/pull/1377
+* Bug fix: do not attempt to escape cookie values.
+  https://github.com/guzzle/guzzle/pull/1406
+* Feature: report original content encoding and length on decoded responses.
+  https://github.com/guzzle/guzzle/pull/1409
+* Bug fix: rewind seekable request bodies before dispatching to cURL.
+  https://github.com/guzzle/guzzle/pull/1422
+* Bug fix: provide an empty string to `http_build_query` for HHVM workaround.
+  https://github.com/guzzle/guzzle/pull/1367
+
+## 6.1.1 - 2015-11-22
+
+* Bug fix: Proxy::wrapSync() now correctly proxies to the appropriate handler
+  https://github.com/guzzle/guzzle/commit/911bcbc8b434adce64e223a6d1d14e9a8f63e4e4
+* Feature: HandlerStack is now more generic.
+  https://github.com/guzzle/guzzle/commit/f2102941331cda544745eedd97fc8fd46e1ee33e
+* Bug fix: setting verify to false in the StreamHandler now disables peer
+  verification. https://github.com/guzzle/guzzle/issues/1256
+* Feature: Middleware now uses an exception factory, including more error
+  context. https://github.com/guzzle/guzzle/pull/1282
+* Feature: better support for disabled functions.
+  https://github.com/guzzle/guzzle/pull/1287
+* Bug fix: fixed regression where MockHandler was not using `sink`.
+  https://github.com/guzzle/guzzle/pull/1292
+
+## 6.1.0 - 2015-09-08
+
+* Feature: Added the `on_stats` request option to provide access to transfer
+  statistics for requests. https://github.com/guzzle/guzzle/pull/1202
+* Feature: Added the ability to persist session cookies in CookieJars.
+  https://github.com/guzzle/guzzle/pull/1195
+* Feature: Some compatibility updates for Google APP Engine
+  https://github.com/guzzle/guzzle/pull/1216
+* Feature: Added support for NO_PROXY to prevent the use of a proxy based on
+  a simple set of rules. https://github.com/guzzle/guzzle/pull/1197
+* Feature: Cookies can now contain square brackets.
+  https://github.com/guzzle/guzzle/pull/1237
+* Bug fix: Now correctly parsing `=` inside of quotes in Cookies.
+  https://github.com/guzzle/guzzle/pull/1232
+* Bug fix: Cusotm cURL options now correctly override curl options of the
+  same name. https://github.com/guzzle/guzzle/pull/1221
+* Bug fix: Content-Type header is now added when using an explicitly provided
+  multipart body. https://github.com/guzzle/guzzle/pull/1218
+* Bug fix: Now ignoring Set-Cookie headers that have no name.
+* Bug fix: Reason phrase is no longer cast to an int in some cases in the
+  cURL handler. https://github.com/guzzle/guzzle/pull/1187
+* Bug fix: Remove the Authorization header when redirecting if the Host
+  header changes. https://github.com/guzzle/guzzle/pull/1207
+* Bug fix: Cookie path matching fixes
+  https://github.com/guzzle/guzzle/issues/1129
+* Bug fix: Fixing the cURL `body_as_string` setting
+  https://github.com/guzzle/guzzle/pull/1201
+* Bug fix: quotes are no longer stripped when parsing cookies.
+  https://github.com/guzzle/guzzle/issues/1172
+* Bug fix: `form_params` and `query` now always uses the `&` separator.
+  https://github.com/guzzle/guzzle/pull/1163
+* Bug fix: Adding a Content-Length to PHP stream wrapper requests if not set.
+  https://github.com/guzzle/guzzle/pull/1189
+
+## 6.0.2 - 2015-07-04
+
+* Fixed a memory leak in the curl handlers in which references to callbacks
+  were not being removed by `curl_reset`.
+* Cookies are now extracted properly before redirects.
+* Cookies now allow more character ranges.
+* Decoded Content-Encoding responses are now modified to correctly reflect
+  their state if the encoding was automatically removed by a handler. This
+  means that the `Content-Encoding` header may be removed an the
+  `Content-Length` modified to reflect the message size after removing the
+  encoding.
+* Added a more explicit error message when trying to use `form_params` and
+  `multipart` in the same request.
+* Several fixes for HHVM support.
+* Functions are now conditionally required using an additional level of
+  indirection to help with global Composer installations.
+
+## 6.0.1 - 2015-05-27
+
+* Fixed a bug with serializing the `query` request option where the `&`
+  separator was missing.
+* Added a better error message for when `body` is provided as an array. Please
+  use `form_params` or `multipart` instead.
+* Various doc fixes.
+
+## 6.0.0 - 2015-05-26
+
+* See the UPGRADING.md document for more information.
+* Added `multipart` and `form_params` request options.
+* Added `synchronous` request option.
+* Added the `on_headers` request option.
+* Fixed `expect` handling.
+* No longer adding default middlewares in the client ctor. These need to be
+  present on the provided handler in order to work.
+* Requests are no longer initiated when sending async requests with the
+  CurlMultiHandler. This prevents unexpected recursion from requests completing
+  while ticking the cURL loop.
+* Removed the semantics of setting `default` to `true`. This is no longer
+  required now that the cURL loop is not ticked for async requests.
+* Added request and response logging middleware.
+* No longer allowing self signed certificates when using the StreamHandler.
+* Ensuring that `sink` is valid if saving to a file.
+* Request exceptions now include a "handler context" which provides handler
+  specific contextual information.
+* Added `GuzzleHttp\RequestOptions` to allow request options to be applied
+  using constants.
+* `$maxHandles` has been removed from CurlMultiHandler.
+* `MultipartPostBody` is now part of the `guzzlehttp/psr7` package.
+
+## 5.3.0 - 2015-05-19
+
+* Mock now supports `save_to`
+* Marked `AbstractRequestEvent::getTransaction()` as public.
+* Fixed a bug in which multiple headers using different casing would overwrite
+  previous headers in the associative array.
+* Added `Utils::getDefaultHandler()`
+* Marked `GuzzleHttp\Client::getDefaultUserAgent` as deprecated.
+* URL scheme is now always lowercased.
+
+## 6.0.0-beta.1
+
+* Requires PHP >= 5.5
+* Updated to use PSR-7
+  * Requires immutable messages, which basically means an event based system
+    owned by a request instance is no longer possible.
+  * Utilizing the [Guzzle PSR-7 package](https://github.com/guzzle/psr7).
+  * Removed the dependency on `guzzlehttp/streams`. These stream abstractions
+    are available in the `guzzlehttp/psr7` package under the `GuzzleHttp\Psr7`
+    namespace.
+* Added middleware and handler system
+  * Replaced the Guzzle event and subscriber system with a middleware system.
+  * No longer depends on RingPHP, but rather places the HTTP handlers directly
+    in Guzzle, operating on PSR-7 messages.
+  * Retry logic is now encapsulated in `GuzzleHttp\Middleware::retry`, which
+    means the `guzzlehttp/retry-subscriber` is now obsolete.
+  * Mocking responses is now handled using `GuzzleHttp\Handler\MockHandler`.
+* Asynchronous responses
+  * No longer supports the `future` request option to send an async request.
+    Instead, use one of the `*Async` methods of a client (e.g., `requestAsync`,
+    `getAsync`, etc.).
+  * Utilizing `GuzzleHttp\Promise` instead of React's promise library to avoid
+    recursion required by chaining and forwarding react promises. See
+    https://github.com/guzzle/promises
+  * Added `requestAsync` and `sendAsync` to send request asynchronously.
+  * Added magic methods for `getAsync()`, `postAsync()`, etc. to send requests
+    asynchronously.
+* Request options
+  * POST and form updates
+    * Added the `form_fields` and `form_files` request options.
+    * Removed the `GuzzleHttp\Post` namespace.
+    * The `body` request option no longer accepts an array for POST requests.
+  * The `exceptions` request option has been deprecated in favor of the
+    `http_errors` request options.
+  * The `save_to` request option has been deprecated in favor of `sink` request
+    option.
+* Clients no longer accept an array of URI template string and variables for
+  URI variables. You will need to expand URI templates before passing them
+  into a client constructor or request method.
+* Client methods `get()`, `post()`, `put()`, `patch()`, `options()`, etc. are
+  now magic methods that will send synchronous requests.
+* Replaced `Utils.php` with plain functions in `functions.php`.
+* Removed `GuzzleHttp\Collection`.
+* Removed `GuzzleHttp\BatchResults`. Batched pool results are now returned as
+  an array.
+* Removed `GuzzleHttp\Query`. Query string handling is now handled using an
+  associative array passed into the `query` request option. The query string
+  is serialized using PHP's `http_build_query`. If you need more control, you
+  can pass the query string in as a string.
+* `GuzzleHttp\QueryParser` has been replaced with the
+  `GuzzleHttp\Psr7\parse_query`.
+
+## 5.2.0 - 2015-01-27
+
+* Added `AppliesHeadersInterface` to make applying headers to a request based
+  on the body more generic and not specific to `PostBodyInterface`.
+* Reduced the number of stack frames needed to send requests.
+* Nested futures are now resolved in the client rather than the RequestFsm
+* Finishing state transitions is now handled in the RequestFsm rather than the
+  RingBridge.
+* Added a guard in the Pool class to not use recursion for request retries.
+
+## 5.1.0 - 2014-12-19
+
+* Pool class no longer uses recursion when a request is intercepted.
+* The size of a Pool can now be dynamically adjusted using a callback.
+  See https://github.com/guzzle/guzzle/pull/943.
+* Setting a request option to `null` when creating a request with a client will
+  ensure that the option is not set. This allows you to overwrite default
+  request options on a per-request basis.
+  See https://github.com/guzzle/guzzle/pull/937.
+* Added the ability to limit which protocols are allowed for redirects by
+  specifying a `protocols` array in the `allow_redirects` request option.
+* Nested futures due to retries are now resolved when waiting for synchronous
+  responses. See https://github.com/guzzle/guzzle/pull/947.
+* `"0"` is now an allowed URI path. See
+  https://github.com/guzzle/guzzle/pull/935.
+* `Query` no longer typehints on the `$query` argument in the constructor,
+  allowing for strings and arrays.
+* Exceptions thrown in the `end` event are now correctly wrapped with Guzzle
+  specific exceptions if necessary.
+
+## 5.0.3 - 2014-11-03
+
+This change updates query strings so that they are treated as un-encoded values
+by default where the value represents an un-encoded value to send over the
+wire. A Query object then encodes the value before sending over the wire. This
+means that even value query string values (e.g., ":") are url encoded. This
+makes the Query class match PHP's http_build_query function. However, if you
+want to send requests over the wire using valid query string characters that do
+not need to be encoded, then you can provide a string to Url::setQuery() and
+pass true as the second argument to specify that the query string is a raw
+string that should not be parsed or encoded (unless a call to getQuery() is
+subsequently made, forcing the query-string to be converted into a Query
+object).
+
+## 5.0.2 - 2014-10-30
+
+* Added a trailing `\r\n` to multipart/form-data payloads. See
+  https://github.com/guzzle/guzzle/pull/871
+* Added a `GuzzleHttp\Pool::send()` convenience method to match the docs.
+* Status codes are now returned as integers. See
+  https://github.com/guzzle/guzzle/issues/881
+* No longer overwriting an existing `application/x-www-form-urlencoded` header
+  when sending POST requests, allowing for customized headers. See
+  https://github.com/guzzle/guzzle/issues/877
+* Improved path URL serialization.
+
+  * No longer double percent-encoding characters in the path or query string if
+    they are already encoded.
+  * Now properly encoding the supplied path to a URL object, instead of only
+    encoding ' ' and '?'.
+  * Note: This has been changed in 5.0.3 to now encode query string values by
+    default unless the `rawString` argument is provided when setting the query
+    string on a URL: Now allowing many more characters to be present in the
+    query string without being percent encoded. See https://tools.ietf.org/html/rfc3986#appendix-A
+
+## 5.0.1 - 2014-10-16
+
+Bugfix release.
+
+* Fixed an issue where connection errors still returned response object in
+  error and end events event though the response is unusable. This has been
+  corrected so that a response is not returned in the `getResponse` method of
+  these events if the response did not complete. https://github.com/guzzle/guzzle/issues/867
+* Fixed an issue where transfer statistics were not being populated in the
+  RingBridge. https://github.com/guzzle/guzzle/issues/866
+
+## 5.0.0 - 2014-10-12
+
+Adding support for non-blocking responses and some minor API cleanup.
+
+### New Features
+
+* Added support for non-blocking responses based on `guzzlehttp/guzzle-ring`.
+* Added a public API for creating a default HTTP adapter.
+* Updated the redirect plugin to be non-blocking so that redirects are sent
+  concurrently. Other plugins like this can now be updated to be non-blocking.
+* Added a "progress" event so that you can get upload and download progress
+  events.
+* Added `GuzzleHttp\Pool` which implements FutureInterface and transfers
+  requests concurrently using a capped pool size as efficiently as possible.
+* Added `hasListeners()` to EmitterInterface.
+* Removed `GuzzleHttp\ClientInterface::sendAll` and marked
+  `GuzzleHttp\Client::sendAll` as deprecated (it's still there, just not the
+  recommended way).
+
+### Breaking changes
+
+The breaking changes in this release are relatively minor. The biggest thing to
+look out for is that request and response objects no longer implement fluent
+interfaces.
+
+* Removed the fluent interfaces (i.e., `return $this`) from requests,
+  responses, `GuzzleHttp\Collection`, `GuzzleHttp\Url`,
+  `GuzzleHttp\Query`, `GuzzleHttp\Post\PostBody`, and
+  `GuzzleHttp\Cookie\SetCookie`. This blog post provides a good outline of
+  why I did this: https://ocramius.github.io/blog/fluent-interfaces-are-evil/.
+  This also makes the Guzzle message interfaces compatible with the current
+  PSR-7 message proposal.
+* Removed "functions.php", so that Guzzle is truly PSR-4 compliant. Except
+  for the HTTP request functions from function.php, these functions are now
+  implemented in `GuzzleHttp\Utils` using camelCase. `GuzzleHttp\json_decode`
+  moved to `GuzzleHttp\Utils::jsonDecode`. `GuzzleHttp\get_path` moved to
+  `GuzzleHttp\Utils::getPath`. `GuzzleHttp\set_path` moved to
+  `GuzzleHttp\Utils::setPath`. `GuzzleHttp\batch` should now be
+  `GuzzleHttp\Pool::batch`, which returns an `objectStorage`. Using functions.php
+  caused problems for many users: they aren't PSR-4 compliant, require an
+  explicit include, and needed an if-guard to ensure that the functions are not
+  declared multiple times.
+* Rewrote adapter layer.
+    * Removing all classes from `GuzzleHttp\Adapter`, these are now
+      implemented as callables that are stored in `GuzzleHttp\Ring\Client`.
+    * Removed the concept of "parallel adapters". Sending requests serially or
+      concurrently is now handled using a single adapter.
+    * Moved `GuzzleHttp\Adapter\Transaction` to `GuzzleHttp\Transaction`. The
+      Transaction object now exposes the request, response, and client as public
+      properties. The getters and setters have been removed.
+* Removed the "headers" event. This event was only useful for changing the
+  body a response once the headers of the response were known. You can implement
+  a similar behavior in a number of ways. One example might be to use a
+  FnStream that has access to the transaction being sent. For example, when the
+  first byte is written, you could check if the response headers match your
+  expectations, and if so, change the actual stream body that is being
+  written to.
+* Removed the `asArray` parameter from
+  `GuzzleHttp\Message\MessageInterface::getHeader`. If you want to get a header
+  value as an array, then use the newly added `getHeaderAsArray()` method of
+  `MessageInterface`. This change makes the Guzzle interfaces compatible with
+  the PSR-7 interfaces.
+* `GuzzleHttp\Message\MessageFactory` no longer allows subclasses to add
+  custom request options using double-dispatch (this was an implementation
+  detail). Instead, you should now provide an associative array to the
+  constructor which is a mapping of the request option name mapping to a
+  function that applies the option value to a request.
+* Removed the concept of "throwImmediately" from exceptions and error events.
+  This control mechanism was used to stop a transfer of concurrent requests
+  from completing. This can now be handled by throwing the exception or by
+  cancelling a pool of requests or each outstanding future request individually.
+* Updated to "GuzzleHttp\Streams" 3.0.
+    * `GuzzleHttp\Stream\StreamInterface::getContents()` no longer accepts a
+      `maxLen` parameter. This update makes the Guzzle streams project
+      compatible with the current PSR-7 proposal.
+    * `GuzzleHttp\Stream\Stream::__construct`,
+      `GuzzleHttp\Stream\Stream::factory`, and
+      `GuzzleHttp\Stream\Utils::create` no longer accept a size in the second
+      argument. They now accept an associative array of options, including the
+      "size" key and "metadata" key which can be used to provide custom metadata.
+
+## 4.2.2 - 2014-09-08
+
+* Fixed a memory leak in the CurlAdapter when reusing cURL handles.
+* No longer using `request_fulluri` in stream adapter proxies.
+* Relative redirects are now based on the last response, not the first response.
+
+## 4.2.1 - 2014-08-19
+
+* Ensuring that the StreamAdapter does not always add a Content-Type header
+* Adding automated github releases with a phar and zip
+
+## 4.2.0 - 2014-08-17
+
+* Now merging in default options using a case-insensitive comparison.
+  Closes https://github.com/guzzle/guzzle/issues/767
+* Added the ability to automatically decode `Content-Encoding` response bodies
+  using the `decode_content` request option. This is set to `true` by default
+  to decode the response body if it comes over the wire with a
+  `Content-Encoding`. Set this value to `false` to disable decoding the
+  response content, and pass a string to provide a request `Accept-Encoding`
+  header and turn on automatic response decoding. This feature now allows you
+  to pass an `Accept-Encoding` header in the headers of a request but still
+  disable automatic response decoding.
+  Closes https://github.com/guzzle/guzzle/issues/764
+* Added the ability to throw an exception immediately when transferring
+  requests in parallel. Closes https://github.com/guzzle/guzzle/issues/760
+* Updating guzzlehttp/streams dependency to ~2.1
+* No longer utilizing the now deprecated namespaced methods from the stream
+  package.
+
+## 4.1.8 - 2014-08-14
+
+* Fixed an issue in the CurlFactory that caused setting the `stream=false`
+  request option to throw an exception.
+  See: https://github.com/guzzle/guzzle/issues/769
+* TransactionIterator now calls rewind on the inner iterator.
+  See: https://github.com/guzzle/guzzle/pull/765
+* You can now set the `Content-Type` header to `multipart/form-data`
+  when creating POST requests to force multipart bodies.
+  See https://github.com/guzzle/guzzle/issues/768
+
+## 4.1.7 - 2014-08-07
+
+* Fixed an error in the HistoryPlugin that caused the same request and response
+  to be logged multiple times when an HTTP protocol error occurs.
+* Ensuring that cURL does not add a default Content-Type when no Content-Type
+  has been supplied by the user. This prevents the adapter layer from modifying
+  the request that is sent over the wire after any listeners may have already
+  put the request in a desired state (e.g., signed the request).
+* Throwing an exception when you attempt to send requests that have the
+  "stream" set to true in parallel using the MultiAdapter.
+* Only calling curl_multi_select when there are active cURL handles. This was
+  previously changed and caused performance problems on some systems due to PHP
+  always selecting until the maximum select timeout.
+* Fixed a bug where multipart/form-data POST fields were not correctly
+  aggregated (e.g., values with "&").
+
+## 4.1.6 - 2014-08-03
+
+* Added helper methods to make it easier to represent messages as strings,
+  including getting the start line and getting headers as a string.
+
+## 4.1.5 - 2014-08-02
+
+* Automatically retrying cURL "Connection died, retrying a fresh connect"
+  errors when possible.
+* cURL implementation cleanup
+* Allowing multiple event subscriber listeners to be registered per event by
+  passing an array of arrays of listener configuration.
+
+## 4.1.4 - 2014-07-22
+
+* Fixed a bug that caused multi-part POST requests with more than one field to
+  serialize incorrectly.
+* Paths can now be set to "0"
+* `ResponseInterface::xml` now accepts a `libxml_options` option and added a
+  missing default argument that was required when parsing XML response bodies.
+* A `save_to` stream is now created lazily, which means that files are not
+  created on disk unless a request succeeds.
+
+## 4.1.3 - 2014-07-15
+
+* Various fixes to multipart/form-data POST uploads
+* Wrapping function.php in an if-statement to ensure Guzzle can be used
+  globally and in a Composer install
+* Fixed an issue with generating and merging in events to an event array
+* POST headers are only applied before sending a request to allow you to change
+  the query aggregator used before uploading
+* Added much more robust query string parsing
+* Fixed various parsing and normalization issues with URLs
+* Fixing an issue where multi-valued headers were not being utilized correctly
+  in the StreamAdapter
+
+## 4.1.2 - 2014-06-18
+
+* Added support for sending payloads with GET requests
+
+## 4.1.1 - 2014-06-08
+
+* Fixed an issue related to using custom message factory options in subclasses
+* Fixed an issue with nested form fields in a multi-part POST
+* Fixed an issue with using the `json` request option for POST requests
+* Added `ToArrayInterface` to `GuzzleHttp\Cookie\CookieJar`
+
+## 4.1.0 - 2014-05-27
+
+* Added a `json` request option to easily serialize JSON payloads.
+* Added a `GuzzleHttp\json_decode()` wrapper to safely parse JSON.
+* Added `setPort()` and `getPort()` to `GuzzleHttp\Message\RequestInterface`.
+* Added the ability to provide an emitter to a client in the client constructor.
+* Added the ability to persist a cookie session using $_SESSION.
+* Added a trait that can be used to add event listeners to an iterator.
+* Removed request method constants from RequestInterface.
+* Fixed warning when invalid request start-lines are received.
+* Updated MessageFactory to work with custom request option methods.
+* Updated cacert bundle to latest build.
+
+4.0.2 (2014-04-16)
+------------------
+
+* Proxy requests using the StreamAdapter now properly use request_fulluri (#632)
+* Added the ability to set scalars as POST fields (#628)
+
+## 4.0.1 - 2014-04-04
+
+* The HTTP status code of a response is now set as the exception code of
+  RequestException objects.
+* 303 redirects will now correctly switch from POST to GET requests.
+* The default parallel adapter of a client now correctly uses the MultiAdapter.
+* HasDataTrait now initializes the internal data array as an empty array so
+  that the toArray() method always returns an array.
+
+## 4.0.0 - 2014-03-29
+
+* For information on changes and upgrading, see:
+  https://github.com/guzzle/guzzle/blob/master/UPGRADING.md#3x-to-40
+* Added `GuzzleHttp\batch()` as a convenience function for sending requests in
+  parallel without needing to write asynchronous code.
+* Restructured how events are added to `GuzzleHttp\ClientInterface::sendAll()`.
+  You can now pass a callable or an array of associative arrays where each
+  associative array contains the "fn", "priority", and "once" keys.
+
+## 4.0.0.rc-2 - 2014-03-25
+
+* Removed `getConfig()` and `setConfig()` from clients to avoid confusion
+  around whether things like base_url, message_factory, etc. should be able to
+  be retrieved or modified.
+* Added `getDefaultOption()` and `setDefaultOption()` to ClientInterface
+* functions.php functions were renamed using snake_case to match PHP idioms
+* Added support for `HTTP_PROXY`, `HTTPS_PROXY`, and
+  `GUZZLE_CURL_SELECT_TIMEOUT` environment variables
+* Added the ability to specify custom `sendAll()` event priorities
+* Added the ability to specify custom stream context options to the stream
+  adapter.
+* Added a functions.php function for `get_path()` and `set_path()`
+* CurlAdapter and MultiAdapter now use a callable to generate curl resources
+* MockAdapter now properly reads a body and emits a `headers` event
+* Updated Url class to check if a scheme and host are set before adding ":"
+  and "//". This allows empty Url (e.g., "") to be serialized as "".
+* Parsing invalid XML no longer emits warnings
+* Curl classes now properly throw AdapterExceptions
+* Various performance optimizations
+* Streams are created with the faster `Stream\create()` function
+* Marked deprecation_proxy() as internal
+* Test server is now a collection of static methods on a class
+
+## 4.0.0-rc.1 - 2014-03-15
+
+* See https://github.com/guzzle/guzzle/blob/master/UPGRADING.md#3x-to-40
+
+## 3.8.1 - 2014-01-28
+
+* Bug: Always using GET requests when redirecting from a 303 response
+* Bug: CURLOPT_SSL_VERIFYHOST is now correctly set to false when setting `$certificateAuthority` to false in
+  `Guzzle\Http\ClientInterface::setSslVerification()`
+* Bug: RedirectPlugin now uses strict RFC 3986 compliance when combining a base URL with a relative URL
+* Bug: The body of a request can now be set to `"0"`
+* Sending PHP stream requests no longer forces `HTTP/1.0`
+* Adding more information to ExceptionCollection exceptions so that users have more context, including a stack trace of
+  each sub-exception
+* Updated the `$ref` attribute in service descriptions to merge over any existing parameters of a schema (rather than
+  clobbering everything).
+* Merging URLs will now use the query string object from the relative URL (thus allowing custom query aggregators)
+* Query strings are now parsed in a way that they do no convert empty keys with no value to have a dangling `=`.
+  For example `foo&bar=baz` is now correctly parsed and recognized as `foo&bar=baz` rather than `foo=&bar=baz`.
+* Now properly escaping the regular expression delimiter when matching Cookie domains.
+* Network access is now disabled when loading XML documents
+
+## 3.8.0 - 2013-12-05
+
+* Added the ability to define a POST name for a file
+* JSON response parsing now properly walks additionalProperties
+* cURL error code 18 is now retried automatically in the BackoffPlugin
+* Fixed a cURL error when URLs contain fragments
+* Fixed an issue in the BackoffPlugin retry event where it was trying to access all exceptions as if they were
+  CurlExceptions
+* CURLOPT_PROGRESS function fix for PHP 5.5 (69fcc1e)
+* Added the ability for Guzzle to work with older versions of cURL that do not support `CURLOPT_TIMEOUT_MS`
+* Fixed a bug that was encountered when parsing empty header parameters
+* UriTemplate now has a `setRegex()` method to match the docs
+* The `debug` request parameter now checks if it is truthy rather than if it exists
+* Setting the `debug` request parameter to true shows verbose cURL output instead of using the LogPlugin
+* Added the ability to combine URLs using strict RFC 3986 compliance
+* Command objects can now return the validation errors encountered by the command
+* Various fixes to cache revalidation (#437 and 29797e5)
+* Various fixes to the AsyncPlugin
+* Cleaned up build scripts
+
+## 3.7.4 - 2013-10-02
+
+* Bug fix: 0 is now an allowed value in a description parameter that has a default value (#430)
+* Bug fix: SchemaFormatter now returns an integer when formatting to a Unix timestamp
+  (see https://github.com/aws/aws-sdk-php/issues/147)
+* Bug fix: Cleaned up and fixed URL dot segment removal to properly resolve internal dots
+* Minimum PHP version is now properly specified as 5.3.3 (up from 5.3.2) (#420)
+* Updated the bundled cacert.pem (#419)
+* OauthPlugin now supports adding authentication to headers or query string (#425)
+
+## 3.7.3 - 2013-09-08
+
+* Added the ability to get the exception associated with a request/command when using `MultiTransferException` and
+  `CommandTransferException`.
+* Setting `additionalParameters` of a response to false is now honored when parsing responses with a service description
+* Schemas are only injected into response models when explicitly configured.
+* No longer guessing Content-Type based on the path of a request. Content-Type is now only guessed based on the path of
+  an EntityBody.
+* Bug fix: ChunkedIterator can now properly chunk a \Traversable as well as an \Iterator.
+* Bug fix: FilterIterator now relies on `\Iterator` instead of `\Traversable`.
+* Bug fix: Gracefully handling malformed responses in RequestMediator::writeResponseBody()
+* Bug fix: Replaced call to canCache with canCacheRequest in the CallbackCanCacheStrategy of the CachePlugin
+* Bug fix: Visiting XML attributes first before visiting XML children when serializing requests
+* Bug fix: Properly parsing headers that contain commas contained in quotes
+* Bug fix: mimetype guessing based on a filename is now case-insensitive
+
+## 3.7.2 - 2013-08-02
+
+* Bug fix: Properly URL encoding paths when using the PHP-only version of the UriTemplate expander
+  See https://github.com/guzzle/guzzle/issues/371
+* Bug fix: Cookie domains are now matched correctly according to RFC 6265
+  See https://github.com/guzzle/guzzle/issues/377
+* Bug fix: GET parameters are now used when calculating an OAuth signature
+* Bug fix: Fixed an issue with cache revalidation where the If-None-Match header was being double quoted
+* `Guzzle\Common\AbstractHasDispatcher::dispatch()` now returns the event that was dispatched
+* `Guzzle\Http\QueryString::factory()` now guesses the most appropriate query aggregator to used based on the input.
+  See https://github.com/guzzle/guzzle/issues/379
+* Added a way to add custom domain objects to service description parsing using the `operation.parse_class` event. See
+  https://github.com/guzzle/guzzle/pull/380
+* cURL multi cleanup and optimizations
+
+## 3.7.1 - 2013-07-05
+
+* Bug fix: Setting default options on a client now works
+* Bug fix: Setting options on HEAD requests now works. See #352
+* Bug fix: Moving stream factory before send event to before building the stream. See #353
+* Bug fix: Cookies no longer match on IP addresses per RFC 6265
+* Bug fix: Correctly parsing header parameters that are in `<>` and quotes
+* Added `cert` and `ssl_key` as request options
+* `Host` header can now diverge from the host part of a URL if the header is set manually
+* `Guzzle\Service\Command\LocationVisitor\Request\XmlVisitor` was rewritten to change from using SimpleXML to XMLWriter
+* OAuth parameters are only added via the plugin if they aren't already set
+* Exceptions are now thrown when a URL cannot be parsed
+* Returning `false` if `Guzzle\Http\EntityBody::getContentMd5()` fails
+* Not setting a `Content-MD5` on a command if calculating the Content-MD5 fails via the CommandContentMd5Plugin
+
+## 3.7.0 - 2013-06-10
+
+* See UPGRADING.md for more information on how to upgrade.
+* Requests now support the ability to specify an array of $options when creating a request to more easily modify a
+  request. You can pass a 'request.options' configuration setting to a client to apply default request options to
+  every request created by a client (e.g. default query string variables, headers, curl options, etc.).
+* Added a static facade class that allows you to use Guzzle with static methods and mount the class to `\Guzzle`.
+  See `Guzzle\Http\StaticClient::mount`.
+* Added `command.request_options` to `Guzzle\Service\Command\AbstractCommand` to pass request options to requests
+      created by a command (e.g. custom headers, query string variables, timeout settings, etc.).
+* Stream size in `Guzzle\Stream\PhpStreamRequestFactory` will now be set if Content-Length is returned in the
+  headers of a response
+* Added `Guzzle\Common\Collection::setPath($path, $value)` to set a value into an array using a nested key
+  (e.g. `$collection->setPath('foo/baz/bar', 'test'); echo $collection['foo']['bar']['bar'];`)
+* ServiceBuilders now support storing and retrieving arbitrary data
+* CachePlugin can now purge all resources for a given URI
+* CachePlugin can automatically purge matching cached items when a non-idempotent request is sent to a resource
+* CachePlugin now uses the Vary header to determine if a resource is a cache hit
+* `Guzzle\Http\Message\Response` now implements `\Serializable`
+* Added `Guzzle\Cache\CacheAdapterFactory::fromCache()` to more easily create cache adapters
+* `Guzzle\Service\ClientInterface::execute()` now accepts an array, single command, or Traversable
+* Fixed a bug in `Guzzle\Http\Message\Header\Link::addLink()`
+* Better handling of calculating the size of a stream in `Guzzle\Stream\Stream` using fstat() and caching the size
+* `Guzzle\Common\Exception\ExceptionCollection` now creates a more readable exception message
+* Fixing BC break: Added back the MonologLogAdapter implementation rather than extending from PsrLog so that older
+  Symfony users can still use the old version of Monolog.
+* Fixing BC break: Added the implementation back in for `Guzzle\Http\Message\AbstractMessage::getTokenizedHeader()`.
+  Now triggering an E_USER_DEPRECATED warning when used. Use `$message->getHeader()->parseParams()`.
+* Several performance improvements to `Guzzle\Common\Collection`
+* Added an `$options` argument to the end of the following methods of `Guzzle\Http\ClientInterface`:
+  createRequest, head, delete, put, patch, post, options, prepareRequest
+* Added an `$options` argument to the end of `Guzzle\Http\Message\Request\RequestFactoryInterface::createRequest()`
+* Added an `applyOptions()` method to `Guzzle\Http\Message\Request\RequestFactoryInterface`
+* Changed `Guzzle\Http\ClientInterface::get($uri = null, $headers = null, $body = null)` to
+  `Guzzle\Http\ClientInterface::get($uri = null, $headers = null, $options = array())`. You can still pass in a
+  resource, string, or EntityBody into the $options parameter to specify the download location of the response.
+* Changed `Guzzle\Common\Collection::__construct($data)` to no longer accepts a null value for `$data` but a
+  default `array()`
+* Added `Guzzle\Stream\StreamInterface::isRepeatable`
+* Removed `Guzzle\Http\ClientInterface::setDefaultHeaders(). Use
+  $client->getConfig()->setPath('request.options/headers/{header_name}', 'value')`. or
+  $client->getConfig()->setPath('request.options/headers', array('header_name' => 'value'))`.
+* Removed `Guzzle\Http\ClientInterface::getDefaultHeaders(). Use $client->getConfig()->getPath('request.options/headers')`.
+* Removed `Guzzle\Http\ClientInterface::expandTemplate()`
+* Removed `Guzzle\Http\ClientInterface::setRequestFactory()`
+* Removed `Guzzle\Http\ClientInterface::getCurlMulti()`
+* Removed `Guzzle\Http\Message\RequestInterface::canCache`
+* Removed `Guzzle\Http\Message\RequestInterface::setIsRedirect`
+* Removed `Guzzle\Http\Message\RequestInterface::isRedirect`
+* Made `Guzzle\Http\Client::expandTemplate` and `getUriTemplate` protected methods.
+* You can now enable E_USER_DEPRECATED warnings to see if you are using a deprecated method by setting
+  `Guzzle\Common\Version::$emitWarnings` to true.
+* Marked `Guzzle\Http\Message\Request::isResponseBodyRepeatable()` as deprecated. Use
+      `$request->getResponseBody()->isRepeatable()` instead.
+* Marked `Guzzle\Http\Message\Request::canCache()` as deprecated. Use
+  `Guzzle\Plugin\Cache\DefaultCanCacheStrategy->canCacheRequest()` instead.
+* Marked `Guzzle\Http\Message\Request::canCache()` as deprecated. Use
+  `Guzzle\Plugin\Cache\DefaultCanCacheStrategy->canCacheRequest()` instead.
+* Marked `Guzzle\Http\Message\Request::setIsRedirect()` as deprecated. Use the HistoryPlugin instead.
+* Marked `Guzzle\Http\Message\Request::isRedirect()` as deprecated. Use the HistoryPlugin instead.
+* Marked `Guzzle\Cache\CacheAdapterFactory::factory()` as deprecated
+* Marked 'command.headers', 'command.response_body' and 'command.on_complete' as deprecated for AbstractCommand.
+  These will work through Guzzle 4.0
+* Marked 'request.params' for `Guzzle\Http\Client` as deprecated. Use [request.options][params].
+* Marked `Guzzle\Service\Client::enableMagicMethods()` as deprecated. Magic methods can no longer be disabled on a Guzzle\Service\Client.
+* Marked `Guzzle\Service\Client::getDefaultHeaders()` as deprecated. Use $client->getConfig()->getPath('request.options/headers')`.
+* Marked `Guzzle\Service\Client::setDefaultHeaders()` as deprecated. Use $client->getConfig()->setPath('request.options/headers/{header_name}', 'value')`.
+* Marked `Guzzle\Parser\Url\UrlParser` as deprecated. Just use PHP's `parse_url()` and percent encode your UTF-8.
+* Marked `Guzzle\Common\Collection::inject()` as deprecated.
+* Marked `Guzzle\Plugin\CurlAuth\CurlAuthPlugin` as deprecated. Use `$client->getConfig()->setPath('request.options/auth', array('user', 'pass', 'Basic|Digest');`
+* CacheKeyProviderInterface and DefaultCacheKeyProvider are no longer used. All of this logic is handled in a
+  CacheStorageInterface. These two objects and interface will be removed in a future version.
+* Always setting X-cache headers on cached responses
+* Default cache TTLs are now handled by the CacheStorageInterface of a CachePlugin
+* `CacheStorageInterface::cache($key, Response $response, $ttl = null)` has changed to `cache(RequestInterface
+  $request, Response $response);`
+* `CacheStorageInterface::fetch($key)` has changed to `fetch(RequestInterface $request);`
+* `CacheStorageInterface::delete($key)` has changed to `delete(RequestInterface $request);`
+* Added `CacheStorageInterface::purge($url)`
+* `DefaultRevalidation::__construct(CacheKeyProviderInterface $cacheKey, CacheStorageInterface $cache, CachePlugin
+  $plugin)` has changed to `DefaultRevalidation::__construct(CacheStorageInterface $cache,
+  CanCacheStrategyInterface $canCache = null)`
+* Added `RevalidationInterface::shouldRevalidate(RequestInterface $request, Response $response)`
+
+## 3.6.0 - 2013-05-29
+
+* ServiceDescription now implements ToArrayInterface
+* Added command.hidden_params to blacklist certain headers from being treated as additionalParameters
+* Guzzle can now correctly parse incomplete URLs
+* Mixed casing of headers are now forced to be a single consistent casing across all values for that header.
+* Messages internally use a HeaderCollection object to delegate handling case-insensitive header resolution
+* Removed the whole changedHeader() function system of messages because all header changes now go through addHeader().
+* Specific header implementations can be created for complex headers. When a message creates a header, it uses a
+  HeaderFactory which can map specific headers to specific header classes. There is now a Link header and
+  CacheControl header implementation.
+* Removed from interface: Guzzle\Http\ClientInterface::setUriTemplate
+* Removed from interface: Guzzle\Http\ClientInterface::setCurlMulti()
+* Removed Guzzle\Http\Message\Request::receivedRequestHeader() and implemented this functionality in
+  Guzzle\Http\Curl\RequestMediator
+* Removed the optional $asString parameter from MessageInterface::getHeader(). Just cast the header to a string.
+* Removed the optional $tryChunkedTransfer option from Guzzle\Http\Message\EntityEnclosingRequestInterface
+* Removed the $asObjects argument from Guzzle\Http\Message\MessageInterface::getHeaders()
+* Removed Guzzle\Parser\ParserRegister::get(). Use getParser()
+* Removed Guzzle\Parser\ParserRegister::set(). Use registerParser().
+* All response header helper functions return a string rather than mixing Header objects and strings inconsistently
+* Removed cURL blacklist support. This is no longer necessary now that Expect, Accept, etc. are managed by Guzzle
+  directly via interfaces
+* Removed the injecting of a request object onto a response object. The methods to get and set a request still exist
+  but are a no-op until removed.
+* Most classes that used to require a `Guzzle\Service\Command\CommandInterface` typehint now request a
+  `Guzzle\Service\Command\ArrayCommandInterface`.
+* Added `Guzzle\Http\Message\RequestInterface::startResponse()` to the RequestInterface to handle injecting a response
+  on a request while the request is still being transferred
+* The ability to case-insensitively search for header values
+* Guzzle\Http\Message\Header::hasExactHeader
+* Guzzle\Http\Message\Header::raw. Use getAll()
+* Deprecated cache control specific methods on Guzzle\Http\Message\AbstractMessage. Use the CacheControl header object
+  instead.
+* `Guzzle\Service\Command\CommandInterface` now extends from ToArrayInterface and ArrayAccess
+* Added the ability to cast Model objects to a string to view debug information.
+
+## 3.5.0 - 2013-05-13
+
+* Bug: Fixed a regression so that request responses are parsed only once per oncomplete event rather than multiple times
+* Bug: Better cleanup of one-time events across the board (when an event is meant to fire once, it will now remove
+  itself from the EventDispatcher)
+* Bug: `Guzzle\Log\MessageFormatter` now properly writes "total_time" and "connect_time" values
+* Bug: Cloning an EntityEnclosingRequest now clones the EntityBody too
+* Bug: Fixed an undefined index error when parsing nested JSON responses with a sentAs parameter that reference a
+  non-existent key
+* Bug: All __call() method arguments are now required (helps with mocking frameworks)
+* Deprecating Response::getRequest() and now using a shallow clone of a request object to remove a circular reference
+  to help with refcount based garbage collection of resources created by sending a request
+* Deprecating ZF1 cache and log adapters. These will be removed in the next major version.
+* Deprecating `Response::getPreviousResponse()` (method signature still exists, but it's deprecated). Use the
+  HistoryPlugin for a history.
+* Added a `responseBody` alias for the `response_body` location
+* Refactored internals to no longer rely on Response::getRequest()
+* HistoryPlugin can now be cast to a string
+* HistoryPlugin now logs transactions rather than requests and responses to more accurately keep track of the requests
+  and responses that are sent over the wire
+* Added `getEffectiveUrl()` and `getRedirectCount()` to Response objects
+
+## 3.4.3 - 2013-04-30
+
+* Bug fix: Fixing bug introduced in 3.4.2 where redirect responses are duplicated on the final redirected response
+* Added a check to re-extract the temp cacert bundle from the phar before sending each request
+
+## 3.4.2 - 2013-04-29
+
+* Bug fix: Stream objects now work correctly with "a" and "a+" modes
+* Bug fix: Removing `Transfer-Encoding: chunked` header when a Content-Length is present
+* Bug fix: AsyncPlugin no longer forces HEAD requests
+* Bug fix: DateTime timezones are now properly handled when using the service description schema formatter
+* Bug fix: CachePlugin now properly handles stale-if-error directives when a request to the origin server fails
+* Setting a response on a request will write to the custom request body from the response body if one is specified
+* LogPlugin now writes to php://output when STDERR is undefined
+* Added the ability to set multiple POST files for the same key in a single call
+* application/x-www-form-urlencoded POSTs now use the utf-8 charset by default
+* Added the ability to queue CurlExceptions to the MockPlugin
+* Cleaned up how manual responses are queued on requests (removed "queued_response" and now using request.before_send)
+* Configuration loading now allows remote files
+
+## 3.4.1 - 2013-04-16
+
+* Large refactoring to how CurlMulti handles work. There is now a proxy that sits in front of a pool of CurlMulti
+  handles. This greatly simplifies the implementation, fixes a couple bugs, and provides a small performance boost.
+* Exceptions are now properly grouped when sending requests in parallel
+* Redirects are now properly aggregated when a multi transaction fails
+* Redirects now set the response on the original object even in the event of a failure
+* Bug fix: Model names are now properly set even when using $refs
+* Added support for PHP 5.5's CurlFile to prevent warnings with the deprecated @ syntax
+* Added support for oauth_callback in OAuth signatures
+* Added support for oauth_verifier in OAuth signatures
+* Added support to attempt to retrieve a command first literally, then ucfirst, the with inflection
+
+## 3.4.0 - 2013-04-11
+
+* Bug fix: URLs are now resolved correctly based on https://tools.ietf.org/html/rfc3986#section-5.2. #289
+* Bug fix: Absolute URLs with a path in a service description will now properly override the base URL. #289
+* Bug fix: Parsing a query string with a single PHP array value will now result in an array. #263
+* Bug fix: Better normalization of the User-Agent header to prevent duplicate headers. #264.
+* Bug fix: Added `number` type to service descriptions.
+* Bug fix: empty parameters are removed from an OAuth signature
+* Bug fix: Revalidating a cache entry prefers the Last-Modified over the Date header
+* Bug fix: Fixed "array to string" error when validating a union of types in a service description
+* Bug fix: Removed code that attempted to determine the size of a stream when data is written to the stream
+* Bug fix: Not including an `oauth_token` if the value is null in the OauthPlugin.
+* Bug fix: Now correctly aggregating successful requests and failed requests in CurlMulti when a redirect occurs.
+* The new default CURLOPT_TIMEOUT setting has been increased to 150 seconds so that Guzzle works on poor connections.
+* Added a feature to EntityEnclosingRequest::setBody() that will automatically set the Content-Type of the request if
+  the Content-Type can be determined based on the entity body or the path of the request.
+* Added the ability to overwrite configuration settings in a client when grabbing a throwaway client from a builder.
+* Added support for a PSR-3 LogAdapter.
+* Added a `command.after_prepare` event
+* Added `oauth_callback` parameter to the OauthPlugin
+* Added the ability to create a custom stream class when using a stream factory
+* Added a CachingEntityBody decorator
+* Added support for `additionalParameters` in service descriptions to define how custom parameters are serialized.
+* The bundled SSL certificate is now provided in the phar file and extracted when running Guzzle from a phar.
+* You can now send any EntityEnclosingRequest with POST fields or POST files and cURL will handle creating bodies
+* POST requests using a custom entity body are now treated exactly like PUT requests but with a custom cURL method. This
+  means that the redirect behavior of POST requests with custom bodies will not be the same as POST requests that use
+  POST fields or files (the latter is only used when emulating a form POST in the browser).
+* Lots of cleanup to CurlHandle::factory and RequestFactory::createRequest
+
+## 3.3.1 - 2013-03-10
+
+* Added the ability to create PHP streaming responses from HTTP requests
+* Bug fix: Running any filters when parsing response headers with service descriptions
+* Bug fix: OauthPlugin fixes to allow for multi-dimensional array signing, and sorting parameters before signing
+* Bug fix: Removed the adding of default empty arrays and false Booleans to responses in order to be consistent across
+  response location visitors.
+* Bug fix: Removed the possibility of creating configuration files with circular dependencies
+* RequestFactory::create() now uses the key of a POST file when setting the POST file name
+* Added xmlAllowEmpty to serialize an XML body even if no XML specific parameters are set
+
+## 3.3.0 - 2013-03-03
+
+* A large number of performance optimizations have been made
+* Bug fix: Added 'wb' as a valid write mode for streams
+* Bug fix: `Guzzle\Http\Message\Response::json()` now allows scalar values to be returned
+* Bug fix: Fixed bug in `Guzzle\Http\Message\Response` where wrapping quotes were stripped from `getEtag()`
+* BC: Removed `Guzzle\Http\Utils` class
+* BC: Setting a service description on a client will no longer modify the client's command factories.
+* BC: Emitting IO events from a RequestMediator is now a parameter that must be set in a request's curl options using
+  the 'emit_io' key. This was previously set under a request's parameters using 'curl.emit_io'
+* BC: `Guzzle\Stream\Stream::getWrapper()` and `Guzzle\Stream\Stream::getSteamType()` are no longer converted to
+  lowercase
+* Operation parameter objects are now lazy loaded internally
+* Added ErrorResponsePlugin that can throw errors for responses defined in service description operations' errorResponses
+* Added support for instantiating responseType=class responseClass classes. Classes must implement
+  `Guzzle\Service\Command\ResponseClassInterface`
+* Added support for additionalProperties for top-level parameters in responseType=model responseClasses. These
+  additional properties also support locations and can be used to parse JSON responses where the outermost part of the
+  JSON is an array
+* Added support for nested renaming of JSON models (rename sentAs to name)
+* CachePlugin
+    * Added support for stale-if-error so that the CachePlugin can now serve stale content from the cache on error
+    * Debug headers can now added to cached response in the CachePlugin
+
+## 3.2.0 - 2013-02-14
+
+* CurlMulti is no longer reused globally. A new multi object is created per-client. This helps to isolate clients.
+* URLs with no path no longer contain a "/" by default
+* Guzzle\Http\QueryString does no longer manages the leading "?". This is now handled in Guzzle\Http\Url.
+* BadResponseException no longer includes the full request and response message
+* Adding setData() to Guzzle\Service\Description\ServiceDescriptionInterface
+* Adding getResponseBody() to Guzzle\Http\Message\RequestInterface
+* Various updates to classes to use ServiceDescriptionInterface type hints rather than ServiceDescription
+* Header values can now be normalized into distinct values when multiple headers are combined with a comma separated list
+* xmlEncoding can now be customized for the XML declaration of a XML service description operation
+* Guzzle\Http\QueryString now uses Guzzle\Http\QueryAggregator\QueryAggregatorInterface objects to add custom value
+  aggregation and no longer uses callbacks
+* The URL encoding implementation of Guzzle\Http\QueryString can now be customized
+* Bug fix: Filters were not always invoked for array service description parameters
+* Bug fix: Redirects now use a target response body rather than a temporary response body
+* Bug fix: The default exponential backoff BackoffPlugin was not giving when the request threshold was exceeded
+* Bug fix: Guzzle now takes the first found value when grabbing Cache-Control directives
+
+## 3.1.2 - 2013-01-27
+
+* Refactored how operation responses are parsed. Visitors now include a before() method responsible for parsing the
+  response body. For example, the XmlVisitor now parses the XML response into an array in the before() method.
+* Fixed an issue where cURL would not automatically decompress responses when the Accept-Encoding header was sent
+* CURLOPT_SSL_VERIFYHOST is never set to 1 because it is deprecated (see 5e0ff2ef20f839e19d1eeb298f90ba3598784444)
+* Fixed a bug where redirect responses were not chained correctly using getPreviousResponse()
+* Setting default headers on a client after setting the user-agent will not erase the user-agent setting
+
+## 3.1.1 - 2013-01-20
+
+* Adding wildcard support to Guzzle\Common\Collection::getPath()
+* Adding alias support to ServiceBuilder configs
+* Adding Guzzle\Service\Resource\CompositeResourceIteratorFactory and cleaning up factory interface
+
+## 3.1.0 - 2013-01-12
+
+* BC: CurlException now extends from RequestException rather than BadResponseException
+* BC: Renamed Guzzle\Plugin\Cache\CanCacheStrategyInterface::canCache() to canCacheRequest() and added CanCacheResponse()
+* Added getData to ServiceDescriptionInterface
+* Added context array to RequestInterface::setState()
+* Bug: Removing hard dependency on the BackoffPlugin from Guzzle\Http
+* Bug: Adding required content-type when JSON request visitor adds JSON to a command
+* Bug: Fixing the serialization of a service description with custom data
+* Made it easier to deal with exceptions thrown when transferring commands or requests in parallel by providing
+  an array of successful and failed responses
+* Moved getPath from Guzzle\Service\Resource\Model to Guzzle\Common\Collection
+* Added Guzzle\Http\IoEmittingEntityBody
+* Moved command filtration from validators to location visitors
+* Added `extends` attributes to service description parameters
+* Added getModels to ServiceDescriptionInterface
+
+## 3.0.7 - 2012-12-19
+
+* Fixing phar detection when forcing a cacert to system if null or true
+* Allowing filename to be passed to `Guzzle\Http\Message\Request::setResponseBody()`
+* Cleaning up `Guzzle\Common\Collection::inject` method
+* Adding a response_body location to service descriptions
+
+## 3.0.6 - 2012-12-09
+
+* CurlMulti performance improvements
+* Adding setErrorResponses() to Operation
+* composer.json tweaks
+
+## 3.0.5 - 2012-11-18
+
+* Bug: Fixing an infinite recursion bug caused from revalidating with the CachePlugin
+* Bug: Response body can now be a string containing "0"
+* Bug: Using Guzzle inside of a phar uses system by default but now allows for a custom cacert
+* Bug: QueryString::fromString now properly parses query string parameters that contain equal signs
+* Added support for XML attributes in service description responses
+* DefaultRequestSerializer now supports array URI parameter values for URI template expansion
+* Added better mimetype guessing to requests and post files
+
+## 3.0.4 - 2012-11-11
+
+* Bug: Fixed a bug when adding multiple cookies to a request to use the correct glue value
+* Bug: Cookies can now be added that have a name, domain, or value set to "0"
+* Bug: Using the system cacert bundle when using the Phar
+* Added json and xml methods to Response to make it easier to parse JSON and XML response data into data structures
+* Enhanced cookie jar de-duplication
+* Added the ability to enable strict cookie jars that throw exceptions when invalid cookies are added
+* Added setStream to StreamInterface to actually make it possible to implement custom rewind behavior for entity bodies
+* Added the ability to create any sort of hash for a stream rather than just an MD5 hash
+
+## 3.0.3 - 2012-11-04
+
+* Implementing redirects in PHP rather than cURL
+* Added PECL URI template extension and using as default parser if available
+* Bug: Fixed Content-Length parsing of Response factory
+* Adding rewind() method to entity bodies and streams. Allows for custom rewinding of non-repeatable streams.
+* Adding ToArrayInterface throughout library
+* Fixing OauthPlugin to create unique nonce values per request
+
+## 3.0.2 - 2012-10-25
+
+* Magic methods are enabled by default on clients
+* Magic methods return the result of a command
+* Service clients no longer require a base_url option in the factory
+* Bug: Fixed an issue with URI templates where null template variables were being expanded
+
+## 3.0.1 - 2012-10-22
+
+* Models can now be used like regular collection objects by calling filter, map, etc.
+* Models no longer require a Parameter structure or initial data in the constructor
+* Added a custom AppendIterator to get around a PHP bug with the `\AppendIterator`
+
+## 3.0.0 - 2012-10-15
+
+* Rewrote service description format to be based on Swagger
+    * Now based on JSON schema
+    * Added nested input structures and nested response models
+    * Support for JSON and XML input and output models
+    * Renamed `commands` to `operations`
+    * Removed dot class notation
+    * Removed custom types
+* Broke the project into smaller top-level namespaces to be more component friendly
+* Removed support for XML configs and descriptions. Use arrays or JSON files.
+* Removed the Validation component and Inspector
+* Moved all cookie code to Guzzle\Plugin\Cookie
+* Magic methods on a Guzzle\Service\Client now return the command un-executed.
+* Calling getResult() or getResponse() on a command will lazily execute the command if needed.
+* Now shipping with cURL's CA certs and using it by default
+* Added previousResponse() method to response objects
+* No longer sending Accept and Accept-Encoding headers on every request
+* Only sending an Expect header by default when a payload is greater than 1MB
+* Added/moved client options:
+    * curl.blacklist to curl.option.blacklist
+    * Added ssl.certificate_authority
+* Added a Guzzle\Iterator component
+* Moved plugins from Guzzle\Http\Plugin to Guzzle\Plugin
+* Added a more robust backoff retry strategy (replaced the ExponentialBackoffPlugin)
+* Added a more robust caching plugin
+* Added setBody to response objects
+* Updating LogPlugin to use a more flexible MessageFormatter
+* Added a completely revamped build process
+* Cleaning up Collection class and removing default values from the get method
+* Fixed ZF2 cache adapters
+
+## 2.8.8 - 2012-10-15
+
+* Bug: Fixed a cookie issue that caused dot prefixed domains to not match where popular browsers did
+
+## 2.8.7 - 2012-09-30
+
+* Bug: Fixed config file aliases for JSON includes
+* Bug: Fixed cookie bug on a request object by using CookieParser to parse cookies on requests
+* Bug: Removing the path to a file when sending a Content-Disposition header on a POST upload
+* Bug: Hardening request and response parsing to account for missing parts
+* Bug: Fixed PEAR packaging
+* Bug: Fixed Request::getInfo
+* Bug: Fixed cases where CURLM_CALL_MULTI_PERFORM return codes were causing curl transactions to fail
+* Adding the ability for the namespace Iterator factory to look in multiple directories
+* Added more getters/setters/removers from service descriptions
+* Added the ability to remove POST fields from OAuth signatures
+* OAuth plugin now supports 2-legged OAuth
+
+## 2.8.6 - 2012-09-05
+
+* Added the ability to modify and build service descriptions
+* Added the use of visitors to apply parameters to locations in service descriptions using the dynamic command
+* Added a `json` parameter location
+* Now allowing dot notation for classes in the CacheAdapterFactory
+* Using the union of two arrays rather than an array_merge when extending service builder services and service params
+* Ensuring that a service is a string before doing strpos() checks on it when substituting services for references
+  in service builder config files.
+* Services defined in two different config files that include one another will by default replace the previously
+  defined service, but you can now create services that extend themselves and merge their settings over the previous
+* The JsonLoader now supports aliasing filenames with different filenames. This allows you to alias something like
+  '_default' with a default JSON configuration file.
+
+## 2.8.5 - 2012-08-29
+
+* Bug: Suppressed empty arrays from URI templates
+* Bug: Added the missing $options argument from ServiceDescription::factory to enable caching
+* Added support for HTTP responses that do not contain a reason phrase in the start-line
+* AbstractCommand commands are now invokable
+* Added a way to get the data used when signing an Oauth request before a request is sent
+
+## 2.8.4 - 2012-08-15
+
+* Bug: Custom delay time calculations are no longer ignored in the ExponentialBackoffPlugin
+* Added the ability to transfer entity bodies as a string rather than streamed. This gets around curl error 65. Set `body_as_string` in a request's curl options to enable.
+* Added a StreamInterface, EntityBodyInterface, and added ftell() to Guzzle\Common\Stream
+* Added an AbstractEntityBodyDecorator and a ReadLimitEntityBody decorator to transfer only a subset of a decorated stream
+* Stream and EntityBody objects will now return the file position to the previous position after a read required operation (e.g. getContentMd5())
+* Added additional response status codes
+* Removed SSL information from the default User-Agent header
+* DELETE requests can now send an entity body
+* Added an EventDispatcher to the ExponentialBackoffPlugin and added an ExponentialBackoffLogger to log backoff retries
+* Added the ability of the MockPlugin to consume mocked request bodies
+* LogPlugin now exposes request and response objects in the extras array
+
+## 2.8.3 - 2012-07-30
+
+* Bug: Fixed a case where empty POST requests were sent as GET requests
+* Bug: Fixed a bug in ExponentialBackoffPlugin that caused fatal errors when retrying an EntityEnclosingRequest that does not have a body
+* Bug: Setting the response body of a request to null after completing a request, not when setting the state of a request to new
+* Added multiple inheritance to service description commands
+* Added an ApiCommandInterface and added `getParamNames()` and `hasParam()`
+* Removed the default 2mb size cutoff from the Md5ValidatorPlugin so that it now defaults to validating everything
+* Changed CurlMulti::perform to pass a smaller timeout to CurlMulti::executeHandles
+
+## 2.8.2 - 2012-07-24
+
+* Bug: Query string values set to 0 are no longer dropped from the query string
+* Bug: A Collection object is no longer created each time a call is made to `Guzzle\Service\Command\AbstractCommand::getRequestHeaders()`
+* Bug: `+` is now treated as an encoded space when parsing query strings
+* QueryString and Collection performance improvements
+* Allowing dot notation for class paths in filters attribute of a service descriptions
+
+## 2.8.1 - 2012-07-16
+
+* Loosening Event Dispatcher dependency
+* POST redirects can now be customized using CURLOPT_POSTREDIR
+
+## 2.8.0 - 2012-07-15
+
+* BC: Guzzle\Http\Query
+    * Query strings with empty variables will always show an equal sign unless the variable is set to QueryString::BLANK (e.g. ?acl= vs ?acl)
+    * Changed isEncodingValues() and isEncodingFields() to isUrlEncoding()
+    * Changed setEncodeValues(bool) and setEncodeFields(bool) to useUrlEncoding(bool)
+    * Changed the aggregation functions of QueryString to be static methods
+    * Can now use fromString() with querystrings that have a leading ?
+* cURL configuration values can be specified in service descriptions using `curl.` prefixed parameters
+* Content-Length is set to 0 before emitting the request.before_send event when sending an empty request body
+* Cookies are no longer URL decoded by default
+* Bug: URI template variables set to null are no longer expanded
+
+## 2.7.2 - 2012-07-02
+
+* BC: Moving things to get ready for subtree splits. Moving Inflection into Common. Moving Guzzle\Http\Parser to Guzzle\Parser.
+* BC: Removing Guzzle\Common\Batch\Batch::count() and replacing it with isEmpty()
+* CachePlugin now allows for a custom request parameter function to check if a request can be cached
+* Bug fix: CachePlugin now only caches GET and HEAD requests by default
+* Bug fix: Using header glue when transferring headers over the wire
+* Allowing deeply nested arrays for composite variables in URI templates
+* Batch divisors can now return iterators or arrays
+
+## 2.7.1 - 2012-06-26
+
+* Minor patch to update version number in UA string
+* Updating build process
+
+## 2.7.0 - 2012-06-25
+
+* BC: Inflection classes moved to Guzzle\Inflection. No longer static methods. Can now inject custom inflectors into classes.
+* BC: Removed magic setX methods from commands
+* BC: Magic methods mapped to service description commands are now inflected in the command factory rather than the client __call() method
+* Verbose cURL options are no longer enabled by default. Set curl.debug to true on a client to enable.
+* Bug: Now allowing colons in a response start-line (e.g. HTTP/1.1 503 Service Unavailable: Back-end server is at capacity)
+* Guzzle\Service\Resource\ResourceIteratorApplyBatched now internally uses the Guzzle\Common\Batch namespace
+* Added Guzzle\Service\Plugin namespace and a PluginCollectionPlugin
+* Added the ability to set POST fields and files in a service description
+* Guzzle\Http\EntityBody::factory() now accepts objects with a __toString() method
+* Adding a command.before_prepare event to clients
+* Added BatchClosureTransfer and BatchClosureDivisor
+* BatchTransferException now includes references to the batch divisor and transfer strategies
+* Fixed some tests so that they pass more reliably
+* Added Guzzle\Common\Log\ArrayLogAdapter
+
+## 2.6.6 - 2012-06-10
+
+* BC: Removing Guzzle\Http\Plugin\BatchQueuePlugin
+* BC: Removing Guzzle\Service\Command\CommandSet
+* Adding generic batching system (replaces the batch queue plugin and command set)
+* Updating ZF cache and log adapters and now using ZF's composer repository
+* Bug: Setting the name of each ApiParam when creating through an ApiCommand
+* Adding result_type, result_doc, deprecated, and doc_url to service descriptions
+* Bug: Changed the default cookie header casing back to 'Cookie'
+
+## 2.6.5 - 2012-06-03
+
+* BC: Renaming Guzzle\Http\Message\RequestInterface::getResourceUri() to getResource()
+* BC: Removing unused AUTH_BASIC and AUTH_DIGEST constants from
+* BC: Guzzle\Http\Cookie is now used to manage Set-Cookie data, not Cookie data
+* BC: Renaming methods in the CookieJarInterface
+* Moving almost all cookie logic out of the CookiePlugin and into the Cookie or CookieJar implementations
+* Making the default glue for HTTP headers ';' instead of ','
+* Adding a removeValue to Guzzle\Http\Message\Header
+* Adding getCookies() to request interface.
+* Making it easier to add event subscribers to HasDispatcherInterface classes. Can now directly call addSubscriber()
+
+## 2.6.4 - 2012-05-30
+
+* BC: Cleaning up how POST files are stored in EntityEnclosingRequest objects. Adding PostFile class.
+* BC: Moving ApiCommand specific functionality from the Inspector and on to the ApiCommand
+* Bug: Fixing magic method command calls on clients
+* Bug: Email constraint only validates strings
+* Bug: Aggregate POST fields when POST files are present in curl handle
+* Bug: Fixing default User-Agent header
+* Bug: Only appending or prepending parameters in commands if they are specified
+* Bug: Not requiring response reason phrases or status codes to match a predefined list of codes
+* Allowing the use of dot notation for class namespaces when using instance_of constraint
+* Added any_match validation constraint
+* Added an AsyncPlugin
+* Passing request object to the calculateWait method of the ExponentialBackoffPlugin
+* Allowing the result of a command object to be changed
+* Parsing location and type sub values when instantiating a service description rather than over and over at runtime
+
+## 2.6.3 - 2012-05-23
+
+* [BC] Guzzle\Common\FromConfigInterface no longer requires any config options.
+* [BC] Refactoring how POST files are stored on an EntityEnclosingRequest. They are now separate from POST fields.
+* You can now use an array of data when creating PUT request bodies in the request factory.
+* Removing the requirement that HTTPS requests needed a Cache-Control: public directive to be cacheable.
+* [Http] Adding support for Content-Type in multipart POST uploads per upload
+* [Http] Added support for uploading multiple files using the same name (foo[0], foo[1])
+* Adding more POST data operations for easier manipulation of POST data.
+* You can now set empty POST fields.
+* The body of a request is only shown on EntityEnclosingRequest objects that do not use POST files.
+* Split the Guzzle\Service\Inspector::validateConfig method into two methods. One to initialize when a command is created, and one to validate.
+* CS updates
+
+## 2.6.2 - 2012-05-19
+
+* [Http] Better handling of nested scope requests in CurlMulti.  Requests are now always prepares in the send() method rather than the addRequest() method.
+
+## 2.6.1 - 2012-05-19
+
+* [BC] Removing 'path' support in service descriptions.  Use 'uri'.
+* [BC] Guzzle\Service\Inspector::parseDocBlock is now protected. Adding getApiParamsForClass() with cache.
+* [BC] Removing Guzzle\Common\NullObject.  Use https://github.com/mtdowling/NullObject if you need it.
+* [BC] Removing Guzzle\Common\XmlElement.
+* All commands, both dynamic and concrete, have ApiCommand objects.
+* Adding a fix for CurlMulti so that if all of the connections encounter some sort of curl error, then the loop exits.
+* Adding checks to EntityEnclosingRequest so that empty POST files and fields are ignored.
+* Making the method signature of Guzzle\Service\Builder\ServiceBuilder::factory more flexible.
+
+## 2.6.0 - 2012-05-15
+
+* [BC] Moving Guzzle\Service\Builder to Guzzle\Service\Builder\ServiceBuilder
+* [BC] Executing a Command returns the result of the command rather than the command
+* [BC] Moving all HTTP parsing logic to Guzzle\Http\Parsers. Allows for faster C implementations if needed.
+* [BC] Changing the Guzzle\Http\Message\Response::setProtocol() method to accept a protocol and version in separate args.
+* [BC] Moving ResourceIterator* to Guzzle\Service\Resource
+* [BC] Completely refactored ResourceIterators to iterate over a cloned command object
+* [BC] Moved Guzzle\Http\UriTemplate to Guzzle\Http\Parser\UriTemplate\UriTemplate
+* [BC] Guzzle\Guzzle is now deprecated
+* Moving Guzzle\Common\Guzzle::inject to Guzzle\Common\Collection::inject
+* Adding Guzzle\Version class to give version information about Guzzle
+* Adding Guzzle\Http\Utils class to provide getDefaultUserAgent() and getHttpDate()
+* Adding Guzzle\Curl\CurlVersion to manage caching curl_version() data
+* ServiceDescription and ServiceBuilder are now cacheable using similar configs
+* Changing the format of XML and JSON service builder configs.  Backwards compatible.
+* Cleaned up Cookie parsing
+* Trimming the default Guzzle User-Agent header
+* Adding a setOnComplete() method to Commands that is called when a command completes
+* Keeping track of requests that were mocked in the MockPlugin
+* Fixed a caching bug in the CacheAdapterFactory
+* Inspector objects can be injected into a Command object
+* Refactoring a lot of code and tests to be case insensitive when dealing with headers
+* Adding Guzzle\Http\Message\HeaderComparison for easy comparison of HTTP headers using a DSL
+* Adding the ability to set global option overrides to service builder configs
+* Adding the ability to include other service builder config files from within XML and JSON files
+* Moving the parseQuery method out of Url and on to QueryString::fromString() as a static factory method.
+
+## 2.5.0 - 2012-05-08
+
+* Major performance improvements
+* [BC] Simplifying Guzzle\Common\Collection.  Please check to see if you are using features that are now deprecated.
+* [BC] Using a custom validation system that allows a flyweight implementation for much faster validation. No longer using Symfony2 Validation component.
+* [BC] No longer supporting "{{ }}" for injecting into command or UriTemplates.  Use "{}"
+* Added the ability to passed parameters to all requests created by a client
+* Added callback functionality to the ExponentialBackoffPlugin
+* Using microtime in ExponentialBackoffPlugin to allow more granular backoff strategies.
+* Rewinding request stream bodies when retrying requests
+* Exception is thrown when JSON response body cannot be decoded
+* Added configurable magic method calls to clients and commands.  This is off by default.
+* Fixed a defect that added a hash to every parsed URL part
+* Fixed duplicate none generation for OauthPlugin.
+* Emitting an event each time a client is generated by a ServiceBuilder
+* Using an ApiParams object instead of a Collection for parameters of an ApiCommand
+* cache.* request parameters should be renamed to params.cache.*
+* Added the ability to set arbitrary curl options on requests (disable_wire, progress, etc.). See CurlHandle.
+* Added the ability to disable type validation of service descriptions
+* ServiceDescriptions and ServiceBuilders are now Serializable
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/LICENSE b/data/web/inc/lib/vendor/guzzlehttp/guzzle/LICENSE
new file mode 100644
index 000000000..fd2375d88
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/LICENSE
@@ -0,0 +1,27 @@
+The MIT License (MIT)
+
+Copyright (c) 2011 Michael Dowling <mtdowling@gmail.com>
+Copyright (c) 2012 Jeremy Lindblom <jeremeamia@gmail.com>
+Copyright (c) 2014 Graham Campbell <hello@gjcampbell.co.uk>
+Copyright (c) 2015 Márk Sági-Kazár <mark.sagikazar@gmail.com>
+Copyright (c) 2015 Tobias Schultze <webmaster@tubo-world.de>
+Copyright (c) 2016 Tobias Nyholm <tobias.nyholm@gmail.com>
+Copyright (c) 2016 George Mponos <gmponos@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/README.md b/data/web/inc/lib/vendor/guzzlehttp/guzzle/README.md
new file mode 100644
index 000000000..f287fa98d
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/README.md
@@ -0,0 +1,94 @@
+![Guzzle](.github/logo.png?raw=true)
+
+# Guzzle, PHP HTTP client
+
+[![Latest Version](https://img.shields.io/github/release/guzzle/guzzle.svg?style=flat-square)](https://github.com/guzzle/guzzle/releases)
+[![Build Status](https://img.shields.io/github/workflow/status/guzzle/guzzle/CI?label=ci%20build&style=flat-square)](https://github.com/guzzle/guzzle/actions?query=workflow%3ACI)
+[![Total Downloads](https://img.shields.io/packagist/dt/guzzlehttp/guzzle.svg?style=flat-square)](https://packagist.org/packages/guzzlehttp/guzzle)
+
+Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and
+trivial to integrate with web services.
+
+- Simple interface for building query strings, POST requests, streaming large
+  uploads, streaming large downloads, using HTTP cookies, uploading JSON data,
+  etc...
+- Can send both synchronous and asynchronous requests using the same interface.
+- Uses PSR-7 interfaces for requests, responses, and streams. This allows you
+  to utilize other PSR-7 compatible libraries with Guzzle.
+- Supports PSR-18 allowing interoperability between other PSR-18 HTTP Clients.
+- Abstracts away the underlying HTTP transport, allowing you to write
+  environment and transport agnostic code; i.e., no hard dependency on cURL,
+  PHP streams, sockets, or non-blocking event loops.
+- Middleware system allows you to augment and compose client behavior.
+
+```php
+$client = new \GuzzleHttp\Client();
+$response = $client->request('GET', 'https://api.github.com/repos/guzzle/guzzle');
+
+echo $response->getStatusCode(); // 200
+echo $response->getHeaderLine('content-type'); // 'application/json; charset=utf8'
+echo $response->getBody(); // '{"id": 1420053, "name": "guzzle", ...}'
+
+// Send an asynchronous request.
+$request = new \GuzzleHttp\Psr7\Request('GET', 'http://httpbin.org');
+$promise = $client->sendAsync($request)->then(function ($response) {
+    echo 'I completed! ' . $response->getBody();
+});
+
+$promise->wait();
+```
+
+## Help and docs
+
+We use GitHub issues only to discuss bugs and new features. For support please refer to:
+
+- [Documentation](https://docs.guzzlephp.org)
+- [Stack Overflow](https://stackoverflow.com/questions/tagged/guzzle)
+- [#guzzle](https://app.slack.com/client/T0D2S9JCT/CE6UAAKL4) channel on [PHP-HTTP Slack](https://slack.httplug.io/)
+- [Gitter](https://gitter.im/guzzle/guzzle)
+
+
+## Installing Guzzle
+
+The recommended way to install Guzzle is through
+[Composer](https://getcomposer.org/).
+
+```bash
+composer require guzzlehttp/guzzle
+```
+
+
+## Version Guidance
+
+| Version | Status         | Packagist           | Namespace    | Repo                | Docs                | PSR-7 | PHP Version  |
+|---------|----------------|---------------------|--------------|---------------------|---------------------|-------|--------------|
+| 3.x     | EOL            | `guzzle/guzzle`     | `Guzzle`     | [v3][guzzle-3-repo] | [v3][guzzle-3-docs] | No    | >=5.3.3,<7.0 |
+| 4.x     | EOL            | `guzzlehttp/guzzle` | `GuzzleHttp` | [v4][guzzle-4-repo] | N/A                 | No    | >=5.4,<7.0   |
+| 5.x     | EOL            | `guzzlehttp/guzzle` | `GuzzleHttp` | [v5][guzzle-5-repo] | [v5][guzzle-5-docs] | No    | >=5.4,<7.4   |
+| 6.x     | Security fixes | `guzzlehttp/guzzle` | `GuzzleHttp` | [v6][guzzle-6-repo] | [v6][guzzle-6-docs] | Yes   | >=5.5,<8.0   |
+| 7.x     | Latest         | `guzzlehttp/guzzle` | `GuzzleHttp` | [v7][guzzle-7-repo] | [v7][guzzle-7-docs] | Yes   | >=7.2.5,<8.2 |
+
+[guzzle-3-repo]: https://github.com/guzzle/guzzle3
+[guzzle-4-repo]: https://github.com/guzzle/guzzle/tree/4.x
+[guzzle-5-repo]: https://github.com/guzzle/guzzle/tree/5.3
+[guzzle-6-repo]: https://github.com/guzzle/guzzle/tree/6.5
+[guzzle-7-repo]: https://github.com/guzzle/guzzle
+[guzzle-3-docs]: https://guzzle3.readthedocs.io/
+[guzzle-5-docs]: https://docs.guzzlephp.org/en/5.3/
+[guzzle-6-docs]: https://docs.guzzlephp.org/en/6.5/
+[guzzle-7-docs]: https://docs.guzzlephp.org/en/latest/
+
+
+## Security
+
+If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced. Please see [Security Policy](https://github.com/guzzle/guzzle/security/policy) for more information.
+
+## License
+
+Guzzle is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information.
+
+## For Enterprise
+
+Available as part of the Tidelift Subscription
+
+The maintainers of Guzzle and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/packagist-guzzlehttp-guzzle?utm_source=packagist-guzzlehttp-guzzle&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/UPGRADING.md b/data/web/inc/lib/vendor/guzzlehttp/guzzle/UPGRADING.md
new file mode 100644
index 000000000..45417a7e1
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/UPGRADING.md
@@ -0,0 +1,1253 @@
+Guzzle Upgrade Guide
+====================
+
+6.0 to 7.0
+----------
+
+In order to take advantage of the new features of PHP, Guzzle dropped the support
+of PHP 5. The minimum supported PHP version is now PHP 7.2. Type hints and return
+types for functions and methods have been added wherever possible. 
+
+Please make sure:
+- You are calling a function or a method with the correct type.
+- If you extend a class of Guzzle; update all signatures on methods you override.
+
+#### Other backwards compatibility breaking changes
+
+- Class `GuzzleHttp\UriTemplate` is removed.
+- Class `GuzzleHttp\Exception\SeekException` is removed.
+- Classes `GuzzleHttp\Exception\BadResponseException`, `GuzzleHttp\Exception\ClientException`, 
+  `GuzzleHttp\Exception\ServerException` can no longer be initialized with an empty
+  Response as argument.
+- Class `GuzzleHttp\Exception\ConnectException` now extends `GuzzleHttp\Exception\TransferException`
+  instead of `GuzzleHttp\Exception\RequestException`.
+- Function `GuzzleHttp\Exception\ConnectException::getResponse()` is removed.
+- Function `GuzzleHttp\Exception\ConnectException::hasResponse()` is removed.
+- Constant `GuzzleHttp\ClientInterface::VERSION` is removed. Added `GuzzleHttp\ClientInterface::MAJOR_VERSION` instead.
+- Function `GuzzleHttp\Exception\RequestException::getResponseBodySummary` is removed.
+  Use `\GuzzleHttp\Psr7\get_message_body_summary` as an alternative.
+- Function `GuzzleHttp\Cookie\CookieJar::getCookieValue` is removed.
+- Request option `exception` is removed. Please use `http_errors`.
+- Request option `save_to` is removed. Please use `sink`.
+- Pool option `pool_size` is removed. Please use `concurrency`.
+- We now look for environment variables in the `$_SERVER` super global, due to thread safety issues with `getenv`. We continue to fallback to `getenv` in CLI environments, for maximum compatibility.
+- The `get`, `head`, `put`, `post`, `patch`, `delete`, `getAsync`, `headAsync`, `putAsync`, `postAsync`, `patchAsync`, and `deleteAsync` methods are now implemented as genuine methods on `GuzzleHttp\Client`, with strong typing. The original `__call` implementation remains unchanged for now, for maximum backwards compatibility, but won't be invoked under normal operation.
+- The `log` middleware will log the errors with level `error` instead of `notice` 
+- Support for international domain names (IDN) is now disabled by default, and enabling it requires installing ext-intl, linked against a modern version of the C library (ICU 4.6 or higher).
+
+#### Native functions calls
+
+All internal native functions calls of Guzzle are now prefixed with a slash. This
+change makes it impossible for method overloading by other libraries or applications.
+Example:
+
+```php
+// Before:
+curl_version();
+
+// After:
+\curl_version();
+```
+
+For the full diff you can check [here](https://github.com/guzzle/guzzle/compare/6.5.4..master).
+
+5.0 to 6.0
+----------
+
+Guzzle now uses [PSR-7](https://www.php-fig.org/psr/psr-7/) for HTTP messages.
+Due to the fact that these messages are immutable, this prompted a refactoring
+of Guzzle to use a middleware based system rather than an event system. Any
+HTTP message interaction (e.g., `GuzzleHttp\Message\Request`) need to be
+updated to work with the new immutable PSR-7 request and response objects. Any
+event listeners or subscribers need to be updated to become middleware
+functions that wrap handlers (or are injected into a
+`GuzzleHttp\HandlerStack`).
+
+- Removed `GuzzleHttp\BatchResults`
+- Removed `GuzzleHttp\Collection`
+- Removed `GuzzleHttp\HasDataTrait`
+- Removed `GuzzleHttp\ToArrayInterface`
+- The `guzzlehttp/streams` dependency has been removed. Stream functionality
+  is now present in the `GuzzleHttp\Psr7` namespace provided by the
+  `guzzlehttp/psr7` package.
+- Guzzle no longer uses ReactPHP promises and now uses the
+  `guzzlehttp/promises` library. We use a custom promise library for three
+  significant reasons:
+  1. React promises (at the time of writing this) are recursive. Promise
+     chaining and promise resolution will eventually blow the stack. Guzzle
+     promises are not recursive as they use a sort of trampolining technique.
+     Note: there has been movement in the React project to modify promises to
+     no longer utilize recursion.
+  2. Guzzle needs to have the ability to synchronously block on a promise to
+     wait for a result. Guzzle promises allows this functionality (and does
+     not require the use of recursion).
+  3. Because we need to be able to wait on a result, doing so using React
+     promises requires wrapping react promises with RingPHP futures. This
+     overhead is no longer needed, reducing stack sizes, reducing complexity,
+     and improving performance.
+- `GuzzleHttp\Mimetypes` has been moved to a function in
+  `GuzzleHttp\Psr7\mimetype_from_extension` and
+  `GuzzleHttp\Psr7\mimetype_from_filename`.
+- `GuzzleHttp\Query` and `GuzzleHttp\QueryParser` have been removed. Query
+  strings must now be passed into request objects as strings, or provided to
+  the `query` request option when creating requests with clients. The `query`
+  option uses PHP's `http_build_query` to convert an array to a string. If you
+  need a different serialization technique, you will need to pass the query
+  string in as a string. There are a couple helper functions that will make
+  working with query strings easier: `GuzzleHttp\Psr7\parse_query` and
+  `GuzzleHttp\Psr7\build_query`.
+- Guzzle no longer has a dependency on RingPHP. Due to the use of a middleware
+  system based on PSR-7, using RingPHP and it's middleware system as well adds
+  more complexity than the benefits it provides. All HTTP handlers that were
+  present in RingPHP have been modified to work directly with PSR-7 messages
+  and placed in the `GuzzleHttp\Handler` namespace. This significantly reduces
+  complexity in Guzzle, removes a dependency, and improves performance. RingPHP
+  will be maintained for Guzzle 5 support, but will no longer be a part of
+  Guzzle 6.
+- As Guzzle now uses a middleware based systems the event system and RingPHP
+  integration has been removed. Note: while the event system has been removed,
+  it is possible to add your own type of event system that is powered by the
+  middleware system.
+  - Removed the `Event` namespace.
+  - Removed the `Subscriber` namespace.
+  - Removed `Transaction` class
+  - Removed `RequestFsm`
+  - Removed `RingBridge`
+  - `GuzzleHttp\Subscriber\Cookie` is now provided by
+    `GuzzleHttp\Middleware::cookies`
+  - `GuzzleHttp\Subscriber\HttpError` is now provided by
+    `GuzzleHttp\Middleware::httpError`
+  - `GuzzleHttp\Subscriber\History` is now provided by
+    `GuzzleHttp\Middleware::history`
+  - `GuzzleHttp\Subscriber\Mock` is now provided by
+    `GuzzleHttp\Handler\MockHandler`
+  - `GuzzleHttp\Subscriber\Prepare` is now provided by
+    `GuzzleHttp\PrepareBodyMiddleware`
+  - `GuzzleHttp\Subscriber\Redirect` is now provided by
+    `GuzzleHttp\RedirectMiddleware`
+- Guzzle now uses `Psr\Http\Message\UriInterface` (implements in
+  `GuzzleHttp\Psr7\Uri`) for URI support. `GuzzleHttp\Url` is now gone.
+- Static functions in `GuzzleHttp\Utils` have been moved to namespaced
+  functions under the `GuzzleHttp` namespace. This requires either a Composer
+  based autoloader or you to include functions.php.
+- `GuzzleHttp\ClientInterface::getDefaultOption` has been renamed to
+  `GuzzleHttp\ClientInterface::getConfig`.
+- `GuzzleHttp\ClientInterface::setDefaultOption` has been removed.
+- The `json` and `xml` methods of response objects has been removed. With the
+  migration to strictly adhering to PSR-7 as the interface for Guzzle messages,
+  adding methods to message interfaces would actually require Guzzle messages
+  to extend from PSR-7 messages rather then work with them directly.
+
+## Migrating to middleware
+
+The change to PSR-7 unfortunately required significant refactoring to Guzzle
+due to the fact that PSR-7 messages are immutable. Guzzle 5 relied on an event
+system from plugins. The event system relied on mutability of HTTP messages and
+side effects in order to work. With immutable messages, you have to change your
+workflow to become more about either returning a value (e.g., functional
+middlewares) or setting a value on an object. Guzzle v6 has chosen the
+functional middleware approach.
+
+Instead of using the event system to listen for things like the `before` event,
+you now create a stack based middleware function that intercepts a request on
+the way in and the promise of the response on the way out. This is a much
+simpler and more predictable approach than the event system and works nicely
+with PSR-7 middleware. Due to the use of promises, the middleware system is
+also asynchronous.
+
+v5:
+
+```php
+use GuzzleHttp\Event\BeforeEvent;
+$client = new GuzzleHttp\Client();
+// Get the emitter and listen to the before event.
+$client->getEmitter()->on('before', function (BeforeEvent $e) {
+    // Guzzle v5 events relied on mutation
+    $e->getRequest()->setHeader('X-Foo', 'Bar');
+});
+```
+
+v6:
+
+In v6, you can modify the request before it is sent using the `mapRequest`
+middleware. The idiomatic way in v6 to modify the request/response lifecycle is
+to setup a handler middleware stack up front and inject the handler into a
+client.
+
+```php
+use GuzzleHttp\Middleware;
+// Create a handler stack that has all of the default middlewares attached
+$handler = GuzzleHttp\HandlerStack::create();
+// Push the handler onto the handler stack
+$handler->push(Middleware::mapRequest(function (RequestInterface $request) {
+    // Notice that we have to return a request object
+    return $request->withHeader('X-Foo', 'Bar');
+}));
+// Inject the handler into the client
+$client = new GuzzleHttp\Client(['handler' => $handler]);
+```
+
+## POST Requests
+
+This version added the [`form_params`](http://guzzle.readthedocs.org/en/latest/request-options.html#form_params)
+and `multipart` request options. `form_params` is an associative array of
+strings or array of strings and is used to serialize an
+`application/x-www-form-urlencoded` POST request. The
+[`multipart`](http://guzzle.readthedocs.org/en/latest/request-options.html#multipart)
+option is now used to send a multipart/form-data POST request.
+
+`GuzzleHttp\Post\PostFile` has been removed. Use the `multipart` option to add
+POST files to a multipart/form-data request.
+
+The `body` option no longer accepts an array to send POST requests. Please use
+`multipart` or `form_params` instead.
+
+The `base_url` option has been renamed to `base_uri`.
+
+4.x to 5.0
+----------
+
+## Rewritten Adapter Layer
+
+Guzzle now uses [RingPHP](http://ringphp.readthedocs.org/en/latest) to send
+HTTP requests. The `adapter` option in a `GuzzleHttp\Client` constructor
+is still supported, but it has now been renamed to `handler`. Instead of
+passing a `GuzzleHttp\Adapter\AdapterInterface`, you must now pass a PHP
+`callable` that follows the RingPHP specification.
+
+## Removed Fluent Interfaces
+
+[Fluent interfaces were removed](https://ocramius.github.io/blog/fluent-interfaces-are-evil/)
+from the following classes:
+
+- `GuzzleHttp\Collection`
+- `GuzzleHttp\Url`
+- `GuzzleHttp\Query`
+- `GuzzleHttp\Post\PostBody`
+- `GuzzleHttp\Cookie\SetCookie`
+
+## Removed functions.php
+
+Removed "functions.php", so that Guzzle is truly PSR-4 compliant. The following
+functions can be used as replacements.
+
+- `GuzzleHttp\json_decode` -> `GuzzleHttp\Utils::jsonDecode`
+- `GuzzleHttp\get_path` -> `GuzzleHttp\Utils::getPath`
+- `GuzzleHttp\Utils::setPath` -> `GuzzleHttp\set_path`
+- `GuzzleHttp\Pool::batch` -> `GuzzleHttp\batch`. This function is, however,
+  deprecated in favor of using `GuzzleHttp\Pool::batch()`.
+
+The "procedural" global client has been removed with no replacement (e.g.,
+`GuzzleHttp\get()`, `GuzzleHttp\post()`, etc.). Use a `GuzzleHttp\Client`
+object as a replacement.
+
+## `throwImmediately` has been removed
+
+The concept of "throwImmediately" has been removed from exceptions and error
+events. This control mechanism was used to stop a transfer of concurrent
+requests from completing. This can now be handled by throwing the exception or
+by cancelling a pool of requests or each outstanding future request
+individually.
+
+## headers event has been removed
+
+Removed the "headers" event. This event was only useful for changing the
+body a response once the headers of the response were known. You can implement
+a similar behavior in a number of ways. One example might be to use a
+FnStream that has access to the transaction being sent. For example, when the
+first byte is written, you could check if the response headers match your
+expectations, and if so, change the actual stream body that is being
+written to.
+
+## Updates to HTTP Messages
+
+Removed the `asArray` parameter from
+`GuzzleHttp\Message\MessageInterface::getHeader`. If you want to get a header
+value as an array, then use the newly added `getHeaderAsArray()` method of
+`MessageInterface`. This change makes the Guzzle interfaces compatible with
+the PSR-7 interfaces.
+
+3.x to 4.0
+----------
+
+## Overarching changes:
+
+- Now requires PHP 5.4 or greater.
+- No longer requires cURL to send requests.
+- Guzzle no longer wraps every exception it throws. Only exceptions that are
+  recoverable are now wrapped by Guzzle.
+- Various namespaces have been removed or renamed.
+- No longer requiring the Symfony EventDispatcher. A custom event dispatcher
+  based on the Symfony EventDispatcher is
+  now utilized in `GuzzleHttp\Event\EmitterInterface` (resulting in significant
+  speed and functionality improvements).
+
+Changes per Guzzle 3.x namespace are described below.
+
+## Batch
+
+The `Guzzle\Batch` namespace has been removed. This is best left to
+third-parties to implement on top of Guzzle's core HTTP library.
+
+## Cache
+
+The `Guzzle\Cache` namespace has been removed. (Todo: No suitable replacement
+has been implemented yet, but hoping to utilize a PSR cache interface).
+
+## Common
+
+- Removed all of the wrapped exceptions. It's better to use the standard PHP
+  library for unrecoverable exceptions.
+- `FromConfigInterface` has been removed.
+- `Guzzle\Common\Version` has been removed. The VERSION constant can be found
+  at `GuzzleHttp\ClientInterface::VERSION`.
+
+### Collection
+
+- `getAll` has been removed. Use `toArray` to convert a collection to an array.
+- `inject` has been removed.
+- `keySearch` has been removed.
+- `getPath` no longer supports wildcard expressions. Use something better like
+  JMESPath for this.
+- `setPath` now supports appending to an existing array via the `[]` notation.
+
+### Events
+
+Guzzle no longer requires Symfony's EventDispatcher component. Guzzle now uses
+`GuzzleHttp\Event\Emitter`.
+
+- `Symfony\Component\EventDispatcher\EventDispatcherInterface` is replaced by
+  `GuzzleHttp\Event\EmitterInterface`.
+- `Symfony\Component\EventDispatcher\EventDispatcher` is replaced by
+  `GuzzleHttp\Event\Emitter`.
+- `Symfony\Component\EventDispatcher\Event` is replaced by
+  `GuzzleHttp\Event\Event`, and Guzzle now has an EventInterface in
+  `GuzzleHttp\Event\EventInterface`.
+- `AbstractHasDispatcher` has moved to a trait, `HasEmitterTrait`, and
+  `HasDispatcherInterface` has moved to `HasEmitterInterface`. Retrieving the
+  event emitter of a request, client, etc. now uses the `getEmitter` method
+  rather than the `getDispatcher` method.
+
+#### Emitter
+
+- Use the `once()` method to add a listener that automatically removes itself
+  the first time it is invoked.
+- Use the `listeners()` method to retrieve a list of event listeners rather than
+  the `getListeners()` method.
+- Use `emit()` instead of `dispatch()` to emit an event from an emitter.
+- Use `attach()` instead of `addSubscriber()` and `detach()` instead of
+  `removeSubscriber()`.
+
+```php
+$mock = new Mock();
+// 3.x
+$request->getEventDispatcher()->addSubscriber($mock);
+$request->getEventDispatcher()->removeSubscriber($mock);
+// 4.x
+$request->getEmitter()->attach($mock);
+$request->getEmitter()->detach($mock);
+```
+
+Use the `on()` method to add a listener rather than the `addListener()` method.
+
+```php
+// 3.x
+$request->getEventDispatcher()->addListener('foo', function (Event $event) { /* ... */ } );
+// 4.x
+$request->getEmitter()->on('foo', function (Event $event, $name) { /* ... */ } );
+```
+
+## Http
+
+### General changes
+
+- The cacert.pem certificate has been moved to `src/cacert.pem`.
+- Added the concept of adapters that are used to transfer requests over the
+  wire.
+- Simplified the event system.
+- Sending requests in parallel is still possible, but batching is no longer a
+  concept of the HTTP layer. Instead, you must use the `complete` and `error`
+  events to asynchronously manage parallel request transfers.
+- `Guzzle\Http\Url` has moved to `GuzzleHttp\Url`.
+- `Guzzle\Http\QueryString` has moved to `GuzzleHttp\Query`.
+- QueryAggregators have been rewritten so that they are simply callable
+  functions.
+- `GuzzleHttp\StaticClient` has been removed. Use the functions provided in
+  `functions.php` for an easy to use static client instance.
+- Exceptions in `GuzzleHttp\Exception` have been updated to all extend from
+  `GuzzleHttp\Exception\TransferException`.
+
+### Client
+
+Calling methods like `get()`, `post()`, `head()`, etc. no longer create and
+return a request, but rather creates a request, sends the request, and returns
+the response.
+
+```php
+// 3.0
+$request = $client->get('/');
+$response = $request->send();
+
+// 4.0
+$response = $client->get('/');
+
+// or, to mirror the previous behavior
+$request = $client->createRequest('GET', '/');
+$response = $client->send($request);
+```
+
+`GuzzleHttp\ClientInterface` has changed.
+
+- The `send` method no longer accepts more than one request. Use `sendAll` to
+  send multiple requests in parallel.
+- `setUserAgent()` has been removed. Use a default request option instead. You
+  could, for example, do something like:
+  `$client->setConfig('defaults/headers/User-Agent', 'Foo/Bar ' . $client::getDefaultUserAgent())`.
+- `setSslVerification()` has been removed. Use default request options instead,
+  like `$client->setConfig('defaults/verify', true)`.
+
+`GuzzleHttp\Client` has changed.
+
+- The constructor now accepts only an associative array. You can include a
+  `base_url` string or array to use a URI template as the base URL of a client.
+  You can also specify a `defaults` key that is an associative array of default
+  request options. You can pass an `adapter` to use a custom adapter,
+  `batch_adapter` to use a custom adapter for sending requests in parallel, or
+  a `message_factory` to change the factory used to create HTTP requests and
+  responses.
+- The client no longer emits a `client.create_request` event.
+- Creating requests with a client no longer automatically utilize a URI
+  template. You must pass an array into a creational method (e.g.,
+  `createRequest`, `get`, `put`, etc.) in order to expand a URI template.
+
+### Messages
+
+Messages no longer have references to their counterparts (i.e., a request no
+longer has a reference to it's response, and a response no loger has a
+reference to its request). This association is now managed through a
+`GuzzleHttp\Adapter\TransactionInterface` object. You can get references to
+these transaction objects using request events that are emitted over the
+lifecycle of a request.
+
+#### Requests with a body
+
+- `GuzzleHttp\Message\EntityEnclosingRequest` and
+  `GuzzleHttp\Message\EntityEnclosingRequestInterface` have been removed. The
+  separation between requests that contain a body and requests that do not
+  contain a body has been removed, and now `GuzzleHttp\Message\RequestInterface`
+  handles both use cases.
+- Any method that previously accepts a `GuzzleHttp\Response` object now accept a
+  `GuzzleHttp\Message\ResponseInterface`.
+- `GuzzleHttp\Message\RequestFactoryInterface` has been renamed to
+  `GuzzleHttp\Message\MessageFactoryInterface`. This interface is used to create
+  both requests and responses and is implemented in
+  `GuzzleHttp\Message\MessageFactory`.
+- POST field and file methods have been removed from the request object. You
+  must now use the methods made available to `GuzzleHttp\Post\PostBodyInterface`
+  to control the format of a POST body. Requests that are created using a
+  standard `GuzzleHttp\Message\MessageFactoryInterface` will automatically use
+  a `GuzzleHttp\Post\PostBody` body if the body was passed as an array or if
+  the method is POST and no body is provided.
+
+```php
+$request = $client->createRequest('POST', '/');
+$request->getBody()->setField('foo', 'bar');
+$request->getBody()->addFile(new PostFile('file_key', fopen('/path/to/content', 'r')));
+```
+
+#### Headers
+
+- `GuzzleHttp\Message\Header` has been removed. Header values are now simply
+  represented by an array of values or as a string. Header values are returned
+  as a string by default when retrieving a header value from a message. You can
+  pass an optional argument of `true` to retrieve a header value as an array
+  of strings instead of a single concatenated string.
+- `GuzzleHttp\PostFile` and `GuzzleHttp\PostFileInterface` have been moved to
+  `GuzzleHttp\Post`. This interface has been simplified and now allows the
+  addition of arbitrary headers.
+- Custom headers like `GuzzleHttp\Message\Header\Link` have been removed. Most
+  of the custom headers are now handled separately in specific
+  subscribers/plugins, and `GuzzleHttp\Message\HeaderValues::parseParams()` has
+  been updated to properly handle headers that contain parameters (like the
+  `Link` header).
+
+#### Responses
+
+- `GuzzleHttp\Message\Response::getInfo()` and
+  `GuzzleHttp\Message\Response::setInfo()` have been removed. Use the event
+  system to retrieve this type of information.
+- `GuzzleHttp\Message\Response::getRawHeaders()` has been removed.
+- `GuzzleHttp\Message\Response::getMessage()` has been removed.
+- `GuzzleHttp\Message\Response::calculateAge()` and other cache specific
+  methods have moved to the CacheSubscriber.
+- Header specific helper functions like `getContentMd5()` have been removed.
+  Just use `getHeader('Content-MD5')` instead.
+- `GuzzleHttp\Message\Response::setRequest()` and
+  `GuzzleHttp\Message\Response::getRequest()` have been removed. Use the event
+  system to work with request and response objects as a transaction.
+- `GuzzleHttp\Message\Response::getRedirectCount()` has been removed. Use the
+  Redirect subscriber instead.
+- `GuzzleHttp\Message\Response::isSuccessful()` and other related methods have
+  been removed. Use `getStatusCode()` instead.
+
+#### Streaming responses
+
+Streaming requests can now be created by a client directly, returning a
+`GuzzleHttp\Message\ResponseInterface` object that contains a body stream
+referencing an open PHP HTTP stream.
+
+```php
+// 3.0
+use Guzzle\Stream\PhpStreamRequestFactory;
+$request = $client->get('/');
+$factory = new PhpStreamRequestFactory();
+$stream = $factory->fromRequest($request);
+$data = $stream->read(1024);
+
+// 4.0
+$response = $client->get('/', ['stream' => true]);
+// Read some data off of the stream in the response body
+$data = $response->getBody()->read(1024);
+```
+
+#### Redirects
+
+The `configureRedirects()` method has been removed in favor of a
+`allow_redirects` request option.
+
+```php
+// Standard redirects with a default of a max of 5 redirects
+$request = $client->createRequest('GET', '/', ['allow_redirects' => true]);
+
+// Strict redirects with a custom number of redirects
+$request = $client->createRequest('GET', '/', [
+    'allow_redirects' => ['max' => 5, 'strict' => true]
+]);
+```
+
+#### EntityBody
+
+EntityBody interfaces and classes have been removed or moved to
+`GuzzleHttp\Stream`. All classes and interfaces that once required
+`GuzzleHttp\EntityBodyInterface` now require
+`GuzzleHttp\Stream\StreamInterface`. Creating a new body for a request no
+longer uses `GuzzleHttp\EntityBody::factory` but now uses
+`GuzzleHttp\Stream\Stream::factory` or even better:
+`GuzzleHttp\Stream\create()`.
+
+- `Guzzle\Http\EntityBodyInterface` is now `GuzzleHttp\Stream\StreamInterface`
+- `Guzzle\Http\EntityBody` is now `GuzzleHttp\Stream\Stream`
+- `Guzzle\Http\CachingEntityBody` is now `GuzzleHttp\Stream\CachingStream`
+- `Guzzle\Http\ReadLimitEntityBody` is now `GuzzleHttp\Stream\LimitStream`
+- `Guzzle\Http\IoEmittyinEntityBody` has been removed.
+
+#### Request lifecycle events
+
+Requests previously submitted a large number of requests. The number of events
+emitted over the lifecycle of a request has been significantly reduced to make
+it easier to understand how to extend the behavior of a request. All events
+emitted during the lifecycle of a request now emit a custom
+`GuzzleHttp\Event\EventInterface` object that contains context providing
+methods and a way in which to modify the transaction at that specific point in
+time (e.g., intercept the request and set a response on the transaction).
+
+- `request.before_send` has been renamed to `before` and now emits a
+  `GuzzleHttp\Event\BeforeEvent`
+- `request.complete` has been renamed to `complete` and now emits a
+  `GuzzleHttp\Event\CompleteEvent`.
+- `request.sent` has been removed. Use `complete`.
+- `request.success` has been removed. Use `complete`.
+- `error` is now an event that emits a `GuzzleHttp\Event\ErrorEvent`.
+- `request.exception` has been removed. Use `error`.
+- `request.receive.status_line` has been removed.
+- `curl.callback.progress` has been removed. Use a custom `StreamInterface` to
+  maintain a status update.
+- `curl.callback.write` has been removed. Use a custom `StreamInterface` to
+  intercept writes.
+- `curl.callback.read` has been removed. Use a custom `StreamInterface` to
+  intercept reads.
+
+`headers` is a new event that is emitted after the response headers of a
+request have been received before the body of the response is downloaded. This
+event emits a `GuzzleHttp\Event\HeadersEvent`.
+
+You can intercept a request and inject a response using the `intercept()` event
+of a `GuzzleHttp\Event\BeforeEvent`, `GuzzleHttp\Event\CompleteEvent`, and
+`GuzzleHttp\Event\ErrorEvent` event.
+
+See: http://docs.guzzlephp.org/en/latest/events.html
+
+## Inflection
+
+The `Guzzle\Inflection` namespace has been removed. This is not a core concern
+of Guzzle.
+
+## Iterator
+
+The `Guzzle\Iterator` namespace has been removed.
+
+- `Guzzle\Iterator\AppendIterator`, `Guzzle\Iterator\ChunkedIterator`, and
+  `Guzzle\Iterator\MethodProxyIterator` are nice, but not a core requirement of
+  Guzzle itself.
+- `Guzzle\Iterator\FilterIterator` is no longer needed because an equivalent
+  class is shipped with PHP 5.4.
+- `Guzzle\Iterator\MapIterator` is not really needed when using PHP 5.5 because
+  it's easier to just wrap an iterator in a generator that maps values.
+
+For a replacement of these iterators, see https://github.com/nikic/iter
+
+## Log
+
+The LogPlugin has moved to https://github.com/guzzle/log-subscriber. The
+`Guzzle\Log` namespace has been removed. Guzzle now relies on
+`Psr\Log\LoggerInterface` for all logging. The MessageFormatter class has been
+moved to `GuzzleHttp\Subscriber\Log\Formatter`.
+
+## Parser
+
+The `Guzzle\Parser` namespace has been removed. This was previously used to
+make it possible to plug in custom parsers for cookies, messages, URI
+templates, and URLs; however, this level of complexity is not needed in Guzzle
+so it has been removed.
+
+- Cookie: Cookie parsing logic has been moved to
+  `GuzzleHttp\Cookie\SetCookie::fromString`.
+- Message: Message parsing logic for both requests and responses has been moved
+  to `GuzzleHttp\Message\MessageFactory::fromMessage`. Message parsing is only
+  used in debugging or deserializing messages, so it doesn't make sense for
+  Guzzle as a library to add this level of complexity to parsing messages.
+- UriTemplate: URI template parsing has been moved to
+  `GuzzleHttp\UriTemplate`. The Guzzle library will automatically use the PECL
+  URI template library if it is installed.
+- Url: URL parsing is now performed in `GuzzleHttp\Url::fromString` (previously
+  it was `Guzzle\Http\Url::factory()`). If custom URL parsing is necessary,
+  then developers are free to subclass `GuzzleHttp\Url`.
+
+## Plugin
+
+The `Guzzle\Plugin` namespace has been renamed to `GuzzleHttp\Subscriber`.
+Several plugins are shipping with the core Guzzle library under this namespace.
+
+- `GuzzleHttp\Subscriber\Cookie`: Replaces the old CookiePlugin. Cookie jar
+  code has moved to `GuzzleHttp\Cookie`.
+- `GuzzleHttp\Subscriber\History`: Replaces the old HistoryPlugin.
+- `GuzzleHttp\Subscriber\HttpError`: Throws errors when a bad HTTP response is
+  received.
+- `GuzzleHttp\Subscriber\Mock`: Replaces the old MockPlugin.
+- `GuzzleHttp\Subscriber\Prepare`: Prepares the body of a request just before
+  sending. This subscriber is attached to all requests by default.
+- `GuzzleHttp\Subscriber\Redirect`: Replaces the RedirectPlugin.
+
+The following plugins have been removed (third-parties are free to re-implement
+these if needed):
+
+- `GuzzleHttp\Plugin\Async` has been removed.
+- `GuzzleHttp\Plugin\CurlAuth` has been removed.
+- `GuzzleHttp\Plugin\ErrorResponse\ErrorResponsePlugin` has been removed. This
+  functionality should instead be implemented with event listeners that occur
+  after normal response parsing occurs in the guzzle/command package.
+
+The following plugins are not part of the core Guzzle package, but are provided
+in separate repositories:
+
+- `Guzzle\Http\Plugin\BackoffPlugin` has been rewritten to be much simpler
+  to build custom retry policies using simple functions rather than various
+  chained classes. See: https://github.com/guzzle/retry-subscriber
+- `Guzzle\Http\Plugin\Cache\CachePlugin` has moved to
+  https://github.com/guzzle/cache-subscriber
+- `Guzzle\Http\Plugin\Log\LogPlugin` has moved to
+  https://github.com/guzzle/log-subscriber
+- `Guzzle\Http\Plugin\Md5\Md5Plugin` has moved to
+  https://github.com/guzzle/message-integrity-subscriber
+- `Guzzle\Http\Plugin\Mock\MockPlugin` has moved to
+  `GuzzleHttp\Subscriber\MockSubscriber`.
+- `Guzzle\Http\Plugin\Oauth\OauthPlugin` has moved to
+  https://github.com/guzzle/oauth-subscriber
+
+## Service
+
+The service description layer of Guzzle has moved into two separate packages:
+
+- http://github.com/guzzle/command Provides a high level abstraction over web
+  services by representing web service operations using commands.
+- http://github.com/guzzle/guzzle-services Provides an implementation of
+  guzzle/command that provides request serialization and response parsing using
+  Guzzle service descriptions.
+
+## Stream
+
+Stream have moved to a separate package available at
+https://github.com/guzzle/streams.
+
+`Guzzle\Stream\StreamInterface` has been given a large update to cleanly take
+on the responsibilities of `Guzzle\Http\EntityBody` and
+`Guzzle\Http\EntityBodyInterface` now that they have been removed. The number
+of methods implemented by the `StreamInterface` has been drastically reduced to
+allow developers to more easily extend and decorate stream behavior.
+
+## Removed methods from StreamInterface
+
+- `getStream` and `setStream` have been removed to better encapsulate streams.
+- `getMetadata` and `setMetadata` have been removed in favor of
+  `GuzzleHttp\Stream\MetadataStreamInterface`.
+- `getWrapper`, `getWrapperData`, `getStreamType`, and `getUri` have all been
+  removed. This data is accessible when
+  using streams that implement `GuzzleHttp\Stream\MetadataStreamInterface`.
+- `rewind` has been removed. Use `seek(0)` for a similar behavior.
+
+## Renamed methods
+
+- `detachStream` has been renamed to `detach`.
+- `feof` has been renamed to `eof`.
+- `ftell` has been renamed to `tell`.
+- `readLine` has moved from an instance method to a static class method of
+  `GuzzleHttp\Stream\Stream`.
+
+## Metadata streams
+
+`GuzzleHttp\Stream\MetadataStreamInterface` has been added to denote streams
+that contain additional metadata accessible via `getMetadata()`.
+`GuzzleHttp\Stream\StreamInterface::getMetadata` and
+`GuzzleHttp\Stream\StreamInterface::setMetadata` have been removed.
+
+## StreamRequestFactory
+
+The entire concept of the StreamRequestFactory has been removed. The way this
+was used in Guzzle 3 broke the actual interface of sending streaming requests
+(instead of getting back a Response, you got a StreamInterface). Streaming
+PHP requests are now implemented through the `GuzzleHttp\Adapter\StreamAdapter`.
+
+3.6 to 3.7
+----------
+
+### Deprecations
+
+- You can now enable E_USER_DEPRECATED warnings to see if you are using any deprecated methods.:
+
+```php
+\Guzzle\Common\Version::$emitWarnings = true;
+```
+
+The following APIs and options have been marked as deprecated:
+
+- Marked `Guzzle\Http\Message\Request::isResponseBodyRepeatable()` as deprecated. Use `$request->getResponseBody()->isRepeatable()` instead.
+- Marked `Guzzle\Http\Message\Request::canCache()` as deprecated. Use `Guzzle\Plugin\Cache\DefaultCanCacheStrategy->canCacheRequest()` instead.
+- Marked `Guzzle\Http\Message\Request::canCache()` as deprecated. Use `Guzzle\Plugin\Cache\DefaultCanCacheStrategy->canCacheRequest()` instead.
+- Marked `Guzzle\Http\Message\Request::setIsRedirect()` as deprecated. Use the HistoryPlugin instead.
+- Marked `Guzzle\Http\Message\Request::isRedirect()` as deprecated. Use the HistoryPlugin instead.
+- Marked `Guzzle\Cache\CacheAdapterFactory::factory()` as deprecated
+- Marked `Guzzle\Service\Client::enableMagicMethods()` as deprecated. Magic methods can no longer be disabled on a Guzzle\Service\Client.
+- Marked `Guzzle\Parser\Url\UrlParser` as deprecated. Just use PHP's `parse_url()` and percent encode your UTF-8.
+- Marked `Guzzle\Common\Collection::inject()` as deprecated.
+- Marked `Guzzle\Plugin\CurlAuth\CurlAuthPlugin` as deprecated. Use
+  `$client->getConfig()->setPath('request.options/auth', array('user', 'pass', 'Basic|Digest|NTLM|Any'));` or
+  `$client->setDefaultOption('auth', array('user', 'pass', 'Basic|Digest|NTLM|Any'));`
+
+3.7 introduces `request.options` as a parameter for a client configuration and as an optional argument to all creational
+request methods. When paired with a client's configuration settings, these options allow you to specify default settings
+for various aspects of a request. Because these options make other previous configuration options redundant, several
+configuration options and methods of a client and AbstractCommand have been deprecated.
+
+- Marked `Guzzle\Service\Client::getDefaultHeaders()` as deprecated. Use `$client->getDefaultOption('headers')`.
+- Marked `Guzzle\Service\Client::setDefaultHeaders()` as deprecated. Use `$client->setDefaultOption('headers/{header_name}', 'value')`.
+- Marked 'request.params' for `Guzzle\Http\Client` as deprecated. Use `$client->setDefaultOption('params/{param_name}', 'value')`
+- Marked 'command.headers', 'command.response_body' and 'command.on_complete' as deprecated for AbstractCommand. These will work through Guzzle 4.0
+
+        $command = $client->getCommand('foo', array(
+            'command.headers' => array('Test' => '123'),
+            'command.response_body' => '/path/to/file'
+        ));
+
+        // Should be changed to:
+
+        $command = $client->getCommand('foo', array(
+            'command.request_options' => array(
+                'headers' => array('Test' => '123'),
+                'save_as' => '/path/to/file'
+            )
+        ));
+
+### Interface changes
+
+Additions and changes (you will need to update any implementations or subclasses you may have created):
+
+- Added an `$options` argument to the end of the following methods of `Guzzle\Http\ClientInterface`:
+  createRequest, head, delete, put, patch, post, options, prepareRequest
+- Added an `$options` argument to the end of `Guzzle\Http\Message\Request\RequestFactoryInterface::createRequest()`
+- Added an `applyOptions()` method to `Guzzle\Http\Message\Request\RequestFactoryInterface`
+- Changed `Guzzle\Http\ClientInterface::get($uri = null, $headers = null, $body = null)` to
+  `Guzzle\Http\ClientInterface::get($uri = null, $headers = null, $options = array())`. You can still pass in a
+  resource, string, or EntityBody into the $options parameter to specify the download location of the response.
+- Changed `Guzzle\Common\Collection::__construct($data)` to no longer accepts a null value for `$data` but a
+  default `array()`
+- Added `Guzzle\Stream\StreamInterface::isRepeatable`
+- Made `Guzzle\Http\Client::expandTemplate` and `getUriTemplate` protected methods.
+
+The following methods were removed from interfaces. All of these methods are still available in the concrete classes
+that implement them, but you should update your code to use alternative methods:
+
+- Removed `Guzzle\Http\ClientInterface::setDefaultHeaders(). Use
+  `$client->getConfig()->setPath('request.options/headers/{header_name}', 'value')`. or
+  `$client->getConfig()->setPath('request.options/headers', array('header_name' => 'value'))` or
+  `$client->setDefaultOption('headers/{header_name}', 'value')`. or
+  `$client->setDefaultOption('headers', array('header_name' => 'value'))`.
+- Removed `Guzzle\Http\ClientInterface::getDefaultHeaders(). Use `$client->getConfig()->getPath('request.options/headers')`.
+- Removed `Guzzle\Http\ClientInterface::expandTemplate()`. This is an implementation detail.
+- Removed `Guzzle\Http\ClientInterface::setRequestFactory()`. This is an implementation detail.
+- Removed `Guzzle\Http\ClientInterface::getCurlMulti()`. This is a very specific implementation detail.
+- Removed `Guzzle\Http\Message\RequestInterface::canCache`. Use the CachePlugin.
+- Removed `Guzzle\Http\Message\RequestInterface::setIsRedirect`. Use the HistoryPlugin.
+- Removed `Guzzle\Http\Message\RequestInterface::isRedirect`. Use the HistoryPlugin.
+
+### Cache plugin breaking changes
+
+- CacheKeyProviderInterface and DefaultCacheKeyProvider are no longer used. All of this logic is handled in a
+  CacheStorageInterface. These two objects and interface will be removed in a future version.
+- Always setting X-cache headers on cached responses
+- Default cache TTLs are now handled by the CacheStorageInterface of a CachePlugin
+- `CacheStorageInterface::cache($key, Response $response, $ttl = null)` has changed to `cache(RequestInterface
+  $request, Response $response);`
+- `CacheStorageInterface::fetch($key)` has changed to `fetch(RequestInterface $request);`
+- `CacheStorageInterface::delete($key)` has changed to `delete(RequestInterface $request);`
+- Added `CacheStorageInterface::purge($url)`
+- `DefaultRevalidation::__construct(CacheKeyProviderInterface $cacheKey, CacheStorageInterface $cache, CachePlugin
+  $plugin)` has changed to `DefaultRevalidation::__construct(CacheStorageInterface $cache,
+  CanCacheStrategyInterface $canCache = null)`
+- Added `RevalidationInterface::shouldRevalidate(RequestInterface $request, Response $response)`
+
+3.5 to 3.6
+----------
+
+* Mixed casing of headers are now forced to be a single consistent casing across all values for that header.
+* Messages internally use a HeaderCollection object to delegate handling case-insensitive header resolution
+* Removed the whole changedHeader() function system of messages because all header changes now go through addHeader().
+  For example, setHeader() first removes the header using unset on a HeaderCollection and then calls addHeader().
+  Keeping the Host header and URL host in sync is now handled by overriding the addHeader method in Request.
+* Specific header implementations can be created for complex headers. When a message creates a header, it uses a
+  HeaderFactory which can map specific headers to specific header classes. There is now a Link header and
+  CacheControl header implementation.
+* Moved getLinks() from Response to just be used on a Link header object.
+
+If you previously relied on Guzzle\Http\Message\Header::raw(), then you will need to update your code to use the
+HeaderInterface (e.g. toArray(), getAll(), etc.).
+
+### Interface changes
+
+* Removed from interface: Guzzle\Http\ClientInterface::setUriTemplate
+* Removed from interface: Guzzle\Http\ClientInterface::setCurlMulti()
+* Removed Guzzle\Http\Message\Request::receivedRequestHeader() and implemented this functionality in
+  Guzzle\Http\Curl\RequestMediator
+* Removed the optional $asString parameter from MessageInterface::getHeader(). Just cast the header to a string.
+* Removed the optional $tryChunkedTransfer option from Guzzle\Http\Message\EntityEnclosingRequestInterface
+* Removed the $asObjects argument from Guzzle\Http\Message\MessageInterface::getHeaders()
+
+### Removed deprecated functions
+
+* Removed Guzzle\Parser\ParserRegister::get(). Use getParser()
+* Removed Guzzle\Parser\ParserRegister::set(). Use registerParser().
+
+### Deprecations
+
+* The ability to case-insensitively search for header values
+* Guzzle\Http\Message\Header::hasExactHeader
+* Guzzle\Http\Message\Header::raw. Use getAll()
+* Deprecated cache control specific methods on Guzzle\Http\Message\AbstractMessage. Use the CacheControl header object
+  instead.
+
+### Other changes
+
+* All response header helper functions return a string rather than mixing Header objects and strings inconsistently
+* Removed cURL blacklist support. This is no longer necessary now that Expect, Accept, etc. are managed by Guzzle
+  directly via interfaces
+* Removed the injecting of a request object onto a response object. The methods to get and set a request still exist
+  but are a no-op until removed.
+* Most classes that used to require a `Guzzle\Service\Command\CommandInterface` typehint now request a
+  `Guzzle\Service\Command\ArrayCommandInterface`.
+* Added `Guzzle\Http\Message\RequestInterface::startResponse()` to the RequestInterface to handle injecting a response
+  on a request while the request is still being transferred
+* `Guzzle\Service\Command\CommandInterface` now extends from ToArrayInterface and ArrayAccess
+
+3.3 to 3.4
+----------
+
+Base URLs of a client now follow the rules of https://tools.ietf.org/html/rfc3986#section-5.2.2 when merging URLs.
+
+3.2 to 3.3
+----------
+
+### Response::getEtag() quote stripping removed
+
+`Guzzle\Http\Message\Response::getEtag()` no longer strips quotes around the ETag response header
+
+### Removed `Guzzle\Http\Utils`
+
+The `Guzzle\Http\Utils` class was removed. This class was only used for testing.
+
+### Stream wrapper and type
+
+`Guzzle\Stream\Stream::getWrapper()` and `Guzzle\Stream\Stream::getStreamType()` are no longer converted to lowercase.
+
+### curl.emit_io became emit_io
+
+Emitting IO events from a RequestMediator is now a parameter that must be set in a request's curl options using the
+'emit_io' key. This was previously set under a request's parameters using 'curl.emit_io'
+
+3.1 to 3.2
+----------
+
+### CurlMulti is no longer reused globally
+
+Before 3.2, the same CurlMulti object was reused globally for each client. This can cause issue where plugins added
+to a single client can pollute requests dispatched from other clients.
+
+If you still wish to reuse the same CurlMulti object with each client, then you can add a listener to the
+ServiceBuilder's `service_builder.create_client` event to inject a custom CurlMulti object into each client as it is
+created.
+
+```php
+$multi = new Guzzle\Http\Curl\CurlMulti();
+$builder = Guzzle\Service\Builder\ServiceBuilder::factory('/path/to/config.json');
+$builder->addListener('service_builder.create_client', function ($event) use ($multi) {
+    $event['client']->setCurlMulti($multi);
+}
+});
+```
+
+### No default path
+
+URLs no longer have a default path value of '/' if no path was specified.
+
+Before:
+
+```php
+$request = $client->get('http://www.foo.com');
+echo $request->getUrl();
+// >> http://www.foo.com/
+```
+
+After:
+
+```php
+$request = $client->get('http://www.foo.com');
+echo $request->getUrl();
+// >> http://www.foo.com
+```
+
+### Less verbose BadResponseException
+
+The exception message for `Guzzle\Http\Exception\BadResponseException` no longer contains the full HTTP request and
+response information. You can, however, get access to the request and response object by calling `getRequest()` or
+`getResponse()` on the exception object.
+
+### Query parameter aggregation
+
+Multi-valued query parameters are no longer aggregated using a callback function. `Guzzle\Http\Query` now has a
+setAggregator() method that accepts a `Guzzle\Http\QueryAggregator\QueryAggregatorInterface` object. This object is
+responsible for handling the aggregation of multi-valued query string variables into a flattened hash.
+
+2.8 to 3.x
+----------
+
+### Guzzle\Service\Inspector
+
+Change `\Guzzle\Service\Inspector::fromConfig` to `\Guzzle\Common\Collection::fromConfig`
+
+**Before**
+
+```php
+use Guzzle\Service\Inspector;
+
+class YourClient extends \Guzzle\Service\Client
+{
+    public static function factory($config = array())
+    {
+        $default = array();
+        $required = array('base_url', 'username', 'api_key');
+        $config = Inspector::fromConfig($config, $default, $required);
+
+        $client = new self(
+            $config->get('base_url'),
+            $config->get('username'),
+            $config->get('api_key')
+        );
+        $client->setConfig($config);
+
+        $client->setDescription(ServiceDescription::factory(__DIR__ . DIRECTORY_SEPARATOR . 'client.json'));
+
+        return $client;
+    }
+```
+
+**After**
+
+```php
+use Guzzle\Common\Collection;
+
+class YourClient extends \Guzzle\Service\Client
+{
+    public static function factory($config = array())
+    {
+        $default = array();
+        $required = array('base_url', 'username', 'api_key');
+        $config = Collection::fromConfig($config, $default, $required);
+
+        $client = new self(
+            $config->get('base_url'),
+            $config->get('username'),
+            $config->get('api_key')
+        );
+        $client->setConfig($config);
+
+        $client->setDescription(ServiceDescription::factory(__DIR__ . DIRECTORY_SEPARATOR . 'client.json'));
+
+        return $client;
+    }
+```
+
+### Convert XML Service Descriptions to JSON
+
+**Before**
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<client>
+    <commands>
+        <!-- Groups -->
+        <command name="list_groups" method="GET" uri="groups.json">
+            <doc>Get a list of groups</doc>
+        </command>
+        <command name="search_groups" method="GET" uri='search.json?query="{{query}} type:group"'>
+            <doc>Uses a search query to get a list of groups</doc>
+            <param name="query" type="string" required="true" />
+        </command>
+        <command name="create_group" method="POST" uri="groups.json">
+            <doc>Create a group</doc>
+            <param name="data" type="array" location="body" filters="json_encode" doc="Group JSON"/>
+            <param name="Content-Type" location="header" static="application/json"/>
+        </command>
+        <command name="delete_group" method="DELETE" uri="groups/{{id}}.json">
+            <doc>Delete a group by ID</doc>
+            <param name="id" type="integer" required="true"/>
+        </command>
+        <command name="get_group" method="GET" uri="groups/{{id}}.json">
+            <param name="id" type="integer" required="true"/>
+        </command>
+        <command name="update_group" method="PUT" uri="groups/{{id}}.json">
+            <doc>Update a group</doc>
+            <param name="id" type="integer" required="true"/>
+            <param name="data" type="array" location="body" filters="json_encode" doc="Group JSON"/>
+            <param name="Content-Type" location="header" static="application/json"/>
+        </command>
+    </commands>
+</client>
+```
+
+**After**
+
+```json
+{
+    "name":       "Zendesk REST API v2",
+    "apiVersion": "2012-12-31",
+    "description":"Provides access to Zendesk views, groups, tickets, ticket fields, and users",
+    "operations": {
+        "list_groups":  {
+            "httpMethod":"GET",
+            "uri":       "groups.json",
+            "summary":   "Get a list of groups"
+        },
+        "search_groups":{
+            "httpMethod":"GET",
+            "uri":       "search.json?query=\"{query} type:group\"",
+            "summary":   "Uses a search query to get a list of groups",
+            "parameters":{
+                "query":{
+                    "location":   "uri",
+                    "description":"Zendesk Search Query",
+                    "type":       "string",
+                    "required":   true
+                }
+            }
+        },
+        "create_group": {
+            "httpMethod":"POST",
+            "uri":       "groups.json",
+            "summary":   "Create a group",
+            "parameters":{
+                "data":        {
+                    "type":       "array",
+                    "location":   "body",
+                    "description":"Group JSON",
+                    "filters":    "json_encode",
+                    "required":   true
+                },
+                "Content-Type":{
+                    "type":    "string",
+                    "location":"header",
+                    "static":  "application/json"
+                }
+            }
+        },
+        "delete_group": {
+            "httpMethod":"DELETE",
+            "uri":       "groups/{id}.json",
+            "summary":   "Delete a group",
+            "parameters":{
+                "id":{
+                    "location":   "uri",
+                    "description":"Group to delete by ID",
+                    "type":       "integer",
+                    "required":   true
+                }
+            }
+        },
+        "get_group":    {
+            "httpMethod":"GET",
+            "uri":       "groups/{id}.json",
+            "summary":   "Get a ticket",
+            "parameters":{
+                "id":{
+                    "location":   "uri",
+                    "description":"Group to get by ID",
+                    "type":       "integer",
+                    "required":   true
+                }
+            }
+        },
+        "update_group": {
+            "httpMethod":"PUT",
+            "uri":       "groups/{id}.json",
+            "summary":   "Update a group",
+            "parameters":{
+                "id":          {
+                    "location":   "uri",
+                    "description":"Group to update by ID",
+                    "type":       "integer",
+                    "required":   true
+                },
+                "data":        {
+                    "type":       "array",
+                    "location":   "body",
+                    "description":"Group JSON",
+                    "filters":    "json_encode",
+                    "required":   true
+                },
+                "Content-Type":{
+                    "type":    "string",
+                    "location":"header",
+                    "static":  "application/json"
+                }
+            }
+        }
+}
+```
+
+### Guzzle\Service\Description\ServiceDescription
+
+Commands are now called Operations
+
+**Before**
+
+```php
+use Guzzle\Service\Description\ServiceDescription;
+
+$sd = new ServiceDescription();
+$sd->getCommands();     // @returns ApiCommandInterface[]
+$sd->hasCommand($name);
+$sd->getCommand($name); // @returns ApiCommandInterface|null
+$sd->addCommand($command); // @param ApiCommandInterface $command
+```
+
+**After**
+
+```php
+use Guzzle\Service\Description\ServiceDescription;
+
+$sd = new ServiceDescription();
+$sd->getOperations();           // @returns OperationInterface[]
+$sd->hasOperation($name);
+$sd->getOperation($name);       // @returns OperationInterface|null
+$sd->addOperation($operation);  // @param OperationInterface $operation
+```
+
+### Guzzle\Common\Inflection\Inflector
+
+Namespace is now `Guzzle\Inflection\Inflector`
+
+### Guzzle\Http\Plugin
+
+Namespace is now `Guzzle\Plugin`. Many other changes occur within this namespace and are detailed in their own sections below.
+
+### Guzzle\Http\Plugin\LogPlugin and Guzzle\Common\Log
+
+Now `Guzzle\Plugin\Log\LogPlugin` and `Guzzle\Log` respectively.
+
+**Before**
+
+```php
+use Guzzle\Common\Log\ClosureLogAdapter;
+use Guzzle\Http\Plugin\LogPlugin;
+
+/** @var \Guzzle\Http\Client */
+$client;
+
+// $verbosity is an integer indicating desired message verbosity level
+$client->addSubscriber(new LogPlugin(new ClosureLogAdapter(function($m) { echo $m; }, $verbosity = LogPlugin::LOG_VERBOSE);
+```
+
+**After**
+
+```php
+use Guzzle\Log\ClosureLogAdapter;
+use Guzzle\Log\MessageFormatter;
+use Guzzle\Plugin\Log\LogPlugin;
+
+/** @var \Guzzle\Http\Client */
+$client;
+
+// $format is a string indicating desired message format -- @see MessageFormatter
+$client->addSubscriber(new LogPlugin(new ClosureLogAdapter(function($m) { echo $m; }, $format = MessageFormatter::DEBUG_FORMAT);
+```
+
+### Guzzle\Http\Plugin\CurlAuthPlugin
+
+Now `Guzzle\Plugin\CurlAuth\CurlAuthPlugin`.
+
+### Guzzle\Http\Plugin\ExponentialBackoffPlugin
+
+Now `Guzzle\Plugin\Backoff\BackoffPlugin`, and other changes.
+
+**Before**
+
+```php
+use Guzzle\Http\Plugin\ExponentialBackoffPlugin;
+
+$backoffPlugin = new ExponentialBackoffPlugin($maxRetries, array_merge(
+        ExponentialBackoffPlugin::getDefaultFailureCodes(), array(429)
+    ));
+
+$client->addSubscriber($backoffPlugin);
+```
+
+**After**
+
+```php
+use Guzzle\Plugin\Backoff\BackoffPlugin;
+use Guzzle\Plugin\Backoff\HttpBackoffStrategy;
+
+// Use convenient factory method instead -- see implementation for ideas of what
+// you can do with chaining backoff strategies
+$backoffPlugin = BackoffPlugin::getExponentialBackoff($maxRetries, array_merge(
+        HttpBackoffStrategy::getDefaultFailureCodes(), array(429)
+    ));
+$client->addSubscriber($backoffPlugin);
+```
+
+### Known Issues
+
+#### [BUG] Accept-Encoding header behavior changed unintentionally.
+
+(See #217) (Fixed in 09daeb8c666fb44499a0646d655a8ae36456575e)
+
+In version 2.8 setting the `Accept-Encoding` header would set the CURLOPT_ENCODING option, which permitted cURL to
+properly handle gzip/deflate compressed responses from the server. In versions affected by this bug this does not happen.
+See issue #217 for a workaround, or use a version containing the fix.
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/composer.json b/data/web/inc/lib/vendor/guzzlehttp/guzzle/composer.json
new file mode 100644
index 000000000..f369ce67e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/composer.json
@@ -0,0 +1,105 @@
+{
+    "name": "guzzlehttp/guzzle",
+    "description": "Guzzle is a PHP HTTP client library",
+    "keywords": [
+        "framework",
+        "http",
+        "rest",
+        "web service",
+        "curl",
+        "client",
+        "HTTP client",
+        "PSR-7",
+        "PSR-18"
+    ],
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Graham Campbell",
+            "email": "hello@gjcampbell.co.uk",
+            "homepage": "https://github.com/GrahamCampbell"
+        },
+        {
+            "name": "Michael Dowling",
+            "email": "mtdowling@gmail.com",
+            "homepage": "https://github.com/mtdowling"
+        },
+        {
+            "name": "Jeremy Lindblom",
+            "email": "jeremeamia@gmail.com",
+            "homepage": "https://github.com/jeremeamia"
+        },
+        {
+            "name": "George Mponos",
+            "email": "gmponos@gmail.com",
+            "homepage": "https://github.com/gmponos"
+        },
+        {
+            "name": "Tobias Nyholm",
+            "email": "tobias.nyholm@gmail.com",
+            "homepage": "https://github.com/Nyholm"
+        },
+        {
+            "name": "Márk Sági-Kazár",
+            "email": "mark.sagikazar@gmail.com",
+            "homepage": "https://github.com/sagikazarmark"
+        },
+        {
+            "name": "Tobias Schultze",
+            "email": "webmaster@tubo-world.de",
+            "homepage": "https://github.com/Tobion"
+        }
+    ],
+    "require": {
+        "php": "^7.2.5 || ^8.0",
+        "ext-json": "*",
+        "guzzlehttp/promises": "^1.5",
+        "guzzlehttp/psr7": "^1.9 || ^2.4",
+        "psr/http-client": "^1.0",
+        "symfony/deprecation-contracts": "^2.2 || ^3.0"
+    },
+    "provide": {
+        "psr/http-client-implementation": "1.0"
+    },
+    "require-dev": {
+        "ext-curl": "*",
+        "bamarni/composer-bin-plugin": "^1.8.1",
+        "php-http/client-integration-tests": "^3.0",
+        "phpunit/phpunit": "^8.5.29 || ^9.5.23",
+        "psr/log": "^1.1 || ^2.0 || ^3.0"
+    },
+    "suggest": {
+        "ext-curl": "Required for CURL handler support",
+        "ext-intl": "Required for Internationalized Domain Name (IDN) support",
+        "psr/log": "Required for using the Log middleware"
+    },
+    "config": {
+        "allow-plugins": {
+            "bamarni/composer-bin-plugin": true
+        },
+        "preferred-install": "dist",
+        "sort-packages": true
+    },
+    "extra": {
+        "bamarni-bin": {
+            "bin-links": true,
+            "forward-command": false
+        },
+        "branch-alias": {
+            "dev-master": "7.5-dev"
+        }
+    },
+    "autoload": {
+        "psr-4": {
+            "GuzzleHttp\\": "src/"
+        },
+        "files": [
+            "src/functions_include.php"
+        ]
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "GuzzleHttp\\Tests\\": "tests/"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizer.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizer.php
new file mode 100644
index 000000000..6eca94ef9
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizer.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace GuzzleHttp;
+
+use Psr\Http\Message\MessageInterface;
+
+final class BodySummarizer implements BodySummarizerInterface
+{
+    /**
+     * @var int|null
+     */
+    private $truncateAt;
+
+    public function __construct(int $truncateAt = null)
+    {
+        $this->truncateAt = $truncateAt;
+    }
+
+    /**
+     * Returns a summarized message body.
+     */
+    public function summarize(MessageInterface $message): ?string
+    {
+        return $this->truncateAt === null
+            ? \GuzzleHttp\Psr7\Message::bodySummary($message)
+            : \GuzzleHttp\Psr7\Message::bodySummary($message, $this->truncateAt);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizerInterface.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizerInterface.php
new file mode 100644
index 000000000..3e02e036e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/BodySummarizerInterface.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace GuzzleHttp;
+
+use Psr\Http\Message\MessageInterface;
+
+interface BodySummarizerInterface
+{
+    /**
+     * Returns a summarized message body.
+     */
+    public function summarize(MessageInterface $message): ?string;
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Client.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Client.php
new file mode 100644
index 000000000..58f1d891a
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Client.php
@@ -0,0 +1,477 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Cookie\CookieJar;
+use GuzzleHttp\Exception\GuzzleException;
+use GuzzleHttp\Exception\InvalidArgumentException;
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * @final
+ */
+class Client implements ClientInterface, \Psr\Http\Client\ClientInterface
+{
+    use ClientTrait;
+
+    /**
+     * @var array Default request options
+     */
+    private $config;
+
+    /**
+     * Clients accept an array of constructor parameters.
+     *
+     * Here's an example of creating a client using a base_uri and an array of
+     * default request options to apply to each request:
+     *
+     *     $client = new Client([
+     *         'base_uri'        => 'http://www.foo.com/1.0/',
+     *         'timeout'         => 0,
+     *         'allow_redirects' => false,
+     *         'proxy'           => '192.168.16.1:10'
+     *     ]);
+     *
+     * Client configuration settings include the following options:
+     *
+     * - handler: (callable) Function that transfers HTTP requests over the
+     *   wire. The function is called with a Psr7\Http\Message\RequestInterface
+     *   and array of transfer options, and must return a
+     *   GuzzleHttp\Promise\PromiseInterface that is fulfilled with a
+     *   Psr7\Http\Message\ResponseInterface on success.
+     *   If no handler is provided, a default handler will be created
+     *   that enables all of the request options below by attaching all of the
+     *   default middleware to the handler.
+     * - base_uri: (string|UriInterface) Base URI of the client that is merged
+     *   into relative URIs. Can be a string or instance of UriInterface.
+     * - **: any request option
+     *
+     * @param array $config Client configuration settings.
+     *
+     * @see \GuzzleHttp\RequestOptions for a list of available request options.
+     */
+    public function __construct(array $config = [])
+    {
+        if (!isset($config['handler'])) {
+            $config['handler'] = HandlerStack::create();
+        } elseif (!\is_callable($config['handler'])) {
+            throw new InvalidArgumentException('handler must be a callable');
+        }
+
+        // Convert the base_uri to a UriInterface
+        if (isset($config['base_uri'])) {
+            $config['base_uri'] = Psr7\Utils::uriFor($config['base_uri']);
+        }
+
+        $this->configureDefaults($config);
+    }
+
+    /**
+     * @param string $method
+     * @param array  $args
+     *
+     * @return PromiseInterface|ResponseInterface
+     *
+     * @deprecated Client::__call will be removed in guzzlehttp/guzzle:8.0.
+     */
+    public function __call($method, $args)
+    {
+        if (\count($args) < 1) {
+            throw new InvalidArgumentException('Magic request methods require a URI and optional options array');
+        }
+
+        $uri = $args[0];
+        $opts = $args[1] ?? [];
+
+        return \substr($method, -5) === 'Async'
+            ? $this->requestAsync(\substr($method, 0, -5), $uri, $opts)
+            : $this->request($method, $uri, $opts);
+    }
+
+    /**
+     * Asynchronously send an HTTP request.
+     *
+     * @param array $options Request options to apply to the given
+     *                       request and to the transfer. See \GuzzleHttp\RequestOptions.
+     */
+    public function sendAsync(RequestInterface $request, array $options = []): PromiseInterface
+    {
+        // Merge the base URI into the request URI if needed.
+        $options = $this->prepareDefaults($options);
+
+        return $this->transfer(
+            $request->withUri($this->buildUri($request->getUri(), $options), $request->hasHeader('Host')),
+            $options
+        );
+    }
+
+    /**
+     * Send an HTTP request.
+     *
+     * @param array $options Request options to apply to the given
+     *                       request and to the transfer. See \GuzzleHttp\RequestOptions.
+     *
+     * @throws GuzzleException
+     */
+    public function send(RequestInterface $request, array $options = []): ResponseInterface
+    {
+        $options[RequestOptions::SYNCHRONOUS] = true;
+        return $this->sendAsync($request, $options)->wait();
+    }
+
+    /**
+     * The HttpClient PSR (PSR-18) specify this method.
+     *
+     * @inheritDoc
+     */
+    public function sendRequest(RequestInterface $request): ResponseInterface
+    {
+        $options[RequestOptions::SYNCHRONOUS] = true;
+        $options[RequestOptions::ALLOW_REDIRECTS] = false;
+        $options[RequestOptions::HTTP_ERRORS] = false;
+
+        return $this->sendAsync($request, $options)->wait();
+    }
+
+    /**
+     * Create and send an asynchronous HTTP request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string              $method  HTTP method
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply. See \GuzzleHttp\RequestOptions.
+     */
+    public function requestAsync(string $method, $uri = '', array $options = []): PromiseInterface
+    {
+        $options = $this->prepareDefaults($options);
+        // Remove request modifying parameter because it can be done up-front.
+        $headers = $options['headers'] ?? [];
+        $body = $options['body'] ?? null;
+        $version = $options['version'] ?? '1.1';
+        // Merge the URI into the base URI.
+        $uri = $this->buildUri(Psr7\Utils::uriFor($uri), $options);
+        if (\is_array($body)) {
+            throw $this->invalidBody();
+        }
+        $request = new Psr7\Request($method, $uri, $headers, $body, $version);
+        // Remove the option so that they are not doubly-applied.
+        unset($options['headers'], $options['body'], $options['version']);
+
+        return $this->transfer($request, $options);
+    }
+
+    /**
+     * Create and send an HTTP request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string              $method  HTTP method.
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply. See \GuzzleHttp\RequestOptions.
+     *
+     * @throws GuzzleException
+     */
+    public function request(string $method, $uri = '', array $options = []): ResponseInterface
+    {
+        $options[RequestOptions::SYNCHRONOUS] = true;
+        return $this->requestAsync($method, $uri, $options)->wait();
+    }
+
+    /**
+     * Get a client configuration option.
+     *
+     * These options include default request options of the client, a "handler"
+     * (if utilized by the concrete client), and a "base_uri" if utilized by
+     * the concrete client.
+     *
+     * @param string|null $option The config option to retrieve.
+     *
+     * @return mixed
+     *
+     * @deprecated Client::getConfig will be removed in guzzlehttp/guzzle:8.0.
+     */
+    public function getConfig(?string $option = null)
+    {
+        return $option === null
+            ? $this->config
+            : ($this->config[$option] ?? null);
+    }
+
+    private function buildUri(UriInterface $uri, array $config): UriInterface
+    {
+        if (isset($config['base_uri'])) {
+            $uri = Psr7\UriResolver::resolve(Psr7\Utils::uriFor($config['base_uri']), $uri);
+        }
+
+        if (isset($config['idn_conversion']) && ($config['idn_conversion'] !== false)) {
+            $idnOptions = ($config['idn_conversion'] === true) ? \IDNA_DEFAULT : $config['idn_conversion'];
+            $uri = Utils::idnUriConvert($uri, $idnOptions);
+        }
+
+        return $uri->getScheme() === '' && $uri->getHost() !== '' ? $uri->withScheme('http') : $uri;
+    }
+
+    /**
+     * Configures the default options for a client.
+     */
+    private function configureDefaults(array $config): void
+    {
+        $defaults = [
+            'allow_redirects' => RedirectMiddleware::$defaultSettings,
+            'http_errors'     => true,
+            'decode_content'  => true,
+            'verify'          => true,
+            'cookies'         => false,
+            'idn_conversion'  => false,
+        ];
+
+        // Use the standard Linux HTTP_PROXY and HTTPS_PROXY if set.
+
+        // We can only trust the HTTP_PROXY environment variable in a CLI
+        // process due to the fact that PHP has no reliable mechanism to
+        // get environment variables that start with "HTTP_".
+        if (\PHP_SAPI === 'cli' && ($proxy = Utils::getenv('HTTP_PROXY'))) {
+            $defaults['proxy']['http'] = $proxy;
+        }
+
+        if ($proxy = Utils::getenv('HTTPS_PROXY')) {
+            $defaults['proxy']['https'] = $proxy;
+        }
+
+        if ($noProxy = Utils::getenv('NO_PROXY')) {
+            $cleanedNoProxy = \str_replace(' ', '', $noProxy);
+            $defaults['proxy']['no'] = \explode(',', $cleanedNoProxy);
+        }
+
+        $this->config = $config + $defaults;
+
+        if (!empty($config['cookies']) && $config['cookies'] === true) {
+            $this->config['cookies'] = new CookieJar();
+        }
+
+        // Add the default user-agent header.
+        if (!isset($this->config['headers'])) {
+            $this->config['headers'] = ['User-Agent' => Utils::defaultUserAgent()];
+        } else {
+            // Add the User-Agent header if one was not already set.
+            foreach (\array_keys($this->config['headers']) as $name) {
+                if (\strtolower($name) === 'user-agent') {
+                    return;
+                }
+            }
+            $this->config['headers']['User-Agent'] = Utils::defaultUserAgent();
+        }
+    }
+
+    /**
+     * Merges default options into the array.
+     *
+     * @param array $options Options to modify by reference
+     */
+    private function prepareDefaults(array $options): array
+    {
+        $defaults = $this->config;
+
+        if (!empty($defaults['headers'])) {
+            // Default headers are only added if they are not present.
+            $defaults['_conditional'] = $defaults['headers'];
+            unset($defaults['headers']);
+        }
+
+        // Special handling for headers is required as they are added as
+        // conditional headers and as headers passed to a request ctor.
+        if (\array_key_exists('headers', $options)) {
+            // Allows default headers to be unset.
+            if ($options['headers'] === null) {
+                $defaults['_conditional'] = [];
+                unset($options['headers']);
+            } elseif (!\is_array($options['headers'])) {
+                throw new InvalidArgumentException('headers must be an array');
+            }
+        }
+
+        // Shallow merge defaults underneath options.
+        $result = $options + $defaults;
+
+        // Remove null values.
+        foreach ($result as $k => $v) {
+            if ($v === null) {
+                unset($result[$k]);
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * Transfers the given request and applies request options.
+     *
+     * The URI of the request is not modified and the request options are used
+     * as-is without merging in default options.
+     *
+     * @param array $options See \GuzzleHttp\RequestOptions.
+     */
+    private function transfer(RequestInterface $request, array $options): PromiseInterface
+    {
+        $request = $this->applyOptions($request, $options);
+        /** @var HandlerStack $handler */
+        $handler = $options['handler'];
+
+        try {
+            return P\Create::promiseFor($handler($request, $options));
+        } catch (\Exception $e) {
+            return P\Create::rejectionFor($e);
+        }
+    }
+
+    /**
+     * Applies the array of request options to a request.
+     */
+    private function applyOptions(RequestInterface $request, array &$options): RequestInterface
+    {
+        $modify = [
+            'set_headers' => [],
+        ];
+
+        if (isset($options['headers'])) {
+            if (array_keys($options['headers']) === range(0, count($options['headers']) - 1)) {
+                throw new InvalidArgumentException('The headers array must have header name as keys.');
+            }
+            $modify['set_headers'] = $options['headers'];
+            unset($options['headers']);
+        }
+
+        if (isset($options['form_params'])) {
+            if (isset($options['multipart'])) {
+                throw new InvalidArgumentException('You cannot use '
+                    . 'form_params and multipart at the same time. Use the '
+                    . 'form_params option if you want to send application/'
+                    . 'x-www-form-urlencoded requests, and the multipart '
+                    . 'option to send multipart/form-data requests.');
+            }
+            $options['body'] = \http_build_query($options['form_params'], '', '&');
+            unset($options['form_params']);
+            // Ensure that we don't have the header in different case and set the new value.
+            $options['_conditional'] = Psr7\Utils::caselessRemove(['Content-Type'], $options['_conditional']);
+            $options['_conditional']['Content-Type'] = 'application/x-www-form-urlencoded';
+        }
+
+        if (isset($options['multipart'])) {
+            $options['body'] = new Psr7\MultipartStream($options['multipart']);
+            unset($options['multipart']);
+        }
+
+        if (isset($options['json'])) {
+            $options['body'] = Utils::jsonEncode($options['json']);
+            unset($options['json']);
+            // Ensure that we don't have the header in different case and set the new value.
+            $options['_conditional'] = Psr7\Utils::caselessRemove(['Content-Type'], $options['_conditional']);
+            $options['_conditional']['Content-Type'] = 'application/json';
+        }
+
+        if (!empty($options['decode_content'])
+            && $options['decode_content'] !== true
+        ) {
+            // Ensure that we don't have the header in different case and set the new value.
+            $options['_conditional'] = Psr7\Utils::caselessRemove(['Accept-Encoding'], $options['_conditional']);
+            $modify['set_headers']['Accept-Encoding'] = $options['decode_content'];
+        }
+
+        if (isset($options['body'])) {
+            if (\is_array($options['body'])) {
+                throw $this->invalidBody();
+            }
+            $modify['body'] = Psr7\Utils::streamFor($options['body']);
+            unset($options['body']);
+        }
+
+        if (!empty($options['auth']) && \is_array($options['auth'])) {
+            $value = $options['auth'];
+            $type = isset($value[2]) ? \strtolower($value[2]) : 'basic';
+            switch ($type) {
+                case 'basic':
+                    // Ensure that we don't have the header in different case and set the new value.
+                    $modify['set_headers'] = Psr7\Utils::caselessRemove(['Authorization'], $modify['set_headers']);
+                    $modify['set_headers']['Authorization'] = 'Basic '
+                        . \base64_encode("$value[0]:$value[1]");
+                    break;
+                case 'digest':
+                    // @todo: Do not rely on curl
+                    $options['curl'][\CURLOPT_HTTPAUTH] = \CURLAUTH_DIGEST;
+                    $options['curl'][\CURLOPT_USERPWD] = "$value[0]:$value[1]";
+                    break;
+                case 'ntlm':
+                    $options['curl'][\CURLOPT_HTTPAUTH] = \CURLAUTH_NTLM;
+                    $options['curl'][\CURLOPT_USERPWD] = "$value[0]:$value[1]";
+                    break;
+            }
+        }
+
+        if (isset($options['query'])) {
+            $value = $options['query'];
+            if (\is_array($value)) {
+                $value = \http_build_query($value, '', '&', \PHP_QUERY_RFC3986);
+            }
+            if (!\is_string($value)) {
+                throw new InvalidArgumentException('query must be a string or array');
+            }
+            $modify['query'] = $value;
+            unset($options['query']);
+        }
+
+        // Ensure that sink is not an invalid value.
+        if (isset($options['sink'])) {
+            // TODO: Add more sink validation?
+            if (\is_bool($options['sink'])) {
+                throw new InvalidArgumentException('sink must not be a boolean');
+            }
+        }
+
+        $request = Psr7\Utils::modifyRequest($request, $modify);
+        if ($request->getBody() instanceof Psr7\MultipartStream) {
+            // Use a multipart/form-data POST if a Content-Type is not set.
+            // Ensure that we don't have the header in different case and set the new value.
+            $options['_conditional'] = Psr7\Utils::caselessRemove(['Content-Type'], $options['_conditional']);
+            $options['_conditional']['Content-Type'] = 'multipart/form-data; boundary='
+                . $request->getBody()->getBoundary();
+        }
+
+        // Merge in conditional headers if they are not present.
+        if (isset($options['_conditional'])) {
+            // Build up the changes so it's in a single clone of the message.
+            $modify = [];
+            foreach ($options['_conditional'] as $k => $v) {
+                if (!$request->hasHeader($k)) {
+                    $modify['set_headers'][$k] = $v;
+                }
+            }
+            $request = Psr7\Utils::modifyRequest($request, $modify);
+            // Don't pass this internal value along to middleware/handlers.
+            unset($options['_conditional']);
+        }
+
+        return $request;
+    }
+
+    /**
+     * Return an InvalidArgumentException with pre-set message.
+     */
+    private function invalidBody(): InvalidArgumentException
+    {
+        return new InvalidArgumentException('Passing in the "body" request '
+            . 'option as an array to send a request is not supported. '
+            . 'Please use the "form_params" request option to send a '
+            . 'application/x-www-form-urlencoded request, or the "multipart" '
+            . 'request option to send a multipart/form-data request.');
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientInterface.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientInterface.php
new file mode 100644
index 000000000..6aaee61af
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientInterface.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Exception\GuzzleException;
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Client interface for sending HTTP requests.
+ */
+interface ClientInterface
+{
+    /**
+     * The Guzzle major version.
+     */
+    public const MAJOR_VERSION = 7;
+
+    /**
+     * Send an HTTP request.
+     *
+     * @param RequestInterface $request Request to send
+     * @param array            $options Request options to apply to the given
+     *                                  request and to the transfer.
+     *
+     * @throws GuzzleException
+     */
+    public function send(RequestInterface $request, array $options = []): ResponseInterface;
+
+    /**
+     * Asynchronously send an HTTP request.
+     *
+     * @param RequestInterface $request Request to send
+     * @param array            $options Request options to apply to the given
+     *                                  request and to the transfer.
+     */
+    public function sendAsync(RequestInterface $request, array $options = []): PromiseInterface;
+
+    /**
+     * Create and send an HTTP request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string              $method  HTTP method.
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function request(string $method, $uri, array $options = []): ResponseInterface;
+
+    /**
+     * Create and send an asynchronous HTTP request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string              $method  HTTP method
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function requestAsync(string $method, $uri, array $options = []): PromiseInterface;
+
+    /**
+     * Get a client configuration option.
+     *
+     * These options include default request options of the client, a "handler"
+     * (if utilized by the concrete client), and a "base_uri" if utilized by
+     * the concrete client.
+     *
+     * @param string|null $option The config option to retrieve.
+     *
+     * @return mixed
+     *
+     * @deprecated ClientInterface::getConfig will be removed in guzzlehttp/guzzle:8.0.
+     */
+    public function getConfig(?string $option = null);
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientTrait.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientTrait.php
new file mode 100644
index 000000000..c584c76cb
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/ClientTrait.php
@@ -0,0 +1,241 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Exception\GuzzleException;
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Client interface for sending HTTP requests.
+ */
+trait ClientTrait
+{
+    /**
+     * Create and send an HTTP request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string              $method  HTTP method.
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    abstract public function request(string $method, $uri, array $options = []): ResponseInterface;
+
+    /**
+     * Create and send an HTTP GET request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function get($uri, array $options = []): ResponseInterface
+    {
+        return $this->request('GET', $uri, $options);
+    }
+
+    /**
+     * Create and send an HTTP HEAD request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function head($uri, array $options = []): ResponseInterface
+    {
+        return $this->request('HEAD', $uri, $options);
+    }
+
+    /**
+     * Create and send an HTTP PUT request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function put($uri, array $options = []): ResponseInterface
+    {
+        return $this->request('PUT', $uri, $options);
+    }
+
+    /**
+     * Create and send an HTTP POST request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function post($uri, array $options = []): ResponseInterface
+    {
+        return $this->request('POST', $uri, $options);
+    }
+
+    /**
+     * Create and send an HTTP PATCH request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function patch($uri, array $options = []): ResponseInterface
+    {
+        return $this->request('PATCH', $uri, $options);
+    }
+
+    /**
+     * Create and send an HTTP DELETE request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     *
+     * @throws GuzzleException
+     */
+    public function delete($uri, array $options = []): ResponseInterface
+    {
+        return $this->request('DELETE', $uri, $options);
+    }
+
+    /**
+     * Create and send an asynchronous HTTP request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string              $method  HTTP method
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    abstract public function requestAsync(string $method, $uri, array $options = []): PromiseInterface;
+
+    /**
+     * Create and send an asynchronous HTTP GET request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function getAsync($uri, array $options = []): PromiseInterface
+    {
+        return $this->requestAsync('GET', $uri, $options);
+    }
+
+    /**
+     * Create and send an asynchronous HTTP HEAD request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function headAsync($uri, array $options = []): PromiseInterface
+    {
+        return $this->requestAsync('HEAD', $uri, $options);
+    }
+
+    /**
+     * Create and send an asynchronous HTTP PUT request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function putAsync($uri, array $options = []): PromiseInterface
+    {
+        return $this->requestAsync('PUT', $uri, $options);
+    }
+
+    /**
+     * Create and send an asynchronous HTTP POST request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function postAsync($uri, array $options = []): PromiseInterface
+    {
+        return $this->requestAsync('POST', $uri, $options);
+    }
+
+    /**
+     * Create and send an asynchronous HTTP PATCH request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function patchAsync($uri, array $options = []): PromiseInterface
+    {
+        return $this->requestAsync('PATCH', $uri, $options);
+    }
+
+    /**
+     * Create and send an asynchronous HTTP DELETE request.
+     *
+     * Use an absolute path to override the base path of the client, or a
+     * relative path to append to the base path of the client. The URL can
+     * contain the query string as well. Use an array to provide a URL
+     * template and additional variables to use in the URL template expansion.
+     *
+     * @param string|UriInterface $uri     URI object or string.
+     * @param array               $options Request options to apply.
+     */
+    public function deleteAsync($uri, array $options = []): PromiseInterface
+    {
+        return $this->requestAsync('DELETE', $uri, $options);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJar.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJar.php
new file mode 100644
index 000000000..9985a9814
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJar.php
@@ -0,0 +1,317 @@
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Cookie jar that stores cookies as an array
+ */
+class CookieJar implements CookieJarInterface
+{
+    /**
+     * @var SetCookie[] Loaded cookie data
+     */
+    private $cookies = [];
+
+    /**
+     * @var bool
+     */
+    private $strictMode;
+
+    /**
+     * @param bool  $strictMode  Set to true to throw exceptions when invalid
+     *                           cookies are added to the cookie jar.
+     * @param array $cookieArray Array of SetCookie objects or a hash of
+     *                           arrays that can be used with the SetCookie
+     *                           constructor
+     */
+    public function __construct(bool $strictMode = false, array $cookieArray = [])
+    {
+        $this->strictMode = $strictMode;
+
+        foreach ($cookieArray as $cookie) {
+            if (!($cookie instanceof SetCookie)) {
+                $cookie = new SetCookie($cookie);
+            }
+            $this->setCookie($cookie);
+        }
+    }
+
+    /**
+     * Create a new Cookie jar from an associative array and domain.
+     *
+     * @param array  $cookies Cookies to create the jar from
+     * @param string $domain  Domain to set the cookies to
+     */
+    public static function fromArray(array $cookies, string $domain): self
+    {
+        $cookieJar = new self();
+        foreach ($cookies as $name => $value) {
+            $cookieJar->setCookie(new SetCookie([
+                'Domain'  => $domain,
+                'Name'    => $name,
+                'Value'   => $value,
+                'Discard' => true
+            ]));
+        }
+
+        return $cookieJar;
+    }
+
+    /**
+     * Evaluate if this cookie should be persisted to storage
+     * that survives between requests.
+     *
+     * @param SetCookie $cookie              Being evaluated.
+     * @param bool      $allowSessionCookies If we should persist session cookies
+     */
+    public static function shouldPersist(SetCookie $cookie, bool $allowSessionCookies = false): bool
+    {
+        if ($cookie->getExpires() || $allowSessionCookies) {
+            if (!$cookie->getDiscard()) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Finds and returns the cookie based on the name
+     *
+     * @param string $name cookie name to search for
+     *
+     * @return SetCookie|null cookie that was found or null if not found
+     */
+    public function getCookieByName(string $name): ?SetCookie
+    {
+        foreach ($this->cookies as $cookie) {
+            if ($cookie->getName() !== null && \strcasecmp($cookie->getName(), $name) === 0) {
+                return $cookie;
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function toArray(): array
+    {
+        return \array_map(static function (SetCookie $cookie): array {
+            return $cookie->toArray();
+        }, $this->getIterator()->getArrayCopy());
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function clear(?string $domain = null, ?string $path = null, ?string $name = null): void
+    {
+        if (!$domain) {
+            $this->cookies = [];
+            return;
+        } elseif (!$path) {
+            $this->cookies = \array_filter(
+                $this->cookies,
+                static function (SetCookie $cookie) use ($domain): bool {
+                    return !$cookie->matchesDomain($domain);
+                }
+            );
+        } elseif (!$name) {
+            $this->cookies = \array_filter(
+                $this->cookies,
+                static function (SetCookie $cookie) use ($path, $domain): bool {
+                    return !($cookie->matchesPath($path) &&
+                        $cookie->matchesDomain($domain));
+                }
+            );
+        } else {
+            $this->cookies = \array_filter(
+                $this->cookies,
+                static function (SetCookie $cookie) use ($path, $domain, $name) {
+                    return !($cookie->getName() == $name &&
+                        $cookie->matchesPath($path) &&
+                        $cookie->matchesDomain($domain));
+                }
+            );
+        }
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function clearSessionCookies(): void
+    {
+        $this->cookies = \array_filter(
+            $this->cookies,
+            static function (SetCookie $cookie): bool {
+                return !$cookie->getDiscard() && $cookie->getExpires();
+            }
+        );
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function setCookie(SetCookie $cookie): bool
+    {
+        // If the name string is empty (but not 0), ignore the set-cookie
+        // string entirely.
+        $name = $cookie->getName();
+        if (!$name && $name !== '0') {
+            return false;
+        }
+
+        // Only allow cookies with set and valid domain, name, value
+        $result = $cookie->validate();
+        if ($result !== true) {
+            if ($this->strictMode) {
+                throw new \RuntimeException('Invalid cookie: ' . $result);
+            }
+            $this->removeCookieIfEmpty($cookie);
+            return false;
+        }
+
+        // Resolve conflicts with previously set cookies
+        foreach ($this->cookies as $i => $c) {
+            // Two cookies are identical, when their path, and domain are
+            // identical.
+            if ($c->getPath() != $cookie->getPath() ||
+                $c->getDomain() != $cookie->getDomain() ||
+                $c->getName() != $cookie->getName()
+            ) {
+                continue;
+            }
+
+            // The previously set cookie is a discard cookie and this one is
+            // not so allow the new cookie to be set
+            if (!$cookie->getDiscard() && $c->getDiscard()) {
+                unset($this->cookies[$i]);
+                continue;
+            }
+
+            // If the new cookie's expiration is further into the future, then
+            // replace the old cookie
+            if ($cookie->getExpires() > $c->getExpires()) {
+                unset($this->cookies[$i]);
+                continue;
+            }
+
+            // If the value has changed, we better change it
+            if ($cookie->getValue() !== $c->getValue()) {
+                unset($this->cookies[$i]);
+                continue;
+            }
+
+            // The cookie exists, so no need to continue
+            return false;
+        }
+
+        $this->cookies[] = $cookie;
+
+        return true;
+    }
+
+    public function count(): int
+    {
+        return \count($this->cookies);
+    }
+
+    /**
+     * @return \ArrayIterator<int, SetCookie>
+     */
+    public function getIterator(): \ArrayIterator
+    {
+        return new \ArrayIterator(\array_values($this->cookies));
+    }
+
+    public function extractCookies(RequestInterface $request, ResponseInterface $response): void
+    {
+        if ($cookieHeader = $response->getHeader('Set-Cookie')) {
+            foreach ($cookieHeader as $cookie) {
+                $sc = SetCookie::fromString($cookie);
+                if (!$sc->getDomain()) {
+                    $sc->setDomain($request->getUri()->getHost());
+                }
+                if (0 !== \strpos($sc->getPath(), '/')) {
+                    $sc->setPath($this->getCookiePathFromRequest($request));
+                }
+                if (!$sc->matchesDomain($request->getUri()->getHost())) {
+                    continue;
+                }
+                // Note: At this point `$sc->getDomain()` being a public suffix should
+                // be rejected, but we don't want to pull in the full PSL dependency.
+                $this->setCookie($sc);
+            }
+        }
+    }
+
+    /**
+     * Computes cookie path following RFC 6265 section 5.1.4
+     *
+     * @link https://tools.ietf.org/html/rfc6265#section-5.1.4
+     */
+    private function getCookiePathFromRequest(RequestInterface $request): string
+    {
+        $uriPath = $request->getUri()->getPath();
+        if ('' === $uriPath) {
+            return '/';
+        }
+        if (0 !== \strpos($uriPath, '/')) {
+            return '/';
+        }
+        if ('/' === $uriPath) {
+            return '/';
+        }
+        $lastSlashPos = \strrpos($uriPath, '/');
+        if (0 === $lastSlashPos || false === $lastSlashPos) {
+            return '/';
+        }
+
+        return \substr($uriPath, 0, $lastSlashPos);
+    }
+
+    public function withCookieHeader(RequestInterface $request): RequestInterface
+    {
+        $values = [];
+        $uri = $request->getUri();
+        $scheme = $uri->getScheme();
+        $host = $uri->getHost();
+        $path = $uri->getPath() ?: '/';
+
+        foreach ($this->cookies as $cookie) {
+            if ($cookie->matchesPath($path) &&
+                $cookie->matchesDomain($host) &&
+                !$cookie->isExpired() &&
+                (!$cookie->getSecure() || $scheme === 'https')
+            ) {
+                $values[] = $cookie->getName() . '='
+                    . $cookie->getValue();
+            }
+        }
+
+        return $values
+            ? $request->withHeader('Cookie', \implode('; ', $values))
+            : $request;
+    }
+
+    /**
+     * If a cookie already exists and the server asks to set it again with a
+     * null value, the cookie must be deleted.
+     */
+    private function removeCookieIfEmpty(SetCookie $cookie): void
+    {
+        $cookieValue = $cookie->getValue();
+        if ($cookieValue === null || $cookieValue === '') {
+            $this->clear(
+                $cookie->getDomain(),
+                $cookie->getPath(),
+                $cookie->getName()
+            );
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJarInterface.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJarInterface.php
new file mode 100644
index 000000000..7df374b5b
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/CookieJarInterface.php
@@ -0,0 +1,79 @@
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Stores HTTP cookies.
+ *
+ * It extracts cookies from HTTP requests, and returns them in HTTP responses.
+ * CookieJarInterface instances automatically expire contained cookies when
+ * necessary. Subclasses are also responsible for storing and retrieving
+ * cookies from a file, database, etc.
+ *
+ * @link https://docs.python.org/2/library/cookielib.html Inspiration
+ * @extends \IteratorAggregate<SetCookie>
+ */
+interface CookieJarInterface extends \Countable, \IteratorAggregate
+{
+    /**
+     * Create a request with added cookie headers.
+     *
+     * If no matching cookies are found in the cookie jar, then no Cookie
+     * header is added to the request and the same request is returned.
+     *
+     * @param RequestInterface $request Request object to modify.
+     *
+     * @return RequestInterface returns the modified request.
+     */
+    public function withCookieHeader(RequestInterface $request): RequestInterface;
+
+    /**
+     * Extract cookies from an HTTP response and store them in the CookieJar.
+     *
+     * @param RequestInterface  $request  Request that was sent
+     * @param ResponseInterface $response Response that was received
+     */
+    public function extractCookies(RequestInterface $request, ResponseInterface $response): void;
+
+    /**
+     * Sets a cookie in the cookie jar.
+     *
+     * @param SetCookie $cookie Cookie to set.
+     *
+     * @return bool Returns true on success or false on failure
+     */
+    public function setCookie(SetCookie $cookie): bool;
+
+    /**
+     * Remove cookies currently held in the cookie jar.
+     *
+     * Invoking this method without arguments will empty the whole cookie jar.
+     * If given a $domain argument only cookies belonging to that domain will
+     * be removed. If given a $domain and $path argument, cookies belonging to
+     * the specified path within that domain are removed. If given all three
+     * arguments, then the cookie with the specified name, path and domain is
+     * removed.
+     *
+     * @param string|null $domain Clears cookies matching a domain
+     * @param string|null $path   Clears cookies matching a domain and path
+     * @param string|null $name   Clears cookies matching a domain, path, and name
+     */
+    public function clear(?string $domain = null, ?string $path = null, ?string $name = null): void;
+
+    /**
+     * Discard all sessions cookies.
+     *
+     * Removes cookies that don't have an expire field or a have a discard
+     * field set to true. To be called when the user agent shuts down according
+     * to RFC 2965.
+     */
+    public function clearSessionCookies(): void;
+
+    /**
+     * Converts the cookie jar to an array.
+     */
+    public function toArray(): array;
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/FileCookieJar.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/FileCookieJar.php
new file mode 100644
index 000000000..290236d54
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/FileCookieJar.php
@@ -0,0 +1,101 @@
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+use GuzzleHttp\Utils;
+
+/**
+ * Persists non-session cookies using a JSON formatted file
+ */
+class FileCookieJar extends CookieJar
+{
+    /**
+     * @var string filename
+     */
+    private $filename;
+
+    /**
+     * @var bool Control whether to persist session cookies or not.
+     */
+    private $storeSessionCookies;
+
+    /**
+     * Create a new FileCookieJar object
+     *
+     * @param string $cookieFile          File to store the cookie data
+     * @param bool   $storeSessionCookies Set to true to store session cookies
+     *                                    in the cookie jar.
+     *
+     * @throws \RuntimeException if the file cannot be found or created
+     */
+    public function __construct(string $cookieFile, bool $storeSessionCookies = false)
+    {
+        parent::__construct();
+        $this->filename = $cookieFile;
+        $this->storeSessionCookies = $storeSessionCookies;
+
+        if (\file_exists($cookieFile)) {
+            $this->load($cookieFile);
+        }
+    }
+
+    /**
+     * Saves the file when shutting down
+     */
+    public function __destruct()
+    {
+        $this->save($this->filename);
+    }
+
+    /**
+     * Saves the cookies to a file.
+     *
+     * @param string $filename File to save
+     *
+     * @throws \RuntimeException if the file cannot be found or created
+     */
+    public function save(string $filename): void
+    {
+        $json = [];
+        /** @var SetCookie $cookie */
+        foreach ($this as $cookie) {
+            if (CookieJar::shouldPersist($cookie, $this->storeSessionCookies)) {
+                $json[] = $cookie->toArray();
+            }
+        }
+
+        $jsonStr = Utils::jsonEncode($json);
+        if (false === \file_put_contents($filename, $jsonStr, \LOCK_EX)) {
+            throw new \RuntimeException("Unable to save file {$filename}");
+        }
+    }
+
+    /**
+     * Load cookies from a JSON formatted file.
+     *
+     * Old cookies are kept unless overwritten by newly loaded ones.
+     *
+     * @param string $filename Cookie file to load.
+     *
+     * @throws \RuntimeException if the file cannot be loaded.
+     */
+    public function load(string $filename): void
+    {
+        $json = \file_get_contents($filename);
+        if (false === $json) {
+            throw new \RuntimeException("Unable to load file {$filename}");
+        }
+        if ($json === '') {
+            return;
+        }
+
+        $data = Utils::jsonDecode($json, true);
+        if (\is_array($data)) {
+            foreach ($data as $cookie) {
+                $this->setCookie(new SetCookie($cookie));
+            }
+        } elseif (\is_scalar($data) && !empty($data)) {
+            throw new \RuntimeException("Invalid cookie file: {$filename}");
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SessionCookieJar.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SessionCookieJar.php
new file mode 100644
index 000000000..5d51ca982
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SessionCookieJar.php
@@ -0,0 +1,77 @@
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+/**
+ * Persists cookies in the client session
+ */
+class SessionCookieJar extends CookieJar
+{
+    /**
+     * @var string session key
+     */
+    private $sessionKey;
+
+    /**
+     * @var bool Control whether to persist session cookies or not.
+     */
+    private $storeSessionCookies;
+
+    /**
+     * Create a new SessionCookieJar object
+     *
+     * @param string $sessionKey          Session key name to store the cookie
+     *                                    data in session
+     * @param bool   $storeSessionCookies Set to true to store session cookies
+     *                                    in the cookie jar.
+     */
+    public function __construct(string $sessionKey, bool $storeSessionCookies = false)
+    {
+        parent::__construct();
+        $this->sessionKey = $sessionKey;
+        $this->storeSessionCookies = $storeSessionCookies;
+        $this->load();
+    }
+
+    /**
+     * Saves cookies to session when shutting down
+     */
+    public function __destruct()
+    {
+        $this->save();
+    }
+
+    /**
+     * Save cookies to the client session
+     */
+    public function save(): void
+    {
+        $json = [];
+        /** @var SetCookie $cookie */
+        foreach ($this as $cookie) {
+            if (CookieJar::shouldPersist($cookie, $this->storeSessionCookies)) {
+                $json[] = $cookie->toArray();
+            }
+        }
+
+        $_SESSION[$this->sessionKey] = \json_encode($json);
+    }
+
+    /**
+     * Load the contents of the client session into the data array
+     */
+    protected function load(): void
+    {
+        if (!isset($_SESSION[$this->sessionKey])) {
+            return;
+        }
+        $data = \json_decode($_SESSION[$this->sessionKey], true);
+        if (\is_array($data)) {
+            foreach ($data as $cookie) {
+                $this->setCookie(new SetCookie($cookie));
+            }
+        } elseif (\strlen($data)) {
+            throw new \RuntimeException("Invalid cookie data");
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
new file mode 100644
index 000000000..a613c77bf
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
@@ -0,0 +1,446 @@
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+/**
+ * Set-Cookie object
+ */
+class SetCookie
+{
+    /**
+     * @var array
+     */
+    private static $defaults = [
+        'Name'     => null,
+        'Value'    => null,
+        'Domain'   => null,
+        'Path'     => '/',
+        'Max-Age'  => null,
+        'Expires'  => null,
+        'Secure'   => false,
+        'Discard'  => false,
+        'HttpOnly' => false
+    ];
+
+    /**
+     * @var array Cookie data
+     */
+    private $data;
+
+    /**
+     * Create a new SetCookie object from a string.
+     *
+     * @param string $cookie Set-Cookie header string
+     */
+    public static function fromString(string $cookie): self
+    {
+        // Create the default return array
+        $data = self::$defaults;
+        // Explode the cookie string using a series of semicolons
+        $pieces = \array_filter(\array_map('trim', \explode(';', $cookie)));
+        // The name of the cookie (first kvp) must exist and include an equal sign.
+        if (!isset($pieces[0]) || \strpos($pieces[0], '=') === false) {
+            return new self($data);
+        }
+
+        // Add the cookie pieces into the parsed data array
+        foreach ($pieces as $part) {
+            $cookieParts = \explode('=', $part, 2);
+            $key = \trim($cookieParts[0]);
+            $value = isset($cookieParts[1])
+                ? \trim($cookieParts[1], " \n\r\t\0\x0B")
+                : true;
+
+            // Only check for non-cookies when cookies have been found
+            if (!isset($data['Name'])) {
+                $data['Name'] = $key;
+                $data['Value'] = $value;
+            } else {
+                foreach (\array_keys(self::$defaults) as $search) {
+                    if (!\strcasecmp($search, $key)) {
+                        $data[$search] = $value;
+                        continue 2;
+                    }
+                }
+                $data[$key] = $value;
+            }
+        }
+
+        return new self($data);
+    }
+
+    /**
+     * @param array $data Array of cookie data provided by a Cookie parser
+     */
+    public function __construct(array $data = [])
+    {
+        /** @var array|null $replaced will be null in case of replace error */
+        $replaced = \array_replace(self::$defaults, $data);
+        if ($replaced === null) {
+            throw new \InvalidArgumentException('Unable to replace the default values for the Cookie.');
+        }
+
+        $this->data = $replaced;
+        // Extract the Expires value and turn it into a UNIX timestamp if needed
+        if (!$this->getExpires() && $this->getMaxAge()) {
+            // Calculate the Expires date
+            $this->setExpires(\time() + $this->getMaxAge());
+        } elseif (null !== ($expires = $this->getExpires()) && !\is_numeric($expires)) {
+            $this->setExpires($expires);
+        }
+    }
+
+    public function __toString()
+    {
+        $str = $this->data['Name'] . '=' . ($this->data['Value'] ?? '') . '; ';
+        foreach ($this->data as $k => $v) {
+            if ($k !== 'Name' && $k !== 'Value' && $v !== null && $v !== false) {
+                if ($k === 'Expires') {
+                    $str .= 'Expires=' . \gmdate('D, d M Y H:i:s \G\M\T', $v) . '; ';
+                } else {
+                    $str .= ($v === true ? $k : "{$k}={$v}") . '; ';
+                }
+            }
+        }
+
+        return \rtrim($str, '; ');
+    }
+
+    public function toArray(): array
+    {
+        return $this->data;
+    }
+
+    /**
+     * Get the cookie name.
+     *
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->data['Name'];
+    }
+
+    /**
+     * Set the cookie name.
+     *
+     * @param string $name Cookie name
+     */
+    public function setName($name): void
+    {
+        if (!is_string($name)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a string to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Name'] = (string) $name;
+    }
+
+    /**
+     * Get the cookie value.
+     *
+     * @return string|null
+     */
+    public function getValue()
+    {
+        return $this->data['Value'];
+    }
+
+    /**
+     * Set the cookie value.
+     *
+     * @param string $value Cookie value
+     */
+    public function setValue($value): void
+    {
+        if (!is_string($value)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a string to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Value'] = (string) $value;
+    }
+
+    /**
+     * Get the domain.
+     *
+     * @return string|null
+     */
+    public function getDomain()
+    {
+        return $this->data['Domain'];
+    }
+
+    /**
+     * Set the domain of the cookie.
+     *
+     * @param string|null $domain
+     */
+    public function setDomain($domain): void
+    {
+        if (!is_string($domain) && null !== $domain) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a string or null to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Domain'] = null === $domain ? null : (string) $domain;
+    }
+
+    /**
+     * Get the path.
+     *
+     * @return string
+     */
+    public function getPath()
+    {
+        return $this->data['Path'];
+    }
+
+    /**
+     * Set the path of the cookie.
+     *
+     * @param string $path Path of the cookie
+     */
+    public function setPath($path): void
+    {
+        if (!is_string($path)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a string to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Path'] = (string) $path;
+    }
+
+    /**
+     * Maximum lifetime of the cookie in seconds.
+     *
+     * @return int|null
+     */
+    public function getMaxAge()
+    {
+        return null === $this->data['Max-Age'] ? null : (int) $this->data['Max-Age'];
+    }
+
+    /**
+     * Set the max-age of the cookie.
+     *
+     * @param int|null $maxAge Max age of the cookie in seconds
+     */
+    public function setMaxAge($maxAge): void
+    {
+        if (!is_int($maxAge) && null !== $maxAge) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing an int or null to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Max-Age'] = $maxAge === null ? null : (int) $maxAge;
+    }
+
+    /**
+     * The UNIX timestamp when the cookie Expires.
+     *
+     * @return string|int|null
+     */
+    public function getExpires()
+    {
+        return $this->data['Expires'];
+    }
+
+    /**
+     * Set the unix timestamp for which the cookie will expire.
+     *
+     * @param int|string|null $timestamp Unix timestamp or any English textual datetime description.
+     */
+    public function setExpires($timestamp): void
+    {
+        if (!is_int($timestamp) && !is_string($timestamp) && null !== $timestamp) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing an int, string or null to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Expires'] = null === $timestamp ? null : (\is_numeric($timestamp) ? (int) $timestamp : \strtotime((string) $timestamp));
+    }
+
+    /**
+     * Get whether or not this is a secure cookie.
+     *
+     * @return bool
+     */
+    public function getSecure()
+    {
+        return $this->data['Secure'];
+    }
+
+    /**
+     * Set whether or not the cookie is secure.
+     *
+     * @param bool $secure Set to true or false if secure
+     */
+    public function setSecure($secure): void
+    {
+        if (!is_bool($secure)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a bool to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Secure'] = (bool) $secure;
+    }
+
+    /**
+     * Get whether or not this is a session cookie.
+     *
+     * @return bool|null
+     */
+    public function getDiscard()
+    {
+        return $this->data['Discard'];
+    }
+
+    /**
+     * Set whether or not this is a session cookie.
+     *
+     * @param bool $discard Set to true or false if this is a session cookie
+     */
+    public function setDiscard($discard): void
+    {
+        if (!is_bool($discard)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a bool to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['Discard'] = (bool) $discard;
+    }
+
+    /**
+     * Get whether or not this is an HTTP only cookie.
+     *
+     * @return bool
+     */
+    public function getHttpOnly()
+    {
+        return $this->data['HttpOnly'];
+    }
+
+    /**
+     * Set whether or not this is an HTTP only cookie.
+     *
+     * @param bool $httpOnly Set to true or false if this is HTTP only
+     */
+    public function setHttpOnly($httpOnly): void
+    {
+        if (!is_bool($httpOnly)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a bool to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->data['HttpOnly'] = (bool) $httpOnly;
+    }
+
+    /**
+     * Check if the cookie matches a path value.
+     *
+     * A request-path path-matches a given cookie-path if at least one of
+     * the following conditions holds:
+     *
+     * - The cookie-path and the request-path are identical.
+     * - The cookie-path is a prefix of the request-path, and the last
+     *   character of the cookie-path is %x2F ("/").
+     * - The cookie-path is a prefix of the request-path, and the first
+     *   character of the request-path that is not included in the cookie-
+     *   path is a %x2F ("/") character.
+     *
+     * @param string $requestPath Path to check against
+     */
+    public function matchesPath(string $requestPath): bool
+    {
+        $cookiePath = $this->getPath();
+
+        // Match on exact matches or when path is the default empty "/"
+        if ($cookiePath === '/' || $cookiePath == $requestPath) {
+            return true;
+        }
+
+        // Ensure that the cookie-path is a prefix of the request path.
+        if (0 !== \strpos($requestPath, $cookiePath)) {
+            return false;
+        }
+
+        // Match if the last character of the cookie-path is "/"
+        if (\substr($cookiePath, -1, 1) === '/') {
+            return true;
+        }
+
+        // Match if the first character not included in cookie path is "/"
+        return \substr($requestPath, \strlen($cookiePath), 1) === '/';
+    }
+
+    /**
+     * Check if the cookie matches a domain value.
+     *
+     * @param string $domain Domain to check against
+     */
+    public function matchesDomain(string $domain): bool
+    {
+        $cookieDomain = $this->getDomain();
+        if (null === $cookieDomain) {
+            return true;
+        }
+
+        // Remove the leading '.' as per spec in RFC 6265.
+        // https://tools.ietf.org/html/rfc6265#section-5.2.3
+        $cookieDomain = \ltrim(\strtolower($cookieDomain), '.');
+
+        $domain = \strtolower($domain);
+
+        // Domain not set or exact match.
+        if ('' === $cookieDomain || $domain === $cookieDomain) {
+            return true;
+        }
+
+        // Matching the subdomain according to RFC 6265.
+        // https://tools.ietf.org/html/rfc6265#section-5.1.3
+        if (\filter_var($domain, \FILTER_VALIDATE_IP)) {
+            return false;
+        }
+
+        return (bool) \preg_match('/\.' . \preg_quote($cookieDomain, '/') . '$/', $domain);
+    }
+
+    /**
+     * Check if the cookie is expired.
+     */
+    public function isExpired(): bool
+    {
+        return $this->getExpires() !== null && \time() > $this->getExpires();
+    }
+
+    /**
+     * Check if the cookie is valid according to RFC 6265.
+     *
+     * @return bool|string Returns true if valid or an error message if invalid
+     */
+    public function validate()
+    {
+        $name = $this->getName();
+        if ($name === '') {
+            return 'The cookie name must not be empty';
+        }
+
+        // Check if any of the invalid characters are present in the cookie name
+        if (\preg_match(
+            '/[\x00-\x20\x22\x28-\x29\x2c\x2f\x3a-\x40\x5c\x7b\x7d\x7f]/',
+            $name
+        )) {
+            return 'Cookie name must not contain invalid characters: ASCII '
+                . 'Control characters (0-31;127), space, tab and the '
+                . 'following characters: ()<>@,;:\"/?={}';
+        }
+
+        // Value must not be null. 0 and empty string are valid. Empty strings
+        // are technically against RFC 6265, but known to happen in the wild.
+        $value = $this->getValue();
+        if ($value === null) {
+            return 'The cookie value must not be empty';
+        }
+
+        // Domains must not be empty, but can be 0. "0" is not a valid internet
+        // domain, but may be used as server name in a private network.
+        $domain = $this->getDomain();
+        if ($domain === null || $domain === '') {
+            return 'The cookie domain must not be empty';
+        }
+
+        return true;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/BadResponseException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/BadResponseException.php
new file mode 100644
index 000000000..a80956c9d
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/BadResponseException.php
@@ -0,0 +1,39 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Exception when an HTTP error occurs (4xx or 5xx error)
+ */
+class BadResponseException extends RequestException
+{
+    public function __construct(
+        string $message,
+        RequestInterface $request,
+        ResponseInterface $response,
+        \Throwable $previous = null,
+        array $handlerContext = []
+    ) {
+        parent::__construct($message, $request, $response, $previous, $handlerContext);
+    }
+
+    /**
+     * Current exception and the ones that extend it will always have a response.
+     */
+    public function hasResponse(): bool
+    {
+        return true;
+    }
+
+    /**
+     * This function narrows the return type from the parent class and does not allow it to be nullable.
+     */
+    public function getResponse(): ResponseInterface
+    {
+        /** @var ResponseInterface */
+        return parent::getResponse();
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ClientException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ClientException.php
new file mode 100644
index 000000000..12fa5e351
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ClientException.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+/**
+ * Exception when a client error is encountered (4xx codes)
+ */
+class ClientException extends BadResponseException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ConnectException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ConnectException.php
new file mode 100644
index 000000000..e1a31519c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ConnectException.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+use Psr\Http\Client\NetworkExceptionInterface;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Exception thrown when a connection cannot be established.
+ *
+ * Note that no response is present for a ConnectException
+ */
+class ConnectException extends TransferException implements NetworkExceptionInterface
+{
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * @var array
+     */
+    private $handlerContext;
+
+    public function __construct(
+        string $message,
+        RequestInterface $request,
+        \Throwable $previous = null,
+        array $handlerContext = []
+    ) {
+        parent::__construct($message, 0, $previous);
+        $this->request = $request;
+        $this->handlerContext = $handlerContext;
+    }
+
+    /**
+     * Get the request that caused the exception
+     */
+    public function getRequest(): RequestInterface
+    {
+        return $this->request;
+    }
+
+    /**
+     * Get contextual information about the error from the underlying handler.
+     *
+     * The contents of this array will vary depending on which handler you are
+     * using. It may also be just an empty array. Relying on this data will
+     * couple you to a specific handler, but can give more debug information
+     * when needed.
+     */
+    public function getHandlerContext(): array
+    {
+        return $this->handlerContext;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/GuzzleException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/GuzzleException.php
new file mode 100644
index 000000000..fa3ed6998
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/GuzzleException.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+use Psr\Http\Client\ClientExceptionInterface;
+
+interface GuzzleException extends ClientExceptionInterface
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/InvalidArgumentException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/InvalidArgumentException.php
new file mode 100644
index 000000000..bfd20e232
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/InvalidArgumentException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+final class InvalidArgumentException extends \InvalidArgumentException implements GuzzleException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php
new file mode 100644
index 000000000..c2d0a9ccc
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php
@@ -0,0 +1,166 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+use GuzzleHttp\BodySummarizer;
+use GuzzleHttp\BodySummarizerInterface;
+use Psr\Http\Client\RequestExceptionInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * HTTP Request exception
+ */
+class RequestException extends TransferException implements RequestExceptionInterface
+{
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * @var ResponseInterface|null
+     */
+    private $response;
+
+    /**
+     * @var array
+     */
+    private $handlerContext;
+
+    public function __construct(
+        string $message,
+        RequestInterface $request,
+        ResponseInterface $response = null,
+        \Throwable $previous = null,
+        array $handlerContext = []
+    ) {
+        // Set the code of the exception if the response is set and not future.
+        $code = $response ? $response->getStatusCode() : 0;
+        parent::__construct($message, $code, $previous);
+        $this->request = $request;
+        $this->response = $response;
+        $this->handlerContext = $handlerContext;
+    }
+
+    /**
+     * Wrap non-RequestExceptions with a RequestException
+     */
+    public static function wrapException(RequestInterface $request, \Throwable $e): RequestException
+    {
+        return $e instanceof RequestException ? $e : new RequestException($e->getMessage(), $request, null, $e);
+    }
+
+    /**
+     * Factory method to create a new exception with a normalized error message
+     *
+     * @param RequestInterface             $request        Request sent
+     * @param ResponseInterface            $response       Response received
+     * @param \Throwable|null              $previous       Previous exception
+     * @param array                        $handlerContext Optional handler context
+     * @param BodySummarizerInterface|null $bodySummarizer Optional body summarizer
+     */
+    public static function create(
+        RequestInterface $request,
+        ResponseInterface $response = null,
+        \Throwable $previous = null,
+        array $handlerContext = [],
+        BodySummarizerInterface $bodySummarizer = null
+    ): self {
+        if (!$response) {
+            return new self(
+                'Error completing request',
+                $request,
+                null,
+                $previous,
+                $handlerContext
+            );
+        }
+
+        $level = (int) \floor($response->getStatusCode() / 100);
+        if ($level === 4) {
+            $label = 'Client error';
+            $className = ClientException::class;
+        } elseif ($level === 5) {
+            $label = 'Server error';
+            $className = ServerException::class;
+        } else {
+            $label = 'Unsuccessful request';
+            $className = __CLASS__;
+        }
+
+        $uri = $request->getUri();
+        $uri = static::obfuscateUri($uri);
+
+        // Client Error: `GET /` resulted in a `404 Not Found` response:
+        // <html> ... (truncated)
+        $message = \sprintf(
+            '%s: `%s %s` resulted in a `%s %s` response',
+            $label,
+            $request->getMethod(),
+            $uri->__toString(),
+            $response->getStatusCode(),
+            $response->getReasonPhrase()
+        );
+
+        $summary = ($bodySummarizer ?? new BodySummarizer())->summarize($response);
+
+        if ($summary !== null) {
+            $message .= ":\n{$summary}\n";
+        }
+
+        return new $className($message, $request, $response, $previous, $handlerContext);
+    }
+
+    /**
+     * Obfuscates URI if there is a username and a password present
+     */
+    private static function obfuscateUri(UriInterface $uri): UriInterface
+    {
+        $userInfo = $uri->getUserInfo();
+
+        if (false !== ($pos = \strpos($userInfo, ':'))) {
+            return $uri->withUserInfo(\substr($userInfo, 0, $pos), '***');
+        }
+
+        return $uri;
+    }
+
+    /**
+     * Get the request that caused the exception
+     */
+    public function getRequest(): RequestInterface
+    {
+        return $this->request;
+    }
+
+    /**
+     * Get the associated response
+     */
+    public function getResponse(): ?ResponseInterface
+    {
+        return $this->response;
+    }
+
+    /**
+     * Check if a response was received
+     */
+    public function hasResponse(): bool
+    {
+        return $this->response !== null;
+    }
+
+    /**
+     * Get contextual information about the error from the underlying handler.
+     *
+     * The contents of this array will vary depending on which handler you are
+     * using. It may also be just an empty array. Relying on this data will
+     * couple you to a specific handler, but can give more debug information
+     * when needed.
+     */
+    public function getHandlerContext(): array
+    {
+        return $this->handlerContext;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ServerException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ServerException.php
new file mode 100644
index 000000000..8055e067c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/ServerException.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+/**
+ * Exception when a server error is encountered (5xx codes)
+ */
+class ServerException extends BadResponseException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TooManyRedirectsException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TooManyRedirectsException.php
new file mode 100644
index 000000000..fad3a57cf
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TooManyRedirectsException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+class TooManyRedirectsException extends RequestException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TransferException.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TransferException.php
new file mode 100644
index 000000000..507633608
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Exception/TransferException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace GuzzleHttp\Exception;
+
+class TransferException extends \RuntimeException implements GuzzleException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php
new file mode 100644
index 000000000..0c45089f1
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php
@@ -0,0 +1,595 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Exception\ConnectException;
+use GuzzleHttp\Exception\RequestException;
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\FulfilledPromise;
+use GuzzleHttp\Promise\PromiseInterface;
+use GuzzleHttp\Psr7\LazyOpenStream;
+use GuzzleHttp\TransferStats;
+use GuzzleHttp\Utils;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Creates curl resources from a request
+ *
+ * @final
+ */
+class CurlFactory implements CurlFactoryInterface
+{
+    public const CURL_VERSION_STR = 'curl_version';
+
+    /**
+     * @deprecated
+     */
+    public const LOW_CURL_VERSION_NUMBER = '7.21.2';
+
+    /**
+     * @var resource[]|\CurlHandle[]
+     */
+    private $handles = [];
+
+    /**
+     * @var int Total number of idle handles to keep in cache
+     */
+    private $maxHandles;
+
+    /**
+     * @param int $maxHandles Maximum number of idle handles.
+     */
+    public function __construct(int $maxHandles)
+    {
+        $this->maxHandles = $maxHandles;
+    }
+
+    public function create(RequestInterface $request, array $options): EasyHandle
+    {
+        if (isset($options['curl']['body_as_string'])) {
+            $options['_body_as_string'] = $options['curl']['body_as_string'];
+            unset($options['curl']['body_as_string']);
+        }
+
+        $easy = new EasyHandle;
+        $easy->request = $request;
+        $easy->options = $options;
+        $conf = $this->getDefaultConf($easy);
+        $this->applyMethod($easy, $conf);
+        $this->applyHandlerOptions($easy, $conf);
+        $this->applyHeaders($easy, $conf);
+        unset($conf['_headers']);
+
+        // Add handler options from the request configuration options
+        if (isset($options['curl'])) {
+            $conf = \array_replace($conf, $options['curl']);
+        }
+
+        $conf[\CURLOPT_HEADERFUNCTION] = $this->createHeaderFn($easy);
+        $easy->handle = $this->handles ? \array_pop($this->handles) : \curl_init();
+        curl_setopt_array($easy->handle, $conf);
+
+        return $easy;
+    }
+
+    public function release(EasyHandle $easy): void
+    {
+        $resource = $easy->handle;
+        unset($easy->handle);
+
+        if (\count($this->handles) >= $this->maxHandles) {
+            \curl_close($resource);
+        } else {
+            // Remove all callback functions as they can hold onto references
+            // and are not cleaned up by curl_reset. Using curl_setopt_array
+            // does not work for some reason, so removing each one
+            // individually.
+            \curl_setopt($resource, \CURLOPT_HEADERFUNCTION, null);
+            \curl_setopt($resource, \CURLOPT_READFUNCTION, null);
+            \curl_setopt($resource, \CURLOPT_WRITEFUNCTION, null);
+            \curl_setopt($resource, \CURLOPT_PROGRESSFUNCTION, null);
+            \curl_reset($resource);
+            $this->handles[] = $resource;
+        }
+    }
+
+    /**
+     * Completes a cURL transaction, either returning a response promise or a
+     * rejected promise.
+     *
+     * @param callable(RequestInterface, array): PromiseInterface $handler
+     * @param CurlFactoryInterface                                $factory Dictates how the handle is released
+     */
+    public static function finish(callable $handler, EasyHandle $easy, CurlFactoryInterface $factory): PromiseInterface
+    {
+        if (isset($easy->options['on_stats'])) {
+            self::invokeStats($easy);
+        }
+
+        if (!$easy->response || $easy->errno) {
+            return self::finishError($handler, $easy, $factory);
+        }
+
+        // Return the response if it is present and there is no error.
+        $factory->release($easy);
+
+        // Rewind the body of the response if possible.
+        $body = $easy->response->getBody();
+        if ($body->isSeekable()) {
+            $body->rewind();
+        }
+
+        return new FulfilledPromise($easy->response);
+    }
+
+    private static function invokeStats(EasyHandle $easy): void
+    {
+        $curlStats = \curl_getinfo($easy->handle);
+        $curlStats['appconnect_time'] = \curl_getinfo($easy->handle, \CURLINFO_APPCONNECT_TIME);
+        $stats = new TransferStats(
+            $easy->request,
+            $easy->response,
+            $curlStats['total_time'],
+            $easy->errno,
+            $curlStats
+        );
+        ($easy->options['on_stats'])($stats);
+    }
+
+    /**
+     * @param callable(RequestInterface, array): PromiseInterface $handler
+     */
+    private static function finishError(callable $handler, EasyHandle $easy, CurlFactoryInterface $factory): PromiseInterface
+    {
+        // Get error information and release the handle to the factory.
+        $ctx = [
+            'errno' => $easy->errno,
+            'error' => \curl_error($easy->handle),
+            'appconnect_time' => \curl_getinfo($easy->handle, \CURLINFO_APPCONNECT_TIME),
+        ] + \curl_getinfo($easy->handle);
+        $ctx[self::CURL_VERSION_STR] = \curl_version()['version'];
+        $factory->release($easy);
+
+        // Retry when nothing is present or when curl failed to rewind.
+        if (empty($easy->options['_err_message']) && (!$easy->errno || $easy->errno == 65)) {
+            return self::retryFailedRewind($handler, $easy, $ctx);
+        }
+
+        return self::createRejection($easy, $ctx);
+    }
+
+    private static function createRejection(EasyHandle $easy, array $ctx): PromiseInterface
+    {
+        static $connectionErrors = [
+            \CURLE_OPERATION_TIMEOUTED  => true,
+            \CURLE_COULDNT_RESOLVE_HOST => true,
+            \CURLE_COULDNT_CONNECT      => true,
+            \CURLE_SSL_CONNECT_ERROR    => true,
+            \CURLE_GOT_NOTHING          => true,
+        ];
+
+        if ($easy->createResponseException) {
+            return P\Create::rejectionFor(
+                new RequestException(
+                    'An error was encountered while creating the response',
+                    $easy->request,
+                    $easy->response,
+                    $easy->createResponseException,
+                    $ctx
+                )
+            );
+        }
+
+        // If an exception was encountered during the onHeaders event, then
+        // return a rejected promise that wraps that exception.
+        if ($easy->onHeadersException) {
+            return P\Create::rejectionFor(
+                new RequestException(
+                    'An error was encountered during the on_headers event',
+                    $easy->request,
+                    $easy->response,
+                    $easy->onHeadersException,
+                    $ctx
+                )
+            );
+        }
+
+        $message = \sprintf(
+            'cURL error %s: %s (%s)',
+            $ctx['errno'],
+            $ctx['error'],
+            'see https://curl.haxx.se/libcurl/c/libcurl-errors.html'
+        );
+        $uriString = (string) $easy->request->getUri();
+        if ($uriString !== '' && false === \strpos($ctx['error'], $uriString)) {
+            $message .= \sprintf(' for %s', $uriString);
+        }
+
+        // Create a connection exception if it was a specific error code.
+        $error = isset($connectionErrors[$easy->errno])
+            ? new ConnectException($message, $easy->request, null, $ctx)
+            : new RequestException($message, $easy->request, $easy->response, null, $ctx);
+
+        return P\Create::rejectionFor($error);
+    }
+
+    /**
+     * @return array<int|string, mixed>
+     */
+    private function getDefaultConf(EasyHandle $easy): array
+    {
+        $conf = [
+            '_headers'              => $easy->request->getHeaders(),
+            \CURLOPT_CUSTOMREQUEST  => $easy->request->getMethod(),
+            \CURLOPT_URL            => (string) $easy->request->getUri()->withFragment(''),
+            \CURLOPT_RETURNTRANSFER => false,
+            \CURLOPT_HEADER         => false,
+            \CURLOPT_CONNECTTIMEOUT => 150,
+        ];
+
+        if (\defined('CURLOPT_PROTOCOLS')) {
+            $conf[\CURLOPT_PROTOCOLS] = \CURLPROTO_HTTP | \CURLPROTO_HTTPS;
+        }
+
+        $version = $easy->request->getProtocolVersion();
+        if ($version == 1.1) {
+            $conf[\CURLOPT_HTTP_VERSION] = \CURL_HTTP_VERSION_1_1;
+        } elseif ($version == 2.0) {
+            $conf[\CURLOPT_HTTP_VERSION] = \CURL_HTTP_VERSION_2_0;
+        } else {
+            $conf[\CURLOPT_HTTP_VERSION] = \CURL_HTTP_VERSION_1_0;
+        }
+
+        return $conf;
+    }
+
+    private function applyMethod(EasyHandle $easy, array &$conf): void
+    {
+        $body = $easy->request->getBody();
+        $size = $body->getSize();
+
+        if ($size === null || $size > 0) {
+            $this->applyBody($easy->request, $easy->options, $conf);
+            return;
+        }
+
+        $method = $easy->request->getMethod();
+        if ($method === 'PUT' || $method === 'POST') {
+            // See https://tools.ietf.org/html/rfc7230#section-3.3.2
+            if (!$easy->request->hasHeader('Content-Length')) {
+                $conf[\CURLOPT_HTTPHEADER][] = 'Content-Length: 0';
+            }
+        } elseif ($method === 'HEAD') {
+            $conf[\CURLOPT_NOBODY] = true;
+            unset(
+                $conf[\CURLOPT_WRITEFUNCTION],
+                $conf[\CURLOPT_READFUNCTION],
+                $conf[\CURLOPT_FILE],
+                $conf[\CURLOPT_INFILE]
+            );
+        }
+    }
+
+    private function applyBody(RequestInterface $request, array $options, array &$conf): void
+    {
+        $size = $request->hasHeader('Content-Length')
+            ? (int) $request->getHeaderLine('Content-Length')
+            : null;
+
+        // Send the body as a string if the size is less than 1MB OR if the
+        // [curl][body_as_string] request value is set.
+        if (($size !== null && $size < 1000000) || !empty($options['_body_as_string'])) {
+            $conf[\CURLOPT_POSTFIELDS] = (string) $request->getBody();
+            // Don't duplicate the Content-Length header
+            $this->removeHeader('Content-Length', $conf);
+            $this->removeHeader('Transfer-Encoding', $conf);
+        } else {
+            $conf[\CURLOPT_UPLOAD] = true;
+            if ($size !== null) {
+                $conf[\CURLOPT_INFILESIZE] = $size;
+                $this->removeHeader('Content-Length', $conf);
+            }
+            $body = $request->getBody();
+            if ($body->isSeekable()) {
+                $body->rewind();
+            }
+            $conf[\CURLOPT_READFUNCTION] = static function ($ch, $fd, $length) use ($body) {
+                return $body->read($length);
+            };
+        }
+
+        // If the Expect header is not present, prevent curl from adding it
+        if (!$request->hasHeader('Expect')) {
+            $conf[\CURLOPT_HTTPHEADER][] = 'Expect:';
+        }
+
+        // cURL sometimes adds a content-type by default. Prevent this.
+        if (!$request->hasHeader('Content-Type')) {
+            $conf[\CURLOPT_HTTPHEADER][] = 'Content-Type:';
+        }
+    }
+
+    private function applyHeaders(EasyHandle $easy, array &$conf): void
+    {
+        foreach ($conf['_headers'] as $name => $values) {
+            foreach ($values as $value) {
+                $value = (string) $value;
+                if ($value === '') {
+                    // cURL requires a special format for empty headers.
+                    // See https://github.com/guzzle/guzzle/issues/1882 for more details.
+                    $conf[\CURLOPT_HTTPHEADER][] = "$name;";
+                } else {
+                    $conf[\CURLOPT_HTTPHEADER][] = "$name: $value";
+                }
+            }
+        }
+
+        // Remove the Accept header if one was not set
+        if (!$easy->request->hasHeader('Accept')) {
+            $conf[\CURLOPT_HTTPHEADER][] = 'Accept:';
+        }
+    }
+
+    /**
+     * Remove a header from the options array.
+     *
+     * @param string $name    Case-insensitive header to remove
+     * @param array  $options Array of options to modify
+     */
+    private function removeHeader(string $name, array &$options): void
+    {
+        foreach (\array_keys($options['_headers']) as $key) {
+            if (!\strcasecmp($key, $name)) {
+                unset($options['_headers'][$key]);
+                return;
+            }
+        }
+    }
+
+    private function applyHandlerOptions(EasyHandle $easy, array &$conf): void
+    {
+        $options = $easy->options;
+        if (isset($options['verify'])) {
+            if ($options['verify'] === false) {
+                unset($conf[\CURLOPT_CAINFO]);
+                $conf[\CURLOPT_SSL_VERIFYHOST] = 0;
+                $conf[\CURLOPT_SSL_VERIFYPEER] = false;
+            } else {
+                $conf[\CURLOPT_SSL_VERIFYHOST] = 2;
+                $conf[\CURLOPT_SSL_VERIFYPEER] = true;
+                if (\is_string($options['verify'])) {
+                    // Throw an error if the file/folder/link path is not valid or doesn't exist.
+                    if (!\file_exists($options['verify'])) {
+                        throw new \InvalidArgumentException("SSL CA bundle not found: {$options['verify']}");
+                    }
+                    // If it's a directory or a link to a directory use CURLOPT_CAPATH.
+                    // If not, it's probably a file, or a link to a file, so use CURLOPT_CAINFO.
+                    if (
+                        \is_dir($options['verify']) ||
+                        (
+                            \is_link($options['verify']) === true &&
+                            ($verifyLink = \readlink($options['verify'])) !== false &&
+                            \is_dir($verifyLink)
+                        )
+                    ) {
+                        $conf[\CURLOPT_CAPATH] = $options['verify'];
+                    } else {
+                        $conf[\CURLOPT_CAINFO] = $options['verify'];
+                    }
+                }
+            }
+        }
+
+        if (!isset($options['curl'][\CURLOPT_ENCODING]) && !empty($options['decode_content'])) {
+            $accept = $easy->request->getHeaderLine('Accept-Encoding');
+            if ($accept) {
+                $conf[\CURLOPT_ENCODING] = $accept;
+            } else {
+                // The empty string enables all available decoders and implicitly
+                // sets a matching 'Accept-Encoding' header.
+                $conf[\CURLOPT_ENCODING] = '';
+                // But as the user did not specify any acceptable encodings we need
+                // to overwrite this implicit header with an empty one.
+                $conf[\CURLOPT_HTTPHEADER][] = 'Accept-Encoding:';
+            }
+        }
+
+        if (!isset($options['sink'])) {
+            // Use a default temp stream if no sink was set.
+            $options['sink'] = \GuzzleHttp\Psr7\Utils::tryFopen('php://temp', 'w+');
+        }
+        $sink = $options['sink'];
+        if (!\is_string($sink)) {
+            $sink = \GuzzleHttp\Psr7\Utils::streamFor($sink);
+        } elseif (!\is_dir(\dirname($sink))) {
+            // Ensure that the directory exists before failing in curl.
+            throw new \RuntimeException(\sprintf('Directory %s does not exist for sink value of %s', \dirname($sink), $sink));
+        } else {
+            $sink = new LazyOpenStream($sink, 'w+');
+        }
+        $easy->sink = $sink;
+        $conf[\CURLOPT_WRITEFUNCTION] = static function ($ch, $write) use ($sink): int {
+            return $sink->write($write);
+        };
+
+        $timeoutRequiresNoSignal = false;
+        if (isset($options['timeout'])) {
+            $timeoutRequiresNoSignal |= $options['timeout'] < 1;
+            $conf[\CURLOPT_TIMEOUT_MS] = $options['timeout'] * 1000;
+        }
+
+        // CURL default value is CURL_IPRESOLVE_WHATEVER
+        if (isset($options['force_ip_resolve'])) {
+            if ('v4' === $options['force_ip_resolve']) {
+                $conf[\CURLOPT_IPRESOLVE] = \CURL_IPRESOLVE_V4;
+            } elseif ('v6' === $options['force_ip_resolve']) {
+                $conf[\CURLOPT_IPRESOLVE] = \CURL_IPRESOLVE_V6;
+            }
+        }
+
+        if (isset($options['connect_timeout'])) {
+            $timeoutRequiresNoSignal |= $options['connect_timeout'] < 1;
+            $conf[\CURLOPT_CONNECTTIMEOUT_MS] = $options['connect_timeout'] * 1000;
+        }
+
+        if ($timeoutRequiresNoSignal && \strtoupper(\substr(\PHP_OS, 0, 3)) !== 'WIN') {
+            $conf[\CURLOPT_NOSIGNAL] = true;
+        }
+
+        if (isset($options['proxy'])) {
+            if (!\is_array($options['proxy'])) {
+                $conf[\CURLOPT_PROXY] = $options['proxy'];
+            } else {
+                $scheme = $easy->request->getUri()->getScheme();
+                if (isset($options['proxy'][$scheme])) {
+                    $host = $easy->request->getUri()->getHost();
+                    if (!isset($options['proxy']['no']) || !Utils::isHostInNoProxy($host, $options['proxy']['no'])) {
+                        $conf[\CURLOPT_PROXY] = $options['proxy'][$scheme];
+                    }
+                }
+            }
+        }
+
+        if (isset($options['cert'])) {
+            $cert = $options['cert'];
+            if (\is_array($cert)) {
+                $conf[\CURLOPT_SSLCERTPASSWD] = $cert[1];
+                $cert = $cert[0];
+            }
+            if (!\file_exists($cert)) {
+                throw new \InvalidArgumentException("SSL certificate not found: {$cert}");
+            }
+            # OpenSSL (versions 0.9.3 and later) also support "P12" for PKCS#12-encoded files.
+            # see https://curl.se/libcurl/c/CURLOPT_SSLCERTTYPE.html
+            $ext = pathinfo($cert, \PATHINFO_EXTENSION);
+            if (preg_match('#^(der|p12)$#i', $ext)) {
+                $conf[\CURLOPT_SSLCERTTYPE] = strtoupper($ext);
+            }
+            $conf[\CURLOPT_SSLCERT] = $cert;
+        }
+
+        if (isset($options['ssl_key'])) {
+            if (\is_array($options['ssl_key'])) {
+                if (\count($options['ssl_key']) === 2) {
+                    [$sslKey, $conf[\CURLOPT_SSLKEYPASSWD]] = $options['ssl_key'];
+                } else {
+                    [$sslKey] = $options['ssl_key'];
+                }
+            }
+
+            $sslKey = $sslKey ?? $options['ssl_key'];
+
+            if (!\file_exists($sslKey)) {
+                throw new \InvalidArgumentException("SSL private key not found: {$sslKey}");
+            }
+            $conf[\CURLOPT_SSLKEY] = $sslKey;
+        }
+
+        if (isset($options['progress'])) {
+            $progress = $options['progress'];
+            if (!\is_callable($progress)) {
+                throw new \InvalidArgumentException('progress client option must be callable');
+            }
+            $conf[\CURLOPT_NOPROGRESS] = false;
+            $conf[\CURLOPT_PROGRESSFUNCTION] = static function ($resource, int $downloadSize, int $downloaded, int $uploadSize, int $uploaded) use ($progress) {
+                $progress($downloadSize, $downloaded, $uploadSize, $uploaded);
+            };
+        }
+
+        if (!empty($options['debug'])) {
+            $conf[\CURLOPT_STDERR] = Utils::debugResource($options['debug']);
+            $conf[\CURLOPT_VERBOSE] = true;
+        }
+    }
+
+    /**
+     * This function ensures that a response was set on a transaction. If one
+     * was not set, then the request is retried if possible. This error
+     * typically means you are sending a payload, curl encountered a
+     * "Connection died, retrying a fresh connect" error, tried to rewind the
+     * stream, and then encountered a "necessary data rewind wasn't possible"
+     * error, causing the request to be sent through curl_multi_info_read()
+     * without an error status.
+     *
+     * @param callable(RequestInterface, array): PromiseInterface $handler
+     */
+    private static function retryFailedRewind(callable $handler, EasyHandle $easy, array $ctx): PromiseInterface
+    {
+        try {
+            // Only rewind if the body has been read from.
+            $body = $easy->request->getBody();
+            if ($body->tell() > 0) {
+                $body->rewind();
+            }
+        } catch (\RuntimeException $e) {
+            $ctx['error'] = 'The connection unexpectedly failed without '
+                . 'providing an error. The request would have been retried, '
+                . 'but attempting to rewind the request body failed. '
+                . 'Exception: ' . $e;
+            return self::createRejection($easy, $ctx);
+        }
+
+        // Retry no more than 3 times before giving up.
+        if (!isset($easy->options['_curl_retries'])) {
+            $easy->options['_curl_retries'] = 1;
+        } elseif ($easy->options['_curl_retries'] == 2) {
+            $ctx['error'] = 'The cURL request was retried 3 times '
+                . 'and did not succeed. The most likely reason for the failure '
+                . 'is that cURL was unable to rewind the body of the request '
+                . 'and subsequent retries resulted in the same error. Turn on '
+                . 'the debug option to see what went wrong. See '
+                . 'https://bugs.php.net/bug.php?id=47204 for more information.';
+            return self::createRejection($easy, $ctx);
+        } else {
+            $easy->options['_curl_retries']++;
+        }
+
+        return $handler($easy->request, $easy->options);
+    }
+
+    private function createHeaderFn(EasyHandle $easy): callable
+    {
+        if (isset($easy->options['on_headers'])) {
+            $onHeaders = $easy->options['on_headers'];
+
+            if (!\is_callable($onHeaders)) {
+                throw new \InvalidArgumentException('on_headers must be callable');
+            }
+        } else {
+            $onHeaders = null;
+        }
+
+        return static function ($ch, $h) use (
+            $onHeaders,
+            $easy,
+            &$startingResponse
+        ) {
+            $value = \trim($h);
+            if ($value === '') {
+                $startingResponse = true;
+                try {
+                    $easy->createResponse();
+                } catch (\Exception $e) {
+                    $easy->createResponseException = $e;
+                    return -1;
+                }
+                if ($onHeaders !== null) {
+                    try {
+                        $onHeaders($easy->response);
+                    } catch (\Exception $e) {
+                        // Associate the exception with the handle and trigger
+                        // a curl header write error by returning 0.
+                        $easy->onHeadersException = $e;
+                        return -1;
+                    }
+                }
+            } elseif ($startingResponse) {
+                $startingResponse = false;
+                $easy->headers = [$value];
+            } else {
+                $easy->headers[] = $value;
+            }
+            return \strlen($h);
+        };
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactoryInterface.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactoryInterface.php
new file mode 100644
index 000000000..fe57ed5d5
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlFactoryInterface.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use Psr\Http\Message\RequestInterface;
+
+interface CurlFactoryInterface
+{
+    /**
+     * Creates a cURL handle resource.
+     *
+     * @param RequestInterface $request Request
+     * @param array            $options Transfer options
+     *
+     * @throws \RuntimeException when an option cannot be applied
+     */
+    public function create(RequestInterface $request, array $options): EasyHandle;
+
+    /**
+     * Release an easy handle, allowing it to be reused or closed.
+     *
+     * This function must call unset on the easy handle's "handle" property.
+     */
+    public function release(EasyHandle $easy): void;
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php
new file mode 100644
index 000000000..9ad10a9b0
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * HTTP handler that uses cURL easy handles as a transport layer.
+ *
+ * When using the CurlHandler, custom curl options can be specified as an
+ * associative array of curl option constants mapping to values in the
+ * **curl** key of the "client" key of the request.
+ *
+ * @final
+ */
+class CurlHandler
+{
+    /**
+     * @var CurlFactoryInterface
+     */
+    private $factory;
+
+    /**
+     * Accepts an associative array of options:
+     *
+     * - handle_factory: Optional curl factory used to create cURL handles.
+     *
+     * @param array{handle_factory?: ?CurlFactoryInterface} $options Array of options to use with the handler
+     */
+    public function __construct(array $options = [])
+    {
+        $this->factory = $options['handle_factory']
+            ?? new CurlFactory(3);
+    }
+
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        if (isset($options['delay'])) {
+            \usleep($options['delay'] * 1000);
+        }
+
+        $easy = $this->factory->create($request, $options);
+        \curl_exec($easy->handle);
+        $easy->errno = \curl_errno($easy->handle);
+
+        return CurlFactory::finish($this, $easy, $this->factory);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php
new file mode 100644
index 000000000..4356d0247
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php
@@ -0,0 +1,262 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\Promise;
+use GuzzleHttp\Promise\PromiseInterface;
+use GuzzleHttp\Utils;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Returns an asynchronous response using curl_multi_* functions.
+ *
+ * When using the CurlMultiHandler, custom curl options can be specified as an
+ * associative array of curl option constants mapping to values in the
+ * **curl** key of the provided request options.
+ *
+ * @property resource|\CurlMultiHandle $_mh Internal use only. Lazy loaded multi-handle.
+ *
+ * @final
+ */
+#[\AllowDynamicProperties]
+class CurlMultiHandler
+{
+    /**
+     * @var CurlFactoryInterface
+     */
+    private $factory;
+
+    /**
+     * @var int
+     */
+    private $selectTimeout;
+
+    /**
+     * @var int Will be higher than 0 when `curl_multi_exec` is still running.
+     */
+    private $active = 0;
+
+    /**
+     * @var array Request entry handles, indexed by handle id in `addRequest`.
+     *
+     * @see CurlMultiHandler::addRequest
+     */
+    private $handles = [];
+
+    /**
+     * @var array<int, float> An array of delay times, indexed by handle id in `addRequest`.
+     *
+     * @see CurlMultiHandler::addRequest
+     */
+    private $delays = [];
+
+    /**
+     * @var array<mixed> An associative array of CURLMOPT_* options and corresponding values for curl_multi_setopt()
+     */
+    private $options = [];
+
+    /**
+     * This handler accepts the following options:
+     *
+     * - handle_factory: An optional factory  used to create curl handles
+     * - select_timeout: Optional timeout (in seconds) to block before timing
+     *   out while selecting curl handles. Defaults to 1 second.
+     * - options: An associative array of CURLMOPT_* options and
+     *   corresponding values for curl_multi_setopt()
+     */
+    public function __construct(array $options = [])
+    {
+        $this->factory = $options['handle_factory'] ?? new CurlFactory(50);
+
+        if (isset($options['select_timeout'])) {
+            $this->selectTimeout = $options['select_timeout'];
+        } elseif ($selectTimeout = Utils::getenv('GUZZLE_CURL_SELECT_TIMEOUT')) {
+            @trigger_error('Since guzzlehttp/guzzle 7.2.0: Using environment variable GUZZLE_CURL_SELECT_TIMEOUT is deprecated. Use option "select_timeout" instead.', \E_USER_DEPRECATED);
+            $this->selectTimeout = (int) $selectTimeout;
+        } else {
+            $this->selectTimeout = 1;
+        }
+
+        $this->options = $options['options'] ?? [];
+    }
+
+    /**
+     * @param string $name
+     *
+     * @return resource|\CurlMultiHandle
+     *
+     * @throws \BadMethodCallException when another field as `_mh` will be gotten
+     * @throws \RuntimeException       when curl can not initialize a multi handle
+     */
+    public function __get($name)
+    {
+        if ($name !== '_mh') {
+            throw new \BadMethodCallException("Can not get other property as '_mh'.");
+        }
+
+        $multiHandle = \curl_multi_init();
+
+        if (false === $multiHandle) {
+            throw new \RuntimeException('Can not initialize curl multi handle.');
+        }
+
+        $this->_mh = $multiHandle;
+
+        foreach ($this->options as $option => $value) {
+            // A warning is raised in case of a wrong option.
+            curl_multi_setopt($this->_mh, $option, $value);
+        }
+
+        return $this->_mh;
+    }
+
+    public function __destruct()
+    {
+        if (isset($this->_mh)) {
+            \curl_multi_close($this->_mh);
+            unset($this->_mh);
+        }
+    }
+
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        $easy = $this->factory->create($request, $options);
+        $id = (int) $easy->handle;
+
+        $promise = new Promise(
+            [$this, 'execute'],
+            function () use ($id) {
+                return $this->cancel($id);
+            }
+        );
+
+        $this->addRequest(['easy' => $easy, 'deferred' => $promise]);
+
+        return $promise;
+    }
+
+    /**
+     * Ticks the curl event loop.
+     */
+    public function tick(): void
+    {
+        // Add any delayed handles if needed.
+        if ($this->delays) {
+            $currentTime = Utils::currentTime();
+            foreach ($this->delays as $id => $delay) {
+                if ($currentTime >= $delay) {
+                    unset($this->delays[$id]);
+                    \curl_multi_add_handle(
+                        $this->_mh,
+                        $this->handles[$id]['easy']->handle
+                    );
+                }
+            }
+        }
+
+        // Step through the task queue which may add additional requests.
+        P\Utils::queue()->run();
+
+        if ($this->active && \curl_multi_select($this->_mh, $this->selectTimeout) === -1) {
+            // Perform a usleep if a select returns -1.
+            // See: https://bugs.php.net/bug.php?id=61141
+            \usleep(250);
+        }
+
+        while (\curl_multi_exec($this->_mh, $this->active) === \CURLM_CALL_MULTI_PERFORM);
+
+        $this->processMessages();
+    }
+
+    /**
+     * Runs until all outstanding connections have completed.
+     */
+    public function execute(): void
+    {
+        $queue = P\Utils::queue();
+
+        while ($this->handles || !$queue->isEmpty()) {
+            // If there are no transfers, then sleep for the next delay
+            if (!$this->active && $this->delays) {
+                \usleep($this->timeToNext());
+            }
+            $this->tick();
+        }
+    }
+
+    private function addRequest(array $entry): void
+    {
+        $easy = $entry['easy'];
+        $id = (int) $easy->handle;
+        $this->handles[$id] = $entry;
+        if (empty($easy->options['delay'])) {
+            \curl_multi_add_handle($this->_mh, $easy->handle);
+        } else {
+            $this->delays[$id] = Utils::currentTime() + ($easy->options['delay'] / 1000);
+        }
+    }
+
+    /**
+     * Cancels a handle from sending and removes references to it.
+     *
+     * @param int $id Handle ID to cancel and remove.
+     *
+     * @return bool True on success, false on failure.
+     */
+    private function cancel($id): bool
+    {
+        if (!is_int($id)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing an integer to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        // Cannot cancel if it has been processed.
+        if (!isset($this->handles[$id])) {
+            return false;
+        }
+
+        $handle = $this->handles[$id]['easy']->handle;
+        unset($this->delays[$id], $this->handles[$id]);
+        \curl_multi_remove_handle($this->_mh, $handle);
+        \curl_close($handle);
+
+        return true;
+    }
+
+    private function processMessages(): void
+    {
+        while ($done = \curl_multi_info_read($this->_mh)) {
+            if ($done['msg'] !== \CURLMSG_DONE) {
+                // if it's not done, then it would be premature to remove the handle. ref https://github.com/guzzle/guzzle/pull/2892#issuecomment-945150216
+                continue;
+            }
+            $id = (int) $done['handle'];
+            \curl_multi_remove_handle($this->_mh, $done['handle']);
+
+            if (!isset($this->handles[$id])) {
+                // Probably was cancelled.
+                continue;
+            }
+
+            $entry = $this->handles[$id];
+            unset($this->handles[$id], $this->delays[$id]);
+            $entry['easy']->errno = $done['result'];
+            $entry['deferred']->resolve(
+                CurlFactory::finish($this, $entry['easy'], $this->factory)
+            );
+        }
+    }
+
+    private function timeToNext(): int
+    {
+        $currentTime = Utils::currentTime();
+        $nextTime = \PHP_INT_MAX;
+        foreach ($this->delays as $time) {
+            if ($time < $nextTime) {
+                $nextTime = $time;
+            }
+        }
+
+        return ((int) \max(0, $nextTime - $currentTime)) * 1000000;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/EasyHandle.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/EasyHandle.php
new file mode 100644
index 000000000..224344d7c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/EasyHandle.php
@@ -0,0 +1,112 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Psr7\Response;
+use GuzzleHttp\Utils;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Represents a cURL easy handle and the data it populates.
+ *
+ * @internal
+ */
+final class EasyHandle
+{
+    /**
+     * @var resource|\CurlHandle cURL resource
+     */
+    public $handle;
+
+    /**
+     * @var StreamInterface Where data is being written
+     */
+    public $sink;
+
+    /**
+     * @var array Received HTTP headers so far
+     */
+    public $headers = [];
+
+    /**
+     * @var ResponseInterface|null Received response (if any)
+     */
+    public $response;
+
+    /**
+     * @var RequestInterface Request being sent
+     */
+    public $request;
+
+    /**
+     * @var array Request options
+     */
+    public $options = [];
+
+    /**
+     * @var int cURL error number (if any)
+     */
+    public $errno = 0;
+
+    /**
+     * @var \Throwable|null Exception during on_headers (if any)
+     */
+    public $onHeadersException;
+
+    /**
+     * @var \Exception|null Exception during createResponse (if any)
+     */
+    public $createResponseException;
+
+    /**
+     * Attach a response to the easy handle based on the received headers.
+     *
+     * @throws \RuntimeException if no headers have been received or the first
+     *                           header line is invalid.
+     */
+    public function createResponse(): void
+    {
+        [$ver, $status, $reason, $headers] = HeaderProcessor::parseHeaders($this->headers);
+
+        $normalizedKeys = Utils::normalizeHeaderKeys($headers);
+
+        if (!empty($this->options['decode_content']) && isset($normalizedKeys['content-encoding'])) {
+            $headers['x-encoded-content-encoding'] = $headers[$normalizedKeys['content-encoding']];
+            unset($headers[$normalizedKeys['content-encoding']]);
+            if (isset($normalizedKeys['content-length'])) {
+                $headers['x-encoded-content-length'] = $headers[$normalizedKeys['content-length']];
+
+                $bodyLength = (int) $this->sink->getSize();
+                if ($bodyLength) {
+                    $headers[$normalizedKeys['content-length']] = $bodyLength;
+                } else {
+                    unset($headers[$normalizedKeys['content-length']]);
+                }
+            }
+        }
+
+        // Attach a response to the easy handle with the parsed headers.
+        $this->response = new Response(
+            $status,
+            $headers,
+            $this->sink,
+            $ver,
+            $reason
+        );
+    }
+
+    /**
+     * @param string $name
+     *
+     * @return void
+     *
+     * @throws \BadMethodCallException
+     */
+    public function __get($name)
+    {
+        $msg = $name === 'handle' ? 'The EasyHandle has been released' : 'Invalid property: ' . $name;
+        throw new \BadMethodCallException($msg);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/HeaderProcessor.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/HeaderProcessor.php
new file mode 100644
index 000000000..a0988845f
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/HeaderProcessor.php
@@ -0,0 +1,42 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Utils;
+
+/**
+ * @internal
+ */
+final class HeaderProcessor
+{
+    /**
+     * Returns the HTTP version, status code, reason phrase, and headers.
+     *
+     * @param string[] $headers
+     *
+     * @throws \RuntimeException
+     *
+     * @return array{0:string, 1:int, 2:?string, 3:array}
+     */
+    public static function parseHeaders(array $headers): array
+    {
+        if ($headers === []) {
+            throw new \RuntimeException('Expected a non-empty array of header data');
+        }
+
+        $parts = \explode(' ', \array_shift($headers), 3);
+        $version = \explode('/', $parts[0])[1] ?? null;
+
+        if ($version === null) {
+            throw new \RuntimeException('HTTP version missing from header data');
+        }
+
+        $status = $parts[1] ?? null;
+
+        if ($status === null) {
+            throw new \RuntimeException('HTTP status code missing from header data');
+        }
+
+        return [$version, (int) $status, $parts[2] ?? null, Utils::headersFromLines($headers)];
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/MockHandler.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/MockHandler.php
new file mode 100644
index 000000000..79664e279
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/MockHandler.php
@@ -0,0 +1,211 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Exception\RequestException;
+use GuzzleHttp\HandlerStack;
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\PromiseInterface;
+use GuzzleHttp\TransferStats;
+use GuzzleHttp\Utils;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Handler that returns responses or throw exceptions from a queue.
+ *
+ * @final
+ */
+class MockHandler implements \Countable
+{
+    /**
+     * @var array
+     */
+    private $queue = [];
+
+    /**
+     * @var RequestInterface|null
+     */
+    private $lastRequest;
+
+    /**
+     * @var array
+     */
+    private $lastOptions = [];
+
+    /**
+     * @var callable|null
+     */
+    private $onFulfilled;
+
+    /**
+     * @var callable|null
+     */
+    private $onRejected;
+
+    /**
+     * Creates a new MockHandler that uses the default handler stack list of
+     * middlewares.
+     *
+     * @param array|null    $queue       Array of responses, callables, or exceptions.
+     * @param callable|null $onFulfilled Callback to invoke when the return value is fulfilled.
+     * @param callable|null $onRejected  Callback to invoke when the return value is rejected.
+     */
+    public static function createWithMiddleware(array $queue = null, callable $onFulfilled = null, callable $onRejected = null): HandlerStack
+    {
+        return HandlerStack::create(new self($queue, $onFulfilled, $onRejected));
+    }
+
+    /**
+     * The passed in value must be an array of
+     * {@see \Psr\Http\Message\ResponseInterface} objects, Exceptions,
+     * callables, or Promises.
+     *
+     * @param array<int, mixed>|null $queue       The parameters to be passed to the append function, as an indexed array.
+     * @param callable|null          $onFulfilled Callback to invoke when the return value is fulfilled.
+     * @param callable|null          $onRejected  Callback to invoke when the return value is rejected.
+     */
+    public function __construct(array $queue = null, callable $onFulfilled = null, callable $onRejected = null)
+    {
+        $this->onFulfilled = $onFulfilled;
+        $this->onRejected = $onRejected;
+
+        if ($queue) {
+            // array_values included for BC
+            $this->append(...array_values($queue));
+        }
+    }
+
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        if (!$this->queue) {
+            throw new \OutOfBoundsException('Mock queue is empty');
+        }
+
+        if (isset($options['delay']) && \is_numeric($options['delay'])) {
+            \usleep((int) $options['delay'] * 1000);
+        }
+
+        $this->lastRequest = $request;
+        $this->lastOptions = $options;
+        $response = \array_shift($this->queue);
+
+        if (isset($options['on_headers'])) {
+            if (!\is_callable($options['on_headers'])) {
+                throw new \InvalidArgumentException('on_headers must be callable');
+            }
+            try {
+                $options['on_headers']($response);
+            } catch (\Exception $e) {
+                $msg = 'An error was encountered during the on_headers event';
+                $response = new RequestException($msg, $request, $response, $e);
+            }
+        }
+
+        if (\is_callable($response)) {
+            $response = $response($request, $options);
+        }
+
+        $response = $response instanceof \Throwable
+            ? P\Create::rejectionFor($response)
+            : P\Create::promiseFor($response);
+
+        return $response->then(
+            function (?ResponseInterface $value) use ($request, $options) {
+                $this->invokeStats($request, $options, $value);
+                if ($this->onFulfilled) {
+                    ($this->onFulfilled)($value);
+                }
+
+                if ($value !== null && isset($options['sink'])) {
+                    $contents = (string) $value->getBody();
+                    $sink = $options['sink'];
+
+                    if (\is_resource($sink)) {
+                        \fwrite($sink, $contents);
+                    } elseif (\is_string($sink)) {
+                        \file_put_contents($sink, $contents);
+                    } elseif ($sink instanceof StreamInterface) {
+                        $sink->write($contents);
+                    }
+                }
+
+                return $value;
+            },
+            function ($reason) use ($request, $options) {
+                $this->invokeStats($request, $options, null, $reason);
+                if ($this->onRejected) {
+                    ($this->onRejected)($reason);
+                }
+                return P\Create::rejectionFor($reason);
+            }
+        );
+    }
+
+    /**
+     * Adds one or more variadic requests, exceptions, callables, or promises
+     * to the queue.
+     *
+     * @param mixed ...$values
+     */
+    public function append(...$values): void
+    {
+        foreach ($values as $value) {
+            if ($value instanceof ResponseInterface
+                || $value instanceof \Throwable
+                || $value instanceof PromiseInterface
+                || \is_callable($value)
+            ) {
+                $this->queue[] = $value;
+            } else {
+                throw new \TypeError('Expected a Response, Promise, Throwable or callable. Found ' . Utils::describeType($value));
+            }
+        }
+    }
+
+    /**
+     * Get the last received request.
+     */
+    public function getLastRequest(): ?RequestInterface
+    {
+        return $this->lastRequest;
+    }
+
+    /**
+     * Get the last received request options.
+     */
+    public function getLastOptions(): array
+    {
+        return $this->lastOptions;
+    }
+
+    /**
+     * Returns the number of remaining items in the queue.
+     */
+    public function count(): int
+    {
+        return \count($this->queue);
+    }
+
+    public function reset(): void
+    {
+        $this->queue = [];
+    }
+
+    /**
+     * @param mixed $reason Promise or reason.
+     */
+    private function invokeStats(
+        RequestInterface $request,
+        array $options,
+        ResponseInterface $response = null,
+        $reason = null
+    ): void {
+        if (isset($options['on_stats'])) {
+            $transferTime = $options['transfer_time'] ?? 0;
+            $stats = new TransferStats($request, $response, $transferTime, $reason);
+            ($options['on_stats'])($stats);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php
new file mode 100644
index 000000000..f045b526c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Promise\PromiseInterface;
+use GuzzleHttp\RequestOptions;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Provides basic proxies for handlers.
+ *
+ * @final
+ */
+class Proxy
+{
+    /**
+     * Sends synchronous requests to a specific handler while sending all other
+     * requests to another handler.
+     *
+     * @param callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface $default Handler used for normal responses
+     * @param callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface $sync    Handler used for synchronous responses.
+     *
+     * @return callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface Returns the composed handler.
+     */
+    public static function wrapSync(callable $default, callable $sync): callable
+    {
+        return static function (RequestInterface $request, array $options) use ($default, $sync): PromiseInterface {
+            return empty($options[RequestOptions::SYNCHRONOUS]) ? $default($request, $options) : $sync($request, $options);
+        };
+    }
+
+    /**
+     * Sends streaming requests to a streaming compatible handler while sending
+     * all other requests to a default handler.
+     *
+     * This, for example, could be useful for taking advantage of the
+     * performance benefits of curl while still supporting true streaming
+     * through the StreamHandler.
+     *
+     * @param callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface $default   Handler used for non-streaming responses
+     * @param callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface $streaming Handler used for streaming responses
+     *
+     * @return callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface Returns the composed handler.
+     */
+    public static function wrapStreaming(callable $default, callable $streaming): callable
+    {
+        return static function (RequestInterface $request, array $options) use ($default, $streaming): PromiseInterface {
+            return empty($options['stream']) ? $default($request, $options) : $streaming($request, $options);
+        };
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
new file mode 100644
index 000000000..543f825a2
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
@@ -0,0 +1,593 @@
+<?php
+
+namespace GuzzleHttp\Handler;
+
+use GuzzleHttp\Exception\ConnectException;
+use GuzzleHttp\Exception\RequestException;
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\FulfilledPromise;
+use GuzzleHttp\Promise\PromiseInterface;
+use GuzzleHttp\Psr7;
+use GuzzleHttp\TransferStats;
+use GuzzleHttp\Utils;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * HTTP handler that uses PHP's HTTP stream wrapper.
+ *
+ * @final
+ */
+class StreamHandler
+{
+    /**
+     * @var array
+     */
+    private $lastHeaders = [];
+
+    /**
+     * Sends an HTTP request.
+     *
+     * @param RequestInterface $request Request to send.
+     * @param array            $options Request transfer options.
+     */
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        // Sleep if there is a delay specified.
+        if (isset($options['delay'])) {
+            \usleep($options['delay'] * 1000);
+        }
+
+        $startTime = isset($options['on_stats']) ? Utils::currentTime() : null;
+
+        try {
+            // Does not support the expect header.
+            $request = $request->withoutHeader('Expect');
+
+            // Append a content-length header if body size is zero to match
+            // cURL's behavior.
+            if (0 === $request->getBody()->getSize()) {
+                $request = $request->withHeader('Content-Length', '0');
+            }
+
+            return $this->createResponse(
+                $request,
+                $options,
+                $this->createStream($request, $options),
+                $startTime
+            );
+        } catch (\InvalidArgumentException $e) {
+            throw $e;
+        } catch (\Exception $e) {
+            // Determine if the error was a networking error.
+            $message = $e->getMessage();
+            // This list can probably get more comprehensive.
+            if (false !== \strpos($message, 'getaddrinfo') // DNS lookup failed
+                || false !== \strpos($message, 'Connection refused')
+                || false !== \strpos($message, "couldn't connect to host") // error on HHVM
+                || false !== \strpos($message, "connection attempt failed")
+            ) {
+                $e = new ConnectException($e->getMessage(), $request, $e);
+            } else {
+                $e = RequestException::wrapException($request, $e);
+            }
+            $this->invokeStats($options, $request, $startTime, null, $e);
+
+            return P\Create::rejectionFor($e);
+        }
+    }
+
+    private function invokeStats(
+        array $options,
+        RequestInterface $request,
+        ?float $startTime,
+        ResponseInterface $response = null,
+        \Throwable $error = null
+    ): void {
+        if (isset($options['on_stats'])) {
+            $stats = new TransferStats($request, $response, Utils::currentTime() - $startTime, $error, []);
+            ($options['on_stats'])($stats);
+        }
+    }
+
+    /**
+     * @param resource $stream
+     */
+    private function createResponse(RequestInterface $request, array $options, $stream, ?float $startTime): PromiseInterface
+    {
+        $hdrs = $this->lastHeaders;
+        $this->lastHeaders = [];
+
+        try {
+            [$ver, $status, $reason, $headers] = HeaderProcessor::parseHeaders($hdrs);
+        } catch (\Exception $e) {
+            return P\Create::rejectionFor(
+                new RequestException('An error was encountered while creating the response', $request, null, $e)
+            );
+        }
+
+        [$stream, $headers] = $this->checkDecode($options, $headers, $stream);
+        $stream = Psr7\Utils::streamFor($stream);
+        $sink = $stream;
+
+        if (\strcasecmp('HEAD', $request->getMethod())) {
+            $sink = $this->createSink($stream, $options);
+        }
+
+        try {
+            $response = new Psr7\Response($status, $headers, $sink, $ver, $reason);
+        } catch (\Exception $e) {
+            return P\Create::rejectionFor(
+                new RequestException('An error was encountered while creating the response', $request, null, $e)
+            );
+        }
+
+        if (isset($options['on_headers'])) {
+            try {
+                $options['on_headers']($response);
+            } catch (\Exception $e) {
+                return P\Create::rejectionFor(
+                    new RequestException('An error was encountered during the on_headers event', $request, $response, $e)
+                );
+            }
+        }
+
+        // Do not drain when the request is a HEAD request because they have
+        // no body.
+        if ($sink !== $stream) {
+            $this->drain($stream, $sink, $response->getHeaderLine('Content-Length'));
+        }
+
+        $this->invokeStats($options, $request, $startTime, $response, null);
+
+        return new FulfilledPromise($response);
+    }
+
+    private function createSink(StreamInterface $stream, array $options): StreamInterface
+    {
+        if (!empty($options['stream'])) {
+            return $stream;
+        }
+
+        $sink = $options['sink'] ?? Psr7\Utils::tryFopen('php://temp', 'r+');
+
+        return \is_string($sink) ? new Psr7\LazyOpenStream($sink, 'w+') : Psr7\Utils::streamFor($sink);
+    }
+
+    /**
+     * @param resource $stream
+     */
+    private function checkDecode(array $options, array $headers, $stream): array
+    {
+        // Automatically decode responses when instructed.
+        if (!empty($options['decode_content'])) {
+            $normalizedKeys = Utils::normalizeHeaderKeys($headers);
+            if (isset($normalizedKeys['content-encoding'])) {
+                $encoding = $headers[$normalizedKeys['content-encoding']];
+                if ($encoding[0] === 'gzip' || $encoding[0] === 'deflate') {
+                    $stream = new Psr7\InflateStream(Psr7\Utils::streamFor($stream));
+                    $headers['x-encoded-content-encoding'] = $headers[$normalizedKeys['content-encoding']];
+
+                    // Remove content-encoding header
+                    unset($headers[$normalizedKeys['content-encoding']]);
+
+                    // Fix content-length header
+                    if (isset($normalizedKeys['content-length'])) {
+                        $headers['x-encoded-content-length'] = $headers[$normalizedKeys['content-length']];
+                        $length = (int) $stream->getSize();
+                        if ($length === 0) {
+                            unset($headers[$normalizedKeys['content-length']]);
+                        } else {
+                            $headers[$normalizedKeys['content-length']] = [$length];
+                        }
+                    }
+                }
+            }
+        }
+
+        return [$stream, $headers];
+    }
+
+    /**
+     * Drains the source stream into the "sink" client option.
+     *
+     * @param string $contentLength Header specifying the amount of
+     *                              data to read.
+     *
+     * @throws \RuntimeException when the sink option is invalid.
+     */
+    private function drain(StreamInterface $source, StreamInterface $sink, string $contentLength): StreamInterface
+    {
+        // If a content-length header is provided, then stop reading once
+        // that number of bytes has been read. This can prevent infinitely
+        // reading from a stream when dealing with servers that do not honor
+        // Connection: Close headers.
+        Psr7\Utils::copyToStream(
+            $source,
+            $sink,
+            (\strlen($contentLength) > 0 && (int) $contentLength > 0) ? (int) $contentLength : -1
+        );
+
+        $sink->seek(0);
+        $source->close();
+
+        return $sink;
+    }
+
+    /**
+     * Create a resource and check to ensure it was created successfully
+     *
+     * @param callable $callback Callable that returns stream resource
+     *
+     * @return resource
+     *
+     * @throws \RuntimeException on error
+     */
+    private function createResource(callable $callback)
+    {
+        $errors = [];
+        \set_error_handler(static function ($_, $msg, $file, $line) use (&$errors): bool {
+            $errors[] = [
+                'message' => $msg,
+                'file'    => $file,
+                'line'    => $line
+            ];
+            return true;
+        });
+
+        try {
+            $resource = $callback();
+        } finally {
+            \restore_error_handler();
+        }
+
+        if (!$resource) {
+            $message = 'Error creating resource: ';
+            foreach ($errors as $err) {
+                foreach ($err as $key => $value) {
+                    $message .= "[$key] $value" . \PHP_EOL;
+                }
+            }
+            throw new \RuntimeException(\trim($message));
+        }
+
+        return $resource;
+    }
+
+    /**
+     * @return resource
+     */
+    private function createStream(RequestInterface $request, array $options)
+    {
+        static $methods;
+        if (!$methods) {
+            $methods = \array_flip(\get_class_methods(__CLASS__));
+        }
+
+        if (!\in_array($request->getUri()->getScheme(), ['http', 'https'])) {
+            throw new RequestException(\sprintf("The scheme '%s' is not supported.", $request->getUri()->getScheme()), $request);
+        }
+
+        // HTTP/1.1 streams using the PHP stream wrapper require a
+        // Connection: close header
+        if ($request->getProtocolVersion() == '1.1'
+            && !$request->hasHeader('Connection')
+        ) {
+            $request = $request->withHeader('Connection', 'close');
+        }
+
+        // Ensure SSL is verified by default
+        if (!isset($options['verify'])) {
+            $options['verify'] = true;
+        }
+
+        $params = [];
+        $context = $this->getDefaultContext($request);
+
+        if (isset($options['on_headers']) && !\is_callable($options['on_headers'])) {
+            throw new \InvalidArgumentException('on_headers must be callable');
+        }
+
+        if (!empty($options)) {
+            foreach ($options as $key => $value) {
+                $method = "add_{$key}";
+                if (isset($methods[$method])) {
+                    $this->{$method}($request, $context, $value, $params);
+                }
+            }
+        }
+
+        if (isset($options['stream_context'])) {
+            if (!\is_array($options['stream_context'])) {
+                throw new \InvalidArgumentException('stream_context must be an array');
+            }
+            $context = \array_replace_recursive($context, $options['stream_context']);
+        }
+
+        // Microsoft NTLM authentication only supported with curl handler
+        if (isset($options['auth'][2]) && 'ntlm' === $options['auth'][2]) {
+            throw new \InvalidArgumentException('Microsoft NTLM authentication only supported with curl handler');
+        }
+
+        $uri = $this->resolveHost($request, $options);
+
+        $contextResource = $this->createResource(
+            static function () use ($context, $params) {
+                return \stream_context_create($context, $params);
+            }
+        );
+
+        return $this->createResource(
+            function () use ($uri, &$http_response_header, $contextResource, $context, $options, $request) {
+                $resource = @\fopen((string) $uri, 'r', false, $contextResource);
+                $this->lastHeaders = $http_response_header ?? [];
+
+                if (false === $resource) {
+                    throw new ConnectException(sprintf('Connection refused for URI %s', $uri), $request, null, $context);
+                }
+
+                if (isset($options['read_timeout'])) {
+                    $readTimeout = $options['read_timeout'];
+                    $sec = (int) $readTimeout;
+                    $usec = ($readTimeout - $sec) * 100000;
+                    \stream_set_timeout($resource, $sec, $usec);
+                }
+
+                return $resource;
+            }
+        );
+    }
+
+    private function resolveHost(RequestInterface $request, array $options): UriInterface
+    {
+        $uri = $request->getUri();
+
+        if (isset($options['force_ip_resolve']) && !\filter_var($uri->getHost(), \FILTER_VALIDATE_IP)) {
+            if ('v4' === $options['force_ip_resolve']) {
+                $records = \dns_get_record($uri->getHost(), \DNS_A);
+                if (false === $records || !isset($records[0]['ip'])) {
+                    throw new ConnectException(\sprintf("Could not resolve IPv4 address for host '%s'", $uri->getHost()), $request);
+                }
+                return $uri->withHost($records[0]['ip']);
+            }
+            if ('v6' === $options['force_ip_resolve']) {
+                $records = \dns_get_record($uri->getHost(), \DNS_AAAA);
+                if (false === $records || !isset($records[0]['ipv6'])) {
+                    throw new ConnectException(\sprintf("Could not resolve IPv6 address for host '%s'", $uri->getHost()), $request);
+                }
+                return $uri->withHost('[' . $records[0]['ipv6'] . ']');
+            }
+        }
+
+        return $uri;
+    }
+
+    private function getDefaultContext(RequestInterface $request): array
+    {
+        $headers = '';
+        foreach ($request->getHeaders() as $name => $value) {
+            foreach ($value as $val) {
+                $headers .= "$name: $val\r\n";
+            }
+        }
+
+        $context = [
+            'http' => [
+                'method'           => $request->getMethod(),
+                'header'           => $headers,
+                'protocol_version' => $request->getProtocolVersion(),
+                'ignore_errors'    => true,
+                'follow_location'  => 0,
+            ],
+            'ssl' => [
+                'peer_name' => $request->getUri()->getHost(),
+            ],
+        ];
+
+        $body = (string) $request->getBody();
+
+        if (!empty($body)) {
+            $context['http']['content'] = $body;
+            // Prevent the HTTP handler from adding a Content-Type header.
+            if (!$request->hasHeader('Content-Type')) {
+                $context['http']['header'] .= "Content-Type:\r\n";
+            }
+        }
+
+        $context['http']['header'] = \rtrim($context['http']['header']);
+
+        return $context;
+    }
+
+    /**
+     * @param mixed $value as passed via Request transfer options.
+     */
+    private function add_proxy(RequestInterface $request, array &$options, $value, array &$params): void
+    {
+        $uri = null;
+
+        if (!\is_array($value)) {
+            $uri = $value;
+        } else {
+            $scheme = $request->getUri()->getScheme();
+            if (isset($value[$scheme])) {
+                if (!isset($value['no']) || !Utils::isHostInNoProxy($request->getUri()->getHost(), $value['no'])) {
+                    $uri = $value[$scheme];
+                }
+            }
+        }
+
+        if (!$uri) {
+            return;
+        }
+
+        $parsed = $this->parse_proxy($uri);
+        $options['http']['proxy'] = $parsed['proxy'];
+
+        if ($parsed['auth']) {
+            if (!isset($options['http']['header'])) {
+                $options['http']['header'] = [];
+            }
+            $options['http']['header'] .= "\r\nProxy-Authorization: {$parsed['auth']}";
+        }
+    }
+
+    /**
+     * Parses the given proxy URL to make it compatible with the format PHP's stream context expects.
+     */
+    private function parse_proxy(string $url): array
+    {
+        $parsed = \parse_url($url);
+
+        if ($parsed !== false && isset($parsed['scheme']) && $parsed['scheme'] === 'http') {
+            if (isset($parsed['host']) && isset($parsed['port'])) {
+                $auth = null;
+                if (isset($parsed['user']) && isset($parsed['pass'])) {
+                    $auth = \base64_encode("{$parsed['user']}:{$parsed['pass']}");
+                }
+
+                return [
+                    'proxy' => "tcp://{$parsed['host']}:{$parsed['port']}",
+                    'auth' => $auth ? "Basic {$auth}" : null,
+                ];
+            }
+        }
+
+        // Return proxy as-is.
+        return [
+            'proxy' => $url,
+            'auth' => null,
+        ];
+    }
+
+    /**
+     * @param mixed $value as passed via Request transfer options.
+     */
+    private function add_timeout(RequestInterface $request, array &$options, $value, array &$params): void
+    {
+        if ($value > 0) {
+            $options['http']['timeout'] = $value;
+        }
+    }
+
+    /**
+     * @param mixed $value as passed via Request transfer options.
+     */
+    private function add_verify(RequestInterface $request, array &$options, $value, array &$params): void
+    {
+        if ($value === false) {
+            $options['ssl']['verify_peer'] = false;
+            $options['ssl']['verify_peer_name'] = false;
+
+            return;
+        }
+
+        if (\is_string($value)) {
+            $options['ssl']['cafile'] = $value;
+            if (!\file_exists($value)) {
+                throw new \RuntimeException("SSL CA bundle not found: $value");
+            }
+        } elseif ($value !== true) {
+            throw new \InvalidArgumentException('Invalid verify request option');
+        }
+
+        $options['ssl']['verify_peer'] = true;
+        $options['ssl']['verify_peer_name'] = true;
+        $options['ssl']['allow_self_signed'] = false;
+    }
+
+    /**
+     * @param mixed $value as passed via Request transfer options.
+     */
+    private function add_cert(RequestInterface $request, array &$options, $value, array &$params): void
+    {
+        if (\is_array($value)) {
+            $options['ssl']['passphrase'] = $value[1];
+            $value = $value[0];
+        }
+
+        if (!\file_exists($value)) {
+            throw new \RuntimeException("SSL certificate not found: {$value}");
+        }
+
+        $options['ssl']['local_cert'] = $value;
+    }
+
+    /**
+     * @param mixed $value as passed via Request transfer options.
+     */
+    private function add_progress(RequestInterface $request, array &$options, $value, array &$params): void
+    {
+        self::addNotification(
+            $params,
+            static function ($code, $a, $b, $c, $transferred, $total) use ($value) {
+                if ($code == \STREAM_NOTIFY_PROGRESS) {
+                    // The upload progress cannot be determined. Use 0 for cURL compatibility:
+                    // https://curl.se/libcurl/c/CURLOPT_PROGRESSFUNCTION.html
+                    $value($total, $transferred, 0, 0);
+                }
+            }
+        );
+    }
+
+    /**
+     * @param mixed $value as passed via Request transfer options.
+     */
+    private function add_debug(RequestInterface $request, array &$options, $value, array &$params): void
+    {
+        if ($value === false) {
+            return;
+        }
+
+        static $map = [
+            \STREAM_NOTIFY_CONNECT       => 'CONNECT',
+            \STREAM_NOTIFY_AUTH_REQUIRED => 'AUTH_REQUIRED',
+            \STREAM_NOTIFY_AUTH_RESULT   => 'AUTH_RESULT',
+            \STREAM_NOTIFY_MIME_TYPE_IS  => 'MIME_TYPE_IS',
+            \STREAM_NOTIFY_FILE_SIZE_IS  => 'FILE_SIZE_IS',
+            \STREAM_NOTIFY_REDIRECTED    => 'REDIRECTED',
+            \STREAM_NOTIFY_PROGRESS      => 'PROGRESS',
+            \STREAM_NOTIFY_FAILURE       => 'FAILURE',
+            \STREAM_NOTIFY_COMPLETED     => 'COMPLETED',
+            \STREAM_NOTIFY_RESOLVE       => 'RESOLVE',
+        ];
+        static $args = ['severity', 'message', 'message_code', 'bytes_transferred', 'bytes_max'];
+
+        $value = Utils::debugResource($value);
+        $ident = $request->getMethod() . ' ' . $request->getUri()->withFragment('');
+        self::addNotification(
+            $params,
+            static function (int $code, ...$passed) use ($ident, $value, $map, $args): void {
+                \fprintf($value, '<%s> [%s] ', $ident, $map[$code]);
+                foreach (\array_filter($passed) as $i => $v) {
+                    \fwrite($value, $args[$i] . ': "' . $v . '" ');
+                }
+                \fwrite($value, "\n");
+            }
+        );
+    }
+
+    private static function addNotification(array &$params, callable $notify): void
+    {
+        // Wrap the existing function if needed.
+        if (!isset($params['notification'])) {
+            $params['notification'] = $notify;
+        } else {
+            $params['notification'] = self::callArray([
+                $params['notification'],
+                $notify
+            ]);
+        }
+    }
+
+    private static function callArray(array $functions): callable
+    {
+        return static function (...$args) use ($functions) {
+            foreach ($functions as $fn) {
+                $fn(...$args);
+            }
+        };
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/HandlerStack.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/HandlerStack.php
new file mode 100644
index 000000000..e0a1d1191
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/HandlerStack.php
@@ -0,0 +1,275 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Creates a composed Guzzle handler function by stacking middlewares on top of
+ * an HTTP handler function.
+ *
+ * @final
+ */
+class HandlerStack
+{
+    /**
+     * @var (callable(RequestInterface, array): PromiseInterface)|null
+     */
+    private $handler;
+
+    /**
+     * @var array{(callable(callable(RequestInterface, array): PromiseInterface): callable), (string|null)}[]
+     */
+    private $stack = [];
+
+    /**
+     * @var (callable(RequestInterface, array): PromiseInterface)|null
+     */
+    private $cached;
+
+    /**
+     * Creates a default handler stack that can be used by clients.
+     *
+     * The returned handler will wrap the provided handler or use the most
+     * appropriate default handler for your system. The returned HandlerStack has
+     * support for cookies, redirects, HTTP error exceptions, and preparing a body
+     * before sending.
+     *
+     * The returned handler stack can be passed to a client in the "handler"
+     * option.
+     *
+     * @param (callable(RequestInterface, array): PromiseInterface)|null $handler HTTP handler function to use with the stack. If no
+     *                                                                            handler is provided, the best handler for your
+     *                                                                            system will be utilized.
+     */
+    public static function create(?callable $handler = null): self
+    {
+        $stack = new self($handler ?: Utils::chooseHandler());
+        $stack->push(Middleware::httpErrors(), 'http_errors');
+        $stack->push(Middleware::redirect(), 'allow_redirects');
+        $stack->push(Middleware::cookies(), 'cookies');
+        $stack->push(Middleware::prepareBody(), 'prepare_body');
+
+        return $stack;
+    }
+
+    /**
+     * @param (callable(RequestInterface, array): PromiseInterface)|null $handler Underlying HTTP handler.
+     */
+    public function __construct(callable $handler = null)
+    {
+        $this->handler = $handler;
+    }
+
+    /**
+     * Invokes the handler stack as a composed handler
+     *
+     * @return ResponseInterface|PromiseInterface
+     */
+    public function __invoke(RequestInterface $request, array $options)
+    {
+        $handler = $this->resolve();
+
+        return $handler($request, $options);
+    }
+
+    /**
+     * Dumps a string representation of the stack.
+     *
+     * @return string
+     */
+    public function __toString()
+    {
+        $depth = 0;
+        $stack = [];
+
+        if ($this->handler !== null) {
+            $stack[] = "0) Handler: " . $this->debugCallable($this->handler);
+        }
+
+        $result = '';
+        foreach (\array_reverse($this->stack) as $tuple) {
+            $depth++;
+            $str = "{$depth}) Name: '{$tuple[1]}', ";
+            $str .= "Function: " . $this->debugCallable($tuple[0]);
+            $result = "> {$str}\n{$result}";
+            $stack[] = $str;
+        }
+
+        foreach (\array_keys($stack) as $k) {
+            $result .= "< {$stack[$k]}\n";
+        }
+
+        return $result;
+    }
+
+    /**
+     * Set the HTTP handler that actually returns a promise.
+     *
+     * @param callable(RequestInterface, array): PromiseInterface $handler Accepts a request and array of options and
+     *                                                                     returns a Promise.
+     */
+    public function setHandler(callable $handler): void
+    {
+        $this->handler = $handler;
+        $this->cached = null;
+    }
+
+    /**
+     * Returns true if the builder has a handler.
+     */
+    public function hasHandler(): bool
+    {
+        return $this->handler !== null ;
+    }
+
+    /**
+     * Unshift a middleware to the bottom of the stack.
+     *
+     * @param callable(callable): callable $middleware Middleware function
+     * @param string                       $name       Name to register for this middleware.
+     */
+    public function unshift(callable $middleware, ?string $name = null): void
+    {
+        \array_unshift($this->stack, [$middleware, $name]);
+        $this->cached = null;
+    }
+
+    /**
+     * Push a middleware to the top of the stack.
+     *
+     * @param callable(callable): callable $middleware Middleware function
+     * @param string                       $name       Name to register for this middleware.
+     */
+    public function push(callable $middleware, string $name = ''): void
+    {
+        $this->stack[] = [$middleware, $name];
+        $this->cached = null;
+    }
+
+    /**
+     * Add a middleware before another middleware by name.
+     *
+     * @param string                       $findName   Middleware to find
+     * @param callable(callable): callable $middleware Middleware function
+     * @param string                       $withName   Name to register for this middleware.
+     */
+    public function before(string $findName, callable $middleware, string $withName = ''): void
+    {
+        $this->splice($findName, $withName, $middleware, true);
+    }
+
+    /**
+     * Add a middleware after another middleware by name.
+     *
+     * @param string                       $findName   Middleware to find
+     * @param callable(callable): callable $middleware Middleware function
+     * @param string                       $withName   Name to register for this middleware.
+     */
+    public function after(string $findName, callable $middleware, string $withName = ''): void
+    {
+        $this->splice($findName, $withName, $middleware, false);
+    }
+
+    /**
+     * Remove a middleware by instance or name from the stack.
+     *
+     * @param callable|string $remove Middleware to remove by instance or name.
+     */
+    public function remove($remove): void
+    {
+        if (!is_string($remove) && !is_callable($remove)) {
+            trigger_deprecation('guzzlehttp/guzzle', '7.4', 'Not passing a callable or string to %s::%s() is deprecated and will cause an error in 8.0.', __CLASS__, __FUNCTION__);
+        }
+
+        $this->cached = null;
+        $idx = \is_callable($remove) ? 0 : 1;
+        $this->stack = \array_values(\array_filter(
+            $this->stack,
+            static function ($tuple) use ($idx, $remove) {
+                return $tuple[$idx] !== $remove;
+            }
+        ));
+    }
+
+    /**
+     * Compose the middleware and handler into a single callable function.
+     *
+     * @return callable(RequestInterface, array): PromiseInterface
+     */
+    public function resolve(): callable
+    {
+        if ($this->cached === null) {
+            if (($prev = $this->handler) === null) {
+                throw new \LogicException('No handler has been specified');
+            }
+
+            foreach (\array_reverse($this->stack) as $fn) {
+                /** @var callable(RequestInterface, array): PromiseInterface $prev */
+                $prev = $fn[0]($prev);
+            }
+
+            $this->cached = $prev;
+        }
+
+        return $this->cached;
+    }
+
+    private function findByName(string $name): int
+    {
+        foreach ($this->stack as $k => $v) {
+            if ($v[1] === $name) {
+                return $k;
+            }
+        }
+
+        throw new \InvalidArgumentException("Middleware not found: $name");
+    }
+
+    /**
+     * Splices a function into the middleware list at a specific position.
+     */
+    private function splice(string $findName, string $withName, callable $middleware, bool $before): void
+    {
+        $this->cached = null;
+        $idx = $this->findByName($findName);
+        $tuple = [$middleware, $withName];
+
+        if ($before) {
+            if ($idx === 0) {
+                \array_unshift($this->stack, $tuple);
+            } else {
+                $replacement = [$tuple, $this->stack[$idx]];
+                \array_splice($this->stack, $idx, 1, $replacement);
+            }
+        } elseif ($idx === \count($this->stack) - 1) {
+            $this->stack[] = $tuple;
+        } else {
+            $replacement = [$this->stack[$idx], $tuple];
+            \array_splice($this->stack, $idx, 1, $replacement);
+        }
+    }
+
+    /**
+     * Provides a debug string for a given callable.
+     *
+     * @param callable|string $fn Function to write as a string.
+     */
+    private function debugCallable($fn): string
+    {
+        if (\is_string($fn)) {
+            return "callable({$fn})";
+        }
+
+        if (\is_array($fn)) {
+            return \is_string($fn[0])
+                ? "callable({$fn[0]}::{$fn[1]})"
+                : "callable(['" . \get_class($fn[0]) . "', '{$fn[1]}'])";
+        }
+
+        /** @var object $fn */
+        return 'callable(' . \spl_object_hash($fn) . ')';
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatter.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatter.php
new file mode 100644
index 000000000..da499547f
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatter.php
@@ -0,0 +1,198 @@
+<?php
+
+namespace GuzzleHttp;
+
+use Psr\Http\Message\MessageInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Formats log messages using variable substitutions for requests, responses,
+ * and other transactional data.
+ *
+ * The following variable substitutions are supported:
+ *
+ * - {request}:        Full HTTP request message
+ * - {response}:       Full HTTP response message
+ * - {ts}:             ISO 8601 date in GMT
+ * - {date_iso_8601}   ISO 8601 date in GMT
+ * - {date_common_log} Apache common log date using the configured timezone.
+ * - {host}:           Host of the request
+ * - {method}:         Method of the request
+ * - {uri}:            URI of the request
+ * - {version}:        Protocol version
+ * - {target}:         Request target of the request (path + query + fragment)
+ * - {hostname}:       Hostname of the machine that sent the request
+ * - {code}:           Status code of the response (if available)
+ * - {phrase}:         Reason phrase of the response  (if available)
+ * - {error}:          Any error messages (if available)
+ * - {req_header_*}:   Replace `*` with the lowercased name of a request header to add to the message
+ * - {res_header_*}:   Replace `*` with the lowercased name of a response header to add to the message
+ * - {req_headers}:    Request headers
+ * - {res_headers}:    Response headers
+ * - {req_body}:       Request body
+ * - {res_body}:       Response body
+ *
+ * @final
+ */
+class MessageFormatter implements MessageFormatterInterface
+{
+    /**
+     * Apache Common Log Format.
+     *
+     * @link https://httpd.apache.org/docs/2.4/logs.html#common
+     *
+     * @var string
+     */
+    public const CLF = "{hostname} {req_header_User-Agent} - [{date_common_log}] \"{method} {target} HTTP/{version}\" {code} {res_header_Content-Length}";
+    public const DEBUG = ">>>>>>>>\n{request}\n<<<<<<<<\n{response}\n--------\n{error}";
+    public const SHORT = '[{ts}] "{method} {target} HTTP/{version}" {code}';
+
+    /**
+     * @var string Template used to format log messages
+     */
+    private $template;
+
+    /**
+     * @param string $template Log message template
+     */
+    public function __construct(?string $template = self::CLF)
+    {
+        $this->template = $template ?: self::CLF;
+    }
+
+    /**
+     * Returns a formatted message string.
+     *
+     * @param RequestInterface       $request  Request that was sent
+     * @param ResponseInterface|null $response Response that was received
+     * @param \Throwable|null        $error    Exception that was received
+     */
+    public function format(RequestInterface $request, ?ResponseInterface $response = null, ?\Throwable $error = null): string
+    {
+        $cache = [];
+
+        /** @var string */
+        return \preg_replace_callback(
+            '/{\s*([A-Za-z_\-\.0-9]+)\s*}/',
+            function (array $matches) use ($request, $response, $error, &$cache) {
+                if (isset($cache[$matches[1]])) {
+                    return $cache[$matches[1]];
+                }
+
+                $result = '';
+                switch ($matches[1]) {
+                    case 'request':
+                        $result = Psr7\Message::toString($request);
+                        break;
+                    case 'response':
+                        $result = $response ? Psr7\Message::toString($response) : '';
+                        break;
+                    case 'req_headers':
+                        $result = \trim($request->getMethod()
+                                . ' ' . $request->getRequestTarget())
+                            . ' HTTP/' . $request->getProtocolVersion() . "\r\n"
+                            . $this->headers($request);
+                        break;
+                    case 'res_headers':
+                        $result = $response ?
+                            \sprintf(
+                                'HTTP/%s %d %s',
+                                $response->getProtocolVersion(),
+                                $response->getStatusCode(),
+                                $response->getReasonPhrase()
+                            ) . "\r\n" . $this->headers($response)
+                            : 'NULL';
+                        break;
+                    case 'req_body':
+                        $result = $request->getBody()->__toString();
+                        break;
+                    case 'res_body':
+                        if (!$response instanceof ResponseInterface) {
+                            $result = 'NULL';
+                            break;
+                        }
+
+                        $body = $response->getBody();
+
+                        if (!$body->isSeekable()) {
+                            $result = 'RESPONSE_NOT_LOGGEABLE';
+                            break;
+                        }
+
+                        $result = $response->getBody()->__toString();
+                        break;
+                    case 'ts':
+                    case 'date_iso_8601':
+                        $result = \gmdate('c');
+                        break;
+                    case 'date_common_log':
+                        $result = \date('d/M/Y:H:i:s O');
+                        break;
+                    case 'method':
+                        $result = $request->getMethod();
+                        break;
+                    case 'version':
+                        $result = $request->getProtocolVersion();
+                        break;
+                    case 'uri':
+                    case 'url':
+                        $result = $request->getUri()->__toString();
+                        break;
+                    case 'target':
+                        $result = $request->getRequestTarget();
+                        break;
+                    case 'req_version':
+                        $result = $request->getProtocolVersion();
+                        break;
+                    case 'res_version':
+                        $result = $response
+                            ? $response->getProtocolVersion()
+                            : 'NULL';
+                        break;
+                    case 'host':
+                        $result = $request->getHeaderLine('Host');
+                        break;
+                    case 'hostname':
+                        $result = \gethostname();
+                        break;
+                    case 'code':
+                        $result = $response ? $response->getStatusCode() : 'NULL';
+                        break;
+                    case 'phrase':
+                        $result = $response ? $response->getReasonPhrase() : 'NULL';
+                        break;
+                    case 'error':
+                        $result = $error ? $error->getMessage() : 'NULL';
+                        break;
+                    default:
+                        // handle prefixed dynamic headers
+                        if (\strpos($matches[1], 'req_header_') === 0) {
+                            $result = $request->getHeaderLine(\substr($matches[1], 11));
+                        } elseif (\strpos($matches[1], 'res_header_') === 0) {
+                            $result = $response
+                                ? $response->getHeaderLine(\substr($matches[1], 11))
+                                : 'NULL';
+                        }
+                }
+
+                $cache[$matches[1]] = $result;
+                return $result;
+            },
+            $this->template
+        );
+    }
+
+    /**
+     * Get headers from message as string
+     */
+    private function headers(MessageInterface $message): string
+    {
+        $result = '';
+        foreach ($message->getHeaders() as $name => $values) {
+            $result .= $name . ': ' . \implode(', ', $values) . "\r\n";
+        }
+
+        return \trim($result);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatterInterface.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatterInterface.php
new file mode 100644
index 000000000..a39ac248e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/MessageFormatterInterface.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace GuzzleHttp;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+interface MessageFormatterInterface
+{
+    /**
+     * Returns a formatted message string.
+     *
+     * @param RequestInterface       $request  Request that was sent
+     * @param ResponseInterface|null $response Response that was received
+     * @param \Throwable|null        $error    Exception that was received
+     */
+    public function format(RequestInterface $request, ?ResponseInterface $response = null, ?\Throwable $error = null): string;
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Middleware.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Middleware.php
new file mode 100644
index 000000000..7035c77ff
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Middleware.php
@@ -0,0 +1,260 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Cookie\CookieJarInterface;
+use GuzzleHttp\Exception\RequestException;
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Functions used to create and wrap handlers with handler middleware.
+ */
+final class Middleware
+{
+    /**
+     * Middleware that adds cookies to requests.
+     *
+     * The options array must be set to a CookieJarInterface in order to use
+     * cookies. This is typically handled for you by a client.
+     *
+     * @return callable Returns a function that accepts the next handler.
+     */
+    public static function cookies(): callable
+    {
+        return static function (callable $handler): callable {
+            return static function ($request, array $options) use ($handler) {
+                if (empty($options['cookies'])) {
+                    return $handler($request, $options);
+                } elseif (!($options['cookies'] instanceof CookieJarInterface)) {
+                    throw new \InvalidArgumentException('cookies must be an instance of GuzzleHttp\Cookie\CookieJarInterface');
+                }
+                $cookieJar = $options['cookies'];
+                $request = $cookieJar->withCookieHeader($request);
+                return $handler($request, $options)
+                    ->then(
+                        static function (ResponseInterface $response) use ($cookieJar, $request): ResponseInterface {
+                            $cookieJar->extractCookies($request, $response);
+                            return $response;
+                        }
+                    );
+            };
+        };
+    }
+
+    /**
+     * Middleware that throws exceptions for 4xx or 5xx responses when the
+     * "http_errors" request option is set to true.
+     *
+     * @param BodySummarizerInterface|null $bodySummarizer The body summarizer to use in exception messages.
+     *
+     * @return callable(callable): callable Returns a function that accepts the next handler.
+     */
+    public static function httpErrors(BodySummarizerInterface $bodySummarizer = null): callable
+    {
+        return static function (callable $handler) use ($bodySummarizer): callable {
+            return static function ($request, array $options) use ($handler, $bodySummarizer) {
+                if (empty($options['http_errors'])) {
+                    return $handler($request, $options);
+                }
+                return $handler($request, $options)->then(
+                    static function (ResponseInterface $response) use ($request, $bodySummarizer) {
+                        $code = $response->getStatusCode();
+                        if ($code < 400) {
+                            return $response;
+                        }
+                        throw RequestException::create($request, $response, null, [], $bodySummarizer);
+                    }
+                );
+            };
+        };
+    }
+
+    /**
+     * Middleware that pushes history data to an ArrayAccess container.
+     *
+     * @param array|\ArrayAccess<int, array> $container Container to hold the history (by reference).
+     *
+     * @return callable(callable): callable Returns a function that accepts the next handler.
+     *
+     * @throws \InvalidArgumentException if container is not an array or ArrayAccess.
+     */
+    public static function history(&$container): callable
+    {
+        if (!\is_array($container) && !$container instanceof \ArrayAccess) {
+            throw new \InvalidArgumentException('history container must be an array or object implementing ArrayAccess');
+        }
+
+        return static function (callable $handler) use (&$container): callable {
+            return static function (RequestInterface $request, array $options) use ($handler, &$container) {
+                return $handler($request, $options)->then(
+                    static function ($value) use ($request, &$container, $options) {
+                        $container[] = [
+                            'request'  => $request,
+                            'response' => $value,
+                            'error'    => null,
+                            'options'  => $options
+                        ];
+                        return $value;
+                    },
+                    static function ($reason) use ($request, &$container, $options) {
+                        $container[] = [
+                            'request'  => $request,
+                            'response' => null,
+                            'error'    => $reason,
+                            'options'  => $options
+                        ];
+                        return P\Create::rejectionFor($reason);
+                    }
+                );
+            };
+        };
+    }
+
+    /**
+     * Middleware that invokes a callback before and after sending a request.
+     *
+     * The provided listener cannot modify or alter the response. It simply
+     * "taps" into the chain to be notified before returning the promise. The
+     * before listener accepts a request and options array, and the after
+     * listener accepts a request, options array, and response promise.
+     *
+     * @param callable $before Function to invoke before forwarding the request.
+     * @param callable $after  Function invoked after forwarding.
+     *
+     * @return callable Returns a function that accepts the next handler.
+     */
+    public static function tap(callable $before = null, callable $after = null): callable
+    {
+        return static function (callable $handler) use ($before, $after): callable {
+            return static function (RequestInterface $request, array $options) use ($handler, $before, $after) {
+                if ($before) {
+                    $before($request, $options);
+                }
+                $response = $handler($request, $options);
+                if ($after) {
+                    $after($request, $options, $response);
+                }
+                return $response;
+            };
+        };
+    }
+
+    /**
+     * Middleware that handles request redirects.
+     *
+     * @return callable Returns a function that accepts the next handler.
+     */
+    public static function redirect(): callable
+    {
+        return static function (callable $handler): RedirectMiddleware {
+            return new RedirectMiddleware($handler);
+        };
+    }
+
+    /**
+     * Middleware that retries requests based on the boolean result of
+     * invoking the provided "decider" function.
+     *
+     * If no delay function is provided, a simple implementation of exponential
+     * backoff will be utilized.
+     *
+     * @param callable $decider Function that accepts the number of retries,
+     *                          a request, [response], and [exception] and
+     *                          returns true if the request is to be retried.
+     * @param callable $delay   Function that accepts the number of retries and
+     *                          returns the number of milliseconds to delay.
+     *
+     * @return callable Returns a function that accepts the next handler.
+     */
+    public static function retry(callable $decider, callable $delay = null): callable
+    {
+        return static function (callable $handler) use ($decider, $delay): RetryMiddleware {
+            return new RetryMiddleware($decider, $handler, $delay);
+        };
+    }
+
+    /**
+     * Middleware that logs requests, responses, and errors using a message
+     * formatter.
+     *
+     * @phpstan-param \Psr\Log\LogLevel::* $logLevel  Level at which to log requests.
+     *
+     * @param LoggerInterface                            $logger    Logs messages.
+     * @param MessageFormatterInterface|MessageFormatter $formatter Formatter used to create message strings.
+     * @param string                                     $logLevel  Level at which to log requests.
+     *
+     * @return callable Returns a function that accepts the next handler.
+     */
+    public static function log(LoggerInterface $logger, $formatter, string $logLevel = 'info'): callable
+    {
+        // To be compatible with Guzzle 7.1.x we need to allow users to pass a MessageFormatter
+        if (!$formatter instanceof MessageFormatter && !$formatter instanceof MessageFormatterInterface) {
+            throw new \LogicException(sprintf('Argument 2 to %s::log() must be of type %s', self::class, MessageFormatterInterface::class));
+        }
+
+        return static function (callable $handler) use ($logger, $formatter, $logLevel): callable {
+            return static function (RequestInterface $request, array $options = []) use ($handler, $logger, $formatter, $logLevel) {
+                return $handler($request, $options)->then(
+                    static function ($response) use ($logger, $request, $formatter, $logLevel): ResponseInterface {
+                        $message = $formatter->format($request, $response);
+                        $logger->log($logLevel, $message);
+                        return $response;
+                    },
+                    static function ($reason) use ($logger, $request, $formatter): PromiseInterface {
+                        $response = $reason instanceof RequestException ? $reason->getResponse() : null;
+                        $message = $formatter->format($request, $response, P\Create::exceptionFor($reason));
+                        $logger->error($message);
+                        return P\Create::rejectionFor($reason);
+                    }
+                );
+            };
+        };
+    }
+
+    /**
+     * This middleware adds a default content-type if possible, a default
+     * content-length or transfer-encoding header, and the expect header.
+     */
+    public static function prepareBody(): callable
+    {
+        return static function (callable $handler): PrepareBodyMiddleware {
+            return new PrepareBodyMiddleware($handler);
+        };
+    }
+
+    /**
+     * Middleware that applies a map function to the request before passing to
+     * the next handler.
+     *
+     * @param callable $fn Function that accepts a RequestInterface and returns
+     *                     a RequestInterface.
+     */
+    public static function mapRequest(callable $fn): callable
+    {
+        return static function (callable $handler) use ($fn): callable {
+            return static function (RequestInterface $request, array $options) use ($handler, $fn) {
+                return $handler($fn($request), $options);
+            };
+        };
+    }
+
+    /**
+     * Middleware that applies a map function to the resolved promise's
+     * response.
+     *
+     * @param callable $fn Function that accepts a ResponseInterface and
+     *                     returns a ResponseInterface.
+     */
+    public static function mapResponse(callable $fn): callable
+    {
+        return static function (callable $handler) use ($fn): callable {
+            return static function (RequestInterface $request, array $options) use ($handler, $fn) {
+                return $handler($request, $options)->then($fn);
+            };
+        };
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Pool.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Pool.php
new file mode 100644
index 000000000..6277c61fb
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Pool.php
@@ -0,0 +1,125 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\EachPromise;
+use GuzzleHttp\Promise\PromiseInterface;
+use GuzzleHttp\Promise\PromisorInterface;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Sends an iterator of requests concurrently using a capped pool size.
+ *
+ * The pool will read from an iterator until it is cancelled or until the
+ * iterator is consumed. When a request is yielded, the request is sent after
+ * applying the "request_options" request options (if provided in the ctor).
+ *
+ * When a function is yielded by the iterator, the function is provided the
+ * "request_options" array that should be merged on top of any existing
+ * options, and the function MUST then return a wait-able promise.
+ *
+ * @final
+ */
+class Pool implements PromisorInterface
+{
+    /**
+     * @var EachPromise
+     */
+    private $each;
+
+    /**
+     * @param ClientInterface $client   Client used to send the requests.
+     * @param array|\Iterator $requests Requests or functions that return
+     *                                  requests to send concurrently.
+     * @param array           $config   Associative array of options
+     *                                  - concurrency: (int) Maximum number of requests to send concurrently
+     *                                  - options: Array of request options to apply to each request.
+     *                                  - fulfilled: (callable) Function to invoke when a request completes.
+     *                                  - rejected: (callable) Function to invoke when a request is rejected.
+     */
+    public function __construct(ClientInterface $client, $requests, array $config = [])
+    {
+        if (!isset($config['concurrency'])) {
+            $config['concurrency'] = 25;
+        }
+
+        if (isset($config['options'])) {
+            $opts = $config['options'];
+            unset($config['options']);
+        } else {
+            $opts = [];
+        }
+
+        $iterable = P\Create::iterFor($requests);
+        $requests = static function () use ($iterable, $client, $opts) {
+            foreach ($iterable as $key => $rfn) {
+                if ($rfn instanceof RequestInterface) {
+                    yield $key => $client->sendAsync($rfn, $opts);
+                } elseif (\is_callable($rfn)) {
+                    yield $key => $rfn($opts);
+                } else {
+                    throw new \InvalidArgumentException('Each value yielded by the iterator must be a Psr7\Http\Message\RequestInterface or a callable that returns a promise that fulfills with a Psr7\Message\Http\ResponseInterface object.');
+                }
+            }
+        };
+
+        $this->each = new EachPromise($requests(), $config);
+    }
+
+    /**
+     * Get promise
+     */
+    public function promise(): PromiseInterface
+    {
+        return $this->each->promise();
+    }
+
+    /**
+     * Sends multiple requests concurrently and returns an array of responses
+     * and exceptions that uses the same ordering as the provided requests.
+     *
+     * IMPORTANT: This method keeps every request and response in memory, and
+     * as such, is NOT recommended when sending a large number or an
+     * indeterminate number of requests concurrently.
+     *
+     * @param ClientInterface $client   Client used to send the requests
+     * @param array|\Iterator $requests Requests to send concurrently.
+     * @param array           $options  Passes through the options available in
+     *                                  {@see \GuzzleHttp\Pool::__construct}
+     *
+     * @return array Returns an array containing the response or an exception
+     *               in the same order that the requests were sent.
+     *
+     * @throws \InvalidArgumentException if the event format is incorrect.
+     */
+    public static function batch(ClientInterface $client, $requests, array $options = []): array
+    {
+        $res = [];
+        self::cmpCallback($options, 'fulfilled', $res);
+        self::cmpCallback($options, 'rejected', $res);
+        $pool = new static($client, $requests, $options);
+        $pool->promise()->wait();
+        \ksort($res);
+
+        return $res;
+    }
+
+    /**
+     * Execute callback(s)
+     */
+    private static function cmpCallback(array &$options, string $name, array &$results): void
+    {
+        if (!isset($options[$name])) {
+            $options[$name] = static function ($v, $k) use (&$results) {
+                $results[$k] = $v;
+            };
+        } else {
+            $currentFn = $options[$name];
+            $options[$name] = static function ($v, $k) use (&$results, $currentFn) {
+                $currentFn($v, $k);
+                $results[$k] = $v;
+            };
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php
new file mode 100644
index 000000000..7ca628338
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php
@@ -0,0 +1,104 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Prepares requests that contain a body, adding the Content-Length,
+ * Content-Type, and Expect headers.
+ *
+ * @final
+ */
+class PrepareBodyMiddleware
+{
+    /**
+     * @var callable(RequestInterface, array): PromiseInterface
+     */
+    private $nextHandler;
+
+    /**
+     * @param callable(RequestInterface, array): PromiseInterface $nextHandler Next handler to invoke.
+     */
+    public function __construct(callable $nextHandler)
+    {
+        $this->nextHandler = $nextHandler;
+    }
+
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        $fn = $this->nextHandler;
+
+        // Don't do anything if the request has no body.
+        if ($request->getBody()->getSize() === 0) {
+            return $fn($request, $options);
+        }
+
+        $modify = [];
+
+        // Add a default content-type if possible.
+        if (!$request->hasHeader('Content-Type')) {
+            if ($uri = $request->getBody()->getMetadata('uri')) {
+                if (is_string($uri) && $type = Psr7\MimeType::fromFilename($uri)) {
+                    $modify['set_headers']['Content-Type'] = $type;
+                }
+            }
+        }
+
+        // Add a default content-length or transfer-encoding header.
+        if (!$request->hasHeader('Content-Length')
+            && !$request->hasHeader('Transfer-Encoding')
+        ) {
+            $size = $request->getBody()->getSize();
+            if ($size !== null) {
+                $modify['set_headers']['Content-Length'] = $size;
+            } else {
+                $modify['set_headers']['Transfer-Encoding'] = 'chunked';
+            }
+        }
+
+        // Add the expect header if needed.
+        $this->addExpectHeader($request, $options, $modify);
+
+        return $fn(Psr7\Utils::modifyRequest($request, $modify), $options);
+    }
+
+    /**
+     * Add expect header
+     */
+    private function addExpectHeader(RequestInterface $request, array $options, array &$modify): void
+    {
+        // Determine if the Expect header should be used
+        if ($request->hasHeader('Expect')) {
+            return;
+        }
+
+        $expect = $options['expect'] ?? null;
+
+        // Return if disabled or if you're not using HTTP/1.1 or HTTP/2.0
+        if ($expect === false || $request->getProtocolVersion() < 1.1) {
+            return;
+        }
+
+        // The expect header is unconditionally enabled
+        if ($expect === true) {
+            $modify['set_headers']['Expect'] = '100-Continue';
+            return;
+        }
+
+        // By default, send the expect header when the payload is > 1mb
+        if ($expect === null) {
+            $expect = 1048576;
+        }
+
+        // Always add if the body cannot be rewound, the size cannot be
+        // determined, or the size is greater than the cutoff threshold
+        $body = $request->getBody();
+        $size = $body->getSize();
+
+        if ($size === null || $size >= (int) $expect || !$body->isSeekable()) {
+            $modify['set_headers']['Expect'] = '100-Continue';
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php
new file mode 100644
index 000000000..f67d448be
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php
@@ -0,0 +1,228 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Exception\BadResponseException;
+use GuzzleHttp\Exception\TooManyRedirectsException;
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Request redirect middleware.
+ *
+ * Apply this middleware like other middleware using
+ * {@see \GuzzleHttp\Middleware::redirect()}.
+ *
+ * @final
+ */
+class RedirectMiddleware
+{
+    public const HISTORY_HEADER = 'X-Guzzle-Redirect-History';
+
+    public const STATUS_HISTORY_HEADER = 'X-Guzzle-Redirect-Status-History';
+
+    /**
+     * @var array
+     */
+    public static $defaultSettings = [
+        'max'             => 5,
+        'protocols'       => ['http', 'https'],
+        'strict'          => false,
+        'referer'         => false,
+        'track_redirects' => false,
+    ];
+
+    /**
+     * @var callable(RequestInterface, array): PromiseInterface
+     */
+    private $nextHandler;
+
+    /**
+     * @param callable(RequestInterface, array): PromiseInterface $nextHandler Next handler to invoke.
+     */
+    public function __construct(callable $nextHandler)
+    {
+        $this->nextHandler = $nextHandler;
+    }
+
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        $fn = $this->nextHandler;
+
+        if (empty($options['allow_redirects'])) {
+            return $fn($request, $options);
+        }
+
+        if ($options['allow_redirects'] === true) {
+            $options['allow_redirects'] = self::$defaultSettings;
+        } elseif (!\is_array($options['allow_redirects'])) {
+            throw new \InvalidArgumentException('allow_redirects must be true, false, or array');
+        } else {
+            // Merge the default settings with the provided settings
+            $options['allow_redirects'] += self::$defaultSettings;
+        }
+
+        if (empty($options['allow_redirects']['max'])) {
+            return $fn($request, $options);
+        }
+
+        return $fn($request, $options)
+            ->then(function (ResponseInterface $response) use ($request, $options) {
+                return $this->checkRedirect($request, $options, $response);
+            });
+    }
+
+    /**
+     * @return ResponseInterface|PromiseInterface
+     */
+    public function checkRedirect(RequestInterface $request, array $options, ResponseInterface $response)
+    {
+        if (\strpos((string) $response->getStatusCode(), '3') !== 0
+            || !$response->hasHeader('Location')
+        ) {
+            return $response;
+        }
+
+        $this->guardMax($request, $response, $options);
+        $nextRequest = $this->modifyRequest($request, $options, $response);
+
+        // If authorization is handled by curl, unset it if URI is cross-origin.
+        if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $nextRequest->getUri()) && defined('\CURLOPT_HTTPAUTH')) {
+            unset(
+                $options['curl'][\CURLOPT_HTTPAUTH],
+                $options['curl'][\CURLOPT_USERPWD]
+            );
+        }
+
+        if (isset($options['allow_redirects']['on_redirect'])) {
+            ($options['allow_redirects']['on_redirect'])(
+                $request,
+                $response,
+                $nextRequest->getUri()
+            );
+        }
+
+        $promise = $this($nextRequest, $options);
+
+        // Add headers to be able to track history of redirects.
+        if (!empty($options['allow_redirects']['track_redirects'])) {
+            return $this->withTracking(
+                $promise,
+                (string) $nextRequest->getUri(),
+                $response->getStatusCode()
+            );
+        }
+
+        return $promise;
+    }
+
+    /**
+     * Enable tracking on promise.
+     */
+    private function withTracking(PromiseInterface $promise, string $uri, int $statusCode): PromiseInterface
+    {
+        return $promise->then(
+            static function (ResponseInterface $response) use ($uri, $statusCode) {
+                // Note that we are pushing to the front of the list as this
+                // would be an earlier response than what is currently present
+                // in the history header.
+                $historyHeader = $response->getHeader(self::HISTORY_HEADER);
+                $statusHeader = $response->getHeader(self::STATUS_HISTORY_HEADER);
+                \array_unshift($historyHeader, $uri);
+                \array_unshift($statusHeader, (string) $statusCode);
+
+                return $response->withHeader(self::HISTORY_HEADER, $historyHeader)
+                                ->withHeader(self::STATUS_HISTORY_HEADER, $statusHeader);
+            }
+        );
+    }
+
+    /**
+     * Check for too many redirects.
+     *
+     * @throws TooManyRedirectsException Too many redirects.
+     */
+    private function guardMax(RequestInterface $request, ResponseInterface $response, array &$options): void
+    {
+        $current = $options['__redirect_count']
+            ?? 0;
+        $options['__redirect_count'] = $current + 1;
+        $max = $options['allow_redirects']['max'];
+
+        if ($options['__redirect_count'] > $max) {
+            throw new TooManyRedirectsException("Will not follow more than {$max} redirects", $request, $response);
+        }
+    }
+
+    public function modifyRequest(RequestInterface $request, array $options, ResponseInterface $response): RequestInterface
+    {
+        // Request modifications to apply.
+        $modify = [];
+        $protocols = $options['allow_redirects']['protocols'];
+
+        // Use a GET request if this is an entity enclosing request and we are
+        // not forcing RFC compliance, but rather emulating what all browsers
+        // would do.
+        $statusCode = $response->getStatusCode();
+        if ($statusCode == 303 ||
+            ($statusCode <= 302 && !$options['allow_redirects']['strict'])
+        ) {
+            $safeMethods = ['GET', 'HEAD', 'OPTIONS'];
+            $requestMethod = $request->getMethod();
+
+            $modify['method'] = in_array($requestMethod, $safeMethods) ? $requestMethod : 'GET';
+            $modify['body'] = '';
+        }
+
+        $uri = self::redirectUri($request, $response, $protocols);
+        if (isset($options['idn_conversion']) && ($options['idn_conversion'] !== false)) {
+            $idnOptions = ($options['idn_conversion'] === true) ? \IDNA_DEFAULT : $options['idn_conversion'];
+            $uri = Utils::idnUriConvert($uri, $idnOptions);
+        }
+
+        $modify['uri'] = $uri;
+        Psr7\Message::rewindBody($request);
+
+        // Add the Referer header if it is told to do so and only
+        // add the header if we are not redirecting from https to http.
+        if ($options['allow_redirects']['referer']
+            && $modify['uri']->getScheme() === $request->getUri()->getScheme()
+        ) {
+            $uri = $request->getUri()->withUserInfo('');
+            $modify['set_headers']['Referer'] = (string) $uri;
+        } else {
+            $modify['remove_headers'][] = 'Referer';
+        }
+
+        // Remove Authorization and Cookie headers if URI is cross-origin.
+        if (Psr7\UriComparator::isCrossOrigin($request->getUri(), $modify['uri'])) {
+            $modify['remove_headers'][] = 'Authorization';
+            $modify['remove_headers'][] = 'Cookie';
+        }
+
+        return Psr7\Utils::modifyRequest($request, $modify);
+    }
+
+    /**
+     * Set the appropriate URL on the request based on the location header.
+     */
+    private static function redirectUri(
+        RequestInterface $request,
+        ResponseInterface $response,
+        array $protocols
+    ): UriInterface {
+        $location = Psr7\UriResolver::resolve(
+            $request->getUri(),
+            new Psr7\Uri($response->getHeaderLine('Location'))
+        );
+
+        // Ensure that the redirect URI is allowed based on the protocols.
+        if (!\in_array($location->getScheme(), $protocols)) {
+            throw new BadResponseException(\sprintf('Redirect URI, %s, does not use one of the allowed redirect protocols: %s', $location, \implode(', ', $protocols)), $request, $response);
+        }
+
+        return $location;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RequestOptions.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RequestOptions.php
new file mode 100644
index 000000000..20b31bc20
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RequestOptions.php
@@ -0,0 +1,264 @@
+<?php
+
+namespace GuzzleHttp;
+
+/**
+ * This class contains a list of built-in Guzzle request options.
+ *
+ * More documentation for each option can be found at http://guzzlephp.org/.
+ *
+ * @link http://docs.guzzlephp.org/en/v6/request-options.html
+ */
+final class RequestOptions
+{
+    /**
+     * allow_redirects: (bool|array) Controls redirect behavior. Pass false
+     * to disable redirects, pass true to enable redirects, pass an
+     * associative to provide custom redirect settings. Defaults to "false".
+     * This option only works if your handler has the RedirectMiddleware. When
+     * passing an associative array, you can provide the following key value
+     * pairs:
+     *
+     * - max: (int, default=5) maximum number of allowed redirects.
+     * - strict: (bool, default=false) Set to true to use strict redirects
+     *   meaning redirect POST requests with POST requests vs. doing what most
+     *   browsers do which is redirect POST requests with GET requests
+     * - referer: (bool, default=false) Set to true to enable the Referer
+     *   header.
+     * - protocols: (array, default=['http', 'https']) Allowed redirect
+     *   protocols.
+     * - on_redirect: (callable) PHP callable that is invoked when a redirect
+     *   is encountered. The callable is invoked with the request, the redirect
+     *   response that was received, and the effective URI. Any return value
+     *   from the on_redirect function is ignored.
+     */
+    public const ALLOW_REDIRECTS = 'allow_redirects';
+
+    /**
+     * auth: (array) Pass an array of HTTP authentication parameters to use
+     * with the request. The array must contain the username in index [0],
+     * the password in index [1], and you can optionally provide a built-in
+     * authentication type in index [2]. Pass null to disable authentication
+     * for a request.
+     */
+    public const AUTH = 'auth';
+
+    /**
+     * body: (resource|string|null|int|float|StreamInterface|callable|\Iterator)
+     * Body to send in the request.
+     */
+    public const BODY = 'body';
+
+    /**
+     * cert: (string|array) Set to a string to specify the path to a file
+     * containing a PEM formatted SSL client side certificate. If a password
+     * is required, then set cert to an array containing the path to the PEM
+     * file in the first array element followed by the certificate password
+     * in the second array element.
+     */
+    public const CERT = 'cert';
+
+    /**
+     * cookies: (bool|GuzzleHttp\Cookie\CookieJarInterface, default=false)
+     * Specifies whether or not cookies are used in a request or what cookie
+     * jar to use or what cookies to send. This option only works if your
+     * handler has the `cookie` middleware. Valid values are `false` and
+     * an instance of {@see \GuzzleHttp\Cookie\CookieJarInterface}.
+     */
+    public const COOKIES = 'cookies';
+
+    /**
+     * connect_timeout: (float, default=0) Float describing the number of
+     * seconds to wait while trying to connect to a server. Use 0 to wait
+     * indefinitely (the default behavior).
+     */
+    public const CONNECT_TIMEOUT = 'connect_timeout';
+
+    /**
+     * debug: (bool|resource) Set to true or set to a PHP stream returned by
+     * fopen()  enable debug output with the HTTP handler used to send a
+     * request.
+     */
+    public const DEBUG = 'debug';
+
+    /**
+     * decode_content: (bool, default=true) Specify whether or not
+     * Content-Encoding responses (gzip, deflate, etc.) are automatically
+     * decoded.
+     */
+    public const DECODE_CONTENT = 'decode_content';
+
+    /**
+     * delay: (int) The amount of time to delay before sending in milliseconds.
+     */
+    public const DELAY = 'delay';
+
+    /**
+     * expect: (bool|integer) Controls the behavior of the
+     * "Expect: 100-Continue" header.
+     *
+     * Set to `true` to enable the "Expect: 100-Continue" header for all
+     * requests that sends a body. Set to `false` to disable the
+     * "Expect: 100-Continue" header for all requests. Set to a number so that
+     * the size of the payload must be greater than the number in order to send
+     * the Expect header. Setting to a number will send the Expect header for
+     * all requests in which the size of the payload cannot be determined or
+     * where the body is not rewindable.
+     *
+     * By default, Guzzle will add the "Expect: 100-Continue" header when the
+     * size of the body of a request is greater than 1 MB and a request is
+     * using HTTP/1.1.
+     */
+    public const EXPECT = 'expect';
+
+    /**
+     * form_params: (array) Associative array of form field names to values
+     * where each value is a string or array of strings. Sets the Content-Type
+     * header to application/x-www-form-urlencoded when no Content-Type header
+     * is already present.
+     */
+    public const FORM_PARAMS = 'form_params';
+
+    /**
+     * headers: (array) Associative array of HTTP headers. Each value MUST be
+     * a string or array of strings.
+     */
+    public const HEADERS = 'headers';
+
+    /**
+     * http_errors: (bool, default=true) Set to false to disable exceptions
+     * when a non- successful HTTP response is received. By default,
+     * exceptions will be thrown for 4xx and 5xx responses. This option only
+     * works if your handler has the `httpErrors` middleware.
+     */
+    public const HTTP_ERRORS = 'http_errors';
+
+    /**
+     * idn: (bool|int, default=true) A combination of IDNA_* constants for
+     * idn_to_ascii() PHP's function (see "options" parameter). Set to false to
+     * disable IDN support completely, or to true to use the default
+     * configuration (IDNA_DEFAULT constant).
+     */
+    public const IDN_CONVERSION = 'idn_conversion';
+
+    /**
+     * json: (mixed) Adds JSON data to a request. The provided value is JSON
+     * encoded and a Content-Type header of application/json will be added to
+     * the request if no Content-Type header is already present.
+     */
+    public const JSON = 'json';
+
+    /**
+     * multipart: (array) Array of associative arrays, each containing a
+     * required "name" key mapping to the form field, name, a required
+     * "contents" key mapping to a StreamInterface|resource|string, an
+     * optional "headers" associative array of custom headers, and an
+     * optional "filename" key mapping to a string to send as the filename in
+     * the part. If no "filename" key is present, then no "filename" attribute
+     * will be added to the part.
+     */
+    public const MULTIPART = 'multipart';
+
+    /**
+     * on_headers: (callable) A callable that is invoked when the HTTP headers
+     * of the response have been received but the body has not yet begun to
+     * download.
+     */
+    public const ON_HEADERS = 'on_headers';
+
+    /**
+     * on_stats: (callable) allows you to get access to transfer statistics of
+     * a request and access the lower level transfer details of the handler
+     * associated with your client. ``on_stats`` is a callable that is invoked
+     * when a handler has finished sending a request. The callback is invoked
+     * with transfer statistics about the request, the response received, or
+     * the error encountered. Included in the data is the total amount of time
+     * taken to send the request.
+     */
+    public const ON_STATS = 'on_stats';
+
+    /**
+     * progress: (callable) Defines a function to invoke when transfer
+     * progress is made. The function accepts the following positional
+     * arguments: the total number of bytes expected to be downloaded, the
+     * number of bytes downloaded so far, the number of bytes expected to be
+     * uploaded, the number of bytes uploaded so far.
+     */
+    public const PROGRESS = 'progress';
+
+    /**
+     * proxy: (string|array) Pass a string to specify an HTTP proxy, or an
+     * array to specify different proxies for different protocols (where the
+     * key is the protocol and the value is a proxy string).
+     */
+    public const PROXY = 'proxy';
+
+    /**
+     * query: (array|string) Associative array of query string values to add
+     * to the request. This option uses PHP's http_build_query() to create
+     * the string representation. Pass a string value if you need more
+     * control than what this method provides
+     */
+    public const QUERY = 'query';
+
+    /**
+     * sink: (resource|string|StreamInterface) Where the data of the
+     * response is written to. Defaults to a PHP temp stream. Providing a
+     * string will write data to a file by the given name.
+     */
+    public const SINK = 'sink';
+
+    /**
+     * synchronous: (bool) Set to true to inform HTTP handlers that you intend
+     * on waiting on the response. This can be useful for optimizations. Note
+     * that a promise is still returned if you are using one of the async
+     * client methods.
+     */
+    public const SYNCHRONOUS = 'synchronous';
+
+    /**
+     * ssl_key: (array|string) Specify the path to a file containing a private
+     * SSL key in PEM format. If a password is required, then set to an array
+     * containing the path to the SSL key in the first array element followed
+     * by the password required for the certificate in the second element.
+     */
+    public const SSL_KEY = 'ssl_key';
+
+    /**
+     * stream: Set to true to attempt to stream a response rather than
+     * download it all up-front.
+     */
+    public const STREAM = 'stream';
+
+    /**
+     * verify: (bool|string, default=true) Describes the SSL certificate
+     * verification behavior of a request. Set to true to enable SSL
+     * certificate verification using the system CA bundle when available
+     * (the default). Set to false to disable certificate verification (this
+     * is insecure!). Set to a string to provide the path to a CA bundle on
+     * disk to enable verification using a custom certificate.
+     */
+    public const VERIFY = 'verify';
+
+    /**
+     * timeout: (float, default=0) Float describing the timeout of the
+     * request in seconds. Use 0 to wait indefinitely (the default behavior).
+     */
+    public const TIMEOUT = 'timeout';
+
+    /**
+     * read_timeout: (float, default=default_socket_timeout ini setting) Float describing
+     * the body read timeout, for stream requests.
+     */
+    public const READ_TIMEOUT = 'read_timeout';
+
+    /**
+     * version: (float) Specifies the HTTP protocol version to attempt to use.
+     */
+    public const VERSION = 'version';
+
+    /**
+     * force_ip_resolve: (bool) Force client to use only ipv4 or ipv6 protocol
+     */
+    public const FORCE_IP_RESOLVE = 'force_ip_resolve';
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RetryMiddleware.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RetryMiddleware.php
new file mode 100644
index 000000000..0236a9d54
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/RetryMiddleware.php
@@ -0,0 +1,116 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Promise as P;
+use GuzzleHttp\Promise\PromiseInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Middleware that retries requests based on the boolean result of
+ * invoking the provided "decider" function.
+ *
+ * @final
+ */
+class RetryMiddleware
+{
+    /**
+     * @var callable(RequestInterface, array): PromiseInterface
+     */
+    private $nextHandler;
+
+    /**
+     * @var callable
+     */
+    private $decider;
+
+    /**
+     * @var callable(int)
+     */
+    private $delay;
+
+    /**
+     * @param callable                                            $decider     Function that accepts the number of retries,
+     *                                                                         a request, [response], and [exception] and
+     *                                                                         returns true if the request is to be
+     *                                                                         retried.
+     * @param callable(RequestInterface, array): PromiseInterface $nextHandler Next handler to invoke.
+     * @param (callable(int): int)|null                           $delay       Function that accepts the number of retries
+     *                                                                         and returns the number of
+     *                                                                         milliseconds to delay.
+     */
+    public function __construct(callable $decider, callable $nextHandler, callable $delay = null)
+    {
+        $this->decider = $decider;
+        $this->nextHandler = $nextHandler;
+        $this->delay = $delay ?: __CLASS__ . '::exponentialDelay';
+    }
+
+    /**
+     * Default exponential backoff delay function.
+     *
+     * @return int milliseconds.
+     */
+    public static function exponentialDelay(int $retries): int
+    {
+        return (int) \pow(2, $retries - 1) * 1000;
+    }
+
+    public function __invoke(RequestInterface $request, array $options): PromiseInterface
+    {
+        if (!isset($options['retries'])) {
+            $options['retries'] = 0;
+        }
+
+        $fn = $this->nextHandler;
+        return $fn($request, $options)
+            ->then(
+                $this->onFulfilled($request, $options),
+                $this->onRejected($request, $options)
+            );
+    }
+
+    /**
+     * Execute fulfilled closure
+     */
+    private function onFulfilled(RequestInterface $request, array $options): callable
+    {
+        return function ($value) use ($request, $options) {
+            if (!($this->decider)(
+                $options['retries'],
+                $request,
+                $value,
+                null
+            )) {
+                return $value;
+            }
+            return $this->doRetry($request, $options, $value);
+        };
+    }
+
+    /**
+     * Execute rejected closure
+     */
+    private function onRejected(RequestInterface $req, array $options): callable
+    {
+        return function ($reason) use ($req, $options) {
+            if (!($this->decider)(
+                $options['retries'],
+                $req,
+                null,
+                $reason
+            )) {
+                return P\Create::rejectionFor($reason);
+            }
+            return $this->doRetry($req, $options);
+        };
+    }
+
+    private function doRetry(RequestInterface $request, array $options, ResponseInterface $response = null): PromiseInterface
+    {
+        $options['delay'] = ($this->delay)(++$options['retries'], $response, $request);
+
+        return $this($request, $options);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/TransferStats.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/TransferStats.php
new file mode 100644
index 000000000..93fa334c8
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/TransferStats.php
@@ -0,0 +1,133 @@
+<?php
+
+namespace GuzzleHttp;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Represents data at the point after it was transferred either successfully
+ * or after a network error.
+ */
+final class TransferStats
+{
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * @var ResponseInterface|null
+     */
+    private $response;
+
+    /**
+     * @var float|null
+     */
+    private $transferTime;
+
+    /**
+     * @var array
+     */
+    private $handlerStats;
+
+    /**
+     * @var mixed|null
+     */
+    private $handlerErrorData;
+
+    /**
+     * @param RequestInterface       $request          Request that was sent.
+     * @param ResponseInterface|null $response         Response received (if any)
+     * @param float|null             $transferTime     Total handler transfer time.
+     * @param mixed                  $handlerErrorData Handler error data.
+     * @param array                  $handlerStats     Handler specific stats.
+     */
+    public function __construct(
+        RequestInterface $request,
+        ?ResponseInterface $response = null,
+        ?float $transferTime = null,
+        $handlerErrorData = null,
+        array $handlerStats = []
+    ) {
+        $this->request = $request;
+        $this->response = $response;
+        $this->transferTime = $transferTime;
+        $this->handlerErrorData = $handlerErrorData;
+        $this->handlerStats = $handlerStats;
+    }
+
+    public function getRequest(): RequestInterface
+    {
+        return $this->request;
+    }
+
+    /**
+     * Returns the response that was received (if any).
+     */
+    public function getResponse(): ?ResponseInterface
+    {
+        return $this->response;
+    }
+
+    /**
+     * Returns true if a response was received.
+     */
+    public function hasResponse(): bool
+    {
+        return $this->response !== null;
+    }
+
+    /**
+     * Gets handler specific error data.
+     *
+     * This might be an exception, a integer representing an error code, or
+     * anything else. Relying on this value assumes that you know what handler
+     * you are using.
+     *
+     * @return mixed
+     */
+    public function getHandlerErrorData()
+    {
+        return $this->handlerErrorData;
+    }
+
+    /**
+     * Get the effective URI the request was sent to.
+     */
+    public function getEffectiveUri(): UriInterface
+    {
+        return $this->request->getUri();
+    }
+
+    /**
+     * Get the estimated time the request was being transferred by the handler.
+     *
+     * @return float|null Time in seconds.
+     */
+    public function getTransferTime(): ?float
+    {
+        return $this->transferTime;
+    }
+
+    /**
+     * Gets an array of all of the handler specific transfer data.
+     */
+    public function getHandlerStats(): array
+    {
+        return $this->handlerStats;
+    }
+
+    /**
+     * Get a specific handler statistic from the handler by name.
+     *
+     * @param string $stat Handler specific transfer stat to retrieve.
+     *
+     * @return mixed|null
+     */
+    public function getHandlerStat(string $stat)
+    {
+        return $this->handlerStats[$stat] ?? null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Utils.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Utils.php
new file mode 100644
index 000000000..e355f3212
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/Utils.php
@@ -0,0 +1,385 @@
+<?php
+
+namespace GuzzleHttp;
+
+use GuzzleHttp\Exception\InvalidArgumentException;
+use GuzzleHttp\Handler\CurlHandler;
+use GuzzleHttp\Handler\CurlMultiHandler;
+use GuzzleHttp\Handler\Proxy;
+use GuzzleHttp\Handler\StreamHandler;
+use Psr\Http\Message\UriInterface;
+
+final class Utils
+{
+    /**
+     * Debug function used to describe the provided value type and class.
+     *
+     * @param mixed $input
+     *
+     * @return string Returns a string containing the type of the variable and
+     *                if a class is provided, the class name.
+     */
+    public static function describeType($input): string
+    {
+        switch (\gettype($input)) {
+            case 'object':
+                return 'object(' . \get_class($input) . ')';
+            case 'array':
+                return 'array(' . \count($input) . ')';
+            default:
+                \ob_start();
+                \var_dump($input);
+                // normalize float vs double
+                /** @var string $varDumpContent */
+                $varDumpContent = \ob_get_clean();
+
+                return \str_replace('double(', 'float(', \rtrim($varDumpContent));
+        }
+    }
+
+    /**
+     * Parses an array of header lines into an associative array of headers.
+     *
+     * @param iterable $lines Header lines array of strings in the following
+     *                        format: "Name: Value"
+     */
+    public static function headersFromLines(iterable $lines): array
+    {
+        $headers = [];
+
+        foreach ($lines as $line) {
+            $parts = \explode(':', $line, 2);
+            $headers[\trim($parts[0])][] = isset($parts[1]) ? \trim($parts[1]) : null;
+        }
+
+        return $headers;
+    }
+
+    /**
+     * Returns a debug stream based on the provided variable.
+     *
+     * @param mixed $value Optional value
+     *
+     * @return resource
+     */
+    public static function debugResource($value = null)
+    {
+        if (\is_resource($value)) {
+            return $value;
+        }
+        if (\defined('STDOUT')) {
+            return \STDOUT;
+        }
+
+        return \GuzzleHttp\Psr7\Utils::tryFopen('php://output', 'w');
+    }
+
+    /**
+     * Chooses and creates a default handler to use based on the environment.
+     *
+     * The returned handler is not wrapped by any default middlewares.
+     *
+     * @throws \RuntimeException if no viable Handler is available.
+     *
+     * @return callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface Returns the best handler for the given system.
+     */
+    public static function chooseHandler(): callable
+    {
+        $handler = null;
+
+        if (\defined('CURLOPT_CUSTOMREQUEST')) {
+            if (\function_exists('curl_multi_exec') && \function_exists('curl_exec')) {
+                $handler = Proxy::wrapSync(new CurlMultiHandler(), new CurlHandler());
+            } elseif (\function_exists('curl_exec')) {
+                $handler = new CurlHandler();
+            } elseif (\function_exists('curl_multi_exec')) {
+                $handler = new CurlMultiHandler();
+            }
+        }
+
+        if (\ini_get('allow_url_fopen')) {
+            $handler = $handler
+                ? Proxy::wrapStreaming($handler, new StreamHandler())
+                : new StreamHandler();
+        } elseif (!$handler) {
+            throw new \RuntimeException('GuzzleHttp requires cURL, the allow_url_fopen ini setting, or a custom HTTP handler.');
+        }
+
+        return $handler;
+    }
+
+    /**
+     * Get the default User-Agent string to use with Guzzle.
+     */
+    public static function defaultUserAgent(): string
+    {
+        return sprintf('GuzzleHttp/%d', ClientInterface::MAJOR_VERSION);
+    }
+
+    /**
+     * Returns the default cacert bundle for the current system.
+     *
+     * First, the openssl.cafile and curl.cainfo php.ini settings are checked.
+     * If those settings are not configured, then the common locations for
+     * bundles found on Red Hat, CentOS, Fedora, Ubuntu, Debian, FreeBSD, OS X
+     * and Windows are checked. If any of these file locations are found on
+     * disk, they will be utilized.
+     *
+     * Note: the result of this function is cached for subsequent calls.
+     *
+     * @throws \RuntimeException if no bundle can be found.
+     *
+     * @deprecated Utils::defaultCaBundle will be removed in guzzlehttp/guzzle:8.0. This method is not needed in PHP 5.6+.
+     */
+    public static function defaultCaBundle(): string
+    {
+        static $cached = null;
+        static $cafiles = [
+            // Red Hat, CentOS, Fedora (provided by the ca-certificates package)
+            '/etc/pki/tls/certs/ca-bundle.crt',
+            // Ubuntu, Debian (provided by the ca-certificates package)
+            '/etc/ssl/certs/ca-certificates.crt',
+            // FreeBSD (provided by the ca_root_nss package)
+            '/usr/local/share/certs/ca-root-nss.crt',
+            // SLES 12 (provided by the ca-certificates package)
+            '/var/lib/ca-certificates/ca-bundle.pem',
+            // OS X provided by homebrew (using the default path)
+            '/usr/local/etc/openssl/cert.pem',
+            // Google app engine
+            '/etc/ca-certificates.crt',
+            // Windows?
+            'C:\\windows\\system32\\curl-ca-bundle.crt',
+            'C:\\windows\\curl-ca-bundle.crt',
+        ];
+
+        if ($cached) {
+            return $cached;
+        }
+
+        if ($ca = \ini_get('openssl.cafile')) {
+            return $cached = $ca;
+        }
+
+        if ($ca = \ini_get('curl.cainfo')) {
+            return $cached = $ca;
+        }
+
+        foreach ($cafiles as $filename) {
+            if (\file_exists($filename)) {
+                return $cached = $filename;
+            }
+        }
+
+        throw new \RuntimeException(
+            <<< EOT
+No system CA bundle could be found in any of the the common system locations.
+PHP versions earlier than 5.6 are not properly configured to use the system's
+CA bundle by default. In order to verify peer certificates, you will need to
+supply the path on disk to a certificate bundle to the 'verify' request
+option: http://docs.guzzlephp.org/en/latest/clients.html#verify. If you do not
+need a specific certificate bundle, then Mozilla provides a commonly used CA
+bundle which can be downloaded here (provided by the maintainer of cURL):
+https://curl.haxx.se/ca/cacert.pem. Once
+you have a CA bundle available on disk, you can set the 'openssl.cafile' PHP
+ini setting to point to the path to the file, allowing you to omit the 'verify'
+request option. See https://curl.haxx.se/docs/sslcerts.html for more
+information.
+EOT
+        );
+    }
+
+    /**
+     * Creates an associative array of lowercase header names to the actual
+     * header casing.
+     */
+    public static function normalizeHeaderKeys(array $headers): array
+    {
+        $result = [];
+        foreach (\array_keys($headers) as $key) {
+            $result[\strtolower($key)] = $key;
+        }
+
+        return $result;
+    }
+
+    /**
+     * Returns true if the provided host matches any of the no proxy areas.
+     *
+     * This method will strip a port from the host if it is present. Each pattern
+     * can be matched with an exact match (e.g., "foo.com" == "foo.com") or a
+     * partial match: (e.g., "foo.com" == "baz.foo.com" and ".foo.com" ==
+     * "baz.foo.com", but ".foo.com" != "foo.com").
+     *
+     * Areas are matched in the following cases:
+     * 1. "*" (without quotes) always matches any hosts.
+     * 2. An exact match.
+     * 3. The area starts with "." and the area is the last part of the host. e.g.
+     *    '.mit.edu' will match any host that ends with '.mit.edu'.
+     *
+     * @param string   $host         Host to check against the patterns.
+     * @param string[] $noProxyArray An array of host patterns.
+     *
+     * @throws InvalidArgumentException
+     */
+    public static function isHostInNoProxy(string $host, array $noProxyArray): bool
+    {
+        if (\strlen($host) === 0) {
+            throw new InvalidArgumentException('Empty host provided');
+        }
+
+        // Strip port if present.
+        [$host] = \explode(':', $host, 2);
+
+        foreach ($noProxyArray as $area) {
+            // Always match on wildcards.
+            if ($area === '*') {
+                return true;
+            }
+
+            if (empty($area)) {
+                // Don't match on empty values.
+                continue;
+            }
+
+            if ($area === $host) {
+                // Exact matches.
+                return true;
+            }
+            // Special match if the area when prefixed with ".". Remove any
+            // existing leading "." and add a new leading ".".
+            $area = '.' . \ltrim($area, '.');
+            if (\substr($host, -(\strlen($area))) === $area) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Wrapper for json_decode that throws when an error occurs.
+     *
+     * @param string $json    JSON data to parse
+     * @param bool   $assoc   When true, returned objects will be converted
+     *                        into associative arrays.
+     * @param int    $depth   User specified recursion depth.
+     * @param int    $options Bitmask of JSON decode options.
+     *
+     * @return object|array|string|int|float|bool|null
+     *
+     * @throws InvalidArgumentException if the JSON cannot be decoded.
+     *
+     * @link https://www.php.net/manual/en/function.json-decode.php
+     */
+    public static function jsonDecode(string $json, bool $assoc = false, int $depth = 512, int $options = 0)
+    {
+        $data = \json_decode($json, $assoc, $depth, $options);
+        if (\JSON_ERROR_NONE !== \json_last_error()) {
+            throw new InvalidArgumentException('json_decode error: ' . \json_last_error_msg());
+        }
+
+        return $data;
+    }
+
+    /**
+     * Wrapper for JSON encoding that throws when an error occurs.
+     *
+     * @param mixed $value   The value being encoded
+     * @param int   $options JSON encode option bitmask
+     * @param int   $depth   Set the maximum depth. Must be greater than zero.
+     *
+     * @throws InvalidArgumentException if the JSON cannot be encoded.
+     *
+     * @link https://www.php.net/manual/en/function.json-encode.php
+     */
+    public static function jsonEncode($value, int $options = 0, int $depth = 512): string
+    {
+        $json = \json_encode($value, $options, $depth);
+        if (\JSON_ERROR_NONE !== \json_last_error()) {
+            throw new InvalidArgumentException('json_encode error: ' . \json_last_error_msg());
+        }
+
+        /** @var string */
+        return $json;
+    }
+
+    /**
+     * Wrapper for the hrtime() or microtime() functions
+     * (depending on the PHP version, one of the two is used)
+     *
+     * @return float UNIX timestamp
+     *
+     * @internal
+     */
+    public static function currentTime(): float
+    {
+        return (float) \function_exists('hrtime') ? \hrtime(true) / 1e9 : \microtime(true);
+    }
+
+    /**
+     * @throws InvalidArgumentException
+     *
+     * @internal
+     */
+    public static function idnUriConvert(UriInterface $uri, int $options = 0): UriInterface
+    {
+        if ($uri->getHost()) {
+            $asciiHost = self::idnToAsci($uri->getHost(), $options, $info);
+            if ($asciiHost === false) {
+                $errorBitSet = $info['errors'] ?? 0;
+
+                $errorConstants = array_filter(array_keys(get_defined_constants()), static function (string $name): bool {
+                    return substr($name, 0, 11) === 'IDNA_ERROR_';
+                });
+
+                $errors = [];
+                foreach ($errorConstants as $errorConstant) {
+                    if ($errorBitSet & constant($errorConstant)) {
+                        $errors[] = $errorConstant;
+                    }
+                }
+
+                $errorMessage = 'IDN conversion failed';
+                if ($errors) {
+                    $errorMessage .= ' (errors: ' . implode(', ', $errors) . ')';
+                }
+
+                throw new InvalidArgumentException($errorMessage);
+            }
+            if ($uri->getHost() !== $asciiHost) {
+                // Replace URI only if the ASCII version is different
+                $uri = $uri->withHost($asciiHost);
+            }
+        }
+
+        return $uri;
+    }
+
+    /**
+     * @internal
+     */
+    public static function getenv(string $name): ?string
+    {
+        if (isset($_SERVER[$name])) {
+            return (string) $_SERVER[$name];
+        }
+
+        if (\PHP_SAPI === 'cli' && ($value = \getenv($name)) !== false && $value !== null) {
+            return (string) $value;
+        }
+
+        return null;
+    }
+
+    /**
+     * @return string|false
+     */
+    private static function idnToAsci(string $domain, int $options, ?array &$info = [])
+    {
+        if (\function_exists('idn_to_ascii') && \defined('INTL_IDNA_VARIANT_UTS46')) {
+            return \idn_to_ascii($domain, $options, \INTL_IDNA_VARIANT_UTS46, $info);
+        }
+
+        throw new \Error('ext-idn or symfony/polyfill-intl-idn not loaded or too old');
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions.php
new file mode 100644
index 000000000..a70d2cbf3
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions.php
@@ -0,0 +1,167 @@
+<?php
+
+namespace GuzzleHttp;
+
+/**
+ * Debug function used to describe the provided value type and class.
+ *
+ * @param mixed $input Any type of variable to describe the type of. This
+ *                     parameter misses a typehint because of that.
+ *
+ * @return string Returns a string containing the type of the variable and
+ *                if a class is provided, the class name.
+ *
+ * @deprecated describe_type will be removed in guzzlehttp/guzzle:8.0. Use Utils::describeType instead.
+ */
+function describe_type($input): string
+{
+    return Utils::describeType($input);
+}
+
+/**
+ * Parses an array of header lines into an associative array of headers.
+ *
+ * @param iterable $lines Header lines array of strings in the following
+ *                        format: "Name: Value"
+ *
+ * @deprecated headers_from_lines will be removed in guzzlehttp/guzzle:8.0. Use Utils::headersFromLines instead.
+ */
+function headers_from_lines(iterable $lines): array
+{
+    return Utils::headersFromLines($lines);
+}
+
+/**
+ * Returns a debug stream based on the provided variable.
+ *
+ * @param mixed $value Optional value
+ *
+ * @return resource
+ *
+ * @deprecated debug_resource will be removed in guzzlehttp/guzzle:8.0. Use Utils::debugResource instead.
+ */
+function debug_resource($value = null)
+{
+    return Utils::debugResource($value);
+}
+
+/**
+ * Chooses and creates a default handler to use based on the environment.
+ *
+ * The returned handler is not wrapped by any default middlewares.
+ *
+ * @throws \RuntimeException if no viable Handler is available.
+ *
+ * @return callable(\Psr\Http\Message\RequestInterface, array): \GuzzleHttp\Promise\PromiseInterface Returns the best handler for the given system.
+ *
+ * @deprecated choose_handler will be removed in guzzlehttp/guzzle:8.0. Use Utils::chooseHandler instead.
+ */
+function choose_handler(): callable
+{
+    return Utils::chooseHandler();
+}
+
+/**
+ * Get the default User-Agent string to use with Guzzle.
+ *
+ * @deprecated default_user_agent will be removed in guzzlehttp/guzzle:8.0. Use Utils::defaultUserAgent instead.
+ */
+function default_user_agent(): string
+{
+    return Utils::defaultUserAgent();
+}
+
+/**
+ * Returns the default cacert bundle for the current system.
+ *
+ * First, the openssl.cafile and curl.cainfo php.ini settings are checked.
+ * If those settings are not configured, then the common locations for
+ * bundles found on Red Hat, CentOS, Fedora, Ubuntu, Debian, FreeBSD, OS X
+ * and Windows are checked. If any of these file locations are found on
+ * disk, they will be utilized.
+ *
+ * Note: the result of this function is cached for subsequent calls.
+ *
+ * @throws \RuntimeException if no bundle can be found.
+ *
+ * @deprecated default_ca_bundle will be removed in guzzlehttp/guzzle:8.0. This function is not needed in PHP 5.6+.
+ */
+function default_ca_bundle(): string
+{
+    return Utils::defaultCaBundle();
+}
+
+/**
+ * Creates an associative array of lowercase header names to the actual
+ * header casing.
+ *
+ * @deprecated normalize_header_keys will be removed in guzzlehttp/guzzle:8.0. Use Utils::normalizeHeaderKeys instead.
+ */
+function normalize_header_keys(array $headers): array
+{
+    return Utils::normalizeHeaderKeys($headers);
+}
+
+/**
+ * Returns true if the provided host matches any of the no proxy areas.
+ *
+ * This method will strip a port from the host if it is present. Each pattern
+ * can be matched with an exact match (e.g., "foo.com" == "foo.com") or a
+ * partial match: (e.g., "foo.com" == "baz.foo.com" and ".foo.com" ==
+ * "baz.foo.com", but ".foo.com" != "foo.com").
+ *
+ * Areas are matched in the following cases:
+ * 1. "*" (without quotes) always matches any hosts.
+ * 2. An exact match.
+ * 3. The area starts with "." and the area is the last part of the host. e.g.
+ *    '.mit.edu' will match any host that ends with '.mit.edu'.
+ *
+ * @param string   $host         Host to check against the patterns.
+ * @param string[] $noProxyArray An array of host patterns.
+ *
+ * @throws Exception\InvalidArgumentException
+ *
+ * @deprecated is_host_in_noproxy will be removed in guzzlehttp/guzzle:8.0. Use Utils::isHostInNoProxy instead.
+ */
+function is_host_in_noproxy(string $host, array $noProxyArray): bool
+{
+    return Utils::isHostInNoProxy($host, $noProxyArray);
+}
+
+/**
+ * Wrapper for json_decode that throws when an error occurs.
+ *
+ * @param string $json    JSON data to parse
+ * @param bool   $assoc   When true, returned objects will be converted
+ *                        into associative arrays.
+ * @param int    $depth   User specified recursion depth.
+ * @param int    $options Bitmask of JSON decode options.
+ *
+ * @return object|array|string|int|float|bool|null
+ *
+ * @throws Exception\InvalidArgumentException if the JSON cannot be decoded.
+ *
+ * @link https://www.php.net/manual/en/function.json-decode.php
+ * @deprecated json_decode will be removed in guzzlehttp/guzzle:8.0. Use Utils::jsonDecode instead.
+ */
+function json_decode(string $json, bool $assoc = false, int $depth = 512, int $options = 0)
+{
+    return Utils::jsonDecode($json, $assoc, $depth, $options);
+}
+
+/**
+ * Wrapper for JSON encoding that throws when an error occurs.
+ *
+ * @param mixed $value   The value being encoded
+ * @param int   $options JSON encode option bitmask
+ * @param int   $depth   Set the maximum depth. Must be greater than zero.
+ *
+ * @throws Exception\InvalidArgumentException if the JSON cannot be encoded.
+ *
+ * @link https://www.php.net/manual/en/function.json-encode.php
+ * @deprecated json_encode will be removed in guzzlehttp/guzzle:8.0. Use Utils::jsonEncode instead.
+ */
+function json_encode($value, int $options = 0, int $depth = 512): string
+{
+    return Utils::jsonEncode($value, $options, $depth);
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions_include.php b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions_include.php
new file mode 100644
index 000000000..6636a4224
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/guzzle/src/functions_include.php
@@ -0,0 +1,6 @@
+<?php
+
+// Don't redefine the functions if included multiple times.
+if (!\function_exists('GuzzleHttp\describe_type')) {
+    require __DIR__ . '/functions.php';
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/CHANGELOG.md b/data/web/inc/lib/vendor/guzzlehttp/promises/CHANGELOG.md
new file mode 100644
index 000000000..253282eb1
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/CHANGELOG.md
@@ -0,0 +1,110 @@
+# CHANGELOG
+
+## 1.5.2 - 2022-08-07
+
+### Changed
+
+- Officially support PHP 8.2
+
+## 1.5.1 - 2021-10-22
+
+### Fixed
+
+- Revert "Call handler when waiting on fulfilled/rejected Promise"
+- Fix pool memory leak when empty array of promises provided
+
+## 1.5.0 - 2021-10-07
+
+### Changed
+
+- Call handler when waiting on fulfilled/rejected Promise
+- Officially support PHP 8.1
+
+### Fixed
+
+- Fix manually settle promises generated with `Utils::task`
+
+## 1.4.1 - 2021-02-18
+
+### Fixed
+
+- Fixed `each_limit` skipping promises and failing
+
+## 1.4.0 - 2020-09-30
+
+### Added
+
+- Support for PHP 8
+- Optional `$recursive` flag to `all`
+- Replaced functions by static methods
+
+### Fixed
+
+- Fix empty `each` processing
+- Fix promise handling for Iterators of non-unique keys
+- Fixed `method_exists` crashes on PHP 8
+- Memory leak on exceptions
+
+
+## 1.3.1 - 2016-12-20
+
+### Fixed
+
+- `wait()` foreign promise compatibility
+
+
+## 1.3.0 - 2016-11-18
+
+### Added
+
+- Adds support for custom task queues.
+
+### Fixed
+
+- Fixed coroutine promise memory leak.
+
+
+## 1.2.0 - 2016-05-18
+
+### Changed
+
+- Update to now catch `\Throwable` on PHP 7+
+
+
+## 1.1.0 - 2016-03-07
+
+### Changed
+
+- Update EachPromise to prevent recurring on a iterator when advancing, as this
+  could trigger fatal generator errors.
+- Update Promise to allow recursive waiting without unwrapping exceptions.
+
+
+## 1.0.3 - 2015-10-15
+
+### Changed
+
+- Update EachPromise to immediately resolve when the underlying promise iterator
+  is empty. Previously, such a promise would throw an exception when its `wait`
+  function was called.
+
+
+## 1.0.2 - 2015-05-15
+
+### Changed
+
+- Conditionally require functions.php.
+
+
+## 1.0.1 - 2015-06-24
+
+### Changed
+
+- Updating EachPromise to call next on the underlying promise iterator as late
+  as possible to ensure that generators that generate new requests based on
+  callbacks are not iterated until after callbacks are invoked.
+
+
+## 1.0.0 - 2015-05-12
+
+- Initial release
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/LICENSE b/data/web/inc/lib/vendor/guzzlehttp/promises/LICENSE
new file mode 100644
index 000000000..9f0f943be
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/LICENSE
@@ -0,0 +1,24 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Michael Dowling <mtdowling@gmail.com>
+Copyright (c) 2015 Graham Campbell <hello@gjcampbell.co.uk>
+Copyright (c) 2017 Tobias Schultze <webmaster@tubo-world.de>
+Copyright (c) 2020 Tobias Nyholm <tobias.nyholm@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/README.md b/data/web/inc/lib/vendor/guzzlehttp/promises/README.md
new file mode 100644
index 000000000..1ea667ab9
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/README.md
@@ -0,0 +1,546 @@
+# Guzzle Promises
+
+[Promises/A+](https://promisesaplus.com/) implementation that handles promise
+chaining and resolution iteratively, allowing for "infinite" promise chaining
+while keeping the stack size constant. Read [this blog post](https://blog.domenic.me/youre-missing-the-point-of-promises/)
+for a general introduction to promises.
+
+- [Features](#features)
+- [Quick start](#quick-start)
+- [Synchronous wait](#synchronous-wait)
+- [Cancellation](#cancellation)
+- [API](#api)
+  - [Promise](#promise)
+  - [FulfilledPromise](#fulfilledpromise)
+  - [RejectedPromise](#rejectedpromise)
+- [Promise interop](#promise-interop)
+- [Implementation notes](#implementation-notes)
+
+
+## Features
+
+- [Promises/A+](https://promisesaplus.com/) implementation.
+- Promise resolution and chaining is handled iteratively, allowing for
+  "infinite" promise chaining.
+- Promises have a synchronous `wait` method.
+- Promises can be cancelled.
+- Works with any object that has a `then` function.
+- C# style async/await coroutine promises using
+  `GuzzleHttp\Promise\Coroutine::of()`.
+
+
+## Quick Start
+
+A *promise* represents the eventual result of an asynchronous operation. The
+primary way of interacting with a promise is through its `then` method, which
+registers callbacks to receive either a promise's eventual value or the reason
+why the promise cannot be fulfilled.
+
+### Callbacks
+
+Callbacks are registered with the `then` method by providing an optional 
+`$onFulfilled` followed by an optional `$onRejected` function.
+
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise();
+$promise->then(
+    // $onFulfilled
+    function ($value) {
+        echo 'The promise was fulfilled.';
+    },
+    // $onRejected
+    function ($reason) {
+        echo 'The promise was rejected.';
+    }
+);
+```
+
+*Resolving* a promise means that you either fulfill a promise with a *value* or
+reject a promise with a *reason*. Resolving a promise triggers callbacks
+registered with the promise's `then` method. These callbacks are triggered
+only once and in the order in which they were added.
+
+### Resolving a Promise
+
+Promises are fulfilled using the `resolve($value)` method. Resolving a promise
+with any value other than a `GuzzleHttp\Promise\RejectedPromise` will trigger
+all of the onFulfilled callbacks (resolving a promise with a rejected promise
+will reject the promise and trigger the `$onRejected` callbacks).
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise();
+$promise
+    ->then(function ($value) {
+        // Return a value and don't break the chain
+        return "Hello, " . $value;
+    })
+    // This then is executed after the first then and receives the value
+    // returned from the first then.
+    ->then(function ($value) {
+        echo $value;
+    });
+
+// Resolving the promise triggers the $onFulfilled callbacks and outputs
+// "Hello, reader."
+$promise->resolve('reader.');
+```
+
+### Promise Forwarding
+
+Promises can be chained one after the other. Each then in the chain is a new
+promise. The return value of a promise is what's forwarded to the next
+promise in the chain. Returning a promise in a `then` callback will cause the
+subsequent promises in the chain to only be fulfilled when the returned promise
+has been fulfilled. The next promise in the chain will be invoked with the
+resolved value of the promise.
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise();
+$nextPromise = new Promise();
+
+$promise
+    ->then(function ($value) use ($nextPromise) {
+        echo $value;
+        return $nextPromise;
+    })
+    ->then(function ($value) {
+        echo $value;
+    });
+
+// Triggers the first callback and outputs "A"
+$promise->resolve('A');
+// Triggers the second callback and outputs "B"
+$nextPromise->resolve('B');
+```
+
+### Promise Rejection
+
+When a promise is rejected, the `$onRejected` callbacks are invoked with the
+rejection reason.
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise();
+$promise->then(null, function ($reason) {
+    echo $reason;
+});
+
+$promise->reject('Error!');
+// Outputs "Error!"
+```
+
+### Rejection Forwarding
+
+If an exception is thrown in an `$onRejected` callback, subsequent
+`$onRejected` callbacks are invoked with the thrown exception as the reason.
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise();
+$promise->then(null, function ($reason) {
+    throw new Exception($reason);
+})->then(null, function ($reason) {
+    assert($reason->getMessage() === 'Error!');
+});
+
+$promise->reject('Error!');
+```
+
+You can also forward a rejection down the promise chain by returning a
+`GuzzleHttp\Promise\RejectedPromise` in either an `$onFulfilled` or
+`$onRejected` callback.
+
+```php
+use GuzzleHttp\Promise\Promise;
+use GuzzleHttp\Promise\RejectedPromise;
+
+$promise = new Promise();
+$promise->then(null, function ($reason) {
+    return new RejectedPromise($reason);
+})->then(null, function ($reason) {
+    assert($reason === 'Error!');
+});
+
+$promise->reject('Error!');
+```
+
+If an exception is not thrown in a `$onRejected` callback and the callback
+does not return a rejected promise, downstream `$onFulfilled` callbacks are
+invoked using the value returned from the `$onRejected` callback.
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise();
+$promise
+    ->then(null, function ($reason) {
+        return "It's ok";
+    })
+    ->then(function ($value) {
+        assert($value === "It's ok");
+    });
+
+$promise->reject('Error!');
+```
+
+
+## Synchronous Wait
+
+You can synchronously force promises to complete using a promise's `wait`
+method. When creating a promise, you can provide a wait function that is used
+to synchronously force a promise to complete. When a wait function is invoked
+it is expected to deliver a value to the promise or reject the promise. If the
+wait function does not deliver a value, then an exception is thrown. The wait
+function provided to a promise constructor is invoked when the `wait` function
+of the promise is called.
+
+```php
+$promise = new Promise(function () use (&$promise) {
+    $promise->resolve('foo');
+});
+
+// Calling wait will return the value of the promise.
+echo $promise->wait(); // outputs "foo"
+```
+
+If an exception is encountered while invoking the wait function of a promise,
+the promise is rejected with the exception and the exception is thrown.
+
+```php
+$promise = new Promise(function () use (&$promise) {
+    throw new Exception('foo');
+});
+
+$promise->wait(); // throws the exception.
+```
+
+Calling `wait` on a promise that has been fulfilled will not trigger the wait
+function. It will simply return the previously resolved value.
+
+```php
+$promise = new Promise(function () { die('this is not called!'); });
+$promise->resolve('foo');
+echo $promise->wait(); // outputs "foo"
+```
+
+Calling `wait` on a promise that has been rejected will throw an exception. If
+the rejection reason is an instance of `\Exception` the reason is thrown.
+Otherwise, a `GuzzleHttp\Promise\RejectionException` is thrown and the reason
+can be obtained by calling the `getReason` method of the exception.
+
+```php
+$promise = new Promise();
+$promise->reject('foo');
+$promise->wait();
+```
+
+> PHP Fatal error:  Uncaught exception 'GuzzleHttp\Promise\RejectionException' with message 'The promise was rejected with value: foo'
+
+### Unwrapping a Promise
+
+When synchronously waiting on a promise, you are joining the state of the
+promise into the current state of execution (i.e., return the value of the
+promise if it was fulfilled or throw an exception if it was rejected). This is
+called "unwrapping" the promise. Waiting on a promise will by default unwrap
+the promise state.
+
+You can force a promise to resolve and *not* unwrap the state of the promise
+by passing `false` to the first argument of the `wait` function:
+
+```php
+$promise = new Promise();
+$promise->reject('foo');
+// This will not throw an exception. It simply ensures the promise has
+// been resolved.
+$promise->wait(false);
+```
+
+When unwrapping a promise, the resolved value of the promise will be waited
+upon until the unwrapped value is not a promise. This means that if you resolve
+promise A with a promise B and unwrap promise A, the value returned by the
+wait function will be the value delivered to promise B.
+
+**Note**: when you do not unwrap the promise, no value is returned.
+
+
+## Cancellation
+
+You can cancel a promise that has not yet been fulfilled using the `cancel()`
+method of a promise. When creating a promise you can provide an optional
+cancel function that when invoked cancels the action of computing a resolution
+of the promise.
+
+
+## API
+
+### Promise
+
+When creating a promise object, you can provide an optional `$waitFn` and
+`$cancelFn`. `$waitFn` is a function that is invoked with no arguments and is
+expected to resolve the promise. `$cancelFn` is a function with no arguments
+that is expected to cancel the computation of a promise. It is invoked when the
+`cancel()` method of a promise is called.
+
+```php
+use GuzzleHttp\Promise\Promise;
+
+$promise = new Promise(
+    function () use (&$promise) {
+        $promise->resolve('waited');
+    },
+    function () {
+        // do something that will cancel the promise computation (e.g., close
+        // a socket, cancel a database query, etc...)
+    }
+);
+
+assert('waited' === $promise->wait());
+```
+
+A promise has the following methods:
+
+- `then(callable $onFulfilled, callable $onRejected) : PromiseInterface`
+  
+  Appends fulfillment and rejection handlers to the promise, and returns a new promise resolving to the return value of the called handler.
+
+- `otherwise(callable $onRejected) : PromiseInterface`
+  
+  Appends a rejection handler callback to the promise, and returns a new promise resolving to the return value of the callback if it is called, or to its original fulfillment value if the promise is instead fulfilled.
+
+- `wait($unwrap = true) : mixed`
+
+  Synchronously waits on the promise to complete.
+  
+  `$unwrap` controls whether or not the value of the promise is returned for a
+  fulfilled promise or if an exception is thrown if the promise is rejected.
+  This is set to `true` by default.
+
+- `cancel()`
+
+  Attempts to cancel the promise if possible. The promise being cancelled and
+  the parent most ancestor that has not yet been resolved will also be
+  cancelled. Any promises waiting on the cancelled promise to resolve will also
+  be cancelled.
+
+- `getState() : string`
+
+  Returns the state of the promise. One of `pending`, `fulfilled`, or
+  `rejected`.
+
+- `resolve($value)`
+
+  Fulfills the promise with the given `$value`.
+
+- `reject($reason)`
+
+  Rejects the promise with the given `$reason`.
+
+
+### FulfilledPromise
+
+A fulfilled promise can be created to represent a promise that has been
+fulfilled.
+
+```php
+use GuzzleHttp\Promise\FulfilledPromise;
+
+$promise = new FulfilledPromise('value');
+
+// Fulfilled callbacks are immediately invoked.
+$promise->then(function ($value) {
+    echo $value;
+});
+```
+
+
+### RejectedPromise
+
+A rejected promise can be created to represent a promise that has been
+rejected.
+
+```php
+use GuzzleHttp\Promise\RejectedPromise;
+
+$promise = new RejectedPromise('Error');
+
+// Rejected callbacks are immediately invoked.
+$promise->then(null, function ($reason) {
+    echo $reason;
+});
+```
+
+
+## Promise Interoperability
+
+This library works with foreign promises that have a `then` method. This means
+you can use Guzzle promises with [React promises](https://github.com/reactphp/promise)
+for example. When a foreign promise is returned inside of a then method
+callback, promise resolution will occur recursively.
+
+```php
+// Create a React promise
+$deferred = new React\Promise\Deferred();
+$reactPromise = $deferred->promise();
+
+// Create a Guzzle promise that is fulfilled with a React promise.
+$guzzlePromise = new GuzzleHttp\Promise\Promise();
+$guzzlePromise->then(function ($value) use ($reactPromise) {
+    // Do something something with the value...
+    // Return the React promise
+    return $reactPromise;
+});
+```
+
+Please note that wait and cancel chaining is no longer possible when forwarding
+a foreign promise. You will need to wrap a third-party promise with a Guzzle
+promise in order to utilize wait and cancel functions with foreign promises.
+
+
+### Event Loop Integration
+
+In order to keep the stack size constant, Guzzle promises are resolved
+asynchronously using a task queue. When waiting on promises synchronously, the
+task queue will be automatically run to ensure that the blocking promise and
+any forwarded promises are resolved. When using promises asynchronously in an
+event loop, you will need to run the task queue on each tick of the loop. If
+you do not run the task queue, then promises will not be resolved.
+
+You can run the task queue using the `run()` method of the global task queue
+instance.
+
+```php
+// Get the global task queue
+$queue = GuzzleHttp\Promise\Utils::queue();
+$queue->run();
+```
+
+For example, you could use Guzzle promises with React using a periodic timer:
+
+```php
+$loop = React\EventLoop\Factory::create();
+$loop->addPeriodicTimer(0, [$queue, 'run']);
+```
+
+*TODO*: Perhaps adding a `futureTick()` on each tick would be faster?
+
+
+## Implementation Notes
+
+### Promise Resolution and Chaining is Handled Iteratively
+
+By shuffling pending handlers from one owner to another, promises are
+resolved iteratively, allowing for "infinite" then chaining.
+
+```php
+<?php
+require 'vendor/autoload.php';
+
+use GuzzleHttp\Promise\Promise;
+
+$parent = new Promise();
+$p = $parent;
+
+for ($i = 0; $i < 1000; $i++) {
+    $p = $p->then(function ($v) {
+        // The stack size remains constant (a good thing)
+        echo xdebug_get_stack_depth() . ', ';
+        return $v + 1;
+    });
+}
+
+$parent->resolve(0);
+var_dump($p->wait()); // int(1000)
+
+```
+
+When a promise is fulfilled or rejected with a non-promise value, the promise
+then takes ownership of the handlers of each child promise and delivers values
+down the chain without using recursion.
+
+When a promise is resolved with another promise, the original promise transfers
+all of its pending handlers to the new promise. When the new promise is
+eventually resolved, all of the pending handlers are delivered the forwarded
+value.
+
+### A Promise is the Deferred
+
+Some promise libraries implement promises using a deferred object to represent
+a computation and a promise object to represent the delivery of the result of
+the computation. This is a nice separation of computation and delivery because
+consumers of the promise cannot modify the value that will be eventually
+delivered.
+
+One side effect of being able to implement promise resolution and chaining
+iteratively is that you need to be able for one promise to reach into the state
+of another promise to shuffle around ownership of handlers. In order to achieve
+this without making the handlers of a promise publicly mutable, a promise is
+also the deferred value, allowing promises of the same parent class to reach
+into and modify the private properties of promises of the same type. While this
+does allow consumers of the value to modify the resolution or rejection of the
+deferred, it is a small price to pay for keeping the stack size constant.
+
+```php
+$promise = new Promise();
+$promise->then(function ($value) { echo $value; });
+// The promise is the deferred value, so you can deliver a value to it.
+$promise->resolve('foo');
+// prints "foo"
+```
+
+
+## Upgrading from Function API
+
+A static API was first introduced in 1.4.0, in order to mitigate problems with
+functions conflicting between global and local copies of the package. The
+function API will be removed in 2.0.0. A migration table has been provided here
+for your convenience:
+
+| Original Function | Replacement Method |
+|----------------|----------------|
+| `queue` | `Utils::queue` |
+| `task` | `Utils::task` |
+| `promise_for` | `Create::promiseFor` |
+| `rejection_for` | `Create::rejectionFor` |
+| `exception_for` | `Create::exceptionFor` |
+| `iter_for` | `Create::iterFor` |
+| `inspect` | `Utils::inspect` |
+| `inspect_all` | `Utils::inspectAll` |
+| `unwrap` | `Utils::unwrap` |
+| `all` | `Utils::all` |
+| `some` | `Utils::some` |
+| `any` | `Utils::any` |
+| `settle` | `Utils::settle` |
+| `each` | `Each::of` |
+| `each_limit` | `Each::ofLimit` |
+| `each_limit_all` | `Each::ofLimitAll` |
+| `!is_fulfilled` | `Is::pending` |
+| `is_fulfilled` | `Is::fulfilled` |
+| `is_rejected` | `Is::rejected` |
+| `is_settled` | `Is::settled` |
+| `coroutine` | `Coroutine::of` |
+
+
+## Security
+
+If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced. Please see [Security Policy](https://github.com/guzzle/promises/security/policy) for more information.
+
+
+## License
+
+Guzzle is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information.
+
+
+## For Enterprise
+
+Available as part of the Tidelift Subscription
+
+The maintainers of Guzzle and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/packagist-guzzlehttp-promises?utm_source=packagist-guzzlehttp-promises&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/composer.json b/data/web/inc/lib/vendor/guzzlehttp/promises/composer.json
new file mode 100644
index 000000000..c959fb32b
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/composer.json
@@ -0,0 +1,58 @@
+{
+    "name": "guzzlehttp/promises",
+    "description": "Guzzle promises library",
+    "keywords": ["promise"],
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Graham Campbell",
+            "email": "hello@gjcampbell.co.uk",
+            "homepage": "https://github.com/GrahamCampbell"
+        },
+        {
+            "name": "Michael Dowling",
+            "email": "mtdowling@gmail.com",
+            "homepage": "https://github.com/mtdowling"
+        },
+        {
+            "name": "Tobias Nyholm",
+            "email": "tobias.nyholm@gmail.com",
+            "homepage": "https://github.com/Nyholm"
+        },
+        {
+            "name": "Tobias Schultze",
+            "email": "webmaster@tubo-world.de",
+            "homepage": "https://github.com/Tobion"
+        }
+    ],
+    "require": {
+        "php": ">=5.5"
+    },
+    "require-dev": {
+        "symfony/phpunit-bridge": "^4.4 || ^5.1"
+    },
+    "autoload": {
+        "psr-4": {
+            "GuzzleHttp\\Promise\\": "src/"
+        },
+        "files": ["src/functions_include.php"]
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "GuzzleHttp\\Promise\\Tests\\": "tests/"
+        }
+    },
+    "scripts": {
+        "test": "vendor/bin/simple-phpunit",
+        "test-ci": "vendor/bin/simple-phpunit --coverage-text"
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-master": "1.5-dev"
+        }
+    },
+    "config": {
+        "preferred-install": "dist",
+        "sort-packages": true
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/AggregateException.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/AggregateException.php
new file mode 100644
index 000000000..d2b5712b9
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/AggregateException.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * Exception thrown when too many errors occur in the some() or any() methods.
+ */
+class AggregateException extends RejectionException
+{
+    public function __construct($msg, array $reasons)
+    {
+        parent::__construct(
+            $reasons,
+            sprintf('%s; %d rejected promises', $msg, count($reasons))
+        );
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/CancellationException.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/CancellationException.php
new file mode 100644
index 000000000..56a1ed65b
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/CancellationException.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * Exception that is set as the reason for a promise that has been cancelled.
+ */
+class CancellationException extends RejectionException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/Coroutine.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Coroutine.php
new file mode 100644
index 000000000..670da4773
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Coroutine.php
@@ -0,0 +1,169 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+use Exception;
+use Generator;
+use Throwable;
+
+/**
+ * Creates a promise that is resolved using a generator that yields values or
+ * promises (somewhat similar to C#'s async keyword).
+ *
+ * When called, the Coroutine::of method will start an instance of the generator
+ * and returns a promise that is fulfilled with its final yielded value.
+ *
+ * Control is returned back to the generator when the yielded promise settles.
+ * This can lead to less verbose code when doing lots of sequential async calls
+ * with minimal processing in between.
+ *
+ *     use GuzzleHttp\Promise;
+ *
+ *     function createPromise($value) {
+ *         return new Promise\FulfilledPromise($value);
+ *     }
+ *
+ *     $promise = Promise\Coroutine::of(function () {
+ *         $value = (yield createPromise('a'));
+ *         try {
+ *             $value = (yield createPromise($value . 'b'));
+ *         } catch (\Exception $e) {
+ *             // The promise was rejected.
+ *         }
+ *         yield $value . 'c';
+ *     });
+ *
+ *     // Outputs "abc"
+ *     $promise->then(function ($v) { echo $v; });
+ *
+ * @param callable $generatorFn Generator function to wrap into a promise.
+ *
+ * @return Promise
+ *
+ * @link https://github.com/petkaantonov/bluebird/blob/master/API.md#generators inspiration
+ */
+final class Coroutine implements PromiseInterface
+{
+    /**
+     * @var PromiseInterface|null
+     */
+    private $currentPromise;
+
+    /**
+     * @var Generator
+     */
+    private $generator;
+
+    /**
+     * @var Promise
+     */
+    private $result;
+
+    public function __construct(callable $generatorFn)
+    {
+        $this->generator = $generatorFn();
+        $this->result = new Promise(function () {
+            while (isset($this->currentPromise)) {
+                $this->currentPromise->wait();
+            }
+        });
+        try {
+            $this->nextCoroutine($this->generator->current());
+        } catch (\Exception $exception) {
+            $this->result->reject($exception);
+        } catch (Throwable $throwable) {
+            $this->result->reject($throwable);
+        }
+    }
+
+    /**
+     * Create a new coroutine.
+     *
+     * @return self
+     */
+    public static function of(callable $generatorFn)
+    {
+        return new self($generatorFn);
+    }
+
+    public function then(
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    ) {
+        return $this->result->then($onFulfilled, $onRejected);
+    }
+
+    public function otherwise(callable $onRejected)
+    {
+        return $this->result->otherwise($onRejected);
+    }
+
+    public function wait($unwrap = true)
+    {
+        return $this->result->wait($unwrap);
+    }
+
+    public function getState()
+    {
+        return $this->result->getState();
+    }
+
+    public function resolve($value)
+    {
+        $this->result->resolve($value);
+    }
+
+    public function reject($reason)
+    {
+        $this->result->reject($reason);
+    }
+
+    public function cancel()
+    {
+        $this->currentPromise->cancel();
+        $this->result->cancel();
+    }
+
+    private function nextCoroutine($yielded)
+    {
+        $this->currentPromise = Create::promiseFor($yielded)
+            ->then([$this, '_handleSuccess'], [$this, '_handleFailure']);
+    }
+
+    /**
+     * @internal
+     */
+    public function _handleSuccess($value)
+    {
+        unset($this->currentPromise);
+        try {
+            $next = $this->generator->send($value);
+            if ($this->generator->valid()) {
+                $this->nextCoroutine($next);
+            } else {
+                $this->result->resolve($value);
+            }
+        } catch (Exception $exception) {
+            $this->result->reject($exception);
+        } catch (Throwable $throwable) {
+            $this->result->reject($throwable);
+        }
+    }
+
+    /**
+     * @internal
+     */
+    public function _handleFailure($reason)
+    {
+        unset($this->currentPromise);
+        try {
+            $nextYield = $this->generator->throw(Create::exceptionFor($reason));
+            // The throw was caught, so keep iterating on the coroutine
+            $this->nextCoroutine($nextYield);
+        } catch (Exception $exception) {
+            $this->result->reject($exception);
+        } catch (Throwable $throwable) {
+            $this->result->reject($throwable);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/Create.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Create.php
new file mode 100644
index 000000000..8d038e9c1
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Create.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+final class Create
+{
+    /**
+     * Creates a promise for a value if the value is not a promise.
+     *
+     * @param mixed $value Promise or value.
+     *
+     * @return PromiseInterface
+     */
+    public static function promiseFor($value)
+    {
+        if ($value instanceof PromiseInterface) {
+            return $value;
+        }
+
+        // Return a Guzzle promise that shadows the given promise.
+        if (is_object($value) && method_exists($value, 'then')) {
+            $wfn = method_exists($value, 'wait') ? [$value, 'wait'] : null;
+            $cfn = method_exists($value, 'cancel') ? [$value, 'cancel'] : null;
+            $promise = new Promise($wfn, $cfn);
+            $value->then([$promise, 'resolve'], [$promise, 'reject']);
+            return $promise;
+        }
+
+        return new FulfilledPromise($value);
+    }
+
+    /**
+     * Creates a rejected promise for a reason if the reason is not a promise.
+     * If the provided reason is a promise, then it is returned as-is.
+     *
+     * @param mixed $reason Promise or reason.
+     *
+     * @return PromiseInterface
+     */
+    public static function rejectionFor($reason)
+    {
+        if ($reason instanceof PromiseInterface) {
+            return $reason;
+        }
+
+        return new RejectedPromise($reason);
+    }
+
+    /**
+     * Create an exception for a rejected promise value.
+     *
+     * @param mixed $reason
+     *
+     * @return \Exception|\Throwable
+     */
+    public static function exceptionFor($reason)
+    {
+        if ($reason instanceof \Exception || $reason instanceof \Throwable) {
+            return $reason;
+        }
+
+        return new RejectionException($reason);
+    }
+
+    /**
+     * Returns an iterator for the given value.
+     *
+     * @param mixed $value
+     *
+     * @return \Iterator
+     */
+    public static function iterFor($value)
+    {
+        if ($value instanceof \Iterator) {
+            return $value;
+        }
+
+        if (is_array($value)) {
+            return new \ArrayIterator($value);
+        }
+
+        return new \ArrayIterator([$value]);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/Each.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Each.php
new file mode 100644
index 000000000..1dda35499
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Each.php
@@ -0,0 +1,90 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+final class Each
+{
+    /**
+     * Given an iterator that yields promises or values, returns a promise that
+     * is fulfilled with a null value when the iterator has been consumed or
+     * the aggregate promise has been fulfilled or rejected.
+     *
+     * $onFulfilled is a function that accepts the fulfilled value, iterator
+     * index, and the aggregate promise. The callback can invoke any necessary
+     * side effects and choose to resolve or reject the aggregate if needed.
+     *
+     * $onRejected is a function that accepts the rejection reason, iterator
+     * index, and the aggregate promise. The callback can invoke any necessary
+     * side effects and choose to resolve or reject the aggregate if needed.
+     *
+     * @param mixed    $iterable    Iterator or array to iterate over.
+     * @param callable $onFulfilled
+     * @param callable $onRejected
+     *
+     * @return PromiseInterface
+     */
+    public static function of(
+        $iterable,
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    ) {
+        return (new EachPromise($iterable, [
+            'fulfilled' => $onFulfilled,
+            'rejected'  => $onRejected
+        ]))->promise();
+    }
+
+    /**
+     * Like of, but only allows a certain number of outstanding promises at any
+     * given time.
+     *
+     * $concurrency may be an integer or a function that accepts the number of
+     * pending promises and returns a numeric concurrency limit value to allow
+     * for dynamic a concurrency size.
+     *
+     * @param mixed        $iterable
+     * @param int|callable $concurrency
+     * @param callable     $onFulfilled
+     * @param callable     $onRejected
+     *
+     * @return PromiseInterface
+     */
+    public static function ofLimit(
+        $iterable,
+        $concurrency,
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    ) {
+        return (new EachPromise($iterable, [
+            'fulfilled'   => $onFulfilled,
+            'rejected'    => $onRejected,
+            'concurrency' => $concurrency
+        ]))->promise();
+    }
+
+    /**
+     * Like limit, but ensures that no promise in the given $iterable argument
+     * is rejected. If any promise is rejected, then the aggregate promise is
+     * rejected with the encountered rejection.
+     *
+     * @param mixed        $iterable
+     * @param int|callable $concurrency
+     * @param callable     $onFulfilled
+     *
+     * @return PromiseInterface
+     */
+    public static function ofLimitAll(
+        $iterable,
+        $concurrency,
+        callable $onFulfilled = null
+    ) {
+        return each_limit(
+            $iterable,
+            $concurrency,
+            $onFulfilled,
+            function ($reason, $idx, PromiseInterface $aggregate) {
+                $aggregate->reject($reason);
+            }
+        );
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/EachPromise.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/EachPromise.php
new file mode 100644
index 000000000..280d79950
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/EachPromise.php
@@ -0,0 +1,247 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * Represents a promise that iterates over many promises and invokes
+ * side-effect functions in the process.
+ */
+class EachPromise implements PromisorInterface
+{
+    private $pending = [];
+
+    private $nextPendingIndex = 0;
+
+    /** @var \Iterator|null */
+    private $iterable;
+
+    /** @var callable|int|null */
+    private $concurrency;
+
+    /** @var callable|null */
+    private $onFulfilled;
+
+    /** @var callable|null */
+    private $onRejected;
+
+    /** @var Promise|null */
+    private $aggregate;
+
+    /** @var bool|null */
+    private $mutex;
+
+    /**
+     * Configuration hash can include the following key value pairs:
+     *
+     * - fulfilled: (callable) Invoked when a promise fulfills. The function
+     *   is invoked with three arguments: the fulfillment value, the index
+     *   position from the iterable list of the promise, and the aggregate
+     *   promise that manages all of the promises. The aggregate promise may
+     *   be resolved from within the callback to short-circuit the promise.
+     * - rejected: (callable) Invoked when a promise is rejected. The
+     *   function is invoked with three arguments: the rejection reason, the
+     *   index position from the iterable list of the promise, and the
+     *   aggregate promise that manages all of the promises. The aggregate
+     *   promise may be resolved from within the callback to short-circuit
+     *   the promise.
+     * - concurrency: (integer) Pass this configuration option to limit the
+     *   allowed number of outstanding concurrently executing promises,
+     *   creating a capped pool of promises. There is no limit by default.
+     *
+     * @param mixed $iterable Promises or values to iterate.
+     * @param array $config   Configuration options
+     */
+    public function __construct($iterable, array $config = [])
+    {
+        $this->iterable = Create::iterFor($iterable);
+
+        if (isset($config['concurrency'])) {
+            $this->concurrency = $config['concurrency'];
+        }
+
+        if (isset($config['fulfilled'])) {
+            $this->onFulfilled = $config['fulfilled'];
+        }
+
+        if (isset($config['rejected'])) {
+            $this->onRejected = $config['rejected'];
+        }
+    }
+
+    /** @psalm-suppress InvalidNullableReturnType */
+    public function promise()
+    {
+        if ($this->aggregate) {
+            return $this->aggregate;
+        }
+
+        try {
+            $this->createPromise();
+            /** @psalm-assert Promise $this->aggregate */
+            $this->iterable->rewind();
+            $this->refillPending();
+        } catch (\Throwable $e) {
+            $this->aggregate->reject($e);
+        } catch (\Exception $e) {
+            $this->aggregate->reject($e);
+        }
+
+        /**
+         * @psalm-suppress NullableReturnStatement
+         * @phpstan-ignore-next-line
+         */
+        return $this->aggregate;
+    }
+
+    private function createPromise()
+    {
+        $this->mutex = false;
+        $this->aggregate = new Promise(function () {
+            if ($this->checkIfFinished()) {
+                return;
+            }
+            reset($this->pending);
+            // Consume a potentially fluctuating list of promises while
+            // ensuring that indexes are maintained (precluding array_shift).
+            while ($promise = current($this->pending)) {
+                next($this->pending);
+                $promise->wait();
+                if (Is::settled($this->aggregate)) {
+                    return;
+                }
+            }
+        });
+
+        // Clear the references when the promise is resolved.
+        $clearFn = function () {
+            $this->iterable = $this->concurrency = $this->pending = null;
+            $this->onFulfilled = $this->onRejected = null;
+            $this->nextPendingIndex = 0;
+        };
+
+        $this->aggregate->then($clearFn, $clearFn);
+    }
+
+    private function refillPending()
+    {
+        if (!$this->concurrency) {
+            // Add all pending promises.
+            while ($this->addPending() && $this->advanceIterator());
+            return;
+        }
+
+        // Add only up to N pending promises.
+        $concurrency = is_callable($this->concurrency)
+            ? call_user_func($this->concurrency, count($this->pending))
+            : $this->concurrency;
+        $concurrency = max($concurrency - count($this->pending), 0);
+        // Concurrency may be set to 0 to disallow new promises.
+        if (!$concurrency) {
+            return;
+        }
+        // Add the first pending promise.
+        $this->addPending();
+        // Note this is special handling for concurrency=1 so that we do
+        // not advance the iterator after adding the first promise. This
+        // helps work around issues with generators that might not have the
+        // next value to yield until promise callbacks are called.
+        while (--$concurrency
+            && $this->advanceIterator()
+            && $this->addPending());
+    }
+
+    private function addPending()
+    {
+        if (!$this->iterable || !$this->iterable->valid()) {
+            return false;
+        }
+
+        $promise = Create::promiseFor($this->iterable->current());
+        $key = $this->iterable->key();
+
+        // Iterable keys may not be unique, so we use a counter to
+        // guarantee uniqueness
+        $idx = $this->nextPendingIndex++;
+
+        $this->pending[$idx] = $promise->then(
+            function ($value) use ($idx, $key) {
+                if ($this->onFulfilled) {
+                    call_user_func(
+                        $this->onFulfilled,
+                        $value,
+                        $key,
+                        $this->aggregate
+                    );
+                }
+                $this->step($idx);
+            },
+            function ($reason) use ($idx, $key) {
+                if ($this->onRejected) {
+                    call_user_func(
+                        $this->onRejected,
+                        $reason,
+                        $key,
+                        $this->aggregate
+                    );
+                }
+                $this->step($idx);
+            }
+        );
+
+        return true;
+    }
+
+    private function advanceIterator()
+    {
+        // Place a lock on the iterator so that we ensure to not recurse,
+        // preventing fatal generator errors.
+        if ($this->mutex) {
+            return false;
+        }
+
+        $this->mutex = true;
+
+        try {
+            $this->iterable->next();
+            $this->mutex = false;
+            return true;
+        } catch (\Throwable $e) {
+            $this->aggregate->reject($e);
+            $this->mutex = false;
+            return false;
+        } catch (\Exception $e) {
+            $this->aggregate->reject($e);
+            $this->mutex = false;
+            return false;
+        }
+    }
+
+    private function step($idx)
+    {
+        // If the promise was already resolved, then ignore this step.
+        if (Is::settled($this->aggregate)) {
+            return;
+        }
+
+        unset($this->pending[$idx]);
+
+        // Only refill pending promises if we are not locked, preventing the
+        // EachPromise to recursively invoke the provided iterator, which
+        // cause a fatal error: "Cannot resume an already running generator"
+        if ($this->advanceIterator() && !$this->checkIfFinished()) {
+            // Add more pending promises if possible.
+            $this->refillPending();
+        }
+    }
+
+    private function checkIfFinished()
+    {
+        if (!$this->pending && !$this->iterable->valid()) {
+            // Resolve the promise if there's nothing left to do.
+            $this->aggregate->resolve(null);
+            return true;
+        }
+
+        return false;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/FulfilledPromise.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/FulfilledPromise.php
new file mode 100644
index 000000000..98f72a62a
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/FulfilledPromise.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * A promise that has been fulfilled.
+ *
+ * Thenning off of this promise will invoke the onFulfilled callback
+ * immediately and ignore other callbacks.
+ */
+class FulfilledPromise implements PromiseInterface
+{
+    private $value;
+
+    public function __construct($value)
+    {
+        if (is_object($value) && method_exists($value, 'then')) {
+            throw new \InvalidArgumentException(
+                'You cannot create a FulfilledPromise with a promise.'
+            );
+        }
+
+        $this->value = $value;
+    }
+
+    public function then(
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    ) {
+        // Return itself if there is no onFulfilled function.
+        if (!$onFulfilled) {
+            return $this;
+        }
+
+        $queue = Utils::queue();
+        $p = new Promise([$queue, 'run']);
+        $value = $this->value;
+        $queue->add(static function () use ($p, $value, $onFulfilled) {
+            if (Is::pending($p)) {
+                try {
+                    $p->resolve($onFulfilled($value));
+                } catch (\Throwable $e) {
+                    $p->reject($e);
+                } catch (\Exception $e) {
+                    $p->reject($e);
+                }
+            }
+        });
+
+        return $p;
+    }
+
+    public function otherwise(callable $onRejected)
+    {
+        return $this->then(null, $onRejected);
+    }
+
+    public function wait($unwrap = true, $defaultDelivery = null)
+    {
+        return $unwrap ? $this->value : null;
+    }
+
+    public function getState()
+    {
+        return self::FULFILLED;
+    }
+
+    public function resolve($value)
+    {
+        if ($value !== $this->value) {
+            throw new \LogicException("Cannot resolve a fulfilled promise");
+        }
+    }
+
+    public function reject($reason)
+    {
+        throw new \LogicException("Cannot reject a fulfilled promise");
+    }
+
+    public function cancel()
+    {
+        // pass
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/Is.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Is.php
new file mode 100644
index 000000000..c3ed8d014
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Is.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+final class Is
+{
+    /**
+     * Returns true if a promise is pending.
+     *
+     * @return bool
+     */
+    public static function pending(PromiseInterface $promise)
+    {
+        return $promise->getState() === PromiseInterface::PENDING;
+    }
+
+    /**
+     * Returns true if a promise is fulfilled or rejected.
+     *
+     * @return bool
+     */
+    public static function settled(PromiseInterface $promise)
+    {
+        return $promise->getState() !== PromiseInterface::PENDING;
+    }
+
+    /**
+     * Returns true if a promise is fulfilled.
+     *
+     * @return bool
+     */
+    public static function fulfilled(PromiseInterface $promise)
+    {
+        return $promise->getState() === PromiseInterface::FULFILLED;
+    }
+
+    /**
+     * Returns true if a promise is rejected.
+     *
+     * @return bool
+     */
+    public static function rejected(PromiseInterface $promise)
+    {
+        return $promise->getState() === PromiseInterface::REJECTED;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/Promise.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Promise.php
new file mode 100644
index 000000000..75939057b
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Promise.php
@@ -0,0 +1,278 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * Promises/A+ implementation that avoids recursion when possible.
+ *
+ * @link https://promisesaplus.com/
+ */
+class Promise implements PromiseInterface
+{
+    private $state = self::PENDING;
+    private $result;
+    private $cancelFn;
+    private $waitFn;
+    private $waitList;
+    private $handlers = [];
+
+    /**
+     * @param callable $waitFn   Fn that when invoked resolves the promise.
+     * @param callable $cancelFn Fn that when invoked cancels the promise.
+     */
+    public function __construct(
+        callable $waitFn = null,
+        callable $cancelFn = null
+    ) {
+        $this->waitFn = $waitFn;
+        $this->cancelFn = $cancelFn;
+    }
+
+    public function then(
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    ) {
+        if ($this->state === self::PENDING) {
+            $p = new Promise(null, [$this, 'cancel']);
+            $this->handlers[] = [$p, $onFulfilled, $onRejected];
+            $p->waitList = $this->waitList;
+            $p->waitList[] = $this;
+            return $p;
+        }
+
+        // Return a fulfilled promise and immediately invoke any callbacks.
+        if ($this->state === self::FULFILLED) {
+            $promise = Create::promiseFor($this->result);
+            return $onFulfilled ? $promise->then($onFulfilled) : $promise;
+        }
+
+        // It's either cancelled or rejected, so return a rejected promise
+        // and immediately invoke any callbacks.
+        $rejection = Create::rejectionFor($this->result);
+        return $onRejected ? $rejection->then(null, $onRejected) : $rejection;
+    }
+
+    public function otherwise(callable $onRejected)
+    {
+        return $this->then(null, $onRejected);
+    }
+
+    public function wait($unwrap = true)
+    {
+        $this->waitIfPending();
+
+        if ($this->result instanceof PromiseInterface) {
+            return $this->result->wait($unwrap);
+        }
+        if ($unwrap) {
+            if ($this->state === self::FULFILLED) {
+                return $this->result;
+            }
+            // It's rejected so "unwrap" and throw an exception.
+            throw Create::exceptionFor($this->result);
+        }
+    }
+
+    public function getState()
+    {
+        return $this->state;
+    }
+
+    public function cancel()
+    {
+        if ($this->state !== self::PENDING) {
+            return;
+        }
+
+        $this->waitFn = $this->waitList = null;
+
+        if ($this->cancelFn) {
+            $fn = $this->cancelFn;
+            $this->cancelFn = null;
+            try {
+                $fn();
+            } catch (\Throwable $e) {
+                $this->reject($e);
+            } catch (\Exception $e) {
+                $this->reject($e);
+            }
+        }
+
+        // Reject the promise only if it wasn't rejected in a then callback.
+        /** @psalm-suppress RedundantCondition */
+        if ($this->state === self::PENDING) {
+            $this->reject(new CancellationException('Promise has been cancelled'));
+        }
+    }
+
+    public function resolve($value)
+    {
+        $this->settle(self::FULFILLED, $value);
+    }
+
+    public function reject($reason)
+    {
+        $this->settle(self::REJECTED, $reason);
+    }
+
+    private function settle($state, $value)
+    {
+        if ($this->state !== self::PENDING) {
+            // Ignore calls with the same resolution.
+            if ($state === $this->state && $value === $this->result) {
+                return;
+            }
+            throw $this->state === $state
+                ? new \LogicException("The promise is already {$state}.")
+                : new \LogicException("Cannot change a {$this->state} promise to {$state}");
+        }
+
+        if ($value === $this) {
+            throw new \LogicException('Cannot fulfill or reject a promise with itself');
+        }
+
+        // Clear out the state of the promise but stash the handlers.
+        $this->state = $state;
+        $this->result = $value;
+        $handlers = $this->handlers;
+        $this->handlers = null;
+        $this->waitList = $this->waitFn = null;
+        $this->cancelFn = null;
+
+        if (!$handlers) {
+            return;
+        }
+
+        // If the value was not a settled promise or a thenable, then resolve
+        // it in the task queue using the correct ID.
+        if (!is_object($value) || !method_exists($value, 'then')) {
+            $id = $state === self::FULFILLED ? 1 : 2;
+            // It's a success, so resolve the handlers in the queue.
+            Utils::queue()->add(static function () use ($id, $value, $handlers) {
+                foreach ($handlers as $handler) {
+                    self::callHandler($id, $value, $handler);
+                }
+            });
+        } elseif ($value instanceof Promise && Is::pending($value)) {
+            // We can just merge our handlers onto the next promise.
+            $value->handlers = array_merge($value->handlers, $handlers);
+        } else {
+            // Resolve the handlers when the forwarded promise is resolved.
+            $value->then(
+                static function ($value) use ($handlers) {
+                    foreach ($handlers as $handler) {
+                        self::callHandler(1, $value, $handler);
+                    }
+                },
+                static function ($reason) use ($handlers) {
+                    foreach ($handlers as $handler) {
+                        self::callHandler(2, $reason, $handler);
+                    }
+                }
+            );
+        }
+    }
+
+    /**
+     * Call a stack of handlers using a specific callback index and value.
+     *
+     * @param int   $index   1 (resolve) or 2 (reject).
+     * @param mixed $value   Value to pass to the callback.
+     * @param array $handler Array of handler data (promise and callbacks).
+     */
+    private static function callHandler($index, $value, array $handler)
+    {
+        /** @var PromiseInterface $promise */
+        $promise = $handler[0];
+
+        // The promise may have been cancelled or resolved before placing
+        // this thunk in the queue.
+        if (Is::settled($promise)) {
+            return;
+        }
+
+        try {
+            if (isset($handler[$index])) {
+                /*
+                 * If $f throws an exception, then $handler will be in the exception
+                 * stack trace. Since $handler contains a reference to the callable
+                 * itself we get a circular reference. We clear the $handler
+                 * here to avoid that memory leak.
+                 */
+                $f = $handler[$index];
+                unset($handler);
+                $promise->resolve($f($value));
+            } elseif ($index === 1) {
+                // Forward resolution values as-is.
+                $promise->resolve($value);
+            } else {
+                // Forward rejections down the chain.
+                $promise->reject($value);
+            }
+        } catch (\Throwable $reason) {
+            $promise->reject($reason);
+        } catch (\Exception $reason) {
+            $promise->reject($reason);
+        }
+    }
+
+    private function waitIfPending()
+    {
+        if ($this->state !== self::PENDING) {
+            return;
+        } elseif ($this->waitFn) {
+            $this->invokeWaitFn();
+        } elseif ($this->waitList) {
+            $this->invokeWaitList();
+        } else {
+            // If there's no wait function, then reject the promise.
+            $this->reject('Cannot wait on a promise that has '
+                . 'no internal wait function. You must provide a wait '
+                . 'function when constructing the promise to be able to '
+                . 'wait on a promise.');
+        }
+
+        Utils::queue()->run();
+
+        /** @psalm-suppress RedundantCondition */
+        if ($this->state === self::PENDING) {
+            $this->reject('Invoking the wait callback did not resolve the promise');
+        }
+    }
+
+    private function invokeWaitFn()
+    {
+        try {
+            $wfn = $this->waitFn;
+            $this->waitFn = null;
+            $wfn(true);
+        } catch (\Exception $reason) {
+            if ($this->state === self::PENDING) {
+                // The promise has not been resolved yet, so reject the promise
+                // with the exception.
+                $this->reject($reason);
+            } else {
+                // The promise was already resolved, so there's a problem in
+                // the application.
+                throw $reason;
+            }
+        }
+    }
+
+    private function invokeWaitList()
+    {
+        $waitList = $this->waitList;
+        $this->waitList = null;
+
+        foreach ($waitList as $result) {
+            do {
+                $result->waitIfPending();
+                $result = $result->result;
+            } while ($result instanceof Promise);
+
+            if ($result instanceof PromiseInterface) {
+                $result->wait(false);
+            }
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/PromiseInterface.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/PromiseInterface.php
new file mode 100644
index 000000000..e59833143
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/PromiseInterface.php
@@ -0,0 +1,97 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * A promise represents the eventual result of an asynchronous operation.
+ *
+ * The primary way of interacting with a promise is through its then method,
+ * which registers callbacks to receive either a promise’s eventual value or
+ * the reason why the promise cannot be fulfilled.
+ *
+ * @link https://promisesaplus.com/
+ */
+interface PromiseInterface
+{
+    const PENDING = 'pending';
+    const FULFILLED = 'fulfilled';
+    const REJECTED = 'rejected';
+
+    /**
+     * Appends fulfillment and rejection handlers to the promise, and returns
+     * a new promise resolving to the return value of the called handler.
+     *
+     * @param callable $onFulfilled Invoked when the promise fulfills.
+     * @param callable $onRejected  Invoked when the promise is rejected.
+     *
+     * @return PromiseInterface
+     */
+    public function then(
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    );
+
+    /**
+     * Appends a rejection handler callback to the promise, and returns a new
+     * promise resolving to the return value of the callback if it is called,
+     * or to its original fulfillment value if the promise is instead
+     * fulfilled.
+     *
+     * @param callable $onRejected Invoked when the promise is rejected.
+     *
+     * @return PromiseInterface
+     */
+    public function otherwise(callable $onRejected);
+
+    /**
+     * Get the state of the promise ("pending", "rejected", or "fulfilled").
+     *
+     * The three states can be checked against the constants defined on
+     * PromiseInterface: PENDING, FULFILLED, and REJECTED.
+     *
+     * @return string
+     */
+    public function getState();
+
+    /**
+     * Resolve the promise with the given value.
+     *
+     * @param mixed $value
+     *
+     * @throws \RuntimeException if the promise is already resolved.
+     */
+    public function resolve($value);
+
+    /**
+     * Reject the promise with the given reason.
+     *
+     * @param mixed $reason
+     *
+     * @throws \RuntimeException if the promise is already resolved.
+     */
+    public function reject($reason);
+
+    /**
+     * Cancels the promise if possible.
+     *
+     * @link https://github.com/promises-aplus/cancellation-spec/issues/7
+     */
+    public function cancel();
+
+    /**
+     * Waits until the promise completes if possible.
+     *
+     * Pass $unwrap as true to unwrap the result of the promise, either
+     * returning the resolved value or throwing the rejected exception.
+     *
+     * If the promise cannot be waited on, then the promise will be rejected.
+     *
+     * @param bool $unwrap
+     *
+     * @return mixed
+     *
+     * @throws \LogicException if the promise has no wait function or if the
+     *                         promise does not settle after waiting.
+     */
+    public function wait($unwrap = true);
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/PromisorInterface.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/PromisorInterface.php
new file mode 100644
index 000000000..2d2e3422b
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/PromisorInterface.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * Interface used with classes that return a promise.
+ */
+interface PromisorInterface
+{
+    /**
+     * Returns a promise.
+     *
+     * @return PromiseInterface
+     */
+    public function promise();
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectedPromise.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectedPromise.php
new file mode 100644
index 000000000..d2918468c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectedPromise.php
@@ -0,0 +1,91 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * A promise that has been rejected.
+ *
+ * Thenning off of this promise will invoke the onRejected callback
+ * immediately and ignore other callbacks.
+ */
+class RejectedPromise implements PromiseInterface
+{
+    private $reason;
+
+    public function __construct($reason)
+    {
+        if (is_object($reason) && method_exists($reason, 'then')) {
+            throw new \InvalidArgumentException(
+                'You cannot create a RejectedPromise with a promise.'
+            );
+        }
+
+        $this->reason = $reason;
+    }
+
+    public function then(
+        callable $onFulfilled = null,
+        callable $onRejected = null
+    ) {
+        // If there's no onRejected callback then just return self.
+        if (!$onRejected) {
+            return $this;
+        }
+
+        $queue = Utils::queue();
+        $reason = $this->reason;
+        $p = new Promise([$queue, 'run']);
+        $queue->add(static function () use ($p, $reason, $onRejected) {
+            if (Is::pending($p)) {
+                try {
+                    // Return a resolved promise if onRejected does not throw.
+                    $p->resolve($onRejected($reason));
+                } catch (\Throwable $e) {
+                    // onRejected threw, so return a rejected promise.
+                    $p->reject($e);
+                } catch (\Exception $e) {
+                    // onRejected threw, so return a rejected promise.
+                    $p->reject($e);
+                }
+            }
+        });
+
+        return $p;
+    }
+
+    public function otherwise(callable $onRejected)
+    {
+        return $this->then(null, $onRejected);
+    }
+
+    public function wait($unwrap = true, $defaultDelivery = null)
+    {
+        if ($unwrap) {
+            throw Create::exceptionFor($this->reason);
+        }
+
+        return null;
+    }
+
+    public function getState()
+    {
+        return self::REJECTED;
+    }
+
+    public function resolve($value)
+    {
+        throw new \LogicException("Cannot resolve a rejected promise");
+    }
+
+    public function reject($reason)
+    {
+        if ($reason !== $this->reason) {
+            throw new \LogicException("Cannot reject a rejected promise");
+        }
+    }
+
+    public function cancel()
+    {
+        // pass
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectionException.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectionException.php
new file mode 100644
index 000000000..e2f137707
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/RejectionException.php
@@ -0,0 +1,48 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * A special exception that is thrown when waiting on a rejected promise.
+ *
+ * The reason value is available via the getReason() method.
+ */
+class RejectionException extends \RuntimeException
+{
+    /** @var mixed Rejection reason. */
+    private $reason;
+
+    /**
+     * @param mixed  $reason      Rejection reason.
+     * @param string $description Optional description
+     */
+    public function __construct($reason, $description = null)
+    {
+        $this->reason = $reason;
+
+        $message = 'The promise was rejected';
+
+        if ($description) {
+            $message .= ' with reason: ' . $description;
+        } elseif (is_string($reason)
+            || (is_object($reason) && method_exists($reason, '__toString'))
+        ) {
+            $message .= ' with reason: ' . $this->reason;
+        } elseif ($reason instanceof \JsonSerializable) {
+            $message .= ' with reason: '
+                . json_encode($this->reason, JSON_PRETTY_PRINT);
+        }
+
+        parent::__construct($message);
+    }
+
+    /**
+     * Returns the rejection reason.
+     *
+     * @return mixed
+     */
+    public function getReason()
+    {
+        return $this->reason;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueue.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueue.php
new file mode 100644
index 000000000..f0fba2c59
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueue.php
@@ -0,0 +1,67 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * A task queue that executes tasks in a FIFO order.
+ *
+ * This task queue class is used to settle promises asynchronously and
+ * maintains a constant stack size. You can use the task queue asynchronously
+ * by calling the `run()` function of the global task queue in an event loop.
+ *
+ *     GuzzleHttp\Promise\Utils::queue()->run();
+ */
+class TaskQueue implements TaskQueueInterface
+{
+    private $enableShutdown = true;
+    private $queue = [];
+
+    public function __construct($withShutdown = true)
+    {
+        if ($withShutdown) {
+            register_shutdown_function(function () {
+                if ($this->enableShutdown) {
+                    // Only run the tasks if an E_ERROR didn't occur.
+                    $err = error_get_last();
+                    if (!$err || ($err['type'] ^ E_ERROR)) {
+                        $this->run();
+                    }
+                }
+            });
+        }
+    }
+
+    public function isEmpty()
+    {
+        return !$this->queue;
+    }
+
+    public function add(callable $task)
+    {
+        $this->queue[] = $task;
+    }
+
+    public function run()
+    {
+        while ($task = array_shift($this->queue)) {
+            /** @var callable $task */
+            $task();
+        }
+    }
+
+    /**
+     * The task queue will be run and exhausted by default when the process
+     * exits IFF the exit is not the result of a PHP E_ERROR error.
+     *
+     * You can disable running the automatic shutdown of the queue by calling
+     * this function. If you disable the task queue shutdown process, then you
+     * MUST either run the task queue (as a result of running your event loop
+     * or manually using the run() method) or wait on each outstanding promise.
+     *
+     * Note: This shutdown will occur before any destructors are triggered.
+     */
+    public function disableShutdown()
+    {
+        $this->enableShutdown = false;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueueInterface.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueueInterface.php
new file mode 100644
index 000000000..723d4d54e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/TaskQueueInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+interface TaskQueueInterface
+{
+    /**
+     * Returns true if the queue is empty.
+     *
+     * @return bool
+     */
+    public function isEmpty();
+
+    /**
+     * Adds a task to the queue that will be executed the next time run is
+     * called.
+     */
+    public function add(callable $task);
+
+    /**
+     * Execute all of the pending task in the queue.
+     */
+    public function run();
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/Utils.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Utils.php
new file mode 100644
index 000000000..8647126d8
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/Utils.php
@@ -0,0 +1,276 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+final class Utils
+{
+    /**
+     * Get the global task queue used for promise resolution.
+     *
+     * This task queue MUST be run in an event loop in order for promises to be
+     * settled asynchronously. It will be automatically run when synchronously
+     * waiting on a promise.
+     *
+     * <code>
+     * while ($eventLoop->isRunning()) {
+     *     GuzzleHttp\Promise\Utils::queue()->run();
+     * }
+     * </code>
+     *
+     * @param TaskQueueInterface $assign Optionally specify a new queue instance.
+     *
+     * @return TaskQueueInterface
+     */
+    public static function queue(TaskQueueInterface $assign = null)
+    {
+        static $queue;
+
+        if ($assign) {
+            $queue = $assign;
+        } elseif (!$queue) {
+            $queue = new TaskQueue();
+        }
+
+        return $queue;
+    }
+
+    /**
+     * Adds a function to run in the task queue when it is next `run()` and
+     * returns a promise that is fulfilled or rejected with the result.
+     *
+     * @param callable $task Task function to run.
+     *
+     * @return PromiseInterface
+     */
+    public static function task(callable $task)
+    {
+        $queue = self::queue();
+        $promise = new Promise([$queue, 'run']);
+        $queue->add(function () use ($task, $promise) {
+            try {
+                if (Is::pending($promise)) {
+                    $promise->resolve($task());
+                }
+            } catch (\Throwable $e) {
+                $promise->reject($e);
+            } catch (\Exception $e) {
+                $promise->reject($e);
+            }
+        });
+
+        return $promise;
+    }
+
+    /**
+     * Synchronously waits on a promise to resolve and returns an inspection
+     * state array.
+     *
+     * Returns a state associative array containing a "state" key mapping to a
+     * valid promise state. If the state of the promise is "fulfilled", the
+     * array will contain a "value" key mapping to the fulfilled value of the
+     * promise. If the promise is rejected, the array will contain a "reason"
+     * key mapping to the rejection reason of the promise.
+     *
+     * @param PromiseInterface $promise Promise or value.
+     *
+     * @return array
+     */
+    public static function inspect(PromiseInterface $promise)
+    {
+        try {
+            return [
+                'state' => PromiseInterface::FULFILLED,
+                'value' => $promise->wait()
+            ];
+        } catch (RejectionException $e) {
+            return ['state' => PromiseInterface::REJECTED, 'reason' => $e->getReason()];
+        } catch (\Throwable $e) {
+            return ['state' => PromiseInterface::REJECTED, 'reason' => $e];
+        } catch (\Exception $e) {
+            return ['state' => PromiseInterface::REJECTED, 'reason' => $e];
+        }
+    }
+
+    /**
+     * Waits on all of the provided promises, but does not unwrap rejected
+     * promises as thrown exception.
+     *
+     * Returns an array of inspection state arrays.
+     *
+     * @see inspect for the inspection state array format.
+     *
+     * @param PromiseInterface[] $promises Traversable of promises to wait upon.
+     *
+     * @return array
+     */
+    public static function inspectAll($promises)
+    {
+        $results = [];
+        foreach ($promises as $key => $promise) {
+            $results[$key] = inspect($promise);
+        }
+
+        return $results;
+    }
+
+    /**
+     * Waits on all of the provided promises and returns the fulfilled values.
+     *
+     * Returns an array that contains the value of each promise (in the same
+     * order the promises were provided). An exception is thrown if any of the
+     * promises are rejected.
+     *
+     * @param iterable<PromiseInterface> $promises Iterable of PromiseInterface objects to wait on.
+     *
+     * @return array
+     *
+     * @throws \Exception on error
+     * @throws \Throwable on error in PHP >=7
+     */
+    public static function unwrap($promises)
+    {
+        $results = [];
+        foreach ($promises as $key => $promise) {
+            $results[$key] = $promise->wait();
+        }
+
+        return $results;
+    }
+
+    /**
+     * Given an array of promises, return a promise that is fulfilled when all
+     * the items in the array are fulfilled.
+     *
+     * The promise's fulfillment value is an array with fulfillment values at
+     * respective positions to the original array. If any promise in the array
+     * rejects, the returned promise is rejected with the rejection reason.
+     *
+     * @param mixed $promises  Promises or values.
+     * @param bool  $recursive If true, resolves new promises that might have been added to the stack during its own resolution.
+     *
+     * @return PromiseInterface
+     */
+    public static function all($promises, $recursive = false)
+    {
+        $results = [];
+        $promise = Each::of(
+            $promises,
+            function ($value, $idx) use (&$results) {
+                $results[$idx] = $value;
+            },
+            function ($reason, $idx, Promise $aggregate) {
+                $aggregate->reject($reason);
+            }
+        )->then(function () use (&$results) {
+            ksort($results);
+            return $results;
+        });
+
+        if (true === $recursive) {
+            $promise = $promise->then(function ($results) use ($recursive, &$promises) {
+                foreach ($promises as $promise) {
+                    if (Is::pending($promise)) {
+                        return self::all($promises, $recursive);
+                    }
+                }
+                return $results;
+            });
+        }
+
+        return $promise;
+    }
+
+    /**
+     * Initiate a competitive race between multiple promises or values (values
+     * will become immediately fulfilled promises).
+     *
+     * When count amount of promises have been fulfilled, the returned promise
+     * is fulfilled with an array that contains the fulfillment values of the
+     * winners in order of resolution.
+     *
+     * This promise is rejected with a {@see AggregateException} if the number
+     * of fulfilled promises is less than the desired $count.
+     *
+     * @param int   $count    Total number of promises.
+     * @param mixed $promises Promises or values.
+     *
+     * @return PromiseInterface
+     */
+    public static function some($count, $promises)
+    {
+        $results = [];
+        $rejections = [];
+
+        return Each::of(
+            $promises,
+            function ($value, $idx, PromiseInterface $p) use (&$results, $count) {
+                if (Is::settled($p)) {
+                    return;
+                }
+                $results[$idx] = $value;
+                if (count($results) >= $count) {
+                    $p->resolve(null);
+                }
+            },
+            function ($reason) use (&$rejections) {
+                $rejections[] = $reason;
+            }
+        )->then(
+            function () use (&$results, &$rejections, $count) {
+                if (count($results) !== $count) {
+                    throw new AggregateException(
+                        'Not enough promises to fulfill count',
+                        $rejections
+                    );
+                }
+                ksort($results);
+                return array_values($results);
+            }
+        );
+    }
+
+    /**
+     * Like some(), with 1 as count. However, if the promise fulfills, the
+     * fulfillment value is not an array of 1 but the value directly.
+     *
+     * @param mixed $promises Promises or values.
+     *
+     * @return PromiseInterface
+     */
+    public static function any($promises)
+    {
+        return self::some(1, $promises)->then(function ($values) {
+            return $values[0];
+        });
+    }
+
+    /**
+     * Returns a promise that is fulfilled when all of the provided promises have
+     * been fulfilled or rejected.
+     *
+     * The returned promise is fulfilled with an array of inspection state arrays.
+     *
+     * @see inspect for the inspection state array format.
+     *
+     * @param mixed $promises Promises or values.
+     *
+     * @return PromiseInterface
+     */
+    public static function settle($promises)
+    {
+        $results = [];
+
+        return Each::of(
+            $promises,
+            function ($value, $idx) use (&$results) {
+                $results[$idx] = ['state' => PromiseInterface::FULFILLED, 'value' => $value];
+            },
+            function ($reason, $idx) use (&$results) {
+                $results[$idx] = ['state' => PromiseInterface::REJECTED, 'reason' => $reason];
+            }
+        )->then(function () use (&$results) {
+            ksort($results);
+            return $results;
+        });
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/functions.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/functions.php
new file mode 100644
index 000000000..c03d39d02
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/functions.php
@@ -0,0 +1,363 @@
+<?php
+
+namespace GuzzleHttp\Promise;
+
+/**
+ * Get the global task queue used for promise resolution.
+ *
+ * This task queue MUST be run in an event loop in order for promises to be
+ * settled asynchronously. It will be automatically run when synchronously
+ * waiting on a promise.
+ *
+ * <code>
+ * while ($eventLoop->isRunning()) {
+ *     GuzzleHttp\Promise\queue()->run();
+ * }
+ * </code>
+ *
+ * @param TaskQueueInterface $assign Optionally specify a new queue instance.
+ *
+ * @return TaskQueueInterface
+ *
+ * @deprecated queue will be removed in guzzlehttp/promises:2.0. Use Utils::queue instead.
+ */
+function queue(TaskQueueInterface $assign = null)
+{
+    return Utils::queue($assign);
+}
+
+/**
+ * Adds a function to run in the task queue when it is next `run()` and returns
+ * a promise that is fulfilled or rejected with the result.
+ *
+ * @param callable $task Task function to run.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated task will be removed in guzzlehttp/promises:2.0. Use Utils::task instead.
+ */
+function task(callable $task)
+{
+    return Utils::task($task);
+}
+
+/**
+ * Creates a promise for a value if the value is not a promise.
+ *
+ * @param mixed $value Promise or value.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated promise_for will be removed in guzzlehttp/promises:2.0. Use Create::promiseFor instead.
+ */
+function promise_for($value)
+{
+    return Create::promiseFor($value);
+}
+
+/**
+ * Creates a rejected promise for a reason if the reason is not a promise. If
+ * the provided reason is a promise, then it is returned as-is.
+ *
+ * @param mixed $reason Promise or reason.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated rejection_for will be removed in guzzlehttp/promises:2.0. Use Create::rejectionFor instead.
+ */
+function rejection_for($reason)
+{
+    return Create::rejectionFor($reason);
+}
+
+/**
+ * Create an exception for a rejected promise value.
+ *
+ * @param mixed $reason
+ *
+ * @return \Exception|\Throwable
+ *
+ * @deprecated exception_for will be removed in guzzlehttp/promises:2.0. Use Create::exceptionFor instead.
+ */
+function exception_for($reason)
+{
+    return Create::exceptionFor($reason);
+}
+
+/**
+ * Returns an iterator for the given value.
+ *
+ * @param mixed $value
+ *
+ * @return \Iterator
+ *
+ * @deprecated iter_for will be removed in guzzlehttp/promises:2.0. Use Create::iterFor instead.
+ */
+function iter_for($value)
+{
+    return Create::iterFor($value);
+}
+
+/**
+ * Synchronously waits on a promise to resolve and returns an inspection state
+ * array.
+ *
+ * Returns a state associative array containing a "state" key mapping to a
+ * valid promise state. If the state of the promise is "fulfilled", the array
+ * will contain a "value" key mapping to the fulfilled value of the promise. If
+ * the promise is rejected, the array will contain a "reason" key mapping to
+ * the rejection reason of the promise.
+ *
+ * @param PromiseInterface $promise Promise or value.
+ *
+ * @return array
+ *
+ * @deprecated inspect will be removed in guzzlehttp/promises:2.0. Use Utils::inspect instead.
+ */
+function inspect(PromiseInterface $promise)
+{
+    return Utils::inspect($promise);
+}
+
+/**
+ * Waits on all of the provided promises, but does not unwrap rejected promises
+ * as thrown exception.
+ *
+ * Returns an array of inspection state arrays.
+ *
+ * @see inspect for the inspection state array format.
+ *
+ * @param PromiseInterface[] $promises Traversable of promises to wait upon.
+ *
+ * @return array
+ *
+ * @deprecated inspect will be removed in guzzlehttp/promises:2.0. Use Utils::inspectAll instead.
+ */
+function inspect_all($promises)
+{
+    return Utils::inspectAll($promises);
+}
+
+/**
+ * Waits on all of the provided promises and returns the fulfilled values.
+ *
+ * Returns an array that contains the value of each promise (in the same order
+ * the promises were provided). An exception is thrown if any of the promises
+ * are rejected.
+ *
+ * @param iterable<PromiseInterface> $promises Iterable of PromiseInterface objects to wait on.
+ *
+ * @return array
+ *
+ * @throws \Exception on error
+ * @throws \Throwable on error in PHP >=7
+ *
+ * @deprecated unwrap will be removed in guzzlehttp/promises:2.0. Use Utils::unwrap instead.
+ */
+function unwrap($promises)
+{
+    return Utils::unwrap($promises);
+}
+
+/**
+ * Given an array of promises, return a promise that is fulfilled when all the
+ * items in the array are fulfilled.
+ *
+ * The promise's fulfillment value is an array with fulfillment values at
+ * respective positions to the original array. If any promise in the array
+ * rejects, the returned promise is rejected with the rejection reason.
+ *
+ * @param mixed $promises  Promises or values.
+ * @param bool  $recursive If true, resolves new promises that might have been added to the stack during its own resolution.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated all will be removed in guzzlehttp/promises:2.0. Use Utils::all instead.
+ */
+function all($promises, $recursive = false)
+{
+    return Utils::all($promises, $recursive);
+}
+
+/**
+ * Initiate a competitive race between multiple promises or values (values will
+ * become immediately fulfilled promises).
+ *
+ * When count amount of promises have been fulfilled, the returned promise is
+ * fulfilled with an array that contains the fulfillment values of the winners
+ * in order of resolution.
+ *
+ * This promise is rejected with a {@see AggregateException} if the number of
+ * fulfilled promises is less than the desired $count.
+ *
+ * @param int   $count    Total number of promises.
+ * @param mixed $promises Promises or values.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated some will be removed in guzzlehttp/promises:2.0. Use Utils::some instead.
+ */
+function some($count, $promises)
+{
+    return Utils::some($count, $promises);
+}
+
+/**
+ * Like some(), with 1 as count. However, if the promise fulfills, the
+ * fulfillment value is not an array of 1 but the value directly.
+ *
+ * @param mixed $promises Promises or values.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated any will be removed in guzzlehttp/promises:2.0. Use Utils::any instead.
+ */
+function any($promises)
+{
+    return Utils::any($promises);
+}
+
+/**
+ * Returns a promise that is fulfilled when all of the provided promises have
+ * been fulfilled or rejected.
+ *
+ * The returned promise is fulfilled with an array of inspection state arrays.
+ *
+ * @see inspect for the inspection state array format.
+ *
+ * @param mixed $promises Promises or values.
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated settle will be removed in guzzlehttp/promises:2.0. Use Utils::settle instead.
+ */
+function settle($promises)
+{
+    return Utils::settle($promises);
+}
+
+/**
+ * Given an iterator that yields promises or values, returns a promise that is
+ * fulfilled with a null value when the iterator has been consumed or the
+ * aggregate promise has been fulfilled or rejected.
+ *
+ * $onFulfilled is a function that accepts the fulfilled value, iterator index,
+ * and the aggregate promise. The callback can invoke any necessary side
+ * effects and choose to resolve or reject the aggregate if needed.
+ *
+ * $onRejected is a function that accepts the rejection reason, iterator index,
+ * and the aggregate promise. The callback can invoke any necessary side
+ * effects and choose to resolve or reject the aggregate if needed.
+ *
+ * @param mixed    $iterable    Iterator or array to iterate over.
+ * @param callable $onFulfilled
+ * @param callable $onRejected
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated each will be removed in guzzlehttp/promises:2.0. Use Each::of instead.
+ */
+function each(
+    $iterable,
+    callable $onFulfilled = null,
+    callable $onRejected = null
+) {
+    return Each::of($iterable, $onFulfilled, $onRejected);
+}
+
+/**
+ * Like each, but only allows a certain number of outstanding promises at any
+ * given time.
+ *
+ * $concurrency may be an integer or a function that accepts the number of
+ * pending promises and returns a numeric concurrency limit value to allow for
+ * dynamic a concurrency size.
+ *
+ * @param mixed        $iterable
+ * @param int|callable $concurrency
+ * @param callable     $onFulfilled
+ * @param callable     $onRejected
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated each_limit will be removed in guzzlehttp/promises:2.0. Use Each::ofLimit instead.
+ */
+function each_limit(
+    $iterable,
+    $concurrency,
+    callable $onFulfilled = null,
+    callable $onRejected = null
+) {
+    return Each::ofLimit($iterable, $concurrency, $onFulfilled, $onRejected);
+}
+
+/**
+ * Like each_limit, but ensures that no promise in the given $iterable argument
+ * is rejected. If any promise is rejected, then the aggregate promise is
+ * rejected with the encountered rejection.
+ *
+ * @param mixed        $iterable
+ * @param int|callable $concurrency
+ * @param callable     $onFulfilled
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated each_limit_all will be removed in guzzlehttp/promises:2.0. Use Each::ofLimitAll instead.
+ */
+function each_limit_all(
+    $iterable,
+    $concurrency,
+    callable $onFulfilled = null
+) {
+    return Each::ofLimitAll($iterable, $concurrency, $onFulfilled);
+}
+
+/**
+ * Returns true if a promise is fulfilled.
+ *
+ * @return bool
+ *
+ * @deprecated is_fulfilled will be removed in guzzlehttp/promises:2.0. Use Is::fulfilled instead.
+ */
+function is_fulfilled(PromiseInterface $promise)
+{
+    return Is::fulfilled($promise);
+}
+
+/**
+ * Returns true if a promise is rejected.
+ *
+ * @return bool
+ *
+ * @deprecated is_rejected will be removed in guzzlehttp/promises:2.0. Use Is::rejected instead.
+ */
+function is_rejected(PromiseInterface $promise)
+{
+    return Is::rejected($promise);
+}
+
+/**
+ * Returns true if a promise is fulfilled or rejected.
+ *
+ * @return bool
+ *
+ * @deprecated is_settled will be removed in guzzlehttp/promises:2.0. Use Is::settled instead.
+ */
+function is_settled(PromiseInterface $promise)
+{
+    return Is::settled($promise);
+}
+
+/**
+ * Create a new coroutine.
+ *
+ * @see Coroutine
+ *
+ * @return PromiseInterface
+ *
+ * @deprecated coroutine will be removed in guzzlehttp/promises:2.0. Use Coroutine::of instead.
+ */
+function coroutine(callable $generatorFn)
+{
+    return Coroutine::of($generatorFn);
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/promises/src/functions_include.php b/data/web/inc/lib/vendor/guzzlehttp/promises/src/functions_include.php
new file mode 100644
index 000000000..34cd1710a
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/promises/src/functions_include.php
@@ -0,0 +1,6 @@
+<?php
+
+// Don't redefine the functions if included multiple times.
+if (!function_exists('GuzzleHttp\Promise\promise_for')) {
+    require __DIR__ . '/functions.php';
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md b/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md
new file mode 100644
index 000000000..0eabd3048
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md
@@ -0,0 +1,402 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+
+## 2.4.4 - 2023-03-09
+
+### Changed
+
+- Removed the need for `AllowDynamicProperties` in `LazyOpenStream`
+
+## 2.4.3 - 2022-10-26
+
+### Changed
+
+- Replaced `sha1(uniqid())` by `bin2hex(random_bytes(20))`
+
+## 2.4.2 - 2022-10-25
+
+### Fixed
+
+- Fixed erroneous behaviour when combining host and relative path
+
+## 2.4.1 - 2022-08-28
+
+### Fixed
+
+- Rewind body before reading in `Message::bodySummary`
+
+## 2.4.0 - 2022-06-20
+
+### Added
+
+- Added provisional PHP 8.2 support
+- Added `UriComparator::isCrossOrigin` method
+
+## 2.3.0 - 2022-06-09
+
+### Fixed
+
+- Added `Header::splitList` method
+- Added `Utils::tryGetContents` method
+- Improved `Stream::getContents` method
+- Updated mimetype mappings
+
+## 2.2.2 - 2022-06-08
+
+### Fixed
+
+- Fix `Message::parseRequestUri` for numeric headers
+- Re-wrap exceptions thrown in `fread` into runtime exceptions
+- Throw an exception when multipart options is misformatted
+
+## 2.2.1 - 2022-03-20
+
+### Fixed
+
+- Correct header value validation
+
+## 2.2.0 - 2022-03-20
+
+### Added
+
+- A more compressive list of mime types
+- Add JsonSerializable to Uri
+- Missing return types
+
+### Fixed
+
+- Bug MultipartStream no `uri` metadata
+- Bug MultipartStream with filename for `data://` streams
+- Fixed new line handling in MultipartStream
+- Reduced RAM usage when copying streams
+- Updated parsing in `Header::normalize()`
+
+## 2.1.1 - 2022-03-20
+
+### Fixed
+
+- Validate header values properly
+
+## 2.1.0 - 2021-10-06
+
+### Changed
+
+- Attempting to create a `Uri` object from a malformed URI will no longer throw a generic
+  `InvalidArgumentException`, but rather a `MalformedUriException`, which inherits from the former
+  for backwards compatibility. Callers relying on the exception being thrown to detect invalid
+  URIs should catch the new exception.
+
+### Fixed
+
+- Return `null` in caching stream size if remote size is `null`
+
+## 2.0.0 - 2021-06-30
+
+Identical to the RC release.
+
+## 2.0.0@RC-1 - 2021-04-29
+
+### Fixed
+
+- Handle possibly unset `url` in `stream_get_meta_data`
+
+## 2.0.0@beta-1 - 2021-03-21
+
+### Added
+
+- PSR-17 factories
+- Made classes final
+- PHP7 type hints
+
+### Changed
+
+- When building a query string, booleans are represented as 1 and 0.
+
+### Removed
+
+- PHP < 7.2 support
+- All functions in the `GuzzleHttp\Psr7` namespace
+
+## 1.8.1 - 2021-03-21
+
+### Fixed
+
+- Issue parsing IPv6 URLs
+- Issue modifying ServerRequest lost all its attributes
+
+## 1.8.0 - 2021-03-21
+
+### Added
+
+- Locale independent URL parsing
+- Most classes got a `@final` annotation to prepare for 2.0
+
+### Fixed
+
+- Issue when creating stream from `php://input` and curl-ext is not installed
+- Broken `Utils::tryFopen()` on PHP 8
+
+## 1.7.0 - 2020-09-30
+
+### Added
+
+- Replaced functions by static methods
+
+### Fixed
+
+- Converting a non-seekable stream to a string
+- Handle multiple Set-Cookie correctly
+- Ignore array keys in header values when merging
+- Allow multibyte characters to be parsed in `Message:bodySummary()`
+
+### Changed
+
+- Restored partial HHVM 3 support
+
+
+## [1.6.1] - 2019-07-02
+
+### Fixed
+
+- Accept null and bool header values again
+
+
+## [1.6.0] - 2019-06-30
+
+### Added
+
+- Allowed version `^3.0` of `ralouphie/getallheaders` dependency (#244)
+- Added MIME type for WEBP image format (#246)
+- Added more validation of values according to PSR-7 and RFC standards, e.g. status code range (#250, #272)
+
+### Changed
+
+- Tests don't pass with HHVM 4.0, so HHVM support got dropped. Other libraries like composer have done the same. (#262)
+- Accept port number 0 to be valid (#270)
+
+### Fixed
+
+- Fixed subsequent reads from `php://input` in ServerRequest (#247)
+- Fixed readable/writable detection for certain stream modes (#248)
+- Fixed encoding of special characters in the `userInfo` component of an URI (#253)
+
+
+## [1.5.2] - 2018-12-04
+
+### Fixed
+
+- Check body size when getting the message summary
+
+
+## [1.5.1] - 2018-12-04
+
+### Fixed
+
+- Get the summary of a body only if it is readable
+
+
+## [1.5.0] - 2018-12-03
+
+### Added
+
+- Response first-line to response string exception (fixes #145)
+- A test for #129 behavior
+- `get_message_body_summary` function in order to get the message summary
+- `3gp` and `mkv` mime types
+
+### Changed
+
+- Clarify exception message when stream is detached
+
+### Deprecated
+
+- Deprecated parsing folded header lines as per RFC 7230
+
+### Fixed
+
+- Fix `AppendStream::detach` to not close streams
+- `InflateStream` preserves `isSeekable` attribute of the underlying stream
+- `ServerRequest::getUriFromGlobals` to support URLs in query parameters
+
+
+Several other fixes and improvements.
+
+
+## [1.4.2] - 2017-03-20
+
+### Fixed
+
+- Reverted BC break to `Uri::resolve` and `Uri::removeDotSegments` by removing
+  calls to `trigger_error` when deprecated methods are invoked.
+
+
+## [1.4.1] - 2017-02-27
+
+### Added
+
+- Rriggering of silenced deprecation warnings.
+
+### Fixed
+
+- Reverted BC break by reintroducing behavior to automagically fix a URI with a
+  relative path and an authority by adding a leading slash to the path. It's only
+  deprecated now.
+
+
+## [1.4.0] - 2017-02-21
+
+### Added
+
+- Added common URI utility methods based on RFC 3986 (see documentation in the readme):
+  - `Uri::isDefaultPort`
+  - `Uri::isAbsolute`
+  - `Uri::isNetworkPathReference`
+  - `Uri::isAbsolutePathReference`
+  - `Uri::isRelativePathReference`
+  - `Uri::isSameDocumentReference`
+  - `Uri::composeComponents`
+  - `UriNormalizer::normalize`
+  - `UriNormalizer::isEquivalent`
+  - `UriResolver::relativize`
+
+### Changed
+
+- Ensure `ServerRequest::getUriFromGlobals` returns a URI in absolute form.
+- Allow `parse_response` to parse a response without delimiting space and reason.
+- Ensure each URI modification results in a valid URI according to PSR-7 discussions.
+  Invalid modifications will throw an exception instead of returning a wrong URI or
+  doing some magic.
+  - `(new Uri)->withPath('foo')->withHost('example.com')` will throw an exception
+    because the path of a URI with an authority must start with a slash "/" or be empty
+  - `(new Uri())->withScheme('http')` will return `'http://localhost'`
+
+### Deprecated
+
+- `Uri::resolve` in favor of `UriResolver::resolve`
+- `Uri::removeDotSegments` in favor of `UriResolver::removeDotSegments`
+
+### Fixed
+
+- `Stream::read` when length parameter <= 0.
+- `copy_to_stream` reads bytes in chunks instead of `maxLen` into memory.
+- `ServerRequest::getUriFromGlobals` when `Host` header contains port.
+- Compatibility of URIs with `file` scheme and empty host.
+
+
+## [1.3.1] - 2016-06-25
+
+### Fixed
+
+- `Uri::__toString` for network path references, e.g. `//example.org`.
+- Missing lowercase normalization for host.
+- Handling of URI components in case they are `'0'` in a lot of places,
+  e.g. as a user info password.
+- `Uri::withAddedHeader` to correctly merge headers with different case.
+- Trimming of header values in `Uri::withAddedHeader`. Header values may
+  be surrounded by whitespace which should be ignored according to RFC 7230
+  Section 3.2.4. This does not apply to header names.
+- `Uri::withAddedHeader` with an array of header values.
+- `Uri::resolve` when base path has no slash and handling of fragment.
+- Handling of encoding in `Uri::with(out)QueryValue` so one can pass the
+  key/value both in encoded as well as decoded form to those methods. This is
+  consistent with withPath, withQuery etc.
+- `ServerRequest::withoutAttribute` when attribute value is null.
+
+
+## [1.3.0] - 2016-04-13
+
+### Added
+
+- Remaining interfaces needed for full PSR7 compatibility
+  (ServerRequestInterface, UploadedFileInterface, etc.).
+- Support for stream_for from scalars.
+
+### Changed
+
+- Can now extend Uri.
+
+### Fixed
+- A bug in validating request methods by making it more permissive.
+
+
+## [1.2.3] - 2016-02-18
+
+### Fixed
+
+- Support in `GuzzleHttp\Psr7\CachingStream` for seeking forward on remote
+  streams, which can sometimes return fewer bytes than requested with `fread`.
+- Handling of gzipped responses with FNAME headers.
+
+
+## [1.2.2] - 2016-01-22
+
+### Added
+
+- Support for URIs without any authority.
+- Support for HTTP 451 'Unavailable For Legal Reasons.'
+- Support for using '0' as a filename.
+- Support for including non-standard ports in Host headers.
+
+
+## [1.2.1] - 2015-11-02
+
+### Changes
+
+- Now supporting negative offsets when seeking to SEEK_END.
+
+
+## [1.2.0] - 2015-08-15
+
+### Changed
+
+- Body as `"0"` is now properly added to a response.
+- Now allowing forward seeking in CachingStream.
+- Now properly parsing HTTP requests that contain proxy targets in
+  `parse_request`.
+- functions.php is now conditionally required.
+- user-info is no longer dropped when resolving URIs.
+
+
+## [1.1.0] - 2015-06-24
+
+### Changed
+
+- URIs can now be relative.
+- `multipart/form-data` headers are now overridden case-insensitively.
+- URI paths no longer encode the following characters because they are allowed
+  in URIs: "(", ")", "*", "!", "'"
+- A port is no longer added to a URI when the scheme is missing and no port is
+  present.
+
+
+## 1.0.0 - 2015-05-19
+
+Initial release.
+
+Currently unsupported:
+
+- `Psr\Http\Message\ServerRequestInterface`
+- `Psr\Http\Message\UploadedFileInterface`
+
+
+
+[1.6.0]: https://github.com/guzzle/psr7/compare/1.5.2...1.6.0
+[1.5.2]: https://github.com/guzzle/psr7/compare/1.5.1...1.5.2
+[1.5.1]: https://github.com/guzzle/psr7/compare/1.5.0...1.5.1
+[1.5.0]: https://github.com/guzzle/psr7/compare/1.4.2...1.5.0
+[1.4.2]: https://github.com/guzzle/psr7/compare/1.4.1...1.4.2
+[1.4.1]: https://github.com/guzzle/psr7/compare/1.4.0...1.4.1
+[1.4.0]: https://github.com/guzzle/psr7/compare/1.3.1...1.4.0
+[1.3.1]: https://github.com/guzzle/psr7/compare/1.3.0...1.3.1
+[1.3.0]: https://github.com/guzzle/psr7/compare/1.2.3...1.3.0
+[1.2.3]: https://github.com/guzzle/psr7/compare/1.2.2...1.2.3
+[1.2.2]: https://github.com/guzzle/psr7/compare/1.2.1...1.2.2
+[1.2.1]: https://github.com/guzzle/psr7/compare/1.2.0...1.2.1
+[1.2.0]: https://github.com/guzzle/psr7/compare/1.1.0...1.2.0
+[1.1.0]: https://github.com/guzzle/psr7/compare/1.0.0...1.1.0
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/LICENSE b/data/web/inc/lib/vendor/guzzlehttp/psr7/LICENSE
new file mode 100644
index 000000000..51c7ec81c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/LICENSE
@@ -0,0 +1,26 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Michael Dowling <mtdowling@gmail.com>
+Copyright (c) 2015 Márk Sági-Kazár <mark.sagikazar@gmail.com>
+Copyright (c) 2015 Graham Campbell <hello@gjcampbell.co.uk>
+Copyright (c) 2016 Tobias Schultze <webmaster@tubo-world.de>
+Copyright (c) 2016 George Mponos <gmponos@gmail.com>
+Copyright (c) 2018 Tobias Nyholm <tobias.nyholm@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/README.md b/data/web/inc/lib/vendor/guzzlehttp/psr7/README.md
new file mode 100644
index 000000000..9566a7d47
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/README.md
@@ -0,0 +1,880 @@
+# PSR-7 Message Implementation
+
+This repository contains a full [PSR-7](https://www.php-fig.org/psr/psr-7/)
+message implementation, several stream decorators, and some helpful
+functionality like query string parsing.
+
+![CI](https://github.com/guzzle/psr7/workflows/CI/badge.svg)
+![Static analysis](https://github.com/guzzle/psr7/workflows/Static%20analysis/badge.svg)
+
+
+# Installation
+
+```shell
+composer require guzzlehttp/psr7
+```
+
+# Stream implementation
+
+This package comes with a number of stream implementations and stream
+decorators.
+
+
+## AppendStream
+
+`GuzzleHttp\Psr7\AppendStream`
+
+Reads from multiple streams, one after the other.
+
+```php
+use GuzzleHttp\Psr7;
+
+$a = Psr7\Utils::streamFor('abc, ');
+$b = Psr7\Utils::streamFor('123.');
+$composed = new Psr7\AppendStream([$a, $b]);
+
+$composed->addStream(Psr7\Utils::streamFor(' Above all listen to me'));
+
+echo $composed; // abc, 123. Above all listen to me.
+```
+
+
+## BufferStream
+
+`GuzzleHttp\Psr7\BufferStream`
+
+Provides a buffer stream that can be written to fill a buffer, and read
+from to remove bytes from the buffer.
+
+This stream returns a "hwm" metadata value that tells upstream consumers
+what the configured high water mark of the stream is, or the maximum
+preferred size of the buffer.
+
+```php
+use GuzzleHttp\Psr7;
+
+// When more than 1024 bytes are in the buffer, it will begin returning
+// false to writes. This is an indication that writers should slow down.
+$buffer = new Psr7\BufferStream(1024);
+```
+
+
+## CachingStream
+
+The CachingStream is used to allow seeking over previously read bytes on
+non-seekable streams. This can be useful when transferring a non-seekable
+entity body fails due to needing to rewind the stream (for example, resulting
+from a redirect). Data that is read from the remote stream will be buffered in
+a PHP temp stream so that previously read bytes are cached first in memory,
+then on disk.
+
+```php
+use GuzzleHttp\Psr7;
+
+$original = Psr7\Utils::streamFor(fopen('http://www.google.com', 'r'));
+$stream = new Psr7\CachingStream($original);
+
+$stream->read(1024);
+echo $stream->tell();
+// 1024
+
+$stream->seek(0);
+echo $stream->tell();
+// 0
+```
+
+
+## DroppingStream
+
+`GuzzleHttp\Psr7\DroppingStream`
+
+Stream decorator that begins dropping data once the size of the underlying
+stream becomes too full.
+
+```php
+use GuzzleHttp\Psr7;
+
+// Create an empty stream
+$stream = Psr7\Utils::streamFor();
+
+// Start dropping data when the stream has more than 10 bytes
+$dropping = new Psr7\DroppingStream($stream, 10);
+
+$dropping->write('01234567890123456789');
+echo $stream; // 0123456789
+```
+
+
+## FnStream
+
+`GuzzleHttp\Psr7\FnStream`
+
+Compose stream implementations based on a hash of functions.
+
+Allows for easy testing and extension of a provided stream without needing
+to create a concrete class for a simple extension point.
+
+```php
+
+use GuzzleHttp\Psr7;
+
+$stream = Psr7\Utils::streamFor('hi');
+$fnStream = Psr7\FnStream::decorate($stream, [
+    'rewind' => function () use ($stream) {
+        echo 'About to rewind - ';
+        $stream->rewind();
+        echo 'rewound!';
+    }
+]);
+
+$fnStream->rewind();
+// Outputs: About to rewind - rewound!
+```
+
+
+## InflateStream
+
+`GuzzleHttp\Psr7\InflateStream`
+
+Uses PHP's zlib.inflate filter to inflate zlib (HTTP deflate, RFC1950) or gzipped (RFC1952) content.
+
+This stream decorator converts the provided stream to a PHP stream resource,
+then appends the zlib.inflate filter. The stream is then converted back
+to a Guzzle stream resource to be used as a Guzzle stream.
+
+
+## LazyOpenStream
+
+`GuzzleHttp\Psr7\LazyOpenStream`
+
+Lazily reads or writes to a file that is opened only after an IO operation
+take place on the stream.
+
+```php
+use GuzzleHttp\Psr7;
+
+$stream = new Psr7\LazyOpenStream('/path/to/file', 'r');
+// The file has not yet been opened...
+
+echo $stream->read(10);
+// The file is opened and read from only when needed.
+```
+
+
+## LimitStream
+
+`GuzzleHttp\Psr7\LimitStream`
+
+LimitStream can be used to read a subset or slice of an existing stream object.
+This can be useful for breaking a large file into smaller pieces to be sent in
+chunks (e.g. Amazon S3's multipart upload API).
+
+```php
+use GuzzleHttp\Psr7;
+
+$original = Psr7\Utils::streamFor(fopen('/tmp/test.txt', 'r+'));
+echo $original->getSize();
+// >>> 1048576
+
+// Limit the size of the body to 1024 bytes and start reading from byte 2048
+$stream = new Psr7\LimitStream($original, 1024, 2048);
+echo $stream->getSize();
+// >>> 1024
+echo $stream->tell();
+// >>> 0
+```
+
+
+## MultipartStream
+
+`GuzzleHttp\Psr7\MultipartStream`
+
+Stream that when read returns bytes for a streaming multipart or
+multipart/form-data stream.
+
+
+## NoSeekStream
+
+`GuzzleHttp\Psr7\NoSeekStream`
+
+NoSeekStream wraps a stream and does not allow seeking.
+
+```php
+use GuzzleHttp\Psr7;
+
+$original = Psr7\Utils::streamFor('foo');
+$noSeek = new Psr7\NoSeekStream($original);
+
+echo $noSeek->read(3);
+// foo
+var_export($noSeek->isSeekable());
+// false
+$noSeek->seek(0);
+var_export($noSeek->read(3));
+// NULL
+```
+
+
+## PumpStream
+
+`GuzzleHttp\Psr7\PumpStream`
+
+Provides a read only stream that pumps data from a PHP callable.
+
+When invoking the provided callable, the PumpStream will pass the amount of
+data requested to read to the callable. The callable can choose to ignore
+this value and return fewer or more bytes than requested. Any extra data
+returned by the provided callable is buffered internally until drained using
+the read() function of the PumpStream. The provided callable MUST return
+false when there is no more data to read.
+
+
+## Implementing stream decorators
+
+Creating a stream decorator is very easy thanks to the
+`GuzzleHttp\Psr7\StreamDecoratorTrait`. This trait provides methods that
+implement `Psr\Http\Message\StreamInterface` by proxying to an underlying
+stream. Just `use` the `StreamDecoratorTrait` and implement your custom
+methods.
+
+For example, let's say we wanted to call a specific function each time the last
+byte is read from a stream. This could be implemented by overriding the
+`read()` method.
+
+```php
+use Psr\Http\Message\StreamInterface;
+use GuzzleHttp\Psr7\StreamDecoratorTrait;
+
+class EofCallbackStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    private $callback;
+
+    private $stream;
+
+    public function __construct(StreamInterface $stream, callable $cb)
+    {
+        $this->stream = $stream;
+        $this->callback = $cb;
+    }
+
+    public function read($length)
+    {
+        $result = $this->stream->read($length);
+
+        // Invoke the callback when EOF is hit.
+        if ($this->eof()) {
+            call_user_func($this->callback);
+        }
+
+        return $result;
+    }
+}
+```
+
+This decorator could be added to any existing stream and used like so:
+
+```php
+use GuzzleHttp\Psr7;
+
+$original = Psr7\Utils::streamFor('foo');
+
+$eofStream = new EofCallbackStream($original, function () {
+    echo 'EOF!';
+});
+
+$eofStream->read(2);
+$eofStream->read(1);
+// echoes "EOF!"
+$eofStream->seek(0);
+$eofStream->read(3);
+// echoes "EOF!"
+```
+
+
+## PHP StreamWrapper
+
+You can use the `GuzzleHttp\Psr7\StreamWrapper` class if you need to use a
+PSR-7 stream as a PHP stream resource.
+
+Use the `GuzzleHttp\Psr7\StreamWrapper::getResource()` method to create a PHP
+stream from a PSR-7 stream.
+
+```php
+use GuzzleHttp\Psr7\StreamWrapper;
+
+$stream = GuzzleHttp\Psr7\Utils::streamFor('hello!');
+$resource = StreamWrapper::getResource($stream);
+echo fread($resource, 6); // outputs hello!
+```
+
+
+# Static API
+
+There are various static methods available under the `GuzzleHttp\Psr7` namespace.
+
+
+## `GuzzleHttp\Psr7\Message::toString`
+
+`public static function toString(MessageInterface $message): string`
+
+Returns the string representation of an HTTP message.
+
+```php
+$request = new GuzzleHttp\Psr7\Request('GET', 'http://example.com');
+echo GuzzleHttp\Psr7\Message::toString($request);
+```
+
+
+## `GuzzleHttp\Psr7\Message::bodySummary`
+
+`public static function bodySummary(MessageInterface $message, int $truncateAt = 120): string|null`
+
+Get a short summary of the message body.
+
+Will return `null` if the response is not printable.
+
+
+## `GuzzleHttp\Psr7\Message::rewindBody`
+
+`public static function rewindBody(MessageInterface $message): void`
+
+Attempts to rewind a message body and throws an exception on failure.
+
+The body of the message will only be rewound if a call to `tell()`
+returns a value other than `0`.
+
+
+## `GuzzleHttp\Psr7\Message::parseMessage`
+
+`public static function parseMessage(string $message): array`
+
+Parses an HTTP message into an associative array.
+
+The array contains the "start-line" key containing the start line of
+the message, "headers" key containing an associative array of header
+array values, and a "body" key containing the body of the message.
+
+
+## `GuzzleHttp\Psr7\Message::parseRequestUri`
+
+`public static function parseRequestUri(string $path, array $headers): string`
+
+Constructs a URI for an HTTP request message.
+
+
+## `GuzzleHttp\Psr7\Message::parseRequest`
+
+`public static function parseRequest(string $message): Request`
+
+Parses a request message string into a request object.
+
+
+## `GuzzleHttp\Psr7\Message::parseResponse`
+
+`public static function parseResponse(string $message): Response`
+
+Parses a response message string into a response object.
+
+
+## `GuzzleHttp\Psr7\Header::parse`
+
+`public static function parse(string|array $header): array`
+
+Parse an array of header values containing ";" separated data into an
+array of associative arrays representing the header key value pair data
+of the header. When a parameter does not contain a value, but just
+contains a key, this function will inject a key with a '' string value.
+
+
+## `GuzzleHttp\Psr7\Header::splitList`
+
+`public static function splitList(string|string[] $header): string[]`
+
+Splits a HTTP header defined to contain a comma-separated list into
+each individual value:
+
+```
+$knownEtags = Header::splitList($request->getHeader('if-none-match'));
+```
+
+Example headers include `accept`, `cache-control` and `if-none-match`.
+
+
+## `GuzzleHttp\Psr7\Header::normalize` (deprecated)
+
+`public static function normalize(string|array $header): array`
+
+`Header::normalize()` is deprecated in favor of [`Header::splitList()`](README.md#guzzlehttppsr7headersplitlist)
+which performs the same operation with a cleaned up API and improved
+documentation.
+
+Converts an array of header values that may contain comma separated
+headers into an array of headers with no comma separated values.
+
+
+## `GuzzleHttp\Psr7\Query::parse`
+
+`public static function parse(string $str, int|bool $urlEncoding = true): array`
+
+Parse a query string into an associative array.
+
+If multiple values are found for the same key, the value of that key
+value pair will become an array. This function does not parse nested
+PHP style arrays into an associative array (e.g., `foo[a]=1&foo[b]=2`
+will be parsed into `['foo[a]' => '1', 'foo[b]' => '2'])`.
+
+
+## `GuzzleHttp\Psr7\Query::build`
+
+`public static function build(array $params, int|false $encoding = PHP_QUERY_RFC3986): string`
+
+Build a query string from an array of key value pairs.
+
+This function can use the return value of `parse()` to build a query
+string. This function does not modify the provided keys when an array is
+encountered (like `http_build_query()` would).
+
+
+## `GuzzleHttp\Psr7\Utils::caselessRemove`
+
+`public static function caselessRemove(iterable<string> $keys, $keys, array $data): array`
+
+Remove the items given by the keys, case insensitively from the data.
+
+
+## `GuzzleHttp\Psr7\Utils::copyToStream`
+
+`public static function copyToStream(StreamInterface $source, StreamInterface $dest, int $maxLen = -1): void`
+
+Copy the contents of a stream into another stream until the given number
+of bytes have been read.
+
+
+## `GuzzleHttp\Psr7\Utils::copyToString`
+
+`public static function copyToString(StreamInterface $stream, int $maxLen = -1): string`
+
+Copy the contents of a stream into a string until the given number of
+bytes have been read.
+
+
+## `GuzzleHttp\Psr7\Utils::hash`
+
+`public static function hash(StreamInterface $stream, string $algo, bool $rawOutput = false): string`
+
+Calculate a hash of a stream.
+
+This method reads the entire stream to calculate a rolling hash, based on
+PHP's `hash_init` functions.
+
+
+## `GuzzleHttp\Psr7\Utils::modifyRequest`
+
+`public static function modifyRequest(RequestInterface $request, array $changes): RequestInterface`
+
+Clone and modify a request with the given changes.
+
+This method is useful for reducing the number of clones needed to mutate
+a message.
+
+- method: (string) Changes the HTTP method.
+- set_headers: (array) Sets the given headers.
+- remove_headers: (array) Remove the given headers.
+- body: (mixed) Sets the given body.
+- uri: (UriInterface) Set the URI.
+- query: (string) Set the query string value of the URI.
+- version: (string) Set the protocol version.
+
+
+## `GuzzleHttp\Psr7\Utils::readLine`
+
+`public static function readLine(StreamInterface $stream, int $maxLength = null): string`
+
+Read a line from the stream up to the maximum allowed buffer length.
+
+
+## `GuzzleHttp\Psr7\Utils::streamFor`
+
+`public static function streamFor(resource|string|null|int|float|bool|StreamInterface|callable|\Iterator $resource = '', array $options = []): StreamInterface`
+
+Create a new stream based on the input type.
+
+Options is an associative array that can contain the following keys:
+
+- metadata: Array of custom metadata.
+- size: Size of the stream.
+
+This method accepts the following `$resource` types:
+
+- `Psr\Http\Message\StreamInterface`: Returns the value as-is.
+- `string`: Creates a stream object that uses the given string as the contents.
+- `resource`: Creates a stream object that wraps the given PHP stream resource.
+- `Iterator`: If the provided value implements `Iterator`, then a read-only
+  stream object will be created that wraps the given iterable. Each time the
+  stream is read from, data from the iterator will fill a buffer and will be
+  continuously called until the buffer is equal to the requested read size.
+  Subsequent read calls will first read from the buffer and then call `next`
+  on the underlying iterator until it is exhausted.
+- `object` with `__toString()`: If the object has the `__toString()` method,
+  the object will be cast to a string and then a stream will be returned that
+  uses the string value.
+- `NULL`: When `null` is passed, an empty stream object is returned.
+- `callable` When a callable is passed, a read-only stream object will be
+  created that invokes the given callable. The callable is invoked with the
+  number of suggested bytes to read. The callable can return any number of
+  bytes, but MUST return `false` when there is no more data to return. The
+  stream object that wraps the callable will invoke the callable until the
+  number of requested bytes are available. Any additional bytes will be
+  buffered and used in subsequent reads.
+
+```php
+$stream = GuzzleHttp\Psr7\Utils::streamFor('foo');
+$stream = GuzzleHttp\Psr7\Utils::streamFor(fopen('/path/to/file', 'r'));
+
+$generator = function ($bytes) {
+    for ($i = 0; $i < $bytes; $i++) {
+        yield ' ';
+    }
+}
+
+$stream = GuzzleHttp\Psr7\Utils::streamFor($generator(100));
+```
+
+
+## `GuzzleHttp\Psr7\Utils::tryFopen`
+
+`public static function tryFopen(string $filename, string $mode): resource`
+
+Safely opens a PHP stream resource using a filename.
+
+When fopen fails, PHP normally raises a warning. This function adds an
+error handler that checks for errors and throws an exception instead.
+
+
+## `GuzzleHttp\Psr7\Utils::tryGetContents`
+
+`public static function tryGetContents(resource $stream): string`
+
+Safely gets the contents of a given stream.
+
+When stream_get_contents fails, PHP normally raises a warning. This
+function adds an error handler that checks for errors and throws an
+exception instead.
+
+
+## `GuzzleHttp\Psr7\Utils::uriFor`
+
+`public static function uriFor(string|UriInterface $uri): UriInterface`
+
+Returns a UriInterface for the given value.
+
+This function accepts a string or UriInterface and returns a
+UriInterface for the given value. If the value is already a
+UriInterface, it is returned as-is.
+
+
+## `GuzzleHttp\Psr7\MimeType::fromFilename`
+
+`public static function fromFilename(string $filename): string|null`
+
+Determines the mimetype of a file by looking at its extension.
+
+
+## `GuzzleHttp\Psr7\MimeType::fromExtension`
+
+`public static function fromExtension(string $extension): string|null`
+
+Maps a file extensions to a mimetype.
+
+
+## Upgrading from Function API
+
+The static API was first introduced in 1.7.0, in order to mitigate problems with functions conflicting between global and local copies of the package. The function API was removed in 2.0.0. A migration table has been provided here for your convenience:
+
+| Original Function | Replacement Method |
+|----------------|----------------|
+| `str` | `Message::toString` |
+| `uri_for` | `Utils::uriFor` |
+| `stream_for` | `Utils::streamFor` |
+| `parse_header` | `Header::parse` |
+| `normalize_header` | `Header::normalize` |
+| `modify_request` | `Utils::modifyRequest` |
+| `rewind_body` | `Message::rewindBody` |
+| `try_fopen` | `Utils::tryFopen` |
+| `copy_to_string` | `Utils::copyToString` |
+| `copy_to_stream` | `Utils::copyToStream` |
+| `hash` | `Utils::hash` |
+| `readline` | `Utils::readLine` |
+| `parse_request` | `Message::parseRequest` |
+| `parse_response` | `Message::parseResponse` |
+| `parse_query` | `Query::parse` |
+| `build_query` | `Query::build` |
+| `mimetype_from_filename` | `MimeType::fromFilename` |
+| `mimetype_from_extension` | `MimeType::fromExtension` |
+| `_parse_message` | `Message::parseMessage` |
+| `_parse_request_uri` | `Message::parseRequestUri` |
+| `get_message_body_summary` | `Message::bodySummary` |
+| `_caseless_remove` | `Utils::caselessRemove` |
+
+
+# Additional URI Methods
+
+Aside from the standard `Psr\Http\Message\UriInterface` implementation in form of the `GuzzleHttp\Psr7\Uri` class,
+this library also provides additional functionality when working with URIs as static methods.
+
+## URI Types
+
+An instance of `Psr\Http\Message\UriInterface` can either be an absolute URI or a relative reference.
+An absolute URI has a scheme. A relative reference is used to express a URI relative to another URI,
+the base URI. Relative references can be divided into several forms according to
+[RFC 3986 Section 4.2](https://tools.ietf.org/html/rfc3986#section-4.2):
+
+- network-path references, e.g. `//example.com/path`
+- absolute-path references, e.g. `/path`
+- relative-path references, e.g. `subpath`
+
+The following methods can be used to identify the type of the URI.
+
+### `GuzzleHttp\Psr7\Uri::isAbsolute`
+
+`public static function isAbsolute(UriInterface $uri): bool`
+
+Whether the URI is absolute, i.e. it has a scheme.
+
+### `GuzzleHttp\Psr7\Uri::isNetworkPathReference`
+
+`public static function isNetworkPathReference(UriInterface $uri): bool`
+
+Whether the URI is a network-path reference. A relative reference that begins with two slash characters is
+termed an network-path reference.
+
+### `GuzzleHttp\Psr7\Uri::isAbsolutePathReference`
+
+`public static function isAbsolutePathReference(UriInterface $uri): bool`
+
+Whether the URI is a absolute-path reference. A relative reference that begins with a single slash character is
+termed an absolute-path reference.
+
+### `GuzzleHttp\Psr7\Uri::isRelativePathReference`
+
+`public static function isRelativePathReference(UriInterface $uri): bool`
+
+Whether the URI is a relative-path reference. A relative reference that does not begin with a slash character is
+termed a relative-path reference.
+
+### `GuzzleHttp\Psr7\Uri::isSameDocumentReference`
+
+`public static function isSameDocumentReference(UriInterface $uri, UriInterface $base = null): bool`
+
+Whether the URI is a same-document reference. A same-document reference refers to a URI that is, aside from its
+fragment component, identical to the base URI. When no base URI is given, only an empty URI reference
+(apart from its fragment) is considered a same-document reference.
+
+## URI Components
+
+Additional methods to work with URI components.
+
+### `GuzzleHttp\Psr7\Uri::isDefaultPort`
+
+`public static function isDefaultPort(UriInterface $uri): bool`
+
+Whether the URI has the default port of the current scheme. `Psr\Http\Message\UriInterface::getPort` may return null
+or the standard port. This method can be used independently of the implementation.
+
+### `GuzzleHttp\Psr7\Uri::composeComponents`
+
+`public static function composeComponents($scheme, $authority, $path, $query, $fragment): string`
+
+Composes a URI reference string from its various components according to
+[RFC 3986 Section 5.3](https://tools.ietf.org/html/rfc3986#section-5.3). Usually this method does not need to be called
+manually but instead is used indirectly via `Psr\Http\Message\UriInterface::__toString`.
+
+### `GuzzleHttp\Psr7\Uri::fromParts`
+
+`public static function fromParts(array $parts): UriInterface`
+
+Creates a URI from a hash of [`parse_url`](https://www.php.net/manual/en/function.parse-url.php) components.
+
+
+### `GuzzleHttp\Psr7\Uri::withQueryValue`
+
+`public static function withQueryValue(UriInterface $uri, $key, $value): UriInterface`
+
+Creates a new URI with a specific query string value. Any existing query string values that exactly match the
+provided key are removed and replaced with the given key value pair. A value of null will set the query string
+key without a value, e.g. "key" instead of "key=value".
+
+### `GuzzleHttp\Psr7\Uri::withQueryValues`
+
+`public static function withQueryValues(UriInterface $uri, array $keyValueArray): UriInterface`
+
+Creates a new URI with multiple query string values. It has the same behavior as `withQueryValue()` but for an
+associative array of key => value.
+
+### `GuzzleHttp\Psr7\Uri::withoutQueryValue`
+
+`public static function withoutQueryValue(UriInterface $uri, $key): UriInterface`
+
+Creates a new URI with a specific query string value removed. Any existing query string values that exactly match the
+provided key are removed.
+
+## Cross-Origin Detection
+
+`GuzzleHttp\Psr7\UriComparator` provides methods to determine if a modified URL should be considered cross-origin.
+
+### `GuzzleHttp\Psr7\UriComparator::isCrossOrigin`
+
+`public static function isCrossOrigin(UriInterface $original, UriInterface $modified): bool`
+
+Determines if a modified URL should be considered cross-origin with respect to an original URL.
+
+## Reference Resolution
+
+`GuzzleHttp\Psr7\UriResolver` provides methods to resolve a URI reference in the context of a base URI according
+to [RFC 3986 Section 5](https://tools.ietf.org/html/rfc3986#section-5). This is for example also what web browsers
+do when resolving a link in a website based on the current request URI.
+
+### `GuzzleHttp\Psr7\UriResolver::resolve`
+
+`public static function resolve(UriInterface $base, UriInterface $rel): UriInterface`
+
+Converts the relative URI into a new URI that is resolved against the base URI.
+
+### `GuzzleHttp\Psr7\UriResolver::removeDotSegments`
+
+`public static function removeDotSegments(string $path): string`
+
+Removes dot segments from a path and returns the new path according to
+[RFC 3986 Section 5.2.4](https://tools.ietf.org/html/rfc3986#section-5.2.4).
+
+### `GuzzleHttp\Psr7\UriResolver::relativize`
+
+`public static function relativize(UriInterface $base, UriInterface $target): UriInterface`
+
+Returns the target URI as a relative reference from the base URI. This method is the counterpart to resolve():
+
+```php
+(string) $target === (string) UriResolver::resolve($base, UriResolver::relativize($base, $target))
+```
+
+One use-case is to use the current request URI as base URI and then generate relative links in your documents
+to reduce the document size or offer self-contained downloadable document archives.
+
+```php
+$base = new Uri('http://example.com/a/b/');
+echo UriResolver::relativize($base, new Uri('http://example.com/a/b/c'));  // prints 'c'.
+echo UriResolver::relativize($base, new Uri('http://example.com/a/x/y'));  // prints '../x/y'.
+echo UriResolver::relativize($base, new Uri('http://example.com/a/b/?q')); // prints '?q'.
+echo UriResolver::relativize($base, new Uri('http://example.org/a/b/'));   // prints '//example.org/a/b/'.
+```
+
+## Normalization and Comparison
+
+`GuzzleHttp\Psr7\UriNormalizer` provides methods to normalize and compare URIs according to
+[RFC 3986 Section 6](https://tools.ietf.org/html/rfc3986#section-6).
+
+### `GuzzleHttp\Psr7\UriNormalizer::normalize`
+
+`public static function normalize(UriInterface $uri, $flags = self::PRESERVING_NORMALIZATIONS): UriInterface`
+
+Returns a normalized URI. The scheme and host component are already normalized to lowercase per PSR-7 UriInterface.
+This methods adds additional normalizations that can be configured with the `$flags` parameter which is a bitmask
+of normalizations to apply. The following normalizations are available:
+
+- `UriNormalizer::PRESERVING_NORMALIZATIONS`
+
+    Default normalizations which only include the ones that preserve semantics.
+
+- `UriNormalizer::CAPITALIZE_PERCENT_ENCODING`
+
+    All letters within a percent-encoding triplet (e.g., "%3A") are case-insensitive, and should be capitalized.
+
+    Example: `http://example.org/a%c2%b1b` → `http://example.org/a%C2%B1b`
+
+- `UriNormalizer::DECODE_UNRESERVED_CHARACTERS`
+
+    Decodes percent-encoded octets of unreserved characters. For consistency, percent-encoded octets in the ranges of
+    ALPHA (%41–%5A and %61–%7A), DIGIT (%30–%39), hyphen (%2D), period (%2E), underscore (%5F), or tilde (%7E) should
+    not be created by URI producers and, when found in a URI, should be decoded to their corresponding unreserved
+    characters by URI normalizers.
+
+    Example: `http://example.org/%7Eusern%61me/` → `http://example.org/~username/`
+
+- `UriNormalizer::CONVERT_EMPTY_PATH`
+
+    Converts the empty path to "/" for http and https URIs.
+
+    Example: `http://example.org` → `http://example.org/`
+
+- `UriNormalizer::REMOVE_DEFAULT_HOST`
+
+    Removes the default host of the given URI scheme from the URI. Only the "file" scheme defines the default host
+    "localhost". All of `file:/myfile`, `file:///myfile`, and `file://localhost/myfile` are equivalent according to
+    RFC 3986.
+
+    Example: `file://localhost/myfile` → `file:///myfile`
+
+- `UriNormalizer::REMOVE_DEFAULT_PORT`
+
+    Removes the default port of the given URI scheme from the URI.
+
+    Example: `http://example.org:80/` → `http://example.org/`
+
+- `UriNormalizer::REMOVE_DOT_SEGMENTS`
+
+    Removes unnecessary dot-segments. Dot-segments in relative-path references are not removed as it would
+    change the semantics of the URI reference.
+
+    Example: `http://example.org/../a/b/../c/./d.html` → `http://example.org/a/c/d.html`
+
+- `UriNormalizer::REMOVE_DUPLICATE_SLASHES`
+
+    Paths which include two or more adjacent slashes are converted to one. Webservers usually ignore duplicate slashes
+    and treat those URIs equivalent. But in theory those URIs do not need to be equivalent. So this normalization
+    may change the semantics. Encoded slashes (%2F) are not removed.
+
+    Example: `http://example.org//foo///bar.html` → `http://example.org/foo/bar.html`
+
+- `UriNormalizer::SORT_QUERY_PARAMETERS`
+
+    Sort query parameters with their values in alphabetical order. However, the order of parameters in a URI may be
+    significant (this is not defined by the standard). So this normalization is not safe and may change the semantics
+    of the URI.
+
+    Example: `?lang=en&article=fred` → `?article=fred&lang=en`
+
+### `GuzzleHttp\Psr7\UriNormalizer::isEquivalent`
+
+`public static function isEquivalent(UriInterface $uri1, UriInterface $uri2, $normalizations = self::PRESERVING_NORMALIZATIONS): bool`
+
+Whether two URIs can be considered equivalent. Both URIs are normalized automatically before comparison with the given
+`$normalizations` bitmask. The method also accepts relative URI references and returns true when they are equivalent.
+This of course assumes they will be resolved against the same base URI. If this is not the case, determination of
+equivalence or difference of relative references does not mean anything.
+
+
+## Version Guidance
+
+| Version | Status         | PHP Version      |
+|---------|----------------|------------------|
+| 1.x     | Security fixes | >=5.4,<8.1       |
+| 2.x     | Latest         | ^7.2.5 \|\| ^8.0 |
+
+
+## Security
+
+If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced. Please see [Security Policy](https://github.com/guzzle/psr7/security/policy) for more information.
+
+
+## License
+
+Guzzle is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information.
+
+
+## For Enterprise
+
+Available as part of the Tidelift Subscription
+
+The maintainers of Guzzle and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/packagist-guzzlehttp-psr7?utm_source=packagist-guzzlehttp-psr7&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json b/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json
new file mode 100644
index 000000000..cd91040cf
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json
@@ -0,0 +1,96 @@
+{
+    "name": "guzzlehttp/psr7",
+    "description": "PSR-7 message implementation that also provides common utility methods",
+    "keywords": [
+        "request",
+        "response",
+        "message",
+        "stream",
+        "http",
+        "uri",
+        "url",
+        "psr-7"
+    ],
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Graham Campbell",
+            "email": "hello@gjcampbell.co.uk",
+            "homepage": "https://github.com/GrahamCampbell"
+        },
+        {
+            "name": "Michael Dowling",
+            "email": "mtdowling@gmail.com",
+            "homepage": "https://github.com/mtdowling"
+        },
+        {
+            "name": "George Mponos",
+            "email": "gmponos@gmail.com",
+            "homepage": "https://github.com/gmponos"
+        },
+        {
+            "name": "Tobias Nyholm",
+            "email": "tobias.nyholm@gmail.com",
+            "homepage": "https://github.com/Nyholm"
+        },
+        {
+            "name": "Márk Sági-Kazár",
+            "email": "mark.sagikazar@gmail.com",
+            "homepage": "https://github.com/sagikazarmark"
+        },
+        {
+            "name": "Tobias Schultze",
+            "email": "webmaster@tubo-world.de",
+            "homepage": "https://github.com/Tobion"
+        },
+        {
+            "name": "Márk Sági-Kazár",
+            "email": "mark.sagikazar@gmail.com",
+            "homepage": "https://sagikazarmark.hu"
+        }
+    ],
+    "require": {
+        "php": "^7.2.5 || ^8.0",
+        "psr/http-factory": "^1.0",
+        "psr/http-message": "^1.0",
+        "ralouphie/getallheaders": "^3.0"
+    },
+    "provide": {
+        "psr/http-factory-implementation": "1.0",
+        "psr/http-message-implementation": "1.0"
+    },
+    "require-dev": {
+        "bamarni/composer-bin-plugin": "^1.8.1",
+        "http-interop/http-factory-tests": "^0.9",
+        "phpunit/phpunit": "^8.5.29 || ^9.5.23"
+    },
+    "suggest": {
+        "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+    },
+    "autoload": {
+        "psr-4": {
+            "GuzzleHttp\\Psr7\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "GuzzleHttp\\Tests\\Psr7\\": "tests/"
+        }
+    },
+    "extra": {
+        "bamarni-bin": {
+            "bin-links": true,
+            "forward-command": false
+        },
+        "branch-alias": {
+            "dev-master": "2.4-dev"
+        }
+    },
+    "config": {
+        "allow-plugins": {
+            "bamarni/composer-bin-plugin": true
+        },
+        "preferred-install": "dist",
+        "sort-packages": true
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/AppendStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/AppendStream.php
new file mode 100644
index 000000000..cbcfaee65
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/AppendStream.php
@@ -0,0 +1,248 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Reads from multiple streams, one after the other.
+ *
+ * This is a read-only stream decorator.
+ */
+final class AppendStream implements StreamInterface
+{
+    /** @var StreamInterface[] Streams being decorated */
+    private $streams = [];
+
+    /** @var bool */
+    private $seekable = true;
+
+    /** @var int */
+    private $current = 0;
+
+    /** @var int */
+    private $pos = 0;
+
+    /**
+     * @param StreamInterface[] $streams Streams to decorate. Each stream must
+     *                                   be readable.
+     */
+    public function __construct(array $streams = [])
+    {
+        foreach ($streams as $stream) {
+            $this->addStream($stream);
+        }
+    }
+
+    public function __toString(): string
+    {
+        try {
+            $this->rewind();
+            return $this->getContents();
+        } catch (\Throwable $e) {
+            if (\PHP_VERSION_ID >= 70400) {
+                throw $e;
+            }
+            trigger_error(sprintf('%s::__toString exception: %s', self::class, (string) $e), E_USER_ERROR);
+            return '';
+        }
+    }
+
+    /**
+     * Add a stream to the AppendStream
+     *
+     * @param StreamInterface $stream Stream to append. Must be readable.
+     *
+     * @throws \InvalidArgumentException if the stream is not readable
+     */
+    public function addStream(StreamInterface $stream): void
+    {
+        if (!$stream->isReadable()) {
+            throw new \InvalidArgumentException('Each stream must be readable');
+        }
+
+        // The stream is only seekable if all streams are seekable
+        if (!$stream->isSeekable()) {
+            $this->seekable = false;
+        }
+
+        $this->streams[] = $stream;
+    }
+
+    public function getContents(): string
+    {
+        return Utils::copyToString($this);
+    }
+
+    /**
+     * Closes each attached stream.
+     */
+    public function close(): void
+    {
+        $this->pos = $this->current = 0;
+        $this->seekable = true;
+
+        foreach ($this->streams as $stream) {
+            $stream->close();
+        }
+
+        $this->streams = [];
+    }
+
+    /**
+     * Detaches each attached stream.
+     *
+     * Returns null as it's not clear which underlying stream resource to return.
+     */
+    public function detach()
+    {
+        $this->pos = $this->current = 0;
+        $this->seekable = true;
+
+        foreach ($this->streams as $stream) {
+            $stream->detach();
+        }
+
+        $this->streams = [];
+
+        return null;
+    }
+
+    public function tell(): int
+    {
+        return $this->pos;
+    }
+
+    /**
+     * Tries to calculate the size by adding the size of each stream.
+     *
+     * If any of the streams do not return a valid number, then the size of the
+     * append stream cannot be determined and null is returned.
+     */
+    public function getSize(): ?int
+    {
+        $size = 0;
+
+        foreach ($this->streams as $stream) {
+            $s = $stream->getSize();
+            if ($s === null) {
+                return null;
+            }
+            $size += $s;
+        }
+
+        return $size;
+    }
+
+    public function eof(): bool
+    {
+        return !$this->streams ||
+            ($this->current >= count($this->streams) - 1 &&
+             $this->streams[$this->current]->eof());
+    }
+
+    public function rewind(): void
+    {
+        $this->seek(0);
+    }
+
+    /**
+     * Attempts to seek to the given position. Only supports SEEK_SET.
+     */
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        if (!$this->seekable) {
+            throw new \RuntimeException('This AppendStream is not seekable');
+        } elseif ($whence !== SEEK_SET) {
+            throw new \RuntimeException('The AppendStream can only seek with SEEK_SET');
+        }
+
+        $this->pos = $this->current = 0;
+
+        // Rewind each stream
+        foreach ($this->streams as $i => $stream) {
+            try {
+                $stream->rewind();
+            } catch (\Exception $e) {
+                throw new \RuntimeException('Unable to seek stream '
+                    . $i . ' of the AppendStream', 0, $e);
+            }
+        }
+
+        // Seek to the actual position by reading from each stream
+        while ($this->pos < $offset && !$this->eof()) {
+            $result = $this->read(min(8096, $offset - $this->pos));
+            if ($result === '') {
+                break;
+            }
+        }
+    }
+
+    /**
+     * Reads from all of the appended streams until the length is met or EOF.
+     */
+    public function read($length): string
+    {
+        $buffer = '';
+        $total = count($this->streams) - 1;
+        $remaining = $length;
+        $progressToNext = false;
+
+        while ($remaining > 0) {
+            // Progress to the next stream if needed.
+            if ($progressToNext || $this->streams[$this->current]->eof()) {
+                $progressToNext = false;
+                if ($this->current === $total) {
+                    break;
+                }
+                $this->current++;
+            }
+
+            $result = $this->streams[$this->current]->read($remaining);
+
+            if ($result === '') {
+                $progressToNext = true;
+                continue;
+            }
+
+            $buffer .= $result;
+            $remaining = $length - strlen($buffer);
+        }
+
+        $this->pos += strlen($buffer);
+
+        return $buffer;
+    }
+
+    public function isReadable(): bool
+    {
+        return true;
+    }
+
+    public function isWritable(): bool
+    {
+        return false;
+    }
+
+    public function isSeekable(): bool
+    {
+        return $this->seekable;
+    }
+
+    public function write($string): int
+    {
+        throw new \RuntimeException('Cannot write to an AppendStream');
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getMetadata($key = null)
+    {
+        return $key ? null : [];
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/BufferStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/BufferStream.php
new file mode 100644
index 000000000..21be8c0a9
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/BufferStream.php
@@ -0,0 +1,149 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Provides a buffer stream that can be written to to fill a buffer, and read
+ * from to remove bytes from the buffer.
+ *
+ * This stream returns a "hwm" metadata value that tells upstream consumers
+ * what the configured high water mark of the stream is, or the maximum
+ * preferred size of the buffer.
+ */
+final class BufferStream implements StreamInterface
+{
+    /** @var int */
+    private $hwm;
+
+    /** @var string */
+    private $buffer = '';
+
+    /**
+     * @param int $hwm High water mark, representing the preferred maximum
+     *                 buffer size. If the size of the buffer exceeds the high
+     *                 water mark, then calls to write will continue to succeed
+     *                 but will return 0 to inform writers to slow down
+     *                 until the buffer has been drained by reading from it.
+     */
+    public function __construct(int $hwm = 16384)
+    {
+        $this->hwm = $hwm;
+    }
+
+    public function __toString(): string
+    {
+        return $this->getContents();
+    }
+
+    public function getContents(): string
+    {
+        $buffer = $this->buffer;
+        $this->buffer = '';
+
+        return $buffer;
+    }
+
+    public function close(): void
+    {
+        $this->buffer = '';
+    }
+
+    public function detach()
+    {
+        $this->close();
+
+        return null;
+    }
+
+    public function getSize(): ?int
+    {
+        return strlen($this->buffer);
+    }
+
+    public function isReadable(): bool
+    {
+        return true;
+    }
+
+    public function isWritable(): bool
+    {
+        return true;
+    }
+
+    public function isSeekable(): bool
+    {
+        return false;
+    }
+
+    public function rewind(): void
+    {
+        $this->seek(0);
+    }
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        throw new \RuntimeException('Cannot seek a BufferStream');
+    }
+
+    public function eof(): bool
+    {
+        return strlen($this->buffer) === 0;
+    }
+
+    public function tell(): int
+    {
+        throw new \RuntimeException('Cannot determine the position of a BufferStream');
+    }
+
+    /**
+     * Reads data from the buffer.
+     */
+    public function read($length): string
+    {
+        $currentLength = strlen($this->buffer);
+
+        if ($length >= $currentLength) {
+            // No need to slice the buffer because we don't have enough data.
+            $result = $this->buffer;
+            $this->buffer = '';
+        } else {
+            // Slice up the result to provide a subset of the buffer.
+            $result = substr($this->buffer, 0, $length);
+            $this->buffer = substr($this->buffer, $length);
+        }
+
+        return $result;
+    }
+
+    /**
+     * Writes data to the buffer.
+     */
+    public function write($string): int
+    {
+        $this->buffer .= $string;
+
+        if (strlen($this->buffer) >= $this->hwm) {
+            return 0;
+        }
+
+        return strlen($string);
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getMetadata($key = null)
+    {
+        if ($key === 'hwm') {
+            return $this->hwm;
+        }
+
+        return $key ? null : [];
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/CachingStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/CachingStream.php
new file mode 100644
index 000000000..f34722cff
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/CachingStream.php
@@ -0,0 +1,153 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Stream decorator that can cache previously read bytes from a sequentially
+ * read stream.
+ */
+final class CachingStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var StreamInterface Stream being wrapped */
+    private $remoteStream;
+
+    /** @var int Number of bytes to skip reading due to a write on the buffer */
+    private $skipReadBytes = 0;
+
+    /**
+     * @var StreamInterface
+     */
+    private $stream;
+
+    /**
+     * We will treat the buffer object as the body of the stream
+     *
+     * @param StreamInterface $stream Stream to cache. The cursor is assumed to be at the beginning of the stream.
+     * @param StreamInterface $target Optionally specify where data is cached
+     */
+    public function __construct(
+        StreamInterface $stream,
+        StreamInterface $target = null
+    ) {
+        $this->remoteStream = $stream;
+        $this->stream = $target ?: new Stream(Utils::tryFopen('php://temp', 'r+'));
+    }
+
+    public function getSize(): ?int
+    {
+        $remoteSize = $this->remoteStream->getSize();
+
+        if (null === $remoteSize) {
+            return null;
+        }
+
+        return max($this->stream->getSize(), $remoteSize);
+    }
+
+    public function rewind(): void
+    {
+        $this->seek(0);
+    }
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        if ($whence === SEEK_SET) {
+            $byte = $offset;
+        } elseif ($whence === SEEK_CUR) {
+            $byte = $offset + $this->tell();
+        } elseif ($whence === SEEK_END) {
+            $size = $this->remoteStream->getSize();
+            if ($size === null) {
+                $size = $this->cacheEntireStream();
+            }
+            $byte = $size + $offset;
+        } else {
+            throw new \InvalidArgumentException('Invalid whence');
+        }
+
+        $diff = $byte - $this->stream->getSize();
+
+        if ($diff > 0) {
+            // Read the remoteStream until we have read in at least the amount
+            // of bytes requested, or we reach the end of the file.
+            while ($diff > 0 && !$this->remoteStream->eof()) {
+                $this->read($diff);
+                $diff = $byte - $this->stream->getSize();
+            }
+        } else {
+            // We can just do a normal seek since we've already seen this byte.
+            $this->stream->seek($byte);
+        }
+    }
+
+    public function read($length): string
+    {
+        // Perform a regular read on any previously read data from the buffer
+        $data = $this->stream->read($length);
+        $remaining = $length - strlen($data);
+
+        // More data was requested so read from the remote stream
+        if ($remaining) {
+            // If data was written to the buffer in a position that would have
+            // been filled from the remote stream, then we must skip bytes on
+            // the remote stream to emulate overwriting bytes from that
+            // position. This mimics the behavior of other PHP stream wrappers.
+            $remoteData = $this->remoteStream->read(
+                $remaining + $this->skipReadBytes
+            );
+
+            if ($this->skipReadBytes) {
+                $len = strlen($remoteData);
+                $remoteData = substr($remoteData, $this->skipReadBytes);
+                $this->skipReadBytes = max(0, $this->skipReadBytes - $len);
+            }
+
+            $data .= $remoteData;
+            $this->stream->write($remoteData);
+        }
+
+        return $data;
+    }
+
+    public function write($string): int
+    {
+        // When appending to the end of the currently read stream, you'll want
+        // to skip bytes from being read from the remote stream to emulate
+        // other stream wrappers. Basically replacing bytes of data of a fixed
+        // length.
+        $overflow = (strlen($string) + $this->tell()) - $this->remoteStream->tell();
+        if ($overflow > 0) {
+            $this->skipReadBytes += $overflow;
+        }
+
+        return $this->stream->write($string);
+    }
+
+    public function eof(): bool
+    {
+        return $this->stream->eof() && $this->remoteStream->eof();
+    }
+
+    /**
+     * Close both the remote stream and buffer stream
+     */
+    public function close(): void
+    {
+        $this->remoteStream->close();
+        $this->stream->close();
+    }
+
+    private function cacheEntireStream(): int
+    {
+        $target = new FnStream(['write' => 'strlen']);
+        Utils::copyToStream($this, $target);
+
+        return $this->tell();
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/DroppingStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/DroppingStream.php
new file mode 100644
index 000000000..6e3d209d0
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/DroppingStream.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Stream decorator that begins dropping data once the size of the underlying
+ * stream becomes too full.
+ */
+final class DroppingStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var int */
+    private $maxLength;
+
+    /** @var StreamInterface */
+    private $stream;
+
+    /**
+     * @param StreamInterface $stream    Underlying stream to decorate.
+     * @param int             $maxLength Maximum size before dropping data.
+     */
+    public function __construct(StreamInterface $stream, int $maxLength)
+    {
+        $this->stream = $stream;
+        $this->maxLength = $maxLength;
+    }
+
+    public function write($string): int
+    {
+        $diff = $this->maxLength - $this->stream->getSize();
+
+        // Begin returning 0 when the underlying stream is too large.
+        if ($diff <= 0) {
+            return 0;
+        }
+
+        // Write the stream or a subset of the stream if needed.
+        if (strlen($string) < $diff) {
+            return $this->stream->write($string);
+        }
+
+        return $this->stream->write(substr($string, 0, $diff));
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Exception/MalformedUriException.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Exception/MalformedUriException.php
new file mode 100644
index 000000000..3a084779a
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Exception/MalformedUriException.php
@@ -0,0 +1,14 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7\Exception;
+
+use InvalidArgumentException;
+
+/**
+ * Exception thrown if a URI cannot be parsed because it's malformed.
+ */
+class MalformedUriException extends InvalidArgumentException
+{
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/FnStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/FnStream.php
new file mode 100644
index 000000000..3a1a9512e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/FnStream.php
@@ -0,0 +1,180 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Compose stream implementations based on a hash of functions.
+ *
+ * Allows for easy testing and extension of a provided stream without needing
+ * to create a concrete class for a simple extension point.
+ */
+#[\AllowDynamicProperties]
+final class FnStream implements StreamInterface
+{
+    private const SLOTS = [
+        '__toString', 'close', 'detach', 'rewind',
+        'getSize', 'tell', 'eof', 'isSeekable', 'seek', 'isWritable', 'write',
+        'isReadable', 'read', 'getContents', 'getMetadata'
+    ];
+
+    /** @var array<string, callable> */
+    private $methods;
+
+    /**
+     * @param array<string, callable> $methods Hash of method name to a callable.
+     */
+    public function __construct(array $methods)
+    {
+        $this->methods = $methods;
+
+        // Create the functions on the class
+        foreach ($methods as $name => $fn) {
+            $this->{'_fn_' . $name} = $fn;
+        }
+    }
+
+    /**
+     * Lazily determine which methods are not implemented.
+     *
+     * @throws \BadMethodCallException
+     */
+    public function __get(string $name): void
+    {
+        throw new \BadMethodCallException(str_replace('_fn_', '', $name)
+            . '() is not implemented in the FnStream');
+    }
+
+    /**
+     * The close method is called on the underlying stream only if possible.
+     */
+    public function __destruct()
+    {
+        if (isset($this->_fn_close)) {
+            call_user_func($this->_fn_close);
+        }
+    }
+
+    /**
+     * An unserialize would allow the __destruct to run when the unserialized value goes out of scope.
+     *
+     * @throws \LogicException
+     */
+    public function __wakeup(): void
+    {
+        throw new \LogicException('FnStream should never be unserialized');
+    }
+
+    /**
+     * Adds custom functionality to an underlying stream by intercepting
+     * specific method calls.
+     *
+     * @param StreamInterface         $stream  Stream to decorate
+     * @param array<string, callable> $methods Hash of method name to a closure
+     *
+     * @return FnStream
+     */
+    public static function decorate(StreamInterface $stream, array $methods)
+    {
+        // If any of the required methods were not provided, then simply
+        // proxy to the decorated stream.
+        foreach (array_diff(self::SLOTS, array_keys($methods)) as $diff) {
+            /** @var callable $callable */
+            $callable = [$stream, $diff];
+            $methods[$diff] = $callable;
+        }
+
+        return new self($methods);
+    }
+
+    public function __toString(): string
+    {
+        try {
+            return call_user_func($this->_fn___toString);
+        } catch (\Throwable $e) {
+            if (\PHP_VERSION_ID >= 70400) {
+                throw $e;
+            }
+            trigger_error(sprintf('%s::__toString exception: %s', self::class, (string) $e), E_USER_ERROR);
+            return '';
+        }
+    }
+
+    public function close(): void
+    {
+        call_user_func($this->_fn_close);
+    }
+
+    public function detach()
+    {
+        return call_user_func($this->_fn_detach);
+    }
+
+    public function getSize(): ?int
+    {
+        return call_user_func($this->_fn_getSize);
+    }
+
+    public function tell(): int
+    {
+        return call_user_func($this->_fn_tell);
+    }
+
+    public function eof(): bool
+    {
+        return call_user_func($this->_fn_eof);
+    }
+
+    public function isSeekable(): bool
+    {
+        return call_user_func($this->_fn_isSeekable);
+    }
+
+    public function rewind(): void
+    {
+        call_user_func($this->_fn_rewind);
+    }
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        call_user_func($this->_fn_seek, $offset, $whence);
+    }
+
+    public function isWritable(): bool
+    {
+        return call_user_func($this->_fn_isWritable);
+    }
+
+    public function write($string): int
+    {
+        return call_user_func($this->_fn_write, $string);
+    }
+
+    public function isReadable(): bool
+    {
+        return call_user_func($this->_fn_isReadable);
+    }
+
+    public function read($length): string
+    {
+        return call_user_func($this->_fn_read, $length);
+    }
+
+    public function getContents(): string
+    {
+        return call_user_func($this->_fn_getContents);
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getMetadata($key = null)
+    {
+        return call_user_func($this->_fn_getMetadata, $key);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Header.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Header.php
new file mode 100644
index 000000000..4d7005b22
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Header.php
@@ -0,0 +1,134 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+final class Header
+{
+    /**
+     * Parse an array of header values containing ";" separated data into an
+     * array of associative arrays representing the header key value pair data
+     * of the header. When a parameter does not contain a value, but just
+     * contains a key, this function will inject a key with a '' string value.
+     *
+     * @param string|array $header Header to parse into components.
+     */
+    public static function parse($header): array
+    {
+        static $trimmed = "\"'  \n\t\r";
+        $params = $matches = [];
+
+        foreach ((array) $header as $value) {
+            foreach (self::splitList($value) as $val) {
+                $part = [];
+                foreach (preg_split('/;(?=([^"]*"[^"]*")*[^"]*$)/', $val) as $kvp) {
+                    if (preg_match_all('/<[^>]+>|[^=]+/', $kvp, $matches)) {
+                        $m = $matches[0];
+                        if (isset($m[1])) {
+                            $part[trim($m[0], $trimmed)] = trim($m[1], $trimmed);
+                        } else {
+                            $part[] = trim($m[0], $trimmed);
+                        }
+                    }
+                }
+                if ($part) {
+                    $params[] = $part;
+                }
+            }
+        }
+
+        return $params;
+    }
+
+    /**
+     * Converts an array of header values that may contain comma separated
+     * headers into an array of headers with no comma separated values.
+     *
+     * @param string|array $header Header to normalize.
+     *
+     * @deprecated Use self::splitList() instead.
+     */
+    public static function normalize($header): array
+    {
+        $result = [];
+        foreach ((array) $header as $value) {
+            foreach (self::splitList($value) as $parsed) {
+                $result[] = $parsed;
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * Splits a HTTP header defined to contain a comma-separated list into
+     * each individual value. Empty values will be removed.
+     *
+     * Example headers include 'accept', 'cache-control' and 'if-none-match'.
+     *
+     * This method must not be used to parse headers that are not defined as
+     * a list, such as 'user-agent' or 'set-cookie'.
+     *
+     * @param string|string[] $values Header value as returned by MessageInterface::getHeader()
+     *
+     * @return string[]
+     */
+    public static function splitList($values): array
+    {
+        if (!\is_array($values)) {
+            $values = [$values];
+        }
+
+        $result = [];
+        foreach ($values as $value) {
+            if (!\is_string($value)) {
+                throw new \TypeError('$header must either be a string or an array containing strings.');
+            }
+
+            $v = '';
+            $isQuoted = false;
+            $isEscaped = false;
+            for ($i = 0, $max = \strlen($value); $i < $max; $i++) {
+                if ($isEscaped) {
+                    $v .= $value[$i];
+                    $isEscaped = false;
+
+                    continue;
+                }
+
+                if (!$isQuoted && $value[$i] === ',') {
+                    $v = \trim($v);
+                    if ($v !== '') {
+                        $result[] = $v;
+                    }
+
+                    $v = '';
+                    continue;
+                }
+
+                if ($isQuoted && $value[$i] === '\\') {
+                    $isEscaped = true;
+                    $v .= $value[$i];
+
+                    continue;
+                }
+                if ($value[$i] === '"') {
+                    $isQuoted = !$isQuoted;
+                    $v .= $value[$i];
+
+                    continue;
+                }
+
+                $v .= $value[$i];
+            }
+
+            $v = \trim($v);
+            if ($v !== '') {
+                $result[] = $v;
+            }
+        }
+
+        return $result;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/HttpFactory.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/HttpFactory.php
new file mode 100644
index 000000000..30be222fc
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/HttpFactory.php
@@ -0,0 +1,100 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\RequestFactoryInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseFactoryInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestFactoryInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Message\StreamFactoryInterface;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UploadedFileFactoryInterface;
+use Psr\Http\Message\UploadedFileInterface;
+use Psr\Http\Message\UriFactoryInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Implements all of the PSR-17 interfaces.
+ *
+ * Note: in consuming code it is recommended to require the implemented interfaces
+ * and inject the instance of this class multiple times.
+ */
+final class HttpFactory implements
+    RequestFactoryInterface,
+    ResponseFactoryInterface,
+    ServerRequestFactoryInterface,
+    StreamFactoryInterface,
+    UploadedFileFactoryInterface,
+    UriFactoryInterface
+{
+    public function createUploadedFile(
+        StreamInterface $stream,
+        int $size = null,
+        int $error = \UPLOAD_ERR_OK,
+        string $clientFilename = null,
+        string $clientMediaType = null
+    ): UploadedFileInterface {
+        if ($size === null) {
+            $size = $stream->getSize();
+        }
+
+        return new UploadedFile($stream, $size, $error, $clientFilename, $clientMediaType);
+    }
+
+    public function createStream(string $content = ''): StreamInterface
+    {
+        return Utils::streamFor($content);
+    }
+
+    public function createStreamFromFile(string $file, string $mode = 'r'): StreamInterface
+    {
+        try {
+            $resource = Utils::tryFopen($file, $mode);
+        } catch (\RuntimeException $e) {
+            if ('' === $mode || false === \in_array($mode[0], ['r', 'w', 'a', 'x', 'c'], true)) {
+                throw new \InvalidArgumentException(sprintf('Invalid file opening mode "%s"', $mode), 0, $e);
+            }
+
+            throw $e;
+        }
+
+        return Utils::streamFor($resource);
+    }
+
+    public function createStreamFromResource($resource): StreamInterface
+    {
+        return Utils::streamFor($resource);
+    }
+
+    public function createServerRequest(string $method, $uri, array $serverParams = []): ServerRequestInterface
+    {
+        if (empty($method)) {
+            if (!empty($serverParams['REQUEST_METHOD'])) {
+                $method = $serverParams['REQUEST_METHOD'];
+            } else {
+                throw new \InvalidArgumentException('Cannot determine HTTP method');
+            }
+        }
+
+        return new ServerRequest($method, $uri, [], null, '1.1', $serverParams);
+    }
+
+    public function createResponse(int $code = 200, string $reasonPhrase = ''): ResponseInterface
+    {
+        return new Response($code, [], null, '1.1', $reasonPhrase);
+    }
+
+    public function createRequest(string $method, $uri): RequestInterface
+    {
+        return new Request($method, $uri);
+    }
+
+    public function createUri(string $uri = ''): UriInterface
+    {
+        return new Uri($uri);
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/InflateStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/InflateStream.php
new file mode 100644
index 000000000..8e00f1c32
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/InflateStream.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Uses PHP's zlib.inflate filter to inflate zlib (HTTP deflate, RFC1950) or gzipped (RFC1952) content.
+ *
+ * This stream decorator converts the provided stream to a PHP stream resource,
+ * then appends the zlib.inflate filter. The stream is then converted back
+ * to a Guzzle stream resource to be used as a Guzzle stream.
+ *
+ * @link http://tools.ietf.org/html/rfc1950
+ * @link http://tools.ietf.org/html/rfc1952
+ * @link http://php.net/manual/en/filters.compression.php
+ */
+final class InflateStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var StreamInterface */
+    private $stream;
+
+    public function __construct(StreamInterface $stream)
+    {
+        $resource = StreamWrapper::getResource($stream);
+        // Specify window=15+32, so zlib will use header detection to both gzip (with header) and zlib data
+        // See http://www.zlib.net/manual.html#Advanced definition of inflateInit2
+        // "Add 32 to windowBits to enable zlib and gzip decoding with automatic header detection"
+        // Default window size is 15.
+        stream_filter_append($resource, 'zlib.inflate', STREAM_FILTER_READ, ['window' => 15 + 32]);
+        $this->stream = $stream->isSeekable() ? new Stream($resource) : new NoSeekStream(new Stream($resource));
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/LazyOpenStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/LazyOpenStream.php
new file mode 100644
index 000000000..f6c84904e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/LazyOpenStream.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Lazily reads or writes to a file that is opened only after an IO operation
+ * take place on the stream.
+ */
+final class LazyOpenStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var string */
+    private $filename;
+
+    /** @var string */
+    private $mode;
+
+    /**
+     * @var StreamInterface
+     */
+    private $stream;
+
+    /**
+     * @param string $filename File to lazily open
+     * @param string $mode     fopen mode to use when opening the stream
+     */
+    public function __construct(string $filename, string $mode)
+    {
+        $this->filename = $filename;
+        $this->mode = $mode;
+
+        // unsetting the property forces the first access to go through
+        // __get().
+        unset($this->stream);
+    }
+
+    /**
+     * Creates the underlying stream lazily when required.
+     */
+    protected function createStream(): StreamInterface
+    {
+        return Utils::streamFor(Utils::tryFopen($this->filename, $this->mode));
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/LimitStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/LimitStream.php
new file mode 100644
index 000000000..fb2232557
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/LimitStream.php
@@ -0,0 +1,157 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Decorator used to return only a subset of a stream.
+ */
+final class LimitStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var int Offset to start reading from */
+    private $offset;
+
+    /** @var int Limit the number of bytes that can be read */
+    private $limit;
+
+    /** @var StreamInterface */
+    private $stream;
+
+    /**
+     * @param StreamInterface $stream Stream to wrap
+     * @param int             $limit  Total number of bytes to allow to be read
+     *                                from the stream. Pass -1 for no limit.
+     * @param int             $offset Position to seek to before reading (only
+     *                                works on seekable streams).
+     */
+    public function __construct(
+        StreamInterface $stream,
+        int $limit = -1,
+        int $offset = 0
+    ) {
+        $this->stream = $stream;
+        $this->setLimit($limit);
+        $this->setOffset($offset);
+    }
+
+    public function eof(): bool
+    {
+        // Always return true if the underlying stream is EOF
+        if ($this->stream->eof()) {
+            return true;
+        }
+
+        // No limit and the underlying stream is not at EOF
+        if ($this->limit === -1) {
+            return false;
+        }
+
+        return $this->stream->tell() >= $this->offset + $this->limit;
+    }
+
+    /**
+     * Returns the size of the limited subset of data
+     */
+    public function getSize(): ?int
+    {
+        if (null === ($length = $this->stream->getSize())) {
+            return null;
+        } elseif ($this->limit === -1) {
+            return $length - $this->offset;
+        } else {
+            return min($this->limit, $length - $this->offset);
+        }
+    }
+
+    /**
+     * Allow for a bounded seek on the read limited stream
+     */
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        if ($whence !== SEEK_SET || $offset < 0) {
+            throw new \RuntimeException(sprintf(
+                'Cannot seek to offset %s with whence %s',
+                $offset,
+                $whence
+            ));
+        }
+
+        $offset += $this->offset;
+
+        if ($this->limit !== -1) {
+            if ($offset > $this->offset + $this->limit) {
+                $offset = $this->offset + $this->limit;
+            }
+        }
+
+        $this->stream->seek($offset);
+    }
+
+    /**
+     * Give a relative tell()
+     */
+    public function tell(): int
+    {
+        return $this->stream->tell() - $this->offset;
+    }
+
+    /**
+     * Set the offset to start limiting from
+     *
+     * @param int $offset Offset to seek to and begin byte limiting from
+     *
+     * @throws \RuntimeException if the stream cannot be seeked.
+     */
+    public function setOffset(int $offset): void
+    {
+        $current = $this->stream->tell();
+
+        if ($current !== $offset) {
+            // If the stream cannot seek to the offset position, then read to it
+            if ($this->stream->isSeekable()) {
+                $this->stream->seek($offset);
+            } elseif ($current > $offset) {
+                throw new \RuntimeException("Could not seek to stream offset $offset");
+            } else {
+                $this->stream->read($offset - $current);
+            }
+        }
+
+        $this->offset = $offset;
+    }
+
+    /**
+     * Set the limit of bytes that the decorator allows to be read from the
+     * stream.
+     *
+     * @param int $limit Number of bytes to allow to be read from the stream.
+     *                   Use -1 for no limit.
+     */
+    public function setLimit(int $limit): void
+    {
+        $this->limit = $limit;
+    }
+
+    public function read($length): string
+    {
+        if ($this->limit === -1) {
+            return $this->stream->read($length);
+        }
+
+        // Check if the current position is less than the total allowed
+        // bytes + original offset
+        $remaining = ($this->offset + $this->limit) - $this->stream->tell();
+        if ($remaining > 0) {
+            // Only return the amount of requested data, ensuring that the byte
+            // limit is not exceeded
+            return $this->stream->read(min($remaining, $length));
+        }
+
+        return '';
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php
new file mode 100644
index 000000000..61c1a5dcc
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php
@@ -0,0 +1,246 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\MessageInterface;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+final class Message
+{
+    /**
+     * Returns the string representation of an HTTP message.
+     *
+     * @param MessageInterface $message Message to convert to a string.
+     */
+    public static function toString(MessageInterface $message): string
+    {
+        if ($message instanceof RequestInterface) {
+            $msg = trim($message->getMethod() . ' '
+                    . $message->getRequestTarget())
+                . ' HTTP/' . $message->getProtocolVersion();
+            if (!$message->hasHeader('host')) {
+                $msg .= "\r\nHost: " . $message->getUri()->getHost();
+            }
+        } elseif ($message instanceof ResponseInterface) {
+            $msg = 'HTTP/' . $message->getProtocolVersion() . ' '
+                . $message->getStatusCode() . ' '
+                . $message->getReasonPhrase();
+        } else {
+            throw new \InvalidArgumentException('Unknown message type');
+        }
+
+        foreach ($message->getHeaders() as $name => $values) {
+            if (strtolower($name) === 'set-cookie') {
+                foreach ($values as $value) {
+                    $msg .= "\r\n{$name}: " . $value;
+                }
+            } else {
+                $msg .= "\r\n{$name}: " . implode(', ', $values);
+            }
+        }
+
+        return "{$msg}\r\n\r\n" . $message->getBody();
+    }
+
+    /**
+     * Get a short summary of the message body.
+     *
+     * Will return `null` if the response is not printable.
+     *
+     * @param MessageInterface $message    The message to get the body summary
+     * @param int              $truncateAt The maximum allowed size of the summary
+     */
+    public static function bodySummary(MessageInterface $message, int $truncateAt = 120): ?string
+    {
+        $body = $message->getBody();
+
+        if (!$body->isSeekable() || !$body->isReadable()) {
+            return null;
+        }
+
+        $size = $body->getSize();
+
+        if ($size === 0) {
+            return null;
+        }
+
+        $body->rewind();
+        $summary = $body->read($truncateAt);
+        $body->rewind();
+
+        if ($size > $truncateAt) {
+            $summary .= ' (truncated...)';
+        }
+
+        // Matches any printable character, including unicode characters:
+        // letters, marks, numbers, punctuation, spacing, and separators.
+        if (preg_match('/[^\pL\pM\pN\pP\pS\pZ\n\r\t]/u', $summary)) {
+            return null;
+        }
+
+        return $summary;
+    }
+
+    /**
+     * Attempts to rewind a message body and throws an exception on failure.
+     *
+     * The body of the message will only be rewound if a call to `tell()`
+     * returns a value other than `0`.
+     *
+     * @param MessageInterface $message Message to rewind
+     *
+     * @throws \RuntimeException
+     */
+    public static function rewindBody(MessageInterface $message): void
+    {
+        $body = $message->getBody();
+
+        if ($body->tell()) {
+            $body->rewind();
+        }
+    }
+
+    /**
+     * Parses an HTTP message into an associative array.
+     *
+     * The array contains the "start-line" key containing the start line of
+     * the message, "headers" key containing an associative array of header
+     * array values, and a "body" key containing the body of the message.
+     *
+     * @param string $message HTTP request or response to parse.
+     */
+    public static function parseMessage(string $message): array
+    {
+        if (!$message) {
+            throw new \InvalidArgumentException('Invalid message');
+        }
+
+        $message = ltrim($message, "\r\n");
+
+        $messageParts = preg_split("/\r?\n\r?\n/", $message, 2);
+
+        if ($messageParts === false || count($messageParts) !== 2) {
+            throw new \InvalidArgumentException('Invalid message: Missing header delimiter');
+        }
+
+        [$rawHeaders, $body] = $messageParts;
+        $rawHeaders .= "\r\n"; // Put back the delimiter we split previously
+        $headerParts = preg_split("/\r?\n/", $rawHeaders, 2);
+
+        if ($headerParts === false || count($headerParts) !== 2) {
+            throw new \InvalidArgumentException('Invalid message: Missing status line');
+        }
+
+        [$startLine, $rawHeaders] = $headerParts;
+
+        if (preg_match("/(?:^HTTP\/|^[A-Z]+ \S+ HTTP\/)(\d+(?:\.\d+)?)/i", $startLine, $matches) && $matches[1] === '1.0') {
+            // Header folding is deprecated for HTTP/1.1, but allowed in HTTP/1.0
+            $rawHeaders = preg_replace(Rfc7230::HEADER_FOLD_REGEX, ' ', $rawHeaders);
+        }
+
+        /** @var array[] $headerLines */
+        $count = preg_match_all(Rfc7230::HEADER_REGEX, $rawHeaders, $headerLines, PREG_SET_ORDER);
+
+        // If these aren't the same, then one line didn't match and there's an invalid header.
+        if ($count !== substr_count($rawHeaders, "\n")) {
+            // Folding is deprecated, see https://tools.ietf.org/html/rfc7230#section-3.2.4
+            if (preg_match(Rfc7230::HEADER_FOLD_REGEX, $rawHeaders)) {
+                throw new \InvalidArgumentException('Invalid header syntax: Obsolete line folding');
+            }
+
+            throw new \InvalidArgumentException('Invalid header syntax');
+        }
+
+        $headers = [];
+
+        foreach ($headerLines as $headerLine) {
+            $headers[$headerLine[1]][] = $headerLine[2];
+        }
+
+        return [
+            'start-line' => $startLine,
+            'headers' => $headers,
+            'body' => $body,
+        ];
+    }
+
+    /**
+     * Constructs a URI for an HTTP request message.
+     *
+     * @param string $path    Path from the start-line
+     * @param array  $headers Array of headers (each value an array).
+     */
+    public static function parseRequestUri(string $path, array $headers): string
+    {
+        $hostKey = array_filter(array_keys($headers), function ($k) {
+            // Numeric array keys are converted to int by PHP.
+            $k = (string) $k;
+
+            return strtolower($k) === 'host';
+        });
+
+        // If no host is found, then a full URI cannot be constructed.
+        if (!$hostKey) {
+            return $path;
+        }
+
+        $host = $headers[reset($hostKey)][0];
+        $scheme = substr($host, -4) === ':443' ? 'https' : 'http';
+
+        return $scheme . '://' . $host . '/' . ltrim($path, '/');
+    }
+
+    /**
+     * Parses a request message string into a request object.
+     *
+     * @param string $message Request message string.
+     */
+    public static function parseRequest(string $message): RequestInterface
+    {
+        $data = self::parseMessage($message);
+        $matches = [];
+        if (!preg_match('/^[\S]+\s+([a-zA-Z]+:\/\/|\/).*/', $data['start-line'], $matches)) {
+            throw new \InvalidArgumentException('Invalid request string');
+        }
+        $parts = explode(' ', $data['start-line'], 3);
+        $version = isset($parts[2]) ? explode('/', $parts[2])[1] : '1.1';
+
+        $request = new Request(
+            $parts[0],
+            $matches[1] === '/' ? self::parseRequestUri($parts[1], $data['headers']) : $parts[1],
+            $data['headers'],
+            $data['body'],
+            $version
+        );
+
+        return $matches[1] === '/' ? $request : $request->withRequestTarget($parts[1]);
+    }
+
+    /**
+     * Parses a response message string into a response object.
+     *
+     * @param string $message Response message string.
+     */
+    public static function parseResponse(string $message): ResponseInterface
+    {
+        $data = self::parseMessage($message);
+        // According to https://tools.ietf.org/html/rfc7230#section-3.1.2 the space
+        // between status-code and reason-phrase is required. But browsers accept
+        // responses without space and reason as well.
+        if (!preg_match('/^HTTP\/.* [0-9]{3}( .*|$)/', $data['start-line'])) {
+            throw new \InvalidArgumentException('Invalid response string: ' . $data['start-line']);
+        }
+        $parts = explode(' ', $data['start-line'], 3);
+
+        return new Response(
+            (int) $parts[1],
+            $data['headers'],
+            $data['body'],
+            explode('/', $parts[0])[1],
+            $parts[2] ?? null
+        );
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php
new file mode 100644
index 000000000..d2dc28b60
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php
@@ -0,0 +1,264 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\MessageInterface;
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Trait implementing functionality common to requests and responses.
+ */
+trait MessageTrait
+{
+    /** @var array<string, string[]> Map of all registered headers, as original name => array of values */
+    private $headers = [];
+
+    /** @var array<string, string> Map of lowercase header name => original name at registration */
+    private $headerNames  = [];
+
+    /** @var string */
+    private $protocol = '1.1';
+
+    /** @var StreamInterface|null */
+    private $stream;
+
+    public function getProtocolVersion(): string
+    {
+        return $this->protocol;
+    }
+
+    public function withProtocolVersion($version): MessageInterface
+    {
+        if ($this->protocol === $version) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->protocol = $version;
+        return $new;
+    }
+
+    public function getHeaders(): array
+    {
+        return $this->headers;
+    }
+
+    public function hasHeader($header): bool
+    {
+        return isset($this->headerNames[strtolower($header)]);
+    }
+
+    public function getHeader($header): array
+    {
+        $header = strtolower($header);
+
+        if (!isset($this->headerNames[$header])) {
+            return [];
+        }
+
+        $header = $this->headerNames[$header];
+
+        return $this->headers[$header];
+    }
+
+    public function getHeaderLine($header): string
+    {
+        return implode(', ', $this->getHeader($header));
+    }
+
+    public function withHeader($header, $value): MessageInterface
+    {
+        $this->assertHeader($header);
+        $value = $this->normalizeHeaderValue($value);
+        $normalized = strtolower($header);
+
+        $new = clone $this;
+        if (isset($new->headerNames[$normalized])) {
+            unset($new->headers[$new->headerNames[$normalized]]);
+        }
+        $new->headerNames[$normalized] = $header;
+        $new->headers[$header] = $value;
+
+        return $new;
+    }
+
+    public function withAddedHeader($header, $value): MessageInterface
+    {
+        $this->assertHeader($header);
+        $value = $this->normalizeHeaderValue($value);
+        $normalized = strtolower($header);
+
+        $new = clone $this;
+        if (isset($new->headerNames[$normalized])) {
+            $header = $this->headerNames[$normalized];
+            $new->headers[$header] = array_merge($this->headers[$header], $value);
+        } else {
+            $new->headerNames[$normalized] = $header;
+            $new->headers[$header] = $value;
+        }
+
+        return $new;
+    }
+
+    public function withoutHeader($header): MessageInterface
+    {
+        $normalized = strtolower($header);
+
+        if (!isset($this->headerNames[$normalized])) {
+            return $this;
+        }
+
+        $header = $this->headerNames[$normalized];
+
+        $new = clone $this;
+        unset($new->headers[$header], $new->headerNames[$normalized]);
+
+        return $new;
+    }
+
+    public function getBody(): StreamInterface
+    {
+        if (!$this->stream) {
+            $this->stream = Utils::streamFor('');
+        }
+
+        return $this->stream;
+    }
+
+    public function withBody(StreamInterface $body): MessageInterface
+    {
+        if ($body === $this->stream) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->stream = $body;
+        return $new;
+    }
+
+    /**
+     * @param array<string|int, string|string[]> $headers
+     */
+    private function setHeaders(array $headers): void
+    {
+        $this->headerNames = $this->headers = [];
+        foreach ($headers as $header => $value) {
+            // Numeric array keys are converted to int by PHP.
+            $header = (string) $header;
+
+            $this->assertHeader($header);
+            $value = $this->normalizeHeaderValue($value);
+            $normalized = strtolower($header);
+            if (isset($this->headerNames[$normalized])) {
+                $header = $this->headerNames[$normalized];
+                $this->headers[$header] = array_merge($this->headers[$header], $value);
+            } else {
+                $this->headerNames[$normalized] = $header;
+                $this->headers[$header] = $value;
+            }
+        }
+    }
+
+    /**
+     * @param mixed $value
+     *
+     * @return string[]
+     */
+    private function normalizeHeaderValue($value): array
+    {
+        if (!is_array($value)) {
+            return $this->trimAndValidateHeaderValues([$value]);
+        }
+
+        if (count($value) === 0) {
+            throw new \InvalidArgumentException('Header value can not be an empty array.');
+        }
+
+        return $this->trimAndValidateHeaderValues($value);
+    }
+
+    /**
+     * Trims whitespace from the header values.
+     *
+     * Spaces and tabs ought to be excluded by parsers when extracting the field value from a header field.
+     *
+     * header-field = field-name ":" OWS field-value OWS
+     * OWS          = *( SP / HTAB )
+     *
+     * @param mixed[] $values Header values
+     *
+     * @return string[] Trimmed header values
+     *
+     * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
+     */
+    private function trimAndValidateHeaderValues(array $values): array
+    {
+        return array_map(function ($value) {
+            if (!is_scalar($value) && null !== $value) {
+                throw new \InvalidArgumentException(sprintf(
+                    'Header value must be scalar or null but %s provided.',
+                    is_object($value) ? get_class($value) : gettype($value)
+                ));
+            }
+
+            $trimmed = trim((string) $value, " \t");
+            $this->assertValue($trimmed);
+
+            return $trimmed;
+        }, array_values($values));
+    }
+
+    /**
+     * @see https://tools.ietf.org/html/rfc7230#section-3.2
+     *
+     * @param mixed $header
+     */
+    private function assertHeader($header): void
+    {
+        if (!is_string($header)) {
+            throw new \InvalidArgumentException(sprintf(
+                'Header name must be a string but %s provided.',
+                is_object($header) ? get_class($header) : gettype($header)
+            ));
+        }
+
+        if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
+            throw new \InvalidArgumentException(
+                sprintf(
+                    '"%s" is not valid header name',
+                    $header
+                )
+            );
+        }
+    }
+
+    /**
+     * @see https://tools.ietf.org/html/rfc7230#section-3.2
+     *
+     * field-value    = *( field-content / obs-fold )
+     * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+     * field-vchar    = VCHAR / obs-text
+     * VCHAR          = %x21-7E
+     * obs-text       = %x80-FF
+     * obs-fold       = CRLF 1*( SP / HTAB )
+     */
+    private function assertValue(string $value): void
+    {
+        // The regular expression intentionally does not support the obs-fold production, because as
+        // per RFC 7230#3.2.4:
+        //
+        // A sender MUST NOT generate a message that includes
+        // line folding (i.e., that has any field-value that contains a match to
+        // the obs-fold rule) unless the message is intended for packaging
+        // within the message/http media type.
+        //
+        // Clients must not send a request with line folding and a server sending folded headers is
+        // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+        // folding is not likely to break any legitimate use case.
+        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+            throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MimeType.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MimeType.php
new file mode 100644
index 000000000..0debbd18c
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MimeType.php
@@ -0,0 +1,1237 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+final class MimeType
+{
+    private const MIME_TYPES = [
+        '1km' => 'application/vnd.1000minds.decision-model+xml',
+        '3dml' => 'text/vnd.in3d.3dml',
+        '3ds' => 'image/x-3ds',
+        '3g2' => 'video/3gpp2',
+        '3gp' => 'video/3gp',
+        '3gpp' => 'video/3gpp',
+        '3mf' => 'model/3mf',
+        '7z' => 'application/x-7z-compressed',
+        '7zip' => 'application/x-7z-compressed',
+        '123' => 'application/vnd.lotus-1-2-3',
+        'aab' => 'application/x-authorware-bin',
+        'aac' => 'audio/x-acc',
+        'aam' => 'application/x-authorware-map',
+        'aas' => 'application/x-authorware-seg',
+        'abw' => 'application/x-abiword',
+        'ac' => 'application/vnd.nokia.n-gage.ac+xml',
+        'ac3' => 'audio/ac3',
+        'acc' => 'application/vnd.americandynamics.acc',
+        'ace' => 'application/x-ace-compressed',
+        'acu' => 'application/vnd.acucobol',
+        'acutc' => 'application/vnd.acucorp',
+        'adp' => 'audio/adpcm',
+        'aep' => 'application/vnd.audiograph',
+        'afm' => 'application/x-font-type1',
+        'afp' => 'application/vnd.ibm.modcap',
+        'age' => 'application/vnd.age',
+        'ahead' => 'application/vnd.ahead.space',
+        'ai' => 'application/pdf',
+        'aif' => 'audio/x-aiff',
+        'aifc' => 'audio/x-aiff',
+        'aiff' => 'audio/x-aiff',
+        'air' => 'application/vnd.adobe.air-application-installer-package+zip',
+        'ait' => 'application/vnd.dvb.ait',
+        'ami' => 'application/vnd.amiga.ami',
+        'amr' => 'audio/amr',
+        'apk' => 'application/vnd.android.package-archive',
+        'apng' => 'image/apng',
+        'appcache' => 'text/cache-manifest',
+        'application' => 'application/x-ms-application',
+        'apr' => 'application/vnd.lotus-approach',
+        'arc' => 'application/x-freearc',
+        'arj' => 'application/x-arj',
+        'asc' => 'application/pgp-signature',
+        'asf' => 'video/x-ms-asf',
+        'asm' => 'text/x-asm',
+        'aso' => 'application/vnd.accpac.simply.aso',
+        'asx' => 'video/x-ms-asf',
+        'atc' => 'application/vnd.acucorp',
+        'atom' => 'application/atom+xml',
+        'atomcat' => 'application/atomcat+xml',
+        'atomdeleted' => 'application/atomdeleted+xml',
+        'atomsvc' => 'application/atomsvc+xml',
+        'atx' => 'application/vnd.antix.game-component',
+        'au' => 'audio/x-au',
+        'avci' => 'image/avci',
+        'avcs' => 'image/avcs',
+        'avi' => 'video/x-msvideo',
+        'avif' => 'image/avif',
+        'aw' => 'application/applixware',
+        'azf' => 'application/vnd.airzip.filesecure.azf',
+        'azs' => 'application/vnd.airzip.filesecure.azs',
+        'azv' => 'image/vnd.airzip.accelerator.azv',
+        'azw' => 'application/vnd.amazon.ebook',
+        'b16' => 'image/vnd.pco.b16',
+        'bat' => 'application/x-msdownload',
+        'bcpio' => 'application/x-bcpio',
+        'bdf' => 'application/x-font-bdf',
+        'bdm' => 'application/vnd.syncml.dm+wbxml',
+        'bdoc' => 'application/x-bdoc',
+        'bed' => 'application/vnd.realvnc.bed',
+        'bh2' => 'application/vnd.fujitsu.oasysprs',
+        'bin' => 'application/octet-stream',
+        'blb' => 'application/x-blorb',
+        'blorb' => 'application/x-blorb',
+        'bmi' => 'application/vnd.bmi',
+        'bmml' => 'application/vnd.balsamiq.bmml+xml',
+        'bmp' => 'image/bmp',
+        'book' => 'application/vnd.framemaker',
+        'box' => 'application/vnd.previewsystems.box',
+        'boz' => 'application/x-bzip2',
+        'bpk' => 'application/octet-stream',
+        'bpmn' => 'application/octet-stream',
+        'bsp' => 'model/vnd.valve.source.compiled-map',
+        'btif' => 'image/prs.btif',
+        'buffer' => 'application/octet-stream',
+        'bz' => 'application/x-bzip',
+        'bz2' => 'application/x-bzip2',
+        'c' => 'text/x-c',
+        'c4d' => 'application/vnd.clonk.c4group',
+        'c4f' => 'application/vnd.clonk.c4group',
+        'c4g' => 'application/vnd.clonk.c4group',
+        'c4p' => 'application/vnd.clonk.c4group',
+        'c4u' => 'application/vnd.clonk.c4group',
+        'c11amc' => 'application/vnd.cluetrust.cartomobile-config',
+        'c11amz' => 'application/vnd.cluetrust.cartomobile-config-pkg',
+        'cab' => 'application/vnd.ms-cab-compressed',
+        'caf' => 'audio/x-caf',
+        'cap' => 'application/vnd.tcpdump.pcap',
+        'car' => 'application/vnd.curl.car',
+        'cat' => 'application/vnd.ms-pki.seccat',
+        'cb7' => 'application/x-cbr',
+        'cba' => 'application/x-cbr',
+        'cbr' => 'application/x-cbr',
+        'cbt' => 'application/x-cbr',
+        'cbz' => 'application/x-cbr',
+        'cc' => 'text/x-c',
+        'cco' => 'application/x-cocoa',
+        'cct' => 'application/x-director',
+        'ccxml' => 'application/ccxml+xml',
+        'cdbcmsg' => 'application/vnd.contact.cmsg',
+        'cdf' => 'application/x-netcdf',
+        'cdfx' => 'application/cdfx+xml',
+        'cdkey' => 'application/vnd.mediastation.cdkey',
+        'cdmia' => 'application/cdmi-capability',
+        'cdmic' => 'application/cdmi-container',
+        'cdmid' => 'application/cdmi-domain',
+        'cdmio' => 'application/cdmi-object',
+        'cdmiq' => 'application/cdmi-queue',
+        'cdr' => 'application/cdr',
+        'cdx' => 'chemical/x-cdx',
+        'cdxml' => 'application/vnd.chemdraw+xml',
+        'cdy' => 'application/vnd.cinderella',
+        'cer' => 'application/pkix-cert',
+        'cfs' => 'application/x-cfs-compressed',
+        'cgm' => 'image/cgm',
+        'chat' => 'application/x-chat',
+        'chm' => 'application/vnd.ms-htmlhelp',
+        'chrt' => 'application/vnd.kde.kchart',
+        'cif' => 'chemical/x-cif',
+        'cii' => 'application/vnd.anser-web-certificate-issue-initiation',
+        'cil' => 'application/vnd.ms-artgalry',
+        'cjs' => 'application/node',
+        'cla' => 'application/vnd.claymore',
+        'class' => 'application/octet-stream',
+        'clkk' => 'application/vnd.crick.clicker.keyboard',
+        'clkp' => 'application/vnd.crick.clicker.palette',
+        'clkt' => 'application/vnd.crick.clicker.template',
+        'clkw' => 'application/vnd.crick.clicker.wordbank',
+        'clkx' => 'application/vnd.crick.clicker',
+        'clp' => 'application/x-msclip',
+        'cmc' => 'application/vnd.cosmocaller',
+        'cmdf' => 'chemical/x-cmdf',
+        'cml' => 'chemical/x-cml',
+        'cmp' => 'application/vnd.yellowriver-custom-menu',
+        'cmx' => 'image/x-cmx',
+        'cod' => 'application/vnd.rim.cod',
+        'coffee' => 'text/coffeescript',
+        'com' => 'application/x-msdownload',
+        'conf' => 'text/plain',
+        'cpio' => 'application/x-cpio',
+        'cpl' => 'application/cpl+xml',
+        'cpp' => 'text/x-c',
+        'cpt' => 'application/mac-compactpro',
+        'crd' => 'application/x-mscardfile',
+        'crl' => 'application/pkix-crl',
+        'crt' => 'application/x-x509-ca-cert',
+        'crx' => 'application/x-chrome-extension',
+        'cryptonote' => 'application/vnd.rig.cryptonote',
+        'csh' => 'application/x-csh',
+        'csl' => 'application/vnd.citationstyles.style+xml',
+        'csml' => 'chemical/x-csml',
+        'csp' => 'application/vnd.commonspace',
+        'csr' => 'application/octet-stream',
+        'css' => 'text/css',
+        'cst' => 'application/x-director',
+        'csv' => 'text/csv',
+        'cu' => 'application/cu-seeme',
+        'curl' => 'text/vnd.curl',
+        'cww' => 'application/prs.cww',
+        'cxt' => 'application/x-director',
+        'cxx' => 'text/x-c',
+        'dae' => 'model/vnd.collada+xml',
+        'daf' => 'application/vnd.mobius.daf',
+        'dart' => 'application/vnd.dart',
+        'dataless' => 'application/vnd.fdsn.seed',
+        'davmount' => 'application/davmount+xml',
+        'dbf' => 'application/vnd.dbf',
+        'dbk' => 'application/docbook+xml',
+        'dcr' => 'application/x-director',
+        'dcurl' => 'text/vnd.curl.dcurl',
+        'dd2' => 'application/vnd.oma.dd2+xml',
+        'ddd' => 'application/vnd.fujixerox.ddd',
+        'ddf' => 'application/vnd.syncml.dmddf+xml',
+        'dds' => 'image/vnd.ms-dds',
+        'deb' => 'application/x-debian-package',
+        'def' => 'text/plain',
+        'deploy' => 'application/octet-stream',
+        'der' => 'application/x-x509-ca-cert',
+        'dfac' => 'application/vnd.dreamfactory',
+        'dgc' => 'application/x-dgc-compressed',
+        'dic' => 'text/x-c',
+        'dir' => 'application/x-director',
+        'dis' => 'application/vnd.mobius.dis',
+        'disposition-notification' => 'message/disposition-notification',
+        'dist' => 'application/octet-stream',
+        'distz' => 'application/octet-stream',
+        'djv' => 'image/vnd.djvu',
+        'djvu' => 'image/vnd.djvu',
+        'dll' => 'application/octet-stream',
+        'dmg' => 'application/x-apple-diskimage',
+        'dmn' => 'application/octet-stream',
+        'dmp' => 'application/vnd.tcpdump.pcap',
+        'dms' => 'application/octet-stream',
+        'dna' => 'application/vnd.dna',
+        'doc' => 'application/msword',
+        'docm' => 'application/vnd.ms-word.template.macroEnabled.12',
+        'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'dot' => 'application/msword',
+        'dotm' => 'application/vnd.ms-word.template.macroEnabled.12',
+        'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
+        'dp' => 'application/vnd.osgi.dp',
+        'dpg' => 'application/vnd.dpgraph',
+        'dra' => 'audio/vnd.dra',
+        'drle' => 'image/dicom-rle',
+        'dsc' => 'text/prs.lines.tag',
+        'dssc' => 'application/dssc+der',
+        'dtb' => 'application/x-dtbook+xml',
+        'dtd' => 'application/xml-dtd',
+        'dts' => 'audio/vnd.dts',
+        'dtshd' => 'audio/vnd.dts.hd',
+        'dump' => 'application/octet-stream',
+        'dvb' => 'video/vnd.dvb.file',
+        'dvi' => 'application/x-dvi',
+        'dwd' => 'application/atsc-dwd+xml',
+        'dwf' => 'model/vnd.dwf',
+        'dwg' => 'image/vnd.dwg',
+        'dxf' => 'image/vnd.dxf',
+        'dxp' => 'application/vnd.spotfire.dxp',
+        'dxr' => 'application/x-director',
+        'ear' => 'application/java-archive',
+        'ecelp4800' => 'audio/vnd.nuera.ecelp4800',
+        'ecelp7470' => 'audio/vnd.nuera.ecelp7470',
+        'ecelp9600' => 'audio/vnd.nuera.ecelp9600',
+        'ecma' => 'application/ecmascript',
+        'edm' => 'application/vnd.novadigm.edm',
+        'edx' => 'application/vnd.novadigm.edx',
+        'efif' => 'application/vnd.picsel',
+        'ei6' => 'application/vnd.pg.osasli',
+        'elc' => 'application/octet-stream',
+        'emf' => 'image/emf',
+        'eml' => 'message/rfc822',
+        'emma' => 'application/emma+xml',
+        'emotionml' => 'application/emotionml+xml',
+        'emz' => 'application/x-msmetafile',
+        'eol' => 'audio/vnd.digital-winds',
+        'eot' => 'application/vnd.ms-fontobject',
+        'eps' => 'application/postscript',
+        'epub' => 'application/epub+zip',
+        'es' => 'application/ecmascript',
+        'es3' => 'application/vnd.eszigno3+xml',
+        'esa' => 'application/vnd.osgi.subsystem',
+        'esf' => 'application/vnd.epson.esf',
+        'et3' => 'application/vnd.eszigno3+xml',
+        'etx' => 'text/x-setext',
+        'eva' => 'application/x-eva',
+        'evy' => 'application/x-envoy',
+        'exe' => 'application/octet-stream',
+        'exi' => 'application/exi',
+        'exp' => 'application/express',
+        'exr' => 'image/aces',
+        'ext' => 'application/vnd.novadigm.ext',
+        'ez' => 'application/andrew-inset',
+        'ez2' => 'application/vnd.ezpix-album',
+        'ez3' => 'application/vnd.ezpix-package',
+        'f' => 'text/x-fortran',
+        'f4v' => 'video/mp4',
+        'f77' => 'text/x-fortran',
+        'f90' => 'text/x-fortran',
+        'fbs' => 'image/vnd.fastbidsheet',
+        'fcdt' => 'application/vnd.adobe.formscentral.fcdt',
+        'fcs' => 'application/vnd.isac.fcs',
+        'fdf' => 'application/vnd.fdf',
+        'fdt' => 'application/fdt+xml',
+        'fe_launch' => 'application/vnd.denovo.fcselayout-link',
+        'fg5' => 'application/vnd.fujitsu.oasysgp',
+        'fgd' => 'application/x-director',
+        'fh' => 'image/x-freehand',
+        'fh4' => 'image/x-freehand',
+        'fh5' => 'image/x-freehand',
+        'fh7' => 'image/x-freehand',
+        'fhc' => 'image/x-freehand',
+        'fig' => 'application/x-xfig',
+        'fits' => 'image/fits',
+        'flac' => 'audio/x-flac',
+        'fli' => 'video/x-fli',
+        'flo' => 'application/vnd.micrografx.flo',
+        'flv' => 'video/x-flv',
+        'flw' => 'application/vnd.kde.kivio',
+        'flx' => 'text/vnd.fmi.flexstor',
+        'fly' => 'text/vnd.fly',
+        'fm' => 'application/vnd.framemaker',
+        'fnc' => 'application/vnd.frogans.fnc',
+        'fo' => 'application/vnd.software602.filler.form+xml',
+        'for' => 'text/x-fortran',
+        'fpx' => 'image/vnd.fpx',
+        'frame' => 'application/vnd.framemaker',
+        'fsc' => 'application/vnd.fsc.weblaunch',
+        'fst' => 'image/vnd.fst',
+        'ftc' => 'application/vnd.fluxtime.clip',
+        'fti' => 'application/vnd.anser-web-funds-transfer-initiation',
+        'fvt' => 'video/vnd.fvt',
+        'fxp' => 'application/vnd.adobe.fxp',
+        'fxpl' => 'application/vnd.adobe.fxp',
+        'fzs' => 'application/vnd.fuzzysheet',
+        'g2w' => 'application/vnd.geoplan',
+        'g3' => 'image/g3fax',
+        'g3w' => 'application/vnd.geospace',
+        'gac' => 'application/vnd.groove-account',
+        'gam' => 'application/x-tads',
+        'gbr' => 'application/rpki-ghostbusters',
+        'gca' => 'application/x-gca-compressed',
+        'gdl' => 'model/vnd.gdl',
+        'gdoc' => 'application/vnd.google-apps.document',
+        'ged' => 'text/vnd.familysearch.gedcom',
+        'geo' => 'application/vnd.dynageo',
+        'geojson' => 'application/geo+json',
+        'gex' => 'application/vnd.geometry-explorer',
+        'ggb' => 'application/vnd.geogebra.file',
+        'ggt' => 'application/vnd.geogebra.tool',
+        'ghf' => 'application/vnd.groove-help',
+        'gif' => 'image/gif',
+        'gim' => 'application/vnd.groove-identity-message',
+        'glb' => 'model/gltf-binary',
+        'gltf' => 'model/gltf+json',
+        'gml' => 'application/gml+xml',
+        'gmx' => 'application/vnd.gmx',
+        'gnumeric' => 'application/x-gnumeric',
+        'gpg' => 'application/gpg-keys',
+        'gph' => 'application/vnd.flographit',
+        'gpx' => 'application/gpx+xml',
+        'gqf' => 'application/vnd.grafeq',
+        'gqs' => 'application/vnd.grafeq',
+        'gram' => 'application/srgs',
+        'gramps' => 'application/x-gramps-xml',
+        'gre' => 'application/vnd.geometry-explorer',
+        'grv' => 'application/vnd.groove-injector',
+        'grxml' => 'application/srgs+xml',
+        'gsf' => 'application/x-font-ghostscript',
+        'gsheet' => 'application/vnd.google-apps.spreadsheet',
+        'gslides' => 'application/vnd.google-apps.presentation',
+        'gtar' => 'application/x-gtar',
+        'gtm' => 'application/vnd.groove-tool-message',
+        'gtw' => 'model/vnd.gtw',
+        'gv' => 'text/vnd.graphviz',
+        'gxf' => 'application/gxf',
+        'gxt' => 'application/vnd.geonext',
+        'gz' => 'application/gzip',
+        'gzip' => 'application/gzip',
+        'h' => 'text/x-c',
+        'h261' => 'video/h261',
+        'h263' => 'video/h263',
+        'h264' => 'video/h264',
+        'hal' => 'application/vnd.hal+xml',
+        'hbci' => 'application/vnd.hbci',
+        'hbs' => 'text/x-handlebars-template',
+        'hdd' => 'application/x-virtualbox-hdd',
+        'hdf' => 'application/x-hdf',
+        'heic' => 'image/heic',
+        'heics' => 'image/heic-sequence',
+        'heif' => 'image/heif',
+        'heifs' => 'image/heif-sequence',
+        'hej2' => 'image/hej2k',
+        'held' => 'application/atsc-held+xml',
+        'hh' => 'text/x-c',
+        'hjson' => 'application/hjson',
+        'hlp' => 'application/winhlp',
+        'hpgl' => 'application/vnd.hp-hpgl',
+        'hpid' => 'application/vnd.hp-hpid',
+        'hps' => 'application/vnd.hp-hps',
+        'hqx' => 'application/mac-binhex40',
+        'hsj2' => 'image/hsj2',
+        'htc' => 'text/x-component',
+        'htke' => 'application/vnd.kenameaapp',
+        'htm' => 'text/html',
+        'html' => 'text/html',
+        'hvd' => 'application/vnd.yamaha.hv-dic',
+        'hvp' => 'application/vnd.yamaha.hv-voice',
+        'hvs' => 'application/vnd.yamaha.hv-script',
+        'i2g' => 'application/vnd.intergeo',
+        'icc' => 'application/vnd.iccprofile',
+        'ice' => 'x-conference/x-cooltalk',
+        'icm' => 'application/vnd.iccprofile',
+        'ico' => 'image/x-icon',
+        'ics' => 'text/calendar',
+        'ief' => 'image/ief',
+        'ifb' => 'text/calendar',
+        'ifm' => 'application/vnd.shana.informed.formdata',
+        'iges' => 'model/iges',
+        'igl' => 'application/vnd.igloader',
+        'igm' => 'application/vnd.insors.igm',
+        'igs' => 'model/iges',
+        'igx' => 'application/vnd.micrografx.igx',
+        'iif' => 'application/vnd.shana.informed.interchange',
+        'img' => 'application/octet-stream',
+        'imp' => 'application/vnd.accpac.simply.imp',
+        'ims' => 'application/vnd.ms-ims',
+        'in' => 'text/plain',
+        'ini' => 'text/plain',
+        'ink' => 'application/inkml+xml',
+        'inkml' => 'application/inkml+xml',
+        'install' => 'application/x-install-instructions',
+        'iota' => 'application/vnd.astraea-software.iota',
+        'ipfix' => 'application/ipfix',
+        'ipk' => 'application/vnd.shana.informed.package',
+        'irm' => 'application/vnd.ibm.rights-management',
+        'irp' => 'application/vnd.irepository.package+xml',
+        'iso' => 'application/x-iso9660-image',
+        'itp' => 'application/vnd.shana.informed.formtemplate',
+        'its' => 'application/its+xml',
+        'ivp' => 'application/vnd.immervision-ivp',
+        'ivu' => 'application/vnd.immervision-ivu',
+        'jad' => 'text/vnd.sun.j2me.app-descriptor',
+        'jade' => 'text/jade',
+        'jam' => 'application/vnd.jam',
+        'jar' => 'application/java-archive',
+        'jardiff' => 'application/x-java-archive-diff',
+        'java' => 'text/x-java-source',
+        'jhc' => 'image/jphc',
+        'jisp' => 'application/vnd.jisp',
+        'jls' => 'image/jls',
+        'jlt' => 'application/vnd.hp-jlyt',
+        'jng' => 'image/x-jng',
+        'jnlp' => 'application/x-java-jnlp-file',
+        'joda' => 'application/vnd.joost.joda-archive',
+        'jp2' => 'image/jp2',
+        'jpe' => 'image/jpeg',
+        'jpeg' => 'image/jpeg',
+        'jpf' => 'image/jpx',
+        'jpg' => 'image/jpeg',
+        'jpg2' => 'image/jp2',
+        'jpgm' => 'video/jpm',
+        'jpgv' => 'video/jpeg',
+        'jph' => 'image/jph',
+        'jpm' => 'video/jpm',
+        'jpx' => 'image/jpx',
+        'js' => 'application/javascript',
+        'json' => 'application/json',
+        'json5' => 'application/json5',
+        'jsonld' => 'application/ld+json',
+        'jsonml' => 'application/jsonml+json',
+        'jsx' => 'text/jsx',
+        'jxr' => 'image/jxr',
+        'jxra' => 'image/jxra',
+        'jxrs' => 'image/jxrs',
+        'jxs' => 'image/jxs',
+        'jxsc' => 'image/jxsc',
+        'jxsi' => 'image/jxsi',
+        'jxss' => 'image/jxss',
+        'kar' => 'audio/midi',
+        'karbon' => 'application/vnd.kde.karbon',
+        'kdb' => 'application/octet-stream',
+        'kdbx' => 'application/x-keepass2',
+        'key' => 'application/x-iwork-keynote-sffkey',
+        'kfo' => 'application/vnd.kde.kformula',
+        'kia' => 'application/vnd.kidspiration',
+        'kml' => 'application/vnd.google-earth.kml+xml',
+        'kmz' => 'application/vnd.google-earth.kmz',
+        'kne' => 'application/vnd.kinar',
+        'knp' => 'application/vnd.kinar',
+        'kon' => 'application/vnd.kde.kontour',
+        'kpr' => 'application/vnd.kde.kpresenter',
+        'kpt' => 'application/vnd.kde.kpresenter',
+        'kpxx' => 'application/vnd.ds-keypoint',
+        'ksp' => 'application/vnd.kde.kspread',
+        'ktr' => 'application/vnd.kahootz',
+        'ktx' => 'image/ktx',
+        'ktx2' => 'image/ktx2',
+        'ktz' => 'application/vnd.kahootz',
+        'kwd' => 'application/vnd.kde.kword',
+        'kwt' => 'application/vnd.kde.kword',
+        'lasxml' => 'application/vnd.las.las+xml',
+        'latex' => 'application/x-latex',
+        'lbd' => 'application/vnd.llamagraphics.life-balance.desktop',
+        'lbe' => 'application/vnd.llamagraphics.life-balance.exchange+xml',
+        'les' => 'application/vnd.hhe.lesson-player',
+        'less' => 'text/less',
+        'lgr' => 'application/lgr+xml',
+        'lha' => 'application/octet-stream',
+        'link66' => 'application/vnd.route66.link66+xml',
+        'list' => 'text/plain',
+        'list3820' => 'application/vnd.ibm.modcap',
+        'listafp' => 'application/vnd.ibm.modcap',
+        'litcoffee' => 'text/coffeescript',
+        'lnk' => 'application/x-ms-shortcut',
+        'log' => 'text/plain',
+        'lostxml' => 'application/lost+xml',
+        'lrf' => 'application/octet-stream',
+        'lrm' => 'application/vnd.ms-lrm',
+        'ltf' => 'application/vnd.frogans.ltf',
+        'lua' => 'text/x-lua',
+        'luac' => 'application/x-lua-bytecode',
+        'lvp' => 'audio/vnd.lucent.voice',
+        'lwp' => 'application/vnd.lotus-wordpro',
+        'lzh' => 'application/octet-stream',
+        'm1v' => 'video/mpeg',
+        'm2a' => 'audio/mpeg',
+        'm2v' => 'video/mpeg',
+        'm3a' => 'audio/mpeg',
+        'm3u' => 'text/plain',
+        'm3u8' => 'application/vnd.apple.mpegurl',
+        'm4a' => 'audio/x-m4a',
+        'm4p' => 'application/mp4',
+        'm4s' => 'video/iso.segment',
+        'm4u' => 'application/vnd.mpegurl',
+        'm4v' => 'video/x-m4v',
+        'm13' => 'application/x-msmediaview',
+        'm14' => 'application/x-msmediaview',
+        'm21' => 'application/mp21',
+        'ma' => 'application/mathematica',
+        'mads' => 'application/mads+xml',
+        'maei' => 'application/mmt-aei+xml',
+        'mag' => 'application/vnd.ecowin.chart',
+        'maker' => 'application/vnd.framemaker',
+        'man' => 'text/troff',
+        'manifest' => 'text/cache-manifest',
+        'map' => 'application/json',
+        'mar' => 'application/octet-stream',
+        'markdown' => 'text/markdown',
+        'mathml' => 'application/mathml+xml',
+        'mb' => 'application/mathematica',
+        'mbk' => 'application/vnd.mobius.mbk',
+        'mbox' => 'application/mbox',
+        'mc1' => 'application/vnd.medcalcdata',
+        'mcd' => 'application/vnd.mcd',
+        'mcurl' => 'text/vnd.curl.mcurl',
+        'md' => 'text/markdown',
+        'mdb' => 'application/x-msaccess',
+        'mdi' => 'image/vnd.ms-modi',
+        'mdx' => 'text/mdx',
+        'me' => 'text/troff',
+        'mesh' => 'model/mesh',
+        'meta4' => 'application/metalink4+xml',
+        'metalink' => 'application/metalink+xml',
+        'mets' => 'application/mets+xml',
+        'mfm' => 'application/vnd.mfmp',
+        'mft' => 'application/rpki-manifest',
+        'mgp' => 'application/vnd.osgeo.mapguide.package',
+        'mgz' => 'application/vnd.proteus.magazine',
+        'mid' => 'audio/midi',
+        'midi' => 'audio/midi',
+        'mie' => 'application/x-mie',
+        'mif' => 'application/vnd.mif',
+        'mime' => 'message/rfc822',
+        'mj2' => 'video/mj2',
+        'mjp2' => 'video/mj2',
+        'mjs' => 'application/javascript',
+        'mk3d' => 'video/x-matroska',
+        'mka' => 'audio/x-matroska',
+        'mkd' => 'text/x-markdown',
+        'mks' => 'video/x-matroska',
+        'mkv' => 'video/x-matroska',
+        'mlp' => 'application/vnd.dolby.mlp',
+        'mmd' => 'application/vnd.chipnuts.karaoke-mmd',
+        'mmf' => 'application/vnd.smaf',
+        'mml' => 'text/mathml',
+        'mmr' => 'image/vnd.fujixerox.edmics-mmr',
+        'mng' => 'video/x-mng',
+        'mny' => 'application/x-msmoney',
+        'mobi' => 'application/x-mobipocket-ebook',
+        'mods' => 'application/mods+xml',
+        'mov' => 'video/quicktime',
+        'movie' => 'video/x-sgi-movie',
+        'mp2' => 'audio/mpeg',
+        'mp2a' => 'audio/mpeg',
+        'mp3' => 'audio/mpeg',
+        'mp4' => 'video/mp4',
+        'mp4a' => 'audio/mp4',
+        'mp4s' => 'application/mp4',
+        'mp4v' => 'video/mp4',
+        'mp21' => 'application/mp21',
+        'mpc' => 'application/vnd.mophun.certificate',
+        'mpd' => 'application/dash+xml',
+        'mpe' => 'video/mpeg',
+        'mpeg' => 'video/mpeg',
+        'mpf' => 'application/media-policy-dataset+xml',
+        'mpg' => 'video/mpeg',
+        'mpg4' => 'video/mp4',
+        'mpga' => 'audio/mpeg',
+        'mpkg' => 'application/vnd.apple.installer+xml',
+        'mpm' => 'application/vnd.blueice.multipass',
+        'mpn' => 'application/vnd.mophun.application',
+        'mpp' => 'application/vnd.ms-project',
+        'mpt' => 'application/vnd.ms-project',
+        'mpy' => 'application/vnd.ibm.minipay',
+        'mqy' => 'application/vnd.mobius.mqy',
+        'mrc' => 'application/marc',
+        'mrcx' => 'application/marcxml+xml',
+        'ms' => 'text/troff',
+        'mscml' => 'application/mediaservercontrol+xml',
+        'mseed' => 'application/vnd.fdsn.mseed',
+        'mseq' => 'application/vnd.mseq',
+        'msf' => 'application/vnd.epson.msf',
+        'msg' => 'application/vnd.ms-outlook',
+        'msh' => 'model/mesh',
+        'msi' => 'application/x-msdownload',
+        'msl' => 'application/vnd.mobius.msl',
+        'msm' => 'application/octet-stream',
+        'msp' => 'application/octet-stream',
+        'msty' => 'application/vnd.muvee.style',
+        'mtl' => 'model/mtl',
+        'mts' => 'model/vnd.mts',
+        'mus' => 'application/vnd.musician',
+        'musd' => 'application/mmt-usd+xml',
+        'musicxml' => 'application/vnd.recordare.musicxml+xml',
+        'mvb' => 'application/x-msmediaview',
+        'mvt' => 'application/vnd.mapbox-vector-tile',
+        'mwf' => 'application/vnd.mfer',
+        'mxf' => 'application/mxf',
+        'mxl' => 'application/vnd.recordare.musicxml',
+        'mxmf' => 'audio/mobile-xmf',
+        'mxml' => 'application/xv+xml',
+        'mxs' => 'application/vnd.triscape.mxs',
+        'mxu' => 'video/vnd.mpegurl',
+        'n-gage' => 'application/vnd.nokia.n-gage.symbian.install',
+        'n3' => 'text/n3',
+        'nb' => 'application/mathematica',
+        'nbp' => 'application/vnd.wolfram.player',
+        'nc' => 'application/x-netcdf',
+        'ncx' => 'application/x-dtbncx+xml',
+        'nfo' => 'text/x-nfo',
+        'ngdat' => 'application/vnd.nokia.n-gage.data',
+        'nitf' => 'application/vnd.nitf',
+        'nlu' => 'application/vnd.neurolanguage.nlu',
+        'nml' => 'application/vnd.enliven',
+        'nnd' => 'application/vnd.noblenet-directory',
+        'nns' => 'application/vnd.noblenet-sealer',
+        'nnw' => 'application/vnd.noblenet-web',
+        'npx' => 'image/vnd.net-fpx',
+        'nq' => 'application/n-quads',
+        'nsc' => 'application/x-conference',
+        'nsf' => 'application/vnd.lotus-notes',
+        'nt' => 'application/n-triples',
+        'ntf' => 'application/vnd.nitf',
+        'numbers' => 'application/x-iwork-numbers-sffnumbers',
+        'nzb' => 'application/x-nzb',
+        'oa2' => 'application/vnd.fujitsu.oasys2',
+        'oa3' => 'application/vnd.fujitsu.oasys3',
+        'oas' => 'application/vnd.fujitsu.oasys',
+        'obd' => 'application/x-msbinder',
+        'obgx' => 'application/vnd.openblox.game+xml',
+        'obj' => 'model/obj',
+        'oda' => 'application/oda',
+        'odb' => 'application/vnd.oasis.opendocument.database',
+        'odc' => 'application/vnd.oasis.opendocument.chart',
+        'odf' => 'application/vnd.oasis.opendocument.formula',
+        'odft' => 'application/vnd.oasis.opendocument.formula-template',
+        'odg' => 'application/vnd.oasis.opendocument.graphics',
+        'odi' => 'application/vnd.oasis.opendocument.image',
+        'odm' => 'application/vnd.oasis.opendocument.text-master',
+        'odp' => 'application/vnd.oasis.opendocument.presentation',
+        'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
+        'odt' => 'application/vnd.oasis.opendocument.text',
+        'oga' => 'audio/ogg',
+        'ogex' => 'model/vnd.opengex',
+        'ogg' => 'audio/ogg',
+        'ogv' => 'video/ogg',
+        'ogx' => 'application/ogg',
+        'omdoc' => 'application/omdoc+xml',
+        'onepkg' => 'application/onenote',
+        'onetmp' => 'application/onenote',
+        'onetoc' => 'application/onenote',
+        'onetoc2' => 'application/onenote',
+        'opf' => 'application/oebps-package+xml',
+        'opml' => 'text/x-opml',
+        'oprc' => 'application/vnd.palm',
+        'opus' => 'audio/ogg',
+        'org' => 'text/x-org',
+        'osf' => 'application/vnd.yamaha.openscoreformat',
+        'osfpvg' => 'application/vnd.yamaha.openscoreformat.osfpvg+xml',
+        'osm' => 'application/vnd.openstreetmap.data+xml',
+        'otc' => 'application/vnd.oasis.opendocument.chart-template',
+        'otf' => 'font/otf',
+        'otg' => 'application/vnd.oasis.opendocument.graphics-template',
+        'oth' => 'application/vnd.oasis.opendocument.text-web',
+        'oti' => 'application/vnd.oasis.opendocument.image-template',
+        'otp' => 'application/vnd.oasis.opendocument.presentation-template',
+        'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template',
+        'ott' => 'application/vnd.oasis.opendocument.text-template',
+        'ova' => 'application/x-virtualbox-ova',
+        'ovf' => 'application/x-virtualbox-ovf',
+        'owl' => 'application/rdf+xml',
+        'oxps' => 'application/oxps',
+        'oxt' => 'application/vnd.openofficeorg.extension',
+        'p' => 'text/x-pascal',
+        'p7a' => 'application/x-pkcs7-signature',
+        'p7b' => 'application/x-pkcs7-certificates',
+        'p7c' => 'application/pkcs7-mime',
+        'p7m' => 'application/pkcs7-mime',
+        'p7r' => 'application/x-pkcs7-certreqresp',
+        'p7s' => 'application/pkcs7-signature',
+        'p8' => 'application/pkcs8',
+        'p10' => 'application/x-pkcs10',
+        'p12' => 'application/x-pkcs12',
+        'pac' => 'application/x-ns-proxy-autoconfig',
+        'pages' => 'application/x-iwork-pages-sffpages',
+        'pas' => 'text/x-pascal',
+        'paw' => 'application/vnd.pawaafile',
+        'pbd' => 'application/vnd.powerbuilder6',
+        'pbm' => 'image/x-portable-bitmap',
+        'pcap' => 'application/vnd.tcpdump.pcap',
+        'pcf' => 'application/x-font-pcf',
+        'pcl' => 'application/vnd.hp-pcl',
+        'pclxl' => 'application/vnd.hp-pclxl',
+        'pct' => 'image/x-pict',
+        'pcurl' => 'application/vnd.curl.pcurl',
+        'pcx' => 'image/x-pcx',
+        'pdb' => 'application/x-pilot',
+        'pde' => 'text/x-processing',
+        'pdf' => 'application/pdf',
+        'pem' => 'application/x-x509-user-cert',
+        'pfa' => 'application/x-font-type1',
+        'pfb' => 'application/x-font-type1',
+        'pfm' => 'application/x-font-type1',
+        'pfr' => 'application/font-tdpfr',
+        'pfx' => 'application/x-pkcs12',
+        'pgm' => 'image/x-portable-graymap',
+        'pgn' => 'application/x-chess-pgn',
+        'pgp' => 'application/pgp',
+        'phar' => 'application/octet-stream',
+        'php' => 'application/x-httpd-php',
+        'php3' => 'application/x-httpd-php',
+        'php4' => 'application/x-httpd-php',
+        'phps' => 'application/x-httpd-php-source',
+        'phtml' => 'application/x-httpd-php',
+        'pic' => 'image/x-pict',
+        'pkg' => 'application/octet-stream',
+        'pki' => 'application/pkixcmp',
+        'pkipath' => 'application/pkix-pkipath',
+        'pkpass' => 'application/vnd.apple.pkpass',
+        'pl' => 'application/x-perl',
+        'plb' => 'application/vnd.3gpp.pic-bw-large',
+        'plc' => 'application/vnd.mobius.plc',
+        'plf' => 'application/vnd.pocketlearn',
+        'pls' => 'application/pls+xml',
+        'pm' => 'application/x-perl',
+        'pml' => 'application/vnd.ctc-posml',
+        'png' => 'image/png',
+        'pnm' => 'image/x-portable-anymap',
+        'portpkg' => 'application/vnd.macports.portpkg',
+        'pot' => 'application/vnd.ms-powerpoint',
+        'potm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
+        'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template',
+        'ppa' => 'application/vnd.ms-powerpoint',
+        'ppam' => 'application/vnd.ms-powerpoint.addin.macroEnabled.12',
+        'ppd' => 'application/vnd.cups-ppd',
+        'ppm' => 'image/x-portable-pixmap',
+        'pps' => 'application/vnd.ms-powerpoint',
+        'ppsm' => 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12',
+        'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
+        'ppt' => 'application/powerpoint',
+        'pptm' => 'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
+        'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'pqa' => 'application/vnd.palm',
+        'prc' => 'model/prc',
+        'pre' => 'application/vnd.lotus-freelance',
+        'prf' => 'application/pics-rules',
+        'provx' => 'application/provenance+xml',
+        'ps' => 'application/postscript',
+        'psb' => 'application/vnd.3gpp.pic-bw-small',
+        'psd' => 'application/x-photoshop',
+        'psf' => 'application/x-font-linux-psf',
+        'pskcxml' => 'application/pskc+xml',
+        'pti' => 'image/prs.pti',
+        'ptid' => 'application/vnd.pvi.ptid1',
+        'pub' => 'application/x-mspublisher',
+        'pvb' => 'application/vnd.3gpp.pic-bw-var',
+        'pwn' => 'application/vnd.3m.post-it-notes',
+        'pya' => 'audio/vnd.ms-playready.media.pya',
+        'pyv' => 'video/vnd.ms-playready.media.pyv',
+        'qam' => 'application/vnd.epson.quickanime',
+        'qbo' => 'application/vnd.intu.qbo',
+        'qfx' => 'application/vnd.intu.qfx',
+        'qps' => 'application/vnd.publishare-delta-tree',
+        'qt' => 'video/quicktime',
+        'qwd' => 'application/vnd.quark.quarkxpress',
+        'qwt' => 'application/vnd.quark.quarkxpress',
+        'qxb' => 'application/vnd.quark.quarkxpress',
+        'qxd' => 'application/vnd.quark.quarkxpress',
+        'qxl' => 'application/vnd.quark.quarkxpress',
+        'qxt' => 'application/vnd.quark.quarkxpress',
+        'ra' => 'audio/x-realaudio',
+        'ram' => 'audio/x-pn-realaudio',
+        'raml' => 'application/raml+yaml',
+        'rapd' => 'application/route-apd+xml',
+        'rar' => 'application/x-rar',
+        'ras' => 'image/x-cmu-raster',
+        'rcprofile' => 'application/vnd.ipunplugged.rcprofile',
+        'rdf' => 'application/rdf+xml',
+        'rdz' => 'application/vnd.data-vision.rdz',
+        'relo' => 'application/p2p-overlay+xml',
+        'rep' => 'application/vnd.businessobjects',
+        'res' => 'application/x-dtbresource+xml',
+        'rgb' => 'image/x-rgb',
+        'rif' => 'application/reginfo+xml',
+        'rip' => 'audio/vnd.rip',
+        'ris' => 'application/x-research-info-systems',
+        'rl' => 'application/resource-lists+xml',
+        'rlc' => 'image/vnd.fujixerox.edmics-rlc',
+        'rld' => 'application/resource-lists-diff+xml',
+        'rm' => 'audio/x-pn-realaudio',
+        'rmi' => 'audio/midi',
+        'rmp' => 'audio/x-pn-realaudio-plugin',
+        'rms' => 'application/vnd.jcp.javame.midlet-rms',
+        'rmvb' => 'application/vnd.rn-realmedia-vbr',
+        'rnc' => 'application/relax-ng-compact-syntax',
+        'rng' => 'application/xml',
+        'roa' => 'application/rpki-roa',
+        'roff' => 'text/troff',
+        'rp9' => 'application/vnd.cloanto.rp9',
+        'rpm' => 'audio/x-pn-realaudio-plugin',
+        'rpss' => 'application/vnd.nokia.radio-presets',
+        'rpst' => 'application/vnd.nokia.radio-preset',
+        'rq' => 'application/sparql-query',
+        'rs' => 'application/rls-services+xml',
+        'rsa' => 'application/x-pkcs7',
+        'rsat' => 'application/atsc-rsat+xml',
+        'rsd' => 'application/rsd+xml',
+        'rsheet' => 'application/urc-ressheet+xml',
+        'rss' => 'application/rss+xml',
+        'rtf' => 'text/rtf',
+        'rtx' => 'text/richtext',
+        'run' => 'application/x-makeself',
+        'rusd' => 'application/route-usd+xml',
+        'rv' => 'video/vnd.rn-realvideo',
+        's' => 'text/x-asm',
+        's3m' => 'audio/s3m',
+        'saf' => 'application/vnd.yamaha.smaf-audio',
+        'sass' => 'text/x-sass',
+        'sbml' => 'application/sbml+xml',
+        'sc' => 'application/vnd.ibm.secure-container',
+        'scd' => 'application/x-msschedule',
+        'scm' => 'application/vnd.lotus-screencam',
+        'scq' => 'application/scvp-cv-request',
+        'scs' => 'application/scvp-cv-response',
+        'scss' => 'text/x-scss',
+        'scurl' => 'text/vnd.curl.scurl',
+        'sda' => 'application/vnd.stardivision.draw',
+        'sdc' => 'application/vnd.stardivision.calc',
+        'sdd' => 'application/vnd.stardivision.impress',
+        'sdkd' => 'application/vnd.solent.sdkm+xml',
+        'sdkm' => 'application/vnd.solent.sdkm+xml',
+        'sdp' => 'application/sdp',
+        'sdw' => 'application/vnd.stardivision.writer',
+        'sea' => 'application/octet-stream',
+        'see' => 'application/vnd.seemail',
+        'seed' => 'application/vnd.fdsn.seed',
+        'sema' => 'application/vnd.sema',
+        'semd' => 'application/vnd.semd',
+        'semf' => 'application/vnd.semf',
+        'senmlx' => 'application/senml+xml',
+        'sensmlx' => 'application/sensml+xml',
+        'ser' => 'application/java-serialized-object',
+        'setpay' => 'application/set-payment-initiation',
+        'setreg' => 'application/set-registration-initiation',
+        'sfd-hdstx' => 'application/vnd.hydrostatix.sof-data',
+        'sfs' => 'application/vnd.spotfire.sfs',
+        'sfv' => 'text/x-sfv',
+        'sgi' => 'image/sgi',
+        'sgl' => 'application/vnd.stardivision.writer-global',
+        'sgm' => 'text/sgml',
+        'sgml' => 'text/sgml',
+        'sh' => 'application/x-sh',
+        'shar' => 'application/x-shar',
+        'shex' => 'text/shex',
+        'shf' => 'application/shf+xml',
+        'shtml' => 'text/html',
+        'sid' => 'image/x-mrsid-image',
+        'sieve' => 'application/sieve',
+        'sig' => 'application/pgp-signature',
+        'sil' => 'audio/silk',
+        'silo' => 'model/mesh',
+        'sis' => 'application/vnd.symbian.install',
+        'sisx' => 'application/vnd.symbian.install',
+        'sit' => 'application/x-stuffit',
+        'sitx' => 'application/x-stuffitx',
+        'siv' => 'application/sieve',
+        'skd' => 'application/vnd.koan',
+        'skm' => 'application/vnd.koan',
+        'skp' => 'application/vnd.koan',
+        'skt' => 'application/vnd.koan',
+        'sldm' => 'application/vnd.ms-powerpoint.slide.macroenabled.12',
+        'sldx' => 'application/vnd.openxmlformats-officedocument.presentationml.slide',
+        'slim' => 'text/slim',
+        'slm' => 'text/slim',
+        'sls' => 'application/route-s-tsid+xml',
+        'slt' => 'application/vnd.epson.salt',
+        'sm' => 'application/vnd.stepmania.stepchart',
+        'smf' => 'application/vnd.stardivision.math',
+        'smi' => 'application/smil',
+        'smil' => 'application/smil',
+        'smv' => 'video/x-smv',
+        'smzip' => 'application/vnd.stepmania.package',
+        'snd' => 'audio/basic',
+        'snf' => 'application/x-font-snf',
+        'so' => 'application/octet-stream',
+        'spc' => 'application/x-pkcs7-certificates',
+        'spdx' => 'text/spdx',
+        'spf' => 'application/vnd.yamaha.smaf-phrase',
+        'spl' => 'application/x-futuresplash',
+        'spot' => 'text/vnd.in3d.spot',
+        'spp' => 'application/scvp-vp-response',
+        'spq' => 'application/scvp-vp-request',
+        'spx' => 'audio/ogg',
+        'sql' => 'application/x-sql',
+        'src' => 'application/x-wais-source',
+        'srt' => 'application/x-subrip',
+        'sru' => 'application/sru+xml',
+        'srx' => 'application/sparql-results+xml',
+        'ssdl' => 'application/ssdl+xml',
+        'sse' => 'application/vnd.kodak-descriptor',
+        'ssf' => 'application/vnd.epson.ssf',
+        'ssml' => 'application/ssml+xml',
+        'sst' => 'application/octet-stream',
+        'st' => 'application/vnd.sailingtracker.track',
+        'stc' => 'application/vnd.sun.xml.calc.template',
+        'std' => 'application/vnd.sun.xml.draw.template',
+        'stf' => 'application/vnd.wt.stf',
+        'sti' => 'application/vnd.sun.xml.impress.template',
+        'stk' => 'application/hyperstudio',
+        'stl' => 'model/stl',
+        'stpx' => 'model/step+xml',
+        'stpxz' => 'model/step-xml+zip',
+        'stpz' => 'model/step+zip',
+        'str' => 'application/vnd.pg.format',
+        'stw' => 'application/vnd.sun.xml.writer.template',
+        'styl' => 'text/stylus',
+        'stylus' => 'text/stylus',
+        'sub' => 'text/vnd.dvb.subtitle',
+        'sus' => 'application/vnd.sus-calendar',
+        'susp' => 'application/vnd.sus-calendar',
+        'sv4cpio' => 'application/x-sv4cpio',
+        'sv4crc' => 'application/x-sv4crc',
+        'svc' => 'application/vnd.dvb.service',
+        'svd' => 'application/vnd.svd',
+        'svg' => 'image/svg+xml',
+        'svgz' => 'image/svg+xml',
+        'swa' => 'application/x-director',
+        'swf' => 'application/x-shockwave-flash',
+        'swi' => 'application/vnd.aristanetworks.swi',
+        'swidtag' => 'application/swid+xml',
+        'sxc' => 'application/vnd.sun.xml.calc',
+        'sxd' => 'application/vnd.sun.xml.draw',
+        'sxg' => 'application/vnd.sun.xml.writer.global',
+        'sxi' => 'application/vnd.sun.xml.impress',
+        'sxm' => 'application/vnd.sun.xml.math',
+        'sxw' => 'application/vnd.sun.xml.writer',
+        't' => 'text/troff',
+        't3' => 'application/x-t3vm-image',
+        't38' => 'image/t38',
+        'taglet' => 'application/vnd.mynfc',
+        'tao' => 'application/vnd.tao.intent-module-archive',
+        'tap' => 'image/vnd.tencent.tap',
+        'tar' => 'application/x-tar',
+        'tcap' => 'application/vnd.3gpp2.tcap',
+        'tcl' => 'application/x-tcl',
+        'td' => 'application/urc-targetdesc+xml',
+        'teacher' => 'application/vnd.smart.teacher',
+        'tei' => 'application/tei+xml',
+        'teicorpus' => 'application/tei+xml',
+        'tex' => 'application/x-tex',
+        'texi' => 'application/x-texinfo',
+        'texinfo' => 'application/x-texinfo',
+        'text' => 'text/plain',
+        'tfi' => 'application/thraud+xml',
+        'tfm' => 'application/x-tex-tfm',
+        'tfx' => 'image/tiff-fx',
+        'tga' => 'image/x-tga',
+        'tgz' => 'application/x-tar',
+        'thmx' => 'application/vnd.ms-officetheme',
+        'tif' => 'image/tiff',
+        'tiff' => 'image/tiff',
+        'tk' => 'application/x-tcl',
+        'tmo' => 'application/vnd.tmobile-livetv',
+        'toml' => 'application/toml',
+        'torrent' => 'application/x-bittorrent',
+        'tpl' => 'application/vnd.groove-tool-template',
+        'tpt' => 'application/vnd.trid.tpt',
+        'tr' => 'text/troff',
+        'tra' => 'application/vnd.trueapp',
+        'trig' => 'application/trig',
+        'trm' => 'application/x-msterminal',
+        'ts' => 'video/mp2t',
+        'tsd' => 'application/timestamped-data',
+        'tsv' => 'text/tab-separated-values',
+        'ttc' => 'font/collection',
+        'ttf' => 'font/ttf',
+        'ttl' => 'text/turtle',
+        'ttml' => 'application/ttml+xml',
+        'twd' => 'application/vnd.simtech-mindmapper',
+        'twds' => 'application/vnd.simtech-mindmapper',
+        'txd' => 'application/vnd.genomatix.tuxedo',
+        'txf' => 'application/vnd.mobius.txf',
+        'txt' => 'text/plain',
+        'u3d' => 'model/u3d',
+        'u8dsn' => 'message/global-delivery-status',
+        'u8hdr' => 'message/global-headers',
+        'u8mdn' => 'message/global-disposition-notification',
+        'u8msg' => 'message/global',
+        'u32' => 'application/x-authorware-bin',
+        'ubj' => 'application/ubjson',
+        'udeb' => 'application/x-debian-package',
+        'ufd' => 'application/vnd.ufdl',
+        'ufdl' => 'application/vnd.ufdl',
+        'ulx' => 'application/x-glulx',
+        'umj' => 'application/vnd.umajin',
+        'unityweb' => 'application/vnd.unity',
+        'uoml' => 'application/vnd.uoml+xml',
+        'uri' => 'text/uri-list',
+        'uris' => 'text/uri-list',
+        'urls' => 'text/uri-list',
+        'usdz' => 'model/vnd.usdz+zip',
+        'ustar' => 'application/x-ustar',
+        'utz' => 'application/vnd.uiq.theme',
+        'uu' => 'text/x-uuencode',
+        'uva' => 'audio/vnd.dece.audio',
+        'uvd' => 'application/vnd.dece.data',
+        'uvf' => 'application/vnd.dece.data',
+        'uvg' => 'image/vnd.dece.graphic',
+        'uvh' => 'video/vnd.dece.hd',
+        'uvi' => 'image/vnd.dece.graphic',
+        'uvm' => 'video/vnd.dece.mobile',
+        'uvp' => 'video/vnd.dece.pd',
+        'uvs' => 'video/vnd.dece.sd',
+        'uvt' => 'application/vnd.dece.ttml+xml',
+        'uvu' => 'video/vnd.uvvu.mp4',
+        'uvv' => 'video/vnd.dece.video',
+        'uvva' => 'audio/vnd.dece.audio',
+        'uvvd' => 'application/vnd.dece.data',
+        'uvvf' => 'application/vnd.dece.data',
+        'uvvg' => 'image/vnd.dece.graphic',
+        'uvvh' => 'video/vnd.dece.hd',
+        'uvvi' => 'image/vnd.dece.graphic',
+        'uvvm' => 'video/vnd.dece.mobile',
+        'uvvp' => 'video/vnd.dece.pd',
+        'uvvs' => 'video/vnd.dece.sd',
+        'uvvt' => 'application/vnd.dece.ttml+xml',
+        'uvvu' => 'video/vnd.uvvu.mp4',
+        'uvvv' => 'video/vnd.dece.video',
+        'uvvx' => 'application/vnd.dece.unspecified',
+        'uvvz' => 'application/vnd.dece.zip',
+        'uvx' => 'application/vnd.dece.unspecified',
+        'uvz' => 'application/vnd.dece.zip',
+        'vbox' => 'application/x-virtualbox-vbox',
+        'vbox-extpack' => 'application/x-virtualbox-vbox-extpack',
+        'vcard' => 'text/vcard',
+        'vcd' => 'application/x-cdlink',
+        'vcf' => 'text/x-vcard',
+        'vcg' => 'application/vnd.groove-vcard',
+        'vcs' => 'text/x-vcalendar',
+        'vcx' => 'application/vnd.vcx',
+        'vdi' => 'application/x-virtualbox-vdi',
+        'vds' => 'model/vnd.sap.vds',
+        'vhd' => 'application/x-virtualbox-vhd',
+        'vis' => 'application/vnd.visionary',
+        'viv' => 'video/vnd.vivo',
+        'vlc' => 'application/videolan',
+        'vmdk' => 'application/x-virtualbox-vmdk',
+        'vob' => 'video/x-ms-vob',
+        'vor' => 'application/vnd.stardivision.writer',
+        'vox' => 'application/x-authorware-bin',
+        'vrml' => 'model/vrml',
+        'vsd' => 'application/vnd.visio',
+        'vsf' => 'application/vnd.vsf',
+        'vss' => 'application/vnd.visio',
+        'vst' => 'application/vnd.visio',
+        'vsw' => 'application/vnd.visio',
+        'vtf' => 'image/vnd.valve.source.texture',
+        'vtt' => 'text/vtt',
+        'vtu' => 'model/vnd.vtu',
+        'vxml' => 'application/voicexml+xml',
+        'w3d' => 'application/x-director',
+        'wad' => 'application/x-doom',
+        'wadl' => 'application/vnd.sun.wadl+xml',
+        'war' => 'application/java-archive',
+        'wasm' => 'application/wasm',
+        'wav' => 'audio/x-wav',
+        'wax' => 'audio/x-ms-wax',
+        'wbmp' => 'image/vnd.wap.wbmp',
+        'wbs' => 'application/vnd.criticaltools.wbs+xml',
+        'wbxml' => 'application/wbxml',
+        'wcm' => 'application/vnd.ms-works',
+        'wdb' => 'application/vnd.ms-works',
+        'wdp' => 'image/vnd.ms-photo',
+        'weba' => 'audio/webm',
+        'webapp' => 'application/x-web-app-manifest+json',
+        'webm' => 'video/webm',
+        'webmanifest' => 'application/manifest+json',
+        'webp' => 'image/webp',
+        'wg' => 'application/vnd.pmi.widget',
+        'wgt' => 'application/widget',
+        'wif' => 'application/watcherinfo+xml',
+        'wks' => 'application/vnd.ms-works',
+        'wm' => 'video/x-ms-wm',
+        'wma' => 'audio/x-ms-wma',
+        'wmd' => 'application/x-ms-wmd',
+        'wmf' => 'image/wmf',
+        'wml' => 'text/vnd.wap.wml',
+        'wmlc' => 'application/wmlc',
+        'wmls' => 'text/vnd.wap.wmlscript',
+        'wmlsc' => 'application/vnd.wap.wmlscriptc',
+        'wmv' => 'video/x-ms-wmv',
+        'wmx' => 'video/x-ms-wmx',
+        'wmz' => 'application/x-msmetafile',
+        'woff' => 'font/woff',
+        'woff2' => 'font/woff2',
+        'word' => 'application/msword',
+        'wpd' => 'application/vnd.wordperfect',
+        'wpl' => 'application/vnd.ms-wpl',
+        'wps' => 'application/vnd.ms-works',
+        'wqd' => 'application/vnd.wqd',
+        'wri' => 'application/x-mswrite',
+        'wrl' => 'model/vrml',
+        'wsc' => 'message/vnd.wfa.wsc',
+        'wsdl' => 'application/wsdl+xml',
+        'wspolicy' => 'application/wspolicy+xml',
+        'wtb' => 'application/vnd.webturbo',
+        'wvx' => 'video/x-ms-wvx',
+        'x3d' => 'model/x3d+xml',
+        'x3db' => 'model/x3d+fastinfoset',
+        'x3dbz' => 'model/x3d+binary',
+        'x3dv' => 'model/x3d-vrml',
+        'x3dvz' => 'model/x3d+vrml',
+        'x3dz' => 'model/x3d+xml',
+        'x32' => 'application/x-authorware-bin',
+        'x_b' => 'model/vnd.parasolid.transmit.binary',
+        'x_t' => 'model/vnd.parasolid.transmit.text',
+        'xaml' => 'application/xaml+xml',
+        'xap' => 'application/x-silverlight-app',
+        'xar' => 'application/vnd.xara',
+        'xav' => 'application/xcap-att+xml',
+        'xbap' => 'application/x-ms-xbap',
+        'xbd' => 'application/vnd.fujixerox.docuworks.binder',
+        'xbm' => 'image/x-xbitmap',
+        'xca' => 'application/xcap-caps+xml',
+        'xcs' => 'application/calendar+xml',
+        'xdf' => 'application/xcap-diff+xml',
+        'xdm' => 'application/vnd.syncml.dm+xml',
+        'xdp' => 'application/vnd.adobe.xdp+xml',
+        'xdssc' => 'application/dssc+xml',
+        'xdw' => 'application/vnd.fujixerox.docuworks',
+        'xel' => 'application/xcap-el+xml',
+        'xenc' => 'application/xenc+xml',
+        'xer' => 'application/patch-ops-error+xml',
+        'xfdf' => 'application/vnd.adobe.xfdf',
+        'xfdl' => 'application/vnd.xfdl',
+        'xht' => 'application/xhtml+xml',
+        'xhtml' => 'application/xhtml+xml',
+        'xhvml' => 'application/xv+xml',
+        'xif' => 'image/vnd.xiff',
+        'xl' => 'application/excel',
+        'xla' => 'application/vnd.ms-excel',
+        'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12',
+        'xlc' => 'application/vnd.ms-excel',
+        'xlf' => 'application/xliff+xml',
+        'xlm' => 'application/vnd.ms-excel',
+        'xls' => 'application/vnd.ms-excel',
+        'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
+        'xlsm' => 'application/vnd.ms-excel.sheet.macroEnabled.12',
+        'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'xlt' => 'application/vnd.ms-excel',
+        'xltm' => 'application/vnd.ms-excel.template.macroEnabled.12',
+        'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
+        'xlw' => 'application/vnd.ms-excel',
+        'xm' => 'audio/xm',
+        'xml' => 'application/xml',
+        'xns' => 'application/xcap-ns+xml',
+        'xo' => 'application/vnd.olpc-sugar',
+        'xop' => 'application/xop+xml',
+        'xpi' => 'application/x-xpinstall',
+        'xpl' => 'application/xproc+xml',
+        'xpm' => 'image/x-xpixmap',
+        'xpr' => 'application/vnd.is-xpr',
+        'xps' => 'application/vnd.ms-xpsdocument',
+        'xpw' => 'application/vnd.intercon.formnet',
+        'xpx' => 'application/vnd.intercon.formnet',
+        'xsd' => 'application/xml',
+        'xsl' => 'application/xml',
+        'xslt' => 'application/xslt+xml',
+        'xsm' => 'application/vnd.syncml+xml',
+        'xspf' => 'application/xspf+xml',
+        'xul' => 'application/vnd.mozilla.xul+xml',
+        'xvm' => 'application/xv+xml',
+        'xvml' => 'application/xv+xml',
+        'xwd' => 'image/x-xwindowdump',
+        'xyz' => 'chemical/x-xyz',
+        'xz' => 'application/x-xz',
+        'yaml' => 'text/yaml',
+        'yang' => 'application/yang',
+        'yin' => 'application/yin+xml',
+        'yml' => 'text/yaml',
+        'ymp' => 'text/x-suse-ymp',
+        'z' => 'application/x-compress',
+        'z1' => 'application/x-zmachine',
+        'z2' => 'application/x-zmachine',
+        'z3' => 'application/x-zmachine',
+        'z4' => 'application/x-zmachine',
+        'z5' => 'application/x-zmachine',
+        'z6' => 'application/x-zmachine',
+        'z7' => 'application/x-zmachine',
+        'z8' => 'application/x-zmachine',
+        'zaz' => 'application/vnd.zzazz.deck+xml',
+        'zip' => 'application/zip',
+        'zir' => 'application/vnd.zul',
+        'zirz' => 'application/vnd.zul',
+        'zmm' => 'application/vnd.handheld-entertainment+xml',
+        'zsh' => 'text/x-scriptzsh',
+    ];
+
+    /**
+     * Determines the mimetype of a file by looking at its extension.
+     *
+     * @link https://raw.githubusercontent.com/jshttp/mime-db/master/db.json
+     */
+    public static function fromFilename(string $filename): ?string
+    {
+        return self::fromExtension(pathinfo($filename, PATHINFO_EXTENSION));
+    }
+
+    /**
+     * Maps a file extensions to a mimetype.
+     *
+     * @link https://raw.githubusercontent.com/jshttp/mime-db/master/db.json
+     */
+    public static function fromExtension(string $extension): ?string
+    {
+        return self::MIME_TYPES[strtolower($extension)] ?? null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MultipartStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MultipartStream.php
new file mode 100644
index 000000000..3e12b74d1
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MultipartStream.php
@@ -0,0 +1,159 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Stream that when read returns bytes for a streaming multipart or
+ * multipart/form-data stream.
+ */
+final class MultipartStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var string */
+    private $boundary;
+
+    /** @var StreamInterface */
+    private $stream;
+
+    /**
+     * @param array  $elements Array of associative arrays, each containing a
+     *                         required "name" key mapping to the form field,
+     *                         name, a required "contents" key mapping to a
+     *                         StreamInterface/resource/string, an optional
+     *                         "headers" associative array of custom headers,
+     *                         and an optional "filename" key mapping to a
+     *                         string to send as the filename in the part.
+     * @param string $boundary You can optionally provide a specific boundary
+     *
+     * @throws \InvalidArgumentException
+     */
+    public function __construct(array $elements = [], string $boundary = null)
+    {
+        $this->boundary = $boundary ?: bin2hex(random_bytes(20));
+        $this->stream = $this->createStream($elements);
+    }
+
+    public function getBoundary(): string
+    {
+        return $this->boundary;
+    }
+
+    public function isWritable(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Get the headers needed before transferring the content of a POST file
+     *
+     * @param array<string, string> $headers
+     */
+    private function getHeaders(array $headers): string
+    {
+        $str = '';
+        foreach ($headers as $key => $value) {
+            $str .= "{$key}: {$value}\r\n";
+        }
+
+        return "--{$this->boundary}\r\n" . trim($str) . "\r\n\r\n";
+    }
+
+    /**
+     * Create the aggregate stream that will be used to upload the POST data
+     */
+    protected function createStream(array $elements = []): StreamInterface
+    {
+        $stream = new AppendStream();
+
+        foreach ($elements as $element) {
+            if (!is_array($element)) {
+                throw new \UnexpectedValueException("An array is expected");
+            }
+            $this->addElement($stream, $element);
+        }
+
+        // Add the trailing boundary with CRLF
+        $stream->addStream(Utils::streamFor("--{$this->boundary}--\r\n"));
+
+        return $stream;
+    }
+
+    private function addElement(AppendStream $stream, array $element): void
+    {
+        foreach (['contents', 'name'] as $key) {
+            if (!array_key_exists($key, $element)) {
+                throw new \InvalidArgumentException("A '{$key}' key is required");
+            }
+        }
+
+        $element['contents'] = Utils::streamFor($element['contents']);
+
+        if (empty($element['filename'])) {
+            $uri = $element['contents']->getMetadata('uri');
+            if ($uri && \is_string($uri) && \substr($uri, 0, 6) !== 'php://' && \substr($uri, 0, 7) !== 'data://') {
+                $element['filename'] = $uri;
+            }
+        }
+
+        [$body, $headers] = $this->createElement(
+            $element['name'],
+            $element['contents'],
+            $element['filename'] ?? null,
+            $element['headers'] ?? []
+        );
+
+        $stream->addStream(Utils::streamFor($this->getHeaders($headers)));
+        $stream->addStream($body);
+        $stream->addStream(Utils::streamFor("\r\n"));
+    }
+
+    private function createElement(string $name, StreamInterface $stream, ?string $filename, array $headers): array
+    {
+        // Set a default content-disposition header if one was no provided
+        $disposition = $this->getHeader($headers, 'content-disposition');
+        if (!$disposition) {
+            $headers['Content-Disposition'] = ($filename === '0' || $filename)
+                ? sprintf(
+                    'form-data; name="%s"; filename="%s"',
+                    $name,
+                    basename($filename)
+                )
+                : "form-data; name=\"{$name}\"";
+        }
+
+        // Set a default content-length header if one was no provided
+        $length = $this->getHeader($headers, 'content-length');
+        if (!$length) {
+            if ($length = $stream->getSize()) {
+                $headers['Content-Length'] = (string) $length;
+            }
+        }
+
+        // Set a default Content-Type if one was not supplied
+        $type = $this->getHeader($headers, 'content-type');
+        if (!$type && ($filename === '0' || $filename)) {
+            if ($type = MimeType::fromFilename($filename)) {
+                $headers['Content-Type'] = $type;
+            }
+        }
+
+        return [$stream, $headers];
+    }
+
+    private function getHeader(array $headers, string $key)
+    {
+        $lowercaseHeader = strtolower($key);
+        foreach ($headers as $k => $v) {
+            if (strtolower($k) === $lowercaseHeader) {
+                return $v;
+            }
+        }
+
+        return null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/NoSeekStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/NoSeekStream.php
new file mode 100644
index 000000000..161a224f0
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/NoSeekStream.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Stream decorator that prevents a stream from being seeked.
+ */
+final class NoSeekStream implements StreamInterface
+{
+    use StreamDecoratorTrait;
+
+    /** @var StreamInterface */
+    private $stream;
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        throw new \RuntimeException('Cannot seek a NoSeekStream');
+    }
+
+    public function isSeekable(): bool
+    {
+        return false;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/PumpStream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/PumpStream.php
new file mode 100644
index 000000000..e90389c3b
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/PumpStream.php
@@ -0,0 +1,179 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Provides a read only stream that pumps data from a PHP callable.
+ *
+ * When invoking the provided callable, the PumpStream will pass the amount of
+ * data requested to read to the callable. The callable can choose to ignore
+ * this value and return fewer or more bytes than requested. Any extra data
+ * returned by the provided callable is buffered internally until drained using
+ * the read() function of the PumpStream. The provided callable MUST return
+ * false when there is no more data to read.
+ */
+final class PumpStream implements StreamInterface
+{
+    /** @var callable|null */
+    private $source;
+
+    /** @var int|null */
+    private $size;
+
+    /** @var int */
+    private $tellPos = 0;
+
+    /** @var array */
+    private $metadata;
+
+    /** @var BufferStream */
+    private $buffer;
+
+    /**
+     * @param callable(int): (string|null|false)  $source  Source of the stream data. The callable MAY
+     *                                                     accept an integer argument used to control the
+     *                                                     amount of data to return. The callable MUST
+     *                                                     return a string when called, or false|null on error
+     *                                                     or EOF.
+     * @param array{size?: int, metadata?: array} $options Stream options:
+     *                                                     - metadata: Hash of metadata to use with stream.
+     *                                                     - size: Size of the stream, if known.
+     */
+    public function __construct(callable $source, array $options = [])
+    {
+        $this->source = $source;
+        $this->size = $options['size'] ?? null;
+        $this->metadata = $options['metadata'] ?? [];
+        $this->buffer = new BufferStream();
+    }
+
+    public function __toString(): string
+    {
+        try {
+            return Utils::copyToString($this);
+        } catch (\Throwable $e) {
+            if (\PHP_VERSION_ID >= 70400) {
+                throw $e;
+            }
+            trigger_error(sprintf('%s::__toString exception: %s', self::class, (string) $e), E_USER_ERROR);
+            return '';
+        }
+    }
+
+    public function close(): void
+    {
+        $this->detach();
+    }
+
+    public function detach()
+    {
+        $this->tellPos = 0;
+        $this->source = null;
+
+        return null;
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->size;
+    }
+
+    public function tell(): int
+    {
+        return $this->tellPos;
+    }
+
+    public function eof(): bool
+    {
+        return $this->source === null;
+    }
+
+    public function isSeekable(): bool
+    {
+        return false;
+    }
+
+    public function rewind(): void
+    {
+        $this->seek(0);
+    }
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        throw new \RuntimeException('Cannot seek a PumpStream');
+    }
+
+    public function isWritable(): bool
+    {
+        return false;
+    }
+
+    public function write($string): int
+    {
+        throw new \RuntimeException('Cannot write to a PumpStream');
+    }
+
+    public function isReadable(): bool
+    {
+        return true;
+    }
+
+    public function read($length): string
+    {
+        $data = $this->buffer->read($length);
+        $readLen = strlen($data);
+        $this->tellPos += $readLen;
+        $remaining = $length - $readLen;
+
+        if ($remaining) {
+            $this->pump($remaining);
+            $data .= $this->buffer->read($remaining);
+            $this->tellPos += strlen($data) - $readLen;
+        }
+
+        return $data;
+    }
+
+    public function getContents(): string
+    {
+        $result = '';
+        while (!$this->eof()) {
+            $result .= $this->read(1000000);
+        }
+
+        return $result;
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getMetadata($key = null)
+    {
+        if (!$key) {
+            return $this->metadata;
+        }
+
+        return $this->metadata[$key] ?? null;
+    }
+
+    private function pump(int $length): void
+    {
+        if ($this->source) {
+            do {
+                $data = call_user_func($this->source, $length);
+                if ($data === false || $data === null) {
+                    $this->source = null;
+                    return;
+                }
+                $this->buffer->write($data);
+                $length -= strlen($data);
+            } while ($length > 0);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Query.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Query.php
new file mode 100644
index 000000000..2faab3a88
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Query.php
@@ -0,0 +1,113 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+final class Query
+{
+    /**
+     * Parse a query string into an associative array.
+     *
+     * If multiple values are found for the same key, the value of that key
+     * value pair will become an array. This function does not parse nested
+     * PHP style arrays into an associative array (e.g., `foo[a]=1&foo[b]=2`
+     * will be parsed into `['foo[a]' => '1', 'foo[b]' => '2'])`.
+     *
+     * @param string   $str         Query string to parse
+     * @param int|bool $urlEncoding How the query string is encoded
+     */
+    public static function parse(string $str, $urlEncoding = true): array
+    {
+        $result = [];
+
+        if ($str === '') {
+            return $result;
+        }
+
+        if ($urlEncoding === true) {
+            $decoder = function ($value) {
+                return rawurldecode(str_replace('+', ' ', (string) $value));
+            };
+        } elseif ($urlEncoding === PHP_QUERY_RFC3986) {
+            $decoder = 'rawurldecode';
+        } elseif ($urlEncoding === PHP_QUERY_RFC1738) {
+            $decoder = 'urldecode';
+        } else {
+            $decoder = function ($str) {
+                return $str;
+            };
+        }
+
+        foreach (explode('&', $str) as $kvp) {
+            $parts = explode('=', $kvp, 2);
+            $key = $decoder($parts[0]);
+            $value = isset($parts[1]) ? $decoder($parts[1]) : null;
+            if (!array_key_exists($key, $result)) {
+                $result[$key] = $value;
+            } else {
+                if (!is_array($result[$key])) {
+                    $result[$key] = [$result[$key]];
+                }
+                $result[$key][] = $value;
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * Build a query string from an array of key value pairs.
+     *
+     * This function can use the return value of `parse()` to build a query
+     * string. This function does not modify the provided keys when an array is
+     * encountered (like `http_build_query()` would).
+     *
+     * @param array     $params   Query string parameters.
+     * @param int|false $encoding Set to false to not encode, PHP_QUERY_RFC3986
+     *                            to encode using RFC3986, or PHP_QUERY_RFC1738
+     *                            to encode using RFC1738.
+     */
+    public static function build(array $params, $encoding = PHP_QUERY_RFC3986): string
+    {
+        if (!$params) {
+            return '';
+        }
+
+        if ($encoding === false) {
+            $encoder = function (string $str): string {
+                return $str;
+            };
+        } elseif ($encoding === PHP_QUERY_RFC3986) {
+            $encoder = 'rawurlencode';
+        } elseif ($encoding === PHP_QUERY_RFC1738) {
+            $encoder = 'urlencode';
+        } else {
+            throw new \InvalidArgumentException('Invalid type');
+        }
+
+        $qs = '';
+        foreach ($params as $k => $v) {
+            $k = $encoder((string) $k);
+            if (!is_array($v)) {
+                $qs .= $k;
+                $v = is_bool($v) ? (int) $v : $v;
+                if ($v !== null) {
+                    $qs .= '=' . $encoder((string) $v);
+                }
+                $qs .= '&';
+            } else {
+                foreach ($v as $vv) {
+                    $qs .= $k;
+                    $vv = is_bool($vv) ? (int) $vv : $vv;
+                    if ($vv !== null) {
+                        $qs .= '=' . $encoder((string) $vv);
+                    }
+                    $qs .= '&';
+                }
+            }
+        }
+
+        return $qs ? (string) substr($qs, 0, -1) : '';
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Request.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Request.php
new file mode 100644
index 000000000..b17af66a2
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Request.php
@@ -0,0 +1,157 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use InvalidArgumentException;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * PSR-7 request implementation.
+ */
+class Request implements RequestInterface
+{
+    use MessageTrait;
+
+    /** @var string */
+    private $method;
+
+    /** @var string|null */
+    private $requestTarget;
+
+    /** @var UriInterface */
+    private $uri;
+
+    /**
+     * @param string                               $method  HTTP method
+     * @param string|UriInterface                  $uri     URI
+     * @param array<string, string|string[]>       $headers Request headers
+     * @param string|resource|StreamInterface|null $body    Request body
+     * @param string                               $version Protocol version
+     */
+    public function __construct(
+        string $method,
+        $uri,
+        array $headers = [],
+        $body = null,
+        string $version = '1.1'
+    ) {
+        $this->assertMethod($method);
+        if (!($uri instanceof UriInterface)) {
+            $uri = new Uri($uri);
+        }
+
+        $this->method = strtoupper($method);
+        $this->uri = $uri;
+        $this->setHeaders($headers);
+        $this->protocol = $version;
+
+        if (!isset($this->headerNames['host'])) {
+            $this->updateHostFromUri();
+        }
+
+        if ($body !== '' && $body !== null) {
+            $this->stream = Utils::streamFor($body);
+        }
+    }
+
+    public function getRequestTarget(): string
+    {
+        if ($this->requestTarget !== null) {
+            return $this->requestTarget;
+        }
+
+        $target = $this->uri->getPath();
+        if ($target === '') {
+            $target = '/';
+        }
+        if ($this->uri->getQuery() != '') {
+            $target .= '?' . $this->uri->getQuery();
+        }
+
+        return $target;
+    }
+
+    public function withRequestTarget($requestTarget): RequestInterface
+    {
+        if (preg_match('#\s#', $requestTarget)) {
+            throw new InvalidArgumentException(
+                'Invalid request target provided; cannot contain whitespace'
+            );
+        }
+
+        $new = clone $this;
+        $new->requestTarget = $requestTarget;
+        return $new;
+    }
+
+    public function getMethod(): string
+    {
+        return $this->method;
+    }
+
+    public function withMethod($method): RequestInterface
+    {
+        $this->assertMethod($method);
+        $new = clone $this;
+        $new->method = strtoupper($method);
+        return $new;
+    }
+
+    public function getUri(): UriInterface
+    {
+        return $this->uri;
+    }
+
+    public function withUri(UriInterface $uri, $preserveHost = false): RequestInterface
+    {
+        if ($uri === $this->uri) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->uri = $uri;
+
+        if (!$preserveHost || !isset($this->headerNames['host'])) {
+            $new->updateHostFromUri();
+        }
+
+        return $new;
+    }
+
+    private function updateHostFromUri(): void
+    {
+        $host = $this->uri->getHost();
+
+        if ($host == '') {
+            return;
+        }
+
+        if (($port = $this->uri->getPort()) !== null) {
+            $host .= ':' . $port;
+        }
+
+        if (isset($this->headerNames['host'])) {
+            $header = $this->headerNames['host'];
+        } else {
+            $header = 'Host';
+            $this->headerNames['host'] = 'Host';
+        }
+        // Ensure Host is the first header.
+        // See: http://tools.ietf.org/html/rfc7230#section-5.4
+        $this->headers = [$header => [$host]] + $this->headers;
+    }
+
+    /**
+     * @param mixed $method
+     */
+    private function assertMethod($method): void
+    {
+        if (!is_string($method) || $method === '') {
+            throw new InvalidArgumentException('Method must be a non-empty string.');
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Response.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Response.php
new file mode 100644
index 000000000..4c6ee6f03
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Response.php
@@ -0,0 +1,160 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * PSR-7 response implementation.
+ */
+class Response implements ResponseInterface
+{
+    use MessageTrait;
+
+    /** Map of standard HTTP status code/reason phrases */
+    private const PHRASES = [
+        100 => 'Continue',
+        101 => 'Switching Protocols',
+        102 => 'Processing',
+        200 => 'OK',
+        201 => 'Created',
+        202 => 'Accepted',
+        203 => 'Non-Authoritative Information',
+        204 => 'No Content',
+        205 => 'Reset Content',
+        206 => 'Partial Content',
+        207 => 'Multi-status',
+        208 => 'Already Reported',
+        300 => 'Multiple Choices',
+        301 => 'Moved Permanently',
+        302 => 'Found',
+        303 => 'See Other',
+        304 => 'Not Modified',
+        305 => 'Use Proxy',
+        306 => 'Switch Proxy',
+        307 => 'Temporary Redirect',
+        308 => 'Permanent Redirect',
+        400 => 'Bad Request',
+        401 => 'Unauthorized',
+        402 => 'Payment Required',
+        403 => 'Forbidden',
+        404 => 'Not Found',
+        405 => 'Method Not Allowed',
+        406 => 'Not Acceptable',
+        407 => 'Proxy Authentication Required',
+        408 => 'Request Time-out',
+        409 => 'Conflict',
+        410 => 'Gone',
+        411 => 'Length Required',
+        412 => 'Precondition Failed',
+        413 => 'Request Entity Too Large',
+        414 => 'Request-URI Too Large',
+        415 => 'Unsupported Media Type',
+        416 => 'Requested range not satisfiable',
+        417 => 'Expectation Failed',
+        418 => 'I\'m a teapot',
+        422 => 'Unprocessable Entity',
+        423 => 'Locked',
+        424 => 'Failed Dependency',
+        425 => 'Unordered Collection',
+        426 => 'Upgrade Required',
+        428 => 'Precondition Required',
+        429 => 'Too Many Requests',
+        431 => 'Request Header Fields Too Large',
+        451 => 'Unavailable For Legal Reasons',
+        500 => 'Internal Server Error',
+        501 => 'Not Implemented',
+        502 => 'Bad Gateway',
+        503 => 'Service Unavailable',
+        504 => 'Gateway Time-out',
+        505 => 'HTTP Version not supported',
+        506 => 'Variant Also Negotiates',
+        507 => 'Insufficient Storage',
+        508 => 'Loop Detected',
+        510 => 'Not Extended',
+        511 => 'Network Authentication Required',
+    ];
+
+    /** @var string */
+    private $reasonPhrase;
+
+    /** @var int */
+    private $statusCode;
+
+    /**
+     * @param int                                  $status  Status code
+     * @param array<string, string|string[]>       $headers Response headers
+     * @param string|resource|StreamInterface|null $body    Response body
+     * @param string                               $version Protocol version
+     * @param string|null                          $reason  Reason phrase (when empty a default will be used based on the status code)
+     */
+    public function __construct(
+        int $status = 200,
+        array $headers = [],
+        $body = null,
+        string $version = '1.1',
+        string $reason = null
+    ) {
+        $this->assertStatusCodeRange($status);
+
+        $this->statusCode = $status;
+
+        if ($body !== '' && $body !== null) {
+            $this->stream = Utils::streamFor($body);
+        }
+
+        $this->setHeaders($headers);
+        if ($reason == '' && isset(self::PHRASES[$this->statusCode])) {
+            $this->reasonPhrase = self::PHRASES[$this->statusCode];
+        } else {
+            $this->reasonPhrase = (string) $reason;
+        }
+
+        $this->protocol = $version;
+    }
+
+    public function getStatusCode(): int
+    {
+        return $this->statusCode;
+    }
+
+    public function getReasonPhrase(): string
+    {
+        return $this->reasonPhrase;
+    }
+
+    public function withStatus($code, $reasonPhrase = ''): ResponseInterface
+    {
+        $this->assertStatusCodeIsInteger($code);
+        $code = (int) $code;
+        $this->assertStatusCodeRange($code);
+
+        $new = clone $this;
+        $new->statusCode = $code;
+        if ($reasonPhrase == '' && isset(self::PHRASES[$new->statusCode])) {
+            $reasonPhrase = self::PHRASES[$new->statusCode];
+        }
+        $new->reasonPhrase = (string) $reasonPhrase;
+        return $new;
+    }
+
+    /**
+     * @param mixed $statusCode
+     */
+    private function assertStatusCodeIsInteger($statusCode): void
+    {
+        if (filter_var($statusCode, FILTER_VALIDATE_INT) === false) {
+            throw new \InvalidArgumentException('Status code must be an integer value.');
+        }
+    }
+
+    private function assertStatusCodeRange(int $statusCode): void
+    {
+        if ($statusCode < 100 || $statusCode >= 600) {
+            throw new \InvalidArgumentException('Status code must be an integer value between 1xx and 5xx.');
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Rfc7230.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Rfc7230.php
new file mode 100644
index 000000000..30224018d
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Rfc7230.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+/**
+ * @internal
+ */
+final class Rfc7230
+{
+    /**
+     * Header related regular expressions (based on amphp/http package)
+     *
+     * Note: header delimiter (\r\n) is modified to \r?\n to accept line feed only delimiters for BC reasons.
+     *
+     * @link    https://github.com/amphp/http/blob/v1.0.1/src/Rfc7230.php#L12-L15
+     *
+     * @license https://github.com/amphp/http/blob/v1.0.1/LICENSE
+     */
+    public const HEADER_REGEX = "(^([^()<>@,;:\\\"/[\]?={}\x01-\x20\x7F]++):[ \t]*+((?:[ \t]*+[\x21-\x7E\x80-\xFF]++)*+)[ \t]*+\r?\n)m";
+    public const HEADER_FOLD_REGEX = "(\r?\n[ \t]++)";
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php
new file mode 100644
index 000000000..43cbb502e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php
@@ -0,0 +1,344 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use InvalidArgumentException;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UploadedFileInterface;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Server-side HTTP request
+ *
+ * Extends the Request definition to add methods for accessing incoming data,
+ * specifically server parameters, cookies, matched path parameters, query
+ * string arguments, body parameters, and upload file information.
+ *
+ * "Attributes" are discovered via decomposing the request (and usually
+ * specifically the URI path), and typically will be injected by the application.
+ *
+ * Requests are considered immutable; all methods that might change state are
+ * implemented such that they retain the internal state of the current
+ * message and return a new instance that contains the changed state.
+ */
+class ServerRequest extends Request implements ServerRequestInterface
+{
+    /**
+     * @var array
+     */
+    private $attributes = [];
+
+    /**
+     * @var array
+     */
+    private $cookieParams = [];
+
+    /**
+     * @var array|object|null
+     */
+    private $parsedBody;
+
+    /**
+     * @var array
+     */
+    private $queryParams = [];
+
+    /**
+     * @var array
+     */
+    private $serverParams;
+
+    /**
+     * @var array
+     */
+    private $uploadedFiles = [];
+
+    /**
+     * @param string                               $method       HTTP method
+     * @param string|UriInterface                  $uri          URI
+     * @param array<string, string|string[]>       $headers      Request headers
+     * @param string|resource|StreamInterface|null $body         Request body
+     * @param string                               $version      Protocol version
+     * @param array                                $serverParams Typically the $_SERVER superglobal
+     */
+    public function __construct(
+        string $method,
+        $uri,
+        array $headers = [],
+        $body = null,
+        string $version = '1.1',
+        array $serverParams = []
+    ) {
+        $this->serverParams = $serverParams;
+
+        parent::__construct($method, $uri, $headers, $body, $version);
+    }
+
+    /**
+     * Return an UploadedFile instance array.
+     *
+     * @param array $files An array which respect $_FILES structure
+     *
+     * @throws InvalidArgumentException for unrecognized values
+     */
+    public static function normalizeFiles(array $files): array
+    {
+        $normalized = [];
+
+        foreach ($files as $key => $value) {
+            if ($value instanceof UploadedFileInterface) {
+                $normalized[$key] = $value;
+            } elseif (is_array($value) && isset($value['tmp_name'])) {
+                $normalized[$key] = self::createUploadedFileFromSpec($value);
+            } elseif (is_array($value)) {
+                $normalized[$key] = self::normalizeFiles($value);
+                continue;
+            } else {
+                throw new InvalidArgumentException('Invalid value in files specification');
+            }
+        }
+
+        return $normalized;
+    }
+
+    /**
+     * Create and return an UploadedFile instance from a $_FILES specification.
+     *
+     * If the specification represents an array of values, this method will
+     * delegate to normalizeNestedFileSpec() and return that return value.
+     *
+     * @param array $value $_FILES struct
+     *
+     * @return UploadedFileInterface|UploadedFileInterface[]
+     */
+    private static function createUploadedFileFromSpec(array $value)
+    {
+        if (is_array($value['tmp_name'])) {
+            return self::normalizeNestedFileSpec($value);
+        }
+
+        return new UploadedFile(
+            $value['tmp_name'],
+            (int) $value['size'],
+            (int) $value['error'],
+            $value['name'],
+            $value['type']
+        );
+    }
+
+    /**
+     * Normalize an array of file specifications.
+     *
+     * Loops through all nested files and returns a normalized array of
+     * UploadedFileInterface instances.
+     *
+     * @return UploadedFileInterface[]
+     */
+    private static function normalizeNestedFileSpec(array $files = []): array
+    {
+        $normalizedFiles = [];
+
+        foreach (array_keys($files['tmp_name']) as $key) {
+            $spec = [
+                'tmp_name' => $files['tmp_name'][$key],
+                'size'     => $files['size'][$key],
+                'error'    => $files['error'][$key],
+                'name'     => $files['name'][$key],
+                'type'     => $files['type'][$key],
+            ];
+            $normalizedFiles[$key] = self::createUploadedFileFromSpec($spec);
+        }
+
+        return $normalizedFiles;
+    }
+
+    /**
+     * Return a ServerRequest populated with superglobals:
+     * $_GET
+     * $_POST
+     * $_COOKIE
+     * $_FILES
+     * $_SERVER
+     */
+    public static function fromGlobals(): ServerRequestInterface
+    {
+        $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
+        $headers = getallheaders();
+        $uri = self::getUriFromGlobals();
+        $body = new CachingStream(new LazyOpenStream('php://input', 'r+'));
+        $protocol = isset($_SERVER['SERVER_PROTOCOL']) ? str_replace('HTTP/', '', $_SERVER['SERVER_PROTOCOL']) : '1.1';
+
+        $serverRequest = new ServerRequest($method, $uri, $headers, $body, $protocol, $_SERVER);
+
+        return $serverRequest
+            ->withCookieParams($_COOKIE)
+            ->withQueryParams($_GET)
+            ->withParsedBody($_POST)
+            ->withUploadedFiles(self::normalizeFiles($_FILES));
+    }
+
+    private static function extractHostAndPortFromAuthority(string $authority): array
+    {
+        $uri = 'http://' . $authority;
+        $parts = parse_url($uri);
+        if (false === $parts) {
+            return [null, null];
+        }
+
+        $host = $parts['host'] ?? null;
+        $port = $parts['port'] ?? null;
+
+        return [$host, $port];
+    }
+
+    /**
+     * Get a Uri populated with values from $_SERVER.
+     */
+    public static function getUriFromGlobals(): UriInterface
+    {
+        $uri = new Uri('');
+
+        $uri = $uri->withScheme(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http');
+
+        $hasPort = false;
+        if (isset($_SERVER['HTTP_HOST'])) {
+            [$host, $port] = self::extractHostAndPortFromAuthority($_SERVER['HTTP_HOST']);
+            if ($host !== null) {
+                $uri = $uri->withHost($host);
+            }
+
+            if ($port !== null) {
+                $hasPort = true;
+                $uri = $uri->withPort($port);
+            }
+        } elseif (isset($_SERVER['SERVER_NAME'])) {
+            $uri = $uri->withHost($_SERVER['SERVER_NAME']);
+        } elseif (isset($_SERVER['SERVER_ADDR'])) {
+            $uri = $uri->withHost($_SERVER['SERVER_ADDR']);
+        }
+
+        if (!$hasPort && isset($_SERVER['SERVER_PORT'])) {
+            $uri = $uri->withPort($_SERVER['SERVER_PORT']);
+        }
+
+        $hasQuery = false;
+        if (isset($_SERVER['REQUEST_URI'])) {
+            $requestUriParts = explode('?', $_SERVER['REQUEST_URI'], 2);
+            $uri = $uri->withPath($requestUriParts[0]);
+            if (isset($requestUriParts[1])) {
+                $hasQuery = true;
+                $uri = $uri->withQuery($requestUriParts[1]);
+            }
+        }
+
+        if (!$hasQuery && isset($_SERVER['QUERY_STRING'])) {
+            $uri = $uri->withQuery($_SERVER['QUERY_STRING']);
+        }
+
+        return $uri;
+    }
+
+    public function getServerParams(): array
+    {
+        return $this->serverParams;
+    }
+
+    public function getUploadedFiles(): array
+    {
+        return $this->uploadedFiles;
+    }
+
+    public function withUploadedFiles(array $uploadedFiles): ServerRequestInterface
+    {
+        $new = clone $this;
+        $new->uploadedFiles = $uploadedFiles;
+
+        return $new;
+    }
+
+    public function getCookieParams(): array
+    {
+        return $this->cookieParams;
+    }
+
+    public function withCookieParams(array $cookies): ServerRequestInterface
+    {
+        $new = clone $this;
+        $new->cookieParams = $cookies;
+
+        return $new;
+    }
+
+    public function getQueryParams(): array
+    {
+        return $this->queryParams;
+    }
+
+    public function withQueryParams(array $query): ServerRequestInterface
+    {
+        $new = clone $this;
+        $new->queryParams = $query;
+
+        return $new;
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return array|object|null
+     */
+    public function getParsedBody()
+    {
+        return $this->parsedBody;
+    }
+
+    public function withParsedBody($data): ServerRequestInterface
+    {
+        $new = clone $this;
+        $new->parsedBody = $data;
+
+        return $new;
+    }
+
+    public function getAttributes(): array
+    {
+        return $this->attributes;
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getAttribute($attribute, $default = null)
+    {
+        if (false === array_key_exists($attribute, $this->attributes)) {
+            return $default;
+        }
+
+        return $this->attributes[$attribute];
+    }
+
+    public function withAttribute($attribute, $value): ServerRequestInterface
+    {
+        $new = clone $this;
+        $new->attributes[$attribute] = $value;
+
+        return $new;
+    }
+
+    public function withoutAttribute($attribute): ServerRequestInterface
+    {
+        if (false === array_key_exists($attribute, $this->attributes)) {
+            return $this;
+        }
+
+        $new = clone $this;
+        unset($new->attributes[$attribute]);
+
+        return $new;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Stream.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Stream.php
new file mode 100644
index 000000000..ecd31861e
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Stream.php
@@ -0,0 +1,282 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * PHP stream implementation.
+ */
+class Stream implements StreamInterface
+{
+    /**
+     * @see http://php.net/manual/function.fopen.php
+     * @see http://php.net/manual/en/function.gzopen.php
+     */
+    private const READABLE_MODES = '/r|a\+|ab\+|w\+|wb\+|x\+|xb\+|c\+|cb\+/';
+    private const WRITABLE_MODES = '/a|w|r\+|rb\+|rw|x|c/';
+
+    /** @var resource */
+    private $stream;
+    /** @var int|null */
+    private $size;
+    /** @var bool */
+    private $seekable;
+    /** @var bool */
+    private $readable;
+    /** @var bool */
+    private $writable;
+    /** @var string|null */
+    private $uri;
+    /** @var mixed[] */
+    private $customMetadata;
+
+    /**
+     * This constructor accepts an associative array of options.
+     *
+     * - size: (int) If a read stream would otherwise have an indeterminate
+     *   size, but the size is known due to foreknowledge, then you can
+     *   provide that size, in bytes.
+     * - metadata: (array) Any additional metadata to return when the metadata
+     *   of the stream is accessed.
+     *
+     * @param resource                            $stream  Stream resource to wrap.
+     * @param array{size?: int, metadata?: array} $options Associative array of options.
+     *
+     * @throws \InvalidArgumentException if the stream is not a stream resource
+     */
+    public function __construct($stream, array $options = [])
+    {
+        if (!is_resource($stream)) {
+            throw new \InvalidArgumentException('Stream must be a resource');
+        }
+
+        if (isset($options['size'])) {
+            $this->size = $options['size'];
+        }
+
+        $this->customMetadata = $options['metadata'] ?? [];
+        $this->stream = $stream;
+        $meta = stream_get_meta_data($this->stream);
+        $this->seekable = $meta['seekable'];
+        $this->readable = (bool)preg_match(self::READABLE_MODES, $meta['mode']);
+        $this->writable = (bool)preg_match(self::WRITABLE_MODES, $meta['mode']);
+        $this->uri = $this->getMetadata('uri');
+    }
+
+    /**
+     * Closes the stream when the destructed
+     */
+    public function __destruct()
+    {
+        $this->close();
+    }
+
+    public function __toString(): string
+    {
+        try {
+            if ($this->isSeekable()) {
+                $this->seek(0);
+            }
+            return $this->getContents();
+        } catch (\Throwable $e) {
+            if (\PHP_VERSION_ID >= 70400) {
+                throw $e;
+            }
+            trigger_error(sprintf('%s::__toString exception: %s', self::class, (string) $e), E_USER_ERROR);
+            return '';
+        }
+    }
+
+    public function getContents(): string
+    {
+        if (!isset($this->stream)) {
+            throw new \RuntimeException('Stream is detached');
+        }
+
+        if (!$this->readable) {
+            throw new \RuntimeException('Cannot read from non-readable stream');
+        }
+
+        return Utils::tryGetContents($this->stream);
+    }
+
+    public function close(): void
+    {
+        if (isset($this->stream)) {
+            if (is_resource($this->stream)) {
+                fclose($this->stream);
+            }
+            $this->detach();
+        }
+    }
+
+    public function detach()
+    {
+        if (!isset($this->stream)) {
+            return null;
+        }
+
+        $result = $this->stream;
+        unset($this->stream);
+        $this->size = $this->uri = null;
+        $this->readable = $this->writable = $this->seekable = false;
+
+        return $result;
+    }
+
+    public function getSize(): ?int
+    {
+        if ($this->size !== null) {
+            return $this->size;
+        }
+
+        if (!isset($this->stream)) {
+            return null;
+        }
+
+        // Clear the stat cache if the stream has a URI
+        if ($this->uri) {
+            clearstatcache(true, $this->uri);
+        }
+
+        $stats = fstat($this->stream);
+        if (is_array($stats) && isset($stats['size'])) {
+            $this->size = $stats['size'];
+            return $this->size;
+        }
+
+        return null;
+    }
+
+    public function isReadable(): bool
+    {
+        return $this->readable;
+    }
+
+    public function isWritable(): bool
+    {
+        return $this->writable;
+    }
+
+    public function isSeekable(): bool
+    {
+        return $this->seekable;
+    }
+
+    public function eof(): bool
+    {
+        if (!isset($this->stream)) {
+            throw new \RuntimeException('Stream is detached');
+        }
+
+        return feof($this->stream);
+    }
+
+    public function tell(): int
+    {
+        if (!isset($this->stream)) {
+            throw new \RuntimeException('Stream is detached');
+        }
+
+        $result = ftell($this->stream);
+
+        if ($result === false) {
+            throw new \RuntimeException('Unable to determine stream position');
+        }
+
+        return $result;
+    }
+
+    public function rewind(): void
+    {
+        $this->seek(0);
+    }
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        $whence = (int) $whence;
+
+        if (!isset($this->stream)) {
+            throw new \RuntimeException('Stream is detached');
+        }
+        if (!$this->seekable) {
+            throw new \RuntimeException('Stream is not seekable');
+        }
+        if (fseek($this->stream, $offset, $whence) === -1) {
+            throw new \RuntimeException('Unable to seek to stream position '
+                . $offset . ' with whence ' . var_export($whence, true));
+        }
+    }
+
+    public function read($length): string
+    {
+        if (!isset($this->stream)) {
+            throw new \RuntimeException('Stream is detached');
+        }
+        if (!$this->readable) {
+            throw new \RuntimeException('Cannot read from non-readable stream');
+        }
+        if ($length < 0) {
+            throw new \RuntimeException('Length parameter cannot be negative');
+        }
+
+        if (0 === $length) {
+            return '';
+        }
+
+        try {
+            $string = fread($this->stream, $length);
+        } catch (\Exception $e) {
+            throw new \RuntimeException('Unable to read from stream', 0, $e);
+        }
+
+        if (false === $string) {
+            throw new \RuntimeException('Unable to read from stream');
+        }
+
+        return $string;
+    }
+
+    public function write($string): int
+    {
+        if (!isset($this->stream)) {
+            throw new \RuntimeException('Stream is detached');
+        }
+        if (!$this->writable) {
+            throw new \RuntimeException('Cannot write to a non-writable stream');
+        }
+
+        // We can't know the size after writing anything
+        $this->size = null;
+        $result = fwrite($this->stream, $string);
+
+        if ($result === false) {
+            throw new \RuntimeException('Unable to write to stream');
+        }
+
+        return $result;
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getMetadata($key = null)
+    {
+        if (!isset($this->stream)) {
+            return $key ? null : [];
+        } elseif (!$key) {
+            return $this->customMetadata + stream_get_meta_data($this->stream);
+        } elseif (isset($this->customMetadata[$key])) {
+            return $this->customMetadata[$key];
+        }
+
+        $meta = stream_get_meta_data($this->stream);
+
+        return $meta[$key] ?? null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamDecoratorTrait.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamDecoratorTrait.php
new file mode 100644
index 000000000..56d4104d4
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamDecoratorTrait.php
@@ -0,0 +1,155 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Stream decorator trait
+ *
+ * @property StreamInterface $stream
+ */
+trait StreamDecoratorTrait
+{
+    /**
+     * @param StreamInterface $stream Stream to decorate
+     */
+    public function __construct(StreamInterface $stream)
+    {
+        $this->stream = $stream;
+    }
+
+    /**
+     * Magic method used to create a new stream if streams are not added in
+     * the constructor of a decorator (e.g., LazyOpenStream).
+     *
+     * @return StreamInterface
+     */
+    public function __get(string $name)
+    {
+        if ($name === 'stream') {
+            $this->stream = $this->createStream();
+            return $this->stream;
+        }
+
+        throw new \UnexpectedValueException("$name not found on class");
+    }
+
+    public function __toString(): string
+    {
+        try {
+            if ($this->isSeekable()) {
+                $this->seek(0);
+            }
+            return $this->getContents();
+        } catch (\Throwable $e) {
+            if (\PHP_VERSION_ID >= 70400) {
+                throw $e;
+            }
+            trigger_error(sprintf('%s::__toString exception: %s', self::class, (string) $e), E_USER_ERROR);
+            return '';
+        }
+    }
+
+    public function getContents(): string
+    {
+        return Utils::copyToString($this);
+    }
+
+    /**
+     * Allow decorators to implement custom methods
+     *
+     * @return mixed
+     */
+    public function __call(string $method, array $args)
+    {
+        /** @var callable $callable */
+        $callable = [$this->stream, $method];
+        $result = call_user_func_array($callable, $args);
+
+        // Always return the wrapped object if the result is a return $this
+        return $result === $this->stream ? $this : $result;
+    }
+
+    public function close(): void
+    {
+        $this->stream->close();
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return mixed
+     */
+    public function getMetadata($key = null)
+    {
+        return $this->stream->getMetadata($key);
+    }
+
+    public function detach()
+    {
+        return $this->stream->detach();
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->stream->getSize();
+    }
+
+    public function eof(): bool
+    {
+        return $this->stream->eof();
+    }
+
+    public function tell(): int
+    {
+        return $this->stream->tell();
+    }
+
+    public function isReadable(): bool
+    {
+        return $this->stream->isReadable();
+    }
+
+    public function isWritable(): bool
+    {
+        return $this->stream->isWritable();
+    }
+
+    public function isSeekable(): bool
+    {
+        return $this->stream->isSeekable();
+    }
+
+    public function rewind(): void
+    {
+        $this->seek(0);
+    }
+
+    public function seek($offset, $whence = SEEK_SET): void
+    {
+        $this->stream->seek($offset, $whence);
+    }
+
+    public function read($length): string
+    {
+        return $this->stream->read($length);
+    }
+
+    public function write($string): int
+    {
+        return $this->stream->write($string);
+    }
+
+    /**
+     * Implement in subclasses to dynamically create streams when requested.
+     *
+     * @throws \BadMethodCallException
+     */
+    protected function createStream(): StreamInterface
+    {
+        throw new \BadMethodCallException('Not implemented');
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamWrapper.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamWrapper.php
new file mode 100644
index 000000000..2a9346403
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/StreamWrapper.php
@@ -0,0 +1,175 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\StreamInterface;
+
+/**
+ * Converts Guzzle streams into PHP stream resources.
+ *
+ * @see https://www.php.net/streamwrapper
+ */
+final class StreamWrapper
+{
+    /** @var resource */
+    public $context;
+
+    /** @var StreamInterface */
+    private $stream;
+
+    /** @var string r, r+, or w */
+    private $mode;
+
+    /**
+     * Returns a resource representing the stream.
+     *
+     * @param StreamInterface $stream The stream to get a resource for
+     *
+     * @return resource
+     *
+     * @throws \InvalidArgumentException if stream is not readable or writable
+     */
+    public static function getResource(StreamInterface $stream)
+    {
+        self::register();
+
+        if ($stream->isReadable()) {
+            $mode = $stream->isWritable() ? 'r+' : 'r';
+        } elseif ($stream->isWritable()) {
+            $mode = 'w';
+        } else {
+            throw new \InvalidArgumentException('The stream must be readable, '
+                . 'writable, or both.');
+        }
+
+        return fopen('guzzle://stream', $mode, false, self::createStreamContext($stream));
+    }
+
+    /**
+     * Creates a stream context that can be used to open a stream as a php stream resource.
+     *
+     * @return resource
+     */
+    public static function createStreamContext(StreamInterface $stream)
+    {
+        return stream_context_create([
+            'guzzle' => ['stream' => $stream]
+        ]);
+    }
+
+    /**
+     * Registers the stream wrapper if needed
+     */
+    public static function register(): void
+    {
+        if (!in_array('guzzle', stream_get_wrappers())) {
+            stream_wrapper_register('guzzle', __CLASS__);
+        }
+    }
+
+    public function stream_open(string $path, string $mode, int $options, string &$opened_path = null): bool
+    {
+        $options = stream_context_get_options($this->context);
+
+        if (!isset($options['guzzle']['stream'])) {
+            return false;
+        }
+
+        $this->mode = $mode;
+        $this->stream = $options['guzzle']['stream'];
+
+        return true;
+    }
+
+    public function stream_read(int $count): string
+    {
+        return $this->stream->read($count);
+    }
+
+    public function stream_write(string $data): int
+    {
+        return $this->stream->write($data);
+    }
+
+    public function stream_tell(): int
+    {
+        return $this->stream->tell();
+    }
+
+    public function stream_eof(): bool
+    {
+        return $this->stream->eof();
+    }
+
+    public function stream_seek(int $offset, int $whence): bool
+    {
+        $this->stream->seek($offset, $whence);
+
+        return true;
+    }
+
+    /**
+     * @return resource|false
+     */
+    public function stream_cast(int $cast_as)
+    {
+        $stream = clone($this->stream);
+        $resource = $stream->detach();
+
+        return $resource ?? false;
+    }
+
+    /**
+     * @return array<int|string, int>
+     */
+    public function stream_stat(): array
+    {
+        static $modeMap = [
+            'r'  => 33060,
+            'rb' => 33060,
+            'r+' => 33206,
+            'w'  => 33188,
+            'wb' => 33188
+        ];
+
+        return [
+            'dev'     => 0,
+            'ino'     => 0,
+            'mode'    => $modeMap[$this->mode],
+            'nlink'   => 0,
+            'uid'     => 0,
+            'gid'     => 0,
+            'rdev'    => 0,
+            'size'    => $this->stream->getSize() ?: 0,
+            'atime'   => 0,
+            'mtime'   => 0,
+            'ctime'   => 0,
+            'blksize' => 0,
+            'blocks'  => 0
+        ];
+    }
+
+    /**
+     * @return array<int|string, int>
+     */
+    public function url_stat(string $path, int $flags): array
+    {
+        return [
+            'dev'     => 0,
+            'ino'     => 0,
+            'mode'    => 0,
+            'nlink'   => 0,
+            'uid'     => 0,
+            'gid'     => 0,
+            'rdev'    => 0,
+            'size'    => 0,
+            'atime'   => 0,
+            'mtime'   => 0,
+            'ctime'   => 0,
+            'blksize' => 0,
+            'blocks'  => 0
+        ];
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UploadedFile.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UploadedFile.php
new file mode 100644
index 000000000..b1521bcf8
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UploadedFile.php
@@ -0,0 +1,211 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use InvalidArgumentException;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UploadedFileInterface;
+use RuntimeException;
+
+class UploadedFile implements UploadedFileInterface
+{
+    private const ERRORS = [
+        UPLOAD_ERR_OK,
+        UPLOAD_ERR_INI_SIZE,
+        UPLOAD_ERR_FORM_SIZE,
+        UPLOAD_ERR_PARTIAL,
+        UPLOAD_ERR_NO_FILE,
+        UPLOAD_ERR_NO_TMP_DIR,
+        UPLOAD_ERR_CANT_WRITE,
+        UPLOAD_ERR_EXTENSION,
+    ];
+
+    /**
+     * @var string|null
+     */
+    private $clientFilename;
+
+    /**
+     * @var string|null
+     */
+    private $clientMediaType;
+
+    /**
+     * @var int
+     */
+    private $error;
+
+    /**
+     * @var string|null
+     */
+    private $file;
+
+    /**
+     * @var bool
+     */
+    private $moved = false;
+
+    /**
+     * @var int|null
+     */
+    private $size;
+
+    /**
+     * @var StreamInterface|null
+     */
+    private $stream;
+
+    /**
+     * @param StreamInterface|string|resource $streamOrFile
+     */
+    public function __construct(
+        $streamOrFile,
+        ?int $size,
+        int $errorStatus,
+        string $clientFilename = null,
+        string $clientMediaType = null
+    ) {
+        $this->setError($errorStatus);
+        $this->size = $size;
+        $this->clientFilename = $clientFilename;
+        $this->clientMediaType = $clientMediaType;
+
+        if ($this->isOk()) {
+            $this->setStreamOrFile($streamOrFile);
+        }
+    }
+
+    /**
+     * Depending on the value set file or stream variable
+     *
+     * @param StreamInterface|string|resource $streamOrFile
+     *
+     * @throws InvalidArgumentException
+     */
+    private function setStreamOrFile($streamOrFile): void
+    {
+        if (is_string($streamOrFile)) {
+            $this->file = $streamOrFile;
+        } elseif (is_resource($streamOrFile)) {
+            $this->stream = new Stream($streamOrFile);
+        } elseif ($streamOrFile instanceof StreamInterface) {
+            $this->stream = $streamOrFile;
+        } else {
+            throw new InvalidArgumentException(
+                'Invalid stream or file provided for UploadedFile'
+            );
+        }
+    }
+
+    /**
+     * @throws InvalidArgumentException
+     */
+    private function setError(int $error): void
+    {
+        if (false === in_array($error, UploadedFile::ERRORS, true)) {
+            throw new InvalidArgumentException(
+                'Invalid error status for UploadedFile'
+            );
+        }
+
+        $this->error = $error;
+    }
+
+    private function isStringNotEmpty($param): bool
+    {
+        return is_string($param) && false === empty($param);
+    }
+
+    /**
+     * Return true if there is no upload error
+     */
+    private function isOk(): bool
+    {
+        return $this->error === UPLOAD_ERR_OK;
+    }
+
+    public function isMoved(): bool
+    {
+        return $this->moved;
+    }
+
+    /**
+     * @throws RuntimeException if is moved or not ok
+     */
+    private function validateActive(): void
+    {
+        if (false === $this->isOk()) {
+            throw new RuntimeException('Cannot retrieve stream due to upload error');
+        }
+
+        if ($this->isMoved()) {
+            throw new RuntimeException('Cannot retrieve stream after it has already been moved');
+        }
+    }
+
+    public function getStream(): StreamInterface
+    {
+        $this->validateActive();
+
+        if ($this->stream instanceof StreamInterface) {
+            return $this->stream;
+        }
+
+        /** @var string $file */
+        $file = $this->file;
+
+        return new LazyOpenStream($file, 'r+');
+    }
+
+    public function moveTo($targetPath): void
+    {
+        $this->validateActive();
+
+        if (false === $this->isStringNotEmpty($targetPath)) {
+            throw new InvalidArgumentException(
+                'Invalid path provided for move operation; must be a non-empty string'
+            );
+        }
+
+        if ($this->file) {
+            $this->moved = PHP_SAPI === 'cli'
+                ? rename($this->file, $targetPath)
+                : move_uploaded_file($this->file, $targetPath);
+        } else {
+            Utils::copyToStream(
+                $this->getStream(),
+                new LazyOpenStream($targetPath, 'w')
+            );
+
+            $this->moved = true;
+        }
+
+        if (false === $this->moved) {
+            throw new RuntimeException(
+                sprintf('Uploaded file could not be moved to %s', $targetPath)
+            );
+        }
+    }
+
+    public function getSize(): ?int
+    {
+        return $this->size;
+    }
+
+    public function getError(): int
+    {
+        return $this->error;
+    }
+
+    public function getClientFilename(): ?string
+    {
+        return $this->clientFilename;
+    }
+
+    public function getClientMediaType(): ?string
+    {
+        return $this->clientMediaType;
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Uri.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Uri.php
new file mode 100644
index 000000000..09e878d3d
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Uri.php
@@ -0,0 +1,740 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use GuzzleHttp\Psr7\Exception\MalformedUriException;
+use Psr\Http\Message\UriInterface;
+
+/**
+ * PSR-7 URI implementation.
+ *
+ * @author Michael Dowling
+ * @author Tobias Schultze
+ * @author Matthew Weier O'Phinney
+ */
+class Uri implements UriInterface, \JsonSerializable
+{
+    /**
+     * Absolute http and https URIs require a host per RFC 7230 Section 2.7
+     * but in generic URIs the host can be empty. So for http(s) URIs
+     * we apply this default host when no host is given yet to form a
+     * valid URI.
+     */
+    private const HTTP_DEFAULT_HOST = 'localhost';
+
+    private const DEFAULT_PORTS = [
+        'http'  => 80,
+        'https' => 443,
+        'ftp' => 21,
+        'gopher' => 70,
+        'nntp' => 119,
+        'news' => 119,
+        'telnet' => 23,
+        'tn3270' => 23,
+        'imap' => 143,
+        'pop' => 110,
+        'ldap' => 389,
+    ];
+
+    /**
+     * Unreserved characters for use in a regex.
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-2.3
+     */
+    private const CHAR_UNRESERVED = 'a-zA-Z0-9_\-\.~';
+
+    /**
+     * Sub-delims for use in a regex.
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-2.2
+     */
+    private const CHAR_SUB_DELIMS = '!\$&\'\(\)\*\+,;=';
+    private const QUERY_SEPARATORS_REPLACEMENT = ['=' => '%3D', '&' => '%26'];
+
+    /** @var string Uri scheme. */
+    private $scheme = '';
+
+    /** @var string Uri user info. */
+    private $userInfo = '';
+
+    /** @var string Uri host. */
+    private $host = '';
+
+    /** @var int|null Uri port. */
+    private $port;
+
+    /** @var string Uri path. */
+    private $path = '';
+
+    /** @var string Uri query string. */
+    private $query = '';
+
+    /** @var string Uri fragment. */
+    private $fragment = '';
+
+    /** @var string|null String representation */
+    private $composedComponents;
+
+    public function __construct(string $uri = '')
+    {
+        if ($uri !== '') {
+            $parts = self::parse($uri);
+            if ($parts === false) {
+                throw new MalformedUriException("Unable to parse URI: $uri");
+            }
+            $this->applyParts($parts);
+        }
+    }
+    /**
+     * UTF-8 aware \parse_url() replacement.
+     *
+     * The internal function produces broken output for non ASCII domain names
+     * (IDN) when used with locales other than "C".
+     *
+     * On the other hand, cURL understands IDN correctly only when UTF-8 locale
+     * is configured ("C.UTF-8", "en_US.UTF-8", etc.).
+     *
+     * @see https://bugs.php.net/bug.php?id=52923
+     * @see https://www.php.net/manual/en/function.parse-url.php#114817
+     * @see https://curl.haxx.se/libcurl/c/CURLOPT_URL.html#ENCODING
+     *
+     * @return array|false
+     */
+    private static function parse(string $url)
+    {
+        // If IPv6
+        $prefix = '';
+        if (preg_match('%^(.*://\[[0-9:a-f]+\])(.*?)$%', $url, $matches)) {
+            /** @var array{0:string, 1:string, 2:string} $matches */
+            $prefix = $matches[1];
+            $url = $matches[2];
+        }
+
+        /** @var string */
+        $encodedUrl = preg_replace_callback(
+            '%[^:/@?&=#]+%usD',
+            static function ($matches) {
+                return urlencode($matches[0]);
+            },
+            $url
+        );
+
+        $result = parse_url($prefix . $encodedUrl);
+
+        if ($result === false) {
+            return false;
+        }
+
+        return array_map('urldecode', $result);
+    }
+
+    public function __toString(): string
+    {
+        if ($this->composedComponents === null) {
+            $this->composedComponents = self::composeComponents(
+                $this->scheme,
+                $this->getAuthority(),
+                $this->path,
+                $this->query,
+                $this->fragment
+            );
+        }
+
+        return $this->composedComponents;
+    }
+
+    /**
+     * Composes a URI reference string from its various components.
+     *
+     * Usually this method does not need to be called manually but instead is used indirectly via
+     * `Psr\Http\Message\UriInterface::__toString`.
+     *
+     * PSR-7 UriInterface treats an empty component the same as a missing component as
+     * getQuery(), getFragment() etc. always return a string. This explains the slight
+     * difference to RFC 3986 Section 5.3.
+     *
+     * Another adjustment is that the authority separator is added even when the authority is missing/empty
+     * for the "file" scheme. This is because PHP stream functions like `file_get_contents` only work with
+     * `file:///myfile` but not with `file:/myfile` although they are equivalent according to RFC 3986. But
+     * `file:///` is the more common syntax for the file scheme anyway (Chrome for example redirects to
+     * that format).
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-5.3
+     */
+    public static function composeComponents(?string $scheme, ?string $authority, string $path, ?string $query, ?string $fragment): string
+    {
+        $uri = '';
+
+        // weak type checks to also accept null until we can add scalar type hints
+        if ($scheme != '') {
+            $uri .= $scheme . ':';
+        }
+
+        if ($authority != '' || $scheme === 'file') {
+            $uri .= '//' . $authority;
+        }
+
+        if ($authority != '' && $path != '' && $path[0] != '/') {
+            $path = '/' . $path;
+        }
+
+        $uri .= $path;
+
+        if ($query != '') {
+            $uri .= '?' . $query;
+        }
+
+        if ($fragment != '') {
+            $uri .= '#' . $fragment;
+        }
+
+        return $uri;
+    }
+
+    /**
+     * Whether the URI has the default port of the current scheme.
+     *
+     * `Psr\Http\Message\UriInterface::getPort` may return null or the standard port. This method can be used
+     * independently of the implementation.
+     */
+    public static function isDefaultPort(UriInterface $uri): bool
+    {
+        return $uri->getPort() === null
+            || (isset(self::DEFAULT_PORTS[$uri->getScheme()]) && $uri->getPort() === self::DEFAULT_PORTS[$uri->getScheme()]);
+    }
+
+    /**
+     * Whether the URI is absolute, i.e. it has a scheme.
+     *
+     * An instance of UriInterface can either be an absolute URI or a relative reference. This method returns true
+     * if it is the former. An absolute URI has a scheme. A relative reference is used to express a URI relative
+     * to another URI, the base URI. Relative references can be divided into several forms:
+     * - network-path references, e.g. '//example.com/path'
+     * - absolute-path references, e.g. '/path'
+     * - relative-path references, e.g. 'subpath'
+     *
+     * @see Uri::isNetworkPathReference
+     * @see Uri::isAbsolutePathReference
+     * @see Uri::isRelativePathReference
+     * @link https://tools.ietf.org/html/rfc3986#section-4
+     */
+    public static function isAbsolute(UriInterface $uri): bool
+    {
+        return $uri->getScheme() !== '';
+    }
+
+    /**
+     * Whether the URI is a network-path reference.
+     *
+     * A relative reference that begins with two slash characters is termed an network-path reference.
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-4.2
+     */
+    public static function isNetworkPathReference(UriInterface $uri): bool
+    {
+        return $uri->getScheme() === '' && $uri->getAuthority() !== '';
+    }
+
+    /**
+     * Whether the URI is a absolute-path reference.
+     *
+     * A relative reference that begins with a single slash character is termed an absolute-path reference.
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-4.2
+     */
+    public static function isAbsolutePathReference(UriInterface $uri): bool
+    {
+        return $uri->getScheme() === ''
+            && $uri->getAuthority() === ''
+            && isset($uri->getPath()[0])
+            && $uri->getPath()[0] === '/';
+    }
+
+    /**
+     * Whether the URI is a relative-path reference.
+     *
+     * A relative reference that does not begin with a slash character is termed a relative-path reference.
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-4.2
+     */
+    public static function isRelativePathReference(UriInterface $uri): bool
+    {
+        return $uri->getScheme() === ''
+            && $uri->getAuthority() === ''
+            && (!isset($uri->getPath()[0]) || $uri->getPath()[0] !== '/');
+    }
+
+    /**
+     * Whether the URI is a same-document reference.
+     *
+     * A same-document reference refers to a URI that is, aside from its fragment
+     * component, identical to the base URI. When no base URI is given, only an empty
+     * URI reference (apart from its fragment) is considered a same-document reference.
+     *
+     * @param UriInterface      $uri  The URI to check
+     * @param UriInterface|null $base An optional base URI to compare against
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-4.4
+     */
+    public static function isSameDocumentReference(UriInterface $uri, UriInterface $base = null): bool
+    {
+        if ($base !== null) {
+            $uri = UriResolver::resolve($base, $uri);
+
+            return ($uri->getScheme() === $base->getScheme())
+                && ($uri->getAuthority() === $base->getAuthority())
+                && ($uri->getPath() === $base->getPath())
+                && ($uri->getQuery() === $base->getQuery());
+        }
+
+        return $uri->getScheme() === '' && $uri->getAuthority() === '' && $uri->getPath() === '' && $uri->getQuery() === '';
+    }
+
+    /**
+     * Creates a new URI with a specific query string value removed.
+     *
+     * Any existing query string values that exactly match the provided key are
+     * removed.
+     *
+     * @param UriInterface $uri URI to use as a base.
+     * @param string       $key Query string key to remove.
+     */
+    public static function withoutQueryValue(UriInterface $uri, string $key): UriInterface
+    {
+        $result = self::getFilteredQueryString($uri, [$key]);
+
+        return $uri->withQuery(implode('&', $result));
+    }
+
+    /**
+     * Creates a new URI with a specific query string value.
+     *
+     * Any existing query string values that exactly match the provided key are
+     * removed and replaced with the given key value pair.
+     *
+     * A value of null will set the query string key without a value, e.g. "key"
+     * instead of "key=value".
+     *
+     * @param UriInterface $uri   URI to use as a base.
+     * @param string       $key   Key to set.
+     * @param string|null  $value Value to set
+     */
+    public static function withQueryValue(UriInterface $uri, string $key, ?string $value): UriInterface
+    {
+        $result = self::getFilteredQueryString($uri, [$key]);
+
+        $result[] = self::generateQueryString($key, $value);
+
+        return $uri->withQuery(implode('&', $result));
+    }
+
+    /**
+     * Creates a new URI with multiple specific query string values.
+     *
+     * It has the same behavior as withQueryValue() but for an associative array of key => value.
+     *
+     * @param UriInterface               $uri           URI to use as a base.
+     * @param array<string, string|null> $keyValueArray Associative array of key and values
+     */
+    public static function withQueryValues(UriInterface $uri, array $keyValueArray): UriInterface
+    {
+        $result = self::getFilteredQueryString($uri, array_keys($keyValueArray));
+
+        foreach ($keyValueArray as $key => $value) {
+            $result[] = self::generateQueryString((string) $key, $value !== null ? (string) $value : null);
+        }
+
+        return $uri->withQuery(implode('&', $result));
+    }
+
+    /**
+     * Creates a URI from a hash of `parse_url` components.
+     *
+     * @link http://php.net/manual/en/function.parse-url.php
+     *
+     * @throws MalformedUriException If the components do not form a valid URI.
+     */
+    public static function fromParts(array $parts): UriInterface
+    {
+        $uri = new self();
+        $uri->applyParts($parts);
+        $uri->validateState();
+
+        return $uri;
+    }
+
+    public function getScheme(): string
+    {
+        return $this->scheme;
+    }
+
+    public function getAuthority(): string
+    {
+        $authority = $this->host;
+        if ($this->userInfo !== '') {
+            $authority = $this->userInfo . '@' . $authority;
+        }
+
+        if ($this->port !== null) {
+            $authority .= ':' . $this->port;
+        }
+
+        return $authority;
+    }
+
+    public function getUserInfo(): string
+    {
+        return $this->userInfo;
+    }
+
+    public function getHost(): string
+    {
+        return $this->host;
+    }
+
+    public function getPort(): ?int
+    {
+        return $this->port;
+    }
+
+    public function getPath(): string
+    {
+        return $this->path;
+    }
+
+    public function getQuery(): string
+    {
+        return $this->query;
+    }
+
+    public function getFragment(): string
+    {
+        return $this->fragment;
+    }
+
+    public function withScheme($scheme): UriInterface
+    {
+        $scheme = $this->filterScheme($scheme);
+
+        if ($this->scheme === $scheme) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->scheme = $scheme;
+        $new->composedComponents = null;
+        $new->removeDefaultPort();
+        $new->validateState();
+
+        return $new;
+    }
+
+    public function withUserInfo($user, $password = null): UriInterface
+    {
+        $info = $this->filterUserInfoComponent($user);
+        if ($password !== null) {
+            $info .= ':' . $this->filterUserInfoComponent($password);
+        }
+
+        if ($this->userInfo === $info) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->userInfo = $info;
+        $new->composedComponents = null;
+        $new->validateState();
+
+        return $new;
+    }
+
+    public function withHost($host): UriInterface
+    {
+        $host = $this->filterHost($host);
+
+        if ($this->host === $host) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->host = $host;
+        $new->composedComponents = null;
+        $new->validateState();
+
+        return $new;
+    }
+
+    public function withPort($port): UriInterface
+    {
+        $port = $this->filterPort($port);
+
+        if ($this->port === $port) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->port = $port;
+        $new->composedComponents = null;
+        $new->removeDefaultPort();
+        $new->validateState();
+
+        return $new;
+    }
+
+    public function withPath($path): UriInterface
+    {
+        $path = $this->filterPath($path);
+
+        if ($this->path === $path) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->path = $path;
+        $new->composedComponents = null;
+        $new->validateState();
+
+        return $new;
+    }
+
+    public function withQuery($query): UriInterface
+    {
+        $query = $this->filterQueryAndFragment($query);
+
+        if ($this->query === $query) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->query = $query;
+        $new->composedComponents = null;
+
+        return $new;
+    }
+
+    public function withFragment($fragment): UriInterface
+    {
+        $fragment = $this->filterQueryAndFragment($fragment);
+
+        if ($this->fragment === $fragment) {
+            return $this;
+        }
+
+        $new = clone $this;
+        $new->fragment = $fragment;
+        $new->composedComponents = null;
+
+        return $new;
+    }
+
+    public function jsonSerialize(): string
+    {
+        return $this->__toString();
+    }
+
+    /**
+     * Apply parse_url parts to a URI.
+     *
+     * @param array $parts Array of parse_url parts to apply.
+     */
+    private function applyParts(array $parts): void
+    {
+        $this->scheme = isset($parts['scheme'])
+            ? $this->filterScheme($parts['scheme'])
+            : '';
+        $this->userInfo = isset($parts['user'])
+            ? $this->filterUserInfoComponent($parts['user'])
+            : '';
+        $this->host = isset($parts['host'])
+            ? $this->filterHost($parts['host'])
+            : '';
+        $this->port = isset($parts['port'])
+            ? $this->filterPort($parts['port'])
+            : null;
+        $this->path = isset($parts['path'])
+            ? $this->filterPath($parts['path'])
+            : '';
+        $this->query = isset($parts['query'])
+            ? $this->filterQueryAndFragment($parts['query'])
+            : '';
+        $this->fragment = isset($parts['fragment'])
+            ? $this->filterQueryAndFragment($parts['fragment'])
+            : '';
+        if (isset($parts['pass'])) {
+            $this->userInfo .= ':' . $this->filterUserInfoComponent($parts['pass']);
+        }
+
+        $this->removeDefaultPort();
+    }
+
+    /**
+     * @param mixed $scheme
+     *
+     * @throws \InvalidArgumentException If the scheme is invalid.
+     */
+    private function filterScheme($scheme): string
+    {
+        if (!is_string($scheme)) {
+            throw new \InvalidArgumentException('Scheme must be a string');
+        }
+
+        return \strtr($scheme, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz');
+    }
+
+    /**
+     * @param mixed $component
+     *
+     * @throws \InvalidArgumentException If the user info is invalid.
+     */
+    private function filterUserInfoComponent($component): string
+    {
+        if (!is_string($component)) {
+            throw new \InvalidArgumentException('User info must be a string');
+        }
+
+        return preg_replace_callback(
+            '/(?:[^%' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . ']+|%(?![A-Fa-f0-9]{2}))/',
+            [$this, 'rawurlencodeMatchZero'],
+            $component
+        );
+    }
+
+    /**
+     * @param mixed $host
+     *
+     * @throws \InvalidArgumentException If the host is invalid.
+     */
+    private function filterHost($host): string
+    {
+        if (!is_string($host)) {
+            throw new \InvalidArgumentException('Host must be a string');
+        }
+
+        return \strtr($host, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz');
+    }
+
+    /**
+     * @param mixed $port
+     *
+     * @throws \InvalidArgumentException If the port is invalid.
+     */
+    private function filterPort($port): ?int
+    {
+        if ($port === null) {
+            return null;
+        }
+
+        $port = (int) $port;
+        if (0 > $port || 0xffff < $port) {
+            throw new \InvalidArgumentException(
+                sprintf('Invalid port: %d. Must be between 0 and 65535', $port)
+            );
+        }
+
+        return $port;
+    }
+
+    /**
+     * @param string[] $keys
+     *
+     * @return string[]
+     */
+    private static function getFilteredQueryString(UriInterface $uri, array $keys): array
+    {
+        $current = $uri->getQuery();
+
+        if ($current === '') {
+            return [];
+        }
+
+        $decodedKeys = array_map('rawurldecode', $keys);
+
+        return array_filter(explode('&', $current), function ($part) use ($decodedKeys) {
+            return !in_array(rawurldecode(explode('=', $part)[0]), $decodedKeys, true);
+        });
+    }
+
+    private static function generateQueryString(string $key, ?string $value): string
+    {
+        // Query string separators ("=", "&") within the key or value need to be encoded
+        // (while preventing double-encoding) before setting the query string. All other
+        // chars that need percent-encoding will be encoded by withQuery().
+        $queryString = strtr($key, self::QUERY_SEPARATORS_REPLACEMENT);
+
+        if ($value !== null) {
+            $queryString .= '=' . strtr($value, self::QUERY_SEPARATORS_REPLACEMENT);
+        }
+
+        return $queryString;
+    }
+
+    private function removeDefaultPort(): void
+    {
+        if ($this->port !== null && self::isDefaultPort($this)) {
+            $this->port = null;
+        }
+    }
+
+    /**
+     * Filters the path of a URI
+     *
+     * @param mixed $path
+     *
+     * @throws \InvalidArgumentException If the path is invalid.
+     */
+    private function filterPath($path): string
+    {
+        if (!is_string($path)) {
+            throw new \InvalidArgumentException('Path must be a string');
+        }
+
+        return preg_replace_callback(
+            '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:@\/]++|%(?![A-Fa-f0-9]{2}))/',
+            [$this, 'rawurlencodeMatchZero'],
+            $path
+        );
+    }
+
+    /**
+     * Filters the query string or fragment of a URI.
+     *
+     * @param mixed $str
+     *
+     * @throws \InvalidArgumentException If the query or fragment is invalid.
+     */
+    private function filterQueryAndFragment($str): string
+    {
+        if (!is_string($str)) {
+            throw new \InvalidArgumentException('Query and fragment must be a string');
+        }
+
+        return preg_replace_callback(
+            '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:@\/\?]++|%(?![A-Fa-f0-9]{2}))/',
+            [$this, 'rawurlencodeMatchZero'],
+            $str
+        );
+    }
+
+    private function rawurlencodeMatchZero(array $match): string
+    {
+        return rawurlencode($match[0]);
+    }
+
+    private function validateState(): void
+    {
+        if ($this->host === '' && ($this->scheme === 'http' || $this->scheme === 'https')) {
+            $this->host = self::HTTP_DEFAULT_HOST;
+        }
+
+        if ($this->getAuthority() === '') {
+            if (0 === strpos($this->path, '//')) {
+                throw new MalformedUriException('The path of a URI without an authority must not start with two slashes "//"');
+            }
+            if ($this->scheme === '' && false !== strpos(explode('/', $this->path, 2)[0], ':')) {
+                throw new MalformedUriException('A relative URI must not have a path beginning with a segment containing a colon');
+            }
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriComparator.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriComparator.php
new file mode 100644
index 000000000..70c582aa0
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriComparator.php
@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Provides methods to determine if a modified URL should be considered cross-origin.
+ *
+ * @author Graham Campbell
+ */
+final class UriComparator
+{
+    /**
+     * Determines if a modified URL should be considered cross-origin with
+     * respect to an original URL.
+     */
+    public static function isCrossOrigin(UriInterface $original, UriInterface $modified): bool
+    {
+        if (\strcasecmp($original->getHost(), $modified->getHost()) !== 0) {
+            return true;
+        }
+
+        if ($original->getScheme() !== $modified->getScheme()) {
+            return true;
+        }
+
+        if (self::computePort($original) !== self::computePort($modified)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    private static function computePort(UriInterface $uri): int
+    {
+        $port = $uri->getPort();
+
+        if (null !== $port) {
+            return $port;
+        }
+
+        return 'https' === $uri->getScheme() ? 443 : 80;
+    }
+
+    private function __construct()
+    {
+        // cannot be instantiated
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriNormalizer.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriNormalizer.php
new file mode 100644
index 000000000..e12971edd
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriNormalizer.php
@@ -0,0 +1,220 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Provides methods to normalize and compare URIs.
+ *
+ * @author Tobias Schultze
+ *
+ * @link https://tools.ietf.org/html/rfc3986#section-6
+ */
+final class UriNormalizer
+{
+    /**
+     * Default normalizations which only include the ones that preserve semantics.
+     */
+    public const PRESERVING_NORMALIZATIONS =
+        self::CAPITALIZE_PERCENT_ENCODING |
+        self::DECODE_UNRESERVED_CHARACTERS |
+        self::CONVERT_EMPTY_PATH |
+        self::REMOVE_DEFAULT_HOST |
+        self::REMOVE_DEFAULT_PORT |
+        self::REMOVE_DOT_SEGMENTS;
+
+    /**
+     * All letters within a percent-encoding triplet (e.g., "%3A") are case-insensitive, and should be capitalized.
+     *
+     * Example: http://example.org/a%c2%b1b → http://example.org/a%C2%B1b
+     */
+    public const CAPITALIZE_PERCENT_ENCODING = 1;
+
+    /**
+     * Decodes percent-encoded octets of unreserved characters.
+     *
+     * For consistency, percent-encoded octets in the ranges of ALPHA (%41–%5A and %61–%7A), DIGIT (%30–%39),
+     * hyphen (%2D), period (%2E), underscore (%5F), or tilde (%7E) should not be created by URI producers and,
+     * when found in a URI, should be decoded to their corresponding unreserved characters by URI normalizers.
+     *
+     * Example: http://example.org/%7Eusern%61me/ → http://example.org/~username/
+     */
+    public const DECODE_UNRESERVED_CHARACTERS = 2;
+
+    /**
+     * Converts the empty path to "/" for http and https URIs.
+     *
+     * Example: http://example.org → http://example.org/
+     */
+    public const CONVERT_EMPTY_PATH = 4;
+
+    /**
+     * Removes the default host of the given URI scheme from the URI.
+     *
+     * Only the "file" scheme defines the default host "localhost".
+     * All of `file:/myfile`, `file:///myfile`, and `file://localhost/myfile`
+     * are equivalent according to RFC 3986. The first format is not accepted
+     * by PHPs stream functions and thus already normalized implicitly to the
+     * second format in the Uri class. See `GuzzleHttp\Psr7\Uri::composeComponents`.
+     *
+     * Example: file://localhost/myfile → file:///myfile
+     */
+    public const REMOVE_DEFAULT_HOST = 8;
+
+    /**
+     * Removes the default port of the given URI scheme from the URI.
+     *
+     * Example: http://example.org:80/ → http://example.org/
+     */
+    public const REMOVE_DEFAULT_PORT = 16;
+
+    /**
+     * Removes unnecessary dot-segments.
+     *
+     * Dot-segments in relative-path references are not removed as it would
+     * change the semantics of the URI reference.
+     *
+     * Example: http://example.org/../a/b/../c/./d.html → http://example.org/a/c/d.html
+     */
+    public const REMOVE_DOT_SEGMENTS = 32;
+
+    /**
+     * Paths which include two or more adjacent slashes are converted to one.
+     *
+     * Webservers usually ignore duplicate slashes and treat those URIs equivalent.
+     * But in theory those URIs do not need to be equivalent. So this normalization
+     * may change the semantics. Encoded slashes (%2F) are not removed.
+     *
+     * Example: http://example.org//foo///bar.html → http://example.org/foo/bar.html
+     */
+    public const REMOVE_DUPLICATE_SLASHES = 64;
+
+    /**
+     * Sort query parameters with their values in alphabetical order.
+     *
+     * However, the order of parameters in a URI may be significant (this is not defined by the standard).
+     * So this normalization is not safe and may change the semantics of the URI.
+     *
+     * Example: ?lang=en&article=fred → ?article=fred&lang=en
+     *
+     * Note: The sorting is neither locale nor Unicode aware (the URI query does not get decoded at all) as the
+     * purpose is to be able to compare URIs in a reproducible way, not to have the params sorted perfectly.
+     */
+    public const SORT_QUERY_PARAMETERS = 128;
+
+    /**
+     * Returns a normalized URI.
+     *
+     * The scheme and host component are already normalized to lowercase per PSR-7 UriInterface.
+     * This methods adds additional normalizations that can be configured with the $flags parameter.
+     *
+     * PSR-7 UriInterface cannot distinguish between an empty component and a missing component as
+     * getQuery(), getFragment() etc. always return a string. This means the URIs "/?#" and "/" are
+     * treated equivalent which is not necessarily true according to RFC 3986. But that difference
+     * is highly uncommon in reality. So this potential normalization is implied in PSR-7 as well.
+     *
+     * @param UriInterface $uri   The URI to normalize
+     * @param int          $flags A bitmask of normalizations to apply, see constants
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-6.2
+     */
+    public static function normalize(UriInterface $uri, int $flags = self::PRESERVING_NORMALIZATIONS): UriInterface
+    {
+        if ($flags & self::CAPITALIZE_PERCENT_ENCODING) {
+            $uri = self::capitalizePercentEncoding($uri);
+        }
+
+        if ($flags & self::DECODE_UNRESERVED_CHARACTERS) {
+            $uri = self::decodeUnreservedCharacters($uri);
+        }
+
+        if ($flags & self::CONVERT_EMPTY_PATH && $uri->getPath() === '' &&
+            ($uri->getScheme() === 'http' || $uri->getScheme() === 'https')
+        ) {
+            $uri = $uri->withPath('/');
+        }
+
+        if ($flags & self::REMOVE_DEFAULT_HOST && $uri->getScheme() === 'file' && $uri->getHost() === 'localhost') {
+            $uri = $uri->withHost('');
+        }
+
+        if ($flags & self::REMOVE_DEFAULT_PORT && $uri->getPort() !== null && Uri::isDefaultPort($uri)) {
+            $uri = $uri->withPort(null);
+        }
+
+        if ($flags & self::REMOVE_DOT_SEGMENTS && !Uri::isRelativePathReference($uri)) {
+            $uri = $uri->withPath(UriResolver::removeDotSegments($uri->getPath()));
+        }
+
+        if ($flags & self::REMOVE_DUPLICATE_SLASHES) {
+            $uri = $uri->withPath(preg_replace('#//++#', '/', $uri->getPath()));
+        }
+
+        if ($flags & self::SORT_QUERY_PARAMETERS && $uri->getQuery() !== '') {
+            $queryKeyValues = explode('&', $uri->getQuery());
+            sort($queryKeyValues);
+            $uri = $uri->withQuery(implode('&', $queryKeyValues));
+        }
+
+        return $uri;
+    }
+
+    /**
+     * Whether two URIs can be considered equivalent.
+     *
+     * Both URIs are normalized automatically before comparison with the given $normalizations bitmask. The method also
+     * accepts relative URI references and returns true when they are equivalent. This of course assumes they will be
+     * resolved against the same base URI. If this is not the case, determination of equivalence or difference of
+     * relative references does not mean anything.
+     *
+     * @param UriInterface $uri1           An URI to compare
+     * @param UriInterface $uri2           An URI to compare
+     * @param int          $normalizations A bitmask of normalizations to apply, see constants
+     *
+     * @link https://tools.ietf.org/html/rfc3986#section-6.1
+     */
+    public static function isEquivalent(UriInterface $uri1, UriInterface $uri2, int $normalizations = self::PRESERVING_NORMALIZATIONS): bool
+    {
+        return (string) self::normalize($uri1, $normalizations) === (string) self::normalize($uri2, $normalizations);
+    }
+
+    private static function capitalizePercentEncoding(UriInterface $uri): UriInterface
+    {
+        $regex = '/(?:%[A-Fa-f0-9]{2})++/';
+
+        $callback = function (array $match) {
+            return strtoupper($match[0]);
+        };
+
+        return
+            $uri->withPath(
+                preg_replace_callback($regex, $callback, $uri->getPath())
+            )->withQuery(
+                preg_replace_callback($regex, $callback, $uri->getQuery())
+            );
+    }
+
+    private static function decodeUnreservedCharacters(UriInterface $uri): UriInterface
+    {
+        $regex = '/%(?:2D|2E|5F|7E|3[0-9]|[46][1-9A-F]|[57][0-9A])/i';
+
+        $callback = function (array $match) {
+            return rawurldecode($match[0]);
+        };
+
+        return
+            $uri->withPath(
+                preg_replace_callback($regex, $callback, $uri->getPath())
+            )->withQuery(
+                preg_replace_callback($regex, $callback, $uri->getQuery())
+            );
+    }
+
+    private function __construct()
+    {
+        // cannot be instantiated
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriResolver.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriResolver.php
new file mode 100644
index 000000000..426e5c9ad
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/UriResolver.php
@@ -0,0 +1,211 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\UriInterface;
+
+/**
+ * Resolves a URI reference in the context of a base URI and the opposite way.
+ *
+ * @author Tobias Schultze
+ *
+ * @link https://tools.ietf.org/html/rfc3986#section-5
+ */
+final class UriResolver
+{
+    /**
+     * Removes dot segments from a path and returns the new path.
+     *
+     * @link http://tools.ietf.org/html/rfc3986#section-5.2.4
+     */
+    public static function removeDotSegments(string $path): string
+    {
+        if ($path === '' || $path === '/') {
+            return $path;
+        }
+
+        $results = [];
+        $segments = explode('/', $path);
+        foreach ($segments as $segment) {
+            if ($segment === '..') {
+                array_pop($results);
+            } elseif ($segment !== '.') {
+                $results[] = $segment;
+            }
+        }
+
+        $newPath = implode('/', $results);
+
+        if ($path[0] === '/' && (!isset($newPath[0]) || $newPath[0] !== '/')) {
+            // Re-add the leading slash if necessary for cases like "/.."
+            $newPath = '/' . $newPath;
+        } elseif ($newPath !== '' && ($segment === '.' || $segment === '..')) {
+            // Add the trailing slash if necessary
+            // If newPath is not empty, then $segment must be set and is the last segment from the foreach
+            $newPath .= '/';
+        }
+
+        return $newPath;
+    }
+
+    /**
+     * Converts the relative URI into a new URI that is resolved against the base URI.
+     *
+     * @link http://tools.ietf.org/html/rfc3986#section-5.2
+     */
+    public static function resolve(UriInterface $base, UriInterface $rel): UriInterface
+    {
+        if ((string) $rel === '') {
+            // we can simply return the same base URI instance for this same-document reference
+            return $base;
+        }
+
+        if ($rel->getScheme() != '') {
+            return $rel->withPath(self::removeDotSegments($rel->getPath()));
+        }
+
+        if ($rel->getAuthority() != '') {
+            $targetAuthority = $rel->getAuthority();
+            $targetPath = self::removeDotSegments($rel->getPath());
+            $targetQuery = $rel->getQuery();
+        } else {
+            $targetAuthority = $base->getAuthority();
+            if ($rel->getPath() === '') {
+                $targetPath = $base->getPath();
+                $targetQuery = $rel->getQuery() != '' ? $rel->getQuery() : $base->getQuery();
+            } else {
+                if ($rel->getPath()[0] === '/') {
+                    $targetPath = $rel->getPath();
+                } else {
+                    if ($targetAuthority != '' && $base->getPath() === '') {
+                        $targetPath = '/' . $rel->getPath();
+                    } else {
+                        $lastSlashPos = strrpos($base->getPath(), '/');
+                        if ($lastSlashPos === false) {
+                            $targetPath = $rel->getPath();
+                        } else {
+                            $targetPath = substr($base->getPath(), 0, $lastSlashPos + 1) . $rel->getPath();
+                        }
+                    }
+                }
+                $targetPath = self::removeDotSegments($targetPath);
+                $targetQuery = $rel->getQuery();
+            }
+        }
+
+        return new Uri(Uri::composeComponents(
+            $base->getScheme(),
+            $targetAuthority,
+            $targetPath,
+            $targetQuery,
+            $rel->getFragment()
+        ));
+    }
+
+    /**
+     * Returns the target URI as a relative reference from the base URI.
+     *
+     * This method is the counterpart to resolve():
+     *
+     *    (string) $target === (string) UriResolver::resolve($base, UriResolver::relativize($base, $target))
+     *
+     * One use-case is to use the current request URI as base URI and then generate relative links in your documents
+     * to reduce the document size or offer self-contained downloadable document archives.
+     *
+     *    $base = new Uri('http://example.com/a/b/');
+     *    echo UriResolver::relativize($base, new Uri('http://example.com/a/b/c'));  // prints 'c'.
+     *    echo UriResolver::relativize($base, new Uri('http://example.com/a/x/y'));  // prints '../x/y'.
+     *    echo UriResolver::relativize($base, new Uri('http://example.com/a/b/?q')); // prints '?q'.
+     *    echo UriResolver::relativize($base, new Uri('http://example.org/a/b/'));   // prints '//example.org/a/b/'.
+     *
+     * This method also accepts a target that is already relative and will try to relativize it further. Only a
+     * relative-path reference will be returned as-is.
+     *
+     *    echo UriResolver::relativize($base, new Uri('/a/b/c'));  // prints 'c' as well
+     */
+    public static function relativize(UriInterface $base, UriInterface $target): UriInterface
+    {
+        if ($target->getScheme() !== '' &&
+            ($base->getScheme() !== $target->getScheme() || $target->getAuthority() === '' && $base->getAuthority() !== '')
+        ) {
+            return $target;
+        }
+
+        if (Uri::isRelativePathReference($target)) {
+            // As the target is already highly relative we return it as-is. It would be possible to resolve
+            // the target with `$target = self::resolve($base, $target);` and then try make it more relative
+            // by removing a duplicate query. But let's not do that automatically.
+            return $target;
+        }
+
+        if ($target->getAuthority() !== '' && $base->getAuthority() !== $target->getAuthority()) {
+            return $target->withScheme('');
+        }
+
+        // We must remove the path before removing the authority because if the path starts with two slashes, the URI
+        // would turn invalid. And we also cannot set a relative path before removing the authority, as that is also
+        // invalid.
+        $emptyPathUri = $target->withScheme('')->withPath('')->withUserInfo('')->withPort(null)->withHost('');
+
+        if ($base->getPath() !== $target->getPath()) {
+            return $emptyPathUri->withPath(self::getRelativePath($base, $target));
+        }
+
+        if ($base->getQuery() === $target->getQuery()) {
+            // Only the target fragment is left. And it must be returned even if base and target fragment are the same.
+            return $emptyPathUri->withQuery('');
+        }
+
+        // If the base URI has a query but the target has none, we cannot return an empty path reference as it would
+        // inherit the base query component when resolving.
+        if ($target->getQuery() === '') {
+            $segments = explode('/', $target->getPath());
+            /** @var string $lastSegment */
+            $lastSegment = end($segments);
+
+            return $emptyPathUri->withPath($lastSegment === '' ? './' : $lastSegment);
+        }
+
+        return $emptyPathUri;
+    }
+
+    private static function getRelativePath(UriInterface $base, UriInterface $target): string
+    {
+        $sourceSegments = explode('/', $base->getPath());
+        $targetSegments = explode('/', $target->getPath());
+        array_pop($sourceSegments);
+        $targetLastSegment = array_pop($targetSegments);
+        foreach ($sourceSegments as $i => $segment) {
+            if (isset($targetSegments[$i]) && $segment === $targetSegments[$i]) {
+                unset($sourceSegments[$i], $targetSegments[$i]);
+            } else {
+                break;
+            }
+        }
+        $targetSegments[] = $targetLastSegment;
+        $relativePath = str_repeat('../', count($sourceSegments)) . implode('/', $targetSegments);
+
+        // A reference to am empty last segment or an empty first sub-segment must be prefixed with "./".
+        // This also applies to a segment with a colon character (e.g., "file:colon") that cannot be used
+        // as the first segment of a relative-path reference, as it would be mistaken for a scheme name.
+        if ('' === $relativePath || false !== strpos(explode('/', $relativePath, 2)[0], ':')) {
+            $relativePath = "./$relativePath";
+        } elseif ('/' === $relativePath[0]) {
+            if ($base->getAuthority() != '' && $base->getPath() === '') {
+                // In this case an extra slash is added by resolve() automatically. So we must not add one here.
+                $relativePath = ".$relativePath";
+            } else {
+                $relativePath = "./$relativePath";
+            }
+        }
+
+        return $relativePath;
+    }
+
+    private function __construct()
+    {
+        // cannot be instantiated
+    }
+}
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Utils.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Utils.php
new file mode 100644
index 000000000..3a4cf3946
--- /dev/null
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Utils.php
@@ -0,0 +1,459 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GuzzleHttp\Psr7;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Message\StreamInterface;
+use Psr\Http\Message\UriInterface;
+
+final class Utils
+{
+    /**
+     * Remove the items given by the keys, case insensitively from the data.
+     *
+     * @param string[] $keys
+     */
+    public static function caselessRemove(array $keys, array $data): array
+    {
+        $result = [];
+
+        foreach ($keys as &$key) {
+            $key = strtolower($key);
+        }
+
+        foreach ($data as $k => $v) {
+            if (!is_string($k) || !in_array(strtolower($k), $keys)) {
+                $result[$k] = $v;
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * Copy the contents of a stream into another stream until the given number
+     * of bytes have been read.
+     *
+     * @param StreamInterface $source Stream to read from
+     * @param StreamInterface $dest   Stream to write to
+     * @param int             $maxLen Maximum number of bytes to read. Pass -1
+     *                                to read the entire stream.
+     *
+     * @throws \RuntimeException on error.
+     */
+    public static function copyToStream(StreamInterface $source, StreamInterface $dest, int $maxLen = -1): void
+    {
+        $bufferSize = 8192;
+
+        if ($maxLen === -1) {
+            while (!$source->eof()) {
+                if (!$dest->write($source->read($bufferSize))) {
+                    break;
+                }
+            }
+        } else {
+            $remaining = $maxLen;
+            while ($remaining > 0 && !$source->eof()) {
+                $buf = $source->read(min($bufferSize, $remaining));
+                $len = strlen($buf);
+                if (!$len) {
+                    break;
+                }
+                $remaining -= $len;
+                $dest->write($buf);
+            }
+        }
+    }
+
+    /**
+     * Copy the contents of a stream into a string until the given number of
+     * bytes have been read.
+     *
+     * @param StreamInterface $stream Stream to read
+     * @param int             $maxLen Maximum number of bytes to read. Pass -1
+     *                                to read the entire stream.
+     *
+     * @throws \RuntimeException on error.
+     */
+    public static function copyToString(StreamInterface $stream, int $maxLen = -1): string
+    {
+        $buffer = '';
+
+        if ($maxLen === -1) {
+            while (!$stream->eof()) {
+                $buf = $stream->read(1048576);
+                if ($buf === '') {
+                    break;
+                }
+                $buffer .= $buf;
+            }
+            return $buffer;
+        }
+
+        $len = 0;
+        while (!$stream->eof() && $len < $maxLen) {
+            $buf = $stream->read($maxLen - $len);
+            if ($buf === '') {
+                break;
+            }
+            $buffer .= $buf;
+            $len = strlen($buffer);
+        }
+
+        return $buffer;
+    }
+
+    /**
+     * Calculate a hash of a stream.
+     *
+     * This method reads the entire stream to calculate a rolling hash, based
+     * on PHP's `hash_init` functions.
+     *
+     * @param StreamInterface $stream    Stream to calculate the hash for
+     * @param string          $algo      Hash algorithm (e.g. md5, crc32, etc)
+     * @param bool            $rawOutput Whether or not to use raw output
+     *
+     * @throws \RuntimeException on error.
+     */
+    public static function hash(StreamInterface $stream, string $algo, bool $rawOutput = false): string
+    {
+        $pos = $stream->tell();
+
+        if ($pos > 0) {
+            $stream->rewind();
+        }
+
+        $ctx = hash_init($algo);
+        while (!$stream->eof()) {
+            hash_update($ctx, $stream->read(1048576));
+        }
+
+        $out = hash_final($ctx, $rawOutput);
+        $stream->seek($pos);
+
+        return $out;
+    }
+
+    /**
+     * Clone and modify a request with the given changes.
+     *
+     * This method is useful for reducing the number of clones needed to mutate
+     * a message.
+     *
+     * The changes can be one of:
+     * - method: (string) Changes the HTTP method.
+     * - set_headers: (array) Sets the given headers.
+     * - remove_headers: (array) Remove the given headers.
+     * - body: (mixed) Sets the given body.
+     * - uri: (UriInterface) Set the URI.
+     * - query: (string) Set the query string value of the URI.
+     * - version: (string) Set the protocol version.
+     *
+     * @param RequestInterface $request Request to clone and modify.
+     * @param array            $changes Changes to apply.
+     */
+    public static function modifyRequest(RequestInterface $request, array $changes): RequestInterface
+    {
+        if (!$changes) {
+            return $request;
+        }
+
+        $headers = $request->getHeaders();
+
+        if (!isset($changes['uri'])) {
+            $uri = $request->getUri();
+        } else {
+            // Remove the host header if one is on the URI
+            if ($host = $changes['uri']->getHost()) {
+                $changes['set_headers']['Host'] = $host;
+
+                if ($port = $changes['uri']->getPort()) {
+                    $standardPorts = ['http' => 80, 'https' => 443];
+                    $scheme = $changes['uri']->getScheme();
+                    if (isset($standardPorts[$scheme]) && $port != $standardPorts[$scheme]) {
+                        $changes['set_headers']['Host'] .= ':' . $port;
+                    }
+                }
+            }
+            $uri = $changes['uri'];
+        }
+
+        if (!empty($changes['remove_headers'])) {
+            $headers = self::caselessRemove($changes['remove_headers'], $headers);
+        }
+
+        if (!empty($changes['set_headers'])) {
+            $headers = self::caselessRemove(array_keys($changes['set_headers']), $headers);
+            $headers = $changes['set_headers'] + $headers;
+        }
+
+        if (isset($changes['query'])) {
+            $uri = $uri->withQuery($changes['query']);
+        }
+
+        if ($request instanceof ServerRequestInterface) {
+            $new = (new ServerRequest(
+                $changes['method'] ?? $request->getMethod(),
+                $uri,
+                $headers,
+                $changes['body'] ?? $request->getBody(),
+                $changes['version'] ?? $request->getProtocolVersion(),
+                $request->getServerParams()
+            ))
+            ->withParsedBody($request->getParsedBody())
+            ->withQueryParams($request->getQueryParams())
+            ->withCookieParams($request->getCookieParams())
+            ->withUploadedFiles($request->getUploadedFiles());
+
+            foreach ($request->getAttributes() as $key => $value) {
+                $new = $new->withAttribute($key, $value);
+            }
+
+            return $new;
+        }
+
+        return new Request(
+            $changes['method'] ?? $request->getMethod(),
+            $uri,
+            $headers,
+            $changes['body'] ?? $request->getBody(),
+            $changes['version'] ?? $request->getProtocolVersion()
+        );
+    }
+
+    /**
+     * Read a line from the stream up to the maximum allowed buffer length.
+     *
+     * @param StreamInterface $stream    Stream to read from
+     * @param int|null        $maxLength Maximum buffer length
+     */
+    public static function readLine(StreamInterface $stream, ?int $maxLength = null): string
+    {
+        $buffer = '';
+        $size = 0;
+
+        while (!$stream->eof()) {
+            if ('' === ($byte = $stream->read(1))) {
+                return $buffer;
+            }
+            $buffer .= $byte;
+            // Break when a new line is found or the max length - 1 is reached
+            if ($byte === "\n" || ++$size === $maxLength - 1) {
+                break;
+            }
+        }
+
+        return $buffer;
+    }
+
+    /**
+     * Create a new stream based on the input type.
+     *
+     * Options is an associative array that can contain the following keys:
+     * - metadata: Array of custom metadata.
+     * - size: Size of the stream.
+     *
+     * This method accepts the following `$resource` types:
+     * - `Psr\Http\Message\StreamInterface`: Returns the value as-is.
+     * - `string`: Creates a stream object that uses the given string as the contents.
+     * - `resource`: Creates a stream object that wraps the given PHP stream resource.
+     * - `Iterator`: If the provided value implements `Iterator`, then a read-only
+     *   stream object will be created that wraps the given iterable. Each time the
+     *   stream is read from, data from the iterator will fill a buffer and will be
+     *   continuously called until the buffer is equal to the requested read size.
+     *   Subsequent read calls will first read from the buffer and then call `next`
+     *   on the underlying iterator until it is exhausted.
+     * - `object` with `__toString()`: If the object has the `__toString()` method,
+     *   the object will be cast to a string and then a stream will be returned that
+     *   uses the string value.
+     * - `NULL`: When `null` is passed, an empty stream object is returned.
+     * - `callable` When a callable is passed, a read-only stream object will be
+     *   created that invokes the given callable. The callable is invoked with the
+     *   number of suggested bytes to read. The callable can return any number of
+     *   bytes, but MUST return `false` when there is no more data to return. The
+     *   stream object that wraps the callable will invoke the callable until the
+     *   number of requested bytes are available. Any additional bytes will be
+     *   buffered and used in subsequent reads.
+     *
+     * @param resource|string|int|float|bool|StreamInterface|callable|\Iterator|null $resource Entity body data
+     * @param array{size?: int, metadata?: array}                                    $options  Additional options
+     *
+     * @throws \InvalidArgumentException if the $resource arg is not valid.
+     */
+    public static function streamFor($resource = '', array $options = []): StreamInterface
+    {
+        if (is_scalar($resource)) {
+            $stream = self::tryFopen('php://temp', 'r+');
+            if ($resource !== '') {
+                fwrite($stream, (string) $resource);
+                fseek($stream, 0);
+            }
+            return new Stream($stream, $options);
+        }
+
+        switch (gettype($resource)) {
+            case 'resource':
+                /*
+                 * The 'php://input' is a special stream with quirks and inconsistencies.
+                 * We avoid using that stream by reading it into php://temp
+                 */
+
+                /** @var resource $resource */
+                if ((\stream_get_meta_data($resource)['uri'] ?? '') === 'php://input') {
+                    $stream = self::tryFopen('php://temp', 'w+');
+                    stream_copy_to_stream($resource, $stream);
+                    fseek($stream, 0);
+                    $resource = $stream;
+                }
+                return new Stream($resource, $options);
+            case 'object':
+                /** @var object $resource */
+                if ($resource instanceof StreamInterface) {
+                    return $resource;
+                } elseif ($resource instanceof \Iterator) {
+                    return new PumpStream(function () use ($resource) {
+                        if (!$resource->valid()) {
+                            return false;
+                        }
+                        $result = $resource->current();
+                        $resource->next();
+                        return $result;
+                    }, $options);
+                } elseif (method_exists($resource, '__toString')) {
+                    return self::streamFor((string) $resource, $options);
+                }
+                break;
+            case 'NULL':
+                return new Stream(self::tryFopen('php://temp', 'r+'), $options);
+        }
+
+        if (is_callable($resource)) {
+            return new PumpStream($resource, $options);
+        }
+
+        throw new \InvalidArgumentException('Invalid resource type: ' . gettype($resource));
+    }
+
+    /**
+     * Safely opens a PHP stream resource using a filename.
+     *
+     * When fopen fails, PHP normally raises a warning. This function adds an
+     * error handler that checks for errors and throws an exception instead.
+     *
+     * @param string $filename File to open
+     * @param string $mode     Mode used to open the file
+     *
+     * @return resource
+     *
+     * @throws \RuntimeException if the file cannot be opened
+     */
+    public static function tryFopen(string $filename, string $mode)
+    {
+        $ex = null;
+        set_error_handler(static function (int $errno, string $errstr) use ($filename, $mode, &$ex): bool {
+            $ex = new \RuntimeException(sprintf(
+                'Unable to open "%s" using mode "%s": %s',
+                $filename,
+                $mode,
+                $errstr
+            ));
+
+            return true;
+        });
+
+        try {
+            /** @var resource $handle */
+            $handle = fopen($filename, $mode);
+        } catch (\Throwable $e) {
+            $ex = new \RuntimeException(sprintf(
+                'Unable to open "%s" using mode "%s": %s',
+                $filename,
+                $mode,
+                $e->getMessage()
+            ), 0, $e);
+        }
+
+        restore_error_handler();
+
+        if ($ex) {
+            /** @var $ex \RuntimeException */
+            throw $ex;
+        }
+
+        return $handle;
+    }
+
+    /**
+     * Safely gets the contents of a given stream.
+     *
+     * When stream_get_contents fails, PHP normally raises a warning. This
+     * function adds an error handler that checks for errors and throws an
+     * exception instead.
+     *
+     * @param resource $stream
+     *
+     * @throws \RuntimeException if the stream cannot be read
+     */
+    public static function tryGetContents($stream): string
+    {
+        $ex = null;
+        set_error_handler(static function (int $errno, string $errstr) use (&$ex): bool {
+            $ex = new \RuntimeException(sprintf(
+                'Unable to read stream contents: %s',
+                $errstr
+            ));
+
+            return true;
+        });
+
+        try {
+            /** @var string|false $contents */
+            $contents = stream_get_contents($stream);
+
+            if ($contents === false) {
+                $ex = new \RuntimeException('Unable to read stream contents');
+            }
+        } catch (\Throwable $e) {
+            $ex = new \RuntimeException(sprintf(
+                'Unable to read stream contents: %s',
+                $e->getMessage()
+            ), 0, $e);
+        }
+
+        restore_error_handler();
+
+        if ($ex) {
+            /** @var $ex \RuntimeException */
+            throw $ex;
+        }
+
+        return $contents;
+    }
+
+    /**
+     * Returns a UriInterface for the given value.
+     *
+     * This function accepts a string or UriInterface and returns a
+     * UriInterface for the given value. If the value is already a
+     * UriInterface, it is returned as-is.
+     *
+     * @param string|UriInterface $uri
+     *
+     * @throws \InvalidArgumentException
+     */
+    public static function uriFor($uri): UriInterface
+    {
+        if ($uri instanceof UriInterface) {
+            return $uri;
+        }
+
+        if (is_string($uri)) {
+            return new Uri($uri);
+        }
+
+        throw new \InvalidArgumentException('URI must be a string or UriInterface');
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/LICENSE b/data/web/inc/lib/vendor/league/oauth2-client/LICENSE
new file mode 100644
index 000000000..7dfa39b7c
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013-2020 Alex Bilbie <hello@alexbilbie.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/README.md b/data/web/inc/lib/vendor/league/oauth2-client/README.md
new file mode 100644
index 000000000..f35d53e8a
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/README.md
@@ -0,0 +1,58 @@
+# OAuth 2.0 Client
+
+This package provides a base for integrating with [OAuth 2.0](http://oauth.net/2/) service providers.
+
+[![Gitter Chat](https://img.shields.io/badge/gitter-join_chat-brightgreen.svg?style=flat-square)](https://gitter.im/thephpleague/oauth2-client)
+[![Source Code](https://img.shields.io/badge/source-thephpleague/oauth2--client-blue.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client)
+[![Latest Version](https://img.shields.io/github/release/thephpleague/oauth2-client.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client/releases)
+[![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client/blob/master/LICENSE)
+[![Build Status](https://img.shields.io/github/workflow/status/thephpleague/oauth2-client/CI?label=CI&logo=github&style=flat-square)](https://github.com/thephpleague/oauth2-client/actions?query=workflow%3ACI)
+[![Codecov Code Coverage](https://img.shields.io/codecov/c/gh/thephpleague/oauth2-client?label=codecov&logo=codecov&style=flat-square)](https://codecov.io/gh/thephpleague/oauth2-client)
+[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-client.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-client)
+
+---
+
+The OAuth 2.0 login flow, seen commonly around the web in the form of "Connect with Facebook/Google/etc." buttons, is a common integration added to web applications, but it can be tricky and tedious to do right. To help, we've created the `league/oauth2-client` package, which provides a base for integrating with various OAuth 2.0 providers, without overburdening your application with the concerns of [RFC 6749](http://tools.ietf.org/html/rfc6749).
+
+This OAuth 2.0 client library will work with any OAuth 2.0 provider that conforms to the OAuth 2.0 Authorization Framework. Out-of-the-box, we provide a `GenericProvider` class to connect to any service provider that uses [Bearer tokens](http://tools.ietf.org/html/rfc6750). See our [basic usage guide](https://oauth2-client.thephpleague.com/usage/) for examples using `GenericProvider`.
+
+Many service providers provide additional functionality above and beyond the OAuth 2.0 specification. For this reason, you may extend and wrap this library to support additional behavior. There are already many [official](https://oauth2-client.thephpleague.com/providers/league/) and [third-party](https://oauth2-client.thephpleague.com/providers/thirdparty/) provider clients available (e.g., Facebook, GitHub, Google, Instagram, LinkedIn, etc.). If your provider isn't in the list, feel free to add it.
+
+This package is compliant with [PSR-1][], [PSR-2][], [PSR-4][], and [PSR-7][]. If you notice compliance oversights, please send a patch via pull request. If you're interested in contributing to this library, please take a look at our [contributing guidelines](https://github.com/thephpleague/oauth2-client/blob/master/CONTRIBUTING.md).
+
+## Requirements
+
+We support the following versions of PHP:
+
+* PHP 8.1
+* PHP 8.0
+* PHP 7.4
+* PHP 7.3
+* PHP 7.2
+* PHP 7.1
+* PHP 7.0
+* PHP 5.6
+
+## Provider Clients
+
+We provide a list of [official PHP League provider clients](https://oauth2-client.thephpleague.com/providers/league/), as well as [third-party provider clients](https://oauth2-client.thephpleague.com/providers/thirdparty/).
+
+To build your own provider client, please refer to "[Implementing a Provider Client](https://oauth2-client.thephpleague.com/providers/implementing/)."
+
+## Usage
+
+For usage and code examples, check out our [basic usage guide](https://oauth2-client.thephpleague.com/usage/).
+
+## Contributing
+
+Please see [our contributing guidelines](https://github.com/thephpleague/oauth2-client/blob/master/CONTRIBUTING.md) for details.
+
+## License
+
+The MIT License (MIT). Please see [LICENSE](https://github.com/thephpleague/oauth2-client/blob/master/LICENSE) for more information.
+
+
+[PSR-1]: https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-1-basic-coding-standard.md
+[PSR-2]: https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md
+[PSR-4]: https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-4-autoloader.md
+[PSR-7]: https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-7-http-message.md
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/composer.json b/data/web/inc/lib/vendor/league/oauth2-client/composer.json
new file mode 100644
index 000000000..59201f48f
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/composer.json
@@ -0,0 +1,58 @@
+{
+    "name": "league/oauth2-client",
+    "description": "OAuth 2.0 Client Library",
+    "license": "MIT",
+    "config": {
+        "sort-packages": true
+    },
+    "require": {
+        "php": "^5.6 || ^7.0 || ^8.0",
+        "guzzlehttp/guzzle": "^6.0 || ^7.0",
+        "paragonie/random_compat": "^1 || ^2 || ^9.99"
+    },
+    "require-dev": {
+        "mockery/mockery": "^1.3.5",
+        "php-parallel-lint/php-parallel-lint": "^1.3.1",
+        "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5",
+        "squizlabs/php_codesniffer": "^2.3 || ^3.0"
+    },
+    "keywords": [
+        "oauth",
+        "oauth2",
+        "authorization",
+        "authentication",
+        "idp",
+        "identity",
+        "sso",
+        "single sign on"
+    ],
+    "authors": [
+        {
+            "name": "Alex Bilbie",
+            "email": "hello@alexbilbie.com",
+            "homepage": "http://www.alexbilbie.com",
+            "role": "Developer"
+        },
+        {
+            "name": "Woody Gilk",
+            "homepage": "https://github.com/shadowhand",
+            "role": "Contributor"
+        }
+
+    ],
+    "autoload": {
+        "psr-4": {
+            "League\\OAuth2\\Client\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "League\\OAuth2\\Client\\Test\\": "test/src/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-2.x": "2.0.x-dev"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AbstractGrant.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AbstractGrant.php
new file mode 100644
index 000000000..2c0244ba3
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AbstractGrant.php
@@ -0,0 +1,80 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant;
+
+use League\OAuth2\Client\Tool\RequiredParameterTrait;
+
+/**
+ * Represents a type of authorization grant.
+ *
+ * An authorization grant is a credential representing the resource
+ * owner's authorization (to access its protected resources) used by the
+ * client to obtain an access token.  OAuth 2.0 defines four
+ * grant types -- authorization code, implicit, resource owner password
+ * credentials, and client credentials -- as well as an extensibility
+ * mechanism for defining additional types.
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-1.3 Authorization Grant (RFC 6749, §1.3)
+ */
+abstract class AbstractGrant
+{
+    use RequiredParameterTrait;
+
+    /**
+     * Returns the name of this grant, eg. 'grant_name', which is used as the
+     * grant type when encoding URL query parameters.
+     *
+     * @return string
+     */
+    abstract protected function getName();
+
+    /**
+     * Returns a list of all required request parameters.
+     *
+     * @return array
+     */
+    abstract protected function getRequiredRequestParameters();
+
+    /**
+     * Returns this grant's name as its string representation. This allows for
+     * string interpolation when building URL query parameters.
+     *
+     * @return string
+     */
+    public function __toString()
+    {
+        return $this->getName();
+    }
+
+    /**
+     * Prepares an access token request's parameters by checking that all
+     * required parameters are set, then merging with any given defaults.
+     *
+     * @param  array $defaults
+     * @param  array $options
+     * @return array
+     */
+    public function prepareRequestParameters(array $defaults, array $options)
+    {
+        $defaults['grant_type'] = $this->getName();
+
+        $required = $this->getRequiredRequestParameters();
+        $provided = array_merge($defaults, $options);
+
+        $this->checkRequiredParameters($required, $provided);
+
+        return $provided;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AuthorizationCode.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AuthorizationCode.php
new file mode 100644
index 000000000..c49460c02
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/AuthorizationCode.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant;
+
+/**
+ * Represents an authorization code grant.
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-1.3.1 Authorization Code (RFC 6749, §1.3.1)
+ */
+class AuthorizationCode extends AbstractGrant
+{
+    /**
+     * @inheritdoc
+     */
+    protected function getName()
+    {
+        return 'authorization_code';
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getRequiredRequestParameters()
+    {
+        return [
+            'code',
+        ];
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/ClientCredentials.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/ClientCredentials.php
new file mode 100644
index 000000000..dc78c4fda
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/ClientCredentials.php
@@ -0,0 +1,39 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant;
+
+/**
+ * Represents a client credentials grant.
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-1.3.4 Client Credentials (RFC 6749, §1.3.4)
+ */
+class ClientCredentials extends AbstractGrant
+{
+    /**
+     * @inheritdoc
+     */
+    protected function getName()
+    {
+        return 'client_credentials';
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getRequiredRequestParameters()
+    {
+        return [];
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Exception/InvalidGrantException.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Exception/InvalidGrantException.php
new file mode 100644
index 000000000..c3c4e677b
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Exception/InvalidGrantException.php
@@ -0,0 +1,26 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant\Exception;
+
+use InvalidArgumentException;
+
+/**
+ * Exception thrown if the grant does not extend from AbstractGrant.
+ *
+ * @see League\OAuth2\Client\Grant\AbstractGrant
+ */
+class InvalidGrantException extends InvalidArgumentException
+{
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/GrantFactory.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/GrantFactory.php
new file mode 100644
index 000000000..71990e83d
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/GrantFactory.php
@@ -0,0 +1,104 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant;
+
+use League\OAuth2\Client\Grant\Exception\InvalidGrantException;
+
+/**
+ * Represents a factory used when retrieving an authorization grant type.
+ */
+class GrantFactory
+{
+    /**
+     * @var array
+     */
+    protected $registry = [];
+
+    /**
+     * Defines a grant singleton in the registry.
+     *
+     * @param  string $name
+     * @param  AbstractGrant $grant
+     * @return self
+     */
+    public function setGrant($name, AbstractGrant $grant)
+    {
+        $this->registry[$name] = $grant;
+
+        return $this;
+    }
+
+    /**
+     * Returns a grant singleton by name.
+     *
+     * If the grant has not be registered, a default grant will be loaded.
+     *
+     * @param  string $name
+     * @return AbstractGrant
+     */
+    public function getGrant($name)
+    {
+        if (empty($this->registry[$name])) {
+            $this->registerDefaultGrant($name);
+        }
+
+        return $this->registry[$name];
+    }
+
+    /**
+     * Registers a default grant singleton by name.
+     *
+     * @param  string $name
+     * @return self
+     */
+    protected function registerDefaultGrant($name)
+    {
+        // PascalCase the grant. E.g: 'authorization_code' becomes 'AuthorizationCode'
+        $class = str_replace(' ', '', ucwords(str_replace(['-', '_'], ' ', $name)));
+        $class = 'League\\OAuth2\\Client\\Grant\\' . $class;
+
+        $this->checkGrant($class);
+
+        return $this->setGrant($name, new $class);
+    }
+
+    /**
+     * Determines if a variable is a valid grant.
+     *
+     * @param  mixed $class
+     * @return boolean
+     */
+    public function isGrant($class)
+    {
+        return is_subclass_of($class, AbstractGrant::class);
+    }
+
+    /**
+     * Checks if a variable is a valid grant.
+     *
+     * @throws InvalidGrantException
+     * @param  mixed $class
+     * @return void
+     */
+    public function checkGrant($class)
+    {
+        if (!$this->isGrant($class)) {
+            throw new InvalidGrantException(sprintf(
+                'Grant "%s" must extend AbstractGrant',
+                is_object($class) ? get_class($class) : $class
+            ));
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Password.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Password.php
new file mode 100644
index 000000000..6543b2ebd
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/Password.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant;
+
+/**
+ * Represents a resource owner password credentials grant.
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-1.3.3 Resource Owner Password Credentials (RFC 6749, §1.3.3)
+ */
+class Password extends AbstractGrant
+{
+    /**
+     * @inheritdoc
+     */
+    protected function getName()
+    {
+        return 'password';
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getRequiredRequestParameters()
+    {
+        return [
+            'username',
+            'password',
+        ];
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/RefreshToken.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/RefreshToken.php
new file mode 100644
index 000000000..819218230
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Grant/RefreshToken.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Grant;
+
+/**
+ * Represents a refresh token grant.
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-6 Refreshing an Access Token (RFC 6749, §6)
+ */
+class RefreshToken extends AbstractGrant
+{
+    /**
+     * @inheritdoc
+     */
+    protected function getName()
+    {
+        return 'refresh_token';
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getRequiredRequestParameters()
+    {
+        return [
+            'refresh_token',
+        ];
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/HttpBasicAuthOptionProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/HttpBasicAuthOptionProvider.php
new file mode 100644
index 000000000..3da406568
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/HttpBasicAuthOptionProvider.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\OptionProvider;
+
+use InvalidArgumentException;
+
+/**
+ * Add http basic auth into access token request options
+ * @link https://tools.ietf.org/html/rfc6749#section-2.3.1
+ */
+class HttpBasicAuthOptionProvider extends PostAuthOptionProvider
+{
+    /**
+     * @inheritdoc
+     */
+    public function getAccessTokenOptions($method, array $params)
+    {
+        if (empty($params['client_id']) || empty($params['client_secret'])) {
+            throw new InvalidArgumentException('clientId and clientSecret are required for http basic auth');
+        }
+
+        $encodedCredentials = base64_encode(sprintf('%s:%s', $params['client_id'], $params['client_secret']));
+        unset($params['client_id'], $params['client_secret']);
+
+        $options = parent::getAccessTokenOptions($method, $params);
+        $options['headers']['Authorization'] = 'Basic ' . $encodedCredentials;
+
+        return $options;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/OptionProviderInterface.php b/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/OptionProviderInterface.php
new file mode 100644
index 000000000..1126d25aa
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/OptionProviderInterface.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\OptionProvider;
+
+/**
+ * Interface for access token options provider
+ */
+interface OptionProviderInterface
+{
+    /**
+     * Builds request options used for requesting an access token.
+     *
+     * @param string $method
+     * @param  array $params
+     * @return array
+     */
+    public function getAccessTokenOptions($method, array $params);
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/PostAuthOptionProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/PostAuthOptionProvider.php
new file mode 100644
index 000000000..12d920ecf
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/OptionProvider/PostAuthOptionProvider.php
@@ -0,0 +1,51 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\OptionProvider;
+
+use League\OAuth2\Client\Provider\AbstractProvider;
+use League\OAuth2\Client\Tool\QueryBuilderTrait;
+
+/**
+ * Provide options for access token
+ */
+class PostAuthOptionProvider implements OptionProviderInterface
+{
+    use QueryBuilderTrait;
+
+    /**
+     * @inheritdoc
+     */
+    public function getAccessTokenOptions($method, array $params)
+    {
+        $options = ['headers' => ['content-type' => 'application/x-www-form-urlencoded']];
+
+        if ($method === AbstractProvider::METHOD_POST) {
+            $options['body'] = $this->getAccessTokenBody($params);
+        }
+
+        return $options;
+    }
+
+    /**
+     * Returns the request body for requesting an access token.
+     *
+     * @param  array $params
+     * @return string
+     */
+    protected function getAccessTokenBody(array $params)
+    {
+        return $this->buildQueryString($params);
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php
new file mode 100644
index 000000000..d1679998c
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php
@@ -0,0 +1,843 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Provider;
+
+use GuzzleHttp\Client as HttpClient;
+use GuzzleHttp\ClientInterface as HttpClientInterface;
+use GuzzleHttp\Exception\BadResponseException;
+use League\OAuth2\Client\Grant\AbstractGrant;
+use League\OAuth2\Client\Grant\GrantFactory;
+use League\OAuth2\Client\OptionProvider\OptionProviderInterface;
+use League\OAuth2\Client\OptionProvider\PostAuthOptionProvider;
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
+use League\OAuth2\Client\Token\AccessToken;
+use League\OAuth2\Client\Token\AccessTokenInterface;
+use League\OAuth2\Client\Tool\ArrayAccessorTrait;
+use League\OAuth2\Client\Tool\GuardedPropertyTrait;
+use League\OAuth2\Client\Tool\QueryBuilderTrait;
+use League\OAuth2\Client\Tool\RequestFactory;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+use UnexpectedValueException;
+
+/**
+ * Represents a service provider (authorization server).
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-1.1 Roles (RFC 6749, §1.1)
+ */
+abstract class AbstractProvider
+{
+    use ArrayAccessorTrait;
+    use GuardedPropertyTrait;
+    use QueryBuilderTrait;
+
+    /**
+     * @var string Key used in a token response to identify the resource owner.
+     */
+    const ACCESS_TOKEN_RESOURCE_OWNER_ID = null;
+
+    /**
+     * @var string HTTP method used to fetch access tokens.
+     */
+    const METHOD_GET = 'GET';
+
+    /**
+     * @var string HTTP method used to fetch access tokens.
+     */
+    const METHOD_POST = 'POST';
+
+    /**
+     * @var string
+     */
+    protected $clientId;
+
+    /**
+     * @var string
+     */
+    protected $clientSecret;
+
+    /**
+     * @var string
+     */
+    protected $redirectUri;
+
+    /**
+     * @var string
+     */
+    protected $state;
+
+    /**
+     * @var GrantFactory
+     */
+    protected $grantFactory;
+
+    /**
+     * @var RequestFactory
+     */
+    protected $requestFactory;
+
+    /**
+     * @var HttpClientInterface
+     */
+    protected $httpClient;
+
+    /**
+     * @var OptionProviderInterface
+     */
+    protected $optionProvider;
+
+    /**
+     * Constructs an OAuth 2.0 service provider.
+     *
+     * @param array $options An array of options to set on this provider.
+     *     Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
+     *     Individual providers may introduce more options, as needed.
+     * @param array $collaborators An array of collaborators that may be used to
+     *     override this provider's default behavior. Collaborators include
+     *     `grantFactory`, `requestFactory`, and `httpClient`.
+     *     Individual providers may introduce more collaborators, as needed.
+     */
+    public function __construct(array $options = [], array $collaborators = [])
+    {
+        // We'll let the GuardedPropertyTrait handle mass assignment of incoming
+        // options, skipping any blacklisted properties defined in the provider
+        $this->fillProperties($options);
+
+        if (empty($collaborators['grantFactory'])) {
+            $collaborators['grantFactory'] = new GrantFactory();
+        }
+        $this->setGrantFactory($collaborators['grantFactory']);
+
+        if (empty($collaborators['requestFactory'])) {
+            $collaborators['requestFactory'] = new RequestFactory();
+        }
+        $this->setRequestFactory($collaborators['requestFactory']);
+
+        if (empty($collaborators['httpClient'])) {
+            $client_options = $this->getAllowedClientOptions($options);
+
+            $collaborators['httpClient'] = new HttpClient(
+                array_intersect_key($options, array_flip($client_options))
+            );
+        }
+        $this->setHttpClient($collaborators['httpClient']);
+
+        if (empty($collaborators['optionProvider'])) {
+            $collaborators['optionProvider'] = new PostAuthOptionProvider();
+        }
+        $this->setOptionProvider($collaborators['optionProvider']);
+    }
+
+    /**
+     * Returns the list of options that can be passed to the HttpClient
+     *
+     * @param array $options An array of options to set on this provider.
+     *     Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
+     *     Individual providers may introduce more options, as needed.
+     * @return array The options to pass to the HttpClient constructor
+     */
+    protected function getAllowedClientOptions(array $options)
+    {
+        $client_options = ['timeout', 'proxy'];
+
+        // Only allow turning off ssl verification if it's for a proxy
+        if (!empty($options['proxy'])) {
+            $client_options[] = 'verify';
+        }
+
+        return $client_options;
+    }
+
+    /**
+     * Sets the grant factory instance.
+     *
+     * @param  GrantFactory $factory
+     * @return self
+     */
+    public function setGrantFactory(GrantFactory $factory)
+    {
+        $this->grantFactory = $factory;
+
+        return $this;
+    }
+
+    /**
+     * Returns the current grant factory instance.
+     *
+     * @return GrantFactory
+     */
+    public function getGrantFactory()
+    {
+        return $this->grantFactory;
+    }
+
+    /**
+     * Sets the request factory instance.
+     *
+     * @param  RequestFactory $factory
+     * @return self
+     */
+    public function setRequestFactory(RequestFactory $factory)
+    {
+        $this->requestFactory = $factory;
+
+        return $this;
+    }
+
+    /**
+     * Returns the request factory instance.
+     *
+     * @return RequestFactory
+     */
+    public function getRequestFactory()
+    {
+        return $this->requestFactory;
+    }
+
+    /**
+     * Sets the HTTP client instance.
+     *
+     * @param  HttpClientInterface $client
+     * @return self
+     */
+    public function setHttpClient(HttpClientInterface $client)
+    {
+        $this->httpClient = $client;
+
+        return $this;
+    }
+
+    /**
+     * Returns the HTTP client instance.
+     *
+     * @return HttpClientInterface
+     */
+    public function getHttpClient()
+    {
+        return $this->httpClient;
+    }
+
+    /**
+     * Sets the option provider instance.
+     *
+     * @param  OptionProviderInterface $provider
+     * @return self
+     */
+    public function setOptionProvider(OptionProviderInterface $provider)
+    {
+        $this->optionProvider = $provider;
+
+        return $this;
+    }
+
+    /**
+     * Returns the option provider instance.
+     *
+     * @return OptionProviderInterface
+     */
+    public function getOptionProvider()
+    {
+        return $this->optionProvider;
+    }
+
+    /**
+     * Returns the current value of the state parameter.
+     *
+     * This can be accessed by the redirect handler during authorization.
+     *
+     * @return string
+     */
+    public function getState()
+    {
+        return $this->state;
+    }
+
+    /**
+     * Returns the base URL for authorizing a client.
+     *
+     * Eg. https://oauth.service.com/authorize
+     *
+     * @return string
+     */
+    abstract public function getBaseAuthorizationUrl();
+
+    /**
+     * Returns the base URL for requesting an access token.
+     *
+     * Eg. https://oauth.service.com/token
+     *
+     * @param array $params
+     * @return string
+     */
+    abstract public function getBaseAccessTokenUrl(array $params);
+
+    /**
+     * Returns the URL for requesting the resource owner's details.
+     *
+     * @param AccessToken $token
+     * @return string
+     */
+    abstract public function getResourceOwnerDetailsUrl(AccessToken $token);
+
+    /**
+     * Returns a new random string to use as the state parameter in an
+     * authorization flow.
+     *
+     * @param  int $length Length of the random string to be generated.
+     * @return string
+     */
+    protected function getRandomState($length = 32)
+    {
+        // Converting bytes to hex will always double length. Hence, we can reduce
+        // the amount of bytes by half to produce the correct length.
+        return bin2hex(random_bytes($length / 2));
+    }
+
+    /**
+     * Returns the default scopes used by this provider.
+     *
+     * This should only be the scopes that are required to request the details
+     * of the resource owner, rather than all the available scopes.
+     *
+     * @return array
+     */
+    abstract protected function getDefaultScopes();
+
+    /**
+     * Returns the string that should be used to separate scopes when building
+     * the URL for requesting an access token.
+     *
+     * @return string Scope separator, defaults to ','
+     */
+    protected function getScopeSeparator()
+    {
+        return ',';
+    }
+
+    /**
+     * Returns authorization parameters based on provided options.
+     *
+     * @param  array $options
+     * @return array Authorization parameters
+     */
+    protected function getAuthorizationParameters(array $options)
+    {
+        if (empty($options['state'])) {
+            $options['state'] = $this->getRandomState();
+        }
+
+        if (empty($options['scope'])) {
+            $options['scope'] = $this->getDefaultScopes();
+        }
+
+        $options += [
+            'response_type'   => 'code',
+            'approval_prompt' => 'auto'
+        ];
+
+        if (is_array($options['scope'])) {
+            $separator = $this->getScopeSeparator();
+            $options['scope'] = implode($separator, $options['scope']);
+        }
+
+        // Store the state as it may need to be accessed later on.
+        $this->state = $options['state'];
+
+        // Business code layer might set a different redirect_uri parameter
+        // depending on the context, leave it as-is
+        if (!isset($options['redirect_uri'])) {
+            $options['redirect_uri'] = $this->redirectUri;
+        }
+
+        $options['client_id'] = $this->clientId;
+
+        return $options;
+    }
+
+    /**
+     * Builds the authorization URL's query string.
+     *
+     * @param  array $params Query parameters
+     * @return string Query string
+     */
+    protected function getAuthorizationQuery(array $params)
+    {
+        return $this->buildQueryString($params);
+    }
+
+    /**
+     * Builds the authorization URL.
+     *
+     * @param  array $options
+     * @return string Authorization URL
+     */
+    public function getAuthorizationUrl(array $options = [])
+    {
+        $base   = $this->getBaseAuthorizationUrl();
+        $params = $this->getAuthorizationParameters($options);
+        $query  = $this->getAuthorizationQuery($params);
+
+        return $this->appendQuery($base, $query);
+    }
+
+    /**
+     * Redirects the client for authorization.
+     *
+     * @param  array $options
+     * @param  callable|null $redirectHandler
+     * @return mixed
+     */
+    public function authorize(
+        array $options = [],
+        callable $redirectHandler = null
+    ) {
+        $url = $this->getAuthorizationUrl($options);
+        if ($redirectHandler) {
+            return $redirectHandler($url, $this);
+        }
+
+        // @codeCoverageIgnoreStart
+        header('Location: ' . $url);
+        exit;
+        // @codeCoverageIgnoreEnd
+    }
+
+    /**
+     * Appends a query string to a URL.
+     *
+     * @param  string $url The URL to append the query to
+     * @param  string $query The HTTP query string
+     * @return string The resulting URL
+     */
+    protected function appendQuery($url, $query)
+    {
+        $query = trim($query, '?&');
+
+        if ($query) {
+            $glue = strstr($url, '?') === false ? '?' : '&';
+            return $url . $glue . $query;
+        }
+
+        return $url;
+    }
+
+    /**
+     * Returns the method to use when requesting an access token.
+     *
+     * @return string HTTP method
+     */
+    protected function getAccessTokenMethod()
+    {
+        return self::METHOD_POST;
+    }
+
+    /**
+     * Returns the key used in the access token response to identify the resource owner.
+     *
+     * @return string|null Resource owner identifier key
+     */
+    protected function getAccessTokenResourceOwnerId()
+    {
+        return static::ACCESS_TOKEN_RESOURCE_OWNER_ID;
+    }
+
+    /**
+     * Builds the access token URL's query string.
+     *
+     * @param  array $params Query parameters
+     * @return string Query string
+     */
+    protected function getAccessTokenQuery(array $params)
+    {
+        return $this->buildQueryString($params);
+    }
+
+    /**
+     * Checks that a provided grant is valid, or attempts to produce one if the
+     * provided grant is a string.
+     *
+     * @param  AbstractGrant|string $grant
+     * @return AbstractGrant
+     */
+    protected function verifyGrant($grant)
+    {
+        if (is_string($grant)) {
+            return $this->grantFactory->getGrant($grant);
+        }
+
+        $this->grantFactory->checkGrant($grant);
+        return $grant;
+    }
+
+    /**
+     * Returns the full URL to use when requesting an access token.
+     *
+     * @param array $params Query parameters
+     * @return string
+     */
+    protected function getAccessTokenUrl(array $params)
+    {
+        $url = $this->getBaseAccessTokenUrl($params);
+
+        if ($this->getAccessTokenMethod() === self::METHOD_GET) {
+            $query = $this->getAccessTokenQuery($params);
+            return $this->appendQuery($url, $query);
+        }
+
+        return $url;
+    }
+
+    /**
+     * Returns a prepared request for requesting an access token.
+     *
+     * @param array $params Query string parameters
+     * @return RequestInterface
+     */
+    protected function getAccessTokenRequest(array $params)
+    {
+        $method  = $this->getAccessTokenMethod();
+        $url     = $this->getAccessTokenUrl($params);
+        $options = $this->optionProvider->getAccessTokenOptions($this->getAccessTokenMethod(), $params);
+
+        return $this->getRequest($method, $url, $options);
+    }
+
+    /**
+     * Requests an access token using a specified grant and option set.
+     *
+     * @param  mixed $grant
+     * @param  array $options
+     * @throws IdentityProviderException
+     * @return AccessTokenInterface
+     */
+    public function getAccessToken($grant, array $options = [])
+    {
+        $grant = $this->verifyGrant($grant);
+
+        $params = [
+            'client_id'     => $this->clientId,
+            'client_secret' => $this->clientSecret,
+            'redirect_uri'  => $this->redirectUri,
+        ];
+
+        $params   = $grant->prepareRequestParameters($params, $options);
+        $request  = $this->getAccessTokenRequest($params);
+        $response = $this->getParsedResponse($request);
+        if (false === is_array($response)) {
+            throw new UnexpectedValueException(
+                'Invalid response received from Authorization Server. Expected JSON.'
+            );
+        }
+        $prepared = $this->prepareAccessTokenResponse($response);
+        $token    = $this->createAccessToken($prepared, $grant);
+
+        return $token;
+    }
+
+    /**
+     * Returns a PSR-7 request instance that is not authenticated.
+     *
+     * @param  string $method
+     * @param  string $url
+     * @param  array $options
+     * @return RequestInterface
+     */
+    public function getRequest($method, $url, array $options = [])
+    {
+        return $this->createRequest($method, $url, null, $options);
+    }
+
+    /**
+     * Returns an authenticated PSR-7 request instance.
+     *
+     * @param  string $method
+     * @param  string $url
+     * @param  AccessTokenInterface|string $token
+     * @param  array $options Any of "headers", "body", and "protocolVersion".
+     * @return RequestInterface
+     */
+    public function getAuthenticatedRequest($method, $url, $token, array $options = [])
+    {
+        return $this->createRequest($method, $url, $token, $options);
+    }
+
+    /**
+     * Creates a PSR-7 request instance.
+     *
+     * @param  string $method
+     * @param  string $url
+     * @param  AccessTokenInterface|string|null $token
+     * @param  array $options
+     * @return RequestInterface
+     */
+    protected function createRequest($method, $url, $token, array $options)
+    {
+        $defaults = [
+            'headers' => $this->getHeaders($token),
+        ];
+
+        $options = array_merge_recursive($defaults, $options);
+        $factory = $this->getRequestFactory();
+
+        return $factory->getRequestWithOptions($method, $url, $options);
+    }
+
+    /**
+     * Sends a request instance and returns a response instance.
+     *
+     * WARNING: This method does not attempt to catch exceptions caused by HTTP
+     * errors! It is recommended to wrap this method in a try/catch block.
+     *
+     * @param  RequestInterface $request
+     * @return ResponseInterface
+     */
+    public function getResponse(RequestInterface $request)
+    {
+        return $this->getHttpClient()->send($request);
+    }
+
+    /**
+     * Sends a request and returns the parsed response.
+     *
+     * @param  RequestInterface $request
+     * @throws IdentityProviderException
+     * @return mixed
+     */
+    public function getParsedResponse(RequestInterface $request)
+    {
+        try {
+            $response = $this->getResponse($request);
+        } catch (BadResponseException $e) {
+            $response = $e->getResponse();
+        }
+
+        $parsed = $this->parseResponse($response);
+
+        $this->checkResponse($response, $parsed);
+
+        return $parsed;
+    }
+
+    /**
+     * Attempts to parse a JSON response.
+     *
+     * @param  string $content JSON content from response body
+     * @return array Parsed JSON data
+     * @throws UnexpectedValueException if the content could not be parsed
+     */
+    protected function parseJson($content)
+    {
+        $content = json_decode($content, true);
+
+        if (json_last_error() !== JSON_ERROR_NONE) {
+            throw new UnexpectedValueException(sprintf(
+                "Failed to parse JSON response: %s",
+                json_last_error_msg()
+            ));
+        }
+
+        return $content;
+    }
+
+    /**
+     * Returns the content type header of a response.
+     *
+     * @param  ResponseInterface $response
+     * @return string Semi-colon separated join of content-type headers.
+     */
+    protected function getContentType(ResponseInterface $response)
+    {
+        return join(';', (array) $response->getHeader('content-type'));
+    }
+
+    /**
+     * Parses the response according to its content-type header.
+     *
+     * @throws UnexpectedValueException
+     * @param  ResponseInterface $response
+     * @return array
+     */
+    protected function parseResponse(ResponseInterface $response)
+    {
+        $content = (string) $response->getBody();
+        $type = $this->getContentType($response);
+
+        if (strpos($type, 'urlencoded') !== false) {
+            parse_str($content, $parsed);
+            return $parsed;
+        }
+
+        // Attempt to parse the string as JSON regardless of content type,
+        // since some providers use non-standard content types. Only throw an
+        // exception if the JSON could not be parsed when it was expected to.
+        try {
+            return $this->parseJson($content);
+        } catch (UnexpectedValueException $e) {
+            if (strpos($type, 'json') !== false) {
+                throw $e;
+            }
+
+            if ($response->getStatusCode() == 500) {
+                throw new UnexpectedValueException(
+                    'An OAuth server error was encountered that did not contain a JSON body',
+                    0,
+                    $e
+                );
+            }
+
+            return $content;
+        }
+    }
+
+    /**
+     * Checks a provider response for errors.
+     *
+     * @throws IdentityProviderException
+     * @param  ResponseInterface $response
+     * @param  array|string $data Parsed response data
+     * @return void
+     */
+    abstract protected function checkResponse(ResponseInterface $response, $data);
+
+    /**
+     * Prepares an parsed access token response for a grant.
+     *
+     * Custom mapping of expiration, etc should be done here. Always call the
+     * parent method when overloading this method.
+     *
+     * @param  mixed $result
+     * @return array
+     */
+    protected function prepareAccessTokenResponse(array $result)
+    {
+        if ($this->getAccessTokenResourceOwnerId() !== null) {
+            $result['resource_owner_id'] = $this->getValueByKey(
+                $result,
+                $this->getAccessTokenResourceOwnerId()
+            );
+        }
+        return $result;
+    }
+
+    /**
+     * Creates an access token from a response.
+     *
+     * The grant that was used to fetch the response can be used to provide
+     * additional context.
+     *
+     * @param  array $response
+     * @param  AbstractGrant $grant
+     * @return AccessTokenInterface
+     */
+    protected function createAccessToken(array $response, AbstractGrant $grant)
+    {
+        return new AccessToken($response);
+    }
+
+    /**
+     * Generates a resource owner object from a successful resource owner
+     * details request.
+     *
+     * @param  array $response
+     * @param  AccessToken $token
+     * @return ResourceOwnerInterface
+     */
+    abstract protected function createResourceOwner(array $response, AccessToken $token);
+
+    /**
+     * Requests and returns the resource owner of given access token.
+     *
+     * @param  AccessToken $token
+     * @return ResourceOwnerInterface
+     */
+    public function getResourceOwner(AccessToken $token)
+    {
+        $response = $this->fetchResourceOwnerDetails($token);
+
+        return $this->createResourceOwner($response, $token);
+    }
+
+    /**
+     * Requests resource owner details.
+     *
+     * @param  AccessToken $token
+     * @return mixed
+     */
+    protected function fetchResourceOwnerDetails(AccessToken $token)
+    {
+        $url = $this->getResourceOwnerDetailsUrl($token);
+
+        $request = $this->getAuthenticatedRequest(self::METHOD_GET, $url, $token);
+
+        $response = $this->getParsedResponse($request);
+
+        if (false === is_array($response)) {
+            throw new UnexpectedValueException(
+                'Invalid response received from Authorization Server. Expected JSON.'
+            );
+        }
+
+        return $response;
+    }
+
+    /**
+     * Returns the default headers used by this provider.
+     *
+     * Typically this is used to set 'Accept' or 'Content-Type' headers.
+     *
+     * @return array
+     */
+    protected function getDefaultHeaders()
+    {
+        return [];
+    }
+
+    /**
+     * Returns the authorization headers used by this provider.
+     *
+     * Typically this is "Bearer" or "MAC". For more information see:
+     * http://tools.ietf.org/html/rfc6749#section-7.1
+     *
+     * No default is provided, providers must overload this method to activate
+     * authorization headers.
+     *
+     * @param  mixed|null $token Either a string or an access token instance
+     * @return array
+     */
+    protected function getAuthorizationHeaders($token = null)
+    {
+        return [];
+    }
+
+    /**
+     * Returns all headers used by this provider for a request.
+     *
+     * The request will be authenticated if an access token is provided.
+     *
+     * @param  mixed|null $token object or string
+     * @return array
+     */
+    public function getHeaders($token = null)
+    {
+        if ($token) {
+            return array_merge(
+                $this->getDefaultHeaders(),
+                $this->getAuthorizationHeaders($token)
+            );
+        }
+
+        return $this->getDefaultHeaders();
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php
new file mode 100644
index 000000000..52b7e0353
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php
@@ -0,0 +1,48 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Provider\Exception;
+
+/**
+ * Exception thrown if the provider response contains errors.
+ */
+class IdentityProviderException extends \Exception
+{
+    /**
+     * @var mixed
+     */
+    protected $response;
+
+    /**
+     * @param string $message
+     * @param int $code
+     * @param array|string $response The response body
+     */
+    public function __construct($message, $code, $response)
+    {
+        $this->response = $response;
+
+        parent::__construct($message, $code);
+    }
+
+    /**
+     * Returns the exception's response body.
+     *
+     * @return array|string
+     */
+    public function getResponseBody()
+    {
+        return $this->response;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php
new file mode 100644
index 000000000..74393ffda
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php
@@ -0,0 +1,233 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Provider;
+
+use InvalidArgumentException;
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
+use League\OAuth2\Client\Token\AccessToken;
+use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Represents a generic service provider that may be used to interact with any
+ * OAuth 2.0 service provider, using Bearer token authentication.
+ */
+class GenericProvider extends AbstractProvider
+{
+    use BearerAuthorizationTrait;
+
+    /**
+     * @var string
+     */
+    private $urlAuthorize;
+
+    /**
+     * @var string
+     */
+    private $urlAccessToken;
+
+    /**
+     * @var string
+     */
+    private $urlResourceOwnerDetails;
+
+    /**
+     * @var string
+     */
+    private $accessTokenMethod;
+
+    /**
+     * @var string
+     */
+    private $accessTokenResourceOwnerId;
+
+    /**
+     * @var array|null
+     */
+    private $scopes = null;
+
+    /**
+     * @var string
+     */
+    private $scopeSeparator;
+
+    /**
+     * @var string
+     */
+    private $responseError = 'error';
+
+    /**
+     * @var string
+     */
+    private $responseCode;
+
+    /**
+     * @var string
+     */
+    private $responseResourceOwnerId = 'id';
+
+    /**
+     * @param array $options
+     * @param array $collaborators
+     */
+    public function __construct(array $options = [], array $collaborators = [])
+    {
+        $this->assertRequiredOptions($options);
+
+        $possible   = $this->getConfigurableOptions();
+        $configured = array_intersect_key($options, array_flip($possible));
+
+        foreach ($configured as $key => $value) {
+            $this->$key = $value;
+        }
+
+        // Remove all options that are only used locally
+        $options = array_diff_key($options, $configured);
+
+        parent::__construct($options, $collaborators);
+    }
+
+    /**
+     * Returns all options that can be configured.
+     *
+     * @return array
+     */
+    protected function getConfigurableOptions()
+    {
+        return array_merge($this->getRequiredOptions(), [
+            'accessTokenMethod',
+            'accessTokenResourceOwnerId',
+            'scopeSeparator',
+            'responseError',
+            'responseCode',
+            'responseResourceOwnerId',
+            'scopes',
+        ]);
+    }
+
+    /**
+     * Returns all options that are required.
+     *
+     * @return array
+     */
+    protected function getRequiredOptions()
+    {
+        return [
+            'urlAuthorize',
+            'urlAccessToken',
+            'urlResourceOwnerDetails',
+        ];
+    }
+
+    /**
+     * Verifies that all required options have been passed.
+     *
+     * @param  array $options
+     * @return void
+     * @throws InvalidArgumentException
+     */
+    private function assertRequiredOptions(array $options)
+    {
+        $missing = array_diff_key(array_flip($this->getRequiredOptions()), $options);
+
+        if (!empty($missing)) {
+            throw new InvalidArgumentException(
+                'Required options not defined: ' . implode(', ', array_keys($missing))
+            );
+        }
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getBaseAuthorizationUrl()
+    {
+        return $this->urlAuthorize;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getBaseAccessTokenUrl(array $params)
+    {
+        return $this->urlAccessToken;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getResourceOwnerDetailsUrl(AccessToken $token)
+    {
+        return $this->urlResourceOwnerDetails;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getDefaultScopes()
+    {
+        return $this->scopes;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getAccessTokenMethod()
+    {
+        return $this->accessTokenMethod ?: parent::getAccessTokenMethod();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getAccessTokenResourceOwnerId()
+    {
+        return $this->accessTokenResourceOwnerId ?: parent::getAccessTokenResourceOwnerId();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function getScopeSeparator()
+    {
+        return $this->scopeSeparator ?: parent::getScopeSeparator();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function checkResponse(ResponseInterface $response, $data)
+    {
+        if (!empty($data[$this->responseError])) {
+            $error = $data[$this->responseError];
+            if (!is_string($error)) {
+                $error = var_export($error, true);
+            }
+            $code  = $this->responseCode && !empty($data[$this->responseCode])? $data[$this->responseCode] : 0;
+            if (!is_int($code)) {
+                $code = intval($code);
+            }
+            throw new IdentityProviderException($error, $code, $data);
+        }
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function createResourceOwner(array $response, AccessToken $token)
+    {
+        return new GenericResourceOwner($response, $this->responseResourceOwnerId);
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericResourceOwner.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericResourceOwner.php
new file mode 100644
index 000000000..f87661485
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericResourceOwner.php
@@ -0,0 +1,61 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Provider;
+
+/**
+ * Represents a generic resource owner for use with the GenericProvider.
+ */
+class GenericResourceOwner implements ResourceOwnerInterface
+{
+    /**
+     * @var array
+     */
+    protected $response;
+
+    /**
+     * @var string
+     */
+    protected $resourceOwnerId;
+
+    /**
+     * @param array $response
+     * @param string $resourceOwnerId
+     */
+    public function __construct(array $response, $resourceOwnerId)
+    {
+        $this->response = $response;
+        $this->resourceOwnerId = $resourceOwnerId;
+    }
+
+    /**
+     * Returns the identifier of the authorized resource owner.
+     *
+     * @return mixed
+     */
+    public function getId()
+    {
+        return $this->response[$this->resourceOwnerId];
+    }
+
+    /**
+     * Returns the raw resource owner response.
+     *
+     * @return array
+     */
+    public function toArray()
+    {
+        return $this->response;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/ResourceOwnerInterface.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/ResourceOwnerInterface.php
new file mode 100644
index 000000000..828442425
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/ResourceOwnerInterface.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Provider;
+
+/**
+ * Classes implementing `ResourceOwnerInterface` may be used to represent
+ * the resource owner authenticated with a service provider.
+ */
+interface ResourceOwnerInterface
+{
+    /**
+     * Returns the identifier of the authorized resource owner.
+     *
+     * @return mixed
+     */
+    public function getId();
+
+    /**
+     * Return all of the owner details available as an array.
+     *
+     * @return array
+     */
+    public function toArray();
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessToken.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessToken.php
new file mode 100644
index 000000000..81533c307
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessToken.php
@@ -0,0 +1,243 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Token;
+
+use InvalidArgumentException;
+use RuntimeException;
+
+/**
+ * Represents an access token.
+ *
+ * @link http://tools.ietf.org/html/rfc6749#section-1.4 Access Token (RFC 6749, §1.4)
+ */
+class AccessToken implements AccessTokenInterface, ResourceOwnerAccessTokenInterface
+{
+    /**
+     * @var string
+     */
+    protected $accessToken;
+
+    /**
+     * @var int
+     */
+    protected $expires;
+
+    /**
+     * @var string
+     */
+    protected $refreshToken;
+
+    /**
+     * @var string
+     */
+    protected $resourceOwnerId;
+
+    /**
+     * @var array
+     */
+    protected $values = [];
+
+    /**
+     * @var int
+     */
+    private static $timeNow;
+
+    /**
+     * Set the time now. This should only be used for testing purposes.
+     *
+     * @param int $timeNow the time in seconds since epoch
+     * @return void
+     */
+    public static function setTimeNow($timeNow)
+    {
+        self::$timeNow = $timeNow;
+    }
+
+    /**
+     * Reset the time now if it was set for test purposes.
+     *
+     * @return void
+     */
+    public static function resetTimeNow()
+    {
+        self::$timeNow = null;
+    }
+
+    /**
+     * @return int
+     */
+    public function getTimeNow()
+    {
+        return self::$timeNow ? self::$timeNow : time();
+    }
+
+    /**
+     * Constructs an access token.
+     *
+     * @param array $options An array of options returned by the service provider
+     *     in the access token request. The `access_token` option is required.
+     * @throws InvalidArgumentException if `access_token` is not provided in `$options`.
+     */
+    public function __construct(array $options = [])
+    {
+        if (empty($options['access_token'])) {
+            throw new InvalidArgumentException('Required option not passed: "access_token"');
+        }
+
+        $this->accessToken = $options['access_token'];
+
+        if (!empty($options['resource_owner_id'])) {
+            $this->resourceOwnerId = $options['resource_owner_id'];
+        }
+
+        if (!empty($options['refresh_token'])) {
+            $this->refreshToken = $options['refresh_token'];
+        }
+
+        // We need to know when the token expires. Show preference to
+        // 'expires_in' since it is defined in RFC6749 Section 5.1.
+        // Defer to 'expires' if it is provided instead.
+        if (isset($options['expires_in'])) {
+            if (!is_numeric($options['expires_in'])) {
+                throw new \InvalidArgumentException('expires_in value must be an integer');
+            }
+
+            $this->expires = $options['expires_in'] != 0 ? $this->getTimeNow() + $options['expires_in'] : 0;
+        } elseif (!empty($options['expires'])) {
+            // Some providers supply the seconds until expiration rather than
+            // the exact timestamp. Take a best guess at which we received.
+            $expires = $options['expires'];
+
+            if (!$this->isExpirationTimestamp($expires)) {
+                $expires += $this->getTimeNow();
+            }
+
+            $this->expires = $expires;
+        }
+
+        // Capture any additional values that might exist in the token but are
+        // not part of the standard response. Vendors will sometimes pass
+        // additional user data this way.
+        $this->values = array_diff_key($options, array_flip([
+            'access_token',
+            'resource_owner_id',
+            'refresh_token',
+            'expires_in',
+            'expires',
+        ]));
+    }
+
+    /**
+     * Check if a value is an expiration timestamp or second value.
+     *
+     * @param integer $value
+     * @return bool
+     */
+    protected function isExpirationTimestamp($value)
+    {
+        // If the given value is larger than the original OAuth 2 draft date,
+        // assume that it is meant to be a (possible expired) timestamp.
+        $oauth2InceptionDate = 1349067600; // 2012-10-01
+        return ($value > $oauth2InceptionDate);
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getToken()
+    {
+        return $this->accessToken;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getRefreshToken()
+    {
+        return $this->refreshToken;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getExpires()
+    {
+        return $this->expires;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getResourceOwnerId()
+    {
+        return $this->resourceOwnerId;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function hasExpired()
+    {
+        $expires = $this->getExpires();
+
+        if (empty($expires)) {
+            throw new RuntimeException('"expires" is not set on the token');
+        }
+
+        return $expires < time();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getValues()
+    {
+        return $this->values;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function __toString()
+    {
+        return (string) $this->getToken();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function jsonSerialize()
+    {
+        $parameters = $this->values;
+
+        if ($this->accessToken) {
+            $parameters['access_token'] = $this->accessToken;
+        }
+
+        if ($this->refreshToken) {
+            $parameters['refresh_token'] = $this->refreshToken;
+        }
+
+        if ($this->expires) {
+            $parameters['expires'] = $this->expires;
+        }
+
+        if ($this->resourceOwnerId) {
+            $parameters['resource_owner_id'] = $this->resourceOwnerId;
+        }
+
+        return $parameters;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessTokenInterface.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessTokenInterface.php
new file mode 100644
index 000000000..5fd219ffc
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Token/AccessTokenInterface.php
@@ -0,0 +1,74 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Token;
+
+use JsonSerializable;
+use ReturnTypeWillChange;
+use RuntimeException;
+
+interface AccessTokenInterface extends JsonSerializable
+{
+    /**
+     * Returns the access token string of this instance.
+     *
+     * @return string
+     */
+    public function getToken();
+
+    /**
+     * Returns the refresh token, if defined.
+     *
+     * @return string|null
+     */
+    public function getRefreshToken();
+
+    /**
+     * Returns the expiration timestamp in seconds, if defined.
+     *
+     * @return integer|null
+     */
+    public function getExpires();
+
+    /**
+     * Checks if this token has expired.
+     *
+     * @return boolean true if the token has expired, false otherwise.
+     * @throws RuntimeException if 'expires' is not set on the token.
+     */
+    public function hasExpired();
+
+    /**
+     * Returns additional vendor values stored in the token.
+     *
+     * @return array
+     */
+    public function getValues();
+
+    /**
+     * Returns a string representation of the access token
+     *
+     * @return string
+     */
+    public function __toString();
+
+    /**
+     * Returns an array of parameters to serialize when this is serialized with
+     * json_encode().
+     *
+     * @return array
+     */
+    #[ReturnTypeWillChange]
+    public function jsonSerialize();
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Token/ResourceOwnerAccessTokenInterface.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Token/ResourceOwnerAccessTokenInterface.php
new file mode 100644
index 000000000..51e4ce413
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Token/ResourceOwnerAccessTokenInterface.php
@@ -0,0 +1,25 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Token;
+
+interface ResourceOwnerAccessTokenInterface extends AccessTokenInterface
+{
+    /**
+     * Returns the resource owner identifier, if defined.
+     *
+     * @return string|null
+     */
+    public function getResourceOwnerId();
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ArrayAccessorTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ArrayAccessorTrait.php
new file mode 100644
index 000000000..a18198cf3
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ArrayAccessorTrait.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+/**
+ * Provides generic array navigation tools.
+ */
+trait ArrayAccessorTrait
+{
+    /**
+     * Returns a value by key using dot notation.
+     *
+     * @param  array      $data
+     * @param  string     $key
+     * @param  mixed|null $default
+     * @return mixed
+     */
+    private function getValueByKey(array $data, $key, $default = null)
+    {
+        if (!is_string($key) || empty($key) || !count($data)) {
+            return $default;
+        }
+
+        if (strpos($key, '.') !== false) {
+            $keys = explode('.', $key);
+
+            foreach ($keys as $innerKey) {
+                if (!is_array($data) || !array_key_exists($innerKey, $data)) {
+                    return $default;
+                }
+
+                $data = $data[$innerKey];
+            }
+
+            return $data;
+        }
+
+        return array_key_exists($key, $data) ? $data[$key] : $default;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/BearerAuthorizationTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/BearerAuthorizationTrait.php
new file mode 100644
index 000000000..081c7c861
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/BearerAuthorizationTrait.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+use League\OAuth2\Client\Token\AccessTokenInterface;
+
+/**
+ * Enables `Bearer` header authorization for providers.
+ *
+ * @link http://tools.ietf.org/html/rfc6750 Bearer Token Usage (RFC 6750)
+ */
+trait BearerAuthorizationTrait
+{
+    /**
+     * Returns authorization headers for the 'bearer' grant.
+     *
+     * @param  AccessTokenInterface|string|null $token Either a string or an access token instance
+     * @return array
+     */
+    protected function getAuthorizationHeaders($token = null)
+    {
+        return ['Authorization' => 'Bearer ' . $token];
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/GuardedPropertyTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/GuardedPropertyTrait.php
new file mode 100644
index 000000000..02c9ba5fb
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/GuardedPropertyTrait.php
@@ -0,0 +1,70 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+/**
+ * Provides support for blacklisting explicit properties from the
+ * mass assignment behavior.
+ */
+trait GuardedPropertyTrait
+{
+    /**
+     * The properties that aren't mass assignable.
+     *
+     * @var array
+     */
+    protected $guarded = [];
+
+    /**
+     * Attempts to mass assign the given options to explicitly defined properties,
+     * skipping over any properties that are defined in the guarded array.
+     *
+     * @param array $options
+     * @return mixed
+     */
+    protected function fillProperties(array $options = [])
+    {
+        if (isset($options['guarded'])) {
+            unset($options['guarded']);
+        }
+
+        foreach ($options as $option => $value) {
+            if (property_exists($this, $option) && !$this->isGuarded($option)) {
+                $this->{$option} = $value;
+            }
+        }
+    }
+
+    /**
+     * Returns current guarded properties.
+     *
+     * @return array
+     */
+    public function getGuarded()
+    {
+        return $this->guarded;
+    }
+
+    /**
+     * Determines if the given property is guarded.
+     *
+     * @param  string  $property
+     * @return bool
+     */
+    public function isGuarded($property)
+    {
+        return in_array($property, $this->getGuarded());
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/MacAuthorizationTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/MacAuthorizationTrait.php
new file mode 100644
index 000000000..f8dcd77c5
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/MacAuthorizationTrait.php
@@ -0,0 +1,83 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+use League\OAuth2\Client\Token\AccessToken;
+use League\OAuth2\Client\Token\AccessTokenInterface;
+
+/**
+ * Enables `MAC` header authorization for providers.
+ *
+ * @link http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05 Message Authentication Code (MAC) Tokens
+ */
+trait MacAuthorizationTrait
+{
+    /**
+     * Returns the id of this token for MAC generation.
+     *
+     * @param  AccessToken $token
+     * @return string
+     */
+    abstract protected function getTokenId(AccessToken $token);
+
+    /**
+     * Returns the MAC signature for the current request.
+     *
+     * @param  string $id
+     * @param  integer $ts
+     * @param  string $nonce
+     * @return string
+     */
+    abstract protected function getMacSignature($id, $ts, $nonce);
+
+    /**
+     * Returns a new random string to use as the state parameter in an
+     * authorization flow.
+     *
+     * @param  int $length Length of the random string to be generated.
+     * @return string
+     */
+    abstract protected function getRandomState($length = 32);
+
+    /**
+     * Returns the authorization headers for the 'mac' grant.
+     *
+     * @param  AccessTokenInterface|string|null $token Either a string or an access token instance
+     * @return array
+     * @codeCoverageIgnore
+     *
+     * @todo This is currently untested and provided only as an example. If you
+     * complete the implementation, please create a pull request for
+     * https://github.com/thephpleague/oauth2-client
+     */
+    protected function getAuthorizationHeaders($token = null)
+    {
+        if ($token === null) {
+            return [];
+        }
+
+        $ts    = time();
+        $id    = $this->getTokenId($token);
+        $nonce = $this->getRandomState(16);
+        $mac   = $this->getMacSignature($id, $ts, $nonce);
+
+        $parts = [];
+        foreach (compact('id', 'ts', 'nonce', 'mac') as $key => $value) {
+            $parts[] = sprintf('%s="%s"', $key, $value);
+        }
+
+        return ['Authorization' => 'MAC ' . implode(', ', $parts)];
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ProviderRedirectTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ProviderRedirectTrait.php
new file mode 100644
index 000000000..f81b511f9
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/ProviderRedirectTrait.php
@@ -0,0 +1,122 @@
+<?php
+
+namespace League\OAuth2\Client\Tool;
+
+use GuzzleHttp\Exception\BadResponseException;
+use GuzzleHttp\Psr7\Uri;
+use InvalidArgumentException;
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+trait ProviderRedirectTrait
+{
+    /**
+     * Maximum number of times to follow provider initiated redirects
+     *
+     * @var integer
+     */
+    protected $redirectLimit = 2;
+
+    /**
+     * Retrieves a response for a given request and retrieves subsequent
+     * responses, with authorization headers, if a redirect is detected.
+     *
+     * @param  RequestInterface $request
+     * @return ResponseInterface
+     * @throws BadResponseException
+     */
+    protected function followRequestRedirects(RequestInterface $request)
+    {
+        $response = null;
+        $attempts = 0;
+
+        while ($attempts < $this->redirectLimit) {
+            $attempts++;
+            $response = $this->getHttpClient()->send($request, [
+                'allow_redirects' => false
+            ]);
+
+            if ($this->isRedirect($response)) {
+                $redirectUrl = new Uri($response->getHeader('Location')[0]);
+                $request = $request->withUri($redirectUrl);
+            } else {
+                break;
+            }
+        }
+
+        return $response;
+    }
+
+    /**
+     * Returns the HTTP client instance.
+     *
+     * @return GuzzleHttp\ClientInterface
+     */
+    abstract public function getHttpClient();
+
+    /**
+     * Retrieves current redirect limit.
+     *
+     * @return integer
+     */
+    public function getRedirectLimit()
+    {
+        return $this->redirectLimit;
+    }
+
+    /**
+     * Determines if a given response is a redirect.
+     *
+     * @param  ResponseInterface  $response
+     *
+     * @return boolean
+     */
+    protected function isRedirect(ResponseInterface $response)
+    {
+        $statusCode = $response->getStatusCode();
+
+        return $statusCode > 300 && $statusCode < 400 && $response->hasHeader('Location');
+    }
+
+    /**
+     * Sends a request instance and returns a response instance.
+     *
+     * WARNING: This method does not attempt to catch exceptions caused by HTTP
+     * errors! It is recommended to wrap this method in a try/catch block.
+     *
+     * @param  RequestInterface $request
+     * @return ResponseInterface
+     */
+    public function getResponse(RequestInterface $request)
+    {
+        try {
+            $response = $this->followRequestRedirects($request);
+        } catch (BadResponseException $e) {
+            $response = $e->getResponse();
+        }
+
+        return $response;
+    }
+
+    /**
+     * Updates the redirect limit.
+     *
+     * @param integer $limit
+     * @return League\OAuth2\Client\Provider\AbstractProvider
+     * @throws InvalidArgumentException
+     */
+    public function setRedirectLimit($limit)
+    {
+        if (!is_int($limit)) {
+            throw new InvalidArgumentException('redirectLimit must be an integer.');
+        }
+
+        if ($limit < 1) {
+            throw new InvalidArgumentException('redirectLimit must be greater than or equal to one.');
+        }
+
+        $this->redirectLimit = $limit;
+
+        return $this;
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/QueryBuilderTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/QueryBuilderTrait.php
new file mode 100644
index 000000000..bdda3e79e
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/QueryBuilderTrait.php
@@ -0,0 +1,33 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+/**
+ * Provides a standard way to generate query strings.
+ */
+trait QueryBuilderTrait
+{
+    /**
+     * Build a query string from an array.
+     *
+     * @param array $params
+     *
+     * @return string
+     */
+    protected function buildQueryString(array $params)
+    {
+        return http_build_query($params, '', '&', \PHP_QUERY_RFC3986);
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequestFactory.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequestFactory.php
new file mode 100644
index 000000000..1af434297
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequestFactory.php
@@ -0,0 +1,87 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+use GuzzleHttp\Psr7\Request;
+
+/**
+ * Used to produce PSR-7 Request instances.
+ *
+ * @link https://github.com/guzzle/guzzle/pull/1101
+ */
+class RequestFactory
+{
+    /**
+     * Creates a PSR-7 Request instance.
+     *
+     * @param  null|string $method HTTP method for the request.
+     * @param  null|string $uri URI for the request.
+     * @param  array $headers Headers for the message.
+     * @param  string|resource|StreamInterface $body Message body.
+     * @param  string $version HTTP protocol version.
+     *
+     * @return Request
+     */
+    public function getRequest(
+        $method,
+        $uri,
+        array $headers = [],
+        $body = null,
+        $version = '1.1'
+    ) {
+        return new Request($method, $uri, $headers, $body, $version);
+    }
+
+    /**
+     * Parses simplified options.
+     *
+     * @param array $options Simplified options.
+     *
+     * @return array Extended options for use with getRequest.
+     */
+    protected function parseOptions(array $options)
+    {
+        // Should match default values for getRequest
+        $defaults = [
+            'headers' => [],
+            'body'    => null,
+            'version' => '1.1',
+        ];
+
+        return array_merge($defaults, $options);
+    }
+
+    /**
+     * Creates a request using a simplified array of options.
+     *
+     * @param  null|string $method
+     * @param  null|string $uri
+     * @param  array $options
+     *
+     * @return Request
+     */
+    public function getRequestWithOptions($method, $uri, array $options = [])
+    {
+        $options = $this->parseOptions($options);
+
+        return $this->getRequest(
+            $method,
+            $uri,
+            $options['headers'],
+            $options['body'],
+            $options['version']
+        );
+    }
+}
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequiredParameterTrait.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequiredParameterTrait.php
new file mode 100644
index 000000000..47da97717
--- /dev/null
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Tool/RequiredParameterTrait.php
@@ -0,0 +1,56 @@
+<?php
+/**
+ * This file is part of the league/oauth2-client library
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @copyright Copyright (c) Alex Bilbie <hello@alexbilbie.com>
+ * @license http://opensource.org/licenses/MIT MIT
+ * @link http://thephpleague.com/oauth2-client/ Documentation
+ * @link https://packagist.org/packages/league/oauth2-client Packagist
+ * @link https://github.com/thephpleague/oauth2-client GitHub
+ */
+
+namespace League\OAuth2\Client\Tool;
+
+use BadMethodCallException;
+
+/**
+ * Provides functionality to check for required parameters.
+ */
+trait RequiredParameterTrait
+{
+    /**
+     * Checks for a required parameter in a hash.
+     *
+     * @throws BadMethodCallException
+     * @param  string $name
+     * @param  array  $params
+     * @return void
+     */
+    private function checkRequiredParameter($name, array $params)
+    {
+        if (!isset($params[$name])) {
+            throw new BadMethodCallException(sprintf(
+                'Required parameter not passed: "%s"',
+                $name
+            ));
+        }
+    }
+
+    /**
+     * Checks for multiple required parameters in a hash.
+     *
+     * @throws InvalidArgumentException
+     * @param  array $names
+     * @param  array $params
+     * @return void
+     */
+    private function checkRequiredParameters(array $names, array $params)
+    {
+        foreach ($names as $name) {
+            $this->checkRequiredParameter($name, $params);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/LICENSE b/data/web/inc/lib/vendor/paragonie/random_compat/LICENSE
new file mode 100644
index 000000000..45c7017df
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Paragon Initiative Enterprises
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh b/data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh
new file mode 100755
index 000000000..b4a5ba31c
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/build-phar.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+basedir=$( dirname $( readlink -f ${BASH_SOURCE[0]} ) )
+
+php -dphar.readonly=0 "$basedir/other/build_phar.php" $*
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/composer.json b/data/web/inc/lib/vendor/paragonie/random_compat/composer.json
new file mode 100644
index 000000000..f2b9c4e51
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/composer.json
@@ -0,0 +1,34 @@
+{
+  "name":         "paragonie/random_compat",
+  "description":  "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+  "keywords": [
+    "csprng",
+    "random",
+    "polyfill",
+    "pseudorandom"
+  ],
+  "license":      "MIT",
+  "type":         "library",
+  "authors": [
+    {
+      "name":     "Paragon Initiative Enterprises",
+      "email":    "security@paragonie.com",
+      "homepage": "https://paragonie.com"
+    }
+  ],
+  "support": {
+    "issues":     "https://github.com/paragonie/random_compat/issues",
+    "email":      "info@paragonie.com",
+    "source":     "https://github.com/paragonie/random_compat"
+  },
+  "require": {
+    "php": ">= 7"
+  },
+  "require-dev": {
+    "vimeo/psalm": "^1",
+    "phpunit/phpunit": "4.*|5.*"
+  },
+  "suggest": {
+    "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+  }
+}
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey b/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey
new file mode 100644
index 000000000..eb50ebfcd
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEEd+wCqJDrx5B4OldM0dQE0ZMX+lx1ZWm
+pui0SUqD4G29L3NGsz9UhJ/0HjBdbnkhIK5xviT0X5vtjacF6ajgcCArbTB+ds+p
++h7Q084NuSuIpNb6YPfoUFgC/CL9kAoc
+-----END PUBLIC KEY-----
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc b/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc
new file mode 100644
index 000000000..6a1d7f300
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/dist/random_compat.phar.pubkey.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (MingW32)
+
+iQEcBAABAgAGBQJWtW1hAAoJEGuXocKCZATaJf0H+wbZGgskK1dcRTsuVJl9IWip
+QwGw/qIKI280SD6/ckoUMxKDCJiFuPR14zmqnS36k7N5UNPnpdTJTS8T11jttSpg
+1LCmgpbEIpgaTah+cELDqFCav99fS+bEiAL5lWDAHBTE/XPjGVCqeehyPYref4IW
+NDBIEsvnHPHPLsn6X5jq4+Yj5oUixgxaMPiR+bcO4Sh+RzOVB6i2D0upWfRXBFXA
+NNnsg9/zjvoC7ZW73y9uSH+dPJTt/Vgfeiv52/v41XliyzbUyLalf02GNPY+9goV
+JHG1ulEEBJOCiUD9cE1PUIJwHA/HqyhHIvV350YoEFiHl8iSwm7SiZu5kPjaq74=
+=B6+8
+-----END PGP SIGNATURE-----
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php b/data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php
new file mode 100644
index 000000000..c7731a56f
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/lib/random.php
@@ -0,0 +1,32 @@
+<?php
+/**
+ * Random_* Compatibility Library
+ * for using the new PHP 7 random_* API in PHP 5 projects
+ *
+ * @version 2.99.99
+ * @released 2018-06-06
+ *
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2015 - 2018 Paragon Initiative Enterprises
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+// NOP
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php b/data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php
new file mode 100644
index 000000000..70ef4b2ed
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/other/build_phar.php
@@ -0,0 +1,57 @@
+<?php
+$dist = dirname(__DIR__).'/dist';
+if (!is_dir($dist)) {
+    mkdir($dist, 0755);
+}
+if (file_exists($dist.'/random_compat.phar')) {
+    unlink($dist.'/random_compat.phar');
+}
+$phar = new Phar(
+    $dist.'/random_compat.phar',
+    FilesystemIterator::CURRENT_AS_FILEINFO | \FilesystemIterator::KEY_AS_FILENAME,
+    'random_compat.phar'
+);
+rename(
+    dirname(__DIR__).'/lib/random.php', 
+    dirname(__DIR__).'/lib/index.php'
+);
+$phar->buildFromDirectory(dirname(__DIR__).'/lib');
+rename(
+    dirname(__DIR__).'/lib/index.php', 
+    dirname(__DIR__).'/lib/random.php'
+);
+
+/**
+ * If we pass an (optional) path to a private key as a second argument, we will
+ * sign the Phar with OpenSSL.
+ * 
+ * If you leave this out, it will produce an unsigned .phar!
+ */
+if ($argc > 1) {
+    if (!@is_readable($argv[1])) {
+        echo 'Could not read the private key file:', $argv[1], "\n";
+        exit(255);
+    }
+    $pkeyFile = file_get_contents($argv[1]);
+    
+    $private = openssl_get_privatekey($pkeyFile);
+    if ($private !== false) {
+        $pkey = '';
+        openssl_pkey_export($private, $pkey);
+        $phar->setSignatureAlgorithm(Phar::OPENSSL, $pkey);
+        
+        /**
+         * Save the corresponding public key to the file
+         */
+        if (!@is_readable($dist.'/random_compat.phar.pubkey')) {
+            $details = openssl_pkey_get_details($private);
+            file_put_contents(
+                $dist.'/random_compat.phar.pubkey',
+                $details['key']
+            );
+        }
+    } else {
+        echo 'An error occurred reading the private key from OpenSSL.', "\n";
+        exit(255);
+    }
+}
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php b/data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php
new file mode 100644
index 000000000..d71d1b818
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/psalm-autoload.php
@@ -0,0 +1,9 @@
+<?php
+
+require_once 'lib/byte_safe_strings.php';
+require_once 'lib/cast_to_int.php';
+require_once 'lib/error_polyfill.php';
+require_once 'other/ide_stubs/libsodium.php';
+require_once 'lib/random.php';
+
+$int = random_int(0, 65536);
diff --git a/data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml b/data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml
new file mode 100644
index 000000000..596d99dd6
--- /dev/null
+++ b/data/web/inc/lib/vendor/paragonie/random_compat/psalm.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<psalm
+    autoloader="psalm-autoload.php"
+    stopOnFirstError="false"
+    useDocblockTypes="true"
+>
+    <projectFiles>
+        <directory name="lib" />
+    </projectFiles>
+    <issueHandlers>
+        <RedundantConditionGivenDocblockType errorLevel="info" />
+        <UnresolvableInclude errorLevel="info" />
+        <DuplicateClass errorLevel="info" />
+        <InvalidOperand errorLevel="info" />
+        <UndefinedConstant errorLevel="info" />
+        <MissingReturnType errorLevel="info" />
+        <InvalidReturnType errorLevel="info" />
+    </issueHandlers>
+</psalm>
diff --git a/data/web/inc/lib/vendor/psr/http-client/CHANGELOG.md b/data/web/inc/lib/vendor/psr/http-client/CHANGELOG.md
new file mode 100644
index 000000000..e2dc25f51
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/CHANGELOG.md
@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to this project will be documented in this file, in reverse chronological order by release.
+
+## 1.0.1
+
+Allow installation with PHP 8. No code changes.
+
+## 1.0.0
+
+First stable release. No changes since 0.3.0.
+
+## 0.3.0
+
+Added Interface suffix on exceptions
+ 
+## 0.2.0 
+
+All exceptions are in `Psr\Http\Client` namespace
+
+## 0.1.0
+
+First release
diff --git a/data/web/inc/lib/vendor/psr/http-client/LICENSE b/data/web/inc/lib/vendor/psr/http-client/LICENSE
new file mode 100644
index 000000000..cd5e0020a
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2017 PHP Framework Interoperability Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy 
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights 
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is 
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in 
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/psr/http-client/README.md b/data/web/inc/lib/vendor/psr/http-client/README.md
new file mode 100644
index 000000000..6876b8403
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/README.md
@@ -0,0 +1,12 @@
+HTTP Client
+===========
+
+This repository holds all the common code related to [PSR-18 (HTTP Client)][psr-url].
+
+Note that this is not a HTTP Client implementation of its own. It is merely abstractions that describe the components of a HTTP Client.
+
+The installable [package][package-url] and [implementations][implementation-url] are listed on Packagist.
+
+[psr-url]: http://www.php-fig.org/psr/psr-18
+[package-url]: https://packagist.org/packages/psr/http-client
+[implementation-url]: https://packagist.org/providers/psr/http-client-implementation
diff --git a/data/web/inc/lib/vendor/psr/http-client/composer.json b/data/web/inc/lib/vendor/psr/http-client/composer.json
new file mode 100644
index 000000000..c195f8ff1
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/composer.json
@@ -0,0 +1,27 @@
+{
+    "name": "psr/http-client",
+    "description": "Common interface for HTTP clients",
+    "keywords": ["psr", "psr-18", "http", "http-client"],
+    "homepage": "https://github.com/php-fig/http-client",
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "PHP-FIG",
+            "homepage": "http://www.php-fig.org/"
+        }
+    ],
+    "require": {
+        "php": "^7.0 || ^8.0",
+        "psr/http-message": "^1.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "Psr\\Http\\Client\\": "src/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-master": "1.0.x-dev"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/psr/http-client/src/ClientExceptionInterface.php b/data/web/inc/lib/vendor/psr/http-client/src/ClientExceptionInterface.php
new file mode 100644
index 000000000..aa0b9cf14
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/src/ClientExceptionInterface.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace Psr\Http\Client;
+
+/**
+ * Every HTTP client related exception MUST implement this interface.
+ */
+interface ClientExceptionInterface extends \Throwable
+{
+}
diff --git a/data/web/inc/lib/vendor/psr/http-client/src/ClientInterface.php b/data/web/inc/lib/vendor/psr/http-client/src/ClientInterface.php
new file mode 100644
index 000000000..ad99fd4b7
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/src/ClientInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace Psr\Http\Client;
+
+use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\ResponseInterface;
+
+interface ClientInterface
+{
+    /**
+     * Sends a PSR-7 request and returns a PSR-7 response.
+     *
+     * @param RequestInterface $request
+     *
+     * @return ResponseInterface
+     *
+     * @throws \Psr\Http\Client\ClientExceptionInterface If an error happens while processing the request.
+     */
+    public function sendRequest(RequestInterface $request): ResponseInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-client/src/NetworkExceptionInterface.php b/data/web/inc/lib/vendor/psr/http-client/src/NetworkExceptionInterface.php
new file mode 100644
index 000000000..4a11627c7
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/src/NetworkExceptionInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Psr\Http\Client;
+
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Thrown when the request cannot be completed because of network issues.
+ *
+ * There is no response object as this exception is thrown when no response has been received.
+ *
+ * Example: the target host name can not be resolved or the connection failed.
+ */
+interface NetworkExceptionInterface extends ClientExceptionInterface
+{
+    /**
+     * Returns the request.
+     *
+     * The request object MAY be a different object from the one passed to ClientInterface::sendRequest()
+     *
+     * @return RequestInterface
+     */
+    public function getRequest(): RequestInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-client/src/RequestExceptionInterface.php b/data/web/inc/lib/vendor/psr/http-client/src/RequestExceptionInterface.php
new file mode 100644
index 000000000..b17fc34fd
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-client/src/RequestExceptionInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Psr\Http\Client;
+
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Exception for when a request failed.
+ *
+ * Examples:
+ *      - Request is invalid (e.g. method is missing)
+ *      - Runtime request errors (e.g. the body stream is not seekable)
+ */
+interface RequestExceptionInterface extends ClientExceptionInterface
+{
+    /**
+     * Returns the request.
+     *
+     * The request object MAY be a different object from the one passed to ClientInterface::sendRequest()
+     *
+     * @return RequestInterface
+     */
+    public function getRequest(): RequestInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/.gitignore b/data/web/inc/lib/vendor/psr/http-factory/.gitignore
new file mode 100644
index 000000000..d8a7996ab
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/.gitignore
@@ -0,0 +1,2 @@
+composer.lock
+vendor/
diff --git a/data/web/inc/lib/vendor/psr/http-factory/.pullapprove.yml b/data/web/inc/lib/vendor/psr/http-factory/.pullapprove.yml
new file mode 100644
index 000000000..8cf081942
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/.pullapprove.yml
@@ -0,0 +1,7 @@
+extends: default
+reviewers:
+    -
+        name: contributors
+        required: 1
+        teams:
+            - http-factory-contributors
diff --git a/data/web/inc/lib/vendor/psr/http-factory/LICENSE b/data/web/inc/lib/vendor/psr/http-factory/LICENSE
new file mode 100644
index 000000000..3f1559b2a
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 PHP-FIG
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/data/web/inc/lib/vendor/psr/http-factory/README.md b/data/web/inc/lib/vendor/psr/http-factory/README.md
new file mode 100644
index 000000000..41d362a62
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/README.md
@@ -0,0 +1,10 @@
+HTTP Factories
+==============
+
+This repository holds all interfaces related to [PSR-17 (HTTP Message Factories)][psr-17]. 
+Please refer to the specification for a description.
+
+You can find implementations of the specification by looking for packages providing the 
+[psr/http-factory-implementation](https://packagist.org/providers/psr/http-factory-implementation) virtual package.
+
+[psr-17]: https://www.php-fig.org/psr/psr-17/
diff --git a/data/web/inc/lib/vendor/psr/http-factory/composer.json b/data/web/inc/lib/vendor/psr/http-factory/composer.json
new file mode 100644
index 000000000..af62b290f
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/composer.json
@@ -0,0 +1,35 @@
+{
+    "name": "psr/http-factory",
+    "description": "Common interfaces for PSR-7 HTTP message factories",
+    "keywords": [
+        "psr",
+        "psr-7",
+        "psr-17",
+        "http",
+        "factory",
+        "message",
+        "request",
+        "response"
+    ],
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "PHP-FIG",
+            "homepage": "http://www.php-fig.org/"
+        }
+    ],
+    "require": {
+        "php": ">=7.0.0",
+        "psr/http-message": "^1.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "Psr\\Http\\Message\\": "src/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-master": "1.0.x-dev"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/src/RequestFactoryInterface.php b/data/web/inc/lib/vendor/psr/http-factory/src/RequestFactoryInterface.php
new file mode 100644
index 000000000..cb39a08bf
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/src/RequestFactoryInterface.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Psr\Http\Message;
+
+interface RequestFactoryInterface
+{
+    /**
+     * Create a new request.
+     *
+     * @param string $method The HTTP method associated with the request.
+     * @param UriInterface|string $uri The URI associated with the request. If
+     *     the value is a string, the factory MUST create a UriInterface
+     *     instance based on it.
+     *
+     * @return RequestInterface
+     */
+    public function createRequest(string $method, $uri): RequestInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/src/ResponseFactoryInterface.php b/data/web/inc/lib/vendor/psr/http-factory/src/ResponseFactoryInterface.php
new file mode 100644
index 000000000..212562f00
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/src/ResponseFactoryInterface.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Psr\Http\Message;
+
+interface ResponseFactoryInterface
+{
+    /**
+     * Create a new response.
+     *
+     * @param int $code HTTP status code; defaults to 200
+     * @param string $reasonPhrase Reason phrase to associate with status code
+     *     in generated response; if none is provided implementations MAY use
+     *     the defaults as suggested in the HTTP specification.
+     *
+     * @return ResponseInterface
+     */
+    public function createResponse(int $code = 200, string $reasonPhrase = ''): ResponseInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/src/ServerRequestFactoryInterface.php b/data/web/inc/lib/vendor/psr/http-factory/src/ServerRequestFactoryInterface.php
new file mode 100644
index 000000000..9fe031a8f
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/src/ServerRequestFactoryInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Psr\Http\Message;
+
+interface ServerRequestFactoryInterface
+{
+    /**
+     * Create a new server request.
+     *
+     * Note that server-params are taken precisely as given - no parsing/processing
+     * of the given values is performed, and, in particular, no attempt is made to
+     * determine the HTTP method or URI, which must be provided explicitly.
+     *
+     * @param string $method The HTTP method associated with the request.
+     * @param UriInterface|string $uri The URI associated with the request. If
+     *     the value is a string, the factory MUST create a UriInterface
+     *     instance based on it.
+     * @param array $serverParams Array of SAPI parameters with which to seed
+     *     the generated request instance.
+     *
+     * @return ServerRequestInterface
+     */
+    public function createServerRequest(string $method, $uri, array $serverParams = []): ServerRequestInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/src/StreamFactoryInterface.php b/data/web/inc/lib/vendor/psr/http-factory/src/StreamFactoryInterface.php
new file mode 100644
index 000000000..90e3240c4
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/src/StreamFactoryInterface.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace Psr\Http\Message;
+
+interface StreamFactoryInterface
+{
+    /**
+     * Create a new stream from a string.
+     *
+     * The stream SHOULD be created with a temporary resource.
+     *
+     * @param string $content String content with which to populate the stream.
+     *
+     * @return StreamInterface
+     */
+    public function createStream(string $content = ''): StreamInterface;
+
+    /**
+     * Create a stream from an existing file.
+     *
+     * The file MUST be opened using the given mode, which may be any mode
+     * supported by the `fopen` function.
+     *
+     * The `$filename` MAY be any string supported by `fopen()`.
+     *
+     * @param string $filename Filename or stream URI to use as basis of stream.
+     * @param string $mode Mode with which to open the underlying filename/stream.
+     *
+     * @return StreamInterface
+     * @throws \RuntimeException If the file cannot be opened.
+     * @throws \InvalidArgumentException If the mode is invalid.
+     */
+    public function createStreamFromFile(string $filename, string $mode = 'r'): StreamInterface;
+
+    /**
+     * Create a new stream from an existing resource.
+     *
+     * The stream MUST be readable and may be writable.
+     *
+     * @param resource $resource PHP resource to use as basis of stream.
+     *
+     * @return StreamInterface
+     */
+    public function createStreamFromResource($resource): StreamInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/src/UploadedFileFactoryInterface.php b/data/web/inc/lib/vendor/psr/http-factory/src/UploadedFileFactoryInterface.php
new file mode 100644
index 000000000..7db4e30af
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/src/UploadedFileFactoryInterface.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Psr\Http\Message;
+
+interface UploadedFileFactoryInterface
+{
+    /**
+     * Create a new uploaded file.
+     *
+     * If a size is not provided it will be determined by checking the size of
+     * the file.
+     *
+     * @see http://php.net/manual/features.file-upload.post-method.php
+     * @see http://php.net/manual/features.file-upload.errors.php
+     *
+     * @param StreamInterface $stream Underlying stream representing the
+     *     uploaded file content.
+     * @param int $size in bytes
+     * @param int $error PHP file upload error
+     * @param string $clientFilename Filename as provided by the client, if any.
+     * @param string $clientMediaType Media type as provided by the client, if any.
+     *
+     * @return UploadedFileInterface
+     *
+     * @throws \InvalidArgumentException If the file resource is not readable.
+     */
+    public function createUploadedFile(
+        StreamInterface $stream,
+        int $size = null,
+        int $error = \UPLOAD_ERR_OK,
+        string $clientFilename = null,
+        string $clientMediaType = null
+    ): UploadedFileInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-factory/src/UriFactoryInterface.php b/data/web/inc/lib/vendor/psr/http-factory/src/UriFactoryInterface.php
new file mode 100644
index 000000000..06df0b46a
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-factory/src/UriFactoryInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace Psr\Http\Message;
+
+interface UriFactoryInterface
+{
+    /**
+     * Create a new URI.
+     *
+     * @param string $uri
+     *
+     * @return UriInterface
+     *
+     * @throws \InvalidArgumentException If the given URI cannot be parsed.
+     */
+    public function createUri(string $uri = ''): UriInterface;
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/CHANGELOG.md b/data/web/inc/lib/vendor/psr/http-message/CHANGELOG.md
new file mode 100644
index 000000000..74b1ef923
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/CHANGELOG.md
@@ -0,0 +1,36 @@
+# Changelog
+
+All notable changes to this project will be documented in this file, in reverse chronological order by release.
+
+## 1.0.1 - 2016-08-06
+
+### Added
+
+- Nothing.
+
+### Deprecated
+
+- Nothing.
+
+### Removed
+
+- Nothing.
+
+### Fixed
+
+- Updated all `@return self` annotation references in interfaces to use
+  `@return static`, which more closelly follows the semantics of the
+  specification.
+- Updated the `MessageInterface::getHeaders()` return annotation to use the
+  value `string[][]`, indicating the format is a nested array of strings.
+- Updated the `@link` annotation for `RequestInterface::withRequestTarget()`
+  to point to the correct section of RFC 7230.
+- Updated the `ServerRequestInterface::withUploadedFiles()` parameter annotation
+  to add the parameter name (`$uploadedFiles`).
+- Updated a `@throws` annotation for the `UploadedFileInterface::moveTo()`
+  method to correctly reference the method parameter (it was referencing an
+  incorrect parameter name previously).
+
+## 1.0.0 - 2016-05-18
+
+Initial stable release; reflects accepted PSR-7 specification.
diff --git a/data/web/inc/lib/vendor/psr/http-message/LICENSE b/data/web/inc/lib/vendor/psr/http-message/LICENSE
new file mode 100644
index 000000000..c2d8e452d
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2014 PHP Framework Interoperability Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy 
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights 
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is 
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in 
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/psr/http-message/README.md b/data/web/inc/lib/vendor/psr/http-message/README.md
new file mode 100644
index 000000000..28185338f
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/README.md
@@ -0,0 +1,13 @@
+PSR Http Message
+================
+
+This repository holds all interfaces/classes/traits related to
+[PSR-7](http://www.php-fig.org/psr/psr-7/).
+
+Note that this is not a HTTP message implementation of its own. It is merely an
+interface that describes a HTTP message. See the specification for more details.
+
+Usage
+-----
+
+We'll certainly need some stuff in here.
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/psr/http-message/composer.json b/data/web/inc/lib/vendor/psr/http-message/composer.json
new file mode 100644
index 000000000..b0d2937a0
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/composer.json
@@ -0,0 +1,26 @@
+{
+    "name": "psr/http-message",
+    "description": "Common interface for HTTP messages",
+    "keywords": ["psr", "psr-7", "http", "http-message", "request", "response"],
+    "homepage": "https://github.com/php-fig/http-message",
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "PHP-FIG",
+            "homepage": "http://www.php-fig.org/"
+        }
+    ],
+    "require": {
+        "php": ">=5.3.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "Psr\\Http\\Message\\": "src/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-master": "1.0.x-dev"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/MessageInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/MessageInterface.php
new file mode 100644
index 000000000..dd46e5ec8
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/MessageInterface.php
@@ -0,0 +1,187 @@
+<?php
+
+namespace Psr\Http\Message;
+
+/**
+ * HTTP messages consist of requests from a client to a server and responses
+ * from a server to a client. This interface defines the methods common to
+ * each.
+ *
+ * Messages are considered immutable; all methods that might change state MUST
+ * be implemented such that they retain the internal state of the current
+ * message and return an instance that contains the changed state.
+ *
+ * @link http://www.ietf.org/rfc/rfc7230.txt
+ * @link http://www.ietf.org/rfc/rfc7231.txt
+ */
+interface MessageInterface
+{
+    /**
+     * Retrieves the HTTP protocol version as a string.
+     *
+     * The string MUST contain only the HTTP version number (e.g., "1.1", "1.0").
+     *
+     * @return string HTTP protocol version.
+     */
+    public function getProtocolVersion();
+
+    /**
+     * Return an instance with the specified HTTP protocol version.
+     *
+     * The version string MUST contain only the HTTP version number (e.g.,
+     * "1.1", "1.0").
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * new protocol version.
+     *
+     * @param string $version HTTP protocol version
+     * @return static
+     */
+    public function withProtocolVersion($version);
+
+    /**
+     * Retrieves all message header values.
+     *
+     * The keys represent the header name as it will be sent over the wire, and
+     * each value is an array of strings associated with the header.
+     *
+     *     // Represent the headers as a string
+     *     foreach ($message->getHeaders() as $name => $values) {
+     *         echo $name . ": " . implode(", ", $values);
+     *     }
+     *
+     *     // Emit headers iteratively:
+     *     foreach ($message->getHeaders() as $name => $values) {
+     *         foreach ($values as $value) {
+     *             header(sprintf('%s: %s', $name, $value), false);
+     *         }
+     *     }
+     *
+     * While header names are not case-sensitive, getHeaders() will preserve the
+     * exact case in which headers were originally specified.
+     *
+     * @return string[][] Returns an associative array of the message's headers. Each
+     *     key MUST be a header name, and each value MUST be an array of strings
+     *     for that header.
+     */
+    public function getHeaders();
+
+    /**
+     * Checks if a header exists by the given case-insensitive name.
+     *
+     * @param string $name Case-insensitive header field name.
+     * @return bool Returns true if any header names match the given header
+     *     name using a case-insensitive string comparison. Returns false if
+     *     no matching header name is found in the message.
+     */
+    public function hasHeader($name);
+
+    /**
+     * Retrieves a message header value by the given case-insensitive name.
+     *
+     * This method returns an array of all the header values of the given
+     * case-insensitive header name.
+     *
+     * If the header does not appear in the message, this method MUST return an
+     * empty array.
+     *
+     * @param string $name Case-insensitive header field name.
+     * @return string[] An array of string values as provided for the given
+     *    header. If the header does not appear in the message, this method MUST
+     *    return an empty array.
+     */
+    public function getHeader($name);
+
+    /**
+     * Retrieves a comma-separated string of the values for a single header.
+     *
+     * This method returns all of the header values of the given
+     * case-insensitive header name as a string concatenated together using
+     * a comma.
+     *
+     * NOTE: Not all header values may be appropriately represented using
+     * comma concatenation. For such headers, use getHeader() instead
+     * and supply your own delimiter when concatenating.
+     *
+     * If the header does not appear in the message, this method MUST return
+     * an empty string.
+     *
+     * @param string $name Case-insensitive header field name.
+     * @return string A string of values as provided for the given header
+     *    concatenated together using a comma. If the header does not appear in
+     *    the message, this method MUST return an empty string.
+     */
+    public function getHeaderLine($name);
+
+    /**
+     * Return an instance with the provided value replacing the specified header.
+     *
+     * While header names are case-insensitive, the casing of the header will
+     * be preserved by this function, and returned from getHeaders().
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * new and/or updated header and value.
+     *
+     * @param string $name Case-insensitive header field name.
+     * @param string|string[] $value Header value(s).
+     * @return static
+     * @throws \InvalidArgumentException for invalid header names or values.
+     */
+    public function withHeader($name, $value);
+
+    /**
+     * Return an instance with the specified header appended with the given value.
+     *
+     * Existing values for the specified header will be maintained. The new
+     * value(s) will be appended to the existing list. If the header did not
+     * exist previously, it will be added.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * new header and/or value.
+     *
+     * @param string $name Case-insensitive header field name to add.
+     * @param string|string[] $value Header value(s).
+     * @return static
+     * @throws \InvalidArgumentException for invalid header names or values.
+     */
+    public function withAddedHeader($name, $value);
+
+    /**
+     * Return an instance without the specified header.
+     *
+     * Header resolution MUST be done without case-sensitivity.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that removes
+     * the named header.
+     *
+     * @param string $name Case-insensitive header field name to remove.
+     * @return static
+     */
+    public function withoutHeader($name);
+
+    /**
+     * Gets the body of the message.
+     *
+     * @return StreamInterface Returns the body as a stream.
+     */
+    public function getBody();
+
+    /**
+     * Return an instance with the specified message body.
+     *
+     * The body MUST be a StreamInterface object.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return a new instance that has the
+     * new body stream.
+     *
+     * @param StreamInterface $body Body.
+     * @return static
+     * @throws \InvalidArgumentException When the body is not valid.
+     */
+    public function withBody(StreamInterface $body);
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/RequestInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/RequestInterface.php
new file mode 100644
index 000000000..a96d4fd63
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/RequestInterface.php
@@ -0,0 +1,129 @@
+<?php
+
+namespace Psr\Http\Message;
+
+/**
+ * Representation of an outgoing, client-side request.
+ *
+ * Per the HTTP specification, this interface includes properties for
+ * each of the following:
+ *
+ * - Protocol version
+ * - HTTP method
+ * - URI
+ * - Headers
+ * - Message body
+ *
+ * During construction, implementations MUST attempt to set the Host header from
+ * a provided URI if no Host header is provided.
+ *
+ * Requests are considered immutable; all methods that might change state MUST
+ * be implemented such that they retain the internal state of the current
+ * message and return an instance that contains the changed state.
+ */
+interface RequestInterface extends MessageInterface
+{
+    /**
+     * Retrieves the message's request target.
+     *
+     * Retrieves the message's request-target either as it will appear (for
+     * clients), as it appeared at request (for servers), or as it was
+     * specified for the instance (see withRequestTarget()).
+     *
+     * In most cases, this will be the origin-form of the composed URI,
+     * unless a value was provided to the concrete implementation (see
+     * withRequestTarget() below).
+     *
+     * If no URI is available, and no request-target has been specifically
+     * provided, this method MUST return the string "/".
+     *
+     * @return string
+     */
+    public function getRequestTarget();
+
+    /**
+     * Return an instance with the specific request-target.
+     *
+     * If the request needs a non-origin-form request-target — e.g., for
+     * specifying an absolute-form, authority-form, or asterisk-form —
+     * this method may be used to create an instance with the specified
+     * request-target, verbatim.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * changed request target.
+     *
+     * @link http://tools.ietf.org/html/rfc7230#section-5.3 (for the various
+     *     request-target forms allowed in request messages)
+     * @param mixed $requestTarget
+     * @return static
+     */
+    public function withRequestTarget($requestTarget);
+
+    /**
+     * Retrieves the HTTP method of the request.
+     *
+     * @return string Returns the request method.
+     */
+    public function getMethod();
+
+    /**
+     * Return an instance with the provided HTTP method.
+     *
+     * While HTTP method names are typically all uppercase characters, HTTP
+     * method names are case-sensitive and thus implementations SHOULD NOT
+     * modify the given string.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * changed request method.
+     *
+     * @param string $method Case-sensitive method.
+     * @return static
+     * @throws \InvalidArgumentException for invalid HTTP methods.
+     */
+    public function withMethod($method);
+
+    /**
+     * Retrieves the URI instance.
+     *
+     * This method MUST return a UriInterface instance.
+     *
+     * @link http://tools.ietf.org/html/rfc3986#section-4.3
+     * @return UriInterface Returns a UriInterface instance
+     *     representing the URI of the request.
+     */
+    public function getUri();
+
+    /**
+     * Returns an instance with the provided URI.
+     *
+     * This method MUST update the Host header of the returned request by
+     * default if the URI contains a host component. If the URI does not
+     * contain a host component, any pre-existing Host header MUST be carried
+     * over to the returned request.
+     *
+     * You can opt-in to preserving the original state of the Host header by
+     * setting `$preserveHost` to `true`. When `$preserveHost` is set to
+     * `true`, this method interacts with the Host header in the following ways:
+     *
+     * - If the Host header is missing or empty, and the new URI contains
+     *   a host component, this method MUST update the Host header in the returned
+     *   request.
+     * - If the Host header is missing or empty, and the new URI does not contain a
+     *   host component, this method MUST NOT update the Host header in the returned
+     *   request.
+     * - If a Host header is present and non-empty, this method MUST NOT update
+     *   the Host header in the returned request.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * new UriInterface instance.
+     *
+     * @link http://tools.ietf.org/html/rfc3986#section-4.3
+     * @param UriInterface $uri New request URI to use.
+     * @param bool $preserveHost Preserve the original state of the Host header.
+     * @return static
+     */
+    public function withUri(UriInterface $uri, $preserveHost = false);
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/ResponseInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/ResponseInterface.php
new file mode 100644
index 000000000..c306514e6
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/ResponseInterface.php
@@ -0,0 +1,68 @@
+<?php
+
+namespace Psr\Http\Message;
+
+/**
+ * Representation of an outgoing, server-side response.
+ *
+ * Per the HTTP specification, this interface includes properties for
+ * each of the following:
+ *
+ * - Protocol version
+ * - Status code and reason phrase
+ * - Headers
+ * - Message body
+ *
+ * Responses are considered immutable; all methods that might change state MUST
+ * be implemented such that they retain the internal state of the current
+ * message and return an instance that contains the changed state.
+ */
+interface ResponseInterface extends MessageInterface
+{
+    /**
+     * Gets the response status code.
+     *
+     * The status code is a 3-digit integer result code of the server's attempt
+     * to understand and satisfy the request.
+     *
+     * @return int Status code.
+     */
+    public function getStatusCode();
+
+    /**
+     * Return an instance with the specified status code and, optionally, reason phrase.
+     *
+     * If no reason phrase is specified, implementations MAY choose to default
+     * to the RFC 7231 or IANA recommended reason phrase for the response's
+     * status code.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * updated status and reason phrase.
+     *
+     * @link http://tools.ietf.org/html/rfc7231#section-6
+     * @link http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
+     * @param int $code The 3-digit integer result code to set.
+     * @param string $reasonPhrase The reason phrase to use with the
+     *     provided status code; if none is provided, implementations MAY
+     *     use the defaults as suggested in the HTTP specification.
+     * @return static
+     * @throws \InvalidArgumentException For invalid status code arguments.
+     */
+    public function withStatus($code, $reasonPhrase = '');
+
+    /**
+     * Gets the response reason phrase associated with the status code.
+     *
+     * Because a reason phrase is not a required element in a response
+     * status line, the reason phrase value MAY be null. Implementations MAY
+     * choose to return the default RFC 7231 recommended reason phrase (or those
+     * listed in the IANA HTTP Status Code Registry) for the response's
+     * status code.
+     *
+     * @link http://tools.ietf.org/html/rfc7231#section-6
+     * @link http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
+     * @return string Reason phrase; must return an empty string if none present.
+     */
+    public function getReasonPhrase();
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/ServerRequestInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/ServerRequestInterface.php
new file mode 100644
index 000000000..02512340a
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/ServerRequestInterface.php
@@ -0,0 +1,261 @@
+<?php
+
+namespace Psr\Http\Message;
+
+/**
+ * Representation of an incoming, server-side HTTP request.
+ *
+ * Per the HTTP specification, this interface includes properties for
+ * each of the following:
+ *
+ * - Protocol version
+ * - HTTP method
+ * - URI
+ * - Headers
+ * - Message body
+ *
+ * Additionally, it encapsulates all data as it has arrived to the
+ * application from the CGI and/or PHP environment, including:
+ *
+ * - The values represented in $_SERVER.
+ * - Any cookies provided (generally via $_COOKIE)
+ * - Query string arguments (generally via $_GET, or as parsed via parse_str())
+ * - Upload files, if any (as represented by $_FILES)
+ * - Deserialized body parameters (generally from $_POST)
+ *
+ * $_SERVER values MUST be treated as immutable, as they represent application
+ * state at the time of request; as such, no methods are provided to allow
+ * modification of those values. The other values provide such methods, as they
+ * can be restored from $_SERVER or the request body, and may need treatment
+ * during the application (e.g., body parameters may be deserialized based on
+ * content type).
+ *
+ * Additionally, this interface recognizes the utility of introspecting a
+ * request to derive and match additional parameters (e.g., via URI path
+ * matching, decrypting cookie values, deserializing non-form-encoded body
+ * content, matching authorization headers to users, etc). These parameters
+ * are stored in an "attributes" property.
+ *
+ * Requests are considered immutable; all methods that might change state MUST
+ * be implemented such that they retain the internal state of the current
+ * message and return an instance that contains the changed state.
+ */
+interface ServerRequestInterface extends RequestInterface
+{
+    /**
+     * Retrieve server parameters.
+     *
+     * Retrieves data related to the incoming request environment,
+     * typically derived from PHP's $_SERVER superglobal. The data IS NOT
+     * REQUIRED to originate from $_SERVER.
+     *
+     * @return array
+     */
+    public function getServerParams();
+
+    /**
+     * Retrieve cookies.
+     *
+     * Retrieves cookies sent by the client to the server.
+     *
+     * The data MUST be compatible with the structure of the $_COOKIE
+     * superglobal.
+     *
+     * @return array
+     */
+    public function getCookieParams();
+
+    /**
+     * Return an instance with the specified cookies.
+     *
+     * The data IS NOT REQUIRED to come from the $_COOKIE superglobal, but MUST
+     * be compatible with the structure of $_COOKIE. Typically, this data will
+     * be injected at instantiation.
+     *
+     * This method MUST NOT update the related Cookie header of the request
+     * instance, nor related values in the server params.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * updated cookie values.
+     *
+     * @param array $cookies Array of key/value pairs representing cookies.
+     * @return static
+     */
+    public function withCookieParams(array $cookies);
+
+    /**
+     * Retrieve query string arguments.
+     *
+     * Retrieves the deserialized query string arguments, if any.
+     *
+     * Note: the query params might not be in sync with the URI or server
+     * params. If you need to ensure you are only getting the original
+     * values, you may need to parse the query string from `getUri()->getQuery()`
+     * or from the `QUERY_STRING` server param.
+     *
+     * @return array
+     */
+    public function getQueryParams();
+
+    /**
+     * Return an instance with the specified query string arguments.
+     *
+     * These values SHOULD remain immutable over the course of the incoming
+     * request. They MAY be injected during instantiation, such as from PHP's
+     * $_GET superglobal, or MAY be derived from some other value such as the
+     * URI. In cases where the arguments are parsed from the URI, the data
+     * MUST be compatible with what PHP's parse_str() would return for
+     * purposes of how duplicate query parameters are handled, and how nested
+     * sets are handled.
+     *
+     * Setting query string arguments MUST NOT change the URI stored by the
+     * request, nor the values in the server params.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * updated query string arguments.
+     *
+     * @param array $query Array of query string arguments, typically from
+     *     $_GET.
+     * @return static
+     */
+    public function withQueryParams(array $query);
+
+    /**
+     * Retrieve normalized file upload data.
+     *
+     * This method returns upload metadata in a normalized tree, with each leaf
+     * an instance of Psr\Http\Message\UploadedFileInterface.
+     *
+     * These values MAY be prepared from $_FILES or the message body during
+     * instantiation, or MAY be injected via withUploadedFiles().
+     *
+     * @return array An array tree of UploadedFileInterface instances; an empty
+     *     array MUST be returned if no data is present.
+     */
+    public function getUploadedFiles();
+
+    /**
+     * Create a new instance with the specified uploaded files.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * updated body parameters.
+     *
+     * @param array $uploadedFiles An array tree of UploadedFileInterface instances.
+     * @return static
+     * @throws \InvalidArgumentException if an invalid structure is provided.
+     */
+    public function withUploadedFiles(array $uploadedFiles);
+
+    /**
+     * Retrieve any parameters provided in the request body.
+     *
+     * If the request Content-Type is either application/x-www-form-urlencoded
+     * or multipart/form-data, and the request method is POST, this method MUST
+     * return the contents of $_POST.
+     *
+     * Otherwise, this method may return any results of deserializing
+     * the request body content; as parsing returns structured content, the
+     * potential types MUST be arrays or objects only. A null value indicates
+     * the absence of body content.
+     *
+     * @return null|array|object The deserialized body parameters, if any.
+     *     These will typically be an array or object.
+     */
+    public function getParsedBody();
+
+    /**
+     * Return an instance with the specified body parameters.
+     *
+     * These MAY be injected during instantiation.
+     *
+     * If the request Content-Type is either application/x-www-form-urlencoded
+     * or multipart/form-data, and the request method is POST, use this method
+     * ONLY to inject the contents of $_POST.
+     *
+     * The data IS NOT REQUIRED to come from $_POST, but MUST be the results of
+     * deserializing the request body content. Deserialization/parsing returns
+     * structured data, and, as such, this method ONLY accepts arrays or objects,
+     * or a null value if nothing was available to parse.
+     *
+     * As an example, if content negotiation determines that the request data
+     * is a JSON payload, this method could be used to create a request
+     * instance with the deserialized parameters.
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * updated body parameters.
+     *
+     * @param null|array|object $data The deserialized body data. This will
+     *     typically be in an array or object.
+     * @return static
+     * @throws \InvalidArgumentException if an unsupported argument type is
+     *     provided.
+     */
+    public function withParsedBody($data);
+
+    /**
+     * Retrieve attributes derived from the request.
+     *
+     * The request "attributes" may be used to allow injection of any
+     * parameters derived from the request: e.g., the results of path
+     * match operations; the results of decrypting cookies; the results of
+     * deserializing non-form-encoded message bodies; etc. Attributes
+     * will be application and request specific, and CAN be mutable.
+     *
+     * @return array Attributes derived from the request.
+     */
+    public function getAttributes();
+
+    /**
+     * Retrieve a single derived request attribute.
+     *
+     * Retrieves a single derived request attribute as described in
+     * getAttributes(). If the attribute has not been previously set, returns
+     * the default value as provided.
+     *
+     * This method obviates the need for a hasAttribute() method, as it allows
+     * specifying a default value to return if the attribute is not found.
+     *
+     * @see getAttributes()
+     * @param string $name The attribute name.
+     * @param mixed $default Default value to return if the attribute does not exist.
+     * @return mixed
+     */
+    public function getAttribute($name, $default = null);
+
+    /**
+     * Return an instance with the specified derived request attribute.
+     *
+     * This method allows setting a single derived request attribute as
+     * described in getAttributes().
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that has the
+     * updated attribute.
+     *
+     * @see getAttributes()
+     * @param string $name The attribute name.
+     * @param mixed $value The value of the attribute.
+     * @return static
+     */
+    public function withAttribute($name, $value);
+
+    /**
+     * Return an instance that removes the specified derived request attribute.
+     *
+     * This method allows removing a single derived request attribute as
+     * described in getAttributes().
+     *
+     * This method MUST be implemented in such a way as to retain the
+     * immutability of the message, and MUST return an instance that removes
+     * the attribute.
+     *
+     * @see getAttributes()
+     * @param string $name The attribute name.
+     * @return static
+     */
+    public function withoutAttribute($name);
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/StreamInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/StreamInterface.php
new file mode 100644
index 000000000..f68f39126
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/StreamInterface.php
@@ -0,0 +1,158 @@
+<?php
+
+namespace Psr\Http\Message;
+
+/**
+ * Describes a data stream.
+ *
+ * Typically, an instance will wrap a PHP stream; this interface provides
+ * a wrapper around the most common operations, including serialization of
+ * the entire stream to a string.
+ */
+interface StreamInterface
+{
+    /**
+     * Reads all data from the stream into a string, from the beginning to end.
+     *
+     * This method MUST attempt to seek to the beginning of the stream before
+     * reading data and read the stream until the end is reached.
+     *
+     * Warning: This could attempt to load a large amount of data into memory.
+     *
+     * This method MUST NOT raise an exception in order to conform with PHP's
+     * string casting operations.
+     *
+     * @see http://php.net/manual/en/language.oop5.magic.php#object.tostring
+     * @return string
+     */
+    public function __toString();
+
+    /**
+     * Closes the stream and any underlying resources.
+     *
+     * @return void
+     */
+    public function close();
+
+    /**
+     * Separates any underlying resources from the stream.
+     *
+     * After the stream has been detached, the stream is in an unusable state.
+     *
+     * @return resource|null Underlying PHP stream, if any
+     */
+    public function detach();
+
+    /**
+     * Get the size of the stream if known.
+     *
+     * @return int|null Returns the size in bytes if known, or null if unknown.
+     */
+    public function getSize();
+
+    /**
+     * Returns the current position of the file read/write pointer
+     *
+     * @return int Position of the file pointer
+     * @throws \RuntimeException on error.
+     */
+    public function tell();
+
+    /**
+     * Returns true if the stream is at the end of the stream.
+     *
+     * @return bool
+     */
+    public function eof();
+
+    /**
+     * Returns whether or not the stream is seekable.
+     *
+     * @return bool
+     */
+    public function isSeekable();
+
+    /**
+     * Seek to a position in the stream.
+     *
+     * @link http://www.php.net/manual/en/function.fseek.php
+     * @param int $offset Stream offset
+     * @param int $whence Specifies how the cursor position will be calculated
+     *     based on the seek offset. Valid values are identical to the built-in
+     *     PHP $whence values for `fseek()`.  SEEK_SET: Set position equal to
+     *     offset bytes SEEK_CUR: Set position to current location plus offset
+     *     SEEK_END: Set position to end-of-stream plus offset.
+     * @throws \RuntimeException on failure.
+     */
+    public function seek($offset, $whence = SEEK_SET);
+
+    /**
+     * Seek to the beginning of the stream.
+     *
+     * If the stream is not seekable, this method will raise an exception;
+     * otherwise, it will perform a seek(0).
+     *
+     * @see seek()
+     * @link http://www.php.net/manual/en/function.fseek.php
+     * @throws \RuntimeException on failure.
+     */
+    public function rewind();
+
+    /**
+     * Returns whether or not the stream is writable.
+     *
+     * @return bool
+     */
+    public function isWritable();
+
+    /**
+     * Write data to the stream.
+     *
+     * @param string $string The string that is to be written.
+     * @return int Returns the number of bytes written to the stream.
+     * @throws \RuntimeException on failure.
+     */
+    public function write($string);
+
+    /**
+     * Returns whether or not the stream is readable.
+     *
+     * @return bool
+     */
+    public function isReadable();
+
+    /**
+     * Read data from the stream.
+     *
+     * @param int $length Read up to $length bytes from the object and return
+     *     them. Fewer than $length bytes may be returned if underlying stream
+     *     call returns fewer bytes.
+     * @return string Returns the data read from the stream, or an empty string
+     *     if no bytes are available.
+     * @throws \RuntimeException if an error occurs.
+     */
+    public function read($length);
+
+    /**
+     * Returns the remaining contents in a string
+     *
+     * @return string
+     * @throws \RuntimeException if unable to read or an error occurs while
+     *     reading.
+     */
+    public function getContents();
+
+    /**
+     * Get stream metadata as an associative array or retrieve a specific key.
+     *
+     * The keys returned are identical to the keys returned from PHP's
+     * stream_get_meta_data() function.
+     *
+     * @link http://php.net/manual/en/function.stream-get-meta-data.php
+     * @param string $key Specific metadata to retrieve.
+     * @return array|mixed|null Returns an associative array if no key is
+     *     provided. Returns a specific key value if a key is provided and the
+     *     value is found, or null if the key is not found.
+     */
+    public function getMetadata($key = null);
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/UploadedFileInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/UploadedFileInterface.php
new file mode 100644
index 000000000..f8a6901e0
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/UploadedFileInterface.php
@@ -0,0 +1,123 @@
+<?php
+
+namespace Psr\Http\Message;
+
+/**
+ * Value object representing a file uploaded through an HTTP request.
+ *
+ * Instances of this interface are considered immutable; all methods that
+ * might change state MUST be implemented such that they retain the internal
+ * state of the current instance and return an instance that contains the
+ * changed state.
+ */
+interface UploadedFileInterface
+{
+    /**
+     * Retrieve a stream representing the uploaded file.
+     *
+     * This method MUST return a StreamInterface instance, representing the
+     * uploaded file. The purpose of this method is to allow utilizing native PHP
+     * stream functionality to manipulate the file upload, such as
+     * stream_copy_to_stream() (though the result will need to be decorated in a
+     * native PHP stream wrapper to work with such functions).
+     *
+     * If the moveTo() method has been called previously, this method MUST raise
+     * an exception.
+     *
+     * @return StreamInterface Stream representation of the uploaded file.
+     * @throws \RuntimeException in cases when no stream is available or can be
+     *     created.
+     */
+    public function getStream();
+
+    /**
+     * Move the uploaded file to a new location.
+     *
+     * Use this method as an alternative to move_uploaded_file(). This method is
+     * guaranteed to work in both SAPI and non-SAPI environments.
+     * Implementations must determine which environment they are in, and use the
+     * appropriate method (move_uploaded_file(), rename(), or a stream
+     * operation) to perform the operation.
+     *
+     * $targetPath may be an absolute path, or a relative path. If it is a
+     * relative path, resolution should be the same as used by PHP's rename()
+     * function.
+     *
+     * The original file or stream MUST be removed on completion.
+     *
+     * If this method is called more than once, any subsequent calls MUST raise
+     * an exception.
+     *
+     * When used in an SAPI environment where $_FILES is populated, when writing
+     * files via moveTo(), is_uploaded_file() and move_uploaded_file() SHOULD be
+     * used to ensure permissions and upload status are verified correctly.
+     *
+     * If you wish to move to a stream, use getStream(), as SAPI operations
+     * cannot guarantee writing to stream destinations.
+     *
+     * @see http://php.net/is_uploaded_file
+     * @see http://php.net/move_uploaded_file
+     * @param string $targetPath Path to which to move the uploaded file.
+     * @throws \InvalidArgumentException if the $targetPath specified is invalid.
+     * @throws \RuntimeException on any error during the move operation, or on
+     *     the second or subsequent call to the method.
+     */
+    public function moveTo($targetPath);
+    
+    /**
+     * Retrieve the file size.
+     *
+     * Implementations SHOULD return the value stored in the "size" key of
+     * the file in the $_FILES array if available, as PHP calculates this based
+     * on the actual size transmitted.
+     *
+     * @return int|null The file size in bytes or null if unknown.
+     */
+    public function getSize();
+    
+    /**
+     * Retrieve the error associated with the uploaded file.
+     *
+     * The return value MUST be one of PHP's UPLOAD_ERR_XXX constants.
+     *
+     * If the file was uploaded successfully, this method MUST return
+     * UPLOAD_ERR_OK.
+     *
+     * Implementations SHOULD return the value stored in the "error" key of
+     * the file in the $_FILES array.
+     *
+     * @see http://php.net/manual/en/features.file-upload.errors.php
+     * @return int One of PHP's UPLOAD_ERR_XXX constants.
+     */
+    public function getError();
+    
+    /**
+     * Retrieve the filename sent by the client.
+     *
+     * Do not trust the value returned by this method. A client could send
+     * a malicious filename with the intention to corrupt or hack your
+     * application.
+     *
+     * Implementations SHOULD return the value stored in the "name" key of
+     * the file in the $_FILES array.
+     *
+     * @return string|null The filename sent by the client or null if none
+     *     was provided.
+     */
+    public function getClientFilename();
+    
+    /**
+     * Retrieve the media type sent by the client.
+     *
+     * Do not trust the value returned by this method. A client could send
+     * a malicious media type with the intention to corrupt or hack your
+     * application.
+     *
+     * Implementations SHOULD return the value stored in the "type" key of
+     * the file in the $_FILES array.
+     *
+     * @return string|null The media type sent by the client or null if none
+     *     was provided.
+     */
+    public function getClientMediaType();
+}
diff --git a/data/web/inc/lib/vendor/psr/http-message/src/UriInterface.php b/data/web/inc/lib/vendor/psr/http-message/src/UriInterface.php
new file mode 100644
index 000000000..9d7ab9eae
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/http-message/src/UriInterface.php
@@ -0,0 +1,323 @@
+<?php
+namespace Psr\Http\Message;
+
+/**
+ * Value object representing a URI.
+ *
+ * This interface is meant to represent URIs according to RFC 3986 and to
+ * provide methods for most common operations. Additional functionality for
+ * working with URIs can be provided on top of the interface or externally.
+ * Its primary use is for HTTP requests, but may also be used in other
+ * contexts.
+ *
+ * Instances of this interface are considered immutable; all methods that
+ * might change state MUST be implemented such that they retain the internal
+ * state of the current instance and return an instance that contains the
+ * changed state.
+ *
+ * Typically the Host header will be also be present in the request message.
+ * For server-side requests, the scheme will typically be discoverable in the
+ * server parameters.
+ *
+ * @link http://tools.ietf.org/html/rfc3986 (the URI specification)
+ */
+interface UriInterface
+{
+    /**
+     * Retrieve the scheme component of the URI.
+     *
+     * If no scheme is present, this method MUST return an empty string.
+     *
+     * The value returned MUST be normalized to lowercase, per RFC 3986
+     * Section 3.1.
+     *
+     * The trailing ":" character is not part of the scheme and MUST NOT be
+     * added.
+     *
+     * @see https://tools.ietf.org/html/rfc3986#section-3.1
+     * @return string The URI scheme.
+     */
+    public function getScheme();
+
+    /**
+     * Retrieve the authority component of the URI.
+     *
+     * If no authority information is present, this method MUST return an empty
+     * string.
+     *
+     * The authority syntax of the URI is:
+     *
+     * <pre>
+     * [user-info@]host[:port]
+     * </pre>
+     *
+     * If the port component is not set or is the standard port for the current
+     * scheme, it SHOULD NOT be included.
+     *
+     * @see https://tools.ietf.org/html/rfc3986#section-3.2
+     * @return string The URI authority, in "[user-info@]host[:port]" format.
+     */
+    public function getAuthority();
+
+    /**
+     * Retrieve the user information component of the URI.
+     *
+     * If no user information is present, this method MUST return an empty
+     * string.
+     *
+     * If a user is present in the URI, this will return that value;
+     * additionally, if the password is also present, it will be appended to the
+     * user value, with a colon (":") separating the values.
+     *
+     * The trailing "@" character is not part of the user information and MUST
+     * NOT be added.
+     *
+     * @return string The URI user information, in "username[:password]" format.
+     */
+    public function getUserInfo();
+
+    /**
+     * Retrieve the host component of the URI.
+     *
+     * If no host is present, this method MUST return an empty string.
+     *
+     * The value returned MUST be normalized to lowercase, per RFC 3986
+     * Section 3.2.2.
+     *
+     * @see http://tools.ietf.org/html/rfc3986#section-3.2.2
+     * @return string The URI host.
+     */
+    public function getHost();
+
+    /**
+     * Retrieve the port component of the URI.
+     *
+     * If a port is present, and it is non-standard for the current scheme,
+     * this method MUST return it as an integer. If the port is the standard port
+     * used with the current scheme, this method SHOULD return null.
+     *
+     * If no port is present, and no scheme is present, this method MUST return
+     * a null value.
+     *
+     * If no port is present, but a scheme is present, this method MAY return
+     * the standard port for that scheme, but SHOULD return null.
+     *
+     * @return null|int The URI port.
+     */
+    public function getPort();
+
+    /**
+     * Retrieve the path component of the URI.
+     *
+     * The path can either be empty or absolute (starting with a slash) or
+     * rootless (not starting with a slash). Implementations MUST support all
+     * three syntaxes.
+     *
+     * Normally, the empty path "" and absolute path "/" are considered equal as
+     * defined in RFC 7230 Section 2.7.3. But this method MUST NOT automatically
+     * do this normalization because in contexts with a trimmed base path, e.g.
+     * the front controller, this difference becomes significant. It's the task
+     * of the user to handle both "" and "/".
+     *
+     * The value returned MUST be percent-encoded, but MUST NOT double-encode
+     * any characters. To determine what characters to encode, please refer to
+     * RFC 3986, Sections 2 and 3.3.
+     *
+     * As an example, if the value should include a slash ("/") not intended as
+     * delimiter between path segments, that value MUST be passed in encoded
+     * form (e.g., "%2F") to the instance.
+     *
+     * @see https://tools.ietf.org/html/rfc3986#section-2
+     * @see https://tools.ietf.org/html/rfc3986#section-3.3
+     * @return string The URI path.
+     */
+    public function getPath();
+
+    /**
+     * Retrieve the query string of the URI.
+     *
+     * If no query string is present, this method MUST return an empty string.
+     *
+     * The leading "?" character is not part of the query and MUST NOT be
+     * added.
+     *
+     * The value returned MUST be percent-encoded, but MUST NOT double-encode
+     * any characters. To determine what characters to encode, please refer to
+     * RFC 3986, Sections 2 and 3.4.
+     *
+     * As an example, if a value in a key/value pair of the query string should
+     * include an ampersand ("&") not intended as a delimiter between values,
+     * that value MUST be passed in encoded form (e.g., "%26") to the instance.
+     *
+     * @see https://tools.ietf.org/html/rfc3986#section-2
+     * @see https://tools.ietf.org/html/rfc3986#section-3.4
+     * @return string The URI query string.
+     */
+    public function getQuery();
+
+    /**
+     * Retrieve the fragment component of the URI.
+     *
+     * If no fragment is present, this method MUST return an empty string.
+     *
+     * The leading "#" character is not part of the fragment and MUST NOT be
+     * added.
+     *
+     * The value returned MUST be percent-encoded, but MUST NOT double-encode
+     * any characters. To determine what characters to encode, please refer to
+     * RFC 3986, Sections 2 and 3.5.
+     *
+     * @see https://tools.ietf.org/html/rfc3986#section-2
+     * @see https://tools.ietf.org/html/rfc3986#section-3.5
+     * @return string The URI fragment.
+     */
+    public function getFragment();
+
+    /**
+     * Return an instance with the specified scheme.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified scheme.
+     *
+     * Implementations MUST support the schemes "http" and "https" case
+     * insensitively, and MAY accommodate other schemes if required.
+     *
+     * An empty scheme is equivalent to removing the scheme.
+     *
+     * @param string $scheme The scheme to use with the new instance.
+     * @return static A new instance with the specified scheme.
+     * @throws \InvalidArgumentException for invalid or unsupported schemes.
+     */
+    public function withScheme($scheme);
+
+    /**
+     * Return an instance with the specified user information.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified user information.
+     *
+     * Password is optional, but the user information MUST include the
+     * user; an empty string for the user is equivalent to removing user
+     * information.
+     *
+     * @param string $user The user name to use for authority.
+     * @param null|string $password The password associated with $user.
+     * @return static A new instance with the specified user information.
+     */
+    public function withUserInfo($user, $password = null);
+
+    /**
+     * Return an instance with the specified host.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified host.
+     *
+     * An empty host value is equivalent to removing the host.
+     *
+     * @param string $host The hostname to use with the new instance.
+     * @return static A new instance with the specified host.
+     * @throws \InvalidArgumentException for invalid hostnames.
+     */
+    public function withHost($host);
+
+    /**
+     * Return an instance with the specified port.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified port.
+     *
+     * Implementations MUST raise an exception for ports outside the
+     * established TCP and UDP port ranges.
+     *
+     * A null value provided for the port is equivalent to removing the port
+     * information.
+     *
+     * @param null|int $port The port to use with the new instance; a null value
+     *     removes the port information.
+     * @return static A new instance with the specified port.
+     * @throws \InvalidArgumentException for invalid ports.
+     */
+    public function withPort($port);
+
+    /**
+     * Return an instance with the specified path.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified path.
+     *
+     * The path can either be empty or absolute (starting with a slash) or
+     * rootless (not starting with a slash). Implementations MUST support all
+     * three syntaxes.
+     *
+     * If the path is intended to be domain-relative rather than path relative then
+     * it must begin with a slash ("/"). Paths not starting with a slash ("/")
+     * are assumed to be relative to some base path known to the application or
+     * consumer.
+     *
+     * Users can provide both encoded and decoded path characters.
+     * Implementations ensure the correct encoding as outlined in getPath().
+     *
+     * @param string $path The path to use with the new instance.
+     * @return static A new instance with the specified path.
+     * @throws \InvalidArgumentException for invalid paths.
+     */
+    public function withPath($path);
+
+    /**
+     * Return an instance with the specified query string.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified query string.
+     *
+     * Users can provide both encoded and decoded query characters.
+     * Implementations ensure the correct encoding as outlined in getQuery().
+     *
+     * An empty query string value is equivalent to removing the query string.
+     *
+     * @param string $query The query string to use with the new instance.
+     * @return static A new instance with the specified query string.
+     * @throws \InvalidArgumentException for invalid query strings.
+     */
+    public function withQuery($query);
+
+    /**
+     * Return an instance with the specified URI fragment.
+     *
+     * This method MUST retain the state of the current instance, and return
+     * an instance that contains the specified URI fragment.
+     *
+     * Users can provide both encoded and decoded fragment characters.
+     * Implementations ensure the correct encoding as outlined in getFragment().
+     *
+     * An empty fragment value is equivalent to removing the fragment.
+     *
+     * @param string $fragment The fragment to use with the new instance.
+     * @return static A new instance with the specified fragment.
+     */
+    public function withFragment($fragment);
+
+    /**
+     * Return the string representation as a URI reference.
+     *
+     * Depending on which components of the URI are present, the resulting
+     * string is either a full URI or relative reference according to RFC 3986,
+     * Section 4.1. The method concatenates the various components of the URI,
+     * using the appropriate delimiters:
+     *
+     * - If a scheme is present, it MUST be suffixed by ":".
+     * - If an authority is present, it MUST be prefixed by "//".
+     * - The path can be concatenated without delimiters. But there are two
+     *   cases where the path has to be adjusted to make the URI reference
+     *   valid as PHP does not allow to throw an exception in __toString():
+     *     - If the path is rootless and an authority is present, the path MUST
+     *       be prefixed by "/".
+     *     - If the path is starting with more than one "/" and no authority is
+     *       present, the starting slashes MUST be reduced to one.
+     * - If a query is present, it MUST be prefixed by "?".
+     * - If a fragment is present, it MUST be prefixed by "#".
+     *
+     * @see http://tools.ietf.org/html/rfc3986#section-4.1
+     * @return string
+     */
+    public function __toString();
+}
diff --git a/data/web/inc/lib/vendor/ralouphie/getallheaders/LICENSE b/data/web/inc/lib/vendor/ralouphie/getallheaders/LICENSE
new file mode 100644
index 000000000..be5540c2a
--- /dev/null
+++ b/data/web/inc/lib/vendor/ralouphie/getallheaders/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Ralph Khattar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/data/web/inc/lib/vendor/ralouphie/getallheaders/README.md b/data/web/inc/lib/vendor/ralouphie/getallheaders/README.md
new file mode 100644
index 000000000..9430d76bb
--- /dev/null
+++ b/data/web/inc/lib/vendor/ralouphie/getallheaders/README.md
@@ -0,0 +1,27 @@
+getallheaders
+=============
+
+PHP `getallheaders()` polyfill. Compatible with PHP >= 5.3.
+
+[![Build Status](https://travis-ci.org/ralouphie/getallheaders.svg?branch=master)](https://travis-ci.org/ralouphie/getallheaders)
+[![Coverage Status](https://coveralls.io/repos/ralouphie/getallheaders/badge.png?branch=master)](https://coveralls.io/r/ralouphie/getallheaders?branch=master)
+[![Latest Stable Version](https://poser.pugx.org/ralouphie/getallheaders/v/stable.png)](https://packagist.org/packages/ralouphie/getallheaders)
+[![Latest Unstable Version](https://poser.pugx.org/ralouphie/getallheaders/v/unstable.png)](https://packagist.org/packages/ralouphie/getallheaders)
+[![License](https://poser.pugx.org/ralouphie/getallheaders/license.png)](https://packagist.org/packages/ralouphie/getallheaders)
+
+
+This is a simple polyfill for [`getallheaders()`](http://www.php.net/manual/en/function.getallheaders.php).
+
+## Install
+
+For PHP version **`>= 5.6`**:
+
+```
+composer require ralouphie/getallheaders
+```
+
+For PHP version **`< 5.6`**:
+
+```
+composer require ralouphie/getallheaders "^2"
+```
diff --git a/data/web/inc/lib/vendor/ralouphie/getallheaders/composer.json b/data/web/inc/lib/vendor/ralouphie/getallheaders/composer.json
new file mode 100644
index 000000000..de8ce62e4
--- /dev/null
+++ b/data/web/inc/lib/vendor/ralouphie/getallheaders/composer.json
@@ -0,0 +1,26 @@
+{
+	"name": "ralouphie/getallheaders",
+	"description": "A polyfill for getallheaders.",
+	"license": "MIT",
+	"authors": [
+		{
+			"name": "Ralph Khattar",
+			"email": "ralph.khattar@gmail.com"
+		}
+	],
+	"require": {
+		"php": ">=5.6"
+	},
+	"require-dev": {
+		"phpunit/phpunit": "^5 || ^6.5",
+		"php-coveralls/php-coveralls": "^2.1"
+	},
+	"autoload": {
+		"files": ["src/getallheaders.php"]
+	},
+	"autoload-dev": {
+		"psr-4": {
+			"getallheaders\\Tests\\": "tests/"
+		}
+	}
+}
diff --git a/data/web/inc/lib/vendor/ralouphie/getallheaders/src/getallheaders.php b/data/web/inc/lib/vendor/ralouphie/getallheaders/src/getallheaders.php
new file mode 100644
index 000000000..c7285a5ba
--- /dev/null
+++ b/data/web/inc/lib/vendor/ralouphie/getallheaders/src/getallheaders.php
@@ -0,0 +1,46 @@
+<?php
+
+if (!function_exists('getallheaders')) {
+
+    /**
+     * Get all HTTP header key/values as an associative array for the current request.
+     *
+     * @return string[string] The HTTP header key/value pairs.
+     */
+    function getallheaders()
+    {
+        $headers = array();
+
+        $copy_server = array(
+            'CONTENT_TYPE'   => 'Content-Type',
+            'CONTENT_LENGTH' => 'Content-Length',
+            'CONTENT_MD5'    => 'Content-Md5',
+        );
+
+        foreach ($_SERVER as $key => $value) {
+            if (substr($key, 0, 5) === 'HTTP_') {
+                $key = substr($key, 5);
+                if (!isset($copy_server[$key]) || !isset($_SERVER[$key])) {
+                    $key = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', $key))));
+                    $headers[$key] = $value;
+                }
+            } elseif (isset($copy_server[$key])) {
+                $headers[$copy_server[$key]] = $value;
+            }
+        }
+
+        if (!isset($headers['Authorization'])) {
+            if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+                $headers['Authorization'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
+            } elseif (isset($_SERVER['PHP_AUTH_USER'])) {
+                $basic_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
+                $headers['Authorization'] = 'Basic ' . base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $basic_pass);
+            } elseif (isset($_SERVER['PHP_AUTH_DIGEST'])) {
+                $headers['Authorization'] = $_SERVER['PHP_AUTH_DIGEST'];
+            }
+        }
+
+        return $headers;
+    }
+
+}
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.gitignore b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.gitignore
new file mode 100644
index 000000000..e8c7cb69e
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.gitignore
@@ -0,0 +1,4 @@
+/build
+/vendor
+composer.phar
+composer.lock
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.scrutinizer.yml b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.scrutinizer.yml
new file mode 100644
index 000000000..1f831e850
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.scrutinizer.yml
@@ -0,0 +1,35 @@
+filter:
+    excluded_paths: [test/*]
+checks:
+    php:
+        code_rating: true
+        remove_extra_empty_lines: true
+        remove_php_closing_tag: true
+        remove_trailing_whitespace: true
+        fix_use_statements:
+            remove_unused: true
+            preserve_multiple: false
+            preserve_blanklines: true
+            order_alphabetically: true
+        fix_php_opening_tag: true
+        fix_linefeed: true
+        fix_line_ending: true
+        fix_identation_4spaces: true
+        fix_doc_comments: true
+tools:
+    external_code_coverage:
+        timeout: 600
+        runs: 2
+    php_analyzer: true
+    php_code_coverage: false
+    php_code_sniffer:
+        config:
+            standard: PSR2
+        filter:
+            paths: ['src']
+    php_loc:
+        enabled: true
+        excluded_dirs: [examples, vendor, test]
+    php_cpd:
+        enabled: true
+        excluded_dirs: [examples, vendor, test]
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml
new file mode 100644
index 000000000..87831a56c
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml
@@ -0,0 +1,26 @@
+language: php
+
+sudo: false
+
+php:
+  - 5.6
+  - 7.0
+  - 7.1
+
+matrix:
+  include:
+    - php: 5.6
+      env: 'COMPOSER_FLAGS="--prefer-stable --prefer-lowest"'
+
+before_script:
+  - travis_retry composer self-update
+  - travis_retry composer install --no-interaction --prefer-source --dev
+  - travis_retry phpenv rehash
+
+script:
+  - ./vendor/bin/phpcs --standard=psr2 src/
+  - ./vendor/bin/phpunit --coverage-text --coverage-clover=coverage.clover
+
+after_script:
+  - wget https://scrutinizer-ci.com/ocular.phar
+  - php ocular.phar code-coverage:upload --format=php-clover coverage.clover
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CHANGELOG.md b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CHANGELOG.md
new file mode 100644
index 000000000..e1990de3b
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CHANGELOG.md
@@ -0,0 +1,74 @@
+# Changelog
+All Notable changes to `oauth2-keycloak` will be documented in this file
+
+## 2.1.0 - 2018-03-12
+
+### Added
+- Introduce `getLogoutUrl` method on provider to build and return and authorized logout url - thanks @FlxPeters
+
+### Deprecated
+- Nothing
+
+### Fixed
+- Nothing
+
+### Removed
+- Nothing
+
+### Security
+- Nothing
+
+## 2.0.0 - 2017-01-25
+
+### Added
+- PHP 7.1 Support
+
+### Deprecated
+- Nothing
+
+### Fixed
+- Nothing
+
+### Removed
+- PHP 5.5 Support
+
+### Security
+- Nothing
+
+## 1.0.0 - 2017-01-25
+
+Bump for base package parity
+
+## 0.2.0 - 2016-12-07
+
+### Added
+- JSON Web Token decryption support
+
+### Deprecated
+- Nothing
+
+### Fixed
+- Nothing
+
+### Removed
+- Nothing
+
+### Security
+- Nothing
+
+## 0.1.0 - 2015-08-31
+
+### Added
+- Initial release!
+
+### Deprecated
+- Nothing
+
+### Fixed
+- Nothing
+
+### Removed
+- Nothing
+
+### Security
+- Nothing
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CONTRIBUTING.md b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CONTRIBUTING.md
new file mode 100644
index 000000000..e1e078197
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/CONTRIBUTING.md
@@ -0,0 +1,42 @@
+# Contributing
+
+Contributions are **welcome** and will be fully **credited**.
+
+We accept contributions via Pull Requests on [Github](https://github.com/stevenmaguire/oauth2-keycloak).
+
+
+## Pull Requests
+
+- **[PSR-2 Coding Standard](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md)** - The easiest way to apply the conventions is to install [PHP Code Sniffer](http://pear.php.net/package/PHP_CodeSniffer).
+
+- **Add tests!** - Your patch won't be accepted if it doesn't have tests.
+
+- **Document any change in behaviour** - Make sure the README and any other relevant documentation are kept up-to-date.
+
+- **Consider our release cycle** - We try to follow SemVer. Randomly breaking public APIs is not an option.
+
+- **Create topic branches** - Don't ask us to pull from your master branch.
+
+- **One pull request per feature** - If you want to do more than one thing, send multiple pull requests.
+
+- **Send coherent history** - Make sure each individual commit in your pull request is meaningful. If you had to make multiple intermediate commits while developing, please squash them before submitting.
+
+- **Ensure tests pass!** - Please run the tests (see below) before submitting your pull request, and make sure they pass. We won't accept a patch until all tests pass.
+
+- **Ensure no coding standards violations** - Please run PHP Code Sniffer using the PSR-2 standard (see below) before submitting your pull request. A violation will cause the build to fail, so please make sure there are no violations. We can't accept a patch if the build fails.
+
+
+## Running Tests
+
+``` bash
+$ ./vendor/bin/phpunit
+```
+
+
+## Running PHP Code Sniffer
+
+``` bash
+$ ./vendor/bin/phpcs src --standard=psr2 -sp
+```
+
+**Happy coding**!
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/LICENSE b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/LICENSE
new file mode 100644
index 000000000..51455e2dd
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Steven Maguire
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md
new file mode 100644
index 000000000..e050a6d0a
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md
@@ -0,0 +1,175 @@
+# Keycloak Provider for OAuth 2.0 Client
+[![Latest Version](https://img.shields.io/github/release/stevenmaguire/oauth2-keycloak.svg?style=flat-square)](https://github.com/stevenmaguire/oauth2-keycloak/releases)
+[![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
+[![Build Status](https://img.shields.io/travis/stevenmaguire/oauth2-keycloak/master.svg?style=flat-square)](https://travis-ci.org/stevenmaguire/oauth2-keycloak)
+[![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/stevenmaguire/oauth2-keycloak.svg?style=flat-square)](https://scrutinizer-ci.com/g/stevenmaguire/oauth2-keycloak/code-structure)
+[![Quality Score](https://img.shields.io/scrutinizer/g/stevenmaguire/oauth2-keycloak.svg?style=flat-square)](https://scrutinizer-ci.com/g/stevenmaguire/oauth2-keycloak)
+[![Total Downloads](https://img.shields.io/packagist/dt/stevenmaguire/oauth2-keycloak.svg?style=flat-square)](https://packagist.org/packages/stevenmaguire/oauth2-keycloak)
+
+This package provides Keycloak OAuth 2.0 support for the PHP League's [OAuth 2.0 Client](https://github.com/thephpleague/oauth2-client).
+
+## Installation
+
+To install, use composer:
+
+```
+composer require stevenmaguire/oauth2-keycloak
+```
+
+## Usage
+
+Usage is the same as The League's OAuth client, using `\Stevenmaguire\OAuth2\Client\Provider\Keycloak` as the provider.
+
+Use `authServerUrl` to specify the Keycloak server URL. You can lookup the correct value from the Keycloak client installer JSON under `auth-server-url`, eg. `http://localhost:8080/auth`.
+
+Use `realm` to specify the Keycloak realm name. You can lookup the correct value from the Keycloak client installer JSON under `resource`, eg. `master`.
+
+### Authorization Code Flow
+
+```php
+$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    'authServerUrl'         => '{keycloak-server-url}',
+    'realm'                 => '{keycloak-realm}',
+    'clientId'              => '{keycloak-client-id}',
+    'clientSecret'          => '{keycloak-client-secret}',
+    'redirectUri'           => 'https://example.com/callback-url',
+    'encryptionAlgorithm'   => 'RS256',                             // optional
+    'encryptionKeyPath'     => '../key.pem'                         // optional
+    'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+]);
+
+if (!isset($_GET['code'])) {
+
+    // If we don't have an authorization code then get one
+    $authUrl = $provider->getAuthorizationUrl();
+    $_SESSION['oauth2state'] = $provider->getState();
+    header('Location: '.$authUrl);
+    exit;
+
+// Check given state against previously stored one to mitigate CSRF attack
+} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
+
+    unset($_SESSION['oauth2state']);
+    exit('Invalid state, make sure HTTP sessions are enabled.');
+
+} else {
+
+    // Try to get an access token (using the authorization coe grant)
+    try {
+        $token = $provider->getAccessToken('authorization_code', [
+            'code' => $_GET['code']
+        ]);
+    } catch (Exception $e) {
+        exit('Failed to get access token: '.$e->getMessage());
+    }
+
+    // Optional: Now you have a token you can look up a users profile data
+    try {
+
+        // We got an access token, let's now get the user's details
+        $user = $provider->getResourceOwner($token);
+
+        // Use these details to create a new profile
+        printf('Hello %s!', $user->getName());
+
+    } catch (Exception $e) {
+        exit('Failed to get resource owner: '.$e->getMessage());
+    }
+
+    // Use this to interact with an API on the users behalf
+    echo $token->getToken();
+}
+```
+
+### Refreshing a Token
+
+```php
+$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    'authServerUrl'     => '{keycloak-server-url}',
+    'realm'             => '{keycloak-realm}',
+    'clientId'          => '{keycloak-client-id}',
+    'clientSecret'      => '{keycloak-client-secret}',
+    'redirectUri'       => 'https://example.com/callback-url',
+]);
+
+$token = $provider->getAccessToken('refresh_token', ['refresh_token' => $token->getRefreshToken()]);
+```
+
+### Handling encryption
+
+If you've configured your Keycloak instance to use encryption, there are some advanced options available to you.
+
+#### Configure the provider to use the same encryption algorithm
+
+```php
+$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    // ...
+    'encryptionAlgorithm'   => 'RS256',
+]);
+```
+
+or
+
+```php
+$provider->setEncryptionAlgorithm('RS256');
+```
+
+#### Configure the provider to use the expected decryption public key or certificate
+
+##### By key value
+
+```php
+$key = "-----BEGIN PUBLIC KEY-----\n....\n-----END PUBLIC KEY-----";
+// or
+// $key = "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----";
+
+$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    // ...
+    'encryptionKey'   => $key,
+]);
+```
+
+or
+
+```php
+$provider->setEncryptionKey($key);
+```
+
+##### By key path
+
+```php
+$keyPath = '../key.pem';
+
+$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    // ...
+    'encryptionKeyPath'   => $keyPath,
+]);
+```
+
+or
+
+```php
+$provider->setEncryptionKeyPath($keyPath);
+```
+
+## Testing
+
+``` bash
+$ ./vendor/bin/phpunit
+```
+
+## Contributing
+
+Please see [CONTRIBUTING](https://github.com/stevenmaguire/oauth2-keycloak/blob/master/CONTRIBUTING.md) for details.
+
+
+## Credits
+
+- [Steven Maguire](https://github.com/stevenmaguire)
+- [Martin Stefan](https://github.com/mstefan21)
+- [All Contributors](https://github.com/stevenmaguire/oauth2-keycloak/contributors)
+
+
+## License
+
+The MIT License (MIT). Please see [License File](https://github.com/stevenmaguire/oauth2-keycloak/blob/master/LICENSE) for more information.
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json
new file mode 100644
index 000000000..958f8c3af
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json
@@ -0,0 +1,44 @@
+{
+    "name": "stevenmaguire/oauth2-keycloak",
+    "description": "Keycloak OAuth 2.0 Client Provider for The PHP League OAuth2-Client",
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Steven Maguire",
+            "email": "stevenmaguire@gmail.com",
+            "homepage": "https://github.com/stevenmaguire"
+        }
+    ],
+    "keywords": [
+        "oauth",
+        "oauth2",
+        "client",
+        "authorization",
+        "authorisation",
+        "keycloak"
+    ],
+    "require": {
+        "league/oauth2-client": "^2.0",
+        "firebase/php-jwt": "~4.0|~5.0"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "~4.0",
+        "mockery/mockery": "~0.9",
+        "squizlabs/php_codesniffer": "~2.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "Stevenmaguire\\OAuth2\\Client\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "Stevenmaguire\\OAuth2\\Client\\Test\\": "test/src/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-master": "1.0.x-dev"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/examples/index.php b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/examples/index.php
new file mode 100644
index 000000000..398333f15
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/examples/index.php
@@ -0,0 +1,53 @@
+<?php
+
+require 'vendor/autoload.php';
+
+session_start();
+
+$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+    'authServerUrl'             => '',
+    'realm'                     => '',
+    'clientId'                  => '',
+    'clientSecret'              => '',
+    'redirectUri'               => '',
+    'encryptionAlgorithm'       => null,
+    'encryptionKey'             => null,
+    'encryptionKeyPath'         => null
+]);
+
+if (!isset($_GET['code'])) {
+    // If we don't have an authorization code then get one
+    $authUrl = $provider->getAuthorizationUrl();
+    $_SESSION['oauth2state'] = $provider->getState();
+    header('Location: '.$authUrl);
+    exit;
+
+// Check given state against previously stored one to mitigate CSRF attack
+} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
+    unset($_SESSION['oauth2state']);
+    exit('Invalid state, make sure HTTP sessions are enabled.');
+} else {
+    // Try to get an access token (using the authorization coe grant)
+    try {
+        $token = $provider->getAccessToken('authorization_code', [
+            'code' => $_GET['code']
+        ]);
+    } catch (Exception $e) {
+        exit('Failed to get access token: '.$e->getMessage());
+    }
+
+    // Optional: Now you have a token you can look up a users profile data
+    try {
+
+        // We got an access token, let's now get the user's details
+        $user = $provider->getResourceOwner($token);
+        // Use these details to create a new profile
+        printf('Hello %s!\n<br>', $user->getName());
+
+    } catch (Exception $e) {
+        exit('Failed to get resource owner: '.$e->getMessage());
+    }
+
+    // Use this to interact with an API on the users behalf
+    echo $token->getToken();
+}
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist
new file mode 100644
index 000000000..04d164dc2
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit backupGlobals="false"
+         backupStaticAttributes="false"
+         bootstrap="vendor/autoload.php"
+         colors="true"
+         convertErrorsToExceptions="true"
+         convertNoticesToExceptions="true"
+         convertWarningsToExceptions="true"
+         processIsolation="false"
+         stopOnFailure="false"
+         syntaxCheck="false"
+>
+    <logging>
+        <log type="coverage-html"
+                target="./build/coverage/html"
+                charset="UTF-8"
+                highlight="false"
+                lowUpperBound="35"
+                highLowerBound="70"/>
+          <log type="coverage-clover"
+                target="./build/coverage/log/coverage.xml"/>
+    </logging>
+    <testsuites>
+        <testsuite name="Package Test Suite">
+            <directory suffix=".php">./test/</directory>
+        </testsuite>
+    </testsuites>
+    <filter>
+        <whitelist>
+            <directory suffix=".php">./</directory>
+            <exclude>
+                <directory suffix=".php">./examples</directory>
+                <directory suffix=".php">./vendor</directory>
+                <directory suffix=".php">./test</directory>
+            </exclude>
+        </whitelist>
+    </filter>
+</phpunit>
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Exception/EncryptionConfigurationException.php b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Exception/EncryptionConfigurationException.php
new file mode 100644
index 000000000..546d2de83
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Exception/EncryptionConfigurationException.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace Stevenmaguire\OAuth2\Client\Provider\Exception;
+
+use Exception;
+
+class EncryptionConfigurationException extends Exception
+{
+    /**
+     * Returns properly formatted exception when response decryption fails.
+     *
+     * @return \Stevenmaguire\OAuth2\Client\Provider\Exception\EncryptionConfigurationException
+     */
+    public static function undeterminedEncryption()
+    {
+        return new static(
+            'The given response may be encrypted and sufficient '.
+            'encryption configuration has not been provided.',
+            400
+        );
+    }
+}
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Keycloak.php b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Keycloak.php
new file mode 100644
index 000000000..bc41a7138
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/Keycloak.php
@@ -0,0 +1,387 @@
+<?php
+
+namespace Stevenmaguire\OAuth2\Client\Provider;
+
+use Exception;
+use Firebase\JWT\JWT;
+use League\OAuth2\Client\Provider\AbstractProvider;
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
+use League\OAuth2\Client\Token\AccessToken;
+use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
+use Psr\Http\Message\ResponseInterface;
+use Stevenmaguire\OAuth2\Client\Provider\Exception\EncryptionConfigurationException;
+use UnexpectedValueException;
+
+class Keycloak extends AbstractProvider
+{
+    use BearerAuthorizationTrait;
+
+    /**
+     * Keycloak URL, eg. http://localhost:8080/auth.
+     *
+     * @var string
+     */
+    public $authServerUrl = null;
+
+    /**
+     * Realm name, eg. demo.
+     *
+     * @var string
+     */
+    public $realm = null;
+
+    /**
+     * Encryption algorithm.
+     *
+     * You must specify supported algorithms for your application. See
+     * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
+     * for a list of spec-compliant algorithms.
+     *
+     * @var string
+     */
+    public $encryptionAlgorithm = null;
+
+    /**
+     * Encryption key.
+     *
+     * @var string
+     */
+    public $encryptionKey = null;
+
+    /**
+      * Keycloak version.
+      *
+      * @var string
+      */
+    public $version = null;
+
+    /**
+     * Constructs an OAuth 2.0 service provider.
+     *
+     * @param array $options An array of options to set on this provider.
+     *     Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
+     *     Individual providers may introduce more options, as needed.
+     * @param array $collaborators An array of collaborators that may be used to
+     *     override this provider's default behavior. Collaborators include
+     *     `grantFactory`, `requestFactory`, `httpClient`, and `randomFactory`.
+     *     Individual providers may introduce more collaborators, as needed.
+     */
+    public function __construct(array $options = [], array $collaborators = [])
+    {
+        if (isset($options['encryptionKeyPath'])) {
+            $this->setEncryptionKeyPath($options['encryptionKeyPath']);
+            unset($options['encryptionKeyPath']);
+        }
+
+        if (isset($options['version'])) {
+            $this->setVersion($options['version']);
+        }
+
+        parent::__construct($options, $collaborators);
+    }
+
+    /**
+     * Attempts to decrypt the given response.
+     *
+     * @param  string|array|null $response
+     *
+     * @return string|array|null
+     */
+    public function decryptResponse($response)
+    {
+        if (!is_string($response)) {
+            return $response;
+        }
+
+        if ($this->usesEncryption()) {
+            return json_decode(
+                json_encode(
+                    JWT::decode(
+                        $response,
+                        $this->encryptionKey,
+                        array($this->encryptionAlgorithm)
+                    )
+                ),
+                true
+            );
+        }
+
+        throw EncryptionConfigurationException::undeterminedEncryption();
+    }
+
+    /**
+     * Get authorization url to begin OAuth flow
+     *
+     * @return string
+     */
+    public function getBaseAuthorizationUrl()
+    {
+        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/auth';
+    }
+
+    /**
+     * Get access token url to retrieve token
+     *
+     * @param  array $params
+     *
+     * @return string
+     */
+    public function getBaseAccessTokenUrl(array $params)
+    {
+        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/token';
+    }
+
+    /**
+     * Get provider url to fetch user details
+     *
+     * @param  AccessToken $token
+     *
+     * @return string
+     */
+    public function getResourceOwnerDetailsUrl(AccessToken $token)
+    {
+        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/userinfo';
+    }
+
+    /**
+     * Builds the logout URL.
+     *
+     * @param array $options
+     * @return string Authorization URL
+     */
+    public function getLogoutUrl(array $options = [])
+    {
+        $base = $this->getBaseLogoutUrl();
+        $params = $this->getAuthorizationParameters($options);
+
+        // Starting with keycloak 18.0.0, the parameter redirect_uri is no longer supported on logout.
+        // As of this version the parameter is called post_logout_redirect_uri. In addition to this
+        // a parameter id_token_hint has to be provided.
+        if ($this->validateGteVersion('18.0.0')) {
+            if (isset($options['access_token']) === true) {
+                $accessToken = $options['access_token'];
+
+                $params['id_token_hint'] = $accessToken->getValues()['id_token'];
+                $params['post_logout_redirect_uri'] = $params['redirect_uri'];
+            }
+
+            unset($params['redirect_uri']);
+        }
+
+        $query = $this->getAuthorizationQuery($params);
+        return $this->appendQuery($base, $query);
+    }
+
+    /**
+     * Get logout url to logout of session token
+     *
+     * @return string
+     */
+    private function getBaseLogoutUrl()
+    {
+        return $this->getBaseUrlWithRealm() . '/protocol/openid-connect/logout';
+    }
+
+    /**
+     * Creates base url from provider configuration.
+     *
+     * @return string
+     */
+    protected function getBaseUrlWithRealm()
+    {
+        return $this->authServerUrl.'/realms/'.$this->realm;
+    }
+
+    /**
+     * Get the default scopes used by this provider.
+     *
+     * This should not be a complete list of all scopes, but the minimum
+     * required for the provider user interface!
+     *
+     * @return string[]
+     */
+    protected function getDefaultScopes()
+    {
+        $scopes = [
+            'profile',
+            'email'
+        ];
+        if ($this->validateGteVersion('20.0.0')) {
+            $scopes[] = 'openid';
+        }
+        return $scopes;
+    }
+
+    /**
+     * Returns the string that should be used to separate scopes when building
+     * the URL for requesting an access token.
+     *
+     * @return string Scope separator, defaults to ','
+     */
+    protected function getScopeSeparator()
+    {
+        return ' ';
+    }
+
+
+    /**
+     * Check a provider response for errors.
+     *
+     * @throws IdentityProviderException
+     * @param  ResponseInterface $response
+     * @param  string $data Parsed response data
+     * @return void
+     */
+    protected function checkResponse(ResponseInterface $response, $data)
+    {
+        if (!empty($data['error'])) {
+            $error = $data['error'];
+            if (isset($data['error_description'])) {
+                $error.=': '.$data['error_description'];
+            }
+            throw new IdentityProviderException($error, 0, $data);
+        }
+    }
+
+    /**
+     * Generate a user object from a successful user details request.
+     *
+     * @param array $response
+     * @param AccessToken $token
+     * @return KeycloakResourceOwner
+     */
+    protected function createResourceOwner(array $response, AccessToken $token)
+    {
+        return new KeycloakResourceOwner($response);
+    }
+
+    /**
+     * Requests and returns the resource owner of given access token.
+     *
+     * @param  AccessToken $token
+     * @return KeycloakResourceOwner
+     * @throws EncryptionConfigurationException
+     */
+    public function getResourceOwner(AccessToken $token)
+    {
+        $response = $this->fetchResourceOwnerDetails($token);
+
+        // We are always getting an array. We have to check if it is
+        // the array we created
+        if (array_key_exists('jwt', $response)) {
+            $response = $response['jwt'];
+        }
+
+        $response = $this->decryptResponse($response);
+
+        return $this->createResourceOwner($response, $token);
+    }
+
+    /**
+     * Updates expected encryption algorithm of Keycloak instance.
+     *
+     * @param string  $encryptionAlgorithm
+     *
+     * @return Keycloak
+     */
+    public function setEncryptionAlgorithm($encryptionAlgorithm)
+    {
+        $this->encryptionAlgorithm = $encryptionAlgorithm;
+
+        return $this;
+    }
+
+    /**
+     * Updates expected encryption key of Keycloak instance.
+     *
+     * @param string  $encryptionKey
+     *
+     * @return Keycloak
+     */
+    public function setEncryptionKey($encryptionKey)
+    {
+        $this->encryptionKey = $encryptionKey;
+
+        return $this;
+    }
+
+    /**
+     * Updates expected encryption key of Keycloak instance to content of given
+     * file path.
+     *
+     * @param string  $encryptionKeyPath
+     *
+     * @return Keycloak
+     */
+    public function setEncryptionKeyPath($encryptionKeyPath)
+    {
+        try {
+            $this->encryptionKey = file_get_contents($encryptionKeyPath);
+        } catch (Exception $e) {
+            // Not sure how to handle this yet.
+        }
+
+        return $this;
+    }
+
+     /**
+      * Updates the keycloak version.
+      *
+      * @param string  $version
+      *
+      * @return Keycloak
+      */
+    public function setVersion($version)
+    {
+        $this->version = $version;
+
+        return $this;
+    }
+
+    /**
+     * Checks if provider is configured to use encryption.
+     *
+     * @return bool
+     */
+    public function usesEncryption()
+    {
+        return (bool) $this->encryptionAlgorithm && $this->encryptionKey;
+    }
+
+    /**
+     * Parses the response according to its content-type header.
+     *
+     * @throws UnexpectedValueException
+     * @param  ResponseInterface $response
+     * @return array
+     */
+    protected function parseResponse(ResponseInterface $response)
+    {
+        // We have a problem with keycloak when the userinfo responses
+        // with a jwt token
+        // Because it just return a jwt as string with the header
+        // application/jwt
+        // This can't be parsed to a array
+        // Dont know why this function only allow an array as return value...
+        $content = (string) $response->getBody();
+        $type = $this->getContentType($response);
+
+        if (strpos($type, 'jwt') !== false) {
+            // Here we make the temporary array
+            return ['jwt' => $content];
+        }
+
+        return parent::parseResponse($response);
+    }
+
+    /**
+     * Validate if version is greater or equal
+     *
+     * @param string $version
+     * @return bool
+     */
+    private function validateGteVersion($version)
+    {
+        return (isset($this->version) && version_compare($this->version, $version, '>='));
+    }
+}
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/KeycloakResourceOwner.php b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/KeycloakResourceOwner.php
new file mode 100644
index 000000000..7587af783
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/src/Provider/KeycloakResourceOwner.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace Stevenmaguire\OAuth2\Client\Provider;
+
+use League\OAuth2\Client\Provider\ResourceOwnerInterface;
+
+class KeycloakResourceOwner implements ResourceOwnerInterface
+{
+    /**
+     * Raw response
+     *
+     * @var array
+     */
+    protected $response;
+
+    /**
+     * Creates new resource owner.
+     *
+     * @param array  $response
+     */
+    public function __construct(array $response = array())
+    {
+        $this->response = $response;
+    }
+
+    /**
+     * Get resource owner id
+     *
+     * @return string|null
+     */
+    public function getId()
+    {
+        return \array_key_exists('sub', $this->response) ? $this->response['sub'] : null;
+    }
+
+    /**
+     * Get resource owner email
+     *
+     * @return string|null
+     */
+    public function getEmail()
+    {
+        return \array_key_exists('email', $this->response) ? $this->response['email'] : null;
+    }
+
+    /**
+     * Get resource owner name
+     *
+     * @return string|null
+     */
+    public function getName()
+    {
+        return \array_key_exists('name', $this->response) ? $this->response['name'] : null;
+    }
+
+    /**
+     * Return all of the owner details available as an array.
+     *
+     * @return array
+     */
+    public function toArray()
+    {
+        return $this->response;
+    }
+}
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php
new file mode 100644
index 000000000..01f6b62dd
--- /dev/null
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php
@@ -0,0 +1,306 @@
+<?php
+
+namespace
+{
+    $mockFileGetContents = null;
+}
+
+namespace Stevenmaguire\OAuth2\Client\Provider
+{
+    function file_get_contents()
+    {
+        global $mockFileGetContents;
+        if (isset($mockFileGetContents) && ! is_null($mockFileGetContents)) {
+            if (is_a($mockFileGetContents, 'Exception')) {
+                throw $mockFileGetContents;
+            }
+            return $mockFileGetContents;
+        } else {
+            return call_user_func_array('\file_get_contents', func_get_args());
+        }
+    }
+}
+
+namespace Stevenmaguire\OAuth2\Client\Test\Provider
+{
+    use League\OAuth2\Client\Tool\QueryBuilderTrait;
+    use Mockery as m;
+
+    class KeycloakTest extends \PHPUnit_Framework_TestCase
+    {
+        use QueryBuilderTrait;
+
+        protected $provider;
+
+        protected function setUp()
+        {
+            $this->provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+                'authServerUrl' => 'http://mock.url/auth',
+                'realm' => 'mock_realm',
+                'clientId' => 'mock_client_id',
+                'clientSecret' => 'mock_secret',
+                'redirectUri' => 'none',
+            ]);
+        }
+
+        public function tearDown()
+        {
+            m::close();
+            parent::tearDown();
+        }
+
+        public function testAuthorizationUrl()
+        {
+            $url = $this->provider->getAuthorizationUrl();
+            $uri = parse_url($url);
+            parse_str($uri['query'], $query);
+
+            $this->assertArrayHasKey('client_id', $query);
+            $this->assertArrayHasKey('redirect_uri', $query);
+            $this->assertArrayHasKey('state', $query);
+            $this->assertArrayHasKey('scope', $query);
+            $this->assertArrayHasKey('response_type', $query);
+            $this->assertArrayHasKey('approval_prompt', $query);
+            $this->assertNotNull($this->provider->getState());
+        }
+
+        public function testEncryptionAlgorithm()
+        {
+            $algorithm = uniqid();
+            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+                'encryptionAlgorithm' => $algorithm,
+            ]);
+
+            $this->assertEquals($algorithm, $provider->encryptionAlgorithm);
+
+            $algorithm = uniqid();
+            $provider->setEncryptionAlgorithm($algorithm);
+
+            $this->assertEquals($algorithm, $provider->encryptionAlgorithm);
+        }
+
+        public function testEncryptionKey()
+        {
+            $key = uniqid();
+            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+                'encryptionKey' => $key,
+            ]);
+
+            $this->assertEquals($key, $provider->encryptionKey);
+
+            $key = uniqid();
+            $provider->setEncryptionKey($key);
+
+            $this->assertEquals($key, $provider->encryptionKey);
+        }
+
+        public function testEncryptionKeyPath()
+        {
+            global $mockFileGetContents;
+            $path = uniqid();
+            $key = uniqid();
+            $mockFileGetContents = $key;
+
+            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+                'encryptionKeyPath' => $path,
+            ]);
+
+            $this->assertEquals($key, $provider->encryptionKey);
+
+            $path = uniqid();
+            $key = uniqid();
+            $mockFileGetContents = $key;
+
+            $provider->setEncryptionKeyPath($path);
+
+            $this->assertEquals($key, $provider->encryptionKey);
+        }
+
+        public function testEncryptionKeyPathFails()
+        {
+            global $mockFileGetContents;
+            $path = uniqid();
+            $key = uniqid();
+            $mockFileGetContents = new \Exception();
+
+            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+                'encryptionKeyPath' => $path,
+            ]);
+
+            $provider->setEncryptionKeyPath($path);
+        }
+
+        public function testScopes()
+        {
+            $scopeSeparator = ' ';
+            $options = ['scope' => [uniqid(), uniqid()]];
+            $query = ['scope' => implode($scopeSeparator, $options['scope'])];
+            $url = $this->provider->getAuthorizationUrl($options);
+            $encodedScope = $this->buildQueryString($query);
+            $this->assertContains($encodedScope, $url);
+        }
+
+        public function testGetAuthorizationUrl()
+        {
+            $url = $this->provider->getAuthorizationUrl();
+            $uri = parse_url($url);
+
+            $this->assertEquals('/auth/realms/mock_realm/protocol/openid-connect/auth', $uri['path']);
+        }
+
+        public function testGetLogoutUrl()
+        {
+            $url = $this->provider->getLogoutUrl();
+            $uri = parse_url($url);
+
+            $this->assertEquals('/auth/realms/mock_realm/protocol/openid-connect/logout', $uri['path']);
+        }
+
+        public function testGetBaseAccessTokenUrl()
+        {
+            $params = [];
+
+            $url = $this->provider->getBaseAccessTokenUrl($params);
+            $uri = parse_url($url);
+
+            $this->assertEquals('/auth/realms/mock_realm/protocol/openid-connect/token', $uri['path']);
+        }
+
+        public function testGetAccessToken()
+        {
+            $response = m::mock('Psr\Http\Message\ResponseInterface');
+            $response->shouldReceive('getBody')->andReturn('{"access_token":"mock_access_token", "scope":"email", "token_type":"bearer"}');
+            $response->shouldReceive('getHeader')->andReturn(['content-type' => 'json']);
+
+            $client = m::mock('GuzzleHttp\ClientInterface');
+            $client->shouldReceive('send')->times(1)->andReturn($response);
+            $this->provider->setHttpClient($client);
+
+            $token = $this->provider->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);
+
+            $this->assertEquals('mock_access_token', $token->getToken());
+            $this->assertNull($token->getExpires());
+            $this->assertNull($token->getRefreshToken());
+            $this->assertNull($token->getResourceOwnerId());
+        }
+
+        public function testUserData()
+        {
+            $userId = rand(1000,9999);
+            $name = uniqid();
+            $nickname = uniqid();
+            $email = uniqid();
+
+            $postResponse = m::mock('Psr\Http\Message\ResponseInterface');
+            $postResponse->shouldReceive('getBody')->andReturn('access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}');
+            $postResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
+
+            $userResponse = m::mock('Psr\Http\Message\ResponseInterface');
+            $userResponse->shouldReceive('getBody')->andReturn('{"sub": '.$userId.', "name": "'.$name.'", "email": "'.$email.'"}');
+            $userResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'json']);
+
+            $client = m::mock('GuzzleHttp\ClientInterface');
+            $client->shouldReceive('send')
+                ->times(2)
+                ->andReturn($postResponse, $userResponse);
+            $this->provider->setHttpClient($client);
+
+            $token = $this->provider->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);
+            $user = $this->provider->getResourceOwner($token);
+
+            $this->assertEquals($userId, $user->getId());
+            $this->assertEquals($userId, $user->toArray()['sub']);
+            $this->assertEquals($name, $user->getName());
+            $this->assertEquals($name, $user->toArray()['name']);
+            $this->assertEquals($email, $user->getEmail());
+            $this->assertEquals($email, $user->toArray()['email']);
+        }
+
+        public function testUserDataWithEncryption()
+        {
+            $userId = rand(1000,9999);
+            $name = uniqid();
+            $nickname = uniqid();
+            $email = uniqid();
+            $jwt = uniqid();
+            $algorithm = uniqid();
+            $key = uniqid();
+
+            $postResponse = m::mock('Psr\Http\Message\ResponseInterface');
+            $postResponse->shouldReceive('getBody')->andReturn('access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}');
+            $postResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
+            $postResponse->shouldReceive('getStatusCode')->andReturn(200);
+
+            $userResponse = m::mock('Psr\Http\Message\ResponseInterface');
+            $userResponse->shouldReceive('getBody')->andReturn($jwt);
+            $userResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/jwt']);
+            $userResponse->shouldReceive('getStatusCode')->andReturn(200);
+
+            $decoder = \Mockery::mock('overload:Firebase\JWT\JWT');
+            $decoder->shouldReceive('decode')->with($jwt, $key, [$algorithm])->andReturn([
+                'sub' => $userId,
+                'email' => $email,
+                'name' => $name,
+            ]);
+
+            $client = m::mock('GuzzleHttp\ClientInterface');
+            $client->shouldReceive('send')
+                ->times(2)
+                ->andReturn($postResponse, $userResponse);
+            $this->provider->setHttpClient($client);
+
+            $token = $this->provider->setEncryptionAlgorithm($algorithm)
+                ->setEncryptionKey($key)
+                ->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);
+            $user = $this->provider->getResourceOwner($token);
+
+            $this->assertEquals($userId, $user->getId());
+            $this->assertEquals($userId, $user->toArray()['sub']);
+            $this->assertEquals($name, $user->getName());
+            $this->assertEquals($name, $user->toArray()['name']);
+            $this->assertEquals($email, $user->getEmail());
+            $this->assertEquals($email, $user->toArray()['email']);
+        }
+
+        /**
+         * @expectedException Stevenmaguire\OAuth2\Client\Provider\Exception\EncryptionConfigurationException
+         */
+        public function testUserDataFailsWhenEncryptionEncounteredAndNotConfigured()
+        {
+            $postResponse = m::mock('Psr\Http\Message\ResponseInterface');
+            $postResponse->shouldReceive('getBody')->andReturn('access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}');
+            $postResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
+            $postResponse->shouldReceive('getStatusCode')->andReturn(200);
+
+            $userResponse = m::mock('Psr\Http\Message\ResponseInterface');
+            $userResponse->shouldReceive('getBody')->andReturn(uniqid());
+            $userResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/jwt']);
+            $userResponse->shouldReceive('getStatusCode')->andReturn(200);
+
+            $client = m::mock('GuzzleHttp\ClientInterface');
+            $client->shouldReceive('send')
+                ->times(2)
+                ->andReturn($postResponse, $userResponse);
+            $this->provider->setHttpClient($client);
+
+            $token = $this->provider->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);
+            $user = $this->provider->getResourceOwner($token);
+        }
+
+        /**
+         * @expectedException League\OAuth2\Client\Provider\Exception\IdentityProviderException
+         */
+        public function testErrorResponse()
+        {
+            $response = m::mock('Psr\Http\Message\ResponseInterface');
+            $response->shouldReceive('getBody')->andReturn('{"error": "invalid_grant", "error_description": "Code not found"}');
+            $response->shouldReceive('getHeader')->andReturn(['content-type' => 'json']);
+
+            $client = m::mock('GuzzleHttp\ClientInterface');
+            $client->shouldReceive('send')->times(1)->andReturn($response);
+            $this->provider->setHttpClient($client);
+
+            $token = $this->provider->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/deprecation-contracts/CHANGELOG.md b/data/web/inc/lib/vendor/symfony/deprecation-contracts/CHANGELOG.md
new file mode 100644
index 000000000..7932e2613
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/deprecation-contracts/CHANGELOG.md
@@ -0,0 +1,5 @@
+CHANGELOG
+=========
+
+The changelog is maintained for all Symfony contracts at the following URL:
+https://github.com/symfony/contracts/blob/main/CHANGELOG.md
diff --git a/data/web/inc/lib/vendor/symfony/deprecation-contracts/LICENSE b/data/web/inc/lib/vendor/symfony/deprecation-contracts/LICENSE
new file mode 100644
index 000000000..0ed3a2465
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/deprecation-contracts/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2020-present Fabien Potencier
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/symfony/deprecation-contracts/README.md b/data/web/inc/lib/vendor/symfony/deprecation-contracts/README.md
new file mode 100644
index 000000000..9814864c0
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/deprecation-contracts/README.md
@@ -0,0 +1,26 @@
+Symfony Deprecation Contracts
+=============================
+
+A generic function and convention to trigger deprecation notices.
+
+This package provides a single global function named `trigger_deprecation()` that triggers silenced deprecation notices.
+
+By using a custom PHP error handler such as the one provided by the Symfony ErrorHandler component,
+the triggered deprecations can be caught and logged for later discovery, both on dev and prod environments.
+
+The function requires at least 3 arguments:
+ - the name of the Composer package that is triggering the deprecation
+ - the version of the package that introduced the deprecation
+ - the message of the deprecation
+ - more arguments can be provided: they will be inserted in the message using `printf()` formatting
+
+Example:
+```php
+trigger_deprecation('symfony/blockchain', '8.9', 'Using "%s" is deprecated, use "%s" instead.', 'bitcoin', 'fabcoin');
+```
+
+This will generate the following message:
+`Since symfony/blockchain 8.9: Using "bitcoin" is deprecated, use "fabcoin" instead.`
+
+While not recommended, the deprecation notices can be completely ignored by declaring an empty
+`function trigger_deprecation() {}` in your application.
diff --git a/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json b/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json
new file mode 100644
index 000000000..774200fdc
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json
@@ -0,0 +1,35 @@
+{
+    "name": "symfony/deprecation-contracts",
+    "type": "library",
+    "description": "A generic function and convention to trigger deprecation notices",
+    "homepage": "https://symfony.com",
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Nicolas Grekas",
+            "email": "p@tchwork.com"
+        },
+        {
+            "name": "Symfony Community",
+            "homepage": "https://symfony.com/contributors"
+        }
+    ],
+    "require": {
+        "php": ">=8.1"
+    },
+    "autoload": {
+        "files": [
+            "function.php"
+        ]
+    },
+    "minimum-stability": "dev",
+    "extra": {
+        "branch-alias": {
+            "dev-main": "3.3-dev"
+        },
+        "thanks": {
+            "name": "symfony/contracts",
+            "url": "https://github.com/symfony/contracts"
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/deprecation-contracts/function.php b/data/web/inc/lib/vendor/symfony/deprecation-contracts/function.php
new file mode 100644
index 000000000..2d56512ba
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/deprecation-contracts/function.php
@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+if (!function_exists('trigger_deprecation')) {
+    /**
+     * Triggers a silenced deprecation notice.
+     *
+     * @param string $package The name of the Composer package that is triggering the deprecation
+     * @param string $version The version of the package that introduced the deprecation
+     * @param string $message The message of the deprecation
+     * @param mixed  ...$args Values to insert in the message using printf() formatting
+     *
+     * @author Nicolas Grekas <p@tchwork.com>
+     */
+    function trigger_deprecation(string $package, string $version, string $message, mixed ...$args): void
+    {
+        @trigger_error(($package || $version ? "Since $package $version: " : '').($args ? vsprintf($message, $args) : $message), \E_USER_DEPRECATED);
+    }
+}

From 67c9c5b8ed3280a45df996e89c4b1bd7b0150003 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 13 Mar 2023 09:04:05 +0100
Subject: [PATCH 013/378] [Web] remove u2f lib from prerequisites

---
 data/web/inc/prerequisites.inc.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index eac35be77..d0ed31091 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -46,9 +46,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/lib/CSSminifierExtended.php';
 
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/lib/array_merge_real.php';
 
-// U2F API + T/HOTP API
-// u2f - deprecated, should be removed
-$u2f = new u2flib_server\U2F('https://' . $_SERVER['HTTP_HOST']);
+// T/HOTP API
 $qrprovider = new RobThree\Auth\Providers\Qr\QRServerProvider();
 $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 

From 6e9980bf0f8b16420cc884e12889b074c7b8bc79 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 14 Mar 2023 14:10:46 +0100
Subject: [PATCH 014/378] [Web] add manage identity provider

---
 data/web/admin.php                            |   3 +
 data/web/inc/footer.inc.php                   |   2 +
 data/web/inc/functions.inc.php                | 109 +++++++++++++-----
 data/web/inc/init_db.inc.php                  |   2 +-
 data/web/js/build/013-mailcow.js              |  11 ++
 data/web/js/site/admin.js                     |  34 ++++++
 data/web/js/site/mailbox.js                   |  40 ++++++-
 data/web/json_api.php                         |  13 +++
 data/web/lang/lang.en-gb.json                 |  16 +++
 data/web/templates/admin.twig                 |   4 +-
 .../admin/tab-config-identity-provider.twig   |  95 +++++++++++++++
 .../admin/tab-config-identity-providers.twig  |  58 ----------
 data/web/templates/base.twig                  |   2 +
 .../web/templates/edit/mailbox-templates.twig |   9 ++
 data/web/templates/edit/mailbox.twig          |   4 +-
 data/web/templates/index.twig                 |  19 ++-
 data/web/templates/modals/mailbox.twig        |  61 ++++++----
 17 files changed, 364 insertions(+), 118 deletions(-)
 create mode 100644 data/web/templates/admin/tab-config-identity-provider.twig
 delete mode 100644 data/web/templates/admin/tab-config-identity-providers.twig

diff --git a/data/web/admin.php b/data/web/admin.php
index 278ab61b8..1ffb76fb4 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -88,6 +88,8 @@ $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_method
 $f2b_data = fail2ban('get');
 // identity provider
 $identity_provider_settings = identity_provider('get');
+// mbox templates
+$mbox_templates = mailbox('get', 'mailbox_templates');
 
 $template = 'admin.twig';
 $template_data = [
@@ -120,6 +122,7 @@ $template_data = [
   'cors_settings' => $cors_settings,
   'is_https' => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on',
   'identity_provider_settings' => $identity_provider_settings,
+  'mbox_templates' => $mbox_templates,
   'lang_admin' => json_encode($lang['admin']),
   'lang_datatables' => json_encode($lang['datatables'])
 ];
diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 61d81dffa..8c50c9c15 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -65,6 +65,8 @@ $globalVariables = [
   'lang_acl' => json_encode($lang['acl']),
   'lang_tfa' => json_encode($lang['tfa']),
   'lang_fido2' => json_encode($lang['fido2']),
+  'lang_success' => json_encode($lang['success']),
+  'lang_danger' => json_encode($lang['danger']),
   'docker_timeout' => $DOCKER_TIMEOUT,
   'session_lifetime' => (int)$SESSION_LIFETIME,
   'csrf_token' => $_SESSION['CSRF']['TOKEN'],
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 793e3e6b1..0a1edcff3 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2071,7 +2071,6 @@ function identity_provider($_action, $_data = null) {
 function identity_provider($_action, $_data = null, $hide_secret = false) {
   global $pdo;
 
-
   switch ($_action) {
     case 'get':
       $settings = array();
@@ -2079,12 +2078,19 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       $stmt->execute();
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       foreach($rows as $row){
-        $settings[$row["key"]] = $row["value"];
+        if ($row["key"] == 'roles'){
+          $settings['roles'] = json_decode($row["value"]);
+        } else if ($row["key"] == 'templates'){
+          $settings['templates'] = json_decode($row["value"]);
+        } else {
+          $settings[$row["key"]] = $row["value"];
+        }
       }
       if ($hide_secret){
-        $settings['client_secret'] = '***********************';
+        $settings['client_secret'] = '';
       }
       return $settings;
+    break;
     case 'edit':
       if ($_SESSION['mailcow_cc_role'] != "admin") {
         $_SESSION['return'][] = array(
@@ -2094,36 +2100,24 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         );
         return false;
       }
-
+      $data_log = $_data;
+      $data_log['client_secret'] = '*';
+      $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+      
+      // add connection settings      
       $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version');
       foreach($required_settings as $setting){
         if (!$_data[$setting]){
+          $_SESSION['return'][] =  array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $data_log),
+            'msg' => 'required_data_missing'
+          );
           return false;
         }
       }
-      try {
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_action, $_data),
-          'msg' => '2'
-        );
-        $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_action, $_data),
-          'msg' => '3'
-        );
-      } catch (Exception $e){
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_action, $_data, $e->getMessage()),
-          'msg' => 'post'
-        );
-        return;
-      }
-
       foreach($_data as $key => $value){
-        if (!in_array($key, $required_settings)){
+        if (!in_array($key, $required_settings) || $key == 'roles' || $key == 'templates'){
           continue;
         }
 
@@ -2131,8 +2125,71 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         $stmt->bindParam(':value', $value);
         $stmt->execute();
       }
+
+      // add role mappings
+      if ($_data['roles'] && $_data['templates']){
+        if (!is_array($_data['roles'])){
+          $_data['roles'] = array($_data['roles']);
+        }
+        if (!is_array($_data['templates'])){
+          $_data['templates'] = array($_data['templates']);
+        }
+        $roles = array();
+        $templates = array();
+        foreach($_data['roles'] as $role){
+          if ($role){
+            array_push($roles, $role);
+          }
+        }
+        foreach($_data['templates'] as $template){
+          if ($template){
+            array_push($templates, $template);
+          }
+        }
+        if (count($roles) == count($templates)){
+          $roles = json_encode($roles);
+          $templates = json_encode($templates);
+
+          $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('roles', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+          $stmt->bindParam(':value', $roles);
+          $stmt->execute();
+          $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('templates', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+          $stmt->bindParam(':value', $templates);
+          $stmt->execute();
+        }
+      }
+
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $data_log),
+        'msg' => array('object_modified', '')
+      );
       return true;
     break;
+    case 'test':  
+      $identity_provider_settings = identity_provider('get');
+      $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+      $req = http_build_query(array(
+        'grant_type'    => 'password',
+        'client_id'     => $identity_provider_settings['client_id'],
+        'client_secret' => $identity_provider_settings['client_secret'],
+        'username'      => "test",
+        'password'      => "test",
+      ));
+      $curl = curl_init();
+      curl_setopt($curl, CURLOPT_URL, $url);
+      curl_setopt($curl, CURLOPT_POST, 1);
+      curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+      curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+      curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+      $res = json_decode(curl_exec($curl), true);
+      curl_close ($curl);
+
+      if ($res["error"] && $res["error"] === 'invalid_grant'){
+        return true;
+      }
+      return false;
+    break;
   }
 }
 
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 5cfb1cd62..3de3dec9b 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -571,7 +571,7 @@ function init_db_schema() {
       "identity_provider" => array(
         "cols" => array(
           "key" => "VARCHAR(255) NOT NULL",
-          "value" => "VARCHAR(255) NOT NULL",
+          "value" => "TEXT NOT NULL",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
           "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP"
         ),
diff --git a/data/web/js/build/013-mailcow.js b/data/web/js/build/013-mailcow.js
index f3ecbb904..f09098310 100644
--- a/data/web/js/build/013-mailcow.js
+++ b/data/web/js/build/013-mailcow.js
@@ -352,6 +352,17 @@ $(document).ready(function() {
       localStorage.setItem('theme', 'dark');
     }
   }
+
+  // Reveal Password Input
+  $(".reveal-password-input").on('click', '.toggle-password', function() {
+    $(this).parent().find('.toggle-password').children().toggleClass("bi-eye bi-eye-slash");
+    var input = $(this).parent().find('.password-field')
+    if (input.attr("type") === "password") {
+      input.attr("type", "text");
+    } else {
+      input.attr("type", "password");
+    }
+  });
 });
 
 
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index dd6dcce4b..708cb0be0 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -749,4 +749,38 @@ jQuery(function($){
   $('#add_f2b_regex_row').click(function() {
     add_table_row($('#f2b_regex_table'), "f2b_regex");
   });
+  // IAM test connection
+  $('#iam_test_connection').click(async function(e){
+    e.preventDefault();
+    var res = await fetch("/api/v1/get/status/identity-provider", { method:'GET', cache:'no-cache' });
+    res = await res.json();
+    console.log(res);
+    if (res.type === 'success'){
+      return mailcow_alert_box(lang_success.iam_test_connection, 'success');
+    }
+    return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
+  });
+  $('#iam_rolemap_add').click(async function(e){
+    e.preventDefault();
+
+    var parent = $(this).parent().parent();
+    $(parent).children().last().clone().appendTo(parent);
+    var newChild = $(parent).children().last();
+    $(newChild).find('input').val('');
+    $(newChild).find('.dropdown-toggle').remove();
+    $(newChild).find('.dropdown-menu').remove();
+    $(newChild).find('.bs-title-option').remove();
+    $(newChild).find('select').selectpicker('destroy');
+    $(newChild).find('select').selectpicker();
+
+    $('.iam_rolemap_del').off('click');
+    $('.iam_rolemap_del').click(async function(e){
+      e.preventDefault();
+      $(this).parent().remove();
+    });
+  });
+  $('.iam_rolemap_del').click(async function(e){
+    e.preventDefault();
+    $(this).parent().remove();
+  });
 });
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index cc316b713..6fbcc3e3f 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -162,6 +162,17 @@ $(document).ready(function() {
       }
     });
   });
+  // @selecting identity provider mbox_add_modal
+  $('#mbox_add_iam').on('change', function(){
+    // toggle password fields
+    if (this.value === 'mailcow'){
+      $('#mbox_add_pwds').removeClass('d-none');
+      $('#mbox_add_pwds').find('.form-control').prop('required', true);
+    } else {
+      $('#mbox_add_pwds').addClass('d-none');
+      $('#mbox_add_pwds').find('.form-control').prop('required', false);
+    }
+  });
   // Sieve data modal
   $('#sieveDataModal').on('show.bs.modal', function(e) {
     var sieveScript = $(e.relatedTarget).data('sieve-script');
@@ -269,6 +280,15 @@ $(document).ready(function() {
   }
   function setMailboxTemplateData(template){
     $("#addInputQuota").val(template.quota / 1048576);
+    $('#mbox_add_iam').selectpicker('val', template.authsource);
+    // toggle password fields
+    if (template.authsource === 'mailcow'){
+      $('#mbox_add_pwds').removeClass('d-none');
+      $('#mbox_add_pwds').find('.form-control').prop('required', true);
+    } else {
+      $('#mbox_add_pwds').addClass('d-none');
+      $('#mbox_add_pwds').find('.form-control').prop('required', false);
+    }
 
     if (template.quarantine_notification === "never"){
       $('#quarantine_notification_never').prop('checked', true);
@@ -1035,7 +1055,16 @@ jQuery(function($){
           title: lang.domain,
           data: 'domain',
           defaultContent: '',
-          className: 'none'
+          className: 'none',
+        },
+        {
+          title: lang.iam,
+          data: 'authsource',
+          defaultContent: '',
+          className: 'none',
+          render: function (data, type) {
+            return '<span class="badge bg-primary">' + data + '<i class="ms-2 bi bi-person-circle"></i></i></span>';
+          }
         },
         {
           title: lang.tls_enforce_in,
@@ -1263,6 +1292,15 @@ jQuery(function($){
           data: 'attributes.quota',
           defaultContent: '',
         },
+        {
+          title: lang.iam,
+          data: 'attributes.authsource',
+          defaultContent: '',
+          render: function (data, type) {
+            data = data ? '<span class="badge bg-primary">' + data + '<i class="ms-2 bi bi-person-circle"></i></i></span>' : '<i class="bi bi-x-lg"></i>';
+            return data;
+          }
+        },
         {
           title: lang.tls_enforce_in,
           data: 'attributes.tls_enforce_in',
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 769775cee..52ca8b715 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1702,6 +1702,19 @@ if (isset($_GET['query'])) {
                     'version' => $GLOBALS['MAILCOW_GIT_VERSION']
                   ));
                 break;
+                case "identity-provider":
+                  if (identity_provider('test')){
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'connection successfull'
+                    ));
+                  } else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'connection failed'
+                    ));
+                  }
+                break;
               }
             }
           break;
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 851b98aa1..436a9b370 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -211,6 +211,17 @@
         "help_text": "Override help text below login mask (HTML allowed)",
         "host": "Host",
         "html": "HTML",
+        "iam": "Identity Provider",
+        "iam_client_id": "Client Id",
+        "iam_client_secret": "Client Secret",
+        "iam_description": "Here, you can configure the integration with an external Keycloak service. The Keycloak user's mailboxes will be automatically created upon their first login, provided that a role mapping has been set.",
+        "iam_realm": "Realm",
+        "iam_redirect_url": "Redirect Url",
+        "iam_rolemapping": "Role Mapping",
+        "iam_server_url": "Server Url",
+        "iam_sso": "SSO",
+        "iam_test_connection": "Test Connection",
+        "iam_version": "Version",
         "import": "Import",
         "import_private_key": "Import private key",
         "in_use_by": "In use by",
@@ -395,6 +406,8 @@
         "goto_empty": "An alias address must contain at least one valid goto address",
         "goto_invalid": "Goto address %s is invalid",
         "ham_learn_error": "Ham learn error: %s",
+        "iam_invalid_sso": "SSO login failed",
+        "iam_test_connection": "Connection failed",
         "imagick_exception": "Error: Imagick exception while reading image",
         "img_dimensions_exceeded": "Image exceeds the maximum image size",
         "img_invalid": "Cannot validate image file",
@@ -449,6 +462,7 @@
         "redis_error": "Redis error: %s",
         "relayhost_invalid": "Map entry %s is invalid",
         "release_send_failed": "Message could not be released: %s",
+        "required_data_missing": "Required data is missing",
         "reset_f2b_regex": "Regex filter could not be reset in time, please try again or wait a few more seconds and reload the website.",
         "resource_invalid": "Resource name %s is invalid",
         "rl_timeframe": "Rate limit time frame is incorrect",
@@ -825,6 +839,7 @@
         "goto_ham": "Learn as <b>ham</b>",
         "goto_spam": "Learn as <b>spam</b>",
         "hourly": "Hourly",
+        "iam": "Identity Provider",
         "in_use": "In use (%)",
         "inactive": "Inactive",
         "insert_preset": "Insert example preset \"%s\"",
@@ -1060,6 +1075,7 @@
         "forwarding_host_removed": "Forwarding host %s has been removed",
         "global_filter_written": "Filter was successfully written to file",
         "hash_deleted": "Hash deleted",
+        "iam_test_connection": "Connection successfull",
         "ip_check_opt_in_modified": "IP check was saved successfully",
         "item_deleted": "Item %s successfully deleted",
         "item_released": "Item %s released",
diff --git a/data/web/templates/admin.twig b/data/web/templates/admin.twig
index 53fdeadc1..792c0bca0 100644
--- a/data/web/templates/admin.twig
+++ b/data/web/templates/admin.twig
@@ -7,7 +7,7 @@
       <a class="nav-link dropdown-toggle active" data-bs-toggle="dropdown" href="#" role="button" aria-expanded="false">{{ lang.admin.access }}</a>
       <ul class="dropdown-menu">
         <li><button class="dropdown-item active" data-bs-target="#tab-config-admins" aria-selected="false" aria-controls="tab-config-admins" role="tab" data-bs-toggle="tab">{{ lang.admin.admins }}</button></li>
-        <li><button class="dropdown-item" data-bs-target="#tab-config-identity-providers" aria-selected="false" aria-controls="tab-config-identity-providers" role="tab" data-bs-toggle="tab">Identity Providers</button></li>
+        <li><button class="dropdown-item" data-bs-target="#tab-config-identity-provider" aria-selected="false" aria-controls="tab-config-identity-provider" role="tab" data-bs-toggle="tab">Identity Provider</button></li>
         <!-- <li><button class="dropdown-item" data-bs-target="#tab-config-ldap-admins" aria-controls="tab-config-ldap-admins" role="tab" data-bs-toggle="tab">{{ lang.admin.admins_ldap }}</button></li> -->
         <li><button class="dropdown-item" data-bs-target="#tab-config-oauth2" aria-selected="false" aria-controls="tab-config-oauth2" role="tab" data-bs-toggle="tab">{{ lang.admin.oauth2_apps }}</button></li>
         <li><button class="dropdown-item" data-bs-target="#tab-config-rspamd" aria-selected="false" aria-controls="tab-config-rspamd" role="tab" data-bs-toggle="tab">Rspamd UI</button></li>
@@ -41,7 +41,7 @@
     <div class="col-md-12">
       <div class="tab-content" style="padding-top:20px">
         {% include 'admin/tab-config-admins.twig' %}
-        {% include 'admin/tab-config-identity-providers.twig' %}
+        {% include 'admin/tab-config-identity-provider.twig' %}
         {# {% include 'admin/tab-ldap.twig' %} #}
         {% include 'admin/tab-config-oauth2.twig' %}
         {% include 'admin/tab-config-rspamd.twig' %}
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
new file mode 100644
index 000000000..600b336a3
--- /dev/null
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -0,0 +1,95 @@
+<div role="tabpanel" class="tab-pane fade" id="tab-config-identity-provider" role="tabpanel" aria-labelledby="tab-config-identity-provider">
+  <div class="card mb-4">
+    <div class="card-header d-flex fs-5">
+      <button class="btn d-md-none flex-grow-1 text-start" data-bs-target="#collapse-tab-config-identity-provider" data-bs-toggle="collapse" aria-controls="collapse-tab-config-identity-provider">
+        {{ lang.admin.iam }}
+      </button>
+      <span class="d-none d-md-block">{{ lang.admin.iam }}</span>
+    </div>
+    <div id="collapse-tab-config-identity-provider" class="card-body collapse" data-bs-parent="#admin-content">
+      <p class="offset-sm-3 mb-4">{{ lang.admin.iam_description }}</p>
+      <form class="form-horizontal" autocapitalize="none" data-id="iam_sso" autocorrect="off" role="form" method="post">
+        <input type="hidden" name="authsource" value="keycloak">
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_url">{{ lang.admin.iam_server_url }}:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="iam_server_url" name="server_url" value="{{ identity_provider_settings.server_url }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_realm">{{ lang.admin.iam_realm }}:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="iam_realm" name="realm" value="{{ identity_provider_settings.realm }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="iam_client_id" name="client_id" value="{{ identity_provider_settings.client_id }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
+          <div class="col-sm-4">
+            <div class="reveal-password-input input-group">
+              <input type="password" class="password-field form-control" id="iam_client_secret" name="client_secret" value="{{ identity_provider_settings.client_secret }}" required>
+              <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
+            </div>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ identity_provider_settings.redirect_url }}" required>
+          </div>
+        </div>
+        <div class="row mb-4">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_version }}:</label>
+          <div class="col-sm-4">
+            <input type="text" class="form-control" id="iam_version" name="version" value="{{ identity_provider_settings.version }}" required>
+          </div>
+        </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_rolemapping }}:</label>
+          <div class="col-4 d-flex mb-2">
+            <span class="w-100 me-2">Role</span>
+            <span class="w-100 ms-2">Template</span>
+            <button id="iam_rolemap_add" class="btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-plus-lg"></i></button>
+          </div>
+          {% for key, role in identity_provider_settings.roles %}
+          <div class="offset-sm-3 col-4 d-flex mb-2">
+            <input type="text" class="form-control me-2" name="roles" value="{{ identity_provider_settings.roles[key] }}">
+            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}">
+            {% for mbox_template in mbox_templates %}
+              <option{% if mbox_template.template == identity_provider_settings.templates[key] %} selected{% endif %}>
+                {{ mbox_template.template }}
+              </option>
+            {% endfor %}
+            </select>
+            <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+          </div>
+          {% endfor %}
+          <div class="offset-sm-3 col-4 d-flex mb-2">
+            <input type="text" class="form-control me-2" name="roles" value="">
+            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}">
+            {% for mbox_template in mbox_templates %}
+              <option>
+                {{ mbox_template.template }}
+              </option>
+            {% endfor %}
+            </select>
+            <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+          </div>
+        </div>
+        <div class="row mt-4 mb-2">
+          <div class="offset-sm-3 col-sm-9">
+            <div class="btn-group">   
+              <button id="iam_test_connection" class="btn btn-sm d-block d-sm-inline btn-secondary"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
+              <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="iam_sso" data-action="edit_selected" data-id="iam_sso" data-api-url='edit/identity_provider' data-api-attr='{}' href="#"><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+            </div>
+          </div>
+        </div>
+      </form>
+    </div>
+  </div>
+</div>
diff --git a/data/web/templates/admin/tab-config-identity-providers.twig b/data/web/templates/admin/tab-config-identity-providers.twig
deleted file mode 100644
index c81978db9..000000000
--- a/data/web/templates/admin/tab-config-identity-providers.twig
+++ /dev/null
@@ -1,58 +0,0 @@
-<div role="tabpanel" class="tab-pane fade" id="tab-config-identity-providers" role="tabpanel" aria-labelledby="tab-config-identity-providers">
-  <div class="card mb-4">
-    <div class="card-header d-flex fs-5">
-      <button class="btn d-md-none flex-grow-1 text-start" data-bs-target="#collapse-tab-config-identity-providers" data-bs-toggle="collapse" aria-controls="collapse-tab-config-identity-providers">
-        {{ lang.admin.oauth2_apps }}
-      </button>
-      <span class="d-none d-md-block">{{ lang.admin.oauth2_apps }}</span>
-    </div>
-    <div id="collapse-tab-config-identity-providers" class="card-body collapse" data-bs-parent="#admin-content">
-      <form class="form-horizontal" autocapitalize="none" data-id="keycloak_sso" autocorrect="off" role="form" method="post">
-        <input type="hidden" name="authsource" value="keycloak">
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="keycloak_url">Server URL:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="keycloak_url" name="server_url" value="{{ identity_provider_settings.server_url }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="keycloak_realm">Realm:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="keycloak_realm" name="realm" value="{{ identity_provider_settings.realm }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="keycloak_client_id">Client Id:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="keycloak_client_id" name="client_id" value="{{ identity_provider_settings.client_id }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="keycloak_client_secret">Client Secret:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="keycloak_client_secret" name="client_secret" value="{{ identity_provider_settings.client_secret }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="keycloak_redirect_url">Redirect Url:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="keycloak_redirect_url" name="redirect_url" value="{{ identity_provider_settings.redirect_url }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="keycloak_version">Keycloak Version:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="keycloak_version" name="version" value="{{ identity_provider_settings.version }}" required>
-          </div>
-        </div>
-        <div class="row mt-4 mb-2">
-          <div class="offset-sm-3 col-sm-9">
-            <div class="btn-group">
-              <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="keycloak_sso" data-action="edit_selected" data-id="keycloak_sso" data-api-url='edit/identity_provider' data-api-attr='{}' href="#"><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
-            </div>
-          </div>
-        </div>
-      </form>
-    </div>
-  </div>
-</div>
diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 1c027138c..29b3cc23a 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -153,6 +153,8 @@
   var lang_acl = {{ lang_acl|raw }};
   var lang_tfa = {{ lang_tfa|raw }};
   var lang_fido2 = {{ lang_fido2|raw }};
+  var lang_success = {{ lang_success|raw }};
+  var lang_danger = {{ lang_danger|raw }};
   var docker_timeout = {{ docker_timeout|raw }} * 1000;
   var mailcow_cc_role = '{{ mailcow_cc_role }}';
   var last_login = '{{ last_login }}';
diff --git a/data/web/templates/edit/mailbox-templates.twig b/data/web/templates/edit/mailbox-templates.twig
index f606bd452..c83a15dd7 100644
--- a/data/web/templates/edit/mailbox-templates.twig
+++ b/data/web/templates/edit/mailbox-templates.twig
@@ -19,6 +19,15 @@
         </div>
       </div>
     </div>
+    <div class="row mb-2">
+      <label class="control-label col-sm-2" for="authsource">{{ lang.admin.iam }}</label>
+      <div class="col-sm-10">
+        <select class="full-width-select" data-live-search="true" id="mbox_template_iam" name="authsource" required>
+          <option {% if template.attributes.authsource == 'mailcow' %}selected{% endif %}>mailcow</option>
+          <option {% if template.attributes.authsource == 'keycloak' %}selected{% endif %}>keycloak</option>
+        </select>
+      </div>
+    </div>
     <div class="row mb-2">
       <label class="control-label col-sm-2">{{ lang.add.tags }}</label>
       <div class="col-sm-10">
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index 52b4096cc..d2275cdd2 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -26,9 +26,9 @@
                   <input type="hidden" value="0" name="sogo_access">
                   <input type="hidden" value="0" name="protocol_access">      
                   <div class="row mb-2">
-                    <label class="control-label col-sm-2">{{ lang.edit.full_name }}</label>
+                    <label class="control-label col-sm-2">{{ lang.admin.iam }}</label>
                     <div class="col-sm-10">
-                      <span>{{ result.authsource }}</span>
+                      <h4><span class="badge bg-primary">{{ result.authsource }}<i class="ms-2 bi bi-person-circle"></i></i></span></h4>
                     </div>
                   </div>
                   <div class="row mb-2">
diff --git a/data/web/templates/index.twig b/data/web/templates/index.twig
index 420bd5318..35e53b828 100644
--- a/data/web/templates/index.twig
+++ b/data/web/templates/index.twig
@@ -26,6 +26,13 @@
         <div class="my-4 alert alert-info ">{{ lang.login.mobileconfig_info }}</div>
         {% endif %}
         <form method="post" autofill="off">
+          {% if invalid_keycloak_sso %}
+          <div class="d-flex mt-3 w-100">
+            <div class="alert alert-danger w-100" role="alert">
+              {{ lang.danger.iam_invalid_sso}}
+            </div>
+          </div>
+          {% endif %}
           <div class="d-flex mt-3">
             <label class="visually-hidden" for="login_user">{{ lang.login.username }}</label>
             <div class="input-group">
@@ -40,10 +47,16 @@
               <input name="pass_user" type="password" id="pass_user" class="form-control" placeholder="{{ lang.login.password }}" required="" autocomplete="current-password">
             </div>
           </div>
-          <div class="d-flex justify-content-between mt-4" style="position: relative">
-            <div class="d-grid gap-2 d-sm-block">
+          <div class="d-flex mt-4" style="position: relative">
+            <div class="btn-group">
               <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
-              <button type="button" class="btn btn-xs-lg btn-success" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</button>
+              <button type="button" class="btn btn-xs-lg btn-success dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
+              <ul class="dropdown-menu">
+                <li><a class="dropdown-item" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a></li>
+                {% if has_keycloak_sso %}
+                <li><a class="dropdown-item" href="/?keycloak_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a></li>
+                {% endif %}
+              </ul>
             </div>
             {% if not oauth2_request %}
             <div class="d-grid d-sm-block">
diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig
index 5d6ea535b..e0b4f02b6 100644
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -12,6 +12,12 @@
           <input type="hidden" value="0" name="sogo_access">
           <input type="hidden" value="0" name="protocol_access">
 
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="name">{{ lang.add.full_name }}</label>
+            <div class="col-sm-10">
+              <input type="text" class="form-control" name="name">
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end" for="local_part">{{ lang.add.mailbox_username }}</label>
             <div class="col-sm-10">
@@ -28,38 +34,34 @@
               </select>
             </div>
           </div>
-          <div class="row mb-2">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="authsource">{{ lang.add.domain }}</label>
+          <div class="row mb-4">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="description">{{ lang.mailbox.template }}</label>
             <div class="col-sm-10">
-              <select class="full-width-select" data-live-search="true" id="addAuthsource" name="authsource" required>
+              <select data-live-search="true" id="mailbox_templates" class="form-control" title="{{ lang.mailbox.template }}">
+              </select>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="authsource">{{ lang.admin.iam }}</label>
+            <div class="col-sm-10">
+              <select class="full-width-select" data-live-search="true" id="mbox_add_iam" name="authsource" required>
                 <option selected>mailcow</option>
                 <option>keycloak</option>
               </select>
             </div>
           </div>
-          <div class="row mb-4">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="name">{{ lang.add.full_name }}</label>
-            <div class="col-sm-10">
-              <input type="text" class="form-control" name="name">
+          <div id="mbox_add_pwds">
+            <div class="row mb-2">
+              <label class="control-label col-sm-2 text-sm-end text-sm-end" for="password">{{ lang.add.password }} (<a href="#" class="generate_password">{{ lang.add.generate }}</a>)</label>
+              <div class="col-sm-10">
+                <input type="password" data-pwgen-field="true" data-hibp="true" class="form-control" name="password" placeholder="" autocomplete="new-password" required>
+              </div>
             </div>
-          </div>
-          <div class="row mb-2">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="password">{{ lang.add.password }} (<a href="#" class="generate_password">{{ lang.add.generate }}</a>)</label>
-            <div class="col-sm-10">
-              <input type="password" data-pwgen-field="true" data-hibp="true" class="form-control" name="password" placeholder="" autocomplete="new-password" required>
-            </div>
-          </div>
-          <div class="row mb-4">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="password2">{{ lang.add.password_repeat }}</label>
-            <div class="col-sm-10">
-              <input type="password" data-pwgen-field="true" class="form-control" name="password2" placeholder="" autocomplete="new-password" required>
-            </div>
-          </div>
-          <div class="row mb-2">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="description">{{ lang.mailbox.template }}</label>
-            <div class="col-sm-10">
-              <select data-live-search="true" id="mailbox_templates" class="form-control" title="{{ lang.mailbox.template }}">
-              </select>
+            <div class="row mb-4">
+              <label class="control-label col-sm-2 text-sm-end text-sm-end" for="password2">{{ lang.add.password_repeat }}</label>
+              <div class="col-sm-10">
+                <input type="password" data-pwgen-field="true" class="form-control" name="password2" placeholder="" autocomplete="new-password" required>
+              </div>
             </div>
           </div>
           <div class="row mb-2">
@@ -234,6 +236,15 @@
               </div>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="authsource">{{ lang.admin.iam }}</label>
+            <div class="col-sm-10">
+              <select class="full-width-select" data-live-search="true" id="mbox_template_iam" name="authsource">
+                <option selected>mailcow</option>
+                <option>keycloak</option>
+              </select>
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end">{{ lang.add.tags }}</label>
             <div class="col-sm-10">

From eba1d469c88914ea6d7b223fe12bbddb847581c6 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 14 Mar 2023 14:30:32 +0100
Subject: [PATCH 015/378] [Web] keycloak auth functions

---
 data/web/inc/functions.auth.inc.php    | 291 ++++++++++++++++++++++++-
 data/web/inc/functions.mailbox.inc.php |   8 +-
 data/web/inc/triggers.inc.php          |  32 +++
 data/web/index.php                     |   2 +
 4 files changed, 326 insertions(+), 7 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 3f4f2f3b7..6a8a1dda7 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -1,4 +1,14 @@
 <?php
+function unset_auth_session(){
+  unset($_SESSION['keycloak_token']);
+  unset($_SESSION['keycloak_refresh_token']);
+  unset($_SESSION['mailcow_cc_username']);
+  unset($_SESSION['mailcow_cc_role']);
+  unset($_SESSION['oauth2state']);
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+}
 function check_login($user, $pass, $app_passwd_data = false) {
   global $pdo;
   global $redis;
@@ -40,7 +50,13 @@ function check_login($user, $pass, $app_passwd_data = false) {
         AND `username` = :user");
   $stmt->execute(array(':user' => $user));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  if ($row['authsource'] == 'keycloak'){
+  if (!$row){
+    // mbox does not exist, call keycloak login and create mbox if possible
+    $result = keycloak_mbox_login($user, $pass, $is_dovecot, true);
+    if ($result){
+      return $result;
+    }
+  } else if ($row['authsource'] == 'keycloak'){
     $result = keycloak_mbox_login($user, $pass, $is_dovecot);
     if ($result){
       return $result;
@@ -123,13 +139,13 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
     // fetch password data
     $stmt = $pdo->prepare($app_passwd_query);
     $stmt->execute(array(':user' => $user));
-    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
   }
 
   foreach ($rows as $row) { 
     // verify password
     if (verify_hash($row['password'], $pass) !== false) {
-      if (!$is_app_passwd){ 
+      if (!array_key_exists("app_passwd_id", $row)){ 
         // password is not a app password
         // check for tfa authenticators
         $authenticators = get_tfa($user);
@@ -152,12 +168,14 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
             // Reactivate TFA if it was set to "deactivate TFA for next login"
             $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
             $stmt->execute(array(':user' => $user));
+            if (!$is_internal){
               // skip log
               $_SESSION['return'][] =  array(
                 'type' => 'success',
                 'log' => array(__FUNCTION__, $user, '*'),
                 'msg' => array('logged_in_as', $user)
               );
+            }
           }
           return "user";
         }
@@ -183,6 +201,52 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
     }
   }
 
+  foreach ($rows as $row) { 
+    // verify password
+    if (verify_hash($row['password'], $pass) !== false) {
+      if (!array_key_exists("app_passwd_id", $row)){ 
+        // password is not a app password
+        // check for tfa authenticators
+        $authenticators = get_tfa($user);
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 &&
+            $app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true) {
+          // authenticators found, init TFA flow
+          $_SESSION['pending_mailcow_cc_username'] = $user;
+          $_SESSION['pending_mailcow_cc_role'] = "user";
+          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+          unset($_SESSION['ldelay']);
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => array('logged_in_as', $user)
+          );
+          return "pending";
+        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          // no authenticators found, login successfull
+          // Reactivate TFA if it was set to "deactivate TFA for next login"
+          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+          $stmt->execute(array(':user' => $user));
+
+          unset($_SESSION['ldelay']);
+          return "user";
+        }
+      } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
+        // password is a app password
+        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
+        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+        $stmt->execute(array(
+          ':service' => $service,
+          ':app_id' => $row['app_passwd_id'],
+          ':username' => $user,
+          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+        ));
+
+        unset($_SESSION['ldelay']);
+        return "user";
+      }
+    }
+  }
+
   return false;
 }
 function mailcow_domainadmin_login($user, $pass){
@@ -273,6 +337,223 @@ function mailcow_admin_login($user, $pass){
   return false;
 }
 
-function keycloak_mbox_login($user, $pass, $is_internal = false){
-  return false;
+function keycloak_mbox_login($user, $pass, $is_internal = false, $create = false){
+  global $pdo;
+
+  $identity_provider_settings = identity_provider('get');
+  $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+  $req = http_build_query(array(
+    'grant_type'    => 'password',
+    'client_id'     => $identity_provider_settings['client_id'],
+    'client_secret' => $identity_provider_settings['client_secret'],
+    'username'      => $user,
+    'password'      => $pass,
+  ));
+  $curl = curl_init();
+  curl_setopt($curl, CURLOPT_URL, $url);
+  curl_setopt($curl, CURLOPT_POST, 1);
+  curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+  curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+  $res = json_decode(curl_exec($curl), true);
+  $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+  curl_close ($curl);
+
+  if ($code == 200) {
+    // decode jwt
+    $user_data = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $res['access_token'])[1]))), true);
+    if ($user != $user_data['email']){
+      // check if $user is email address, only accept email address as username
+      return false;
+    }
+    if ($create && !empty($identity_provider_settings['roles'])){
+      // try to create mbox on successfull login
+      $user_roles = $user_data['realm_access']['roles'];
+      $mbox_template = null;
+      // check if matching rolemapping exist
+      foreach ($user_roles as $index => $role){
+        if (in_array($role, $identity_provider_settings['roles'])) {
+          $mbox_template = $identity_provider_settings['templates'][$index];
+          break;
+        }
+      }
+      if ($mbox_template){
+        $stmt = $pdo->prepare("SELECT * FROM `templates` 
+        WHERE `template` = :template AND type = 'mailbox'");
+        $stmt->execute(array(
+          ":template" => $mbox_template
+        ));
+        $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+
+        if (!empty($mbox_template_data)){
+          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+          $mbox_template_data['domain'] = explode('@', $user)[1];
+          $mbox_template_data['local_part'] = explode('@', $user)[0];
+          $mbox_template_data['authsource'] = 'keycloak';
+          $_SESSION['iam_create_login'] = true;
+          $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+          $_SESSION['iam_create_login'] = false;
+          if (!$create_res){
+            return false;
+          }
+        }
+      }
+    }
+
+    $_SESSION['return'][] =  array(
+      'type' => 'success',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => array('logged_in_as', $user)
+    );
+    return 'user';
+  } else {
+    return false;
+  }
+}
+function keycloak_verify_token(){
+  global $keycloak_provider;
+  global $pdo;
+
+  try {
+    $token = $keycloak_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
+  } catch (Exception $e) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__),
+      'msg' => array('login_failed', $e->getMessage())
+    );
+    die($e->getMessage() . " - " . $_GET['code'] . " - " . $_SESSION['oauth2state']);
+    return false;
+  }
+  
+  $login = false;
+  $_SESSION['keycloak_token'] = $token->getToken();
+  $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
+  // decode jwt data
+  $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $token->getToken())[1]))), true);
+  if (in_array("mailbox", $info['realm_access']['roles']) && $info['email']){
+    // token valid, get mailbox
+    $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active`='1'
+        AND `domain`.`active`='1'
+        AND `username` = :user
+        AND `authsource`='keycloak'");
+    $stmt->execute(array(':user' => $info['email']));
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+    if ($row){
+      $_SESSION['mailcow_cc_username'] = $info['email'];
+      $_SESSION['mailcow_cc_role'] = "user";
+      $login = true;
+    } else {
+      $identity_provider_settings = identity_provider('get');
+      if (!empty($identity_provider_settings['roles'])){
+        // try to create mbox on successfull login
+        $user_roles = $info['realm_access']['roles'];
+        $mbox_template = null;
+        // check if matching rolemapping exist
+        foreach ($user_roles as $index => $role){
+          if (in_array($role, $identity_provider_settings['roles'])) {
+            $mbox_template = $identity_provider_settings['templates'][$index];
+            break;
+          }
+        }
+        if ($mbox_template){
+          $stmt = $pdo->prepare("SELECT * FROM `templates` 
+          WHERE `template` = :template AND type = 'mailbox'");
+          $stmt->execute(array(
+            ":template" => $mbox_template
+          ));
+          $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+
+          if (!empty($mbox_template_data)){
+            $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+            $mbox_template_data['domain'] = explode('@', $info['email'])[1];
+            $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
+            $mbox_template_data['authsource'] = 'keycloak';
+            $_SESSION['iam_create_login'] = true;
+            $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+            $_SESSION['iam_create_login'] = false;
+            if ($create_res){
+              $_SESSION['mailcow_cc_username'] = $info['email'];
+              $_SESSION['mailcow_cc_role'] = "user";
+              $login = true;
+            }
+          }
+        }
+      }
+    }
+  } 
+
+  if ($login){
+    $_SESSION['return'][] =  array(
+      'type' => 'success',
+      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+      'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+    );
+  } else {
+    unset_auth_session();  
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+      'msg' => 'login_failed'
+    );
+  }
+  return $login;
+}
+function keycloak_refresh(){
+  global $keycloak_provider;
+
+  try {
+    $token = $keycloak_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['keycloak_refresh_token']]);
+  } catch (Exception $e) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__),
+      'msg' => array('login_failed', $e->getMessage())
+    );
+    return false;
+  }
+
+
+  $refresh = false;
+  $_SESSION['keycloak_token'] = $token->getToken();
+  $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
+  // decode jwt data
+  $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $_SESSION['keycloak_token'])[1]))), true);
+  if (in_array("mailbox",  $info['realm_access']['roles']) && $info['email']){
+    $_SESSION['mailcow_cc_username'] = $info['email'];
+
+    $_SESSION['mailcow_cc_role'] = "user";
+    $refresh = true;
+  } 
+
+  if (!$refresh){
+    unset_auth_session();  
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+      'msg' => 'refresh_login_failed'
+    );
+  }
+
+  return $refresh;
+}
+function keycloak_get_redirect(){
+  global $keycloak_provider;
+
+  $authUrl = $keycloak_provider->getAuthorizationUrl();
+  $_SESSION['oauth2state'] = $keycloak_provider->getState();
+
+  return $authUrl;
+}
+function keycloak_get_logout(){
+  global $keycloak_provider;
+
+  $logoutUrl = $keycloak_provider->getLogoutUrl();
+  $logoutUrl = $logoutUrl . "&post_logout_redirect_uri=https://" . $_SERVER['SERVER_NAME'];
+
+  return $logoutUrl;
 }
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index a38094022..c93cbfac0 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1044,7 +1044,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $password2 = '';
             $password_hashed = '';
           }
-          if ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0) {
+          if (!$_SESSION['iam_create_login'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1098,7 +1098,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_SESSION['iam_create_login']) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1547,7 +1547,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
 
           // check attributes
+          $authsources = array('mailcow', 'keycloak');
           $attr = array();
+          $attr["authsource"]                  = (isset($_data['authsource']) && in_array($_data['authsource'], $authsources)) ? $_data['authsource'] : 'mailcow';
           $attr["quota"]                       = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0;
           $attr['tags']                        = (isset($_data['tags'])) ? $_data['tags'] : array();
           $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
@@ -3235,7 +3237,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $_data["template"]                   = (isset($_data["template"])) ? $_data["template"] : $is_now["template"]; 
             }   
             // check attributes
+            $authsources = array('mailcow', 'keycloak');
             $attr = array();
+            $attr["authsource"]                  = (isset($_data['authsource']) && in_array($_data['authsource'], $authsources)) ? $_data['authsource'] : $is_now['authsource'];
             $attr["quota"]                       = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0;
             $attr['tags']                        = (isset($_data['tags'])) ? $_data['tags'] : $is_now['tags'];
             $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 6922429b8..50722a797 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -1,4 +1,36 @@
 <?php
+// handle keycloak authentication
+if ($keycloak_provider){
+  if (isset($_GET['keycloak_sso'])){
+    // redirect to keycloak for sso
+    $redirect_uri = keycloak_get_redirect();
+    header('Location: ' . $redirect_uri);
+    die();
+  }
+  if ($_SESSION['keycloak_token'] && $_SESSION['keycloak_refresh_token']) {
+    // Session found, try to refresh
+    $isRefreshed = keycloak_refresh();
+
+    if (!$isRefreshed){
+      // Session could not be refreshed, clear and redirect to keycloak
+      unset_auth_session();
+      $redirect_uri = keycloak_get_redirect();
+      header('Location: ' . $redirect_uri);
+      die();
+    }
+  } elseif ($_GET['code'] && $_GET['state'] === $_SESSION['oauth2state']) {
+    // Check given state against previously stored one to mitigate CSRF attack
+    // Recieved access token in $_GET['code']
+    // extract info and verify user
+    $isValid = keycloak_verify_token();
+
+    if (!$isValid){
+      // Token could not be verified, redirect to keycloak
+      $_SESSION['invalid_keycloak_sso'] = true;
+    }
+  }
+}
+
 // SSO Domain Admin
 if (!empty($_GET['sso_token'])) {
   $username = domain_admin_sso('check', $_GET['sso_token']);
diff --git a/data/web/index.php b/data/web/index.php
index 05b3a7f47..05c50b01f 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -29,6 +29,8 @@ $template_data = [
   'oauth2_request' => @$_SESSION['oauth2_request'],
   'is_mobileconfig' => str_contains($_SESSION['index_query_string'], 'mobileconfig'),
   'login_delay' => @$_SESSION['ldelay'],
+  'has_keycloak_sso' => ($keycloak_provider) ? true : false,
+  'invalid_keycloak_sso' => $_SESSION['invalid_keycloak_sso']
 ];
 
 $js_minifier->add('/web/js/site/index.js');

From 13f88826165b8cf2c4e82e4596078039b5ccfa6a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 14 Mar 2023 14:38:28 +0100
Subject: [PATCH 016/378] [Web] fix app_pass ignore_access

---
 data/web/inc/functions.auth.inc.php | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 6a8a1dda7..6a0cafa8b 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -133,7 +133,7 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
         AND `app_passwd`.`mailbox` = :user";
     // check if app password has protocol access
     // skip if $app_passwd_data['ignore_hasaccess'] is true and the call is not external
-    if (!$app_passwd_data['ignore_hasaccess'] || !$is_internal){
+    if (!$is_internal || ($is_internal && !$app_passwd_data['ignore_hasaccess'])){
       $app_passwd_query = $app_passwd_query . " AND `app_passwd`.`" . $is_app_passwd . "_access` = '1'";
     }
     // fetch password data
@@ -168,14 +168,11 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
             // Reactivate TFA if it was set to "deactivate TFA for next login"
             $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
             $stmt->execute(array(':user' => $user));
-            if (!$is_internal){
-              // skip log
-              $_SESSION['return'][] =  array(
-                'type' => 'success',
-                'log' => array(__FUNCTION__, $user, '*'),
-                'msg' => array('logged_in_as', $user)
-              );
-            }
+            $_SESSION['return'][] =  array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $user, '*'),
+              'msg' => array('logged_in_as', $user)
+            );
           }
           return "user";
         }

From 204063819ccc4e04b6ab03018e194d1429d67da8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 14 Mar 2023 18:30:18 +0100
Subject: [PATCH 017/378] [Web] fix broken sogo-sso

---
 data/web/inc/functions.mailbox.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index c93cbfac0..f549785e7 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1327,7 +1327,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
             'msg' => array('mailbox_added', htmlspecialchars($username))
           );
-          return true;
         break;
         case 'resource':
           $domain             = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
@@ -5568,4 +5567,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
   if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource')) && getenv('SKIP_SOGO') != "y") {
     update_sogo_static_view();
   }
+  
+  return true;
 }

From f251c9826e72f32564cc2bfbc1c57fd1d63f05cd Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 14 Mar 2023 18:41:05 +0100
Subject: [PATCH 018/378] [Web] create ratelimit acl on iam mbox creation

---
 data/web/inc/functions.ratelimit.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index f9e7a71a6..f311533fa 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -92,7 +92,7 @@ function ratelimit($_action, $_scope, $_data = null) {
               );
               continue;
             }
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object) && !$_SESSION['iam_create_login']
               || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',

From 1aeb36d40e2ed921bc0caaf33fd2c679b674363c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 14 Mar 2023 18:49:57 +0100
Subject: [PATCH 019/378] [Web] create ratelimit acl on iam mbox creation 2

---
 data/web/inc/functions.ratelimit.inc.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index f311533fa..93840b5eb 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null) {
   $_data_log = $_data;
   switch ($_action) {
     case 'edit':
-      if (!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1" ) {
+      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_SESSION['iam_create_login']) {
         $_SESSION['return'][] = array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null) {
               );
               continue;
             }
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object) && !$_SESSION['iam_create_login']
-              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
+            if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
+              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_SESSION['iam_create_login']) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),

From 1c73a16ca085132e3b73a62222883c36d018d502 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 15 Mar 2023 16:19:30 +0100
Subject: [PATCH 020/378] new dovecout lua auth - use https

---
 data/Dockerfiles/dovecot/Dockerfile           | 1 +
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index a35589689..a9d4739cf 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -34,6 +34,7 @@ RUN addgroup -g 5000 vmail \
   icu-data-full \
   mariadb-connector-c \
   gcompat \
+  lua-sec \
   mariadb-client \
   perl \
   perl-ntlm \
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index f146a8a01..be9dd4d44 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -136,8 +136,8 @@ function auth_password_verify(request, password)
 
   json = require "json"
   ltn12 = require "ltn12"
-  http = require "socket.http"
-  http.TIMEOUT = 5
+  https = require "ssl.https"
+  https.TIMEOUT = 5
   mysql = require "luasql.mysql"
   env  = mysql.mysql()
   con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
@@ -150,7 +150,7 @@ function auth_password_verify(request, password)
   local res = {} 
   
   -- check against mailbox passwds
-  local b, c = http.request {
+  local b, c = https.request {
     method = "POST",
     url = "https://nginx/api/v1/process/login",
     source = ltn12.source.string(req_json),
@@ -181,7 +181,7 @@ function auth_password_verify(request, password)
       req.protocol.ignore_hasaccess = true
     end
 
-    local b, c = http.request {
+    local b, c = https.request {
       method = "POST",
       url = "https://nginx/api/v1/process/login",
       source = ltn12.source.string(req_json),

From b7a18255fe77a911bbdd929628c547357180df01 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 17 Mar 2023 13:14:36 +0100
Subject: [PATCH 021/378] [Web] rename role mapping to attribute mapping

---
 data/web/inc/functions.inc.php                | 30 +++++++++----------
 data/web/lang/lang.en-gb.json                 |  4 +--
 .../admin/tab-config-identity-provider.twig   | 10 +++----
 3 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 0a1edcff3..f64f150ad 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2078,8 +2078,8 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       $stmt->execute();
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       foreach($rows as $row){
-        if ($row["key"] == 'roles'){
-          $settings['roles'] = json_decode($row["value"]);
+        if ($row["key"] == 'mappers'){
+          $settings['mappers'] = json_decode($row["value"]);
         } else if ($row["key"] == 'templates'){
           $settings['templates'] = json_decode($row["value"]);
         } else {
@@ -2117,7 +2117,7 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         }
       }
       foreach($_data as $key => $value){
-        if (!in_array($key, $required_settings) || $key == 'roles' || $key == 'templates'){
+        if (!in_array($key, $required_settings) || $key == 'mappers' || $key == 'templates'){
           continue;
         }
 
@@ -2126,19 +2126,19 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         $stmt->execute();
       }
 
-      // add role mappings
-      if ($_data['roles'] && $_data['templates']){
-        if (!is_array($_data['roles'])){
-          $_data['roles'] = array($_data['roles']);
+      // add mappers
+      if ($_data['mappers'] && $_data['templates']){
+        if (!is_array($_data['mappers'])){
+          $_data['mappers'] = array($_data['mappers']);
         }
         if (!is_array($_data['templates'])){
           $_data['templates'] = array($_data['templates']);
         }
-        $roles = array();
+        $mappers = array();
         $templates = array();
-        foreach($_data['roles'] as $role){
-          if ($role){
-            array_push($roles, $role);
+        foreach($_data['mappers'] as $mapper){
+          if ($mapper){
+            array_push($mappers, $mapper);
           }
         }
         foreach($_data['templates'] as $template){
@@ -2146,12 +2146,12 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
             array_push($templates, $template);
           }
         }
-        if (count($roles) == count($templates)){
-          $roles = json_encode($roles);
+        if (count($mappers) == count($templates)){
+          $mappers = json_encode($mappers);
           $templates = json_encode($templates);
 
-          $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('roles', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
-          $stmt->bindParam(':value', $roles);
+          $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('mappers', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+          $stmt->bindParam(':value', $mappers);
           $stmt->execute();
           $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('templates', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
           $stmt->bindParam(':value', $templates);
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 436a9b370..ebebd3dc8 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -214,10 +214,10 @@
         "iam": "Identity Provider",
         "iam_client_id": "Client Id",
         "iam_client_secret": "Client Secret",
-        "iam_description": "Here, you can configure the integration with an external Keycloak service. The Keycloak user's mailboxes will be automatically created upon their first login, provided that a role mapping has been set.",
+        "iam_description": "Here, you can configure the integration with an external Keycloak service. The Keycloak user's mailboxes will be automatically created upon their first login, provided that a attribute mapping has been set.",
         "iam_realm": "Realm",
         "iam_redirect_url": "Redirect Url",
-        "iam_rolemapping": "Role Mapping",
+        "iam_mapping": "Attribute Mapping",
         "iam_server_url": "Server Url",
         "iam_sso": "SSO",
         "iam_test_connection": "Test Connection",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 600b336a3..fd7a8dc81 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -50,15 +50,15 @@
           </div>
         </div>
         <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_rolemapping }}:</label>
+          <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_mapping }}:</label>
           <div class="col-4 d-flex mb-2">
-            <span class="w-100 me-2">Role</span>
+            <span class="w-100 me-2">Attribute</span>
             <span class="w-100 ms-2">Template</span>
             <button id="iam_rolemap_add" class="btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-plus-lg"></i></button>
           </div>
-          {% for key, role in identity_provider_settings.roles %}
+          {% for key, role in identity_provider_settings.mappers %}
           <div class="offset-sm-3 col-4 d-flex mb-2">
-            <input type="text" class="form-control me-2" name="roles" value="{{ identity_provider_settings.roles[key] }}">
+            <input type="text" class="form-control me-2" name="mappers" value="{{ identity_provider_settings.mappers[key] }}">
             <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}">
             {% for mbox_template in mbox_templates %}
               <option{% if mbox_template.template == identity_provider_settings.templates[key] %} selected{% endif %}>
@@ -70,7 +70,7 @@
           </div>
           {% endfor %}
           <div class="offset-sm-3 col-4 d-flex mb-2">
-            <input type="text" class="form-control me-2" name="roles" value="">
+            <input type="text" class="form-control me-2" name="mappers" value="">
             <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}">
             {% for mbox_template in mbox_templates %}
               <option>

From d4ae61646020eb23b5a7fdcca6e5ca80d21a6bf8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 17 Mar 2023 13:15:31 +0100
Subject: [PATCH 022/378] replace ropc flow with keycloak rest api flow

---
 data/Dockerfiles/dovecot/docker-entrypoint.sh |  13 +-
 data/web/inc/functions.auth.inc.php           | 465 +++++++++++-------
 2 files changed, 296 insertions(+), 182 deletions(-)

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index be9dd4d44..a7936bf2d 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -172,14 +172,13 @@ function auth_password_verify(request, password)
   -- check against app passwds for imap and smtp
   -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
   if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
+    skip_sasl_log = true
     req.protocol = {}
-    req.protocol[request.service] = true
-    req_json = json.encode(req)
-
-    req.protocol.ignore_hasaccess = false
-    if tostring(req.real_rip) == "__IPV4_SOGO__" then
-      req.protocol.ignore_hasaccess = true
+    if tostring(req.real_rip) != "__IPV4_SOGO__" then
+      skip_sasl_log = false
+      req.protocol[request.service] = true
     end
+    req_json = json.encode(req)
 
     local b, c = https.request {
       method = "POST",
@@ -193,7 +192,7 @@ function auth_password_verify(request, password)
     }
     local api_response = json.decode(table.concat(res))
     if api_response.role == 'user' then
-      if req.protocol.ignore_hasaccess == false then
+      if skip_sasl_log == true then
         con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
           VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
       end
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 6a0cafa8b..c125b5d68 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -37,7 +37,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
   // Validate mailbox user
   // skip log & ldelay if requests comes from dovecot
   $is_dovecot = false;
-  $request_ip =  ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+  $request_ip =  $_SERVER['REMOTE_ADDR'];
   if ($request_ip == getenv('IPV4_NETWORK').'.250'){
     $is_dovecot = true;
   }
@@ -52,16 +52,32 @@ function check_login($user, $pass, $app_passwd_data = false) {
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
   if (!$row){
     // mbox does not exist, call keycloak login and create mbox if possible
-    $result = keycloak_mbox_login($user, $pass, $is_dovecot, true);
+    $result = keycloak_mbox_login_rest($user, $pass, $is_dovecot, true);
     if ($result){
       return $result;
     }
   } else if ($row['authsource'] == 'keycloak'){
-    $result = keycloak_mbox_login($user, $pass, $is_dovecot);
+    if ($app_passwd_data){
+      // first check if password is app_password
+      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+      if ($result){
+        return $result;
+      }
+    }
+
+    $result = keycloak_mbox_login_rest($user, $pass, $is_dovecot);
     if ($result){
       return $result;
     }
   } else {
+    if ($app_passwd_data){
+      // first check if password is app_password
+      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+      if ($result){
+        return $result;
+      }
+    }
+
     $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
     if ($result){
       return $result;
@@ -106,42 +122,6 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
   $stmt->execute(array(':user' => $user));
   $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
 
-  // check if password is app password
-  $is_app_passwd = false;
-  if ($app_passwd_data['eas']){
-    $is_app_passwd = 'eas';
-  } else if ($app_passwd_data['dav']){
-    $is_app_passwd = 'dav';
-  } else if ($app_passwd_data['smtp']){
-    $is_app_passwd = 'smtp';
-  } else if ($app_passwd_data['imap']){
-    $is_app_passwd = 'imap';
-  } else if ($app_passwd_data['sieve']){
-    $is_app_passwd = 'sieve';
-  } else if ($app_passwd_data['pop3']){
-    $is_app_passwd = 'pop3';
-  }
-  if ($is_app_passwd){
-    // fetch app password data
-    $app_passwd_query = "SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
-      INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
-      INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
-      WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active` = '1'
-        AND `domain`.`active` = '1'
-        AND `app_passwd`.`active` = '1'
-        AND `app_passwd`.`mailbox` = :user";
-    // check if app password has protocol access
-    // skip if $app_passwd_data['ignore_hasaccess'] is true and the call is not external
-    if (!$is_internal || ($is_internal && !$app_passwd_data['ignore_hasaccess'])){
-      $app_passwd_query = $app_passwd_query . " AND `app_passwd`.`" . $is_app_passwd . "_access` = '1'";
-    }
-    // fetch password data
-    $stmt = $pdo->prepare($app_passwd_query);
-    $stmt->execute(array(':user' => $user));
-    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
-  }
-
   foreach ($rows as $row) { 
     // verify password
     if (verify_hash($row['password'], $pass) !== false) {
@@ -176,70 +156,6 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
           }
           return "user";
         }
-      } elseif ($is_app_passwd) {
-        // password is a app password
-        if ($is_internal){
-          // skip log
-          return "user";
-        }
-
-        $service = strtoupper($is_app_passwd);
-        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
-        $stmt->execute(array(
-          ':service' => $service,
-          ':app_id' => $row['app_passwd_id'],
-          ':username' => $user,
-          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
-        ));
-
-        unset($_SESSION['ldelay']);
-        return "user";
-      }
-    }
-  }
-
-  foreach ($rows as $row) { 
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      if (!array_key_exists("app_passwd_id", $row)){ 
-        // password is not a app password
-        // check for tfa authenticators
-        $authenticators = get_tfa($user);
-        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 &&
-            $app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true) {
-          // authenticators found, init TFA flow
-          $_SESSION['pending_mailcow_cc_username'] = $user;
-          $_SESSION['pending_mailcow_cc_role'] = "user";
-          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-          unset($_SESSION['ldelay']);
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
-            'msg' => array('logged_in_as', $user)
-          );
-          return "pending";
-        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-          // no authenticators found, login successfull
-          // Reactivate TFA if it was set to "deactivate TFA for next login"
-          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-          $stmt->execute(array(':user' => $user));
-
-          unset($_SESSION['ldelay']);
-          return "user";
-        }
-      } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
-        // password is a app password
-        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
-        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
-        $stmt->execute(array(
-          ':service' => $service,
-          ':app_id' => $row['app_passwd_id'],
-          ':username' => $user,
-          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
-        ));
-
-        unset($_SESSION['ldelay']);
-        return "user";
       }
     }
   }
@@ -333,8 +249,76 @@ function mailcow_admin_login($user, $pass){
 
   return false;
 }
+function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal = false){
+  global $pdo;
 
-function keycloak_mbox_login($user, $pass, $is_internal = false, $create = false){
+  $protocol = false;
+  if ($app_passwd_data['eas']){
+    $protocol = 'eas';
+  } else if ($app_passwd_data['dav']){
+    $protocol = 'dav';
+  } else if ($app_passwd_data['smtp']){
+    $protocol = 'smtp';
+  } else if ($app_passwd_data['imap']){
+    $protocol = 'imap';
+  } else if ($app_passwd_data['sieve']){
+    $protocol = 'sieve';
+  } else if ($app_passwd_data['pop3']){
+    $protocol = 'pop3';
+  }
+
+  // fetch app password data
+  $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+    INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
+    INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
+    WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
+      AND `mailbox`.`active` = '1'
+      AND `domain`.`active` = '1'
+      AND `app_passwd`.`active` = '1'
+      AND `app_passwd`.`mailbox` = :user
+      :has_access_query"
+  );    
+  // check if app password has protocol access
+  // skip if protocol is false and the call is not external
+  $has_access_query = '';
+  if (!$is_internal || ($is_internal && !empty($protocol))){
+    $has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'";
+  }
+  // fetch password data
+  $stmt->execute(array(
+    ':user' => $user,
+    ':has_access_query' => $has_access_query
+  ));
+  $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
+  
+  foreach ($rows as $row) { 
+    // verify password
+    if (verify_hash($row['password'], $pass) !== false) {
+      if ($is_internal){
+        // skip sasl_log, dovecot does the job
+        return "user";
+      }
+
+      $service = strtoupper($is_app_passwd);
+      $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+      $stmt->execute(array(
+        ':service' => $service,
+        ':app_id' => $row['app_passwd_id'],
+        ':username' => $user,
+        ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+      ));
+
+      unset($_SESSION['ldelay']);
+      return "user";
+    }
+  }
+
+  return false;
+}
+
+// ROPC Flow (deprecated oAuth2.1)
+// uses direct user credentials for UI, IMAP and SMTP Auth
+function keycloak_mbox_login_ropc($user, $pass, $is_internal = false, $create = false){
   global $pdo;
 
   $identity_provider_settings = identity_provider('get');
@@ -363,7 +347,7 @@ function keycloak_mbox_login($user, $pass, $is_internal = false, $create = false
       // check if $user is email address, only accept email address as username
       return false;
     }
-    if ($create && !empty($identity_provider_settings['roles'])){
+    if ($create && !empty($identity_provider_settings['mappers'])){
       // try to create mbox on successfull login
       $user_roles = $user_data['realm_access']['roles'];
       $mbox_template = null;
@@ -407,6 +391,117 @@ function keycloak_mbox_login($user, $pass, $is_internal = false, $create = false
     return false;
   }
 }
+// Keycloak REST Api Flow - auth user by mailcow_password attribute
+// This password will be used for direct UI, IMAP and SMTP Auth
+// To use direct user credentials, only Authorization Code Flow is valid
+function keycloak_mbox_login_rest($user, $pass, $is_internal = false, $create = false){
+  global $pdo;
+
+  $identity_provider_settings = identity_provider('get');
+
+  // get access_token for service account of mailcow client
+  $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+  $req = http_build_query(array(
+    'grant_type'    => 'client_credentials',
+    'client_id'     => $identity_provider_settings['client_id'],
+    'client_secret' => $identity_provider_settings['client_secret']
+  ));
+  $curl = curl_init();
+  curl_setopt($curl, CURLOPT_URL, $url);
+  curl_setopt($curl, CURLOPT_POST, 1);
+  curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+  curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+  $mcclient_res = json_decode(curl_exec($curl), true);
+  $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+  curl_close ($curl);
+  if ($code != 200) {
+    return false;
+  }
+
+  // get the mailcow_password attribute from keycloak user
+  $url = "{$identity_provider_settings['server_url']}/admin/realms/{$identity_provider_settings['realm']}/users";
+  $queryParams = array('email' => $user, 'exact' => true);
+  $queryString = http_build_query($queryParams);
+  $curl = curl_init();
+  curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
+  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+  curl_setopt($curl, CURLOPT_HTTPHEADER, array(
+      'Authorization: Bearer ' . $mcclient_res['access_token'],
+      'Content-Type: application/json'
+  ));
+  $user_res = json_decode(curl_exec($curl), true)[0];
+  $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+  curl_close($curl);
+  if ($code != 200) {
+    return false;
+  }
+
+  
+
+  // validate mailcow_password
+  $mailcow_password = $user_res['attributes']['mailcow_password'][0];
+  if (!verify_hash($mailcow_password, $pass)) {
+    return false;
+  }
+
+  // get mapped template, if not set return false
+  // also return false if no mappers were defined
+  $user_template = $user_data['attributes']['mailcow_template'][0];
+  if ($create && (empty($identity_provider_settings['mappers']) || $user_template)){
+    return false;
+  } else if (!$create) {
+    // login success - dont create mailbox
+    $_SESSION['return'][] =  array(
+      'type' => 'success',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => array('logged_in_as', $user)
+    );
+    return 'user';
+  }
+
+  // try to create mbox on successfull login
+  $mbox_template = null;
+  // check if matching rolemapping exist
+  foreach ($identity_provider_settings['mappers'] as $index => $mapper){
+    if (in_array($mapper, $identity_provider_settings['mappers'])) {
+      $mbox_template = $identity_provider_settings['templates'][$index];
+      break;
+    }
+  }
+  if (!$mbox_template){
+    // no matching template found
+    return false;
+  }
+  $stmt = $pdo->prepare("SELECT * FROM `templates` 
+  WHERE `template` = :template AND type = 'mailbox'");
+  $stmt->execute(array(
+    ":template" => $mbox_template
+  ));
+  $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+  if (empty($mbox_template_data)){
+    return false;
+  }
+
+  $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+  $mbox_template_data['domain'] = explode('@', $user)[1];
+  $mbox_template_data['local_part'] = explode('@', $user)[0];
+  $mbox_template_data['authsource'] = 'keycloak';
+  $_SESSION['iam_create_login'] = true;
+  $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+  $_SESSION['iam_create_login'] = false;
+  if (!$create_res){
+    return false;
+  }
+
+  $_SESSION['return'][] =  array(
+    'type' => 'success',
+    'log' => array(__FUNCTION__, $user, '*'),
+    'msg' => array('logged_in_as', $user)
+  );
+  return 'user';
+}
+// Authorization Code Flow
 function keycloak_verify_token(){
   global $keycloak_provider;
   global $pdo;
@@ -419,86 +514,113 @@ function keycloak_verify_token(){
       'log' => array(__FUNCTION__),
       'msg' => array('login_failed', $e->getMessage())
     );
-    die($e->getMessage() . " - " . $_GET['code'] . " - " . $_SESSION['oauth2state']);
     return false;
   }
   
-  $login = false;
   $_SESSION['keycloak_token'] = $token->getToken();
   $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
   // decode jwt data
   $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $token->getToken())[1]))), true);
-  if (in_array("mailbox", $info['realm_access']['roles']) && $info['email']){
-    // token valid, get mailbox
-    $stmt = $pdo->prepare("SELECT * FROM `mailbox`
-      INNER JOIN domain on mailbox.domain = domain.domain
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active`='1'
-        AND `domain`.`active`='1'
-        AND `username` = :user
-        AND `authsource`='keycloak'");
-    $stmt->execute(array(':user' => $info['email']));
-    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+  // check if email address is given
+  if (!$info['email']){
+    return false;
+  }
 
-    if ($row){
-      $_SESSION['mailcow_cc_username'] = $info['email'];
-      $_SESSION['mailcow_cc_role'] = "user";
-      $login = true;
-    } else {
-      $identity_provider_settings = identity_provider('get');
-      if (!empty($identity_provider_settings['roles'])){
-        // try to create mbox on successfull login
-        $user_roles = $info['realm_access']['roles'];
-        $mbox_template = null;
-        // check if matching rolemapping exist
-        foreach ($user_roles as $index => $role){
-          if (in_array($role, $identity_provider_settings['roles'])) {
-            $mbox_template = $identity_provider_settings['templates'][$index];
-            break;
-          }
-        }
-        if ($mbox_template){
-          $stmt = $pdo->prepare("SELECT * FROM `templates` 
-          WHERE `template` = :template AND type = 'mailbox'");
-          $stmt->execute(array(
-            ":template" => $mbox_template
-          ));
-          $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
 
-          if (!empty($mbox_template_data)){
-            $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
-            $mbox_template_data['domain'] = explode('@', $info['email'])[1];
-            $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
-            $mbox_template_data['authsource'] = 'keycloak';
-            $_SESSION['iam_create_login'] = true;
-            $create_res = mailbox('add', 'mailbox', $mbox_template_data);
-            $_SESSION['iam_create_login'] = false;
-            if ($create_res){
-              $_SESSION['mailcow_cc_username'] = $info['email'];
-              $_SESSION['mailcow_cc_role'] = "user";
-              $login = true;
-            }
-          }
-        }
-      }
-    }
-  } 
-
-  if ($login){
+  // token valid, get mailbox
+  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+    INNER JOIN domain on mailbox.domain = domain.domain
+    WHERE `kind` NOT REGEXP 'location|thing|group'
+      AND `mailbox`.`active`='1'
+      AND `domain`.`active`='1'
+      AND `username` = :user
+      AND `authsource`='keycloak'");
+  $stmt->execute(array(':user' => $info['email']));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+  if ($row){
+    // success
+    $_SESSION['mailcow_cc_username'] = $info['email'];
+    $_SESSION['mailcow_cc_role'] = "user";
     $_SESSION['return'][] =  array(
       'type' => 'success',
       'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
       'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
     );
-  } else {
+    return true;
+  }
+  // get mapped template, if not set return false
+  // also return false if no mappers were defined
+  $identity_provider_settings = identity_provider('get');
+  $user_template = $info['mailcow_template'];
+  if (empty($identity_provider_settings['mappers']) || empty($user_template)){
     unset_auth_session();  
     $_SESSION['return'][] =  array(
       'type' => 'danger',
       'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
       'msg' => 'login_failed'
     );
+    return false;
   }
-  return $login;
+  $mbox_template = null;
+  // check if matching rolemapping exist
+  foreach ($identity_provider_settings['mappers'] as $index => $mapper){
+    if ($user_template == $mapper) {
+      $mbox_template = $identity_provider_settings['templates'][$index];
+      break;
+    }
+  }
+  if (!$mbox_template){
+    // no matching template found
+    unset_auth_session();  
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+      'msg' => 'login_failed'
+    );
+    return false;
+  }
+  $stmt = $pdo->prepare("SELECT * FROM `templates` 
+  WHERE `template` = :template AND type = 'mailbox'");
+  $stmt->execute(array(
+    ":template" => $mbox_template
+  ));
+  $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+  if (empty($mbox_template_data)){
+    unset_auth_session();  
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+      'msg' => 'login_failed'
+    );
+    return false;
+  }
+
+  // create mailbox
+  $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+  $mbox_template_data['domain'] = explode('@', $info['email'])[1];
+  $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
+  $mbox_template_data['authsource'] = 'keycloak';
+  $_SESSION['iam_create_login'] = true;
+  $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+  $_SESSION['iam_create_login'] = false;
+  if (!$create_res){
+    unset_auth_session();  
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+      'msg' => 'login_failed'
+    );
+    return false;
+  }
+
+  $_SESSION['mailcow_cc_username'] = $info['email'];
+  $_SESSION['mailcow_cc_role'] = "user";
+  $_SESSION['return'][] =  array(
+    'type' => 'success',
+    'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+    'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+  );
+  return true;
 }
 function keycloak_refresh(){
   global $keycloak_provider;
@@ -514,20 +636,11 @@ function keycloak_refresh(){
     return false;
   }
 
-
-  $refresh = false;
   $_SESSION['keycloak_token'] = $token->getToken();
   $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
   // decode jwt data
   $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $_SESSION['keycloak_token'])[1]))), true);
-  if (in_array("mailbox",  $info['realm_access']['roles']) && $info['email']){
-    $_SESSION['mailcow_cc_username'] = $info['email'];
-
-    $_SESSION['mailcow_cc_role'] = "user";
-    $refresh = true;
-  } 
-
-  if (!$refresh){
+  if (!$info['email']){
     unset_auth_session();  
     $_SESSION['return'][] =  array(
       'type' => 'danger',
@@ -536,7 +649,9 @@ function keycloak_refresh(){
     );
   }
 
-  return $refresh;
+  $_SESSION['mailcow_cc_username'] = $info['email'];
+  $_SESSION['mailcow_cc_role'] = "user";
+  return true;
 }
 function keycloak_get_redirect(){
   global $keycloak_provider;

From 61ab17d8a182b42b28427465efb2247815400162 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 31 Mar 2023 10:08:00 +0200
Subject: [PATCH 023/378] [Web] fix iam attribute mapping ui

---
 .../templates/admin/tab-config-identity-provider.twig  | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index fd7a8dc81..02d5ca14c 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -58,8 +58,8 @@
           </div>
           {% for key, role in identity_provider_settings.mappers %}
           <div class="offset-sm-3 col-4 d-flex mb-2">
-            <input type="text" class="form-control me-2" name="mappers" value="{{ identity_provider_settings.mappers[key] }}">
-            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}">
+            <input type="text" class="form-control me-2" name="mappers" value="{{ identity_provider_settings.mappers[key] }}" required>
+            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
             {% for mbox_template in mbox_templates %}
               <option{% if mbox_template.template == identity_provider_settings.templates[key] %} selected{% endif %}>
                 {{ mbox_template.template }}
@@ -69,9 +69,10 @@
             <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
           </div>
           {% endfor %}
+          {% if not identity_provider_settings.mappers %}
           <div class="offset-sm-3 col-4 d-flex mb-2">
-            <input type="text" class="form-control me-2" name="mappers" value="">
-            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}">
+            <input type="text" class="form-control me-2" name="mappers" value="" required>
+            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
             {% for mbox_template in mbox_templates %}
               <option>
                 {{ mbox_template.template }}
@@ -80,6 +81,7 @@
             </select>
             <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
           </div>
+          {% endif %}
         </div>
         <div class="row mt-4 mb-2">
           <div class="offset-sm-3 col-sm-9">

From 3c62a7fd9f67592371f2334e04cf7dbcfa328073 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 31 Mar 2023 14:55:05 +0200
Subject: [PATCH 024/378] [Web] IAM - add delete option & fix test connection

---
 data/web/inc/functions.inc.php | 48 +++++++++++++++++++++++++---------
 data/web/js/site/admin.js      | 12 +++++++--
 data/web/json_api.php          | 20 +++++---------
 3 files changed, 52 insertions(+), 28 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index f64f150ad..1e4cc8c1d 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2166,15 +2166,21 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       );
       return true;
     break;
-    case 'test':  
-      $identity_provider_settings = identity_provider('get');
-      $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+    case 'test':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
+      $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
       $req = http_build_query(array(
-        'grant_type'    => 'password',
-        'client_id'     => $identity_provider_settings['client_id'],
-        'client_secret' => $identity_provider_settings['client_secret'],
-        'username'      => "test",
-        'password'      => "test",
+        'grant_type'    => 'client_credentials',
+        'client_id'     => $_data['client_id'],
+        'client_secret' => $_data['client_secret']
       ));
       $curl = curl_init();
       curl_setopt($curl, CURLOPT_URL, $url);
@@ -2182,13 +2188,29 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
       curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
       curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
-      $res = json_decode(curl_exec($curl), true);
+      $res = curl_exec($curl);
+      $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
       curl_close ($curl);
-
-      if ($res["error"] && $res["error"] === 'invalid_grant'){
-        return true;
+      
+      if ($code != 200) {
+        return false;
       }
-      return false;
+      return true;
+    break;
+    case "delete":
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      
+      $stmt = $pdo->prepare("DELETE FROM identity_provider;");
+      $stmt->execute();
+
+      return true;
     break;
   }
 }
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 708cb0be0..885e5ea52 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -752,14 +752,22 @@ jQuery(function($){
   // IAM test connection
   $('#iam_test_connection').click(async function(e){
     e.preventDefault();
-    var res = await fetch("/api/v1/get/status/identity-provider", { method:'GET', cache:'no-cache' });
+    var data = { attr: $('form[data-id="iam_sso"]').serializeObject() };
+    var res = await fetch("/api/v1/edit/identity-provider-test", { 
+      headers: {
+        "Content-Type": "application/json",
+      },
+      method:'POST', 
+      cache:'no-cache', 
+      body: JSON.stringify(data) 
+    });
     res = await res.json();
-    console.log(res);
     if (res.type === 'success'){
       return mailcow_alert_box(lang_success.iam_test_connection, 'success');
     }
     return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
   });
+
   $('#iam_rolemap_add').click(async function(e){
     e.preventDefault();
 
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 52ca8b715..9564af888 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1702,19 +1702,6 @@ if (isset($_GET['query'])) {
                     'version' => $GLOBALS['MAILCOW_GIT_VERSION']
                   ));
                 break;
-                case "identity-provider":
-                  if (identity_provider('test')){
-                    echo json_encode(array(
-                      'type' => 'success',
-                      'msg' => 'connection successfull'
-                    ));
-                  } else {
-                    echo json_encode(array(
-                      'type' => 'error',
-                      'msg' => 'connection failed'
-                    ));
-                  }
-                break;
               }
             }
           break;
@@ -1879,6 +1866,9 @@ if (isset($_GET['query'])) {
         case "rlhash":
           echo ratelimit('delete', null, implode($items));
         break;
+        case "identity-provider":
+          process_delete_return(identity_provider('delete'));
+        break;
         // return no route found if no case is matched
         default:
           http_response_code(404);
@@ -2098,8 +2088,12 @@ if (isset($_GET['query'])) {
         case "cors":
           process_edit_return(cors('edit', $attr));
         case "identity_provider":
+        case "identity-provider":
           process_edit_return(identity_provider('edit', $attr));
         break;
+        case "identity-provider-test":
+          process_edit_return(identity_provider('test', $attr));
+        break;
         // return no route found if no case is matched
         default:
           http_response_code(404);

From c6a56e0748c52f6cad2cc6ec45ab5f30bcf01c52 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 31 Mar 2023 14:56:31 +0200
Subject: [PATCH 025/378] [Web] add IAM delete button & fix add mbox modal

---
 data/web/js/site/mailbox.js                                | 2 +-
 data/web/templates/admin/tab-config-identity-provider.twig | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index 6fbcc3e3f..e562ab8cf 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -282,7 +282,7 @@ $(document).ready(function() {
     $("#addInputQuota").val(template.quota / 1048576);
     $('#mbox_add_iam').selectpicker('val', template.authsource);
     // toggle password fields
-    if (template.authsource === 'mailcow'){
+    if (!template.authsource || template.authsource === 'mailcow'){
       $('#mbox_add_pwds').removeClass('d-none');
       $('#mbox_add_pwds').find('.form-control').prop('required', true);
     } else {
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 02d5ca14c..13bbc7553 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -87,8 +87,9 @@
           <div class="offset-sm-3 col-sm-9">
             <div class="btn-group">   
               <button id="iam_test_connection" class="btn btn-sm d-block d-sm-inline btn-secondary"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
-              <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="iam_sso" data-action="edit_selected" data-id="iam_sso" data-api-url='edit/identity_provider' data-api-attr='{}' href="#"><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+              <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="iam_sso" data-action="edit_selected" data-id="iam_sso" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
             </div>
+            <button class="btn btn-sm d-block d-sm-inline btn-danger ms-2" data-item="identity-provider" data-action="delete_selected" data-id="iam_sso" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
           </div>
         </div>
       </form>

From 5bbb12b53e0fcf4d50369d332c6e85d8e0164bc3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 4 Apr 2023 10:47:29 +0200
Subject: [PATCH 026/378] [Dovecot] fix wrong lua syntax

---
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index a7936bf2d..9755398e7 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -174,7 +174,7 @@ function auth_password_verify(request, password)
   if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
     skip_sasl_log = true
     req.protocol = {}
-    if tostring(req.real_rip) != "__IPV4_SOGO__" then
+    if tostring(req.real_rip) ~= "__IPV4_SOGO__" then
       skip_sasl_log = false
       req.protocol[request.service] = true
     end

From f0689e08d96f29c6e2161b1677c398187330c3b1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 12 Apr 2023 11:21:29 +0200
Subject: [PATCH 027/378] [Web] iam - add switch for direct login flow

---
 data/web/inc/functions.auth.inc.php           | 95 ++++++++++---------
 data/web/inc/functions.inc.php                |  4 +-
 data/web/js/site/mailbox.js                   |  1 -
 data/web/lang/lang.en-gb.json                 |  6 ++
 .../admin/tab-config-identity-provider.twig   | 25 ++++-
 5 files changed, 83 insertions(+), 48 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index c125b5d68..83c9ba8b1 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -52,7 +52,12 @@ function check_login($user, $pass, $app_passwd_data = false) {
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
   if (!$row){
     // mbox does not exist, call keycloak login and create mbox if possible
-    $result = keycloak_mbox_login_rest($user, $pass, $is_dovecot, true);
+    $identity_provider_settings = identity_provider('get');
+    if ($identity_provider_settings['login_flow'] == 'ropc'){
+      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot, true);
+    } else {
+      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot, true);
+    }
     if ($result){
       return $result;
     }
@@ -65,7 +70,12 @@ function check_login($user, $pass, $app_passwd_data = false) {
       }
     }
 
-    $result = keycloak_mbox_login_rest($user, $pass, $is_dovecot);
+    $identity_provider_settings = identity_provider('get');
+    if ($identity_provider_settings['login_flow'] == 'ropc'){
+      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot);
+    } else {
+      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot);
+    }
     if ($result){
       return $result;
     }
@@ -318,15 +328,14 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
 
 // ROPC Flow (deprecated oAuth2.1)
 // uses direct user credentials for UI, IMAP and SMTP Auth
-function keycloak_mbox_login_ropc($user, $pass, $is_internal = false, $create = false){
+function keycloak_mbox_login_ropc($user, $pass, $iam_settings, $is_internal = false, $create = false){
   global $pdo;
 
-  $identity_provider_settings = identity_provider('get');
-  $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+  $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
   $req = http_build_query(array(
     'grant_type'    => 'password',
-    'client_id'     => $identity_provider_settings['client_id'],
-    'client_secret' => $identity_provider_settings['client_secret'],
+    'client_id'     => $iam_settings['client_id'],
+    'client_secret' => $iam_settings['client_secret'],
     'username'      => $user,
     'password'      => $pass,
   ));
@@ -347,36 +356,38 @@ function keycloak_mbox_login_ropc($user, $pass, $is_internal = false, $create =
       // check if $user is email address, only accept email address as username
       return false;
     }
-    if ($create && !empty($identity_provider_settings['mappers'])){
+    if ($create && !empty($iam_settings['mappers'])){
       // try to create mbox on successfull login
-      $user_roles = $user_data['realm_access']['roles'];
       $mbox_template = null;
-      // check if matching rolemapping exist
-      foreach ($user_roles as $index => $role){
-        if (in_array($role, $identity_provider_settings['roles'])) {
-          $mbox_template = $identity_provider_settings['templates'][$index];
+      // check if matching attribute mapping exists
+      foreach ($iam_settings['mappers'] as $index => $mapper){
+        if (in_array($mapper, $iam_settings['mappers'])) {
+          $mbox_template = $iam_settings['templates'][$index];
           break;
         }
       }
-      if ($mbox_template){
-        $stmt = $pdo->prepare("SELECT * FROM `templates` 
-        WHERE `template` = :template AND type = 'mailbox'");
-        $stmt->execute(array(
-          ":template" => $mbox_template
-        ));
-        $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+      if (!$mbox_template){
+        // no matching template found
+        return false;
+      }
+      
+      $stmt = $pdo->prepare("SELECT * FROM `templates` 
+      WHERE `template` = :template AND type = 'mailbox'");
+      $stmt->execute(array(
+        ":template" => $mbox_template
+      ));
+      $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
 
-        if (!empty($mbox_template_data)){
-          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
-          $mbox_template_data['domain'] = explode('@', $user)[1];
-          $mbox_template_data['local_part'] = explode('@', $user)[0];
-          $mbox_template_data['authsource'] = 'keycloak';
-          $_SESSION['iam_create_login'] = true;
-          $create_res = mailbox('add', 'mailbox', $mbox_template_data);
-          $_SESSION['iam_create_login'] = false;
-          if (!$create_res){
-            return false;
-          }
+      if (!empty($mbox_template_data)){
+        $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+        $mbox_template_data['domain'] = explode('@', $user)[1];
+        $mbox_template_data['local_part'] = explode('@', $user)[0];
+        $mbox_template_data['authsource'] = 'keycloak';
+        $_SESSION['iam_create_login'] = true;
+        $create_res = mailbox('add', 'mailbox', $mbox_template_data);
+        $_SESSION['iam_create_login'] = false;
+        if (!$create_res){
+          return false;
         }
       }
     }
@@ -394,17 +405,15 @@ function keycloak_mbox_login_ropc($user, $pass, $is_internal = false, $create =
 // Keycloak REST Api Flow - auth user by mailcow_password attribute
 // This password will be used for direct UI, IMAP and SMTP Auth
 // To use direct user credentials, only Authorization Code Flow is valid
-function keycloak_mbox_login_rest($user, $pass, $is_internal = false, $create = false){
+function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = false, $create = false){
   global $pdo;
 
-  $identity_provider_settings = identity_provider('get');
-
   // get access_token for service account of mailcow client
-  $url = "{$identity_provider_settings['server_url']}/realms/{$identity_provider_settings['realm']}/protocol/openid-connect/token";
+  $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
   $req = http_build_query(array(
     'grant_type'    => 'client_credentials',
-    'client_id'     => $identity_provider_settings['client_id'],
-    'client_secret' => $identity_provider_settings['client_secret']
+    'client_id'     => $iam_settings['client_id'],
+    'client_secret' => $iam_settings['client_secret']
   ));
   $curl = curl_init();
   curl_setopt($curl, CURLOPT_URL, $url);
@@ -420,7 +429,7 @@ function keycloak_mbox_login_rest($user, $pass, $is_internal = false, $create =
   }
 
   // get the mailcow_password attribute from keycloak user
-  $url = "{$identity_provider_settings['server_url']}/admin/realms/{$identity_provider_settings['realm']}/users";
+  $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users";
   $queryParams = array('email' => $user, 'exact' => true);
   $queryString = http_build_query($queryParams);
   $curl = curl_init();
@@ -448,7 +457,7 @@ function keycloak_mbox_login_rest($user, $pass, $is_internal = false, $create =
   // get mapped template, if not set return false
   // also return false if no mappers were defined
   $user_template = $user_data['attributes']['mailcow_template'][0];
-  if ($create && (empty($identity_provider_settings['mappers']) || $user_template)){
+  if ($create && (empty($iam_settings['mappers']) || $user_template)){
     return false;
   } else if (!$create) {
     // login success - dont create mailbox
@@ -462,10 +471,10 @@ function keycloak_mbox_login_rest($user, $pass, $is_internal = false, $create =
 
   // try to create mbox on successfull login
   $mbox_template = null;
-  // check if matching rolemapping exist
-  foreach ($identity_provider_settings['mappers'] as $index => $mapper){
-    if (in_array($mapper, $identity_provider_settings['mappers'])) {
-      $mbox_template = $identity_provider_settings['templates'][$index];
+  // check if matching attribute mapping exists
+  foreach ($iam_settings['mappers'] as $index => $mapper){
+    if (in_array($mapper, $iam_settings['mappers'])) {
+      $mbox_template = $iam_settings['templates'][$index];
       break;
     }
   }
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 1e4cc8c1d..9ee4d0d09 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2104,8 +2104,10 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       $data_log['client_secret'] = '*';
       $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
       
+      $_data['login_flow'] = (isset($_data['login_flow']) && $_data['login_flow'] == 'ropc') ? 'ropc' : 'rest';
+
       // add connection settings      
-      $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version');
+      $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'login_flow');
       foreach($required_settings as $setting){
         if (!$_data[$setting]){
           $_SESSION['return'][] =  array(
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index e562ab8cf..06c1444d3 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -407,7 +407,6 @@ $(document).ready(function() {
       $('#rl_frame').selectpicker('val', template.rl_frame);
     }
 
-    console.log(template.active)
     if (template.active){
       $('#mbox_active').selectpicker('val', template.active.toString());
     } else {
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index ebebd3dc8..9825ab9d2 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -212,11 +212,17 @@
         "host": "Host",
         "html": "HTML",
         "iam": "Identity Provider",
+        "iam_auth_flow": "Authentication Flow",
+        "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flows with direct Credentials",
+        "iam_auth_flow_rest_info": "1. Mailpassword Flow (Default)<br>The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak. If this attribute is not found, the user needs to log in to the mailcow UI via Single-Sign On and create an App Password to use a mail client.<br>To enable this flow, the mailcow client in Keycloak must have <code>Service accounts roles</code> checked under <code>Authentication Flow</code>.",
+        "iam_auth_flow_ropc_info": "2. Resource Owner Password Flow<br>We do not recommend using this flow, as it is probably deprecated in the new OAuth 2.1 protocol. The Resource Owner Password Flow allows direct validation of the user's credentials. Therefore, the user has to trust mailcow to handle their external credentials securely. No Mailpassword or App Password is required to use a mail client.<br>To enable this flow, the mailcow client in Keycloak must have <code>Direct access grants</code> checked under <code>Authentication Flow</code>.",
         "iam_client_id": "Client Id",
         "iam_client_secret": "Client Secret",
         "iam_description": "Here, you can configure the integration with an external Keycloak service. The Keycloak user's mailboxes will be automatically created upon their first login, provided that a attribute mapping has been set.",
         "iam_realm": "Realm",
         "iam_redirect_url": "Redirect Url",
+        "iam_ropc_flow": "Resource Owner Password Flow",
+        "iam_rest_flow": "Mailpassword Flow",
         "iam_mapping": "Attribute Mapping",
         "iam_server_url": "Server Url",
         "iam_sso": "SSO",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 13bbc7553..1eb9aef39 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -49,7 +49,7 @@
             <input type="text" class="form-control" id="iam_version" name="version" value="{{ identity_provider_settings.version }}" required>
           </div>
         </div>
-        <div class="row mb-2">
+        <div class="row mb-4">
           <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_mapping }}:</label>
           <div class="col-4 d-flex mb-2">
             <span class="w-100 me-2">Attribute</span>
@@ -83,13 +83,32 @@
           </div>
           {% endif %}
         </div>
+        <div class="row mb-2">
+          <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_auth_flow }}</label>
+          <div class="col-sm-9">
+            <div class="btn-group">
+              <input type="radio" class="btn-check" name="login_flow" id="iam_login_flow_rest" autocomplete="off" value="rest" {% if  identity_provider_settings.login_flow != 'ropc' %}checked{% endif %}>
+              <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-secondary" for="iam_login_flow_rest">{{ lang.admin.iam_rest_flow }}</label>
+
+              <input type="radio" class="btn-check" name="login_flow" id="iam_login_flow_ropc" autocomplete="off" value="ropc" {% if  identity_provider_settings.login_flow == 'ropc' %}checked{% endif %}>
+              <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-secondary" for="iam_login_flow_ropc">{{ lang.admin.iam_ropc_flow }}</label>
+            </div>
+            <p class="text-muted">
+              <small>
+                {{ lang.admin.iam_auth_flow_info|raw }}<br>
+                {{ lang.admin.iam_auth_flow_rest_info|raw }}<br>
+                {{ lang.admin.iam_auth_flow_ropc_info|raw }}
+              </small>
+            </p>
+          </div>
+        </div>
         <div class="row mt-4 mb-2">
-          <div class="offset-sm-3 col-sm-9">
+          <div class="offset-sm-3 col-sm-9 d-flex">
             <div class="btn-group">   
               <button id="iam_test_connection" class="btn btn-sm d-block d-sm-inline btn-secondary"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
               <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="iam_sso" data-action="edit_selected" data-id="iam_sso" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
             </div>
-            <button class="btn btn-sm d-block d-sm-inline btn-danger ms-2" data-item="identity-provider" data-action="delete_selected" data-id="iam_sso" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
+            <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto" data-item="identity-provider" data-action="delete_selected" data-id="iam_sso" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
           </div>
         </div>
       </form>

From dca5f1baab2ed5a0d5e8309df6b2909a15ed70a4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 12 Apr 2023 15:32:22 +0200
Subject: [PATCH 028/378] [Web] move /process/login to internal endpoint

---
 .gitignore                                    |  1 +
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 10 ++--
 data/conf/dovecot/auth/mailcowauth.php        | 54 +++++++++++++++++++
 data/conf/nginx/mailcow_auth.conf             | 23 ++++++++
 data/web/inc/functions.auth.inc.php           | 27 ++++------
 data/web/inc/functions.inc.php                | 19 +++++++
 data/web/inc/prerequisites.inc.php            | 17 +-----
 data/web/json_api.php                         | 20 -------
 docker-compose.yml                            |  8 +++
 generate_config.sh                            |  2 +-
 10 files changed, 123 insertions(+), 58 deletions(-)
 create mode 100644 data/conf/dovecot/auth/mailcowauth.php
 create mode 100644 data/conf/nginx/mailcow_auth.conf

diff --git a/.gitignore b/.gitignore
index e25639a70..e1e8e8882 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,4 @@ rebuild-images.sh
 refresh_images.sh
 update_diffs/
 create_cold_standby.sh
+!data/conf/nginx/mailcow_auth.conf
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index 9755398e7..ca06108dc 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -152,13 +152,14 @@ function auth_password_verify(request, password)
   -- check against mailbox passwds
   local b, c = https.request {
     method = "POST",
-    url = "https://nginx/api/v1/process/login",
+    url = "https://nginx:9082",
     source = ltn12.source.string(req_json),
     headers = {
       ["content-type"] = "application/json",
       ["content-length"] = tostring(#req_json)
     },
-    sink = ltn12.sink.table(res)
+    sink = ltn12.sink.table(res),
+    insecure = true
   }
   local api_response = json.decode(table.concat(res))
   if api_response.role == 'user' then
@@ -182,13 +183,14 @@ function auth_password_verify(request, password)
 
     local b, c = https.request {
       method = "POST",
-      url = "https://nginx/api/v1/process/login",
+      url = "https://nginx:9082",
       source = ltn12.source.string(req_json),
       headers = {
         ["content-type"] = "application/json",
         ["content-length"] = tostring(#req_json)
       },
-      sink = ltn12.sink.table(res)
+      sink = ltn12.sink.table(res),
+      insecure = true
     }
     local api_response = json.decode(table.concat(res))
     if api_response.role == 'user' then
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
new file mode 100644
index 000000000..57dffdb57
--- /dev/null
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -0,0 +1,54 @@
+<?php
+header('Content-Type: application/json');
+
+$post = trim(file_get_contents('php://input'));
+if ($post) {
+  $post = json_decode($post, true);
+}
+
+$return = array("success" => false, "role" => false);
+if(!isset($post['username']) || !isset($post['password'])){
+  echo json_encode($return); 
+  exit();
+}
+
+require_once('../../../web/inc/vars.inc.php');
+if (file_exists('../../../web/inc/vars.local.inc.php')) {
+  include_once('../../../web/inc/vars.local.inc.php');
+}
+require_once '../../../web/inc/lib/vendor/autoload.php';
+
+// Do not show errors, we log to using error_log
+ini_set('error_reporting', 0);
+// Init database
+//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+  http_response_code(501);
+  exit;
+}
+
+// Load core functions first
+require_once 'functions.inc.php';
+require_once 'functions.auth.inc.php';
+require_once 'sessions.inc.php';
+
+// Init Keycloak Provider
+$iam_provider = identity_provider('init');
+
+$result = check_login($post['username'], $post['password'], $post['protocol'], true);
+if ($result) {
+  $return = array("success" => true, "role" => $result);
+}
+
+echo json_encode($return); 
+exit();
diff --git a/data/conf/nginx/mailcow_auth.conf b/data/conf/nginx/mailcow_auth.conf
new file mode 100644
index 000000000..3e4a8c736
--- /dev/null
+++ b/data/conf/nginx/mailcow_auth.conf
@@ -0,0 +1,23 @@
+server {
+  listen 9082 ssl http2;
+
+  ssl_certificate /etc/ssl/mail/cert.pem;
+  ssl_certificate_key /etc/ssl/mail/key.pem;
+
+  index mailcowauth.php;
+  server_name _;
+  error_log  /var/log/nginx/error.log;
+  access_log /var/log/nginx/access.log;
+  root /mailcowauth;
+  client_max_body_size 10M;
+
+  location ~ \.php$ {
+    client_max_body_size 10M;
+    try_files $uri =404;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9001;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+  }
+}
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 83c9ba8b1..d68a7b6e5 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -9,7 +9,7 @@ function unset_auth_session(){
   unset($_SESSION['pending_mailcow_cc_role']);
   unset($_SESSION['pending_tfa_methods']);
 }
-function check_login($user, $pass, $app_passwd_data = false) {
+function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
   global $pdo;
   global $redis;
 
@@ -35,12 +35,6 @@ function check_login($user, $pass, $app_passwd_data = false) {
   }
 
   // Validate mailbox user
-  // skip log & ldelay if requests comes from dovecot
-  $is_dovecot = false;
-  $request_ip =  $_SERVER['REMOTE_ADDR'];
-  if ($request_ip == getenv('IPV4_NETWORK').'.250'){
-    $is_dovecot = true;
-  }
   // check authsource
   $stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
       INNER JOIN domain on mailbox.domain = domain.domain
@@ -54,9 +48,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
     // mbox does not exist, call keycloak login and create mbox if possible
     $identity_provider_settings = identity_provider('get');
     if ($identity_provider_settings['login_flow'] == 'ropc'){
-      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot, true);
+      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
     } else {
-      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot, true);
+      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
     }
     if ($result){
       return $result;
@@ -64,7 +58,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
   } else if ($row['authsource'] == 'keycloak'){
     if ($app_passwd_data){
       // first check if password is app_password
-      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
       if ($result){
         return $result;
       }
@@ -72,9 +66,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
 
     $identity_provider_settings = identity_provider('get');
     if ($identity_provider_settings['login_flow'] == 'ropc'){
-      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot);
+      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
     } else {
-      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot);
+      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
     }
     if ($result){
       return $result;
@@ -82,21 +76,20 @@ function check_login($user, $pass, $app_passwd_data = false) {
   } else {
     if ($app_passwd_data){
       // first check if password is app_password
-      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
       if ($result){
         return $result;
       }
     }
 
-    $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
+    $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
     if ($result){
       return $result;
     }
   }
 
-  // skip log and only return false
-  // netfilter uses dovecot error log for banning
-  if ($is_dovecot){
+  // skip log and only return false if it's an internal request
+  if ($is_internal){
     return false;
   }
   if (!isset($_SESSION['ldelay'])) {
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 9ee4d0d09..b88133e50 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2214,6 +2214,25 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
 
       return true;
     break;
+    case "init":
+      $identity_provider_settings = identity_provider('get');
+      $provider = null;
+      if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
+          $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
+        $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+          'authServerUrl'         => $identity_provider_settings['server_url'],
+          'realm'                 => $identity_provider_settings['realm'],
+          'clientId'              => $identity_provider_settings['client_id'],
+          'clientSecret'          => $identity_provider_settings['client_secret'],
+          'redirectUri'           => $identity_provider_settings['redirect_url'],
+          'version'               => $identity_provider_settings['version'],                            
+          // 'encryptionAlgorithm'   => 'RS256',                             // optional
+          // 'encryptionKeyPath'     => '../key.pem'                         // optional
+          // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+        ]);
+      }
+      return $provider;
+    break;
   }
 }
 
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index d0ed31091..90cff4b22 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -179,22 +179,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 
 // Init Keycloak Provider
-$identity_provider_settings = identity_provider('get');
-$keycloak_provider = null;
-if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
-    $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
-  $keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
-    'authServerUrl'         => $identity_provider_settings['server_url'],
-    'realm'                 => $identity_provider_settings['realm'],
-    'clientId'              => $identity_provider_settings['client_id'],
-    'clientSecret'          => $identity_provider_settings['client_secret'],
-    'redirectUri'           => $identity_provider_settings['redirect_url'],
-    'version'               => $identity_provider_settings['version'],                            
-    // 'encryptionAlgorithm'   => 'RS256',                             // optional
-    // 'encryptionKeyPath'     => '../key.pem'                         // optional
-    // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
-  ]);
-}
+$keycloak_provider = identity_provider('init');
 
 // IMAP lib
 // use Ddeboer\Imap\Server;
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 9564af888..69b236d7a 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -401,26 +401,6 @@ if (isset($_GET['query'])) {
           );
           echo json_encode($return);
         break;
-        case "login":
-          header('Content-Type: application/json');
-          $post = trim(file_get_contents('php://input'));
-          if ($post) {
-            $post = json_decode($post, true);
-          }
-
-          $return = array("success" => false, "role" => false);
-          if(!isset($post['username']) || !isset($post['password'])){
-            echo json_encode($return); 
-            return;
-          }
-          $result = check_login($post['username'], $post['password'], $post['protocol']);
-          if ($result) {
-            $return = array("success" => true, "role" => $result);
-          }
-
-          echo json_encode($return); 
-          return;
-        break;
       }
     break;
     case "get":
diff --git a/docker-compose.yml b/docker-compose.yml
index df545c15e..fffa193c8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -120,6 +120,10 @@ services:
         - ./data/web:/web:z
         - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
         - ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
+        - ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
+        - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
+        - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
+        - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
         - rspamd-vol-1:/var/lib/rspamd
         - mysql-socket-vol-1:/var/run/mysqld/
         - ./data/conf/sogo/:/etc/sogo/:z
@@ -389,6 +393,10 @@ services:
         - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
         - ./data/conf/nginx/:/etc/nginx/conf.d/:z
         - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
+        - ./data/conf/dovecot/auth/mailcowauth.php:/mailcowauth/mailcowauth.php:z
+        - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
+        - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
+        - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
         - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
       ports:
         - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
diff --git a/generate_config.sh b/generate_config.sh
index 05d9ee2f1..6fdc25537 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -258,7 +258,7 @@ DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 # Might be important: This will also change the binding within the container.
 # If you use a proxy within Docker, point it to the ports you set below.
 # Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
-# IMPORTANT: Do not use port 8081, 9081 or 65510!
+# IMPORTANT: Do not use port 8081, 9081, 9082 or 65510!
 # Example: HTTP_BIND=1.2.3.4
 # For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
 # For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/

From e202d00bebb6937cf2aca726cba79534b5bf0a53 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 09:56:23 +0200
Subject: [PATCH 029/378] [Dovecot] group auth files

---
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 24 +++++++++----------
 data/conf/dovecot/auth/mailcowauth.php        |  2 +-
 data/conf/dovecot/dovecot.conf                |  4 ++--
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index ca06108dc..a2a4554bc 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -28,7 +28,7 @@ ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
 
 # Create missing directories
 [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
-[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
+[[ ! -d /etc/dovecot/auth/ ]] && mkdir -p /etc/dovecot/auth/
 [[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
 [[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
 [[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
@@ -128,7 +128,7 @@ user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format
 iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF
 
-cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
+cat <<EOF > /etc/dovecot/auth/passwd-verify.lua
 function auth_password_verify(request, password)
   if request.domain == nil then
     return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
@@ -173,10 +173,10 @@ function auth_password_verify(request, password)
   -- check against app passwds for imap and smtp
   -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
   if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
-    skip_sasl_log = true
+    skip_sasl_log = false
     req.protocol = {}
     if tostring(req.real_rip) ~= "__IPV4_SOGO__" then
-      skip_sasl_log = false
+      skip_sasl_log = true
       req.protocol[request.service] = true
     end
     req_json = json.encode(req)
@@ -194,7 +194,7 @@ function auth_password_verify(request, password)
     }
     local api_response = json.decode(table.concat(res))
     if api_response.role == 'user' then
-      if skip_sasl_log == true then
+      if skip_sasl_log == false then
         con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
           VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
       end
@@ -213,10 +213,10 @@ end
 EOF
 
 # Replace patterns in app-passdb.lua
-sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
+sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/auth/passwd-verify.lua
+sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/auth/passwd-verify.lua
+sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/auth/passwd-verify.lua
+sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/auth/passwd-verify.lua
 
 
 # Migrate old sieve_after file
@@ -342,8 +342,8 @@ done
 
 # Fix permissions
 chown root:root /etc/dovecot/sql/*.conf
-chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
-chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
+chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/auth/passwd-verify.lua
+chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/auth/passwd-verify.lua
 chown -R vmail:vmail /var/vmail/sieve
 chown -R vmail:vmail /var/volatile
 chown -R vmail:vmail /var/vmail_index
@@ -412,7 +412,7 @@ done
 
 # For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
 # May be related to something inside Docker, I seriously don't know
-touch /etc/dovecot/lua/passwd-verify.lua
+touch /etc/dovecot/auth/passwd-verify.lua
 
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
   cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 57dffdb57..fa505d709 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -42,7 +42,7 @@ require_once 'functions.inc.php';
 require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
 
-// Init Keycloak Provider
+// Init provider
 $iam_provider = identity_provider('init');
 
 $result = check_login($post['username'], $post['password'], $post['protocol'], true);
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 729686fb1..f2c917eff 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -52,7 +52,7 @@ mail_shared_explicit_inbox = yes
 mail_prefetch_count = 30
 passdb {
   driver = lua
-  args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
   result_success = return-ok
   result_failure = continue
   result_internalfail = continue
@@ -68,7 +68,7 @@ passdb {
 # a return of the following passdb is mandatory
 passdb {
   driver = lua
-  args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
 }
 # Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
 service doveadm {

From 593e581cf3775e4add21ffa8b126ffa5f55e33af Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 10:40:52 +0200
Subject: [PATCH 030/378] [Web] move iam sso functions

---
 data/web/inc/functions.auth.inc.php | 178 -----------------------
 data/web/inc/functions.inc.php      | 209 ++++++++++++++++++++++++++++
 data/web/inc/prerequisites.inc.php  |   4 +-
 data/web/inc/triggers.inc.php       |  27 ++--
 4 files changed, 222 insertions(+), 196 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index d68a7b6e5..fbb79ed8a 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -1,14 +1,4 @@
 <?php
-function unset_auth_session(){
-  unset($_SESSION['keycloak_token']);
-  unset($_SESSION['keycloak_refresh_token']);
-  unset($_SESSION['mailcow_cc_username']);
-  unset($_SESSION['mailcow_cc_role']);
-  unset($_SESSION['oauth2state']);
-  unset($_SESSION['pending_mailcow_cc_username']);
-  unset($_SESSION['pending_mailcow_cc_role']);
-  unset($_SESSION['pending_tfa_methods']);
-}
 function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
   global $pdo;
   global $redis;
@@ -503,171 +493,3 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
   );
   return 'user';
 }
-// Authorization Code Flow
-function keycloak_verify_token(){
-  global $keycloak_provider;
-  global $pdo;
-
-  try {
-    $token = $keycloak_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
-  } catch (Exception $e) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__),
-      'msg' => array('login_failed', $e->getMessage())
-    );
-    return false;
-  }
-  
-  $_SESSION['keycloak_token'] = $token->getToken();
-  $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
-  // decode jwt data
-  $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $token->getToken())[1]))), true);
-  // check if email address is given
-  if (!$info['email']){
-    return false;
-  }
-
-
-  // token valid, get mailbox
-  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
-    INNER JOIN domain on mailbox.domain = domain.domain
-    WHERE `kind` NOT REGEXP 'location|thing|group'
-      AND `mailbox`.`active`='1'
-      AND `domain`.`active`='1'
-      AND `username` = :user
-      AND `authsource`='keycloak'");
-  $stmt->execute(array(':user' => $info['email']));
-  $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  if ($row){
-    // success
-    $_SESSION['mailcow_cc_username'] = $info['email'];
-    $_SESSION['mailcow_cc_role'] = "user";
-    $_SESSION['return'][] =  array(
-      'type' => 'success',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
-    );
-    return true;
-  }
-  // get mapped template, if not set return false
-  // also return false if no mappers were defined
-  $identity_provider_settings = identity_provider('get');
-  $user_template = $info['mailcow_template'];
-  if (empty($identity_provider_settings['mappers']) || empty($user_template)){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-  $mbox_template = null;
-  // check if matching rolemapping exist
-  foreach ($identity_provider_settings['mappers'] as $index => $mapper){
-    if ($user_template == $mapper) {
-      $mbox_template = $identity_provider_settings['templates'][$index];
-      break;
-    }
-  }
-  if (!$mbox_template){
-    // no matching template found
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-  $stmt = $pdo->prepare("SELECT * FROM `templates` 
-  WHERE `template` = :template AND type = 'mailbox'");
-  $stmt->execute(array(
-    ":template" => $mbox_template
-  ));
-  $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
-  if (empty($mbox_template_data)){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-
-  // create mailbox
-  $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
-  $mbox_template_data['domain'] = explode('@', $info['email'])[1];
-  $mbox_template_data['local_part'] = explode('@', $info['email'])[0];
-  $mbox_template_data['authsource'] = 'keycloak';
-  $_SESSION['iam_create_login'] = true;
-  $create_res = mailbox('add', 'mailbox', $mbox_template_data);
-  $_SESSION['iam_create_login'] = false;
-  if (!$create_res){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'login_failed'
-    );
-    return false;
-  }
-
-  $_SESSION['mailcow_cc_username'] = $info['email'];
-  $_SESSION['mailcow_cc_role'] = "user";
-  $_SESSION['return'][] =  array(
-    'type' => 'success',
-    'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-    'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
-  );
-  return true;
-}
-function keycloak_refresh(){
-  global $keycloak_provider;
-
-  try {
-    $token = $keycloak_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['keycloak_refresh_token']]);
-  } catch (Exception $e) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__),
-      'msg' => array('login_failed', $e->getMessage())
-    );
-    return false;
-  }
-
-  $_SESSION['keycloak_token'] = $token->getToken();
-  $_SESSION['keycloak_refresh_token'] = $token->getRefreshToken();
-  // decode jwt data
-  $info = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $_SESSION['keycloak_token'])[1]))), true);
-  if (!$info['email']){
-    unset_auth_session();  
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-      'msg' => 'refresh_login_failed'
-    );
-  }
-
-  $_SESSION['mailcow_cc_username'] = $info['email'];
-  $_SESSION['mailcow_cc_role'] = "user";
-  return true;
-}
-function keycloak_get_redirect(){
-  global $keycloak_provider;
-
-  $authUrl = $keycloak_provider->getAuthorizationUrl();
-  $_SESSION['oauth2state'] = $keycloak_provider->getState();
-
-  return $authUrl;
-}
-function keycloak_get_logout(){
-  global $keycloak_provider;
-
-  $logoutUrl = $keycloak_provider->getLogoutUrl();
-  $logoutUrl = $logoutUrl . "&post_logout_redirect_uri=https://" . $_SERVER['SERVER_NAME'];
-
-  return $logoutUrl;
-}
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index b88133e50..61d21ae30 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2233,8 +2233,217 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       }
       return $provider;
     break;
+    case "verify-sso":
+      $provider = $_data['iam_provider'];
+    
+      try {
+        $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
+      } catch (Exception $e) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', $e->getMessage())
+        );
+        return false;
+      }
+      try {
+        $_SESSION['iam_token'] = $token->getToken();
+        $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
+        $info = $provider->getResourceOwner($token)->toArray();
+      } catch (Throwable $e) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', $e->getMessage())
+        );
+        return false;
+      }
+      
+      // check if email address is given
+      if (empty($info['email'])) return false;
+    
+      // token valid, get mailbox
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+        INNER JOIN domain on mailbox.domain = domain.domain
+        WHERE `kind` NOT REGEXP 'location|thing|group'
+          AND `mailbox`.`active`='1'
+          AND `domain`.`active`='1'
+          AND `username` = :user
+          AND `authsource`='keycloak' OR `authsource`='generic-oidc'");
+      $stmt->execute(array(':user' => $info['email']));
+      $row = $stmt->fetch(PDO::FETCH_ASSOC);
+      if ($row){
+        // success
+        $_SESSION['mailcow_cc_username'] = $info['email'];
+        $_SESSION['mailcow_cc_role'] = "user";
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+        );
+        return true;
+      }
+    
+      // get mapped template, if not set return false
+      // also return false if no mappers were defined
+      $provider = identity_provider('get');
+      $user_template = $info['mailcow_template'];
+      if (empty($provider['mappers']) || empty($user_template)){
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+    
+      // check if matching attribute exist
+      if (array_search($user_template, $provider['mappers']) === false) {
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+    
+      // create mailbox
+      $create_res = mailbox('add', 'mailbox_from_template', array(
+        'domain' => explode('@', $info['email'])[1],
+        'local_part' => explode('@', $info['email'])[0],
+        'authsource' => identity_provider('get')['authsource'],
+        'template' => $user_template
+      ));
+      if (!$create_res){
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+    
+      $_SESSION['mailcow_cc_username'] = $info['email'];
+      $_SESSION['mailcow_cc_role'] = "user";
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+        'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+      );
+      return true;
+    break;
+    case "refresh-token":
+      $provider = $_data['iam_provider'];
+
+      try {
+        $token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
+      } catch (Exception $e) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', $e->getMessage())
+        );
+        return false;
+      }
+      try {
+        $_SESSION['iam_token'] = $token->getToken();
+        $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
+        $info = $provider->getResourceOwner($token)->toArray();
+      } catch (Throwable $e) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', $e->getMessage())
+        );
+        return false;
+      }
+
+      if (empty($info['email'])){
+        clear_session();  
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => 'refresh_login_failed'
+        );
+        return false;
+      }
+    
+      $_SESSION['mailcow_cc_username'] = $info['email'];
+      $_SESSION['mailcow_cc_role'] = "user";
+      return true;
+    break;
+    case "get-redirect":
+      $provider = $_data['iam_provider'];
+      $authUrl = $provider->getAuthorizationUrl();
+      $_SESSION['oauth2state'] = $provider->getState();
+      return $authUrl;
+    break;
+    case "get-keycloak-admin-token":
+      // get access_token for service account of mailcow client
+      $iam_settings = identity_provider('get');
+      if ($iam_settings['authsource'] !== 'keycloak') return false;
+      if (isset($iam_settings['access_token'])) {
+        // check if access_token is valid
+        $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token/introspect";
+        $req = http_build_query(array(
+          'token'    => $iam_settings['access_token'],
+          'client_id'     => $iam_settings['client_id'],
+          'client_secret' => $iam_settings['client_secret']
+        ));
+        $curl = curl_init();
+        curl_setopt($curl, CURLOPT_URL, $url);
+        curl_setopt($curl, CURLOPT_POST, 1);
+        curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+        curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($curl, CURLOPT_TIMEOUT, 5);
+        $res = json_decode(curl_exec($curl), true);
+        $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+        curl_close ($curl);
+        if ($code == 200 && $res['active'] == true) {
+          // token is valid
+          return $iam_settings['access_token'];
+        }
+      }
+
+      $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
+      $req = http_build_query(array(
+        'grant_type'    => 'client_credentials',
+        'client_id'     => $iam_settings['client_id'],
+        'client_secret' => $iam_settings['client_secret']
+      ));
+      $curl = curl_init();
+      curl_setopt($curl, CURLOPT_URL, $url);
+      curl_setopt($curl, CURLOPT_POST, 1);
+      curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+      curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+      curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+      curl_setopt($curl, CURLOPT_TIMEOUT, 5);
+      $res = json_decode(curl_exec($curl), true);
+      $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+      curl_close ($curl);
+      if ($code != 200) {
+        return false;
+      }
+      
+      $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+      $stmt->execute(array(
+        ':key' => 'access_token',
+        ':value' => $res['access_token']
+      ));
+      return $res['access_token'];
+    break;
   }
 }
+function clear_session(){
+  session_regenerate_id(true);
+  session_unset();
+  session_destroy();
+  session_write_close();
+}
 
 function get_logs($application, $lines = false) {
   if ($lines === false) {
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 90cff4b22..fb30956f4 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -178,8 +178,8 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 
-// Init Keycloak Provider
-$keycloak_provider = identity_provider('init');
+// Init Identity Provider
+$iam_provider = identity_provider('init');
 
 // IMAP lib
 // use Ddeboer\Imap\Server;
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 50722a797..c8333f979 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -1,20 +1,20 @@
 <?php
-// handle keycloak authentication
-if ($keycloak_provider){
-  if (isset($_GET['keycloak_sso'])){
-    // redirect to keycloak for sso
-    $redirect_uri = keycloak_get_redirect();
+// handle iam authentication
+if ($iam_provider){
+  if (isset($_GET['iam_sso'])){
+    // redirect for sso
+    $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
     header('Location: ' . $redirect_uri);
     die();
   }
-  if ($_SESSION['keycloak_token'] && $_SESSION['keycloak_refresh_token']) {
+  if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
     // Session found, try to refresh
-    $isRefreshed = keycloak_refresh();
+    $isRefreshed = identity_provider('refresh-token', array('iam_provider' => $iam_provider));
 
     if (!$isRefreshed){
-      // Session could not be refreshed, clear and redirect to keycloak
-      unset_auth_session();
-      $redirect_uri = keycloak_get_redirect();
+      // Session could not be refreshed, clear and redirect to provider
+      clear_session();
+      $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
       header('Location: ' . $redirect_uri);
       die();
     }
@@ -22,12 +22,7 @@ if ($keycloak_provider){
     // Check given state against previously stored one to mitigate CSRF attack
     // Recieved access token in $_GET['code']
     // extract info and verify user
-    $isValid = keycloak_verify_token();
-
-    if (!$isValid){
-      // Token could not be verified, redirect to keycloak
-      $_SESSION['invalid_keycloak_sso'] = true;
-    }
+    identity_provider('verify-sso', array('iam_provider' => $iam_provider));
   }
 }
 

From 1ab1505c8883c052b2766ea2e4e7e8a4a3b81c4e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 10:44:14 +0200
Subject: [PATCH 031/378] [Web] remove sso login alertbox

---
 data/web/index.php            |  3 +--
 data/web/templates/index.twig | 11 ++---------
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/data/web/index.php b/data/web/index.php
index 05c50b01f..c44696b6d 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -29,8 +29,7 @@ $template_data = [
   'oauth2_request' => @$_SESSION['oauth2_request'],
   'is_mobileconfig' => str_contains($_SESSION['index_query_string'], 'mobileconfig'),
   'login_delay' => @$_SESSION['ldelay'],
-  'has_keycloak_sso' => ($keycloak_provider) ? true : false,
-  'invalid_keycloak_sso' => $_SESSION['invalid_keycloak_sso']
+  'has_iam_sso' => ($iam_provider) ? true : false
 ];
 
 $js_minifier->add('/web/js/site/index.js');
diff --git a/data/web/templates/index.twig b/data/web/templates/index.twig
index 35e53b828..98847d53e 100644
--- a/data/web/templates/index.twig
+++ b/data/web/templates/index.twig
@@ -26,13 +26,6 @@
         <div class="my-4 alert alert-info ">{{ lang.login.mobileconfig_info }}</div>
         {% endif %}
         <form method="post" autofill="off">
-          {% if invalid_keycloak_sso %}
-          <div class="d-flex mt-3 w-100">
-            <div class="alert alert-danger w-100" role="alert">
-              {{ lang.danger.iam_invalid_sso}}
-            </div>
-          </div>
-          {% endif %}
           <div class="d-flex mt-3">
             <label class="visually-hidden" for="login_user">{{ lang.login.username }}</label>
             <div class="input-group">
@@ -53,8 +46,8 @@
               <button type="button" class="btn btn-xs-lg btn-success dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
               <ul class="dropdown-menu">
                 <li><a class="dropdown-item" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a></li>
-                {% if has_keycloak_sso %}
-                <li><a class="dropdown-item" href="/?keycloak_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a></li>
+                {% if has_iam_sso %}
+                <li><a class="dropdown-item" href="/?iam_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a></li>
                 {% endif %}
               </ul>
             </div>

From 3b6a1d50bd463b3db54403a9a3264bbcbd1af1e4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 10:58:45 +0200
Subject: [PATCH 032/378] [Web] add generic-oidc provider

---
 data/web/inc/functions.inc.php                | 141 ++++----
 data/web/inc/init_db.inc.php                  |   2 +-
 .../admin/tab-config-identity-provider.twig   | 300 ++++++++++++------
 3 files changed, 297 insertions(+), 146 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 61d21ae30..ef6fbec6f 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2069,8 +2069,13 @@ function uuid4() {
 }
 function identity_provider($_action, $_data = null) {
 function identity_provider($_action, $_data = null, $hide_secret = false) {
+function identity_provider($_action, $_data = null, $_extra = null) {
   global $pdo;
 
+  $data_log = $_data;
+  if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
+  if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
+
   switch ($_action) {
     case 'get':
       $settings = array();
@@ -2078,16 +2083,15 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       $stmt->execute();
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       foreach($rows as $row){
-        if ($row["key"] == 'mappers'){
-          $settings['mappers'] = json_decode($row["value"]);
-        } else if ($row["key"] == 'templates'){
-          $settings['templates'] = json_decode($row["value"]);
+        if ($row["key"] == 'mappers' || $row["key"] == 'templates'){
+          $settings[$row["key"]] = json_decode($row["value"]);
         } else {
           $settings[$row["key"]] = $row["value"];
         }
       }
-      if ($hide_secret){
+      if ($_extra['hide_sensitive']){
         $settings['client_secret'] = '';
+        $settings['access_token'] = '';
       }
       return $settings;
     break;
@@ -2100,54 +2104,60 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         );
         return false;
       }
-      $data_log = $_data;
-      $data_log['client_secret'] = '*';
-      $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
-      
-      $_data['login_flow'] = (isset($_data['login_flow']) && $_data['login_flow'] == 'ropc') ? 'ropc' : 'rest';
+      if (!isset($_data['authsource'])){
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('required_data_missing', $setting)
+        );
+        return false;
+      }
+      $_data['authsource'] = strtolower($_data['authsource']);
+      if ($_data['authsource'] != "keycloak" && $_data['authsource'] != "generic-oidc"){
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('invalid_authsource', $setting)
+        );
+        return false;
+      }
 
-      // add connection settings      
-      $required_settings = array('server_url', 'authsource', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'login_flow');
+      if ($_data['authsource'] == "keycloak") {
+        $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
+        $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
+        $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+        $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users');
+      } else if ($_data['authsource'] == "generic-oidc") {
+        $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+      }
+      
+      $pdo->beginTransaction();
+      $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+      // add connection settings
       foreach($required_settings as $setting){
-        if (!$_data[$setting]){
+        if (!isset($_data[$setting])){
           $_SESSION['return'][] =  array(
             'type' => 'danger',
             'log' => array(__FUNCTION__, $_action, $data_log),
-            'msg' => 'required_data_missing'
+            'msg' => array('required_data_missing', $setting)
           );
+          $pdo->rollback();
           return false;
         }
-      }
-      foreach($_data as $key => $value){
-        if (!in_array($key, $required_settings) || $key == 'mappers' || $key == 'templates'){
-          continue;
-        }
 
-        $stmt->bindParam(':key', $key);
-        $stmt->bindParam(':value', $value);
+        $stmt->bindParam(':key', $setting);
+        $stmt->bindParam(':value', $_data[$setting]);
         $stmt->execute();
       }
+      $pdo->commit();
 
       // add mappers
       if ($_data['mappers'] && $_data['templates']){
-        if (!is_array($_data['mappers'])){
-          $_data['mappers'] = array($_data['mappers']);
-        }
-        if (!is_array($_data['templates'])){
-          $_data['templates'] = array($_data['templates']);
-        }
-        $mappers = array();
-        $templates = array();
-        foreach($_data['mappers'] as $mapper){
-          if ($mapper){
-            array_push($mappers, $mapper);
-          }
-        }
-        foreach($_data['templates'] as $template){
-          if ($template){
-            array_push($templates, $template);
-          }
-        }
+        $_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers'];
+        $_data['templates'] = (!is_array($_data['templates'])) ? array($_data['templates']) : $_data['templates'];
+
+        $mappers = array_filter($_data['mappers']);
+        $templates = array_filter($_data['templates']);
         if (count($mappers) == count($templates)){
           $mappers = json_encode($mappers);
           $templates = json_encode($templates);
@@ -2161,6 +2171,9 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         }
       }
 
+      // delete old access_token
+      $stmt = $pdo->query("INSERT INTO identity_provider (`key`, `value`) VALUES ('access_token', '') ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+
       $_SESSION['return'][] =  array(
         'type' => 'success',
         'log' => array(__FUNCTION__, $_action, $data_log),
@@ -2178,7 +2191,11 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
         return false;
       }
 
-      $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
+      if ($_data['authsource'] == 'keycloak') {
+        $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
+      } else {
+        $url = $_data['token_url'];
+      }
       $req = http_build_query(array(
         'grant_type'    => 'client_credentials',
         'client_id'     => $_data['client_id'],
@@ -2215,21 +2232,37 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {
       return true;
     break;
     case "init":
-      $identity_provider_settings = identity_provider('get');
+      $iam_settings = identity_provider('get');
       $provider = null;
-      if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
-          $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
-        $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
-          'authServerUrl'         => $identity_provider_settings['server_url'],
-          'realm'                 => $identity_provider_settings['realm'],
-          'clientId'              => $identity_provider_settings['client_id'],
-          'clientSecret'          => $identity_provider_settings['client_secret'],
-          'redirectUri'           => $identity_provider_settings['redirect_url'],
-          'version'               => $identity_provider_settings['version'],                            
-          // 'encryptionAlgorithm'   => 'RS256',                             // optional
-          // 'encryptionKeyPath'     => '../key.pem'                         // optional
-          // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
-        ]);
+      if ($iam_settings['authsource'] == 'keycloak'){
+        if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] &&
+            $iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){
+          $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            'authServerUrl'         => $iam_settings['server_url'],
+            'realm'                 => $iam_settings['realm'],
+            'clientId'              => $iam_settings['client_id'],
+            'clientSecret'          => $iam_settings['client_secret'],
+            'redirectUri'           => $iam_settings['redirect_url'],
+            'version'               => $iam_settings['version'],                            
+            // 'encryptionAlgorithm'   => 'RS256',                             // optional
+            // 'encryptionKeyPath'     => '../key.pem'                         // optional
+            // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+          ]);
+        }
+      }
+      else if ($iam_settings['authsource'] == 'generic-oidc'){
+        if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] &&
+            $iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){
+          $provider = new \League\OAuth2\Client\Provider\GenericProvider([
+            'clientId'                => $iam_settings['client_id'],
+            'clientSecret'            => $iam_settings['client_secret'],
+            'redirectUri'             => $iam_settings['redirect_url'],
+            'urlAuthorize'            => $iam_settings['authorize_url'],
+            'urlAccessToken'          => $iam_settings['token_url'],
+            'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
+            'scopes'                  => 'openid profile email'
+          ]);
+        }
       }
       return $provider;
     break;
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 3de3dec9b..7447b5f4b 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -362,7 +362,7 @@ function init_db_schema() {
           "custom_attributes" => "JSON NOT NULL DEFAULT ('{}')",
           "kind" => "VARCHAR(100) NOT NULL DEFAULT ''",
           "multiple_bookings" => "INT NOT NULL DEFAULT -1",
-          "authsource" => "ENUM('mailcow', 'keycloak') DEFAULT 'mailcow'",
+          "authsource" => "ENUM('mailcow', 'keycloak', 'generic-oidc') DEFAULT 'mailcow'",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
           "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",
           "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 1eb9aef39..1a42d0088 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -8,110 +8,228 @@
     </div>
     <div id="collapse-tab-config-identity-provider" class="card-body collapse" data-bs-parent="#admin-content">
       <p class="offset-sm-3 mb-4">{{ lang.admin.iam_description }}</p>
-      <form class="form-horizontal" autocapitalize="none" data-id="iam_sso" autocorrect="off" role="form" method="post">
-        <input type="hidden" name="authsource" value="keycloak">
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_url">{{ lang.admin.iam_server_url }}:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="iam_server_url" name="server_url" value="{{ identity_provider_settings.server_url }}" required>
-          </div>
+      <div class="row mb-4">
+        <label class="control-label col-sm-3 text-sm-end" for="iam_realm">{{ lang.admin.iam }}:</label>
+        <div class="col-sm-4">
+          <select
+            data-style="btn btn-secondary"
+            data-id="iam_provider"
+            title="{{ lang.admin.iam_provider }}"
+            name="iam_provider" id="iam_provider" class="full-width-select form-control" required>
+              <option value="keycloak" {% if not iam_settings.authsource or iam_settings.authsource == 'keycloak' %}selected{% endif %}>Keycloak</option>
+              <option value="generic-oidc" {% if iam_settings.authsource == 'generic-oidc' %}selected{% endif %}>Generic-OIDC</option>
+          </select>
         </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_realm">{{ lang.admin.iam_realm }}:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="iam_realm" name="realm" value="{{ identity_provider_settings.realm }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="iam_client_id" name="client_id" value="{{ identity_provider_settings.client_id }}" required>
-          </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
-          <div class="col-sm-4">
-            <div class="reveal-password-input input-group">
-              <input type="password" class="password-field form-control" id="iam_client_secret" name="client_secret" value="{{ identity_provider_settings.client_secret }}" required>
-              <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
+      </div>
+      <div id="keycloak_settings" class="{% if iam_settings.authsource and iam_settings.authsource != 'keycloak' %}d-none{% endif %}">
+        <form class="form-horizontal" autocapitalize="none" data-id="iam_keycloak" autocorrect="off" role="form" method="post">
+          <input type="hidden" name="authsource" value="keycloak">
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_url">{{ lang.admin.iam_server_url }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_keycloak_url" name="server_url" value="{{ iam_settings.server_url }}" required>
             </div>
           </div>
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ identity_provider_settings.redirect_url }}" required>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_realm">{{ lang.admin.iam_realm }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_keycloak_realm" name="realm" value="{{ iam_settings.realm }}" required>
+            </div>
           </div>
-        </div>
-        <div class="row mb-4">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_version }}:</label>
-          <div class="col-sm-4">
-            <input type="text" class="form-control" id="iam_version" name="version" value="{{ identity_provider_settings.version }}" required>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_clientid">{{ lang.admin.iam_client_id }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_keycloak_clientid" name="client_id" value="{{ iam_settings.client_id }}" required>
+            </div>
           </div>
-        </div>
-        <div class="row mb-4">
-          <label class="control-label col-sm-3 text-sm-end" for="iam_version">{{ lang.admin.iam_mapping }}:</label>
-          <div class="col-4 d-flex mb-2">
-            <span class="w-100 me-2">Attribute</span>
-            <span class="w-100 ms-2">Template</span>
-            <button id="iam_rolemap_add" class="btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-plus-lg"></i></button>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_clientsecret">{{ lang.admin.iam_client_secret }}:</label>
+            <div class="col-sm-4">
+              <div class="reveal-password-input input-group">
+                <input type="password" class="password-field form-control" id="iam_keycloak_clientsecret" name="client_secret" value="{{ iam_settings.client_secret }}" required>
+                <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
+              </div>
+            </div>
           </div>
-          {% for key, role in identity_provider_settings.mappers %}
-          <div class="offset-sm-3 col-4 d-flex mb-2">
-            <input type="text" class="form-control me-2" name="mappers" value="{{ identity_provider_settings.mappers[key] }}" required>
-            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-            {% for mbox_template in mbox_templates %}
-              <option{% if mbox_template.template == identity_provider_settings.templates[key] %} selected{% endif %}>
-                {{ mbox_template.template }}
-              </option>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_redirecturl">{{ lang.admin.iam_redirect_url }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_keycloak_redirecturl" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_version">{{ lang.admin.iam_version }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_keycloak_version" name="version" value="{{ iam_settings.version }}" required>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-4 d-flex mb-2">
+              <span class="w-100 me-2">Attribute</span>
+              <span class="w-100 ms-2">Template</span>
+              <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-2 iam_rolemap_add"><i class="bi bi-plus-lg"></i></button>
+            </div>
+            {% for key, role in iam_settings.mappers %}
+            <div class="offset-sm-3 col-4 d-flex mb-2">
+              <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
+              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+              {% for mbox_template in mbox_templates %}
+                <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
+                  {{ mbox_template.template }}
+                </option>
+              {% endfor %}
+              </select>
+              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+            </div>
             {% endfor %}
-            </select>
-            <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+            {% if not iam_settings.mappers %}
+            <div class="offset-sm-3 col-4 d-flex mb-2">
+              <input type="text" class="form-control me-2" name="mappers" value="" required>
+              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+              {% for mbox_template in mbox_templates %}
+                <option>
+                  {{ mbox_template.template }}
+                </option>
+              {% endfor %}
+              </select>
+              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+            </div>
+            {% endif %}
           </div>
-          {% endfor %}
-          {% if not identity_provider_settings.mappers %}
-          <div class="offset-sm-3 col-4 d-flex mb-2">
-            <input type="text" class="form-control me-2" name="mappers" value="" required>
-            <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-            {% for mbox_template in mbox_templates %}
-              <option>
-                {{ mbox_template.template }}
-              </option>
+          <div class="row mb-2 mt-4">
+            <label class="control-label col-sm-3 text-sm-end"></label>
+            <div class="col-sm-9">
+              <span>{{ lang.admin.iam_extra_permission|raw }}</span>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_rest_flow }}</label>
+            <div class="col-sm-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="mailpassword_flow" value="1" {% if iam_settings.mailpassword_flow == 1 %}checked{% endif %}>
+              </div>
+              <p class="text-muted">
+                <small>
+                  {{ lang.admin.iam_auth_flow_info|raw }}
+                </small>
+              </p>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end">Periodic Full Sync</label>
+            <div class="col-sm-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="periodic_sync"  value="1" {% if iam_settings.periodic_sync == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end">Import Users</label>
+            <div class="col-sm-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="import_users"  value="1" {% if iam_settings.import_users == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mt-4 mb-2">
+            <div class="offset-sm-3 col-sm-9 d-flex">
+              <div class="btn-group">   
+                <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection iam_test_connection" data-id="iam_keycloak"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
+                <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_keycloak" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+              </div>
+              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto" data-item="identity-provider" data-action="delete_selected" data-id="iam_keycloak" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
+            </div>
+          </div>
+        </form>
+      </div>
+      <div id="generic_oidc_settings" class="{% if not iam_settings.authsource or iam_settings.authsource != 'generic-oidc' %}d-none{% endif %}">
+        <form class="form-horizontal" autocapitalize="none" data-id="iam_generic" autocorrect="off" role="form" method="post">
+          <input type="hidden" name="authsource" value="generic-oidc">
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_authorize_url">{{ lang.admin.iam_authorize_url }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_authorize_url" name="authorize_url" value="{{ iam_settings.authorize_url }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_token_url">{{ lang.admin.iam_token_url }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_token_url" name="token_url" value="{{ iam_settings.token_url }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_userinfo_url">{{ lang.admin.iam_userinfo_url }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_userinfo_url" name="userinfo_url" value="{{ iam_settings.userinfo_url }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_client_id" name="client_id" value="{{ iam_settings.client_id }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
+            <div class="col-sm-4">
+              <div class="reveal-password-input input-group">
+                <input type="password" class="password-field form-control" id="iam_client_secret" name="client_secret" value="{{ iam_settings.client_secret }}" required>
+                <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-sm-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
+            <div class="col-sm-4">
+              <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-4 d-flex mb-2">
+              <span class="w-100 me-2">Attribute</span>
+              <span class="w-100 ms-2">Template</span>
+              <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-2 iam_rolemap_add"><i class="bi bi-plus-lg"></i></button>
+            </div>
+            {% for key, role in iam_settings.mappers %}
+            <div class="offset-sm-3 col-4 d-flex mb-2">
+              <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
+              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+              {% for mbox_template in mbox_templates %}
+                <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
+                  {{ mbox_template.template }}
+                </option>
+              {% endfor %}
+              </select>
+              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+            </div>
             {% endfor %}
-            </select>
-            <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
-          </div>
-          {% endif %}
-        </div>
-        <div class="row mb-2">
-          <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_auth_flow }}</label>
-          <div class="col-sm-9">
-            <div class="btn-group">
-              <input type="radio" class="btn-check" name="login_flow" id="iam_login_flow_rest" autocomplete="off" value="rest" {% if  identity_provider_settings.login_flow != 'ropc' %}checked{% endif %}>
-              <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-secondary" for="iam_login_flow_rest">{{ lang.admin.iam_rest_flow }}</label>
-
-              <input type="radio" class="btn-check" name="login_flow" id="iam_login_flow_ropc" autocomplete="off" value="ropc" {% if  identity_provider_settings.login_flow == 'ropc' %}checked{% endif %}>
-              <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-secondary" for="iam_login_flow_ropc">{{ lang.admin.iam_ropc_flow }}</label>
+            {% if not iam_settings.mappers %}
+            <div class="offset-sm-3 col-4 d-flex mb-2">
+              <input type="text" class="form-control me-2" name="mappers" value="" required>
+              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+              {% for mbox_template in mbox_templates %}
+                <option>
+                  {{ mbox_template.template }}
+                </option>
+              {% endfor %}
+              </select>
+              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
             </div>
-            <p class="text-muted">
-              <small>
-                {{ lang.admin.iam_auth_flow_info|raw }}<br>
-                {{ lang.admin.iam_auth_flow_rest_info|raw }}<br>
-                {{ lang.admin.iam_auth_flow_ropc_info|raw }}
-              </small>
-            </p>
+            {% endif %}
           </div>
-        </div>
-        <div class="row mt-4 mb-2">
-          <div class="offset-sm-3 col-sm-9 d-flex">
-            <div class="btn-group">   
-              <button id="iam_test_connection" class="btn btn-sm d-block d-sm-inline btn-secondary"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
-              <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="iam_sso" data-action="edit_selected" data-id="iam_sso" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+          <div class="row mt-4 mb-2">
+            <div class="offset-sm-3 col-sm-9 d-flex">
+              <div class="btn-group">   
+                <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection" data-id="iam_generic"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
+                <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_generic" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+              </div>
+              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto" data-item="identity-provider" data-action="delete_selected" data-id="iam_generic" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
             </div>
-            <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto" data-item="identity-provider" data-action="delete_selected" data-id="iam_sso" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
           </div>
-        </div>
-      </form>
+        </form>
+      </div>
     </div>
   </div>
 </div>

From 90476ae057f9ec3b6aa8807d8514767ad8428790 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 11:03:43 +0200
Subject: [PATCH 033/378] [Web] rename var for
 tab-config-identity-provider.twig

---
 data/web/admin.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/admin.php b/data/web/admin.php
index 1ffb76fb4..8d5e00abc 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -87,7 +87,7 @@ $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_method
 
 $f2b_data = fail2ban('get');
 // identity provider
-$identity_provider_settings = identity_provider('get');
+$iam_settings = identity_provider('get');
 // mbox templates
 $mbox_templates = mailbox('get', 'mailbox_templates');
 
@@ -121,7 +121,7 @@ $template_data = [
   'show_rspamd_global_filters' => @$_SESSION['show_rspamd_global_filters'],
   'cors_settings' => $cors_settings,
   'is_https' => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on',
-  'identity_provider_settings' => $identity_provider_settings,
+  'iam_settings' => $iam_settings,
   'mbox_templates' => $mbox_templates,
   'lang_admin' => json_encode($lang['admin']),
   'lang_datatables' => json_encode($lang['datatables'])

From 0c1e2ed6f2302b9ecc68aa74063a6609fba6698f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 11:10:41 +0200
Subject: [PATCH 034/378] [Web] revert configurable authsource

---
 data/web/inc/functions.mailbox.inc.php        |  6 +---
 data/web/js/site/mailbox.js                   | 29 -----------------
 .../web/templates/edit/mailbox-templates.twig |  9 ------
 data/web/templates/modals/mailbox.twig        | 31 +++++--------------
 4 files changed, 8 insertions(+), 67 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index f549785e7..b9a98043b 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1019,7 +1019,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (in_array($_data['authsource'], array('mailcow', 'keycloak'))){
+          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc'))){
             $authsource = $_data['authsource'];
           }
           if (empty($name)) {
@@ -1546,9 +1546,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
 
           // check attributes
-          $authsources = array('mailcow', 'keycloak');
           $attr = array();
-          $attr["authsource"]                  = (isset($_data['authsource']) && in_array($_data['authsource'], $authsources)) ? $_data['authsource'] : 'mailcow';
           $attr["quota"]                       = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0;
           $attr['tags']                        = (isset($_data['tags'])) ? $_data['tags'] : array();
           $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
@@ -3236,9 +3234,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $_data["template"]                   = (isset($_data["template"])) ? $_data["template"] : $is_now["template"]; 
             }   
             // check attributes
-            $authsources = array('mailcow', 'keycloak');
             $attr = array();
-            $attr["authsource"]                  = (isset($_data['authsource']) && in_array($_data['authsource'], $authsources)) ? $_data['authsource'] : $is_now['authsource'];
             $attr["quota"]                       = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0;
             $attr['tags']                        = (isset($_data['tags'])) ? $_data['tags'] : $is_now['tags'];
             $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index 06c1444d3..1dc6b4f5b 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -162,17 +162,6 @@ $(document).ready(function() {
       }
     });
   });
-  // @selecting identity provider mbox_add_modal
-  $('#mbox_add_iam').on('change', function(){
-    // toggle password fields
-    if (this.value === 'mailcow'){
-      $('#mbox_add_pwds').removeClass('d-none');
-      $('#mbox_add_pwds').find('.form-control').prop('required', true);
-    } else {
-      $('#mbox_add_pwds').addClass('d-none');
-      $('#mbox_add_pwds').find('.form-control').prop('required', false);
-    }
-  });
   // Sieve data modal
   $('#sieveDataModal').on('show.bs.modal', function(e) {
     var sieveScript = $(e.relatedTarget).data('sieve-script');
@@ -280,15 +269,6 @@ $(document).ready(function() {
   }
   function setMailboxTemplateData(template){
     $("#addInputQuota").val(template.quota / 1048576);
-    $('#mbox_add_iam').selectpicker('val', template.authsource);
-    // toggle password fields
-    if (!template.authsource || template.authsource === 'mailcow'){
-      $('#mbox_add_pwds').removeClass('d-none');
-      $('#mbox_add_pwds').find('.form-control').prop('required', true);
-    } else {
-      $('#mbox_add_pwds').addClass('d-none');
-      $('#mbox_add_pwds').find('.form-control').prop('required', false);
-    }
 
     if (template.quarantine_notification === "never"){
       $('#quarantine_notification_never').prop('checked', true);
@@ -1291,15 +1271,6 @@ jQuery(function($){
           data: 'attributes.quota',
           defaultContent: '',
         },
-        {
-          title: lang.iam,
-          data: 'attributes.authsource',
-          defaultContent: '',
-          render: function (data, type) {
-            data = data ? '<span class="badge bg-primary">' + data + '<i class="ms-2 bi bi-person-circle"></i></i></span>' : '<i class="bi bi-x-lg"></i>';
-            return data;
-          }
-        },
         {
           title: lang.tls_enforce_in,
           data: 'attributes.tls_enforce_in',
diff --git a/data/web/templates/edit/mailbox-templates.twig b/data/web/templates/edit/mailbox-templates.twig
index c83a15dd7..f606bd452 100644
--- a/data/web/templates/edit/mailbox-templates.twig
+++ b/data/web/templates/edit/mailbox-templates.twig
@@ -19,15 +19,6 @@
         </div>
       </div>
     </div>
-    <div class="row mb-2">
-      <label class="control-label col-sm-2" for="authsource">{{ lang.admin.iam }}</label>
-      <div class="col-sm-10">
-        <select class="full-width-select" data-live-search="true" id="mbox_template_iam" name="authsource" required>
-          <option {% if template.attributes.authsource == 'mailcow' %}selected{% endif %}>mailcow</option>
-          <option {% if template.attributes.authsource == 'keycloak' %}selected{% endif %}>keycloak</option>
-        </select>
-      </div>
-    </div>
     <div class="row mb-2">
       <label class="control-label col-sm-2">{{ lang.add.tags }}</label>
       <div class="col-sm-10">
diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig
index e0b4f02b6..27f709526 100644
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -11,19 +11,20 @@
           <input type="hidden" value="0" name="force_pw_update">
           <input type="hidden" value="0" name="sogo_access">
           <input type="hidden" value="0" name="protocol_access">
+          <input type="hidden" value="mailcow" name="authsource">
 
-          <div class="row mb-2">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="name">{{ lang.add.full_name }}</label>
-            <div class="col-sm-10">
-              <input type="text" class="form-control" name="name">
-            </div>
-          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end" for="local_part">{{ lang.add.mailbox_username }}</label>
             <div class="col-sm-10">
               <input type="text" pattern="[A-Za-z0-9\.!#$%&'*+/=?^_`{|}~-]+" autocorrect="off" autocapitalize="none" class="form-control" name="local_part" required>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="name">{{ lang.add.full_name }}</label>
+            <div class="col-sm-10">
+              <input type="text" class="form-control" name="name">
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end" for="domain">{{ lang.add.domain }}</label>
             <div class="col-sm-10">
@@ -41,15 +42,6 @@
               </select>
             </div>
           </div>
-          <div class="row mb-2">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="authsource">{{ lang.admin.iam }}</label>
-            <div class="col-sm-10">
-              <select class="full-width-select" data-live-search="true" id="mbox_add_iam" name="authsource" required>
-                <option selected>mailcow</option>
-                <option>keycloak</option>
-              </select>
-            </div>
-          </div>
           <div id="mbox_add_pwds">
             <div class="row mb-2">
               <label class="control-label col-sm-2 text-sm-end text-sm-end" for="password">{{ lang.add.password }} (<a href="#" class="generate_password">{{ lang.add.generate }}</a>)</label>
@@ -236,15 +228,6 @@
               </div>
             </div>
           </div>
-          <div class="row mb-2">
-            <label class="control-label col-sm-2 text-sm-end text-sm-end" for="authsource">{{ lang.admin.iam }}</label>
-            <div class="col-sm-10">
-              <select class="full-width-select" data-live-search="true" id="mbox_template_iam" name="authsource">
-                <option selected>mailcow</option>
-                <option>keycloak</option>
-              </select>
-            </div>
-          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end">{{ lang.add.tags }}</label>
             <div class="col-sm-10">

From c8fec24da30162c1fe56bcab4042402f05f2be03 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 11:16:56 +0200
Subject: [PATCH 035/378] [Web] add "edit mailbox_from_template" function

---
 data/web/inc/functions.mailbox.inc.php | 60 ++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index b9a98043b..afa952e68 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -3196,6 +3196,66 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
           return true;
         break;
+        case 'mailbox_from_template':
+          $stmt = $pdo->prepare("SELECT * FROM `templates` 
+          WHERE `template` = :template AND type = 'mailbox'");
+          $stmt->execute(array(
+            ":template" => $_data['template']
+          ));
+          $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+          if (empty($mbox_template_data)){
+            $_SESSION['return'][] =  array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'template_missing'
+            );
+            return false;
+          }
+
+          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);  
+          $quarantine_attributes = array('username' => $_data['username']);
+          $tls_attributes = array('username' => $_data['username']);
+          $ratelimit_attributes = array('object' => $_data['username']);
+          $acl_attributes = array('username' => $_data['username'], 'user_acl' => array());
+          $mailbox_attributes = array('username' => $_data['username']);
+          foreach ($mbox_template_data as $key => $value){
+            switch (true) {
+              case (strpos($key, 'quarantine_') === 0):
+                $quarantine_attributes[$key] = $value;
+              break;
+              case (strpos($key, 'tls_') === 0):
+                if ($value == null)
+                  $value = 0;
+                $tls_attributes[$key] = $value;
+              break;
+              case (strpos($key, 'rl_') === 0):
+                $ratelimit_attributes[$key] = $value;
+              break;
+              case (strpos($key, 'acl_') === 0 && $value != 0):
+                array_push($acl_attributes['user_acl'], str_replace('acl_' , '', $key));
+              break;
+              default:
+                $mailbox_attributes[$key] = $value;
+              break;
+            }
+          }
+        
+          $mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
+          $result = mailbox('edit', 'mailbox', $mailbox_attributes);
+          if ($result === false) return $result;
+          $result = mailbox('edit', 'tls_policy', $tls_attributes);
+          if ($result === false) return $result;
+          $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes);
+          if ($result === false) return $result;
+          $result = mailbox('edit', 'quarantine_category', $quarantine_attributes);
+          if ($result === false) return $result;
+          $result = ratelimit('edit', 'mailbox', $ratelimit_attributes);
+          if ($result === false) return $result;
+          $result = acl('edit', 'user', $acl_attributes);
+          if ($result === false) return $result;
+
+          return true;
+        break;
         case 'mailbox_templates':
           if ($_SESSION['mailcow_cc_role'] != "admin") {
             $_SESSION['return'][] = array(

From 28679eb916e143c1ebf855e76f33d1812fe7ee2f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 11:19:49 +0200
Subject: [PATCH 036/378] [Web] add generic-oidc provider

---
 data/web/js/site/admin.js | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 885e5ea52..b2f8ae1a5 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -750,9 +750,9 @@ jQuery(function($){
     add_table_row($('#f2b_regex_table'), "f2b_regex");
   });
   // IAM test connection
-  $('#iam_test_connection').click(async function(e){
+  $('.iam_test_connection').click(async function(e){
     e.preventDefault();
-    var data = { attr: $('form[data-id="iam_sso"]').serializeObject() };
+    var data = { attr: $('form[data-id="' + $(this).data('id') + '"]').serializeObject() };
     var res = await fetch("/api/v1/edit/identity-provider-test", { 
       headers: {
         "Content-Type": "application/json",
@@ -768,7 +768,7 @@ jQuery(function($){
     return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
   });
 
-  $('#iam_rolemap_add').click(async function(e){
+  $('.iam_rolemap_add').click(async function(e){
     e.preventDefault();
 
     var parent = $(this).parent().parent();
@@ -791,4 +791,15 @@ jQuery(function($){
     e.preventDefault();
     $(this).parent().remove();
   });
+  // selecting identity provider
+  $('#iam_provider').on('change', function(){
+    // toggle password fields
+    if (this.value === 'keycloak'){
+      $('#keycloak_settings').removeClass('d-none');
+      $('#generic_oidc_settings').addClass('d-none');
+    } else if (this.value === 'generic-oidc') {
+      $('#keycloak_settings').addClass('d-none');
+      $('#generic_oidc_settings').removeClass('d-none');
+    }
+  });
 });

From e784c98a5a88cfcaf13e45071cc6038b3dee59fa Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 12:32:51 +0200
Subject: [PATCH 037/378] [Web] add "add mailbox_from_template" function

---
 data/web/inc/functions.mailbox.inc.php   | 42 ++++++++++++++++++++++--
 data/web/inc/functions.ratelimit.inc.php |  6 ++--
 2 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index afa952e68..7ba0a2f49 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1044,7 +1044,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $password2 = '';
             $password_hashed = '';
           }
-          if (!$_SESSION['iam_create_login'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
+          if (!$_extra['iam_create_login'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1098,7 +1098,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_SESSION['iam_create_login']) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['iam_create_login']) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1318,7 +1318,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'object' => $username,
               'rl_frame' => $_data['rl_frame'],
               'rl_value' => $_data['rl_value']
-            ));
+            ), $_extra);
           }
 
           update_sogo_static_view($username);
@@ -1328,6 +1328,42 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             'msg' => array('mailbox_added', htmlspecialchars($username))
           );
         break;
+        case 'mailbox_from_template':
+          $stmt = $pdo->prepare("SELECT * FROM `templates` 
+          WHERE `template` = :template AND type = 'mailbox'");
+          $stmt->execute(array(
+            ":template" => $_data['template']
+          ));
+          $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
+          if (empty($mbox_template_data)){
+            $_SESSION['return'][] =  array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => 'template_missing'
+            );
+            return false;
+          }  
+          
+          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);  
+          $mbox_template_data['domain'] = $_data['domain'];
+          $mbox_template_data['local_part'] = $_data['local_part'];
+          $mbox_template_data['authsource'] = $_data['authsource'];
+          $mbox_template_data['quota'] = intval($mbox_template_data['quota'] / 1048576);
+        
+          $mailbox_attributes = array('acl' => array());
+          foreach ($mbox_template_data as $key => $value){
+            switch (true) {
+              case (strpos($key, 'acl_') === 0 && $value != 0):
+                array_push($mailbox_attributes['acl'], str_replace('acl_' , '', $key));
+              break;
+              default:
+                $mailbox_attributes[$key] = $value;
+              break;
+            }
+          }
+        
+          return mailbox('add', 'mailbox', $mailbox_attributes, array('iam_create_login' => true));
+        break;
         case 'resource':
           $domain             = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
           $description        = $_data['description'];
diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index 93840b5eb..bc05cd362 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -1,10 +1,10 @@
 <?php
-function ratelimit($_action, $_scope, $_data = null) {
+function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
   global $redis;
   $_data_log = $_data;
   switch ($_action) {
     case 'edit':
-      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_SESSION['iam_create_login']) {
+      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['iam_create_login']) {
         $_SESSION['return'][] = array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -93,7 +93,7 @@ function ratelimit($_action, $_scope, $_data = null) {
               continue;
             }
             if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
-              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_SESSION['iam_create_login']) {
+                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['iam_create_login']) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),

From ad19ff5429a44c7162d8b5d14c4624e0d75373bd Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 12:37:01 +0200
Subject: [PATCH 038/378] [Web] remove ropc flow

---
 data/web/inc/functions.auth.inc.php | 79 +----------------------------
 1 file changed, 1 insertion(+), 78 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index fbb79ed8a..303bcbe0b 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -270,7 +270,7 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
       AND `app_passwd`.`active` = '1'
       AND `app_passwd`.`mailbox` = :user
       :has_access_query"
-  );    
+  );
   // check if app password has protocol access
   // skip if protocol is false and the call is not external
   $has_access_query = '';
@@ -308,83 +308,6 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
 
   return false;
 }
-
-// ROPC Flow (deprecated oAuth2.1)
-// uses direct user credentials for UI, IMAP and SMTP Auth
-function keycloak_mbox_login_ropc($user, $pass, $iam_settings, $is_internal = false, $create = false){
-  global $pdo;
-
-  $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
-  $req = http_build_query(array(
-    'grant_type'    => 'password',
-    'client_id'     => $iam_settings['client_id'],
-    'client_secret' => $iam_settings['client_secret'],
-    'username'      => $user,
-    'password'      => $pass,
-  ));
-  $curl = curl_init();
-  curl_setopt($curl, CURLOPT_URL, $url);
-  curl_setopt($curl, CURLOPT_POST, 1);
-  curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
-  curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
-  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
-  $res = json_decode(curl_exec($curl), true);
-  $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-  curl_close ($curl);
-
-  if ($code == 200) {
-    // decode jwt
-    $user_data = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $res['access_token'])[1]))), true);
-    if ($user != $user_data['email']){
-      // check if $user is email address, only accept email address as username
-      return false;
-    }
-    if ($create && !empty($iam_settings['mappers'])){
-      // try to create mbox on successfull login
-      $mbox_template = null;
-      // check if matching attribute mapping exists
-      foreach ($iam_settings['mappers'] as $index => $mapper){
-        if (in_array($mapper, $iam_settings['mappers'])) {
-          $mbox_template = $iam_settings['templates'][$index];
-          break;
-        }
-      }
-      if (!$mbox_template){
-        // no matching template found
-        return false;
-      }
-      
-      $stmt = $pdo->prepare("SELECT * FROM `templates` 
-      WHERE `template` = :template AND type = 'mailbox'");
-      $stmt->execute(array(
-        ":template" => $mbox_template
-      ));
-      $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
-
-      if (!empty($mbox_template_data)){
-        $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
-        $mbox_template_data['domain'] = explode('@', $user)[1];
-        $mbox_template_data['local_part'] = explode('@', $user)[0];
-        $mbox_template_data['authsource'] = 'keycloak';
-        $_SESSION['iam_create_login'] = true;
-        $create_res = mailbox('add', 'mailbox', $mbox_template_data);
-        $_SESSION['iam_create_login'] = false;
-        if (!$create_res){
-          return false;
-        }
-      }
-    }
-
-    $_SESSION['return'][] =  array(
-      'type' => 'success',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => array('logged_in_as', $user)
-    );
-    return 'user';
-  } else {
-    return false;
-  }
-}
 // Keycloak REST Api Flow - auth user by mailcow_password attribute
 // This password will be used for direct UI, IMAP and SMTP Auth
 // To use direct user credentials, only Authorization Code Flow is valid

From cc7516685f4dfddabf39c7c96c5c72ed1a7558d0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 12:47:47 +0200
Subject: [PATCH 039/378] [Web] functions.auth.inc.php corrections

---
 data/web/inc/functions.auth.inc.php | 273 ++++++++++++----------------
 1 file changed, 113 insertions(+), 160 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 303bcbe0b..cd46b45b1 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -14,74 +14,51 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
 
   // Validate admin
   $result = mailcow_admin_login($user, $pass);
-  if ($result){
-    return $result;
-  }
+  if ($result !== false) return $result;
 
   // Validate domain admin
   $result = mailcow_domainadmin_login($user, $pass);
-  if ($result){
-    return $result;
-  }
+  if ($result !== false) return $result;
 
   // Validate mailbox user
   // check authsource
-  $stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
+  $stmt = $pdo->prepare("SELECT authsource, mailbox.active AS mailbox_active, domain.active AS domain_active FROM `mailbox`
       INNER JOIN domain on mailbox.domain = domain.domain
       WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active`='1'
-        AND `domain`.`active`='1'
         AND `username` = :user");
   $stmt->execute(array(':user' => $user));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  if (!$row){
-    // mbox does not exist, call keycloak login and create mbox if possible
-    $identity_provider_settings = identity_provider('get');
-    if ($identity_provider_settings['login_flow'] == 'ropc'){
-      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
-    } else {
-      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
+  if (!$row && $row['domain_active'] == 1){
+    // mbox does not exist, call keycloak login and create mbox if possible via rest flow
+    $iam_settings = identity_provider('get');
+    if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
+      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal, true);
+      if ($result !== false) return $result;
     }
-    if ($result){
-      return $result;
-    }
-  } else if ($row['authsource'] == 'keycloak'){
-    if ($app_passwd_data){
+  } else if ($row && $row['mailbox_active'] == 1 && $row['domain_active'] == 1) {
+    // mbox does exist and is active
+    if (isset($app_passwd_data)){
       // first check if password is app_password
       $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
-      if ($result){
-        return $result;
-      }
+      if ($result !== false) return $result;
     }
 
-    $identity_provider_settings = identity_provider('get');
-    if ($identity_provider_settings['login_flow'] == 'ropc'){
-      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
-    } else {
-      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
-    }
-    if ($result){
-      return $result;
-    }
-  } else {
-    if ($app_passwd_data){
-      // first check if password is app_password
-      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
-      if ($result){
-        return $result;
+    if ($row['authsource'] == 'mailcow') {
+      // mbox authsource is mailcow
+      $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
+      if ($result !== false) return $result;
+    } else if ($row['authsource'] == 'keycloak'){
+      // mbox authsource is keycloak, try using via rest flow
+      $iam_settings = identity_provider('get');
+      if (intval($iam_settings['mailboxpassword_flow']) == 1){
+        $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal);
+        if ($result !== false) return $result;
       }
     }
-
-    $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
-    if ($result){
-      return $result;
-    }
   }
 
   // skip log and only return false if it's an internal request
-  if ($is_internal){
-    return false;
-  }
+  if ($is_internal == true) return false;
   if (!isset($_SESSION['ldelay'])) {
     $_SESSION['ldelay'] = "0";
     $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
@@ -102,53 +79,44 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
   return false;
 }
 
-function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
+function mailcow_admin_login($user, $pass){
   global $pdo;
 
-  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
-      INNER JOIN domain on mailbox.domain = domain.domain
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active`='1'
-        AND `domain`.`active`='1'
-        AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
-        AND `username` = :user");
+  $user = strtolower(trim($user));
+  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+      WHERE `superadmin` = '1'
+      AND `active` = '1'
+      AND `username` = :user");
   $stmt->execute(array(':user' => $user));
   $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-
-  foreach ($rows as $row) { 
+  foreach ($rows as $row) {
     // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      if (!array_key_exists("app_passwd_id", $row)){ 
-        // password is not a app password
-        // check for tfa authenticators
-        $authenticators = get_tfa($user);
-        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
-          // authenticators found, init TFA flow
-          $_SESSION['pending_mailcow_cc_username'] = $user;
-          $_SESSION['pending_mailcow_cc_role'] = "user";
-          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-          unset($_SESSION['ldelay']);
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
-            'msg' => array('logged_in_as', $user)
-          );
-          return "pending";
-        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-          // no authenticators found, login successfull
-          if (!$is_internal){
-            unset($_SESSION['ldelay']);
-            // Reactivate TFA if it was set to "deactivate TFA for next login"
-            $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-            $stmt->execute(array(':user' => $user));
-            $_SESSION['return'][] =  array(
-              'type' => 'success',
-              'log' => array(__FUNCTION__, $user, '*'),
-              'msg' => array('logged_in_as', $user)
-            );
-          }
-          return "user";
-        }
+    if (verify_hash($row['password'], $pass)) {
+      // check for tfa authenticators
+      $authenticators = get_tfa($user);
+      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+        // active tfa authenticators found, set pending user login
+        $_SESSION['pending_mailcow_cc_username'] = $user;
+        $_SESSION['pending_mailcow_cc_role'] = "admin";
+        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+        unset($_SESSION['ldelay']);
+        $_SESSION['return'][] =  array(
+          'type' => 'info',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => 'awaiting_tfa_confirmation'
+        );
+        return "pending";
+      } else {
+        unset($_SESSION['ldelay']);
+        // Reactivate TFA if it was set to "deactivate TFA for next login"
+        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+        $stmt->execute(array(':user' => $user));
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => array('logged_in_as', $user)
+        );
+        return "admin";
       }
     }
   }
@@ -198,44 +166,53 @@ function mailcow_domainadmin_login($user, $pass){
 
   return false;
 }
-function mailcow_admin_login($user, $pass){
+function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
   global $pdo;
 
-  $user = strtolower(trim($user));
-  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-      WHERE `superadmin` = '1'
-      AND `active` = '1'
-      AND `username` = :user");
+  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active`='1'
+        AND `domain`.`active`='1'
+        AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
+        AND `username` = :user");
   $stmt->execute(array(':user' => $user));
   $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
+
+  foreach ($rows as $row) { 
     // verify password
-    if (verify_hash($row['password'], $pass)) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        // active tfa authenticators found, set pending user login
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "admin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      } else {
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "admin";
+    if (verify_hash($row['password'], $pass) !== false) {
+      if (!array_key_exists("app_passwd_id", $row)){ 
+        // password is not a app password
+        // check for tfa authenticators
+        $authenticators = get_tfa($user);
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+          // authenticators found, init TFA flow
+          $_SESSION['pending_mailcow_cc_username'] = $user;
+          $_SESSION['pending_mailcow_cc_role'] = "user";
+          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+          unset($_SESSION['ldelay']);
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => array('logged_in_as', $user)
+          );
+          return "pending";
+        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          // no authenticators found, login successfull
+          if (!$is_internal){
+            unset($_SESSION['ldelay']);
+            // Reactivate TFA if it was set to "deactivate TFA for next login"
+            $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+            $stmt->execute(array(':user' => $user));
+            $_SESSION['return'][] =  array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $user, '*'),
+              'msg' => array('logged_in_as', $user)
+            );
+          }
+          return "user";
+        }
       }
     }
   }
@@ -315,24 +292,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
   global $pdo;
 
   // get access_token for service account of mailcow client
-  $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token";
-  $req = http_build_query(array(
-    'grant_type'    => 'client_credentials',
-    'client_id'     => $iam_settings['client_id'],
-    'client_secret' => $iam_settings['client_secret']
-  ));
-  $curl = curl_init();
-  curl_setopt($curl, CURLOPT_URL, $url);
-  curl_setopt($curl, CURLOPT_POST, 1);
-  curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
-  curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
-  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
-  $mcclient_res = json_decode(curl_exec($curl), true);
-  $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-  curl_close ($curl);
-  if ($code != 200) {
-    return false;
-  }
+  $admin_token = identity_provider("get-keycloak-admin-token");
 
   // get the mailcow_password attribute from keycloak user
   $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users";
@@ -342,7 +302,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
   curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
   curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
   curl_setopt($curl, CURLOPT_HTTPHEADER, array(
-      'Authorization: Bearer ' . $mcclient_res['access_token'],
+      'Authorization: Bearer ' . $admin_token,
       'Content-Type: application/json'
   ));
   $user_res = json_decode(curl_exec($curl), true)[0];
@@ -352,8 +312,6 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
     return false;
   }
 
-  
-
   // validate mailcow_password
   $mailcow_password = $user_res['attributes']['mailcow_password'][0];
   if (!verify_hash($mailcow_password, $pass)) {
@@ -388,24 +346,19 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
     // no matching template found
     return false;
   }
-  $stmt = $pdo->prepare("SELECT * FROM `templates` 
-  WHERE `template` = :template AND type = 'mailbox'");
-  $stmt->execute(array(
-    ":template" => $mbox_template
-  ));
-  $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC);
-  if (empty($mbox_template_data)){
-    return false;
-  }
 
-  $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
-  $mbox_template_data['domain'] = explode('@', $user)[1];
-  $mbox_template_data['local_part'] = explode('@', $user)[0];
-  $mbox_template_data['authsource'] = 'keycloak';
-  $_SESSION['iam_create_login'] = true;
-  $create_res = mailbox('add', 'mailbox', $mbox_template_data);
-  $_SESSION['iam_create_login'] = false;
-  if (!$create_res){
+  // create mailbox
+  $create_res = mailbox('add', 'mailbox_from_template', array(
+    'domain' => explode('@', $user)[1],
+    'local_part' => explode('@', $user)[0],
+    'authsource' => 'keycloak',
+    'template' => $mbox_template
+  ));
+  if (!$create_res) return false;
+
+  // check if created mailbox from template is even active
+  // maybe dont even create it if active != 1
+  if ($mailbox_attributes['active'] != 1){
     return false;
   }
 

From b251c58b23e134082ae877a40b39d6adec5ad65a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 12:48:30 +0200
Subject: [PATCH 040/378] update gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index e1e8e8882..22ea38bd0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,7 @@ data/conf/dovecot/mail_replica.conf
 data/conf/dovecot/global_sieve_*
 data/conf/dovecot/last_login
 data/conf/dovecot/lua
+data/conf/dovecot/auth/passwd-verify.lua
 data/conf/dovecot/mail_plugins*
 data/conf/dovecot/shared_namespace.conf
 data/conf/dovecot/sni.conf

From a805d3b2e3123b9e7adba5dfae405cadc4011431 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 13:21:17 +0200
Subject: [PATCH 041/378] [Web] add league/oauth2-client

---
 data/web/inc/lib/composer.json                |   3 +-
 data/web/inc/lib/composer.lock                |  14 +--
 .../inc/lib/vendor/composer/autoload_psr4.php |   2 +-
 .../lib/vendor/composer/autoload_static.php   |   4 +-
 .../inc/lib/vendor/composer/installed.json    |  14 +--
 .../web/inc/lib/vendor/composer/installed.php |  10 +-
 .../lib/vendor/league/oauth2-client/README.md |   2 +-
 .../src/Provider/AbstractProvider.php         | 106 +++++++++++++++++-
 .../Exception/IdentityProviderException.php   |   4 +-
 .../src/Provider/GenericProvider.php          |  14 +++
 10 files changed, 143 insertions(+), 30 deletions(-)

diff --git a/data/web/inc/lib/composer.json b/data/web/inc/lib/composer.json
index cc1fc7dd4..c2fef5fb1 100644
--- a/data/web/inc/lib/composer.json
+++ b/data/web/inc/lib/composer.json
@@ -10,6 +10,7 @@
         "mustangostang/spyc": "^0.6.3",
         "directorytree/ldaprecord": "^2.4",
         "twig/twig": "^3.0",
-        "stevenmaguire/oauth2-keycloak": "^3.2"
+        "stevenmaguire/oauth2-keycloak": "^3.2",
+        "league/oauth2-client": "^2.7"
     }
 }
diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index c03fe1c29..349056afc 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "65fe6638523a3a93c55e67a061725223",
+    "content-hash": "ee35a2bf8c80a87b6825c3e86635f709",
     "packages": [
         {
             "name": "bshaffer/oauth2-server-php",
@@ -654,16 +654,16 @@
         },
         {
             "name": "league/oauth2-client",
-            "version": "2.6.1",
+            "version": "2.7.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/oauth2-client.git",
-                "reference": "2334c249907190c132364f5dae0287ab8666aa19"
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/2334c249907190c132364f5dae0287ab8666aa19",
-                "reference": "2334c249907190c132364f5dae0287ab8666aa19",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/160d6274b03562ebeb55ed18399281d8118b76c8",
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8",
                 "shasum": ""
             },
             "require": {
@@ -718,9 +718,9 @@
             ],
             "support": {
                 "issues": "https://github.com/thephpleague/oauth2-client/issues",
-                "source": "https://github.com/thephpleague/oauth2-client/tree/2.6.1"
+                "source": "https://github.com/thephpleague/oauth2-client/tree/2.7.0"
             },
-            "time": "2021-12-22T16:42:49+00:00"
+            "time": "2023-04-16T18:19:15+00:00"
         },
         {
             "name": "matthiasmullie/minify",
diff --git a/data/web/inc/lib/vendor/composer/autoload_psr4.php b/data/web/inc/lib/vendor/composer/autoload_psr4.php
index 6112acbac..8e959eac3 100644
--- a/data/web/inc/lib/vendor/composer/autoload_psr4.php
+++ b/data/web/inc/lib/vendor/composer/autoload_psr4.php
@@ -18,7 +18,7 @@ return array(
     'RobThree\\Auth\\' => array($vendorDir . '/robthree/twofactorauth/lib'),
     'Psr\\SimpleCache\\' => array($vendorDir . '/psr/simple-cache/src'),
     'Psr\\Log\\' => array($vendorDir . '/psr/log/src'),
-    'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-message/src', $vendorDir . '/psr/http-factory/src'),
+    'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-factory/src', $vendorDir . '/psr/http-message/src'),
     'Psr\\Http\\Client\\' => array($vendorDir . '/psr/http-client/src'),
     'Psr\\Container\\' => array($vendorDir . '/psr/container/src'),
     'PhpMimeMailParser\\' => array($vendorDir . '/php-mime-mail-parser/php-mime-mail-parser/src'),
diff --git a/data/web/inc/lib/vendor/composer/autoload_static.php b/data/web/inc/lib/vendor/composer/autoload_static.php
index 440edffbc..27a95eda8 100644
--- a/data/web/inc/lib/vendor/composer/autoload_static.php
+++ b/data/web/inc/lib/vendor/composer/autoload_static.php
@@ -140,8 +140,8 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         ),
         'Psr\\Http\\Message\\' => 
         array (
-            0 => __DIR__ . '/..' . '/psr/http-message/src',
-            1 => __DIR__ . '/..' . '/psr/http-factory/src',
+            0 => __DIR__ . '/..' . '/psr/http-factory/src',
+            1 => __DIR__ . '/..' . '/psr/http-message/src',
         ),
         'Psr\\Http\\Client\\' => 
         array (
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index cec6e781d..ef7cac481 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -668,17 +668,17 @@
         },
         {
             "name": "league/oauth2-client",
-            "version": "2.6.1",
-            "version_normalized": "2.6.1.0",
+            "version": "2.7.0",
+            "version_normalized": "2.7.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/oauth2-client.git",
-                "reference": "2334c249907190c132364f5dae0287ab8666aa19"
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/2334c249907190c132364f5dae0287ab8666aa19",
-                "reference": "2334c249907190c132364f5dae0287ab8666aa19",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/160d6274b03562ebeb55ed18399281d8118b76c8",
+                "reference": "160d6274b03562ebeb55ed18399281d8118b76c8",
                 "shasum": ""
             },
             "require": {
@@ -692,7 +692,7 @@
                 "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5",
                 "squizlabs/php_codesniffer": "^2.3 || ^3.0"
             },
-            "time": "2021-12-22T16:42:49+00:00",
+            "time": "2023-04-16T18:19:15+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
@@ -735,7 +735,7 @@
             ],
             "support": {
                 "issues": "https://github.com/thephpleague/oauth2-client/issues",
-                "source": "https://github.com/thephpleague/oauth2-client/tree/2.6.1"
+                "source": "https://github.com/thephpleague/oauth2-client/tree/2.7.0"
             },
             "install-path": "../league/oauth2-client"
         },
diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php
index 07db23e07..a9737b061 100644
--- a/data/web/inc/lib/vendor/composer/installed.php
+++ b/data/web/inc/lib/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'ea394d702dd7fe05f9b28c818fd912c5a60e71f4',
+        'reference' => '07edec4ea50b8eedae10c28eba0b4b2774df537e',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'ea394d702dd7fe05f9b28c818fd912c5a60e71f4',
+            'reference' => '07edec4ea50b8eedae10c28eba0b4b2774df537e',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -98,9 +98,9 @@
             'dev_requirement' => false,
         ),
         'league/oauth2-client' => array(
-            'pretty_version' => '2.6.1',
-            'version' => '2.6.1.0',
-            'reference' => '2334c249907190c132364f5dae0287ab8666aa19',
+            'pretty_version' => '2.7.0',
+            'version' => '2.7.0.0',
+            'reference' => '160d6274b03562ebeb55ed18399281d8118b76c8',
             'type' => 'library',
             'install_path' => __DIR__ . '/../league/oauth2-client',
             'aliases' => array(),
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/README.md b/data/web/inc/lib/vendor/league/oauth2-client/README.md
index f35d53e8a..cbb449d48 100644
--- a/data/web/inc/lib/vendor/league/oauth2-client/README.md
+++ b/data/web/inc/lib/vendor/league/oauth2-client/README.md
@@ -6,7 +6,7 @@ This package provides a base for integrating with [OAuth 2.0](http://oauth.net/2
 [![Source Code](https://img.shields.io/badge/source-thephpleague/oauth2--client-blue.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client)
 [![Latest Version](https://img.shields.io/github/release/thephpleague/oauth2-client.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client/releases)
 [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client/blob/master/LICENSE)
-[![Build Status](https://img.shields.io/github/workflow/status/thephpleague/oauth2-client/CI?label=CI&logo=github&style=flat-square)](https://github.com/thephpleague/oauth2-client/actions?query=workflow%3ACI)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/thephpleague/oauth2-client/continuous-integration.yml?label=CI&logo=github&style=flat-square)](https://github.com/thephpleague/oauth2-client/actions?query=workflow%3ACI)
 [![Codecov Code Coverage](https://img.shields.io/codecov/c/gh/thephpleague/oauth2-client?label=codecov&logo=codecov&style=flat-square)](https://codecov.io/gh/thephpleague/oauth2-client)
 [![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-client.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-client)
 
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php
index d1679998c..293a54d6e 100644
--- a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php
@@ -17,6 +17,7 @@ namespace League\OAuth2\Client\Provider;
 use GuzzleHttp\Client as HttpClient;
 use GuzzleHttp\ClientInterface as HttpClientInterface;
 use GuzzleHttp\Exception\BadResponseException;
+use InvalidArgumentException;
 use League\OAuth2\Client\Grant\AbstractGrant;
 use League\OAuth2\Client\Grant\GrantFactory;
 use League\OAuth2\Client\OptionProvider\OptionProviderInterface;
@@ -44,7 +45,7 @@ abstract class AbstractProvider
     use QueryBuilderTrait;
 
     /**
-     * @var string Key used in a token response to identify the resource owner.
+     * @var string|null Key used in a token response to identify the resource owner.
      */
     const ACCESS_TOKEN_RESOURCE_OWNER_ID = null;
 
@@ -58,6 +59,19 @@ abstract class AbstractProvider
      */
     const METHOD_POST = 'POST';
 
+    /**
+     * @var string PKCE method used to fetch authorization token.
+     * The PKCE code challenge will be hashed with sha256 (recommended).
+     */
+    const PKCE_METHOD_S256 = 'S256';
+
+    /**
+     * @var string PKCE method used to fetch authorization token.
+     * The PKCE code challenge will be sent as plain text, this is NOT recommended.
+     * Only use `plain` if no other option is possible.
+     */
+    const PKCE_METHOD_PLAIN = 'plain';
+
     /**
      * @var string
      */
@@ -78,6 +92,11 @@ abstract class AbstractProvider
      */
     protected $state;
 
+    /**
+     * @var string|null
+     */
+    protected $pkceCode = null;
+
     /**
      * @var GrantFactory
      */
@@ -264,6 +283,32 @@ abstract class AbstractProvider
         return $this->state;
     }
 
+    /**
+     * Set the value of the pkceCode parameter.
+     *
+     * When using PKCE this should be set before requesting an access token.
+     *
+     * @param string $pkceCode
+     * @return self
+     */
+    public function setPkceCode($pkceCode)
+    {
+        $this->pkceCode = $pkceCode;
+        return $this;
+    }
+
+    /**
+     * Returns the current value of the pkceCode parameter.
+     *
+     * This can be accessed by the redirect handler during authorization.
+     *
+     * @return string|null
+     */
+    public function getPkceCode()
+    {
+        return $this->pkceCode;
+    }
+
     /**
      * Returns the base URL for authorizing a client.
      *
@@ -305,6 +350,27 @@ abstract class AbstractProvider
         return bin2hex(random_bytes($length / 2));
     }
 
+    /**
+     * Returns a new random string to use as PKCE code_verifier and
+     * hashed as code_challenge parameters in an authorization flow.
+     * Must be between 43 and 128 characters long.
+     *
+     * @param  int $length Length of the random string to be generated.
+     * @return string
+     */
+    protected function getRandomPkceCode($length = 64)
+    {
+        return substr(
+            strtr(
+                base64_encode(random_bytes($length)),
+                '+/',
+                '-_'
+            ),
+            0,
+            $length
+        );
+    }
+
     /**
      * Returns the default scopes used by this provider.
      *
@@ -326,6 +392,14 @@ abstract class AbstractProvider
         return ',';
     }
 
+    /**
+     * @return string|null
+     */
+    protected function getPkceMethod()
+    {
+        return null;
+    }
+
     /**
      * Returns authorization parameters based on provided options.
      *
@@ -355,6 +429,26 @@ abstract class AbstractProvider
         // Store the state as it may need to be accessed later on.
         $this->state = $options['state'];
 
+        $pkceMethod = $this->getPkceMethod();
+        if (!empty($pkceMethod)) {
+            $this->pkceCode = $this->getRandomPkceCode();
+            if ($pkceMethod === static::PKCE_METHOD_S256) {
+                $options['code_challenge'] = trim(
+                    strtr(
+                        base64_encode(hash('sha256', $this->pkceCode, true)),
+                        '+/',
+                        '-_'
+                    ),
+                    '='
+                );
+            } elseif ($pkceMethod === static::PKCE_METHOD_PLAIN) {
+                $options['code_challenge'] = $this->pkceCode;
+            } else {
+                throw new InvalidArgumentException('Unknown PKCE method "' . $pkceMethod . '".');
+            }
+            $options['code_challenge_method'] = $pkceMethod;
+        }
+
         // Business code layer might set a different redirect_uri parameter
         // depending on the context, leave it as-is
         if (!isset($options['redirect_uri'])) {
@@ -517,8 +611,8 @@ abstract class AbstractProvider
     /**
      * Requests an access token using a specified grant and option set.
      *
-     * @param  mixed $grant
-     * @param  array $options
+     * @param  mixed                $grant
+     * @param  array<string, mixed> $options
      * @throws IdentityProviderException
      * @return AccessTokenInterface
      */
@@ -532,6 +626,10 @@ abstract class AbstractProvider
             'redirect_uri'  => $this->redirectUri,
         ];
 
+        if (!empty($this->pkceCode)) {
+            $params['code_verifier'] = $this->pkceCode;
+        }
+
         $params   = $grant->prepareRequestParameters($params, $options);
         $request  = $this->getAccessTokenRequest($params);
         $response = $this->getParsedResponse($request);
@@ -564,7 +662,7 @@ abstract class AbstractProvider
      *
      * @param  string $method
      * @param  string $url
-     * @param  AccessTokenInterface|string $token
+     * @param  AccessTokenInterface|string|null $token
      * @param  array $options Any of "headers", "body", and "protocolVersion".
      * @return RequestInterface
      */
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php
index 52b7e0353..55cb438fb 100644
--- a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php
@@ -27,7 +27,7 @@ class IdentityProviderException extends \Exception
     /**
      * @param string $message
      * @param int $code
-     * @param array|string $response The response body
+     * @param mixed $response The response body
      */
     public function __construct($message, $code, $response)
     {
@@ -39,7 +39,7 @@ class IdentityProviderException extends \Exception
     /**
      * Returns the exception's response body.
      *
-     * @return array|string
+     * @return mixed
      */
     public function getResponseBody()
     {
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php
index 74393ffda..0fc95f250 100644
--- a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php
+++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php
@@ -78,6 +78,11 @@ class GenericProvider extends AbstractProvider
      */
     private $responseResourceOwnerId = 'id';
 
+    /**
+     * @var string|null
+     */
+    private $pkceMethod = null;
+
     /**
      * @param array $options
      * @param array $collaborators
@@ -114,6 +119,7 @@ class GenericProvider extends AbstractProvider
             'responseCode',
             'responseResourceOwnerId',
             'scopes',
+            'pkceMethod',
         ]);
     }
 
@@ -205,6 +211,14 @@ class GenericProvider extends AbstractProvider
         return $this->scopeSeparator ?: parent::getScopeSeparator();
     }
 
+    /**
+     * @inheritdoc
+     */
+    protected function getPkceMethod()
+    {
+        return $this->pkceMethod ?: parent::getPkceMethod();
+    }
+
     /**
      * @inheritdoc
      */

From cee771a3fb0ab6f2c188b9d9a6ff51bfa65da328 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 13:31:40 +0200
Subject: [PATCH 042/378] [Web] update stevenmaguire/oauth2-keycloak and
 firebase/php-jwt

---
 data/web/inc/lib/composer.json                |   2 +-
 data/web/inc/lib/composer.lock                |  47 ++-
 .../inc/lib/vendor/composer/installed.json    |  49 ++-
 .../web/inc/lib/vendor/composer/installed.php |  16 +-
 .../lib/vendor/firebase/php-jwt/CHANGELOG.md  | 117 ++++++
 .../inc/lib/vendor/firebase/php-jwt/README.md | 330 ++++++++++-----
 .../lib/vendor/firebase/php-jwt/composer.json |  12 +-
 .../firebase/php-jwt/src/CachedKeySet.php     | 258 ++++++++++++
 .../lib/vendor/firebase/php-jwt/src/JWK.php   | 201 +++++++--
 .../lib/vendor/firebase/php-jwt/src/JWT.php   | 389 ++++++++++--------
 .../lib/vendor/firebase/php-jwt/src/Key.php   |  35 +-
 .../stevenmaguire/oauth2-keycloak/.travis.yml |   9 +-
 .../stevenmaguire/oauth2-keycloak/README.md   |   1 +
 .../oauth2-keycloak/composer.json             |  17 +-
 .../oauth2-keycloak/phpunit.xml.dist          |  45 +-
 .../test/src/Provider/KeycloakTest.php        | 124 ++++--
 16 files changed, 1203 insertions(+), 449 deletions(-)
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/firebase/php-jwt/src/CachedKeySet.php

diff --git a/data/web/inc/lib/composer.json b/data/web/inc/lib/composer.json
index c2fef5fb1..a803291f8 100644
--- a/data/web/inc/lib/composer.json
+++ b/data/web/inc/lib/composer.json
@@ -10,7 +10,7 @@
         "mustangostang/spyc": "^0.6.3",
         "directorytree/ldaprecord": "^2.4",
         "twig/twig": "^3.0",
-        "stevenmaguire/oauth2-keycloak": "^3.2",
+        "stevenmaguire/oauth2-keycloak": "^4.0",
         "league/oauth2-client": "^2.7"
     }
 }
diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index 349056afc..0d55230c4 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "ee35a2bf8c80a87b6825c3e86635f709",
+    "content-hash": "8f5a147cdb147b935a158b86f47a4747",
     "packages": [
         {
             "name": "bshaffer/oauth2-server-php",
@@ -218,25 +218,31 @@
         },
         {
             "name": "firebase/php-jwt",
-            "version": "v5.5.1",
+            "version": "v6.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/firebase/php-jwt.git",
-                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6"
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/83b609028194aa042ea33b5af2d41a7427de80e6",
-                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/e94e7353302b0c11ec3cfff7180cd0b1743975d2",
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2",
                 "shasum": ""
             },
             "require": {
-                "php": ">=5.3.0"
+                "php": "^7.4||^8.0"
             },
             "require-dev": {
-                "phpunit/phpunit": ">=4.8 <=9"
+                "guzzlehttp/guzzle": "^6.5||^7.4",
+                "phpspec/prophecy-phpunit": "^2.0",
+                "phpunit/phpunit": "^9.5",
+                "psr/cache": "^1.0||^2.0",
+                "psr/http-client": "^1.0",
+                "psr/http-factory": "^1.0"
             },
             "suggest": {
+                "ext-sodium": "Support EdDSA (Ed25519) signatures",
                 "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
             },
             "type": "library",
@@ -269,9 +275,9 @@
             ],
             "support": {
                 "issues": "https://github.com/firebase/php-jwt/issues",
-                "source": "https://github.com/firebase/php-jwt/tree/v5.5.1"
+                "source": "https://github.com/firebase/php-jwt/tree/v6.5.0"
             },
-            "time": "2021-11-08T20:18:51+00:00"
+            "time": "2023-05-12T15:47:07+00:00"
         },
         {
             "name": "guzzlehttp/guzzle",
@@ -1703,26 +1709,27 @@
         },
         {
             "name": "stevenmaguire/oauth2-keycloak",
-            "version": "3.2.0",
+            "version": "4.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/stevenmaguire/oauth2-keycloak.git",
-                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a"
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/34e4824f5fa26aa8e90f1258859c75570c12d27a",
-                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a",
+                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
                 "shasum": ""
             },
             "require": {
-                "firebase/php-jwt": "~4.0|~5.0",
-                "league/oauth2-client": "^2.0"
+                "firebase/php-jwt": "^4.0 || ^5.0 || ^6.0",
+                "league/oauth2-client": "^2.0",
+                "php": "~7.2 || ~8.0"
             },
             "require-dev": {
-                "mockery/mockery": "~0.9",
-                "phpunit/phpunit": "~4.0",
-                "squizlabs/php_codesniffer": "~2.0"
+                "mockery/mockery": "~1.5.0",
+                "phpunit/phpunit": "~9.6.4",
+                "squizlabs/php_codesniffer": "~3.7.0"
             },
             "type": "library",
             "extra": {
@@ -1757,9 +1764,9 @@
             ],
             "support": {
                 "issues": "https://github.com/stevenmaguire/oauth2-keycloak/issues",
-                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/3.2.0"
+                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/4.0.0"
             },
-            "time": "2022-12-16T12:46:38+00:00"
+            "time": "2023-03-14T09:43:47+00:00"
         },
         {
             "name": "symfony/deprecation-contracts",
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index ef7cac481..0b7725517 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -217,29 +217,35 @@
         },
         {
             "name": "firebase/php-jwt",
-            "version": "v5.5.1",
-            "version_normalized": "5.5.1.0",
+            "version": "v6.5.0",
+            "version_normalized": "6.5.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/firebase/php-jwt.git",
-                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6"
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/83b609028194aa042ea33b5af2d41a7427de80e6",
-                "reference": "83b609028194aa042ea33b5af2d41a7427de80e6",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/e94e7353302b0c11ec3cfff7180cd0b1743975d2",
+                "reference": "e94e7353302b0c11ec3cfff7180cd0b1743975d2",
                 "shasum": ""
             },
             "require": {
-                "php": ">=5.3.0"
+                "php": "^7.4||^8.0"
             },
             "require-dev": {
-                "phpunit/phpunit": ">=4.8 <=9"
+                "guzzlehttp/guzzle": "^6.5||^7.4",
+                "phpspec/prophecy-phpunit": "^2.0",
+                "phpunit/phpunit": "^9.5",
+                "psr/cache": "^1.0||^2.0",
+                "psr/http-client": "^1.0",
+                "psr/http-factory": "^1.0"
             },
             "suggest": {
+                "ext-sodium": "Support EdDSA (Ed25519) signatures",
                 "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
             },
-            "time": "2021-11-08T20:18:51+00:00",
+            "time": "2023-05-12T15:47:07+00:00",
             "type": "library",
             "installation-source": "dist",
             "autoload": {
@@ -271,7 +277,7 @@
             ],
             "support": {
                 "issues": "https://github.com/firebase/php-jwt/issues",
-                "source": "https://github.com/firebase/php-jwt/tree/v5.5.1"
+                "source": "https://github.com/firebase/php-jwt/tree/v6.5.0"
             },
             "install-path": "../firebase/php-jwt"
         },
@@ -1759,29 +1765,30 @@
         },
         {
             "name": "stevenmaguire/oauth2-keycloak",
-            "version": "3.2.0",
-            "version_normalized": "3.2.0.0",
+            "version": "4.0.0",
+            "version_normalized": "4.0.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/stevenmaguire/oauth2-keycloak.git",
-                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a"
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/34e4824f5fa26aa8e90f1258859c75570c12d27a",
-                "reference": "34e4824f5fa26aa8e90f1258859c75570c12d27a",
+                "url": "https://api.github.com/repos/stevenmaguire/oauth2-keycloak/zipball/05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
+                "reference": "05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d",
                 "shasum": ""
             },
             "require": {
-                "firebase/php-jwt": "~4.0|~5.0",
-                "league/oauth2-client": "^2.0"
+                "firebase/php-jwt": "^4.0 || ^5.0 || ^6.0",
+                "league/oauth2-client": "^2.0",
+                "php": "~7.2 || ~8.0"
             },
             "require-dev": {
-                "mockery/mockery": "~0.9",
-                "phpunit/phpunit": "~4.0",
-                "squizlabs/php_codesniffer": "~2.0"
+                "mockery/mockery": "~1.5.0",
+                "phpunit/phpunit": "~9.6.4",
+                "squizlabs/php_codesniffer": "~3.7.0"
             },
-            "time": "2022-12-16T12:46:38+00:00",
+            "time": "2023-03-14T09:43:47+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
@@ -1816,7 +1823,7 @@
             ],
             "support": {
                 "issues": "https://github.com/stevenmaguire/oauth2-keycloak/issues",
-                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/3.2.0"
+                "source": "https://github.com/stevenmaguire/oauth2-keycloak/tree/4.0.0"
             },
             "install-path": "../stevenmaguire/oauth2-keycloak"
         },
diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php
index a9737b061..d7cc77743 100644
--- a/data/web/inc/lib/vendor/composer/installed.php
+++ b/data/web/inc/lib/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '07edec4ea50b8eedae10c28eba0b4b2774df537e',
+        'reference' => '34e7b3f613661fe2b3c3eb1d316a63dfe111022e',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '07edec4ea50b8eedae10c28eba0b4b2774df537e',
+            'reference' => '34e7b3f613661fe2b3c3eb1d316a63dfe111022e',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -53,9 +53,9 @@
             ),
         ),
         'firebase/php-jwt' => array(
-            'pretty_version' => 'v5.5.1',
-            'version' => '5.5.1.0',
-            'reference' => '83b609028194aa042ea33b5af2d41a7427de80e6',
+            'pretty_version' => 'v6.5.0',
+            'version' => '6.5.0.0',
+            'reference' => 'e94e7353302b0c11ec3cfff7180cd0b1743975d2',
             'type' => 'library',
             'install_path' => __DIR__ . '/../firebase/php-jwt',
             'aliases' => array(),
@@ -275,9 +275,9 @@
             'dev_requirement' => false,
         ),
         'stevenmaguire/oauth2-keycloak' => array(
-            'pretty_version' => '3.2.0',
-            'version' => '3.2.0.0',
-            'reference' => '34e4824f5fa26aa8e90f1258859c75570c12d27a',
+            'pretty_version' => '4.0.0',
+            'version' => '4.0.0.0',
+            'reference' => '05ead6bb6bcd2b6f96dfae87c769dcd3e5f6129d',
             'type' => 'library',
             'install_path' => __DIR__ . '/../stevenmaguire/oauth2-keycloak',
             'aliases' => array(),
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/CHANGELOG.md b/data/web/inc/lib/vendor/firebase/php-jwt/CHANGELOG.md
new file mode 100644
index 000000000..35e97fe86
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/CHANGELOG.md
@@ -0,0 +1,117 @@
+# Changelog
+
+## [6.5.0](https://github.com/firebase/php-jwt/compare/v6.4.0...v6.5.0) (2023-05-12)
+
+
+### Bug Fixes
+
+* allow KID of '0' ([#505](https://github.com/firebase/php-jwt/issues/505)) ([9dc46a9](https://github.com/firebase/php-jwt/commit/9dc46a9c3e5801294249cfd2554c5363c9f9326a))
+
+
+### Miscellaneous Chores
+
+* drop support for PHP 7.3 ([#495](https://github.com/firebase/php-jwt/issues/495))
+
+## [6.4.0](https://github.com/firebase/php-jwt/compare/v6.3.2...v6.4.0) (2023-02-08)
+
+
+### Features
+
+* add support for W3C ES256K ([#462](https://github.com/firebase/php-jwt/issues/462)) ([213924f](https://github.com/firebase/php-jwt/commit/213924f51936291fbbca99158b11bd4ae56c2c95))
+* improve caching by only decoding jwks when necessary ([#486](https://github.com/firebase/php-jwt/issues/486)) ([78d3ed1](https://github.com/firebase/php-jwt/commit/78d3ed1073553f7d0bbffa6c2010009a0d483d5c))
+
+## [6.3.2](https://github.com/firebase/php-jwt/compare/v6.3.1...v6.3.2) (2022-11-01)
+
+
+### Bug Fixes
+
+* check kid before using as array index ([bad1b04](https://github.com/firebase/php-jwt/commit/bad1b040d0c736bbf86814c6b5ae614f517cf7bd))
+
+## [6.3.1](https://github.com/firebase/php-jwt/compare/v6.3.0...v6.3.1) (2022-11-01)
+
+
+### Bug Fixes
+
+* casing of GET for PSR compat ([#451](https://github.com/firebase/php-jwt/issues/451)) ([60b52b7](https://github.com/firebase/php-jwt/commit/60b52b71978790eafcf3b95cfbd83db0439e8d22))
+* string interpolation format for php 8.2 ([#446](https://github.com/firebase/php-jwt/issues/446)) ([2e07d8a](https://github.com/firebase/php-jwt/commit/2e07d8a1524d12b69b110ad649f17461d068b8f2))
+
+## 6.3.0 / 2022-07-15
+
+ - Added ES256 support to JWK parsing ([#399](https://github.com/firebase/php-jwt/pull/399))
+ - Fixed potential caching error in `CachedKeySet` by caching jwks as strings ([#435](https://github.com/firebase/php-jwt/pull/435))
+
+## 6.2.0 / 2022-05-14
+
+ - Added `CachedKeySet` ([#397](https://github.com/firebase/php-jwt/pull/397))
+ - Added `$defaultAlg` parameter to `JWT::parseKey` and `JWT::parseKeySet` ([#426](https://github.com/firebase/php-jwt/pull/426)).
+
+## 6.1.0 / 2022-03-23
+
+ - Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
+ - Add parameter typing and return types where possible
+
+## 6.0.0 / 2022-01-24
+
+ - **Backwards-Compatibility Breaking Changes**: See the [Release Notes](https://github.com/firebase/php-jwt/releases/tag/v6.0.0) for more information.
+ - New Key object to prevent key/algorithm type confusion (#365)
+ - Add JWK support (#273)
+ - Add ES256 support (#256)
+ - Add ES384 support (#324)
+ - Add Ed25519 support (#343)
+
+## 5.0.0 / 2017-06-26
+- Support RS384 and RS512.
+  See [#117](https://github.com/firebase/php-jwt/pull/117). Thanks [@joostfaassen](https://github.com/joostfaassen)!
+- Add an example for RS256 openssl.
+  See [#125](https://github.com/firebase/php-jwt/pull/125). Thanks [@akeeman](https://github.com/akeeman)!
+- Detect invalid Base64 encoding in signature.
+  See [#162](https://github.com/firebase/php-jwt/pull/162). Thanks [@psignoret](https://github.com/psignoret)!
+- Update `JWT::verify` to handle OpenSSL errors.
+  See [#159](https://github.com/firebase/php-jwt/pull/159). Thanks [@bshaffer](https://github.com/bshaffer)!
+- Add `array` type hinting to `decode` method
+  See [#101](https://github.com/firebase/php-jwt/pull/101). Thanks [@hywak](https://github.com/hywak)!
+- Add all JSON error types.
+  See [#110](https://github.com/firebase/php-jwt/pull/110). Thanks [@gbalduzzi](https://github.com/gbalduzzi)!
+- Bugfix 'kid' not in given key list.
+  See [#129](https://github.com/firebase/php-jwt/pull/129). Thanks [@stampycode](https://github.com/stampycode)!
+- Miscellaneous cleanup, documentation and test fixes.
+  See [#107](https://github.com/firebase/php-jwt/pull/107), [#115](https://github.com/firebase/php-jwt/pull/115),
+  [#160](https://github.com/firebase/php-jwt/pull/160), [#161](https://github.com/firebase/php-jwt/pull/161), and
+  [#165](https://github.com/firebase/php-jwt/pull/165). Thanks [@akeeman](https://github.com/akeeman),
+  [@chinedufn](https://github.com/chinedufn), and [@bshaffer](https://github.com/bshaffer)!
+
+## 4.0.0 / 2016-07-17
+- Add support for late static binding. See [#88](https://github.com/firebase/php-jwt/pull/88) for details. Thanks to [@chappy84](https://github.com/chappy84)!
+- Use static `$timestamp` instead of `time()` to improve unit testing. See [#93](https://github.com/firebase/php-jwt/pull/93) for details. Thanks to [@josephmcdermott](https://github.com/josephmcdermott)!
+- Fixes to exceptions classes. See [#81](https://github.com/firebase/php-jwt/pull/81) for details. Thanks to [@Maks3w](https://github.com/Maks3w)!
+- Fixes to PHPDoc. See [#76](https://github.com/firebase/php-jwt/pull/76) for details. Thanks to [@akeeman](https://github.com/akeeman)!
+
+## 3.0.0 / 2015-07-22
+- Minimum PHP version updated from `5.2.0` to `5.3.0`.
+- Add `\Firebase\JWT` namespace. See
+[#59](https://github.com/firebase/php-jwt/pull/59) for details. Thanks to
+[@Dashron](https://github.com/Dashron)!
+- Require a non-empty key to decode and verify a JWT. See
+[#60](https://github.com/firebase/php-jwt/pull/60) for details. Thanks to
+[@sjones608](https://github.com/sjones608)!
+- Cleaner documentation blocks in the code. See
+[#62](https://github.com/firebase/php-jwt/pull/62) for details. Thanks to
+[@johanderuijter](https://github.com/johanderuijter)!
+
+## 2.2.0 / 2015-06-22
+- Add support for adding custom, optional JWT headers to `JWT::encode()`. See
+[#53](https://github.com/firebase/php-jwt/pull/53/files) for details. Thanks to
+[@mcocaro](https://github.com/mcocaro)!
+
+## 2.1.0 / 2015-05-20
+- Add support for adding a leeway to `JWT:decode()` that accounts for clock skew
+between signing and verifying entities. Thanks to [@lcabral](https://github.com/lcabral)!
+- Add support for passing an object implementing the `ArrayAccess` interface for
+`$keys` argument in `JWT::decode()`. Thanks to [@aztech-dev](https://github.com/aztech-dev)!
+
+## 2.0.0 / 2015-04-01
+- **Note**: It is strongly recommended that you update to > v2.0.0 to address
+  known security vulnerabilities in prior versions when both symmetric and
+  asymmetric keys are used together.
+- Update signature for `JWT::decode(...)` to require an array of supported
+  algorithms to use when verifying token signatures.
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/README.md b/data/web/inc/lib/vendor/firebase/php-jwt/README.md
index 1d392cd12..f03826673 100644
--- a/data/web/inc/lib/vendor/firebase/php-jwt/README.md
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/README.md
@@ -1,4 +1,4 @@
-[![Build Status](https://travis-ci.org/firebase/php-jwt.png?branch=master)](https://travis-ci.org/firebase/php-jwt)
+![Build Status](https://github.com/firebase/php-jwt/actions/workflows/tests.yml/badge.svg)
 [![Latest Stable Version](https://poser.pugx.org/firebase/php-jwt/v/stable)](https://packagist.org/packages/firebase/php-jwt)
 [![Total Downloads](https://poser.pugx.org/firebase/php-jwt/downloads)](https://packagist.org/packages/firebase/php-jwt)
 [![License](https://poser.pugx.org/firebase/php-jwt/license)](https://packagist.org/packages/firebase/php-jwt)
@@ -29,13 +29,13 @@ Example
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
 
-$key = "example_key";
-$payload = array(
-    "iss" => "http://example.org",
-    "aud" => "http://example.com",
-    "iat" => 1356999524,
-    "nbf" => 1357000000
-);
+$key = 'example_key';
+$payload = [
+    'iss' => 'http://example.org',
+    'aud' => 'http://example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
 
 /**
  * IMPORTANT:
@@ -65,6 +65,40 @@ $decoded_array = (array) $decoded;
 JWT::$leeway = 60; // $leeway in seconds
 $decoded = JWT::decode($jwt, new Key($key, 'HS256'));
 ```
+Example encode/decode headers
+-------
+Decoding the JWT headers without verifying the JWT first is NOT recommended, and is not supported by
+this library. This is because without verifying the JWT, the header values could have been tampered with.
+Any value pulled from an unverified header should be treated as if it could be any string sent in from an
+attacker.  If this is something you still want to do in your application for whatever reason, it's possible to 
+decode the header values manually simply by calling `json_decode` and `base64_decode` on the JWT 
+header part:
+```php
+use Firebase\JWT\JWT;
+
+$key = 'example_key';
+$payload = [
+    'iss' => 'http://example.org',
+    'aud' => 'http://example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$headers = [
+    'x-forwarded-for' => 'www.google.com'
+];
+
+// Encode headers in the JWT string
+$jwt = JWT::encode($payload, $key, 'HS256', null, $headers);
+
+// Decode headers from the JWT string WITHOUT validation
+// **IMPORTANT**: This operation is vulnerable to attacks, as the JWT has not yet been verified.
+// These headers could be any value sent by an attacker.
+list($headersB64, $payloadB64, $sig) = explode('.', $jwt);
+$decoded = json_decode(base64_decode($headersB64), true);
+
+print_r($decoded);
+```
 Example with RS256 (openssl)
 ----------------------------
 ```php
@@ -73,37 +107,52 @@ use Firebase\JWT\Key;
 
 $privateKey = <<<EOD
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC8kGa1pSjbSYZVebtTRBLxBz5H4i2p/llLCrEeQhta5kaQu/Rn
-vuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t0tyazyZ8JXw+KgXTxldMPEL9
-5+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4ehde/zUxo6UvS7UrBQIDAQAB
-AoGAb/MXV46XxCFRxNuB8LyAtmLDgi/xRnTAlMHjSACddwkyKem8//8eZtw9fzxz
-bWZ/1/doQOuHBGYZU8aDzzj59FZ78dyzNFoF91hbvZKkg+6wGyd/LrGVEB+Xre0J
-Nil0GReM2AHDNZUYRv+HYJPIOrB0CRczLQsgFJ8K6aAD6F0CQQDzbpjYdx10qgK1
-cP59UHiHjPZYC0loEsk7s+hUmT3QHerAQJMZWC11Qrn2N+ybwwNblDKv+s5qgMQ5
-5tNoQ9IfAkEAxkyffU6ythpg/H0Ixe1I2rd0GbF05biIzO/i77Det3n4YsJVlDck
-ZkcvY3SK2iRIL4c9yY6hlIhs+K9wXTtGWwJBAO9Dskl48mO7woPR9uD22jDpNSwe
-k90OMepTjzSvlhjbfuPN1IdhqvSJTDychRwn1kIJ7LQZgQ8fVz9OCFZ/6qMCQGOb
-qaGwHmUK6xzpUbbacnYrIM6nLSkXgOAwv7XXCojvY614ILTK3iXiLBOxPu5Eu13k
-eUz9sHyD6vkgZzjtxXECQAkp4Xerf5TGfQXGXhxIX52yH+N2LtujCdkQZjXAsGdm
-B2zNzvrlgRmgBrklMTrMYgm1NPcW+bRLGcwgW2PTvNM=
+MIIEowIBAAKCAQEAuzWHNM5f+amCjQztc5QTfJfzCC5J4nuW+L/aOxZ4f8J3Frew
+M2c/dufrnmedsApb0By7WhaHlcqCh/ScAPyJhzkPYLae7bTVro3hok0zDITR8F6S
+JGL42JAEUk+ILkPI+DONM0+3vzk6Kvfe548tu4czCuqU8BGVOlnp6IqBHhAswNMM
+78pos/2z0CjPM4tbeXqSTTbNkXRboxjU29vSopcT51koWOgiTf3C7nJUoMWZHZI5
+HqnIhPAG9yv8HAgNk6CMk2CadVHDo4IxjxTzTTqo1SCSH2pooJl9O8at6kkRYsrZ
+WwsKlOFE2LUce7ObnXsYihStBUDoeBQlGG/BwQIDAQABAoIBAFtGaOqNKGwggn9k
+6yzr6GhZ6Wt2rh1Xpq8XUz514UBhPxD7dFRLpbzCrLVpzY80LbmVGJ9+1pJozyWc
+VKeCeUdNwbqkr240Oe7GTFmGjDoxU+5/HX/SJYPpC8JZ9oqgEA87iz+WQX9hVoP2
+oF6EB4ckDvXmk8FMwVZW2l2/kd5mrEVbDaXKxhvUDf52iVD+sGIlTif7mBgR99/b
+c3qiCnxCMmfYUnT2eh7Vv2LhCR/G9S6C3R4lA71rEyiU3KgsGfg0d82/XWXbegJW
+h3QbWNtQLxTuIvLq5aAryV3PfaHlPgdgK0ft6ocU2de2FagFka3nfVEyC7IUsNTK
+bq6nhAECgYEA7d/0DPOIaItl/8BWKyCuAHMss47j0wlGbBSHdJIiS55akMvnAG0M
+39y22Qqfzh1at9kBFeYeFIIU82ZLF3xOcE3z6pJZ4Dyvx4BYdXH77odo9uVK9s1l
+3T3BlMcqd1hvZLMS7dviyH79jZo4CXSHiKzc7pQ2YfK5eKxKqONeXuECgYEAyXlG
+vonaus/YTb1IBei9HwaccnQ/1HRn6MvfDjb7JJDIBhNClGPt6xRlzBbSZ73c2QEC
+6Fu9h36K/HZ2qcLd2bXiNyhIV7b6tVKk+0Psoj0dL9EbhsD1OsmE1nTPyAc9XZbb
+OPYxy+dpBCUA8/1U9+uiFoCa7mIbWcSQ+39gHuECgYAz82pQfct30aH4JiBrkNqP
+nJfRq05UY70uk5k1u0ikLTRoVS/hJu/d4E1Kv4hBMqYCavFSwAwnvHUo51lVCr/y
+xQOVYlsgnwBg2MX4+GjmIkqpSVCC8D7j/73MaWb746OIYZervQ8dbKahi2HbpsiG
+8AHcVSA/agxZr38qvWV54QKBgCD5TlDE8x18AuTGQ9FjxAAd7uD0kbXNz2vUYg9L
+hFL5tyL3aAAtUrUUw4xhd9IuysRhW/53dU+FsG2dXdJu6CxHjlyEpUJl2iZu/j15
+YnMzGWHIEX8+eWRDsw/+Ujtko/B7TinGcWPz3cYl4EAOiCeDUyXnqnO1btCEUU44
+DJ1BAoGBAJuPD27ErTSVtId90+M4zFPNibFP50KprVdc8CR37BE7r8vuGgNYXmnI
+RLnGP9p3pVgFCktORuYS2J/6t84I3+A17nEoB4xvhTLeAinAW/uTQOUmNicOP4Ek
+2MsLL2kHgL8bLTmvXV4FX+PXphrDKg1XxzOYn0otuoqdAQrkK4og
 -----END RSA PRIVATE KEY-----
 EOD;
 
 $publicKey = <<<EOD
 -----BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8kGa1pSjbSYZVebtTRBLxBz5H
-4i2p/llLCrEeQhta5kaQu/RnvuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t
-0tyazyZ8JXw+KgXTxldMPEL95+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4
-ehde/zUxo6UvS7UrBQIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzWHNM5f+amCjQztc5QT
+fJfzCC5J4nuW+L/aOxZ4f8J3FrewM2c/dufrnmedsApb0By7WhaHlcqCh/ScAPyJ
+hzkPYLae7bTVro3hok0zDITR8F6SJGL42JAEUk+ILkPI+DONM0+3vzk6Kvfe548t
+u4czCuqU8BGVOlnp6IqBHhAswNMM78pos/2z0CjPM4tbeXqSTTbNkXRboxjU29vS
+opcT51koWOgiTf3C7nJUoMWZHZI5HqnIhPAG9yv8HAgNk6CMk2CadVHDo4IxjxTz
+TTqo1SCSH2pooJl9O8at6kkRYsrZWwsKlOFE2LUce7ObnXsYihStBUDoeBQlGG/B
+wQIDAQAB
 -----END PUBLIC KEY-----
 EOD;
 
-$payload = array(
-    "iss" => "example.org",
-    "aud" => "example.com",
-    "iat" => 1356999524,
-    "nbf" => 1357000000
-);
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
 
 $jwt = JWT::encode($payload, $privateKey, 'RS256');
 echo "Encode:\n" . print_r($jwt, true) . "\n";
@@ -139,12 +188,12 @@ $privateKey = openssl_pkey_get_private(
     $passphrase
 );
 
-$payload = array(
-    "iss" => "example.org",
-    "aud" => "example.com",
-    "iat" => 1356999524,
-    "nbf" => 1357000000
-);
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
 
 $jwt = JWT::encode($payload, $privateKey, 'RS256');
 echo "Encode:\n" . print_r($jwt, true) . "\n";
@@ -173,12 +222,12 @@ $privateKey = base64_encode(sodium_crypto_sign_secretkey($keyPair));
 
 $publicKey = base64_encode(sodium_crypto_sign_publickey($keyPair));
 
-$payload = array(
-    "iss" => "example.org",
-    "aud" => "example.com",
-    "iat" => 1356999524,
-    "nbf" => 1357000000
-);
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
 
 $jwt = JWT::encode($payload, $privateKey, 'EdDSA');
 echo "Encode:\n" . print_r($jwt, true) . "\n";
@@ -187,6 +236,44 @@ $decoded = JWT::decode($jwt, new Key($publicKey, 'EdDSA'));
 echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
 ````
 
+Example with multiple keys
+--------------------------
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+
+// Example RSA keys from previous example
+// $privateKey1 = '...';
+// $publicKey1 = '...';
+
+// Example EdDSA keys from previous example
+// $privateKey2 = '...';
+// $publicKey2 = '...';
+
+$payload = [
+    'iss' => 'example.org',
+    'aud' => 'example.com',
+    'iat' => 1356999524,
+    'nbf' => 1357000000
+];
+
+$jwt1 = JWT::encode($payload, $privateKey1, 'RS256', 'kid1');
+$jwt2 = JWT::encode($payload, $privateKey2, 'EdDSA', 'kid2');
+echo "Encode 1:\n" . print_r($jwt1, true) . "\n";
+echo "Encode 2:\n" . print_r($jwt2, true) . "\n";
+
+$keys = [
+    'kid1' => new Key($publicKey1, 'RS256'),
+    'kid2' => new Key($publicKey2, 'EdDSA'),
+];
+
+$decoded1 = JWT::decode($jwt1, $keys);
+$decoded2 = JWT::decode($jwt2, $keys);
+
+echo "Decode 1:\n" . print_r((array) $decoded1, true) . "\n";
+echo "Decode 2:\n" . print_r((array) $decoded2, true) . "\n";
+```
+
 Using JWKs
 ----------
 
@@ -198,72 +285,115 @@ use Firebase\JWT\JWT;
 // this endpoint: https://www.gstatic.com/iap/verify/public_key-jwk
 $jwks = ['keys' => []];
 
-// JWK::parseKeySet($jwks) returns an associative array of **kid** to private
-// key. Pass this as the second parameter to JWT::decode.
-// NOTE: The deprecated $supportedAlgorithm must be supplied when parsing from JWK.
-JWT::decode($payload, JWK::parseKeySet($jwks), $supportedAlgorithm);
+// JWK::parseKeySet($jwks) returns an associative array of **kid** to Firebase\JWT\Key
+// objects. Pass this as the second parameter to JWT::decode.
+JWT::decode($payload, JWK::parseKeySet($jwks));
 ```
 
-Changelog
----------
+Using Cached Key Sets
+---------------------
 
-#### 5.0.0 / 2017-06-26
-- Support RS384 and RS512.
-  See [#117](https://github.com/firebase/php-jwt/pull/117). Thanks [@joostfaassen](https://github.com/joostfaassen)!
-- Add an example for RS256 openssl.
-  See [#125](https://github.com/firebase/php-jwt/pull/125). Thanks [@akeeman](https://github.com/akeeman)!
-- Detect invalid Base64 encoding in signature.
-  See [#162](https://github.com/firebase/php-jwt/pull/162). Thanks [@psignoret](https://github.com/psignoret)!
-- Update `JWT::verify` to handle OpenSSL errors.
-  See [#159](https://github.com/firebase/php-jwt/pull/159). Thanks [@bshaffer](https://github.com/bshaffer)!
-- Add `array` type hinting to `decode` method
-  See [#101](https://github.com/firebase/php-jwt/pull/101). Thanks [@hywak](https://github.com/hywak)!
-- Add all JSON error types.
-  See [#110](https://github.com/firebase/php-jwt/pull/110). Thanks [@gbalduzzi](https://github.com/gbalduzzi)!
-- Bugfix 'kid' not in given key list.
-  See [#129](https://github.com/firebase/php-jwt/pull/129). Thanks [@stampycode](https://github.com/stampycode)!
-- Miscellaneous cleanup, documentation and test fixes.
-  See [#107](https://github.com/firebase/php-jwt/pull/107), [#115](https://github.com/firebase/php-jwt/pull/115),
-  [#160](https://github.com/firebase/php-jwt/pull/160), [#161](https://github.com/firebase/php-jwt/pull/161), and
-  [#165](https://github.com/firebase/php-jwt/pull/165). Thanks [@akeeman](https://github.com/akeeman),
-  [@chinedufn](https://github.com/chinedufn), and [@bshaffer](https://github.com/bshaffer)!
+The `CachedKeySet` class can be used to fetch and cache JWKS (JSON Web Key Sets) from a public URI.
+This has the following advantages:
 
-#### 4.0.0 / 2016-07-17
-- Add support for late static binding. See [#88](https://github.com/firebase/php-jwt/pull/88) for details. Thanks to [@chappy84](https://github.com/chappy84)!
-- Use static `$timestamp` instead of `time()` to improve unit testing. See [#93](https://github.com/firebase/php-jwt/pull/93) for details. Thanks to [@josephmcdermott](https://github.com/josephmcdermott)!
-- Fixes to exceptions classes. See [#81](https://github.com/firebase/php-jwt/pull/81) for details. Thanks to [@Maks3w](https://github.com/Maks3w)!
-- Fixes to PHPDoc. See [#76](https://github.com/firebase/php-jwt/pull/76) for details. Thanks to [@akeeman](https://github.com/akeeman)!
+1. The results are cached for performance.
+2. If an unrecognized key is requested, the cache is refreshed, to accomodate for key rotation.
+3. If rate limiting is enabled, the JWKS URI will not make more than 10 requests a second.
 
-#### 3.0.0 / 2015-07-22
-- Minimum PHP version updated from `5.2.0` to `5.3.0`.
-- Add `\Firebase\JWT` namespace. See
-[#59](https://github.com/firebase/php-jwt/pull/59) for details. Thanks to
-[@Dashron](https://github.com/Dashron)!
-- Require a non-empty key to decode and verify a JWT. See
-[#60](https://github.com/firebase/php-jwt/pull/60) for details. Thanks to
-[@sjones608](https://github.com/sjones608)!
-- Cleaner documentation blocks in the code. See
-[#62](https://github.com/firebase/php-jwt/pull/62) for details. Thanks to
-[@johanderuijter](https://github.com/johanderuijter)!
+```php
+use Firebase\JWT\CachedKeySet;
+use Firebase\JWT\JWT;
 
-#### 2.2.0 / 2015-06-22
-- Add support for adding custom, optional JWT headers to `JWT::encode()`. See
-[#53](https://github.com/firebase/php-jwt/pull/53/files) for details. Thanks to
-[@mcocaro](https://github.com/mcocaro)!
+// The URI for the JWKS you wish to cache the results from
+$jwksUri = 'https://www.gstatic.com/iap/verify/public_key-jwk';
 
-#### 2.1.0 / 2015-05-20
-- Add support for adding a leeway to `JWT:decode()` that accounts for clock skew
-between signing and verifying entities. Thanks to [@lcabral](https://github.com/lcabral)!
-- Add support for passing an object implementing the `ArrayAccess` interface for
-`$keys` argument in `JWT::decode()`. Thanks to [@aztech-dev](https://github.com/aztech-dev)!
+// Create an HTTP client (can be any PSR-7 compatible HTTP client)
+$httpClient = new GuzzleHttp\Client();
 
-#### 2.0.0 / 2015-04-01
-- **Note**: It is strongly recommended that you update to > v2.0.0 to address
-  known security vulnerabilities in prior versions when both symmetric and
-  asymmetric keys are used together.
-- Update signature for `JWT::decode(...)` to require an array of supported
-  algorithms to use when verifying token signatures.
+// Create an HTTP request factory (can be any PSR-17 compatible HTTP request factory)
+$httpFactory = new GuzzleHttp\Psr\HttpFactory();
 
+// Create a cache item pool (can be any PSR-6 compatible cache item pool)
+$cacheItemPool = Phpfastcache\CacheManager::getInstance('files');
+
+$keySet = new CachedKeySet(
+    $jwksUri,
+    $httpClient,
+    $httpFactory,
+    $cacheItemPool,
+    null, // $expiresAfter int seconds to set the JWKS to expire
+    true  // $rateLimit    true to enable rate limit of 10 RPS on lookup of invalid keys
+);
+
+$jwt = 'eyJhbGci...'; // Some JWT signed by a key from the $jwkUri above
+$decoded = JWT::decode($jwt, $keySet);
+```
+
+Miscellaneous
+-------------
+
+#### Exception Handling
+
+When a call to `JWT::decode` is invalid, it will throw one of the following exceptions:
+
+```php
+use Firebase\JWT\JWT;
+use Firebase\JWT\SignatureInvalidException;
+use Firebase\JWT\BeforeValidException;
+use Firebase\JWT\ExpiredException;
+use DomainException;
+use InvalidArgumentException;
+use UnexpectedValueException;
+
+try {
+    $decoded = JWT::decode($payload, $keys);
+} catch (InvalidArgumentException $e) {
+    // provided key/key-array is empty or malformed.
+} catch (DomainException $e) {
+    // provided algorithm is unsupported OR
+    // provided key is invalid OR
+    // unknown error thrown in openSSL or libsodium OR
+    // libsodium is required but not available.
+} catch (SignatureInvalidException $e) {
+    // provided JWT signature verification failed.
+} catch (BeforeValidException $e) {
+    // provided JWT is trying to be used before "nbf" claim OR
+    // provided JWT is trying to be used before "iat" claim.
+} catch (ExpiredException $e) {
+    // provided JWT is trying to be used after "exp" claim.
+} catch (UnexpectedValueException $e) {
+    // provided JWT is malformed OR
+    // provided JWT is missing an algorithm / using an unsupported algorithm OR
+    // provided JWT algorithm does not match provided key OR
+    // provided key ID in key/key-array is empty or invalid.
+}
+```
+
+All exceptions in the `Firebase\JWT` namespace extend `UnexpectedValueException`, and can be simplified
+like this:
+
+```php
+try {
+    $decoded = JWT::decode($payload, $keys);
+} catch (LogicException $e) {
+    // errors having to do with environmental setup or malformed JWT Keys
+} catch (UnexpectedValueException $e) {
+    // errors having to do with JWT signature and claims
+}
+```
+
+#### Casting to array
+
+The return value of `JWT::decode` is the generic PHP object `stdClass`. If you'd like to handle with arrays
+instead, you can do the following:
+
+```php
+// return type is stdClass
+$decoded = JWT::decode($payload, $keys);
+
+// cast to array
+$decoded = json_decode(json_encode($decoded), true);
+```
 
 Tests
 -----
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/composer.json b/data/web/inc/lib/vendor/firebase/php-jwt/composer.json
index 6146e2dcc..e23dfe378 100644
--- a/data/web/inc/lib/vendor/firebase/php-jwt/composer.json
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/composer.json
@@ -20,10 +20,11 @@
     ],
     "license": "BSD-3-Clause",
     "require": {
-        "php": ">=5.3.0"
+        "php": "^7.4||^8.0"
     },
     "suggest": {
-        "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
+        "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present",
+        "ext-sodium": "Support EdDSA (Ed25519) signatures"
     },
     "autoload": {
         "psr-4": {
@@ -31,6 +32,11 @@
         }
     },
     "require-dev": {
-        "phpunit/phpunit": ">=4.8 <=9"
+        "guzzlehttp/guzzle": "^6.5||^7.4",
+        "phpspec/prophecy-phpunit": "^2.0",
+        "phpunit/phpunit": "^9.5",
+        "psr/cache": "^1.0||^2.0",
+        "psr/http-client": "^1.0",
+        "psr/http-factory": "^1.0"
     }
 }
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/CachedKeySet.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/CachedKeySet.php
new file mode 100644
index 000000000..baf801f13
--- /dev/null
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/CachedKeySet.php
@@ -0,0 +1,258 @@
+<?php
+
+namespace Firebase\JWT;
+
+use ArrayAccess;
+use InvalidArgumentException;
+use LogicException;
+use OutOfBoundsException;
+use Psr\Cache\CacheItemInterface;
+use Psr\Cache\CacheItemPoolInterface;
+use Psr\Http\Client\ClientInterface;
+use Psr\Http\Message\RequestFactoryInterface;
+use RuntimeException;
+use UnexpectedValueException;
+
+/**
+ * @implements ArrayAccess<string, Key>
+ */
+class CachedKeySet implements ArrayAccess
+{
+    /**
+     * @var string
+     */
+    private $jwksUri;
+    /**
+     * @var ClientInterface
+     */
+    private $httpClient;
+    /**
+     * @var RequestFactoryInterface
+     */
+    private $httpFactory;
+    /**
+     * @var CacheItemPoolInterface
+     */
+    private $cache;
+    /**
+     * @var ?int
+     */
+    private $expiresAfter;
+    /**
+     * @var ?CacheItemInterface
+     */
+    private $cacheItem;
+    /**
+     * @var array<string, array<mixed>>
+     */
+    private $keySet;
+    /**
+     * @var string
+     */
+    private $cacheKey;
+    /**
+     * @var string
+     */
+    private $cacheKeyPrefix = 'jwks';
+    /**
+     * @var int
+     */
+    private $maxKeyLength = 64;
+    /**
+     * @var bool
+     */
+    private $rateLimit;
+    /**
+     * @var string
+     */
+    private $rateLimitCacheKey;
+    /**
+     * @var int
+     */
+    private $maxCallsPerMinute = 10;
+    /**
+     * @var string|null
+     */
+    private $defaultAlg;
+
+    public function __construct(
+        string $jwksUri,
+        ClientInterface $httpClient,
+        RequestFactoryInterface $httpFactory,
+        CacheItemPoolInterface $cache,
+        int $expiresAfter = null,
+        bool $rateLimit = false,
+        string $defaultAlg = null
+    ) {
+        $this->jwksUri = $jwksUri;
+        $this->httpClient = $httpClient;
+        $this->httpFactory = $httpFactory;
+        $this->cache = $cache;
+        $this->expiresAfter = $expiresAfter;
+        $this->rateLimit = $rateLimit;
+        $this->defaultAlg = $defaultAlg;
+        $this->setCacheKeys();
+    }
+
+    /**
+     * @param string $keyId
+     * @return Key
+     */
+    public function offsetGet($keyId): Key
+    {
+        if (!$this->keyIdExists($keyId)) {
+            throw new OutOfBoundsException('Key ID not found');
+        }
+        return JWK::parseKey($this->keySet[$keyId], $this->defaultAlg);
+    }
+
+    /**
+     * @param string $keyId
+     * @return bool
+     */
+    public function offsetExists($keyId): bool
+    {
+        return $this->keyIdExists($keyId);
+    }
+
+    /**
+     * @param string $offset
+     * @param Key $value
+     */
+    public function offsetSet($offset, $value): void
+    {
+        throw new LogicException('Method not implemented');
+    }
+
+    /**
+     * @param string $offset
+     */
+    public function offsetUnset($offset): void
+    {
+        throw new LogicException('Method not implemented');
+    }
+
+    /**
+     * @return array<mixed>
+     */
+    private function formatJwksForCache(string $jwks): array
+    {
+        $jwks = json_decode($jwks, true);
+
+        if (!isset($jwks['keys'])) {
+            throw new UnexpectedValueException('"keys" member must exist in the JWK Set');
+        }
+
+        if (empty($jwks['keys'])) {
+            throw new InvalidArgumentException('JWK Set did not contain any keys');
+        }
+
+        $keys = [];
+        foreach ($jwks['keys'] as $k => $v) {
+            $kid = isset($v['kid']) ? $v['kid'] : $k;
+            $keys[(string) $kid] = $v;
+        }
+
+        return $keys;
+    }
+
+    private function keyIdExists(string $keyId): bool
+    {
+        if (null === $this->keySet) {
+            $item = $this->getCacheItem();
+            // Try to load keys from cache
+            if ($item->isHit()) {
+                // item found! retrieve it
+                $this->keySet = $item->get();
+                // If the cached item is a string, the JWKS response was cached (previous behavior).
+                // Parse this into expected format array<kid, jwk> instead.
+                if (\is_string($this->keySet)) {
+                    $this->keySet = $this->formatJwksForCache($this->keySet);
+                }
+            }
+        }
+
+        if (!isset($this->keySet[$keyId])) {
+            if ($this->rateLimitExceeded()) {
+                return false;
+            }
+            $request = $this->httpFactory->createRequest('GET', $this->jwksUri);
+            $jwksResponse = $this->httpClient->sendRequest($request);
+            $this->keySet = $this->formatJwksForCache((string) $jwksResponse->getBody());
+
+            if (!isset($this->keySet[$keyId])) {
+                return false;
+            }
+
+            $item = $this->getCacheItem();
+            $item->set($this->keySet);
+            if ($this->expiresAfter) {
+                $item->expiresAfter($this->expiresAfter);
+            }
+            $this->cache->save($item);
+        }
+
+        return true;
+    }
+
+    private function rateLimitExceeded(): bool
+    {
+        if (!$this->rateLimit) {
+            return false;
+        }
+
+        $cacheItem = $this->cache->getItem($this->rateLimitCacheKey);
+        if (!$cacheItem->isHit()) {
+            $cacheItem->expiresAfter(1); // # of calls are cached each minute
+        }
+
+        $callsPerMinute = (int) $cacheItem->get();
+        if (++$callsPerMinute > $this->maxCallsPerMinute) {
+            return true;
+        }
+        $cacheItem->set($callsPerMinute);
+        $this->cache->save($cacheItem);
+        return false;
+    }
+
+    private function getCacheItem(): CacheItemInterface
+    {
+        if (\is_null($this->cacheItem)) {
+            $this->cacheItem = $this->cache->getItem($this->cacheKey);
+        }
+
+        return $this->cacheItem;
+    }
+
+    private function setCacheKeys(): void
+    {
+        if (empty($this->jwksUri)) {
+            throw new RuntimeException('JWKS URI is empty');
+        }
+
+        // ensure we do not have illegal characters
+        $key = preg_replace('|[^a-zA-Z0-9_\.!]|', '', $this->jwksUri);
+
+        // add prefix
+        $key = $this->cacheKeyPrefix . $key;
+
+        // Hash keys if they exceed $maxKeyLength of 64
+        if (\strlen($key) > $this->maxKeyLength) {
+            $key = substr(hash('sha256', $key), 0, $this->maxKeyLength);
+        }
+
+        $this->cacheKey = $key;
+
+        if ($this->rateLimit) {
+            // add prefix
+            $rateLimitKey = $this->cacheKeyPrefix . 'ratelimit' . $key;
+
+            // Hash keys if they exceed $maxKeyLength of 64
+            if (\strlen($rateLimitKey) > $this->maxKeyLength) {
+                $rateLimitKey = substr(hash('sha256', $rateLimitKey), 0, $this->maxKeyLength);
+            }
+
+            $this->rateLimitCacheKey = $rateLimitKey;
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php
index 981a9ba7f..c7eff8ae4 100644
--- a/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWK.php
@@ -20,12 +20,25 @@ use UnexpectedValueException;
  */
 class JWK
 {
+    private const OID = '1.2.840.10045.2.1';
+    private const ASN1_OBJECT_IDENTIFIER = 0x06;
+    private const ASN1_SEQUENCE = 0x10; // also defined in JWT
+    private const ASN1_BIT_STRING = 0x03;
+    private const EC_CURVES = [
+        'P-256' => '1.2.840.10045.3.1.7', // Len: 64
+        'secp256k1' => '1.3.132.0.10', // Len: 64
+        // 'P-384' => '1.3.132.0.34', // Len: 96 (not yet supported)
+        // 'P-521' => '1.3.132.0.35', // Len: 132 (not supported)
+    ];
+
     /**
      * Parse a set of JWK keys
      *
-     * @param array $jwks The JSON Web Key Set as an associative array
+     * @param array<mixed> $jwks The JSON Web Key Set as an associative array
+     * @param string       $defaultAlg The algorithm for the Key object if "alg" is not set in the
+     *                                 JSON Web Key Set
      *
-     * @return array An associative array that represents the set of keys
+     * @return array<string, Key> An associative array of key IDs (kid) to Key objects
      *
      * @throws InvalidArgumentException     Provided JWK Set is empty
      * @throws UnexpectedValueException     Provided JWK Set was invalid
@@ -33,21 +46,22 @@ class JWK
      *
      * @uses parseKey
      */
-    public static function parseKeySet(array $jwks)
+    public static function parseKeySet(array $jwks, string $defaultAlg = null): array
     {
-        $keys = array();
+        $keys = [];
 
         if (!isset($jwks['keys'])) {
             throw new UnexpectedValueException('"keys" member must exist in the JWK Set');
         }
+
         if (empty($jwks['keys'])) {
             throw new InvalidArgumentException('JWK Set did not contain any keys');
         }
 
         foreach ($jwks['keys'] as $k => $v) {
             $kid = isset($v['kid']) ? $v['kid'] : $k;
-            if ($key = self::parseKey($v)) {
-                $keys[$kid] = $key;
+            if ($key = self::parseKey($v, $defaultAlg)) {
+                $keys[(string) $kid] = $key;
             }
         }
 
@@ -61,9 +75,11 @@ class JWK
     /**
      * Parse a JWK key
      *
-     * @param array $jwk An individual JWK
+     * @param array<mixed> $jwk An individual JWK
+     * @param string       $defaultAlg The algorithm for the Key object if "alg" is not set in the
+     *                                 JSON Web Key Set
      *
-     * @return resource|array An associative array that represents the key
+     * @return Key The key object for the JWK
      *
      * @throws InvalidArgumentException     Provided JWK is empty
      * @throws UnexpectedValueException     Provided JWK was invalid
@@ -71,15 +87,27 @@ class JWK
      *
      * @uses createPemFromModulusAndExponent
      */
-    public static function parseKey(array $jwk)
+    public static function parseKey(array $jwk, string $defaultAlg = null): ?Key
     {
         if (empty($jwk)) {
             throw new InvalidArgumentException('JWK must not be empty');
         }
+
         if (!isset($jwk['kty'])) {
             throw new UnexpectedValueException('JWK must contain a "kty" parameter');
         }
 
+        if (!isset($jwk['alg'])) {
+            if (\is_null($defaultAlg)) {
+                // The "alg" parameter is optional in a KTY, but an algorithm is required
+                // for parsing in this library. Use the $defaultAlg parameter when parsing the
+                // key set in order to prevent this error.
+                // @see https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
+                throw new UnexpectedValueException('JWK must contain an "alg" parameter');
+            }
+            $jwk['alg'] = $defaultAlg;
+        }
+
         switch ($jwk['kty']) {
             case 'RSA':
                 if (!empty($jwk['d'])) {
@@ -96,11 +124,72 @@ class JWK
                         'OpenSSL error: ' . \openssl_error_string()
                     );
                 }
-                return $publicKey;
+                return new Key($publicKey, $jwk['alg']);
+            case 'EC':
+                if (isset($jwk['d'])) {
+                    // The key is actually a private key
+                    throw new UnexpectedValueException('Key data must be for a public key');
+                }
+
+                if (empty($jwk['crv'])) {
+                    throw new UnexpectedValueException('crv not set');
+                }
+
+                if (!isset(self::EC_CURVES[$jwk['crv']])) {
+                    throw new DomainException('Unrecognised or unsupported EC curve');
+                }
+
+                if (empty($jwk['x']) || empty($jwk['y'])) {
+                    throw new UnexpectedValueException('x and y not set');
+                }
+
+                $publicKey = self::createPemFromCrvAndXYCoordinates($jwk['crv'], $jwk['x'], $jwk['y']);
+                return new Key($publicKey, $jwk['alg']);
             default:
                 // Currently only RSA is supported
                 break;
         }
+
+        return null;
+    }
+
+    /**
+     * Converts the EC JWK values to pem format.
+     *
+     * @param   string  $crv The EC curve (only P-256 is supported)
+     * @param   string  $x   The EC x-coordinate
+     * @param   string  $y   The EC y-coordinate
+     *
+     * @return  string
+     */
+    private static function createPemFromCrvAndXYCoordinates(string $crv, string $x, string $y): string
+    {
+        $pem =
+            self::encodeDER(
+                self::ASN1_SEQUENCE,
+                self::encodeDER(
+                    self::ASN1_SEQUENCE,
+                    self::encodeDER(
+                        self::ASN1_OBJECT_IDENTIFIER,
+                        self::encodeOID(self::OID)
+                    )
+                    . self::encodeDER(
+                        self::ASN1_OBJECT_IDENTIFIER,
+                        self::encodeOID(self::EC_CURVES[$crv])
+                    )
+                ) .
+                self::encodeDER(
+                    self::ASN1_BIT_STRING,
+                    \chr(0x00) . \chr(0x04)
+                    . JWT::urlsafeB64Decode($x)
+                    . JWT::urlsafeB64Decode($y)
+                )
+            );
+
+        return sprintf(
+            "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n",
+            wordwrap(base64_encode($pem), 64, "\n", true)
+        );
     }
 
     /**
@@ -113,22 +202,22 @@ class JWK
      *
      * @uses encodeLength
      */
-    private static function createPemFromModulusAndExponent($n, $e)
-    {
-        $modulus = JWT::urlsafeB64Decode($n);
-        $publicExponent = JWT::urlsafeB64Decode($e);
+    private static function createPemFromModulusAndExponent(
+        string $n,
+        string $e
+    ): string {
+        $mod = JWT::urlsafeB64Decode($n);
+        $exp = JWT::urlsafeB64Decode($e);
 
-        $components = array(
-            'modulus' => \pack('Ca*a*', 2, self::encodeLength(\strlen($modulus)), $modulus),
-            'publicExponent' => \pack('Ca*a*', 2, self::encodeLength(\strlen($publicExponent)), $publicExponent)
-        );
+        $modulus = \pack('Ca*a*', 2, self::encodeLength(\strlen($mod)), $mod);
+        $publicExponent = \pack('Ca*a*', 2, self::encodeLength(\strlen($exp)), $exp);
 
         $rsaPublicKey = \pack(
             'Ca*a*a*',
             48,
-            self::encodeLength(\strlen($components['modulus']) + \strlen($components['publicExponent'])),
-            $components['modulus'],
-            $components['publicExponent']
+            self::encodeLength(\strlen($modulus) + \strlen($publicExponent)),
+            $modulus,
+            $publicExponent
         );
 
         // sequence(oid(1.2.840.113549.1.1.1), null)) = rsaEncryption.
@@ -143,11 +232,9 @@ class JWK
             $rsaOID . $rsaPublicKey
         );
 
-        $rsaPublicKey = "-----BEGIN PUBLIC KEY-----\r\n" .
+        return "-----BEGIN PUBLIC KEY-----\r\n" .
             \chunk_split(\base64_encode($rsaPublicKey), 64) .
             '-----END PUBLIC KEY-----';
-
-        return $rsaPublicKey;
     }
 
     /**
@@ -159,7 +246,7 @@ class JWK
      * @param int $length
      * @return string
      */
-    private static function encodeLength($length)
+    private static function encodeLength(int $length): string
     {
         if ($length <= 0x7F) {
             return \chr($length);
@@ -169,4 +256,68 @@ class JWK
 
         return \pack('Ca*', 0x80 | \strlen($temp), $temp);
     }
+
+    /**
+     * Encodes a value into a DER object.
+     * Also defined in Firebase\JWT\JWT
+     *
+     * @param   int     $type DER tag
+     * @param   string  $value the value to encode
+     * @return  string  the encoded object
+     */
+    private static function encodeDER(int $type, string $value): string
+    {
+        $tag_header = 0;
+        if ($type === self::ASN1_SEQUENCE) {
+            $tag_header |= 0x20;
+        }
+
+        // Type
+        $der = \chr($tag_header | $type);
+
+        // Length
+        $der .= \chr(\strlen($value));
+
+        return $der . $value;
+    }
+
+    /**
+     * Encodes a string into a DER-encoded OID.
+     *
+     * @param   string $oid the OID string
+     * @return  string the binary DER-encoded OID
+     */
+    private static function encodeOID(string $oid): string
+    {
+        $octets = explode('.', $oid);
+
+        // Get the first octet
+        $first = (int) array_shift($octets);
+        $second = (int) array_shift($octets);
+        $oid = \chr($first * 40 + $second);
+
+        // Iterate over subsequent octets
+        foreach ($octets as $octet) {
+            if ($octet == 0) {
+                $oid .= \chr(0x00);
+                continue;
+            }
+            $bin = '';
+
+            while ($octet) {
+                $bin .= \chr(0x80 | ($octet & 0x7f));
+                $octet >>= 7;
+            }
+            $bin[0] = $bin[0] & \chr(0x7f);
+
+            // Convert to big endian if necessary
+            if (pack('V', 65534) == pack('L', 65534)) {
+                $oid .= strrev($bin);
+            } else {
+                $oid .= $bin;
+            }
+        }
+
+        return $oid;
+    }
 }
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php
index ec1641bc4..c83ff0990 100644
--- a/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/JWT.php
@@ -3,12 +3,14 @@
 namespace Firebase\JWT;
 
 use ArrayAccess;
+use DateTime;
 use DomainException;
 use Exception;
 use InvalidArgumentException;
 use OpenSSLAsymmetricKey;
+use OpenSSLCertificate;
+use stdClass;
 use UnexpectedValueException;
-use DateTime;
 
 /**
  * JSON Web Token implementation, based on this spec:
@@ -25,52 +27,62 @@ use DateTime;
  */
 class JWT
 {
-    const ASN1_INTEGER = 0x02;
-    const ASN1_SEQUENCE = 0x10;
-    const ASN1_BIT_STRING = 0x03;
+    private const ASN1_INTEGER = 0x02;
+    private const ASN1_SEQUENCE = 0x10;
+    private const ASN1_BIT_STRING = 0x03;
 
     /**
      * When checking nbf, iat or expiration times,
      * we want to provide some extra leeway time to
      * account for clock skew.
+     *
+     * @var int
      */
     public static $leeway = 0;
 
     /**
      * Allow the current timestamp to be specified.
      * Useful for fixing a value within unit testing.
-     *
      * Will default to PHP time() value if null.
+     *
+     * @var ?int
      */
     public static $timestamp = null;
 
-    public static $supported_algs = array(
-        'ES384' => array('openssl', 'SHA384'),
-        'ES256' => array('openssl', 'SHA256'),
-        'HS256' => array('hash_hmac', 'SHA256'),
-        'HS384' => array('hash_hmac', 'SHA384'),
-        'HS512' => array('hash_hmac', 'SHA512'),
-        'RS256' => array('openssl', 'SHA256'),
-        'RS384' => array('openssl', 'SHA384'),
-        'RS512' => array('openssl', 'SHA512'),
-        'EdDSA' => array('sodium_crypto', 'EdDSA'),
-    );
+    /**
+     * @var array<string, string[]>
+     */
+    public static $supported_algs = [
+        'ES384' => ['openssl', 'SHA384'],
+        'ES256' => ['openssl', 'SHA256'],
+        'ES256K' => ['openssl', 'SHA256'],
+        'HS256' => ['hash_hmac', 'SHA256'],
+        'HS384' => ['hash_hmac', 'SHA384'],
+        'HS512' => ['hash_hmac', 'SHA512'],
+        'RS256' => ['openssl', 'SHA256'],
+        'RS384' => ['openssl', 'SHA384'],
+        'RS512' => ['openssl', 'SHA512'],
+        'EdDSA' => ['sodium_crypto', 'EdDSA'],
+    ];
 
     /**
      * Decodes a JWT string into a PHP object.
      *
-     * @param string                    $jwt            The JWT
-     * @param Key|array<Key>|mixed      $keyOrKeyArray  The Key or array of Key objects.
-     *                                                  If the algorithm used is asymmetric, this is the public key
-     *                                                  Each Key object contains an algorithm and matching key.
-     *                                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
-     *                                                  'HS512', 'RS256', 'RS384', and 'RS512'
-     * @param array                     $allowed_algs   [DEPRECATED] List of supported verification algorithms. Only
-     *                                                  should be used for backwards  compatibility.
+     * @param string                 $jwt            The JWT
+     * @param Key|ArrayAccess<string,Key>|array<string,Key> $keyOrKeyArray  The Key or associative array of key IDs
+     *                                                                      (kid) to Key objects.
+     *                                                                      If the algorithm used is asymmetric, this is
+     *                                                                      the public key.
+     *                                                                      Each Key object contains an algorithm and
+     *                                                                      matching key.
+     *                                                                      Supported algorithms are 'ES384','ES256',
+     *                                                                      'HS256', 'HS384', 'HS512', 'RS256', 'RS384'
+     *                                                                      and 'RS512'.
      *
-     * @return object The JWT's payload as a PHP object
+     * @return stdClass The JWT's payload as a PHP object
      *
-     * @throws InvalidArgumentException     Provided JWT was empty
+     * @throws InvalidArgumentException     Provided key/key-array was empty or malformed
+     * @throws DomainException              Provided JWT is malformed
      * @throws UnexpectedValueException     Provided JWT was invalid
      * @throws SignatureInvalidException    Provided JWT was invalid because the signature verification failed
      * @throws BeforeValidException         Provided JWT is trying to be used before it's eligible as defined by 'nbf'
@@ -80,27 +92,37 @@ class JWT
      * @uses jsonDecode
      * @uses urlsafeB64Decode
      */
-    public static function decode($jwt, $keyOrKeyArray, array $allowed_algs = array())
-    {
+    public static function decode(
+        string $jwt,
+        $keyOrKeyArray
+    ): stdClass {
+        // Validate JWT
         $timestamp = \is_null(static::$timestamp) ? \time() : static::$timestamp;
 
         if (empty($keyOrKeyArray)) {
             throw new InvalidArgumentException('Key may not be empty');
         }
         $tks = \explode('.', $jwt);
-        if (\count($tks) != 3) {
+        if (\count($tks) !== 3) {
             throw new UnexpectedValueException('Wrong number of segments');
         }
         list($headb64, $bodyb64, $cryptob64) = $tks;
-        if (null === ($header = static::jsonDecode(static::urlsafeB64Decode($headb64)))) {
+        $headerRaw = static::urlsafeB64Decode($headb64);
+        if (null === ($header = static::jsonDecode($headerRaw))) {
             throw new UnexpectedValueException('Invalid header encoding');
         }
-        if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
+        $payloadRaw = static::urlsafeB64Decode($bodyb64);
+        if (null === ($payload = static::jsonDecode($payloadRaw))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
-        if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
-            throw new UnexpectedValueException('Invalid signature encoding');
+        if (\is_array($payload)) {
+            // prevent PHP Fatal Error in edge-cases when payload is empty array
+            $payload = (object) $payload;
         }
+        if (!$payload instanceof stdClass) {
+            throw new UnexpectedValueException('Payload must be a JSON object');
+        }
+        $sig = static::urlsafeB64Decode($cryptob64);
         if (empty($header->alg)) {
             throw new UnexpectedValueException('Empty algorithm');
         }
@@ -108,31 +130,18 @@ class JWT
             throw new UnexpectedValueException('Algorithm not supported');
         }
 
-        list($keyMaterial, $algorithm) = self::getKeyMaterialAndAlgorithm(
-            $keyOrKeyArray,
-            empty($header->kid) ? null : $header->kid
-        );
+        $key = self::getKey($keyOrKeyArray, property_exists($header, 'kid') ? $header->kid : null);
 
-        if (empty($algorithm)) {
-            // Use deprecated "allowed_algs" to determine if the algorithm is supported.
-            // This opens up the possibility of an attack in some implementations.
-            // @see https://github.com/firebase/php-jwt/issues/351
-            if (!\in_array($header->alg, $allowed_algs)) {
-                throw new UnexpectedValueException('Algorithm not allowed');
-            }
-        } else {
-            // Check the algorithm
-            if (!self::constantTimeEquals($algorithm, $header->alg)) {
-                // See issue #351
-                throw new UnexpectedValueException('Incorrect key for this algorithm');
-            }
+        // Check the algorithm
+        if (!self::constantTimeEquals($key->getAlgorithm(), $header->alg)) {
+            // See issue #351
+            throw new UnexpectedValueException('Incorrect key for this algorithm');
         }
-        if ($header->alg === 'ES256' || $header->alg === 'ES384') {
-            // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
+        if (\in_array($header->alg, ['ES256', 'ES256K', 'ES384'], true)) {
+            // OpenSSL expects an ASN.1 DER sequence for ES256/ES256K/ES384 signatures
             $sig = self::signatureToDER($sig);
         }
-
-        if (!static::verify("$headb64.$bodyb64", $sig, $keyMaterial, $header->alg)) {
+        if (!self::verify("{$headb64}.{$bodyb64}", $sig, $key->getKeyMaterial(), $header->alg)) {
             throw new SignatureInvalidException('Signature verification failed');
         }
 
@@ -162,34 +171,37 @@ class JWT
     }
 
     /**
-     * Converts and signs a PHP object or array into a JWT string.
+     * Converts and signs a PHP array into a JWT string.
      *
-     * @param object|array      $payload    PHP object or array
-     * @param string|resource   $key        The secret key.
-     *                                      If the algorithm used is asymmetric, this is the private key
-     * @param string            $alg        The signing algorithm.
-     *                                      Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
-     *                                      'HS512', 'RS256', 'RS384', and 'RS512'
-     * @param mixed             $keyId
-     * @param array             $head       An array with header elements to attach
+     * @param array<mixed>          $payload PHP array
+     * @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key.
+     * @param string                $alg     Supported algorithms are 'ES384','ES256', 'ES256K', 'HS256',
+     *                                       'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
+     * @param string                $keyId
+     * @param array<string, string> $head    An array with header elements to attach
      *
      * @return string A signed JWT
      *
      * @uses jsonEncode
      * @uses urlsafeB64Encode
      */
-    public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)
-    {
-        $header = array('typ' => 'JWT', 'alg' => $alg);
+    public static function encode(
+        array $payload,
+        $key,
+        string $alg,
+        string $keyId = null,
+        array $head = null
+    ): string {
+        $header = ['typ' => 'JWT', 'alg' => $alg];
         if ($keyId !== null) {
             $header['kid'] = $keyId;
         }
         if (isset($head) && \is_array($head)) {
             $header = \array_merge($head, $header);
         }
-        $segments = array();
-        $segments[] = static::urlsafeB64Encode(static::jsonEncode($header));
-        $segments[] = static::urlsafeB64Encode(static::jsonEncode($payload));
+        $segments = [];
+        $segments[] = static::urlsafeB64Encode((string) static::jsonEncode($header));
+        $segments[] = static::urlsafeB64Encode((string) static::jsonEncode($payload));
         $signing_input = \implode('.', $segments);
 
         $signature = static::sign($signing_input, $key, $alg);
@@ -201,67 +213,84 @@ class JWT
     /**
      * Sign a string with a given key and algorithm.
      *
-     * @param string            $msg    The message to sign
-     * @param string|resource   $key    The secret key
-     * @param string            $alg    The signing algorithm.
-     *                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
-     *                                  'HS512', 'RS256', 'RS384', and 'RS512'
+     * @param string $msg  The message to sign
+     * @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate  $key  The secret key.
+     * @param string $alg  Supported algorithms are 'ES384','ES256', 'ES256K', 'HS256',
+     *                    'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
      *
      * @return string An encrypted message
      *
      * @throws DomainException Unsupported algorithm or bad key was specified
      */
-    public static function sign($msg, $key, $alg = 'HS256')
-    {
+    public static function sign(
+        string $msg,
+        $key,
+        string $alg
+    ): string {
         if (empty(static::$supported_algs[$alg])) {
             throw new DomainException('Algorithm not supported');
         }
         list($function, $algorithm) = static::$supported_algs[$alg];
         switch ($function) {
             case 'hash_hmac':
+                if (!\is_string($key)) {
+                    throw new InvalidArgumentException('key must be a string when using hmac');
+                }
                 return \hash_hmac($algorithm, $msg, $key, true);
             case 'openssl':
                 $signature = '';
-                $success = \openssl_sign($msg, $signature, $key, $algorithm);
+                $success = \openssl_sign($msg, $signature, $key, $algorithm); // @phpstan-ignore-line
                 if (!$success) {
-                    throw new DomainException("OpenSSL unable to sign data");
+                    throw new DomainException('OpenSSL unable to sign data');
                 }
-                if ($alg === 'ES256') {
+                if ($alg === 'ES256' || $alg === 'ES256K') {
                     $signature = self::signatureFromDER($signature, 256);
                 } elseif ($alg === 'ES384') {
                     $signature = self::signatureFromDER($signature, 384);
                 }
                 return $signature;
             case 'sodium_crypto':
-                if (!function_exists('sodium_crypto_sign_detached')) {
+                if (!\function_exists('sodium_crypto_sign_detached')) {
                     throw new DomainException('libsodium is not available');
                 }
+                if (!\is_string($key)) {
+                    throw new InvalidArgumentException('key must be a string when using EdDSA');
+                }
                 try {
                     // The last non-empty line is used as the key.
                     $lines = array_filter(explode("\n", $key));
-                    $key = base64_decode(end($lines));
+                    $key = base64_decode((string) end($lines));
+                    if (\strlen($key) === 0) {
+                        throw new DomainException('Key cannot be empty string');
+                    }
                     return sodium_crypto_sign_detached($msg, $key);
                 } catch (Exception $e) {
                     throw new DomainException($e->getMessage(), 0, $e);
                 }
         }
+
+        throw new DomainException('Algorithm not supported');
     }
 
     /**
      * Verify a signature with the message, key and method. Not all methods
      * are symmetric, so we must have a separate verify and sign method.
      *
-     * @param string            $msg        The original message (header and body)
-     * @param string            $signature  The original signature
-     * @param string|resource   $key        For HS*, a string key works. for RS*, must be a resource of an openssl public key
-     * @param string            $alg        The algorithm
+     * @param string $msg         The original message (header and body)
+     * @param string $signature   The original signature
+     * @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate  $keyMaterial For HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey
+     * @param string $alg         The algorithm
      *
      * @return bool
      *
      * @throws DomainException Invalid Algorithm, bad key, or OpenSSL failure
      */
-    private static function verify($msg, $signature, $key, $alg)
-    {
+    private static function verify(
+        string $msg,
+        string $signature,
+        $keyMaterial,
+        string $alg
+    ): bool {
         if (empty(static::$supported_algs[$alg])) {
             throw new DomainException('Algorithm not supported');
         }
@@ -269,10 +298,11 @@ class JWT
         list($function, $algorithm) = static::$supported_algs[$alg];
         switch ($function) {
             case 'openssl':
-                $success = \openssl_verify($msg, $signature, $key, $algorithm);
+                $success = \openssl_verify($msg, $signature, $keyMaterial, $algorithm); // @phpstan-ignore-line
                 if ($success === 1) {
                     return true;
-                } elseif ($success === 0) {
+                }
+                if ($success === 0) {
                     return false;
                 }
                 // returns 1 on success, 0 on failure, -1 on error.
@@ -280,21 +310,33 @@ class JWT
                     'OpenSSL error: ' . \openssl_error_string()
                 );
             case 'sodium_crypto':
-              if (!function_exists('sodium_crypto_sign_verify_detached')) {
-                  throw new DomainException('libsodium is not available');
-              }
-              try {
-                  // The last non-empty line is used as the key.
-                  $lines = array_filter(explode("\n", $key));
-                  $key = base64_decode(end($lines));
-                  return sodium_crypto_sign_verify_detached($signature, $msg, $key);
-              } catch (Exception $e) {
-                  throw new DomainException($e->getMessage(), 0, $e);
-              }
+                if (!\function_exists('sodium_crypto_sign_verify_detached')) {
+                    throw new DomainException('libsodium is not available');
+                }
+                if (!\is_string($keyMaterial)) {
+                    throw new InvalidArgumentException('key must be a string when using EdDSA');
+                }
+                try {
+                    // The last non-empty line is used as the key.
+                    $lines = array_filter(explode("\n", $keyMaterial));
+                    $key = base64_decode((string) end($lines));
+                    if (\strlen($key) === 0) {
+                        throw new DomainException('Key cannot be empty string');
+                    }
+                    if (\strlen($signature) === 0) {
+                        throw new DomainException('Signature cannot be empty string');
+                    }
+                    return sodium_crypto_sign_verify_detached($signature, $msg, $key);
+                } catch (Exception $e) {
+                    throw new DomainException($e->getMessage(), 0, $e);
+                }
             case 'hash_hmac':
             default:
-                $hash = \hash_hmac($algorithm, $msg, $key, true);
-                return self::constantTimeEquals($signature, $hash);
+                if (!\is_string($keyMaterial)) {
+                    throw new InvalidArgumentException('key must be a string when using hmac');
+                }
+                $hash = \hash_hmac($algorithm, $msg, $keyMaterial, true);
+                return self::constantTimeEquals($hash, $signature);
         }
     }
 
@@ -303,30 +345,16 @@ class JWT
      *
      * @param string $input JSON string
      *
-     * @return object Object representation of JSON string
+     * @return mixed The decoded JSON string
      *
      * @throws DomainException Provided string was invalid JSON
      */
-    public static function jsonDecode($input)
+    public static function jsonDecode(string $input)
     {
-        if (\version_compare(PHP_VERSION, '5.4.0', '>=') && !(\defined('JSON_C_VERSION') && PHP_INT_SIZE > 4)) {
-            /** In PHP >=5.4.0, json_decode() accepts an options parameter, that allows you
-             * to specify that large ints (like Steam Transaction IDs) should be treated as
-             * strings, rather than the PHP default behaviour of converting them to floats.
-             */
-            $obj = \json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
-        } else {
-            /** Not all servers will support that, however, so for older versions we must
-             * manually detect large ints in the JSON string and quote them (thus converting
-             *them to strings) before decoding, hence the preg_replace() call.
-             */
-            $max_int_length = \strlen((string) PHP_INT_MAX) - 1;
-            $json_without_bigints = \preg_replace('/:\s*(-?\d{'.$max_int_length.',})/', ': "$1"', $input);
-            $obj = \json_decode($json_without_bigints);
-        }
+        $obj = \json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
 
         if ($errno = \json_last_error()) {
-            static::handleJsonError($errno);
+            self::handleJsonError($errno);
         } elseif ($obj === null && $input !== 'null') {
             throw new DomainException('Null result with non-null input');
         }
@@ -334,22 +362,30 @@ class JWT
     }
 
     /**
-     * Encode a PHP object into a JSON string.
+     * Encode a PHP array into a JSON string.
      *
-     * @param object|array $input A PHP object or array
+     * @param array<mixed> $input A PHP array
      *
-     * @return string JSON representation of the PHP object or array
+     * @return string JSON representation of the PHP array
      *
      * @throws DomainException Provided object could not be encoded to valid JSON
      */
-    public static function jsonEncode($input)
+    public static function jsonEncode(array $input): string
     {
-        $json = \json_encode($input);
+        if (PHP_VERSION_ID >= 50400) {
+            $json = \json_encode($input, \JSON_UNESCAPED_SLASHES);
+        } else {
+            // PHP 5.3 only
+            $json = \json_encode($input);
+        }
         if ($errno = \json_last_error()) {
-            static::handleJsonError($errno);
-        } elseif ($json === 'null' && $input !== null) {
+            self::handleJsonError($errno);
+        } elseif ($json === 'null') {
             throw new DomainException('Null result with non-null input');
         }
+        if ($json === false) {
+            throw new DomainException('Provided object could not be encoded to valid JSON');
+        }
         return $json;
     }
 
@@ -359,8 +395,10 @@ class JWT
      * @param string $input A Base64 encoded string
      *
      * @return string A decoded string
+     *
+     * @throws InvalidArgumentException invalid base64 characters
      */
-    public static function urlsafeB64Decode($input)
+    public static function urlsafeB64Decode(string $input): string
     {
         $remainder = \strlen($input) % 4;
         if ($remainder) {
@@ -377,7 +415,7 @@ class JWT
      *
      * @return string The base64 encode of what you passed in
      */
-    public static function urlsafeB64Encode($input)
+    public static function urlsafeB64Encode(string $input): string
     {
         return \str_replace('=', '', \strtr(\base64_encode($input), '+/', '-_'));
     }
@@ -386,67 +424,54 @@ class JWT
     /**
      * Determine if an algorithm has been provided for each Key
      *
-     * @param Key|array<Key>|mixed $keyOrKeyArray
-     * @param string|null $kid
+     * @param Key|ArrayAccess<string,Key>|array<string,Key> $keyOrKeyArray
+     * @param string|null            $kid
      *
      * @throws UnexpectedValueException
      *
-     * @return array containing the keyMaterial and algorithm
+     * @return Key
      */
-    private static function getKeyMaterialAndAlgorithm($keyOrKeyArray, $kid = null)
-    {
-        if (
-            is_string($keyOrKeyArray)
-            || is_resource($keyOrKeyArray)
-            || $keyOrKeyArray instanceof OpenSSLAsymmetricKey
-        ) {
-            return array($keyOrKeyArray, null);
-        }
-
+    private static function getKey(
+        $keyOrKeyArray,
+        ?string $kid
+    ): Key {
         if ($keyOrKeyArray instanceof Key) {
-            return array($keyOrKeyArray->getKeyMaterial(), $keyOrKeyArray->getAlgorithm());
+            return $keyOrKeyArray;
         }
 
-        if (is_array($keyOrKeyArray) || $keyOrKeyArray instanceof ArrayAccess) {
-            if (!isset($kid)) {
-                throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
-            }
-            if (!isset($keyOrKeyArray[$kid])) {
-                throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
-            }
-
-            $key = $keyOrKeyArray[$kid];
-
-            if ($key instanceof Key) {
-                return array($key->getKeyMaterial(), $key->getAlgorithm());
-            }
-
-            return array($key, null);
+        if (empty($kid) && $kid !== '0') {
+            throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
         }
 
-        throw new UnexpectedValueException(
-            '$keyOrKeyArray must be a string|resource key, an array of string|resource keys, '
-            . 'an instance of Firebase\JWT\Key key or an array of Firebase\JWT\Key keys'
-        );
+        if ($keyOrKeyArray instanceof CachedKeySet) {
+            // Skip "isset" check, as this will automatically refresh if not set
+            return $keyOrKeyArray[$kid];
+        }
+
+        if (!isset($keyOrKeyArray[$kid])) {
+            throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
+        }
+
+        return $keyOrKeyArray[$kid];
     }
 
     /**
-     * @param string $left
-     * @param string $right
+     * @param string $left  The string of known length to compare against
+     * @param string $right The user-supplied string
      * @return bool
      */
-    public static function constantTimeEquals($left, $right)
+    public static function constantTimeEquals(string $left, string $right): bool
     {
         if (\function_exists('hash_equals')) {
             return \hash_equals($left, $right);
         }
-        $len = \min(static::safeStrlen($left), static::safeStrlen($right));
+        $len = \min(self::safeStrlen($left), self::safeStrlen($right));
 
         $status = 0;
         for ($i = 0; $i < $len; $i++) {
             $status |= (\ord($left[$i]) ^ \ord($right[$i]));
         }
-        $status |= (static::safeStrlen($left) ^ static::safeStrlen($right));
+        $status |= (self::safeStrlen($left) ^ self::safeStrlen($right));
 
         return ($status === 0);
     }
@@ -456,17 +481,19 @@ class JWT
      *
      * @param int $errno An error number from json_last_error()
      *
+     * @throws DomainException
+     *
      * @return void
      */
-    private static function handleJsonError($errno)
+    private static function handleJsonError(int $errno): void
     {
-        $messages = array(
+        $messages = [
             JSON_ERROR_DEPTH => 'Maximum stack depth exceeded',
             JSON_ERROR_STATE_MISMATCH => 'Invalid or malformed JSON',
             JSON_ERROR_CTRL_CHAR => 'Unexpected control character found',
             JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON',
             JSON_ERROR_UTF8 => 'Malformed UTF-8 characters' //PHP >= 5.3.3
-        );
+        ];
         throw new DomainException(
             isset($messages[$errno])
             ? $messages[$errno]
@@ -481,7 +508,7 @@ class JWT
      *
      * @return int
      */
-    private static function safeStrlen($str)
+    private static function safeStrlen(string $str): int
     {
         if (\function_exists('mb_strlen')) {
             return \mb_strlen($str, '8bit');
@@ -495,10 +522,11 @@ class JWT
      * @param   string $sig The ECDSA signature to convert
      * @return  string The encoded DER object
      */
-    private static function signatureToDER($sig)
+    private static function signatureToDER(string $sig): string
     {
         // Separate the signature into r-value and s-value
-        list($r, $s) = \str_split($sig, (int) (\strlen($sig) / 2));
+        $length = max(1, (int) (\strlen($sig) / 2));
+        list($r, $s) = \str_split($sig, $length);
 
         // Trim leading zeros
         $r = \ltrim($r, "\x00");
@@ -525,9 +553,10 @@ class JWT
      *
      * @param   int     $type DER tag
      * @param   string  $value the value to encode
+     *
      * @return  string  the encoded object
      */
-    private static function encodeDER($type, $value)
+    private static function encodeDER(int $type, string $value): string
     {
         $tag_header = 0;
         if ($type === self::ASN1_SEQUENCE) {
@@ -548,9 +577,10 @@ class JWT
      *
      * @param   string  $der binary signature in DER format
      * @param   int     $keySize the number of bits in the key
+     *
      * @return  string  the signature
      */
-    private static function signatureFromDER($der, $keySize)
+    private static function signatureFromDER(string $der, int $keySize): string
     {
         // OpenSSL returns the ECDSA signatures as a binary ASN.1 DER SEQUENCE
         list($offset, $_) = self::readDER($der);
@@ -575,9 +605,10 @@ class JWT
      * @param string $der the binary data in DER format
      * @param int $offset the offset of the data stream containing the object
      * to decode
-     * @return array [$offset, $data] the new offset and the decoded object
+     *
+     * @return array{int, string|null} the new offset and the decoded object
      */
-    private static function readDER($der, $offset = 0)
+    private static function readDER(string $der, int $offset = 0): array
     {
         $pos = $offset;
         $size = \strlen($der);
@@ -595,7 +626,7 @@ class JWT
         }
 
         // Value
-        if ($type == self::ASN1_BIT_STRING) {
+        if ($type === self::ASN1_BIT_STRING) {
             $pos++; // Skip the first contents octet (padding indicator)
             $data = \substr($der, $pos, $len - 1);
             $pos += $len - 1;
@@ -606,6 +637,6 @@ class JWT
             $data = null;
         }
 
-        return array($pos, $data);
+        return [$pos, $data];
     }
 }
diff --git a/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php b/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php
index f1ede6f27..00cf7f2ed 100644
--- a/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php
+++ b/data/web/inc/lib/vendor/firebase/php-jwt/src/Key.php
@@ -4,37 +4,42 @@ namespace Firebase\JWT;
 
 use InvalidArgumentException;
 use OpenSSLAsymmetricKey;
+use OpenSSLCertificate;
+use TypeError;
 
 class Key
 {
-    /** @var string $algorithm */
+    /** @var string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate */
+    private $keyMaterial;
+    /** @var string */
     private $algorithm;
 
-    /** @var string|resource|OpenSSLAsymmetricKey $keyMaterial */
-    private $keyMaterial;
-
     /**
-     * @param string|resource|OpenSSLAsymmetricKey $keyMaterial
+     * @param string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial
      * @param string $algorithm
      */
-    public function __construct($keyMaterial, $algorithm)
-    {
+    public function __construct(
+        $keyMaterial,
+        string $algorithm
+    ) {
         if (
-            !is_string($keyMaterial)
-            && !is_resource($keyMaterial)
+            !\is_string($keyMaterial)
             && !$keyMaterial instanceof OpenSSLAsymmetricKey
+            && !$keyMaterial instanceof OpenSSLCertificate
+            && !\is_resource($keyMaterial)
         ) {
-            throw new InvalidArgumentException('Type error: $keyMaterial must be a string, resource, or OpenSSLAsymmetricKey');
+            throw new TypeError('Key material must be a string, resource, or OpenSSLAsymmetricKey');
         }
 
         if (empty($keyMaterial)) {
-            throw new InvalidArgumentException('Type error: $keyMaterial must not be empty');
+            throw new InvalidArgumentException('Key material must not be empty');
         }
 
-        if (!is_string($algorithm)|| empty($keyMaterial)) {
-            throw new InvalidArgumentException('Type error: $algorithm must be a string');
+        if (empty($algorithm)) {
+            throw new InvalidArgumentException('Algorithm must not be empty');
         }
 
+        // TODO: Remove in PHP 8.0 in favor of class constructor property promotion
         $this->keyMaterial = $keyMaterial;
         $this->algorithm = $algorithm;
     }
@@ -44,13 +49,13 @@ class Key
      *
      * @return string
      */
-    public function getAlgorithm()
+    public function getAlgorithm(): string
     {
         return $this->algorithm;
     }
 
     /**
-     * @return string|resource|OpenSSLAsymmetricKey
+     * @return string|resource|OpenSSLAsymmetricKey|OpenSSLCertificate
      */
     public function getKeyMaterial()
     {
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml
index 87831a56c..c5f3825a3 100644
--- a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/.travis.yml
@@ -3,9 +3,12 @@ language: php
 sudo: false
 
 php:
-  - 5.6
-  - 7.0
-  - 7.1
+  - 7.2
+  - 7.3
+  - 7.4
+  - 8.0
+  - 8.1
+  - 8.2
 
 matrix:
   include:
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md
index e050a6d0a..d0b1acaf3 100644
--- a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/README.md
@@ -36,6 +36,7 @@ $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
     'encryptionAlgorithm'   => 'RS256',                             // optional
     'encryptionKeyPath'     => '../key.pem'                         // optional
     'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+    'version'               => '20.0.1',                            // optional
 ]);
 
 if (!isset($_GET['code'])) {
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json
index 958f8c3af..b6a54477e 100644
--- a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/composer.json
@@ -18,13 +18,14 @@
         "keycloak"
     ],
     "require": {
+        "php": "~7.2 || ~8.0",
         "league/oauth2-client": "^2.0",
-        "firebase/php-jwt": "~4.0|~5.0"
+        "firebase/php-jwt": "^4.0 || ^5.0 || ^6.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "~4.0",
-        "mockery/mockery": "~0.9",
-        "squizlabs/php_codesniffer": "~2.0"
+        "phpunit/phpunit": "~9.6.4",
+        "mockery/mockery": "~1.5.0",
+        "squizlabs/php_codesniffer": "~3.7.0"
     },
     "autoload": {
         "psr-4": {
@@ -40,5 +41,11 @@
         "branch-alias": {
             "dev-master": "1.0.x-dev"
         }
+    },
+    "scripts": {
+        "test": [
+            "@putenv XDEBUG_MODE=coverage",
+            "phpunit --colors=always"
+        ]
     }
-}
+}
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist
index 04d164dc2..b915f933b 100644
--- a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/phpunit.xml.dist
@@ -1,38 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phpunit backupGlobals="false"
-         backupStaticAttributes="false"
          bootstrap="vendor/autoload.php"
          colors="true"
-         convertErrorsToExceptions="true"
-         convertNoticesToExceptions="true"
-         convertWarningsToExceptions="true"
          processIsolation="false"
          stopOnFailure="false"
-         syntaxCheck="false"
+         failOnRisky="true"
+         failOnWarning="true"
 >
-    <logging>
-        <log type="coverage-html"
-                target="./build/coverage/html"
-                charset="UTF-8"
-                highlight="false"
-                lowUpperBound="35"
-                highLowerBound="70"/>
-          <log type="coverage-clover"
-                target="./build/coverage/log/coverage.xml"/>
-    </logging>
+    <coverage includeUncoveredFiles="true"
+              pathCoverage="false"
+              ignoreDeprecatedCodeUnits="true"
+              disableCodeCoverageIgnore="true">
+        <include>
+            <directory suffix=".php">src</directory>
+        </include>
+        <exclude>
+            <directory suffix=".php">vendor</directory>
+            <file>src/autoload.php</file>
+        </exclude>
+        <report>
+            <html outputDirectory="./build/coverage/html"
+                  lowUpperBound="35"
+                  highLowerBound="70"/>
+            <clover outputFile="./build/coverage/log/coverage.xml"/>
+        </report>
+    </coverage>
     <testsuites>
         <testsuite name="Package Test Suite">
             <directory suffix=".php">./test/</directory>
         </testsuite>
     </testsuites>
-    <filter>
-        <whitelist>
-            <directory suffix=".php">./</directory>
-            <exclude>
-                <directory suffix=".php">./examples</directory>
-                <directory suffix=".php">./vendor</directory>
-                <directory suffix=".php">./test</directory>
-            </exclude>
-        </whitelist>
-    </filter>
 </phpunit>
diff --git a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php
index 01f6b62dd..a5c1da14f 100644
--- a/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php
+++ b/data/web/inc/lib/vendor/stevenmaguire/oauth2-keycloak/test/src/Provider/KeycloakTest.php
@@ -23,18 +23,22 @@ namespace Stevenmaguire\OAuth2\Client\Provider
 
 namespace Stevenmaguire\OAuth2\Client\Test\Provider
 {
+    use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
     use League\OAuth2\Client\Tool\QueryBuilderTrait;
     use Mockery as m;
+    use PHPUnit\Framework\TestCase;
+    use Stevenmaguire\OAuth2\Client\Provider\Exception\EncryptionConfigurationException;
+    use Stevenmaguire\OAuth2\Client\Provider\Keycloak;
 
-    class KeycloakTest extends \PHPUnit_Framework_TestCase
+    class KeycloakTest extends TestCase
     {
         use QueryBuilderTrait;
 
         protected $provider;
 
-        protected function setUp()
+        protected function setUp(): void
         {
-            $this->provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            $this->provider = new Keycloak([
                 'authServerUrl' => 'http://mock.url/auth',
                 'realm' => 'mock_realm',
                 'clientId' => 'mock_client_id',
@@ -43,7 +47,7 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
             ]);
         }
 
-        public function tearDown()
+        public function tearDown(): void
         {
             m::close();
             parent::tearDown();
@@ -67,7 +71,7 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
         public function testEncryptionAlgorithm()
         {
             $algorithm = uniqid();
-            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            $provider = new Keycloak([
                 'encryptionAlgorithm' => $algorithm,
             ]);
 
@@ -82,7 +86,7 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
         public function testEncryptionKey()
         {
             $key = uniqid();
-            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            $provider = new Keycloak([
                 'encryptionKey' => $key,
             ]);
 
@@ -101,7 +105,7 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
             $key = uniqid();
             $mockFileGetContents = $key;
 
-            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            $provider = new Keycloak([
                 'encryptionKeyPath' => $path,
             ]);
 
@@ -118,12 +122,14 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
 
         public function testEncryptionKeyPathFails()
         {
+            $this->markTestIncomplete('Need to assess the test to see what is required to be checked.');
+
             global $mockFileGetContents;
             $path = uniqid();
             $key = uniqid();
             $mockFileGetContents = new \Exception();
 
-            $provider = new \Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+            $provider = new Keycloak([
                 'encryptionKeyPath' => $path,
             ]);
 
@@ -137,7 +143,7 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
             $query = ['scope' => implode($scopeSeparator, $options['scope'])];
             $url = $this->provider->getAuthorizationUrl($options);
             $encodedScope = $this->buildQueryString($query);
-            $this->assertContains($encodedScope, $url);
+            $this->assertStringContainsString($encodedScope, $url);
         }
 
         public function testGetAuthorizationUrl()
@@ -169,11 +175,15 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
         public function testGetAccessToken()
         {
             $response = m::mock('Psr\Http\Message\ResponseInterface');
-            $response->shouldReceive('getBody')->andReturn('{"access_token":"mock_access_token", "scope":"email", "token_type":"bearer"}');
-            $response->shouldReceive('getHeader')->andReturn(['content-type' => 'json']);
+            $response->shouldReceive('getBody')
+                ->andReturn('{"access_token":"mock_access_token", "scope":"email", "token_type":"bearer"}');
+            $response->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'json']);
 
             $client = m::mock('GuzzleHttp\ClientInterface');
-            $client->shouldReceive('send')->times(1)->andReturn($response);
+            $client->shouldReceive('send')
+                ->times(1)
+                ->andReturn($response);
             $this->provider->setHttpClient($client);
 
             $token = $this->provider->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);
@@ -186,18 +196,24 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
 
         public function testUserData()
         {
-            $userId = rand(1000,9999);
+            $userId = rand(1000, 9999);
             $name = uniqid();
             $nickname = uniqid();
             $email = uniqid();
 
             $postResponse = m::mock('Psr\Http\Message\ResponseInterface');
-            $postResponse->shouldReceive('getBody')->andReturn('access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}');
-            $postResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
+            $postResponse->shouldReceive('getBody')
+                ->andReturn(
+                    'access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}'
+                );
+            $postResponse->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
 
             $userResponse = m::mock('Psr\Http\Message\ResponseInterface');
-            $userResponse->shouldReceive('getBody')->andReturn('{"sub": '.$userId.', "name": "'.$name.'", "email": "'.$email.'"}');
-            $userResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'json']);
+            $userResponse->shouldReceive('getBody')
+                ->andReturn('{"sub": '.$userId.', "name": "'.$name.'", "email": "'.$email.'"}');
+            $userResponse->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'json']);
 
             $client = m::mock('GuzzleHttp\ClientInterface');
             $client->shouldReceive('send')
@@ -218,7 +234,7 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
 
         public function testUserDataWithEncryption()
         {
-            $userId = rand(1000,9999);
+            $userId = rand(1000, 9999);
             $name = uniqid();
             $nickname = uniqid();
             $email = uniqid();
@@ -227,21 +243,31 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
             $key = uniqid();
 
             $postResponse = m::mock('Psr\Http\Message\ResponseInterface');
-            $postResponse->shouldReceive('getBody')->andReturn('access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}');
-            $postResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
-            $postResponse->shouldReceive('getStatusCode')->andReturn(200);
+            $postResponse->shouldReceive('getBody')
+                ->andReturn(
+                    'access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}'
+                );
+            $postResponse->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
+            $postResponse->shouldReceive('getStatusCode')
+                ->andReturn(200);
 
             $userResponse = m::mock('Psr\Http\Message\ResponseInterface');
-            $userResponse->shouldReceive('getBody')->andReturn($jwt);
-            $userResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/jwt']);
-            $userResponse->shouldReceive('getStatusCode')->andReturn(200);
+            $userResponse->shouldReceive('getBody')
+                ->andReturn($jwt);
+            $userResponse->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'application/jwt']);
+            $userResponse->shouldReceive('getStatusCode')
+                ->andReturn(200);
 
             $decoder = \Mockery::mock('overload:Firebase\JWT\JWT');
-            $decoder->shouldReceive('decode')->with($jwt, $key, [$algorithm])->andReturn([
-                'sub' => $userId,
-                'email' => $email,
-                'name' => $name,
-            ]);
+            $decoder->shouldReceive('decode')
+                ->with($jwt, $key, [$algorithm])
+                ->andReturn([
+                    'sub' => $userId,
+                    'email' => $email,
+                    'name' => $name,
+                ]);
 
             $client = m::mock('GuzzleHttp\ClientInterface');
             $client->shouldReceive('send')
@@ -262,20 +288,27 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
             $this->assertEquals($email, $user->toArray()['email']);
         }
 
-        /**
-         * @expectedException Stevenmaguire\OAuth2\Client\Provider\Exception\EncryptionConfigurationException
-         */
         public function testUserDataFailsWhenEncryptionEncounteredAndNotConfigured()
         {
+            $this->expectException(EncryptionConfigurationException::class);
+
             $postResponse = m::mock('Psr\Http\Message\ResponseInterface');
-            $postResponse->shouldReceive('getBody')->andReturn('access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}');
-            $postResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
-            $postResponse->shouldReceive('getStatusCode')->andReturn(200);
+            $postResponse->shouldReceive('getBody')
+                ->andReturn(
+                    'access_token=mock_access_token&expires=3600&refresh_token=mock_refresh_token&otherKey={1234}'
+                );
+            $postResponse->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'application/x-www-form-urlencoded']);
+            $postResponse->shouldReceive('getStatusCode')
+                ->andReturn(200);
 
             $userResponse = m::mock('Psr\Http\Message\ResponseInterface');
-            $userResponse->shouldReceive('getBody')->andReturn(uniqid());
-            $userResponse->shouldReceive('getHeader')->andReturn(['content-type' => 'application/jwt']);
-            $userResponse->shouldReceive('getStatusCode')->andReturn(200);
+            $userResponse->shouldReceive('getBody')
+                ->andReturn(uniqid());
+            $userResponse->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'application/jwt']);
+            $userResponse->shouldReceive('getStatusCode')
+                ->andReturn(200);
 
             $client = m::mock('GuzzleHttp\ClientInterface');
             $client->shouldReceive('send')
@@ -287,17 +320,20 @@ namespace Stevenmaguire\OAuth2\Client\Test\Provider
             $user = $this->provider->getResourceOwner($token);
         }
 
-        /**
-         * @expectedException League\OAuth2\Client\Provider\Exception\IdentityProviderException
-         */
         public function testErrorResponse()
         {
+            $this->expectException(IdentityProviderException::class);
+
             $response = m::mock('Psr\Http\Message\ResponseInterface');
-            $response->shouldReceive('getBody')->andReturn('{"error": "invalid_grant", "error_description": "Code not found"}');
-            $response->shouldReceive('getHeader')->andReturn(['content-type' => 'json']);
+            $response->shouldReceive('getBody')
+                ->andReturn('{"error": "invalid_grant", "error_description": "Code not found"}');
+            $response->shouldReceive('getHeader')
+                ->andReturn(['content-type' => 'json']);
 
             $client = m::mock('GuzzleHttp\ClientInterface');
-            $client->shouldReceive('send')->times(1)->andReturn($response);
+            $client->shouldReceive('send')
+                ->times(1)
+                ->andReturn($response);
             $this->provider->setHttpClient($client);
 
             $token = $this->provider->getAccessToken('authorization_code', ['code' => 'mock_authorization_code']);

From 95a15d18a73cf516b89e9acfa199826043751fc0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 13:37:27 +0200
Subject: [PATCH 043/378] [Web] update guzzlehttp/psr7

---
 data/web/inc/lib/composer.lock                  | 15 ++++++---------
 data/web/inc/lib/vendor/composer/installed.json | 17 +++++++----------
 data/web/inc/lib/vendor/composer/installed.php  | 10 +++++-----
 .../inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md |  8 ++++++++
 .../lib/vendor/guzzlehttp/psr7/composer.json    |  3 ---
 .../lib/vendor/guzzlehttp/psr7/src/Message.php  |  2 +-
 .../vendor/guzzlehttp/psr7/src/MessageTrait.php | 13 ++++++-------
 .../guzzlehttp/psr7/src/ServerRequest.php       |  8 ++++----
 8 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index 0d55230c4..516e9fec3 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -493,16 +493,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.4.4",
+            "version": "2.4.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf"
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
-                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/0454e12ef0cd597ccd2adb036f7bda4e7fface66",
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66",
                 "shasum": ""
             },
             "require": {
@@ -528,9 +528,6 @@
                 "bamarni-bin": {
                     "bin-links": true,
                     "forward-command": false
-                },
-                "branch-alias": {
-                    "dev-master": "2.4-dev"
                 }
             },
             "autoload": {
@@ -592,7 +589,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.4.4"
+                "source": "https://github.com/guzzle/psr7/tree/2.4.5"
             },
             "funding": [
                 {
@@ -608,7 +605,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-03-09T13:19:02+00:00"
+            "time": "2023-04-17T16:00:45+00:00"
         },
         {
             "name": "illuminate/contracts",
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index 0b7725517..c5f82771a 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -501,17 +501,17 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.4.4",
-            "version_normalized": "2.4.4.0",
+            "version": "2.4.5",
+            "version_normalized": "2.4.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf"
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
-                "reference": "3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/0454e12ef0cd597ccd2adb036f7bda4e7fface66",
+                "reference": "0454e12ef0cd597ccd2adb036f7bda4e7fface66",
                 "shasum": ""
             },
             "require": {
@@ -532,15 +532,12 @@
             "suggest": {
                 "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
             },
-            "time": "2023-03-09T13:19:02+00:00",
+            "time": "2023-04-17T16:00:45+00:00",
             "type": "library",
             "extra": {
                 "bamarni-bin": {
                     "bin-links": true,
                     "forward-command": false
-                },
-                "branch-alias": {
-                    "dev-master": "2.4-dev"
                 }
             },
             "installation-source": "dist",
@@ -603,7 +600,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.4.4"
+                "source": "https://github.com/guzzle/psr7/tree/2.4.5"
             },
             "funding": [
                 {
diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php
index d7cc77743..0616e9a82 100644
--- a/data/web/inc/lib/vendor/composer/installed.php
+++ b/data/web/inc/lib/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '34e7b3f613661fe2b3c3eb1d316a63dfe111022e',
+        'reference' => '96390c2e12fd8d886495fde5514ad431e4e66069',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '34e7b3f613661fe2b3c3eb1d316a63dfe111022e',
+            'reference' => '96390c2e12fd8d886495fde5514ad431e4e66069',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -80,9 +80,9 @@
             'dev_requirement' => false,
         ),
         'guzzlehttp/psr7' => array(
-            'pretty_version' => '2.4.4',
-            'version' => '2.4.4.0',
-            'reference' => '3cf1b6d4f0c820a2cf8bcaec39fc698f3443b5cf',
+            'pretty_version' => '2.4.5',
+            'version' => '2.4.5.0',
+            'reference' => '0454e12ef0cd597ccd2adb036f7bda4e7fface66',
             'type' => 'library',
             'install_path' => __DIR__ . '/../guzzlehttp/psr7',
             'aliases' => array(),
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md b/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md
index 0eabd3048..49e0c12a4 100644
--- a/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+## 2.4.5 - 2023-04-17
+
+### Fixed
+
+- Prevent possible warnings on unset variables in `ServerRequest::normalizeNestedFileSpec`
+- Fixed `Message::bodySummary` when `preg_match` fails
+- Fixed header validation issue
+
 ## 2.4.4 - 2023-03-09
 
 ### Changed
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json b/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json
index cd91040cf..c0e7236c3 100644
--- a/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/composer.json
@@ -81,9 +81,6 @@
         "bamarni-bin": {
             "bin-links": true,
             "forward-command": false
-        },
-        "branch-alias": {
-            "dev-master": "2.4-dev"
         }
     },
     "config": {
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php
index 61c1a5dcc..c1e15f826 100644
--- a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/Message.php
@@ -77,7 +77,7 @@ final class Message
 
         // Matches any printable character, including unicode characters:
         // letters, marks, numbers, punctuation, spacing, and separators.
-        if (preg_match('/[^\pL\pM\pN\pP\pS\pZ\n\r\t]/u', $summary)) {
+        if (preg_match('/[^\pL\pM\pN\pP\pS\pZ\n\r\t]/u', $summary) !== 0) {
             return null;
         }
 
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php
index d2dc28b60..464bdfaa4 100644
--- a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/MessageTrait.php
@@ -224,12 +224,9 @@ trait MessageTrait
             ));
         }
 
-        if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
+        if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $header)) {
             throw new \InvalidArgumentException(
-                sprintf(
-                    '"%s" is not valid header name',
-                    $header
-                )
+                sprintf('"%s" is not valid header name.', $header)
             );
         }
     }
@@ -257,8 +254,10 @@ trait MessageTrait
         // Clients must not send a request with line folding and a server sending folded headers is
         // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
         // folding is not likely to break any legitimate use case.
-        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
-            throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {
+            throw new \InvalidArgumentException(
+                sprintf('"%s" is not valid header value.', $value)
+            );
         }
     }
 }
diff --git a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php
index 43cbb502e..b2aa382da 100644
--- a/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php
+++ b/data/web/inc/lib/vendor/guzzlehttp/psr7/src/ServerRequest.php
@@ -144,10 +144,10 @@ class ServerRequest extends Request implements ServerRequestInterface
         foreach (array_keys($files['tmp_name']) as $key) {
             $spec = [
                 'tmp_name' => $files['tmp_name'][$key],
-                'size'     => $files['size'][$key],
-                'error'    => $files['error'][$key],
-                'name'     => $files['name'][$key],
-                'type'     => $files['type'][$key],
+                'size'     => $files['size'][$key] ?? null,
+                'error'    => $files['error'][$key] ?? null,
+                'name'     => $files['name'][$key] ?? null,
+                'type'     => $files['type'][$key] ?? null,
             ];
             $normalizedFiles[$key] = self::createUploadedFileFromSpec($spec);
         }

From 7cf6a9d808ef82ed6e3e8226ee2cb48144c7f4c7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 13:41:16 +0200
Subject: [PATCH 044/378] [Web] update lang.en-gb.json

---
 data/web/lang/lang.en-gb.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 9825ab9d2..748d9bf7d 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -212,21 +212,22 @@
         "host": "Host",
         "html": "HTML",
         "iam": "Identity Provider",
+        "iam_authorize_url": "Authorization endpoint",
         "iam_auth_flow": "Authentication Flow",
-        "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flows with direct Credentials",
-        "iam_auth_flow_rest_info": "1. Mailpassword Flow (Default)<br>The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak. If this attribute is not found, the user needs to log in to the mailcow UI via Single-Sign On and create an App Password to use a mail client.<br>To enable this flow, the mailcow client in Keycloak must have <code>Service accounts roles</code> checked under <code>Authentication Flow</code>.",
-        "iam_auth_flow_ropc_info": "2. Resource Owner Password Flow<br>We do not recommend using this flow, as it is probably deprecated in the new OAuth 2.1 protocol. The Resource Owner Password Flow allows direct validation of the user's credentials. Therefore, the user has to trust mailcow to handle their external credentials securely. No Mailpassword or App Password is required to use a mail client.<br>To enable this flow, the mailcow client in Keycloak must have <code>Direct access grants</code> checked under <code>Authentication Flow</code>.",
-        "iam_client_id": "Client Id",
+        "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak.",
+        "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
         "iam_description": "Here, you can configure the integration with an external Keycloak service. The Keycloak user's mailboxes will be automatically created upon their first login, provided that a attribute mapping has been set.",
+        "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
+        "iam_mapping": "Attribute Mapping",
         "iam_realm": "Realm",
         "iam_redirect_url": "Redirect Url",
-        "iam_ropc_flow": "Resource Owner Password Flow",
         "iam_rest_flow": "Mailpassword Flow",
-        "iam_mapping": "Attribute Mapping",
         "iam_server_url": "Server Url",
         "iam_sso": "SSO",
         "iam_test_connection": "Test Connection",
+        "iam_token_url": "Token endpoint",
+        "iam_userinfo_url": "User info endpoint",
         "iam_version": "Version",
         "import": "Import",
         "import_private_key": "Import private key",
@@ -412,7 +413,6 @@
         "goto_empty": "An alias address must contain at least one valid goto address",
         "goto_invalid": "Goto address %s is invalid",
         "ham_learn_error": "Ham learn error: %s",
-        "iam_invalid_sso": "SSO login failed",
         "iam_test_connection": "Connection failed",
         "imagick_exception": "Error: Imagick exception while reading image",
         "img_dimensions_exceeded": "Image exceeds the maximum image size",
@@ -468,7 +468,7 @@
         "redis_error": "Redis error: %s",
         "relayhost_invalid": "Map entry %s is invalid",
         "release_send_failed": "Message could not be released: %s",
-        "required_data_missing": "Required data is missing",
+        "required_data_missing": "Required data %s is missing",
         "reset_f2b_regex": "Regex filter could not be reset in time, please try again or wait a few more seconds and reload the website.",
         "resource_invalid": "Resource name %s is invalid",
         "rl_timeframe": "Rate limit time frame is incorrect",

From 4dc3222f03e8bf366dcc730c34b9db4cf1ab2cef Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 16 May 2023 14:50:36 +0200
Subject: [PATCH 045/378] [Web] fix bug on mailbox login

---
 data/web/inc/functions.auth.inc.php    | 18 ++++--------------
 data/web/inc/functions.inc.php         | 11 ++++++-----
 data/web/inc/functions.mailbox.inc.php |  2 +-
 3 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index cd46b45b1..88bdaf77c 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -333,26 +333,16 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
     return 'user';
   }
 
-  // try to create mbox on successfull login
-  $mbox_template = null;
-  // check if matching attribute mapping exists
-  foreach ($iam_settings['mappers'] as $index => $mapper){
-    if (in_array($mapper, $iam_settings['mappers'])) {
-      $mbox_template = $iam_settings['templates'][$index];
-      break;
-    }
-  }
-  if (!$mbox_template){
-    // no matching template found
-    return false;
-  }
+  // check if matching attribute exist
+  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+  if ($mapper_key === false) return false;
 
   // create mailbox
   $create_res = mailbox('add', 'mailbox_from_template', array(
     'domain' => explode('@', $user)[1],
     'local_part' => explode('@', $user)[0],
     'authsource' => 'keycloak',
-    'template' => $mbox_template
+    'template' => $iam_settings['mappers'][$mapper_key]
   ));
   if (!$create_res) return false;
 
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index ef6fbec6f..98991628d 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2316,7 +2316,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         );
         return true;
       }
-    
+
       // get mapped template, if not set return false
       // also return false if no mappers were defined
       $provider = identity_provider('get');
@@ -2330,9 +2330,10 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         );
         return false;
       }
-    
+
       // check if matching attribute exist
-      if (array_search($user_template, $provider['mappers']) === false) {
+      $mapper_key = array_search($user_template, $provider['mappers']);
+      if ($mapper_key === false) {
         clear_session();  
         $_SESSION['return'][] =  array(
           'type' => 'danger',
@@ -2341,13 +2342,13 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         );
         return false;
       }
-    
+
       // create mailbox
       $create_res = mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $info['email'])[1],
         'local_part' => explode('@', $info['email'])[0],
         'authsource' => identity_provider('get')['authsource'],
-        'template' => $user_template
+        'template' => $provider['templates'][$mapper_key]
       ));
       if (!$create_res){
         clear_session();  
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 7ba0a2f49..7ff1044a4 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1361,7 +1361,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               break;
             }
           }
-        
+
           return mailbox('add', 'mailbox', $mailbox_attributes, array('iam_create_login' => true));
         break;
         case 'resource':

From 5545d8a56c87f4f3e8267d4a5954470466cdbecd Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 25 May 2023 10:06:55 +0200
Subject: [PATCH 046/378] [Web] hide auth settings for external users

---
 data/web/inc/functions.auth.inc.php        | 10 +++++-----
 data/web/inc/functions.inc.php             |  4 ++--
 data/web/inc/functions.mailbox.inc.php     |  2 +-
 data/web/templates/user/tab-user-auth.twig |  2 ++
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 88bdaf77c..f7a2a3519 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -235,8 +235,11 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
     $protocol = 'sieve';
   } else if ($app_passwd_data['pop3']){
     $protocol = 'pop3';
+  } else if (!$is_internal) {
+    return false;
   }
 
+
   // fetch app password data
   $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
     INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
@@ -249,11 +252,8 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
       :has_access_query"
   );
   // check if app password has protocol access
-  // skip if protocol is false and the call is not external
-  $has_access_query = '';
-  if (!$is_internal || ($is_internal && !empty($protocol))){
-    $has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'";
-  }
+  // skip if protocol is false and the call is internal
+  $has_access_query = ($is_internal && $protocol === false) ? "" : " AND `app_passwd`.`" . $protocol . "_access` = '1'";
   // fetch password data
   $stmt->execute(array(
     ':user' => $user,
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 98991628d..21e20f39a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -896,7 +896,7 @@ function edit_user_account($_data) {
   }
   $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
       WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `username` = :user");
+        AND `username` = :user AND authsource = 'mailcow'");
   $stmt->execute(array(':user' => $username));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
   if (!verify_hash($row['password'], $password_old)) {
@@ -917,7 +917,7 @@ function edit_user_account($_data) {
     $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed,
       `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'),
       `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-        WHERE `username` = :username");
+        WHERE `username` = :username AND authsource = 'mailcow'");
     $stmt->execute(array(
       ':password_hashed' => $password_hashed,
       ':username' => $username
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 7ff1044a4..30d927398 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -3165,7 +3165,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $stmt = $pdo->prepare("UPDATE `mailbox` SET
                   `password` = :password_hashed,
                   `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-                    WHERE `username` = :username");
+                    WHERE `username` = :username AND authsource = 'mailcow'");
               $stmt->execute(array(
                 ':password_hashed' => $password_hashed,
                 ':username' => $username
diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index c39f10086..f8429821e 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -97,6 +97,7 @@
           </div>
 
           {# TFA #}
+          {% if mailboxdata.authsource == "mailcow" %}
           <legend class="mt-4">{{ lang.user.authentication }}</legend>
           <hr>
           <div class="row">
@@ -170,6 +171,7 @@
             </div>
             <br>
           </div>
+          {% endif %}
         </div>
         <div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1">
           <legend class="d-flex">

From e4284b8e19cdfba174ce7e3ce67b632ff2a4765a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 25 May 2023 11:36:17 +0200
Subject: [PATCH 047/378] [Web] fix attribute mapping list

---
 data/web/js/site/admin.js                     |  8 +--
 .../admin/tab-config-identity-provider.twig   | 50 ++++++++++---------
 2 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index b2f8ae1a5..d2b206d22 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -771,7 +771,7 @@ jQuery(function($){
   $('.iam_rolemap_add').click(async function(e){
     e.preventDefault();
 
-    var parent = $(this).parent().parent();
+    var parent = $('#iam_mapping_list')
     $(parent).children().last().clone().appendTo(parent);
     var newChild = $(parent).children().last();
     $(newChild).find('input').val('');
@@ -784,12 +784,14 @@ jQuery(function($){
     $('.iam_rolemap_del').off('click');
     $('.iam_rolemap_del').click(async function(e){
       e.preventDefault();
-      $(this).parent().remove();
+      if ($(this).parent().parent().children().length > 1)
+        $(this).parent().remove();
     });
   });
   $('.iam_rolemap_del').click(async function(e){
     e.preventDefault();
-    $(this).parent().remove();
+    if ($(this).parent().parent().children().length > 1)
+      $(this).parent().remove();
   });
   // selecting identity provider
   $('#iam_provider').on('change', function(){
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 1a42d0088..a2aff987c 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -70,32 +70,34 @@
               <span class="w-100 ms-2">Template</span>
               <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-2 iam_rolemap_add"><i class="bi bi-plus-lg"></i></button>
             </div>
-            {% for key, role in iam_settings.mappers %}
-            <div class="offset-sm-3 col-4 d-flex mb-2">
-              <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
-              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-              {% for mbox_template in mbox_templates %}
-                <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
-                  {{ mbox_template.template }}
-                </option>
+            <div id="iam_mapping_list">
+              {% for key, role in iam_settings.mappers %}
+              <div class="offset-sm-3 col-4 d-flex mb-2">
+                <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
+                <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                {% for mbox_template in mbox_templates %}
+                  <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
+                    {{ mbox_template.template }}
+                  </option>
+                {% endfor %}
+                </select>
+                <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+              </div>
               {% endfor %}
-              </select>
-              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+              {% if not iam_settings.mappers %}
+              <div class="offset-sm-3 col-4 d-flex mb-2">
+                <input type="text" class="form-control me-2" name="mappers" value="" required>
+                <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                {% for mbox_template in mbox_templates %}
+                  <option>
+                    {{ mbox_template.template }}
+                  </option>
+                {% endfor %}
+                </select>
+                <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+              </div>
+              {% endif %}
             </div>
-            {% endfor %}
-            {% if not iam_settings.mappers %}
-            <div class="offset-sm-3 col-4 d-flex mb-2">
-              <input type="text" class="form-control me-2" name="mappers" value="" required>
-              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-              {% for mbox_template in mbox_templates %}
-                <option>
-                  {{ mbox_template.template }}
-                </option>
-              {% endfor %}
-              </select>
-              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
-            </div>
-            {% endif %}
           </div>
           <div class="row mb-2 mt-4">
             <label class="control-label col-sm-3 text-sm-end"></label>

From 85368971fd23be5036f4f055eb5440a05ef61c97 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 25 May 2023 12:32:47 +0200
Subject: [PATCH 048/378] [Web] handle fatal errors on getAccessToken

---
 data/web/inc/functions.inc.php | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 21e20f39a..4e353dd0b 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2144,6 +2144,9 @@ function identity_provider($_action, $_data = null, $_extra = null) {
           $pdo->rollback();
           return false;
         }
+        if ($setting == "server_url" || $setting == "authorize_url" || $setting == "token_url" || $setting == "userinfo_url") {
+          $_data[$setting] = rtrim($_data[$setting], '/');
+        }
 
         $stmt->bindParam(':key', $setting);
         $stmt->bindParam(':value', $_data[$setting]);
@@ -2271,15 +2274,6 @@ function identity_provider($_action, $_data = null, $_extra = null) {
     
       try {
         $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
-      } catch (Exception $e) {
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__),
-          'msg' => array('login_failed', $e->getMessage())
-        );
-        return false;
-      }
-      try {
         $_SESSION['iam_token'] = $token->getToken();
         $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
         $info = $provider->getResourceOwner($token)->toArray();
@@ -2291,7 +2285,6 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         );
         return false;
       }
-      
       // check if email address is given
       if (empty($info['email'])) return false;
     
@@ -2374,15 +2367,6 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 
       try {
         $token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
-      } catch (Exception $e) {
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__),
-          'msg' => array('login_failed', $e->getMessage())
-        );
-        return false;
-      }
-      try {
         $_SESSION['iam_token'] = $token->getToken();
         $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
         $info = $provider->getResourceOwner($token)->toArray();

From f8647bb15eecc44d1bbd15cd5ea26a41e87f6606 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jul 2023 15:49:06 +0200
Subject: [PATCH 049/378] [Web] add keycloak sync crontask

---
 data/conf/phpfpm/crons/keycloak-sync.php | 221 +++++++++++++++++++++++
 docker-compose.yml                       |   6 +
 2 files changed, 227 insertions(+)
 create mode 100644 data/conf/phpfpm/crons/keycloak-sync.php

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
new file mode 100644
index 000000000..f401f0ae7
--- /dev/null
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -0,0 +1,221 @@
+<?php
+
+require_once(__DIR__ . '/../web/inc/vars.inc.php');
+if (file_exists(__DIR__ . '/../web/inc/vars.local.inc.php')) {
+  include_once(__DIR__ . '/../web/inc/vars.local.inc.php');
+}
+require_once __DIR__ . '/../web/inc/lib/vendor/autoload.php';
+
+// Init database
+//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  logMsg("danger", $e->getMessage());
+  session_destroy();
+  exit;
+}
+
+// Init Redis
+$redis = new Redis();
+try {
+  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  }
+  else {
+    $redis->connect('redis-mailcow', 6379);
+  }
+}
+catch (Exception $e) {
+  echo "Exiting: " . $e->getMessage();
+  session_destroy();
+  exit;
+}
+
+function logMsg($priority, $message, $task = "Keycloak Sync") {
+  global $redis;
+
+  $finalMsg = array(
+    "time" => time(),
+    "priority" => $priority,
+    "task" => $task,
+    "message" => $message
+  );
+  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+}
+
+// Load core functions first
+require_once __DIR__ . '/../web/inc/functions.inc.php';
+require_once __DIR__ . '/../web/inc/functions.auth.inc.php';
+require_once __DIR__ . '/../web/inc/sessions.inc.php';
+require_once __DIR__ . '/../web/inc/functions.mailbox.inc.php';
+require_once __DIR__ . '/../web/inc/functions.ratelimit.inc.php';
+require_once __DIR__ . '/../web/inc/functions.acl.inc.php';
+
+$_SESSION['mailcow_cc_username'] = "admin";
+$_SESSION['mailcow_cc_role'] = "admin";
+$_SESSION['acl']['tls_policy'] = "1";
+$_SESSION['acl']['quarantine_notification'] = "1";
+$_SESSION['acl']['quarantine_category'] = "1";
+$_SESSION['acl']['ratelimit'] = "1";
+$_SESSION['acl']['sogo_access'] = "1";
+$_SESSION['acl']['protocol_access'] = "1";
+$_SESSION['acl']['mailbox_relayhost'] = "1";
+
+// Init Keycloak Provider
+$iam_provider = identity_provider('init');
+$iam_settings = identity_provider('get');
+if (intval($iam_settings['periodic_sync']) != 1 && $iam_settings['import_users'] != 1) {
+  logMsg("warning", "IAM Sync is disabled");
+  session_destroy();
+  exit;
+}
+
+// Set pagination variables
+$start = 0;
+$max = 25;
+
+// lock sync if already running
+$lock_file = '/tmp/iam-sync.lock';
+if (file_exists($lock_file)) {
+  $lock_file_parts = explode("\n", file_get_contents($lock_file));
+  $pid = $lock_file_parts[0];
+  if (count($lock_file_parts) > 1){
+    $last_execution = $lock_file_parts[1];
+    $elapsed_time = (time() - $last_execution) / 60;
+    if ($elapsed_time < intval($iam_settings['sync_interval'])) {
+      logMsg("warning", "Sync Interval not ready (".number_format((float)$elapsed_time, 2, '.', '')."min / ".$iam_settings['sync_interval']."min)");
+      session_destroy();
+      exit;
+    }
+  }
+
+  if (posix_kill($pid, 0)) {
+    logMsg("warning", "Sync is already running");
+    session_destroy();
+    exit;
+  } else {
+    unlink($lock_file);
+  }
+}
+$lock_file_handle = fopen($lock_file, 'w');
+fwrite($lock_file_handle, getmypid());
+fclose($lock_file_handle);
+
+// Loop until all users have been retrieved
+while (true) {
+  // Get admin access token
+  $admin_token = identity_provider("get-keycloak-admin-token");
+  
+  // Make the API request to retrieve the users
+  $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users?first=$start&max=$max";
+  $ch = curl_init();
+  curl_setopt($ch, CURLOPT_URL, $url);
+  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+  curl_setopt($ch, CURLOPT_HTTPHEADER, [
+    "Content-Type: application/json",
+    "Authorization: Bearer " . $admin_token
+  ]);
+  $response = curl_exec($ch);
+  $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+  curl_close($ch);
+  
+  if ($code != 200){
+    logMsg("danger", "Recieved HTTP {$code}");
+    session_destroy();
+    exit;
+  }
+  try {
+    $response = json_decode($response, true);
+  } catch (Exception $e) {
+    logMsg("danger", $e->getMessage());
+    break;
+  }
+  if (!is_array($response)){
+    logMsg("danger", "Recieved malformed response from keycloak api");
+    break;
+  }
+  if (count($response) == 0) {
+    break;
+  }
+
+  // Process the batch of users
+  foreach ($response as $user) {
+    if (empty($user['email'])){
+      logMsg("warning", "No email address in keycloak found for user " . $user['name']);
+      continue;
+    }
+    if (!isset($user['attributes'])){
+      logMsg("warning", "No attributes in keycloak found for user " . $user['email']);
+      continue;
+    }
+    if (count($user['attributes']['mailcow_template']) == 0) {
+      logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']);
+      continue;
+    };
+    $mailcow_template = $user['attributes']['mailcow_template'];
+
+    // try get mailbox user
+    $stmt = $pdo->prepare("SELECT `mailbox`.* FROM `mailbox`
+    INNER JOIN domain on mailbox.domain = domain.domain
+    WHERE `kind` NOT REGEXP 'location|thing|group'
+      AND `domain`.`active`='1'
+      AND `username` = :user");
+    $stmt->execute(array(':user' => $user['email']));
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+    // check if matching attribute mapping exists
+    $mbox_template = null;
+    foreach ($iam_settings['mappers'] as $index => $mapper){
+      if (in_array($mapper, $user['attributes']['mailcow_template'])) {
+        $mbox_template = $mapper;
+        break;
+      }
+    }
+    if (!$mbox_template){
+      logMsg("warning", "No matching mapper found for mailbox_template");
+      continue;
+    }
+
+    if (!$row && intval($iam_settings['import_users']) == 1){
+      // mailbox user does not exist, create...
+      logMsg("info", "Creating user " . $user['email']);
+      mailbox('add', 'mailbox_from_template', array(
+        'domain' => explode('@', $user['email'])[1],
+        'local_part' => explode('@', $user['email'])[0],
+        'authsource' => 'keycloak',
+        'template' => $mbox_template
+      ));
+    } else if ($row) {
+      // mailbox user does exist, sync attribtues...
+      logMsg("info", "Syncing attributes for user " . $user['email']);
+      mailbox('edit', 'mailbox_from_template', array(
+        'username' => $user['email'],
+        'template' => $mbox_template
+      ));
+    } else {
+      // skip mailbox user
+      logMsg("info", "Skipping user " . $user['email']);
+    }
+
+    sleep(0.025);
+  }
+  
+  // Update the pagination variables for the next batch
+  $start += $max;
+  sleep(1);
+}
+
+logMsg("info", "DONE!");
+// add last execution time to lock file
+$lock_file_handle = fopen($lock_file, 'w');
+fwrite($lock_file_handle, getmypid() . "\n" . time());
+fclose($lock_file_handle);
+session_destroy();
diff --git a/docker-compose.yml b/docker-compose.yml
index fffa193c8..a330e1689 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -128,6 +128,7 @@ services:
         - mysql-socket-vol-1:/var/run/mysqld/
         - ./data/conf/sogo/:/etc/sogo/:z
         - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
+        - ./data/conf/phpfpm/crons:/crons:z
         - ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
         - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
         - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
@@ -173,6 +174,11 @@ services:
         - WEBAUTHN_ONLY_TRUSTED_VENDORS=${WEBAUTHN_ONLY_TRUSTED_VENDORS:-n}
         - CLUSTERMODE=${CLUSTERMODE:-}
       restart: always
+      labels:
+        ofelia.enabled: "true"
+        ofelia.job-exec.phpfpm_keycloak_sync.schedule: "@every 1m"
+        ofelia.job-exec.phpfpm_keycloak_sync.no-overlap: "true"
+        ofelia.job-exec.phpfpm_keycloak_sync.command: "/bin/bash -c \"php /crons/keycloak-sync.php || exit 0\""
       networks:
         mailcow-network:
           aliases:

From b176585a9c621f69f9244dc31f041456a7c07e05 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jul 2023 15:53:33 +0200
Subject: [PATCH 050/378] [Web] add crontasks logs

---
 data/web/inc/functions.inc.php | 14 ++++++++
 data/web/js/site/debug.js      | 61 ++++++++++++++++++++++++++++++++++
 data/web/json_api.php          | 11 ++++++
 data/web/templates/debug.twig  | 24 +++++++++++++
 4 files changed, 110 insertions(+)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 4e353dd0b..081f26e7d 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2537,6 +2537,20 @@ function get_logs($application, $lines = false) {
       return $data_array;
     }
   }
+  if ($application == "cron-mailcow") {
+    if (isset($from) && isset($to)) {
+      $data = $redis->lRange('CRON_LOG', $from - 1, $to - 1);
+    }
+    else {
+      $data = $redis->lRange('CRON_LOG', 0, $lines);
+    }
+    if ($data) {
+      foreach ($data as $json_line) {
+        $data_array[] = json_decode($json_line, true);
+      }
+      return $data_array;
+    }
+  }
   if ($application == "postfix-mailcow") {
     if (isset($from) && isset($to)) {
       $data = $redis->lRange('POSTFIX_MAILLOG', $from - 1, $to - 1);
diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index 512d9551e..61e7d480a 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -814,6 +814,66 @@ jQuery(function($){
       hideTableExpandCollapseBtn('#tab-dovecot-logs', '#dovecot_log');
     });
   }
+  function draw_cron_logs() {
+    // just recalc width if instance already exists
+    if ($.fn.DataTable.isDataTable('#cron_log') ) {
+      $('#cron_log').DataTable().columns.adjust().responsive.recalc();
+      return;
+    }
+
+    var table = $('#cron_log').DataTable({
+      responsive: true,
+      processing: true,
+      serverSide: false,
+      stateSave: true,
+      pageLength: log_pagination_size,
+      dom: "<'row'<'col-sm-12 col-md-6'f><'col-sm-12 col-md-6'l>>" +
+           "tr" +
+           "<'row'<'col-sm-12 col-md-5'i><'col-sm-12 col-md-7'p>>",
+      language: lang_datatables,
+      order: [[0, 'desc']],
+      initComplete: function(){
+        hideTableExpandCollapseBtn('#tab-cron-logs', '#cron_log');
+      },
+      ajax: {
+        type: "GET",
+        url: "/api/v1/get/logs/cron",
+        dataSrc: function(data){
+          return process_table_data(data, 'general_syslog');
+        }
+      },
+      columns: [
+        {
+          title: lang.time,
+          data: 'time',
+          defaultContent: '',
+          createdCell: function(td, cellData) {
+            createSortableDate(td, cellData)
+          }
+        },
+        {
+          title: lang.task,
+          data: 'task',
+          defaultContent: ''
+        },
+        {
+          title: lang.priority,
+          data: 'priority',
+          defaultContent: ''
+        },
+        {
+          title: lang.message,
+          data: 'message',
+          defaultContent: '',
+          className: 'dtr-col-md text-break'
+        }
+      ]
+    });
+
+    table.on('responsive-resize', function (e, datatable, columns){
+      hideTableExpandCollapseBtn('#tab-cron-logs', '#cron_log');
+    });
+  }
   function rspamd_pie_graph() {
     $.ajax({
       url: '/api/v1/get/rspamd/actions',
@@ -1219,6 +1279,7 @@ jQuery(function($){
   onVisible("[id^=ui_logs]", () => draw_ui_logs());
   onVisible("[id^=sasl_logs]", () => draw_sasl_logs());
   onVisible("[id^=netfilter_log]", () => draw_netfilter_logs());
+  onVisible("[id^=cron_log]", () => draw_cron_logs());
   onVisible("[id^=rspamd_history]", () => draw_rspamd_history());
   onVisible("[id^=rspamd_donut]", () => rspamd_pie_graph());
 
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 69b236d7a..ac8963e45 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -947,6 +947,17 @@ if (isset($_GET['query'])) {
                 }
                 echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}';
               break;
+              case "cron":
+                // 0 is first record, so empty is fine
+                if (isset($extra)) {
+                  $extra = preg_replace('/[^\d\-]/i', '', $extra);
+                  $logs = get_logs('cron-mailcow', $extra);
+                }
+                else {
+                  $logs = get_logs('cron-mailcow');
+                }
+                echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}';
+              break;
               case "postfix":
                 // 0 is first record, so empty is fine
                 if (isset($extra)) {
diff --git a/data/web/templates/debug.twig b/data/web/templates/debug.twig
index 867371177..c148856cb 100644
--- a/data/web/templates/debug.twig
+++ b/data/web/templates/debug.twig
@@ -16,6 +16,7 @@
       <li role="presentation"><button class="dropdown-item" data-bs-target="#tab-acme-logs" aria-selected="false" aria-controls="tab-acme-logs" role="tab" data-bs-toggle="tab">ACME</button></li>
       <li role="presentation"><button class="dropdown-item" data-bs-target="#tab-api-logs" aria-selected="false" aria-controls="tab-api-logs" role="tab" data-bs-toggle="tab">API</button></li>
       <li role="presentation"><button class="dropdown-item" data-bs-target="#tab-api-rl" aria-selected="false" aria-controls="tab-api-rl" role="tab" data-bs-toggle="tab">Ratelimits</button></li>
+      <li role="presentation"><button class="dropdown-item" data-bs-target="#tab-cron-logs" aria-selected="false" aria-controls="tab-api-rl" role="tab" data-bs-toggle="tab">Crontasks</button></li>
       <li role="presentation"><span class="dropdown-header fs-6">{{ lang.debug.external_logs }}</span></li>
       <li role="presentation"><button class="dropdown-item" data-bs-target="#tab-rspamd-history" aria-selected="false" aria-controls="tab-rspamd-history" role="tab" data-bs-toggle="tab">Rspamd</button></li>
       <li role="presentation"><span class="dropdown-header fs-6">{{ lang.debug.static_logs }}</span></li>
@@ -625,6 +626,29 @@
         </div>
       </div>
 
+      <div role="tabpanel" class="tab-pane" id="tab-cron-logs">
+        <div class="debug-log-info">{{ lang.debug.log_info|format(log_lines+1)|raw }}</div>
+        <div class="card">
+          <div class="card-header d-flex align-items-center fs-5">
+            <span class="mt-2 ms-2">Crontasks</span>
+            <div class="btn-group ms-auto">
+              <button class="btn btn-sm btn-secondary refresh_table" data-draw="draw_cron_logs" data-table="cron_log">{{ lang.admin.refresh }}</button>
+            </div>
+          </div>
+          <div class="card-body">
+            <a class="btn btn-sm btn-secondary dropdown-toggle mb-4" data-bs-toggle="dropdown" href="#">{{ lang.mailbox.quick_actions }}</a>
+            <ul class="dropdown-menu">
+              <li><a class="dropdown-item add_log_lines" data-post-process="general_syslog" data-table="cron_log" data-log-url="cron" data-nrows="100" href="#">+ 100</a></li>
+              <li><a class="dropdown-item add_log_lines" data-post-process="general_syslog" data-table="cron_log" data-log-url="cron" data-nrows="1000" href="#">+ 1000</a></li>
+              <li class="table_collapse_option"><hr class="dropdown-divider"></li>
+              <li class="table_collapse_option"><a class="dropdown-item" data-datatables-expand="cron_log" data-table="cron_log" href="#">{{ lang.datatables.expand_all }}</a></li>
+              <li class="table_collapse_option"><a class="dropdown-item" data-datatables-collapse="cron_log" data-table="cron_log" href="#">{{ lang.datatables.collapse_all }}</a></li>
+            </ul>
+            <table id="cron_log" class="table table-striped dt-responsive w-100"></table>
+          </div>
+        </div>
+      </div>
+
     </div> <!-- /tab-content -->
   </div> <!-- /col-md-12 -->
 </div> <!-- /row -->

From a4cce147aa3fa9c5d8a28ab295a5869751b4e38e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jul 2023 15:56:39 +0200
Subject: [PATCH 051/378] [Web] improve attribute sync performance & make
 authsource editable

---
 data/web/inc/functions.mailbox.inc.php | 65 ++++++++++++++++++--------
 data/web/templates/edit/mailbox.twig   |  8 +++-
 2 files changed, 52 insertions(+), 21 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 30d927398..d76b8fa50 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1073,6 +1073,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $quarantine_notification = (isset($_data['quarantine_notification'])) ? strval($_data['quarantine_notification']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
           $quarantine_category = (isset($_data['quarantine_category'])) ? strval($_data['quarantine_category']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
           $quota_b    = ($quota_m * 1048576);
+          $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
           $mailbox_attrs = json_encode(
             array(
               'force_pw_update' => strval($force_pw_update),
@@ -1087,7 +1088,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'passwd_update' => time(),
               'mailbox_format' => strval($MAILBOX_DEFAULT_ATTRIBUTES['mailbox_format']),
               'quarantine_notification' => strval($quarantine_notification),
-              'quarantine_category' => strval($quarantine_category)
+              'quarantine_category' => strval($quarantine_category),
+              'attribute_hash' => $attribute_hash
             )
           );
           if (!is_valid_domain_name($domain)) {
@@ -1223,11 +1225,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               break;
             }
-            $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
-            $stmt->execute(array(
-              ':username' => $username,
-              ':tag_name' => $tag,
-            ));
+            try {
+              $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
+              $stmt->execute(array(
+                ':username' => $username,
+                ':tag_name' => $tag,
+              ));
+            } catch (Exception $e) {
+            }
           }
           $stmt = $pdo->prepare("INSERT INTO `quota2` (`username`, `bytes`, `messages`)
             VALUES (:username, '0', '0') ON DUPLICATE KEY UPDATE `bytes` = '0', `messages` = '0';");
@@ -1344,10 +1349,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }  
           
+          $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
           $mbox_template_data = json_decode($mbox_template_data["attributes"], true);  
           $mbox_template_data['domain'] = $_data['domain'];
           $mbox_template_data['local_part'] = $_data['local_part'];
           $mbox_template_data['authsource'] = $_data['authsource'];
+          $mbox_template_data['attribute_hash'] = $attribute_hash;
           $mbox_template_data['quota'] = intval($mbox_template_data['quota'] / 1048576);
         
           $mailbox_attributes = array('acl' => array());
@@ -2921,12 +2928,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               (int)$sieve_access = (isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
               (int)$relayhost = (isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
               (int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
-              $name       = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
-              $domain     = $is_now['domain'];
-              $quota_b    = $quota_m * 1048576;
-              $password   = (!empty($_data['password'])) ? $_data['password'] : null;
-              $password2  = (!empty($_data['password2'])) ? $_data['password2'] : null;
-              $tags       = (is_array($_data['tags']) ? $_data['tags'] : array());
+              $name           = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
+              $domain         = $is_now['domain'];
+              $quota_b        = $quota_m * 1048576;
+              $password       = (!empty($_data['password'])) ? $_data['password'] : null;
+              $password2      = (!empty($_data['password2'])) ? $_data['password2'] : null;
+              $tags           = (is_array($_data['tags']) ? $_data['tags'] : array());
+              $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
+              $authsource     = $is_now['authsource'];
+              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc'))){
+                $authsource = $_data['authsource'];
+              }
             }
             else {
               $_SESSION['return'][] = array(
@@ -3183,18 +3195,21 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 `active` = :active,
                 `name`= :name,
                 `quota` = :quota_b,
+                `authsource` = :authsource,
                 `attributes` = JSON_SET(`attributes`, '$.force_pw_update', :force_pw_update),
                 `attributes` = JSON_SET(`attributes`, '$.sogo_access', :sogo_access),
                 `attributes` = JSON_SET(`attributes`, '$.imap_access', :imap_access),
                 `attributes` = JSON_SET(`attributes`, '$.sieve_access', :sieve_access),
                 `attributes` = JSON_SET(`attributes`, '$.pop3_access', :pop3_access),
                 `attributes` = JSON_SET(`attributes`, '$.relayhost', :relayhost),
-                `attributes` = JSON_SET(`attributes`, '$.smtp_access', :smtp_access)
+                `attributes` = JSON_SET(`attributes`, '$.smtp_access', :smtp_access),
+                `attributes` = JSON_SET(`attributes`, '$.attribute_hash', :attribute_hash)
                   WHERE `username` = :username");
             $stmt->execute(array(
               ':active' => $active,
               ':name' => $name,
               ':quota_b' => $quota_b,
+              ':attribute_hash' => $attribute_hash,
               ':force_pw_update' => $force_pw_update,
               ':sogo_access' => $sogo_access,
               ':imap_access' => $imap_access,
@@ -3202,7 +3217,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               ':sieve_access' => $sieve_access,
               ':smtp_access' => $smtp_access,
               ':relayhost' => $relayhost,
-              ':username' => $username
+              ':username' => $username,
+              ':authsource' => $authsource
             ));
             // save tags
             foreach($tags as $index => $tag){
@@ -3215,11 +3231,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 );
                 break;
               }
-              $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
-              $stmt->execute(array(
-                ':username' => $username,
-                ':tag_name' => $tag,
-              ));
+              try {
+                $stmt = $pdo->prepare("INSERT INTO `tags_mailbox` (`username`, `tag_name`) VALUES (:username, :tag_name)");
+                $stmt->execute(array(
+                  ':username' => $username,
+                  ':tag_name' => $tag,
+                ));
+              } catch (Exception $e) {
+              }
             }
             
             $_SESSION['return'][] = array(
@@ -3248,7 +3267,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
 
-          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);  
+          $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
+          $is_now = mailbox('get', 'mailbox_details', $_data['username']);
+          if ($is_now['attributes']['attribute_hash'] == $attribute_hash)
+            return true;
+
+          $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
+          $mbox_template_data['attribute_hash'] = $attribute_hash;
           $quarantine_attributes = array('username' => $_data['username']);
           $tls_attributes = array('username' => $_data['username']);
           $ratelimit_attributes = array('object' => $_data['username']);
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index d2275cdd2..c31e0f440 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -28,7 +28,13 @@
                   <div class="row mb-2">
                     <label class="control-label col-sm-2">{{ lang.admin.iam }}</label>
                     <div class="col-sm-10">
-                      <h4><span class="badge bg-primary">{{ result.authsource }}<i class="ms-2 bi bi-person-circle"></i></i></span></h4>
+                      <select
+                        data-style="btn btn-secondary"
+                        name="authsource" class="full-width-select form-control" required>
+                          <option value="mailcow" {% if result.authsource == "mailcow" %}selected{% endif %}>mailcow</option>
+                          <option value="keycloak" {% if result.authsource == "keycloak" %}selected{% endif %}>Keycloak</option>
+                          <option value="generic-oidc" {% if result.authsource == "generic-oidc" %}selected{% endif %}>Generic-OIDC</option>
+                      </select>
                     </div>
                   </div>
                   <div class="row mb-2">

From 37254738e207ec2ef5f2921081b6ced19703432a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jul 2023 15:59:16 +0200
Subject: [PATCH 052/378] [Web] improve identity-provider template

---
 data/web/inc/functions.inc.php                |   2 +-
 data/web/js/site/admin.js                     |  43 ++-
 .../admin/tab-config-identity-provider.twig   | 246 +++++++++++-------
 3 files changed, 182 insertions(+), 109 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 081f26e7d..d93dc0aa3 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2126,7 +2126,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
         $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
         $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
-        $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users');
+        $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
       } else if ($_data['authsource'] == "generic-oidc") {
         $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
       }
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index d2b206d22..3397a1a59 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -768,10 +768,10 @@ jQuery(function($){
     return mailcow_alert_box(lang_danger.iam_test_connection, 'danger');
   });
 
-  $('.iam_rolemap_add').click(async function(e){
+  $('.iam_rolemap_add_keycloak').click(async function(e){
     e.preventDefault();
 
-    var parent = $('#iam_mapping_list')
+    var parent = $('#iam_keycloak_mapping_list')
     $(parent).children().last().clone().appendTo(parent);
     var newChild = $(parent).children().last();
     $(newChild).find('input').val('');
@@ -781,17 +781,42 @@ jQuery(function($){
     $(newChild).find('select').selectpicker('destroy');
     $(newChild).find('select').selectpicker();
 
-    $('.iam_rolemap_del').off('click');
-    $('.iam_rolemap_del').click(async function(e){
+    $('.iam_keycloak_rolemap_del').off('click');
+    $('.iam_keycloak_rolemap_del').click(async function(e){
       e.preventDefault();
-      if ($(this).parent().parent().children().length > 1)
-        $(this).parent().remove();
+      if ($(this).parent().parent().parent().parent().children().length > 1)
+        $(this).parent().parent().parent().remove();
     });
   });
-  $('.iam_rolemap_del').click(async function(e){
+  $('.iam_rolemap_add_generic').click(async function(e){
     e.preventDefault();
-    if ($(this).parent().parent().children().length > 1)
-      $(this).parent().remove();
+
+    var parent = $('#iam_generic_mapping_list')
+    $(parent).children().last().clone().appendTo(parent);
+    var newChild = $(parent).children().last();
+    $(newChild).find('input').val('');
+    $(newChild).find('.dropdown-toggle').remove();
+    $(newChild).find('.dropdown-menu').remove();
+    $(newChild).find('.bs-title-option').remove();
+    $(newChild).find('select').selectpicker('destroy');
+    $(newChild).find('select').selectpicker();
+
+    $('.iam_generic_rolemap_del').off('click');
+    $('.iam_generic_rolemap_del').click(async function(e){
+      e.preventDefault();
+      if ($(this).parent().parent().parent().parent().children().length > 1)
+        $(this).parent().parent().parent().remove();
+    });
+  });
+  $('.iam_keycloak_rolemap_del').click(async function(e){
+    e.preventDefault();
+    if ($(this).parent().parent().parent().parent().children().length > 1)
+      $(this).parent().parent().parent().remove();
+  });
+  $('.iam_generic_rolemap_del').click(async function(e){
+    e.preventDefault();
+    if ($(this).parent().parent().parent().parent().children().length > 1)
+      $(this).parent().parent().parent().remove();
   });
   // selecting identity provider
   $('#iam_provider').on('change', function(){
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index a2aff987c..e7ba01b86 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -7,10 +7,10 @@
       <span class="d-none d-md-block">{{ lang.admin.iam }}</span>
     </div>
     <div id="collapse-tab-config-identity-provider" class="card-body collapse" data-bs-parent="#admin-content">
-      <p class="offset-sm-3 mb-4">{{ lang.admin.iam_description }}</p>
+      <p class="offset-sm-3 mb-4">{{ lang.admin.iam_description|raw }}</p>
       <div class="row mb-4">
-        <label class="control-label col-sm-3 text-sm-end" for="iam_realm">{{ lang.admin.iam }}:</label>
-        <div class="col-sm-4">
+        <label class="control-label col-md-3 text-sm-end" for="iam_realm">{{ lang.admin.iam }}:</label>
+        <div class="col-12 col-md-9 col-lg-4">
           <select
             data-style="btn btn-secondary"
             data-id="iam_provider"
@@ -25,26 +25,26 @@
         <form class="form-horizontal" autocapitalize="none" data-id="iam_keycloak" autocorrect="off" role="form" method="post">
           <input type="hidden" name="authsource" value="keycloak">
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_url">{{ lang.admin.iam_server_url }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_url">{{ lang.admin.iam_server_url }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_url" name="server_url" value="{{ iam_settings.server_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_realm">{{ lang.admin.iam_realm }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_realm">{{ lang.admin.iam_realm }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_realm" name="realm" value="{{ iam_settings.realm }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_clientid">{{ lang.admin.iam_client_id }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_clientid">{{ lang.admin.iam_client_id }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_clientid" name="client_id" value="{{ iam_settings.client_id }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_clientsecret">{{ lang.admin.iam_client_secret }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_clientsecret">{{ lang.admin.iam_client_secret }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <div class="reveal-password-input input-group">
                 <input type="password" class="password-field form-control" id="iam_keycloak_clientsecret" name="client_secret" value="{{ iam_settings.client_secret }}" required>
                 <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
@@ -52,62 +52,82 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_redirecturl">{{ lang.admin.iam_redirect_url }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_redirecturl">{{ lang.admin.iam_redirect_url }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_redirecturl" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
             </div>
           </div>
           <div class="row mb-4">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_keycloak_version">{{ lang.admin.iam_version }}:</label>
+            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_version">{{ lang.admin.iam_version }}:</label>
             <div class="col-sm-4">
               <input type="text" class="form-control" id="iam_keycloak_version" name="version" value="{{ iam_settings.version }}" required>
             </div>
           </div>
-          <div class="row mb-4">
-            <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
-            <div class="col-4 d-flex mb-2">
-              <span class="w-100 me-2">Attribute</span>
-              <span class="w-100 ms-2">Template</span>
-              <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-2 iam_rolemap_add"><i class="bi bi-plus-lg"></i></button>
-            </div>
-            <div id="iam_mapping_list">
-              {% for key, role in iam_settings.mappers %}
-              <div class="offset-sm-3 col-4 d-flex mb-2">
-                <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
-                <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-                {% for mbox_template in mbox_templates %}
-                  <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
-                    {{ mbox_template.template }}
-                  </option>
-                {% endfor %}
-                </select>
-                <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <div class="row px-2 align-items-center">
+                <span class="col-5 p-0 pe-2">Attribute</span>
+                <span class="col-5 p-0 pe-2">{{ lang.mailbox.template }}</span>
+                <div class="col-2 p-0 d-flex">
+                  <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_rolemap_add_keycloak"><i class="bi bi-plus-lg"></i></button>
+                </div>
               </div>
-              {% endfor %}
-              {% if not iam_settings.mappers %}
-              <div class="offset-sm-3 col-4 d-flex mb-2">
-                <input type="text" class="form-control me-2" name="mappers" value="" required>
-                <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-                {% for mbox_template in mbox_templates %}
-                  <option>
-                    {{ mbox_template.template }}
-                  </option>
-                {% endfor %}
-                </select>
-                <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
-              </div>
-              {% endif %}
             </div>
           </div>
+          <div class="row mb-2" id="iam_keycloak_mapping_list">
+            {% for key, role in iam_settings.mappers %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
+                </div>
+                <div class="col-5 p-0 pe-2">
+                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  {% for mbox_template in mbox_templates %}
+                    <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_keycloak_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
+            </div>
+            {% endfor %}
+            {% if not iam_settings.mappers %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 d-flex mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="mappers" value="" required>
+                </div>
+                <div class="col-5 p-0 pe-2">
+                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  {% for mbox_template in mbox_templates %}
+                    <option>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_keycloak_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
+            </div>
+            {% endif %}
+          </div>
           <div class="row mb-2 mt-4">
-            <label class="control-label col-sm-3 text-sm-end"></label>
-            <div class="col-sm-9">
+            <label class="control-label col-md-3 text-sm-end"></label>
+            <div class="col-12 col-md-9">
               <span>{{ lang.admin.iam_extra_permission|raw }}</span>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_rest_flow }}</label>
-            <div class="col-sm-9">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_rest_flow }}</label>
+            <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="mailpassword_flow" value="1" {% if iam_settings.mailpassword_flow == 1 %}checked{% endif %}>
               </div>
@@ -119,28 +139,34 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end">Periodic Full Sync</label>
-            <div class="col-sm-9">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_periodic_full_sync }}</label>
+            <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="periodic_sync"  value="1" {% if iam_settings.periodic_sync == 1 %}checked{% endif %}>
               </div>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end">Import Users</label>
-            <div class="col-sm-9">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_import_users }}</label>
+            <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="import_users"  value="1" {% if iam_settings.import_users == 1 %}checked{% endif %}>
               </div>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_sync_interval }}</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input class="form-control" type="number" name="sync_interval" style="width: 80px;"  {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
+            </div>
+          </div>
           <div class="row mt-4 mb-2">
-            <div class="offset-sm-3 col-sm-9 d-flex">
-              <div class="btn-group">   
+            <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
+              <div class="btn-group mb-2">   
                 <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection iam_test_connection" data-id="iam_keycloak"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
                 <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_keycloak" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
               </div>
-              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto" data-item="identity-provider" data-action="delete_selected" data-id="iam_keycloak" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
+              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto mb-2" data-item="identity-provider" data-action="delete_selected" data-id="iam_keycloak" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
             </div>
           </div>
         </form>
@@ -149,32 +175,32 @@
         <form class="form-horizontal" autocapitalize="none" data-id="iam_generic" autocorrect="off" role="form" method="post">
           <input type="hidden" name="authsource" value="generic-oidc">
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_authorize_url">{{ lang.admin.iam_authorize_url }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_authorize_url">{{ lang.admin.iam_authorize_url }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_authorize_url" name="authorize_url" value="{{ iam_settings.authorize_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_token_url">{{ lang.admin.iam_token_url }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_token_url">{{ lang.admin.iam_token_url }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_token_url" name="token_url" value="{{ iam_settings.token_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_userinfo_url">{{ lang.admin.iam_userinfo_url }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_userinfo_url">{{ lang.admin.iam_userinfo_url }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_userinfo_url" name="userinfo_url" value="{{ iam_settings.userinfo_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_client_id" name="client_id" value="{{ iam_settings.client_id }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <div class="reveal-password-input input-group">
                 <input type="password" class="password-field form-control" id="iam_client_secret" name="client_secret" value="{{ iam_settings.client_secret }}" required>
                 <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
@@ -182,52 +208,74 @@
             </div>
           </div>
           <div class="row mb-4">
-            <label class="control-label col-sm-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
-            <div class="col-sm-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
             </div>
           </div>
-          <div class="row mb-4">
-            <label class="control-label col-sm-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
-            <div class="col-4 d-flex mb-2">
-              <span class="w-100 me-2">Attribute</span>
-              <span class="w-100 ms-2">Template</span>
-              <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-2 iam_rolemap_add"><i class="bi bi-plus-lg"></i></button>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <div class="row px-2 align-items-center">
+                <span class="col-5 p-0 pe-2">Attribute</span>
+                <span class="col-5 p-0 pe-2">Template</span>
+                <div class="col-2 p-0 d-flex">
+                  <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_rolemap_add_generic"><i class="bi bi-plus-lg"></i></button>
+                </div>
+              </div>
             </div>
+          </div>
+          <div class="row mb-2" id="iam_generic_mapping_list">
             {% for key, role in iam_settings.mappers %}
-            <div class="offset-sm-3 col-4 d-flex mb-2">
-              <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
-              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-              {% for mbox_template in mbox_templates %}
-                <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
-                  {{ mbox_template.template }}
-                </option>
-              {% endfor %}
-              </select>
-              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
+                </div>
+                <div class="col-5 p-0 pe-2">
+                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  {% for mbox_template in mbox_templates %}
+                    <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_generic_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
             </div>
             {% endfor %}
             {% if not iam_settings.mappers %}
-            <div class="offset-sm-3 col-4 d-flex mb-2">
-              <input type="text" class="form-control me-2" name="mappers" value="" required>
-              <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
-              {% for mbox_template in mbox_templates %}
-                <option>
-                  {{ mbox_template.template }}
-                </option>
-              {% endfor %}
-              </select>
-              <button class="iam_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 d-flex mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="mappers" value="" required>
+                </div>
+                <div class="col-5 p-0 pe-2">
+                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  {% for mbox_template in mbox_templates %}
+                    <option>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_generic_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
             </div>
             {% endif %}
           </div>
           <div class="row mt-4 mb-2">
-            <div class="offset-sm-3 col-sm-9 d-flex">
-              <div class="btn-group">   
+            <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
+              <div class="btn-group mb-2">   
                 <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection" data-id="iam_generic"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
                 <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_generic" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
               </div>
-              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto" data-item="identity-provider" data-action="delete_selected" data-id="iam_generic" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
+              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto mb-2" data-item="identity-provider" data-action="delete_selected" data-id="iam_generic" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
             </div>
           </div>
         </form>

From 3179c0e712258b8a9e2149b78aa9a31d5d35ca1a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jul 2023 16:00:26 +0200
Subject: [PATCH 053/378] [Dovecot] mailcowauth minor fixes

---
 data/conf/dovecot/auth/mailcowauth.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index fa505d709..0adb5d45a 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -18,7 +18,6 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 }
 require_once '../../../web/inc/lib/vendor/autoload.php';
 
-// Do not show errors, we log to using error_log
 ini_set('error_reporting', 0);
 // Init database
 //$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
@@ -32,8 +31,8 @@ try {
   $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 }
 catch (PDOException $e) {
-  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
-  http_response_code(501);
+  $return = array("success" => false, "role" => '');
+  echo json_encode($return); 
   exit;
 }
 
@@ -48,7 +47,9 @@ $iam_provider = identity_provider('init');
 $result = check_login($post['username'], $post['password'], $post['protocol'], true);
 if ($result) {
   $return = array("success" => true, "role" => $result);
+} else {
+  $return = array("success" => false, "role" => '');
 }
 
 echo json_encode($return); 
-exit();
+exit;

From 8ce4600562c2571168cfb6a43977affbdba780c6 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jul 2023 16:00:51 +0200
Subject: [PATCH 054/378] [Web] update lang files

---
 data/web/lang/lang.de-de.json | 1 +
 data/web/lang/lang.en-gb.json | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 3813871ce..fd3442132 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -317,6 +317,7 @@
         "subject": "Betreff",
         "success": "Erfolg",
         "sys_mails": "System-E-Mails",
+        "task": "Aufgabe",
         "text": "Text",
         "time": "Zeit",
         "title": "Title",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 748d9bf7d..391ad58b5 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -217,14 +217,17 @@
         "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak.",
         "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
-        "iam_description": "Here, you can configure the integration with an external Keycloak service. The Keycloak user's mailboxes will be automatically created upon their first login, provided that a attribute mapping has been set.",
+        "iam_description": "Configure an external OIDC Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
         "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
+        "iam_import_users": "Import Users",
         "iam_mapping": "Attribute Mapping",
+        "iam_periodic_full_sync": "Periodic Full Sync",
         "iam_realm": "Realm",
         "iam_redirect_url": "Redirect Url",
         "iam_rest_flow": "Mailpassword Flow",
         "iam_server_url": "Server Url",
         "iam_sso": "SSO",
+        "iam_sync_interval": "Sync / Import interval (min)",
         "iam_test_connection": "Test Connection",
         "iam_token_url": "Token endpoint",
         "iam_userinfo_url": "User info endpoint",
@@ -344,6 +347,7 @@
         "subject": "Subject",
         "success": "Success",
         "sys_mails": "System mails",
+        "task": "Task",
         "text": "Text",
         "time": "Time",
         "title": "Title",

From 6df663825aaecdb05b2dcda3d27882f1397eee85 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Jul 2023 08:52:54 +0200
Subject: [PATCH 055/378] [Web] add curl timeouts to oidc requests

---
 data/web/inc/functions.auth.inc.php |  7 +++++++
 data/web/inc/functions.inc.php      | 16 ++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index f7a2a3519..db0da00d0 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -299,6 +299,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
   $queryParams = array('email' => $user, 'exact' => true);
   $queryString = http_build_query($queryParams);
   $curl = curl_init();
+  curl_setopt($curl, CURLOPT_TIMEOUT, 7);
   curl_setopt($curl, CURLOPT_URL, $url . '?' . $queryString);
   curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
   curl_setopt($curl, CURLOPT_HTTPHEADER, array(
@@ -311,6 +312,12 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = fa
   if ($code != 200) {
     return false;
   }
+  if (!isset($user_res['attributes']['mailcow_password']) || !is_array($user_res['attributes']['mailcow_password'])){
+    return false;
+  }
+  if (empty($user_res['attributes']['mailcow_password'][0])){
+    return false;
+  }
 
   // validate mailcow_password
   $mailcow_password = $user_res['attributes']['mailcow_password'][0];
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index d93dc0aa3..a7063fa2c 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2123,12 +2123,17 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       }
 
       if ($_data['authsource'] == "keycloak") {
+        $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
         $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
-        $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
-        $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
-        $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
+        $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
+        $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+        $_data['sync_interval']     = isset($_data['sync_interval']) ? intval($_data['sync_interval']) : 15;
+        $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
       } else if ($_data['authsource'] == "generic-oidc") {
-        $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+        $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? rtrim($_data['authorize_url'], '/') : null;
+        $_data['token_url']         = (!empty($_data['token_url'])) ? rtrim($_data['token_url'], '/') : null;
+        $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? rtrim($_data['userinfo_url'], '/') : null;
+        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
       }
       
       $pdo->beginTransaction();
@@ -2206,6 +2211,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       ));
       $curl = curl_init();
       curl_setopt($curl, CURLOPT_URL, $url);
+      curl_setopt($curl, CURLOPT_TIMEOUT, 7);
       curl_setopt($curl, CURLOPT_POST, 1);
       curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
       curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
@@ -2413,6 +2419,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         ));
         $curl = curl_init();
         curl_setopt($curl, CURLOPT_URL, $url);
+        curl_setopt($curl, CURLOPT_TIMEOUT, 7);
         curl_setopt($curl, CURLOPT_POST, 1);
         curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
         curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
@@ -2435,6 +2442,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       ));
       $curl = curl_init();
       curl_setopt($curl, CURLOPT_URL, $url);
+      curl_setopt($curl, CURLOPT_TIMEOUT, 7);
       curl_setopt($curl, CURLOPT_POST, 1);
       curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
       curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

From 21fa3c845889b82fa7807f8b6a9b8ef1ee6e0584 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Jul 2023 09:30:32 +0200
Subject: [PATCH 056/378] [Web] remove unnecessary if block

---
 data/web/inc/functions.auth.inc.php | 45 ++++++++++++++---------------
 1 file changed, 21 insertions(+), 24 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index db0da00d0..1df5f690a 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -182,37 +182,34 @@ function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal
   foreach ($rows as $row) { 
     // verify password
     if (verify_hash($row['password'], $pass) !== false) {
-      if (!array_key_exists("app_passwd_id", $row)){ 
-        // password is not a app password
-        // check for tfa authenticators
-        $authenticators = get_tfa($user);
-        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
-          // authenticators found, init TFA flow
-          $_SESSION['pending_mailcow_cc_username'] = $user;
-          $_SESSION['pending_mailcow_cc_role'] = "user";
-          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      // check for tfa authenticators
+      $authenticators = get_tfa($user);
+      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+        // authenticators found, init TFA flow
+        $_SESSION['pending_mailcow_cc_username'] = $user;
+        $_SESSION['pending_mailcow_cc_role'] = "user";
+        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+        unset($_SESSION['ldelay']);
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $user, '*'),
+          'msg' => array('logged_in_as', $user)
+        );
+        return "pending";
+      } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+        // no authenticators found, login successfull
+        if (!$is_internal){
           unset($_SESSION['ldelay']);
+          // Reactivate TFA if it was set to "deactivate TFA for next login"
+          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+          $stmt->execute(array(':user' => $user));
           $_SESSION['return'][] =  array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $user, '*'),
             'msg' => array('logged_in_as', $user)
           );
-          return "pending";
-        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-          // no authenticators found, login successfull
-          if (!$is_internal){
-            unset($_SESSION['ldelay']);
-            // Reactivate TFA if it was set to "deactivate TFA for next login"
-            $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-            $stmt->execute(array(':user' => $user));
-            $_SESSION['return'][] =  array(
-              'type' => 'success',
-              'log' => array(__FUNCTION__, $user, '*'),
-              'msg' => array('logged_in_as', $user)
-            );
-          }
-          return "user";
         }
+        return "user";
       }
     }
   }

From 6d3a32c1d9486e5a40994e03a5c6bfa3ab81655b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Jul 2023 09:46:04 +0200
Subject: [PATCH 057/378] [Web] trim CRON_LOG

---
 data/Dockerfiles/dovecot/trim_logs.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/Dockerfiles/dovecot/trim_logs.sh b/data/Dockerfiles/dovecot/trim_logs.sh
index 9b0824e1c..6b14c0c76 100755
--- a/data/Dockerfiles/dovecot/trim_logs.sh
+++ b/data/Dockerfiles/dovecot/trim_logs.sh
@@ -23,3 +23,4 @@ catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM CRON_LOG 0 ${LOG_LINES}"

From 43600cd127708319e0e79f9e503358d55bacfd25 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 28 Jul 2023 15:35:09 +0200
Subject: [PATCH 058/378] [Web] fix identity-provider settings layout

---
 .../web/templates/admin/tab-config-identity-provider.twig | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index e7ba01b86..c3d9181e0 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -98,7 +98,7 @@
             </div>
             {% endfor %}
             {% if not iam_settings.mappers %}
-            <div class="offset-md-3 col-12 col-md-9 col-lg-4 d-flex mb-2">
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
                 <div class="col-5 p-0 pe-2">
                   <input type="text" class="form-control me-2" name="mappers" value="" required>
@@ -113,7 +113,7 @@
                   </select>
                 </div>
                 <div class="col-2 p-0 d-flex">
-                  <button class="iam_keycloak_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+                  <button class="iam_keycloak_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
                 </div>
               </div>
             </div>
@@ -248,7 +248,7 @@
             </div>
             {% endfor %}
             {% if not iam_settings.mappers %}
-            <div class="offset-md-3 col-12 col-md-9 col-lg-4 d-flex mb-2">
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
                 <div class="col-5 p-0 pe-2">
                   <input type="text" class="form-control me-2" name="mappers" value="" required>
@@ -263,7 +263,7 @@
                   </select>
                 </div>
                 <div class="col-2 p-0 d-flex">
-                  <button class="iam_generic_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-2"><i class="bi bi-x-lg"></i></button>
+                  <button class="iam_generic_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
                 </div>
               </div>
             </div>

From 17b6ac331305e9f4a9b81c144969263c15f6a47d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 28 Jul 2023 15:36:48 +0200
Subject: [PATCH 059/378] [Web] allow mailbox authsource to be switchable

---
 data/web/edit.php                    | 4 +++-
 data/web/templates/edit/mailbox.twig | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/data/web/edit.php b/data/web/edit.php
index 83ae1467e..f13bc28d2 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -118,6 +118,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
         $quarantine_category = mailbox('get', 'quarantine_category', $mailbox);
         $get_tls_policy = mailbox('get', 'tls_policy', $mailbox);
         $rlyhosts = relayhost('get');
+        $iam_settings = identity_provider('get');
         $template = 'edit/mailbox.twig';
         $template_data = [
           'acl' => $_SESSION['acl'],
@@ -130,7 +131,8 @@ if (isset($_SESSION['mailcow_cc_role'])) {
           'rlyhosts' => $rlyhosts,
           'sender_acl_handles' => mailbox('get', 'sender_acl_handles', $mailbox),
           'user_acls' => acl('get', 'user', $mailbox),
-          'mailbox_details' => $result
+          'mailbox_details' => $result,
+          'iam_settings' => $iam_settings,
         ];
       }
     }
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index c31e0f440..b3ac8223b 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -32,8 +32,12 @@
                         data-style="btn btn-secondary"
                         name="authsource" class="full-width-select form-control" required>
                           <option value="mailcow" {% if result.authsource == "mailcow" %}selected{% endif %}>mailcow</option>
+                          {% if iam_settings.authsource == 'keycloak' %}
                           <option value="keycloak" {% if result.authsource == "keycloak" %}selected{% endif %}>Keycloak</option>
+                          {% endif %}
+                          {% if iam_settings.authsource == 'generic-oidc' %}
                           <option value="generic-oidc" {% if result.authsource == "generic-oidc" %}selected{% endif %}>Generic-OIDC</option>
+                          {% endif %}
                       </select>
                     </div>
                   </div>

From 7b4715947889b051fba6464e8c5470fbc04122ab Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sun, 30 Jul 2023 10:07:56 +0200
Subject: [PATCH 060/378] rework auth - move dovecot sasl log to php

---
 data/Dockerfiles/dovecot/docker-entrypoint.sh |  57 +--
 data/conf/dovecot/auth/mailcowauth.php        |  39 +-
 data/web/inc/functions.auth.inc.php           | 363 ++++++++++--------
 3 files changed, 236 insertions(+), 223 deletions(-)

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index a2a4554bc..673452267 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -138,18 +138,17 @@ function auth_password_verify(request, password)
   ltn12 = require "ltn12"
   https = require "ssl.https"
   https.TIMEOUT = 5
-  mysql = require "luasql.mysql"
-  env  = mysql.mysql()
-  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
 
   local req = {
     username = request.user,
-    password = password
+    password = password,
+    real_rip = request.real_rip,
+    protocol = {}
   }
+  req.protocol[request.service] = true
   local req_json = json.encode(req)
   local res = {} 
   
-  -- check against mailbox passwds
   local b, c = https.request {
     method = "POST",
     url = "https://nginx:9082",
@@ -162,48 +161,10 @@ function auth_password_verify(request, password)
     insecure = true
   }
   local api_response = json.decode(table.concat(res))
-  if api_response.role == 'user' then
-    con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-      VALUES ("%s", 0, "%s", "%s")]], con:escape(request.service), con:escape(request.user), con:escape(request.real_rip)))
-    con:close()
-    return dovecot.auth.PASSDB_RESULT_OK, "password=" .. password
-  end
-
-  
-  -- check against app passwds for imap and smtp
-  -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
-  if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
-    skip_sasl_log = false
-    req.protocol = {}
-    if tostring(req.real_rip) ~= "__IPV4_SOGO__" then
-      skip_sasl_log = true
-      req.protocol[request.service] = true
-    end
-    req_json = json.encode(req)
-
-    local b, c = https.request {
-      method = "POST",
-      url = "https://nginx:9082",
-      source = ltn12.source.string(req_json),
-      headers = {
-        ["content-type"] = "application/json",
-        ["content-length"] = tostring(#req_json)
-      },
-      sink = ltn12.sink.table(res),
-      insecure = true
-    }
-    local api_response = json.decode(table.concat(res))
-    if api_response.role == 'user' then
-      if skip_sasl_log == false then
-        con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-          VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
-      end
-      con:close()
-      return dovecot.auth.PASSDB_RESULT_OK, "password=" .. password
-    end
+  if api_response.success == true then
+    return dovecot.auth.PASSDB_RESULT_OK, ""
   end
   
-  con:close()
   return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
 end
 
@@ -212,12 +173,6 @@ function auth_passdb_lookup(req)
 end
 EOF
 
-# Replace patterns in app-passdb.lua
-sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/auth/passwd-verify.lua
-sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/auth/passwd-verify.lua
-sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/auth/passwd-verify.lua
-sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/auth/passwd-verify.lua
-
 
 # Migrate old sieve_after file
 [[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 0adb5d45a..e38abd82b 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -1,4 +1,5 @@
 <?php
+ini_set('error_reporting', 0);
 header('Content-Type: application/json');
 
 $post = trim(file_get_contents('php://input'));
@@ -6,8 +7,11 @@ if ($post) {
   $post = json_decode($post, true);
 }
 
-$return = array("success" => false, "role" => false);
-if(!isset($post['username']) || !isset($post['password'])){
+
+$return = array("success" => false);
+if(!isset($post['username']) || !isset($post['password']) || !isset($post['real_rip'])){
+  error_log("MAILCOWAUTH: Bad Request");
+  http_response_code(400); // Bad Request
   echo json_encode($return); 
   exit();
 }
@@ -18,9 +22,7 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 }
 require_once '../../../web/inc/lib/vendor/autoload.php';
 
-ini_set('error_reporting', 0);
 // Init database
-//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
 $dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
 $opt = [
     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
@@ -31,7 +33,8 @@ try {
   $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 }
 catch (PDOException $e) {
-  $return = array("success" => false, "role" => '');
+  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+  http_response_code(500); // Internal Server Error
   echo json_encode($return); 
   exit;
 }
@@ -44,12 +47,28 @@ require_once 'sessions.inc.php';
 // Init provider
 $iam_provider = identity_provider('init');
 
-$result = check_login($post['username'], $post['password'], $post['protocol'], true);
-if ($result) {
-  $return = array("success" => true, "role" => $result);
-} else {
-  $return = array("success" => false, "role" => '');
+
+$protocol = $post['protocol'];
+if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') {
+  $protocol = null;
+}
+$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+if ($result === false){
+  $result = apppass_login($post['username'], $post['password'], $protocol, array(
+    'is_internal' => true,
+    'remote_addr' => $post['real_rip']
+  ));
 }
 
+if ($result) {
+  http_response_code(200); // OK
+  $return['success'] = true;
+} else {
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
+  http_response_code(401); // Unauthorized
+}
+
+
 echo json_encode($return); 
+session_destroy();
 exit;
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 1df5f690a..6cc0166f1 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -1,64 +1,29 @@
 <?php
-function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
+function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
   global $pdo;
   global $redis;
+  
+  $is_internal = $extra['is_internal'];
 
-  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => 'malformed_username'
-    );
-    return false;
-  }
-
-  // Validate admin
-  $result = mailcow_admin_login($user, $pass);
+  // Try validate admin
+  $result = admin_login($user, $pass);
   if ($result !== false) return $result;
 
-  // Validate domain admin
-  $result = mailcow_domainadmin_login($user, $pass);
+  // Try validate domain admin
+  $result = domainadmin_login($user, $pass);
   if ($result !== false) return $result;
 
-  // Validate mailbox user
-  // check authsource
-  $stmt = $pdo->prepare("SELECT authsource, mailbox.active AS mailbox_active, domain.active AS domain_active FROM `mailbox`
-      INNER JOIN domain on mailbox.domain = domain.domain
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  if (!$row && $row['domain_active'] == 1){
-    // mbox does not exist, call keycloak login and create mbox if possible via rest flow
-    $iam_settings = identity_provider('get');
-    if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
-      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal, true);
-      if ($result !== false) return $result;
-    }
-  } else if ($row && $row['mailbox_active'] == 1 && $row['domain_active'] == 1) {
-    // mbox does exist and is active
-    if (isset($app_passwd_data)){
-      // first check if password is app_password
-      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
-      if ($result !== false) return $result;
-    }
+  // Try validate user
+  $result = user_login($user, $pass);
+  if ($result !== false) return $result;
 
-    if ($row['authsource'] == 'mailcow') {
-      // mbox authsource is mailcow
-      $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
-      if ($result !== false) return $result;
-    } else if ($row['authsource'] == 'keycloak'){
-      // mbox authsource is keycloak, try using via rest flow
-      $iam_settings = identity_provider('get');
-      if (intval($iam_settings['mailboxpassword_flow']) == 1){
-        $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal);
-        if ($result !== false) return $result;
-      }
-    }
-  }
+  // Try validate app password
+  $result = apppass_login($user, $pass, $app_passwd_data);
+  if ($result !== false) return $result;
 
   // skip log and only return false if it's an internal request
   if ($is_internal == true) return false;
+
   if (!isset($_SESSION['ldelay'])) {
     $_SESSION['ldelay'] = "0";
     $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
@@ -79,77 +44,175 @@ function check_login($user, $pass, $app_passwd_data = false, $is_internal = fals
   return false;
 }
 
-function mailcow_admin_login($user, $pass){
+function admin_login($user, $pass){
   global $pdo;
 
+  if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => 'malformed_username'
+    );
+    return false;
+  }
+
   $user = strtolower(trim($user));
   $stmt = $pdo->prepare("SELECT `password` FROM `admin`
       WHERE `superadmin` = '1'
       AND `active` = '1'
       AND `username` = :user");
   $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
-    // verify password
-    if (verify_hash($row['password'], $pass)) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        // active tfa authenticators found, set pending user login
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "admin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      } else {
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "admin";
-      }
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // verify password
+  if (verify_hash($row['password'], $pass)) {
+    // check for tfa authenticators
+    $authenticators = get_tfa($user);
+    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+      // active tfa authenticators found, set pending user login
+      $_SESSION['pending_mailcow_cc_username'] = $user;
+      $_SESSION['pending_mailcow_cc_role'] = "admin";
+      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      unset($_SESSION['ldelay']);
+      $_SESSION['return'][] =  array(
+        'type' => 'info',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'awaiting_tfa_confirmation'
+      );
+      return "pending";
+    } else {
+      unset($_SESSION['ldelay']);
+      // Reactivate TFA if it was set to "deactivate TFA for next login"
+      $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+      $stmt->execute(array(':user' => $user));
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => array('logged_in_as', $user)
+      );
+      return "admin";
     }
   }
 
   return false;
 }
-function mailcow_domainadmin_login($user, $pass){
+function domainadmin_login($user, $pass){
   global $pdo;
 
+  if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => 'malformed_username'
+    );
+    return false;
+  }
+
   $stmt = $pdo->prepare("SELECT `password` FROM `admin`
       WHERE `superadmin` = '0'
       AND `active`='1'
       AND `username` = :user");
   $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  foreach ($rows as $row) {
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'info',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => 'awaiting_tfa_confirmation'
-        );
-        return "pending";
-      }
-      else {
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // verify password
+  if (verify_hash($row['password'], $pass) !== false) {
+    // check for tfa authenticators
+    $authenticators = get_tfa($user);
+    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+      $_SESSION['pending_mailcow_cc_username'] = $user;
+      $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
+      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      unset($_SESSION['ldelay']);
+      $_SESSION['return'][] =  array(
+        'type' => 'info',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'awaiting_tfa_confirmation'
+      );
+      return "pending";
+    }
+    else {
+      unset($_SESSION['ldelay']);
+      // Reactivate TFA if it was set to "deactivate TFA for next login"
+      $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+      $stmt->execute(array(':user' => $user));
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => array('logged_in_as', $user)
+      );
+      return "domainadmin";
+    }
+  }
+
+  return false;
+}
+function user_login($user, $pass, $extra = null){
+  global $pdo;
+
+  $is_internal = $extra['is_internal'];
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `domain`.`active`='1'
+        AND `username` = :user");
+  $stmt->execute(array(':user' => $user));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // user does not exist, try call keycloak login and create user if possible via rest flow
+  if (!$row){
+    $iam_settings = identity_provider('get');
+    if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
+      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
+      if ($result !== false) return $result;
+    }
+  } 
+  if ($row['active'] != 1) {
+    return false;
+  }
+
+  if ($row['authsource'] == 'keycloak'){
+    // user authsource is keycloak, try using via rest flow
+    $iam_settings = identity_provider('get');
+    if (intval($iam_settings['mailboxpassword_flow']) == 1){
+      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+      return $result;
+    } else {
+      return false;
+    }
+  }
+ 
+  // verify password
+  if (verify_hash($row['password'], $pass) !== false) {
+    // check for tfa authenticators
+    $authenticators = get_tfa($user);
+    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+      // authenticators found, init TFA flow
+      $_SESSION['pending_mailcow_cc_username'] = $user;
+      $_SESSION['pending_mailcow_cc_role'] = "user";
+      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+      unset($_SESSION['ldelay']);
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => array('logged_in_as', $user)
+      );
+      return "pending";
+    } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+      // no authenticators found, login successfull
+      if (!$is_internal){
         unset($_SESSION['ldelay']);
         // Reactivate TFA if it was set to "deactivate TFA for next login"
         $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
@@ -159,66 +222,29 @@ function mailcow_domainadmin_login($user, $pass){
           'log' => array(__FUNCTION__, $user, '*'),
           'msg' => array('logged_in_as', $user)
         );
-        return "domainadmin";
       }
+      return "user";
     }
   }
 
   return false;
 }
-function mailcow_mbox_login($user, $pass, $app_passwd_data = false, $is_internal = false){
+function apppass_login($user, $pass, $app_passwd_data, $extra = null){
   global $pdo;
 
-  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
-      INNER JOIN domain on mailbox.domain = domain.domain
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `mailbox`.`active`='1'
-        AND `domain`.`active`='1'
-        AND (`mailbox`.`authsource`='mailcow' OR `mailbox`.`authsource` IS NULL)
-        AND `username` = :user");
-  $stmt->execute(array(':user' => $user));
-  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  $is_internal = $extra['is_internal'];
 
-  foreach ($rows as $row) { 
-    // verify password
-    if (verify_hash($row['password'], $pass) !== false) {
-      // check for tfa authenticators
-      $authenticators = get_tfa($user);
-      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
-        // authenticators found, init TFA flow
-        $_SESSION['pending_mailcow_cc_username'] = $user;
-        $_SESSION['pending_mailcow_cc_role'] = "user";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-        unset($_SESSION['ldelay']);
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-        return "pending";
-      } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-        // no authenticators found, login successfull
-        if (!$is_internal){
-          unset($_SESSION['ldelay']);
-          // Reactivate TFA if it was set to "deactivate TFA for next login"
-          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-          $stmt->execute(array(':user' => $user));
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
-            'msg' => array('logged_in_as', $user)
-          );
-        }
-        return "user";
-      }
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
     }
+    return false;
   }
 
-  return false;
-}
-function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal = false){
-  global $pdo;
-
   $protocol = false;
   if ($app_passwd_data['eas']){
     $protocol = 'eas';
@@ -236,34 +262,33 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
     return false;
   }
 
-
   // fetch app password data
-  $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
+  $stmt = $pdo->prepare("SELECT `app_passwd`.*, `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
     INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
     INNER JOIN `domain` ON `mailbox`.`domain` = `domain`.`domain`
     WHERE `mailbox`.`kind` NOT REGEXP 'location|thing|group'
       AND `mailbox`.`active` = '1'
       AND `domain`.`active` = '1'
       AND `app_passwd`.`active` = '1'
-      AND `app_passwd`.`mailbox` = :user
-      :has_access_query"
+      AND `app_passwd`.`mailbox` = :user"
   );
-  // check if app password has protocol access
-  // skip if protocol is false and the call is internal
-  $has_access_query = ($is_internal && $protocol === false) ? "" : " AND `app_passwd`.`" . $protocol . "_access` = '1'";
   // fetch password data
   $stmt->execute(array(
     ':user' => $user,
-    ':has_access_query' => $has_access_query
   ));
-  $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
+  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
   
-  foreach ($rows as $row) { 
+  foreach ($rows as $row) {
+    if ($protocol && $row[$protocol . '_access'] != '1'){
+      continue;
+    }
+
     // verify password
     if (verify_hash($row['password'], $pass) !== false) {
       if ($is_internal){
-        // skip sasl_log, dovecot does the job
-        return "user";
+        $remote_addr = $extra['remote_addr'];
+      } else {
+        $remote_addr = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
       }
 
       $service = strtoupper($is_app_passwd);
@@ -272,7 +297,7 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
         ':service' => $service,
         ':app_id' => $row['app_passwd_id'],
         ':username' => $user,
-        ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+        ':remote_addr' => $remote_addr
       ));
 
       unset($_SESSION['ldelay']);
@@ -285,9 +310,23 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
 // Keycloak REST Api Flow - auth user by mailcow_password attribute
 // This password will be used for direct UI, IMAP and SMTP Auth
 // To use direct user credentials, only Authorization Code Flow is valid
-function keycloak_mbox_login_rest($user, $pass, $iam_settings, $is_internal = false, $create = false){
+function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
   global $pdo;
 
+  $is_internal = $extra['is_internal'];
+  $create = $extra['create'];
+  
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
   // get access_token for service account of mailcow client
   $admin_token = identity_provider("get-keycloak-admin-token");
 

From 04e2494af8abb732f2b6808a266fa0d775542977 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sun, 30 Jul 2023 11:24:07 +0200
Subject: [PATCH 061/378] deny changes on identity provider if it's in use

---
 data/web/inc/functions.inc.php | 36 ++++++++++++++++++++++++++++++++--
 data/web/lang/lang.en-gb.json  |  1 +
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index a7063fa2c..782a12733 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2122,6 +2122,21 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         return false;
       }
 
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+          WHERE `authsource` != 'mailcow'
+          AND `authsource` IS NOT NULL
+          AND `authsource` != :authsource");  
+      $stmt->execute(array(':authsource' => $_data['authsource']));
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      if ($rows) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('authsource_in_use', $setting)
+        );
+        return false;
+      }
+
       if ($_data['authsource'] == "keycloak") {
         $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
         $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
@@ -2235,9 +2250,26 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         return false;
       }
       
-      $stmt = $pdo->prepare("DELETE FROM identity_provider;");
-      $stmt->execute();
+      $stmt = $pdo->query("SELECT * FROM `mailbox`
+          WHERE `authsource` != 'mailcow'
+          AND `authsource` IS NOT NULL");
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      if ($rows) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $data_log),
+          'msg' => array('authsource_in_use', $setting)
+        );
+        return false;
+      }
 
+      $stmt = $pdo->query("DELETE FROM identity_provider;");
+
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $data_log),
+        'msg' => array('item_deleted', '')
+      );
       return true;
     break;
     case "init":
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 391ad58b5..a6f32105a 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -387,6 +387,7 @@
         "aliases_in_use": "Max. aliases must be greater or equal to %d",
         "app_name_empty": "App name cannot be empty",
         "app_passwd_id_invalid": "App password ID %s invalid",
+        "authsource_in_use": "The identity provider cannot be changed or deleted as it is currently in use by one or more users.",
         "bcc_empty": "BCC destination cannot be empty",
         "bcc_exists": "A BCC map %s exists for type %s",
         "bcc_must_be_email": "BCC destination %s is not a valid email address",

From 3d486678ae275895fe8242af7cca3ef4fb2f0839 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Aug 2023 09:18:36 +0200
Subject: [PATCH 062/378] [Web] remove keycloak sync disabled warning

---
 data/conf/phpfpm/crons/keycloak-sync.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index f401f0ae7..baeec21d5 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -73,7 +73,6 @@ $_SESSION['acl']['mailbox_relayhost'] = "1";
 $iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
 if (intval($iam_settings['periodic_sync']) != 1 && $iam_settings['import_users'] != 1) {
-  logMsg("warning", "IAM Sync is disabled");
   session_destroy();
   exit;
 }
@@ -91,7 +90,7 @@ if (file_exists($lock_file)) {
     $last_execution = $lock_file_parts[1];
     $elapsed_time = (time() - $last_execution) / 60;
     if ($elapsed_time < intval($iam_settings['sync_interval'])) {
-      logMsg("warning", "Sync Interval not ready (".number_format((float)$elapsed_time, 2, '.', '')."min / ".$iam_settings['sync_interval']."min)");
+      logMsg("warning", "Sync not ready (".number_format((float)$elapsed_time, 2, '.', '')."min / ".$iam_settings['sync_interval']."min)");
       session_destroy();
       exit;
     }

From 9beb47c0676962440d94b2bedac6a6f5bc8c5f8e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Aug 2023 09:20:06 +0200
Subject: [PATCH 063/378] [Web] fix malformed_username check

---
 data/web/inc/functions.auth.inc.php | 30 ++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 6cc0166f1..8c35c1184 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -47,12 +47,14 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
 function admin_login($user, $pass){
   global $pdo;
 
-  if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => 'malformed_username'
-    );
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
     return false;
   }
 
@@ -99,12 +101,14 @@ function admin_login($user, $pass){
 function domainadmin_login($user, $pass){
   global $pdo;
 
-  if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => 'malformed_username'
-    );
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
     return false;
   }
 
@@ -315,7 +319,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
 
   $is_internal = $extra['is_internal'];
   $create = $extra['create'];
-  
+
   if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
     if (!$is_internal){
       $_SESSION['return'][] =  array(

From 185c36cdfe466a0dfcbfb633846d3548952bf24d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Aug 2023 09:24:07 +0200
Subject: [PATCH 064/378] [Web] catch update_sogo exceptions

---
 data/web/inc/functions.mailbox.inc.php | 46 ++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 7 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index d76b8fa50..457b53d60 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1325,8 +1325,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'rl_value' => $_data['rl_value']
             ), $_extra);
           }
-
-          update_sogo_static_view($username);
+       
+          try {
+            update_sogo_static_view($username);
+          }catch (PDOException $e) {
+            $_SESSION['return'][] = array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => $e->getMessage()
+            );
+          }
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -3247,7 +3255,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'msg' => array('mailbox_modified', $username)
             );
 
-            update_sogo_static_view($username);
+            try {
+              update_sogo_static_view($username);
+            }catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+            }
           }
           return true;
         break;
@@ -5467,8 +5483,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            
-            update_sogo_static_view($username);
+                 
+            try {
+              update_sogo_static_view($username);
+            }catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+            }
             $_SESSION['return'][] = array(
               'type' => 'success',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -5681,8 +5705,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
       }
     break;
   }
-  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource')) && getenv('SKIP_SOGO') != "y") {
-    update_sogo_static_view();
+  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource')) && getenv('SKIP_SOGO') != "y") {            
+    try {
+      update_sogo_static_view();
+    }catch (PDOException $e) {
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+        'msg' => $e->getMessage()
+      );
+    }
   }
   
   return true;

From a53ef2ed7a536fbfe3e910912e496f793c37749e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Aug 2023 09:26:15 +0200
Subject: [PATCH 065/378] [SOGo] remove sogo_view and triggers

---
 data/Dockerfiles/sogo/bootstrap-sogo.sh | 104 ------------------------
 data/web/inc/init_db.inc.php            |   8 +-
 2 files changed, 5 insertions(+), 107 deletions(-)

diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index aa15525c9..3eb591186 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -24,110 +24,6 @@ while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
 done
 echo "DB schema is ${DBV_NOW}"
 
-# Recreate view
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing sogo_view..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP VIEW IF EXISTS sogo_view"
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-CREATE VIEW sogo_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) AS 
-SELECT
-   mailbox.username,
-   mailbox.domain,
-   mailbox.username,
-   IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0', IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'), '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-   mailbox.name,
-   mailbox.username,
-   IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
-   IFNULL(gda.ad_alias, ''),
-   IFNULL(external_acl.send_as_acl, ''),
-   mailbox.kind,
-   mailbox.multiple_bookings
-FROM
-   mailbox
-   LEFT OUTER JOIN
-      grouped_mail_aliases ga
-      ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
-   LEFT OUTER JOIN
-      grouped_domain_alias_address gda
-      ON gda.username = mailbox.username
-   LEFT OUTER JOIN
-      grouped_sender_acl_external external_acl
-      ON external_acl.username = mailbox.username
-WHERE
-   mailbox.active = '1'
-GROUP BY
-   mailbox.username;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Will retry to setup SOGo view in 3s..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Waiting for SOGo view to be created by master..."
-      sleep 3
-    fi
-  done
-fi
-
-# Wait for static view table if missing after update and update content
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing _sogo_static_view..."
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-      echo "Updating _sogo_static_view content..."
-      # If changed, also update init_db.inc.php
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "REPLACE INTO _sogo_static_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) SELECT c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings from sogo_view;"
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "DELETE FROM _sogo_static_view WHERE c_uid NOT IN (SELECT username FROM mailbox WHERE active = '1')"
-    else
-      echo "Waiting for database initialization..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-    else
-      echo "Waiting for database initialization by master..."
-      sleep 3
-    fi
-  done
-fi
-
-
-# Recreate password update trigger
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing update trigger..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
-  while [[ ${TRIGGER_OK} != 'OK' ]]; do
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELIMITER -
-CREATE TRIGGER sogo_update_password AFTER UPDATE ON _sogo_static_view
-FOR EACH ROW
-BEGIN
-UPDATE mailbox SET password = NEW.c_password WHERE NEW.c_uid = username;
-END;
--
-DELIMITER ;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME = 'sogo_update_password'") ]]; then
-      TRIGGER_OK=OK
-    else
-      echo "Will retry to setup SOGo password update trigger in 3s"
-      sleep 3
-    fi
-  done
-fi
-
 # cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
 RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)
 
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 7447b5f4b..4f73911a6 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -1443,6 +1443,9 @@ function init_db_schema() {
       )); 
     } 
 
+    // remove old sogo views and triggers
+    $pdo->query("DROP TRIGGER IF EXISTS sogo_update_password");
+
     if (php_sapi_name() == "cli") {
       echo "DB initialization completed" . PHP_EOL;
     } else {
@@ -1467,6 +1470,7 @@ function init_db_schema() {
 }
 if (php_sapi_name() == "cli") {
   include '/web/inc/vars.inc.php';
+  include '/web/inc/functions.inc.php';
   include '/web/inc/functions.docker.inc.php';
   // $now = new DateTime();
   // $mins = $now->getOffset() / 60;
@@ -1488,9 +1492,7 @@ if (php_sapi_name() == "cli") {
   if (intval($res['OK_C']) === 2) {
     // Be more precise when replacing into _sogo_static_view, col orders may change
     try {
-      $stmt = $pdo->query("REPLACE INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`)
-        SELECT `c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings` from sogo_view");
-      $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');");
+      update_sogo_static_view();
       echo "Fixed _sogo_static_view" . PHP_EOL;
     }
     catch ( Exception $e ) {

From ccc17e4a201ba35311ceef1be37e7a06c49c0896 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Aug 2023 09:27:32 +0200
Subject: [PATCH 066/378] [SOGo] deny direct login on external users

---
 data/web/inc/functions.inc.php | 68 ++++++++++++++++++++++------------
 1 file changed, 44 insertions(+), 24 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 782a12733..0b55e75e1 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -840,35 +840,54 @@ function update_sogo_static_view($mailbox = null) {
     }
   }
 
-  $query = "REPLACE INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`)
-            SELECT
-              mailbox.username,
-              mailbox.domain,
-              mailbox.username,
-              IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0',
-                 IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-                 '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-              mailbox.name,
-              mailbox.username,
-              IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
-              IFNULL(gda.ad_alias, ''),
-              IFNULL(external_acl.send_as_acl, ''),
-              mailbox.kind,
-              mailbox.multiple_bookings
-            FROM
-              mailbox
-              LEFT OUTER JOIN grouped_mail_aliases ga ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
-              LEFT OUTER JOIN grouped_domain_alias_address gda ON gda.username = mailbox.username
-              LEFT OUTER JOIN grouped_sender_acl_external external_acl ON external_acl.username = mailbox.username
-            WHERE
-              mailbox.active = '1'";
+  $subquery = "GROUP BY mailbox.username";
+  if ($mailbox_exists) {
+    $subquery = "AND mailbox.username = :mailbox";
+  }
+  $query = "INSERT INTO _sogo_static_view (`c_uid`, `domain`, `c_name`, `c_password`, `c_cn`, `mail`, `aliases`, `ad_aliases`, `ext_acl`, `kind`, `multiple_bookings`)
+      SELECT
+        mailbox.username,
+        mailbox.domain,
+        mailbox.username,
+        CASE 
+          WHEN mailbox.authsource IS NOT NULL AND mailbox.authsource <> 'mailcow' THEN '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'
+          ELSE 
+            IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0',
+              IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
+              '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321')
+        END AS c_password,
+        mailbox.name,
+        mailbox.username,
+        IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
+        IFNULL(gda.ad_alias, ''),
+        IFNULL(external_acl.send_as_acl, ''),
+        mailbox.kind,
+        mailbox.multiple_bookings
+      FROM
+        mailbox
+        LEFT OUTER JOIN grouped_mail_aliases ga ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
+        LEFT OUTER JOIN grouped_domain_alias_address gda ON gda.username = mailbox.username
+        LEFT OUTER JOIN grouped_sender_acl_external external_acl ON external_acl.username = mailbox.username
+      WHERE
+        mailbox.active = '1'
+        $subquery
+      ON DUPLICATE KEY UPDATE
+        `domain` = VALUES(`domain`),
+        `c_name` = VALUES(`c_name`),
+        `c_password` = VALUES(`c_password`),
+        `c_cn` = VALUES(`c_cn`),
+        `mail` = VALUES(`mail`),
+        `aliases` = VALUES(`aliases`),
+        `ad_aliases` = VALUES(`ad_aliases`),
+        `ext_acl` = VALUES(`ext_acl`),
+        `kind` = VALUES(`kind`),
+        `multiple_bookings` = VALUES(`multiple_bookings`)";
+
   
   if ($mailbox_exists) {
-    $query .= " AND mailbox.username = :mailbox";
     $stmt = $pdo->prepare($query);
     $stmt->execute(array(':mailbox' => $mailbox));
   } else {
-    $query .= " GROUP BY mailbox.username";
     $stmt = $pdo->query($query);
   }
   
@@ -2143,6 +2162,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
         $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
         $_data['sync_interval']     = isset($_data['sync_interval']) ? intval($_data['sync_interval']) : 15;
+        $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
         $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
       } else if ($_data['authsource'] == "generic-oidc") {
         $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? rtrim($_data['authorize_url'], '/') : null;

From e64293c82f45b250580ed69d3451756ed47662aa Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Aug 2023 09:28:26 +0200
Subject: [PATCH 067/378] [Web] minor fixes

---
 data/web/lang/lang.en-gb.json                              | 2 +-
 data/web/templates/admin/tab-config-identity-provider.twig | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index a6f32105a..d77de7373 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -1086,7 +1086,7 @@
         "forwarding_host_removed": "Forwarding host %s has been removed",
         "global_filter_written": "Filter was successfully written to file",
         "hash_deleted": "Hash deleted",
-        "iam_test_connection": "Connection successfull",
+        "iam_test_connection": "Connection successful",
         "ip_check_opt_in_modified": "IP check was saved successfully",
         "item_deleted": "Item %s successfully deleted",
         "item_released": "Item %s released",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index c3d9181e0..88ccc95ee 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -157,7 +157,7 @@
           <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_sync_interval }}</label>
             <div class="col-12 col-md-9 col-lg-4">
-              <input class="form-control" type="number" name="sync_interval" style="width: 80px;"  {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
+              <input class="form-control" type="number" min="1" name="sync_interval" style="width: 80px;"  {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
             </div>
           </div>
           <div class="row mt-4 mb-2">

From ddaeebc822b4a5cc07a84df9e1432bc96bf42d0c Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Fri, 4 Aug 2023 08:56:59 +0200
Subject: [PATCH 068/378] [Rspamd] Update to 3.6 (Ratelimit fix)

---
 data/Dockerfiles/rspamd/Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile
index 2511a6f2f..06a988449 100644
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -1,17 +1,17 @@
-FROM debian:bullseye-slim
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+FROM debian:bookworm-slim
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CODENAME=bullseye
+ARG CODENAME=bookworm
 ENV LC_ALL C
 
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
   tzdata \
   ca-certificates \
   gnupg2 \
   apt-transport-https \
   dnsutils \
-  netcat \
+  netcat-traditional \
   && apt-key adv --fetch-keys https://rspamd.com/apt-stable/gpg.key \
   && echo "deb https://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list \
   && apt-get update \

From c15ab10b1bb0b0edde1a2b5ce421879553f7e85e Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Wed, 26 Apr 2023 08:37:20 +0000
Subject: [PATCH 069/378] Updated Clamd Building to be x86 and ARM Compatible

---
 data/Dockerfiles/clamd/Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile
index 8e107516b..3aebff433 100644
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -10,9 +10,7 @@ RUN apk upgrade --no-cache \
   bash \
   tini
 
-# init
-COPY clamd.sh /clamd.sh
-RUN chmod +x /sbin/tini
+COPY clamd.sh ./
 
 # healthcheck
 COPY healthcheck.sh /healthcheck.sh

From 2bd46ae0fdcee5458fd9fd0c1490a94ddfe0f54d Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Sun, 30 Apr 2023 17:28:50 +0000
Subject: [PATCH 070/378] Changed Maintainer to tinc within Dockerfiles

---
 data/Dockerfiles/sogo/Dockerfile.custom | 118 ++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 data/Dockerfiles/sogo/Dockerfile.custom

diff --git a/data/Dockerfiles/sogo/Dockerfile.custom b/data/Dockerfiles/sogo/Dockerfile.custom
new file mode 100644
index 000000000..a0dffbae1
--- /dev/null
+++ b/data/Dockerfiles/sogo/Dockerfile.custom
@@ -0,0 +1,118 @@
+FROM debian:bullseye-slim AS build
+LABEL maintainer "The Infrastructure Company <info@servercow.de>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG SOGO_VERSION=5.8.2
+
+RUN apt update && apt install -y --no-install-recommends \
+libgnustep-base-dev \
+cmake \
+pkg-config \
+make \
+gobjc \
+libz-dev \
+libexpat1-dev \
+zlib1g-dev \
+libpq-dev \
+libcurl4-openssl-dev \
+libsodium-dev \
+libxml2-dev \
+libssl-dev \
+libldap2-dev \
+libzip-dev \
+default-libmysqlclient-dev \
+mariadb-client \
+libmemcached-dev \
+libytnef0 \
+libytnef0-dev \
+libwbxml2-0 \
+libwbxml2-dev \
+curl \
+pkg-config \
+wget \
+git
+
+RUN mkdir /tmp/libwbxml && git clone https://github.com/libwbxml/libwbxml.git /tmp/libwbxml/ \
+&& cd /tmp/libwbxml/ \
+&& cmake . -B/tmp/build/libwbxml -DCMAKE_INSTALL_PREFIX=$prefix \ 
+&& cd /tmp/build/libwbxml \
+&& make \
+&& make install \
+&& ln -s /include/libwbxml-1.0 /usr/include/libwbxml-1.0
+
+RUN cd /tmp && mkdir sope && wget https://packages.sogo.nu/sources/SOPE-${SOGO_VERSION}.tar.gz -O - | tar -xz -C /tmp/sope --strip-components=1 && cd /tmp/sope \
+&& ./configure --with-gnustep --enable-debug --disable-strip \
+&& make \
+&& make install
+
+RUN cd /tmp && mkdir sogo && wget https://packages.sogo.nu/sources/SOGo-${SOGO_VERSION}.tar.gz -O - | tar -xz -C /tmp/sogo --strip-components=1 && cd /tmp/sogo \
+&& ./configure --enable-debug --disable-strip \
+&& make \
+&& make install
+
+RUN cd /tmp/sogo/ActiveSync \
+&& make VERBOSE=1 \
+&& make install
+
+FROM debian:bullseye-slim
+ARG GOSU_VERSION=1.16
+ENV LC_ALL C
+LABEL maintainer "The Infrastructure Company <info@servercow.de>"
+
+RUN apt update && apt install -y --no-install-recommends \
+    apt-transport-https \
+    ca-certificates \
+    gettext \
+    gnupg \
+    mariadb-client \
+    rsync \
+    supervisor \
+    syslog-ng \
+    syslog-ng-core \
+    syslog-ng-mod-redis \
+    dirmngr \
+    netcat \
+    psmisc \
+    wget \
+    patch \
+    && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
+    && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
+    && chmod +x /usr/local/bin/gosu \
+    && gosu nobody true \
+    && mkdir /usr/share/doc/sogo \
+    && touch /usr/share/doc/sogo/empty.sh \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=build /usr/local/sbin /usr/local/sbin
+COPY --from=build /usr/local/lib /usr/local/lib
+COPY --from=build /usr/lib /usr/lib
+COPY --from=build /lib/aarch64-linux-gnu /lib/aarch64-linux-gnu
+COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
+COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY acl.diff /acl.diff
+COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY docker-entrypoint.sh /
+
+RUN chmod +x /bootstrap-sogo.sh \
+  /usr/local/sbin/stop-supervisor.sh
+
+RUN echo "/usr/local/lib/sogo" > /etc/ld.so.conf.d/sogo.conf \
+&& ldconfig
+
+RUN groupadd --system sogo && useradd --system --gid sogo sogo \
+   && echo "create directories and enforce permissions" \
+   && install -o sogo -g sogo -m 755 -d /var/run/sogo  \
+   && install -o sogo -g sogo -m 750 -d /var/spool/sogo  \
+   && install -o sogo -g sogo -m 750 -d /var/log/sogo
+
+RUN rm -rf /usr/lib/GNUstep/SOGo
+RUN mkdir -p /usr/lib/GNUstep && ln -s /usr/local/lib/GNUstep/SOGo /usr/lib/GNUstep/SOGo
+RUN ln -s /usr/local/sbin/sogo-tool /usr/sbin/sogo-tool
+RUN ln -s /usr/local/sbin/sogo-ealarms-notify /usr/sbin/sogo-ealarms-notify
+RUN ln -s /usr/local/sbin/sogo-slapd-sockd /usr/sbin/sogo-slapd-sockd 
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
\ No newline at end of file

From 6da41b10278fb83a4297239ad6bf5658f006c67e Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Sun, 30 Apr 2023 17:30:25 +0000
Subject: [PATCH 071/378] Removed Test self compiled SOGo Dockerfile

---
 data/Dockerfiles/sogo/Dockerfile.custom | 118 ------------------------
 1 file changed, 118 deletions(-)
 delete mode 100644 data/Dockerfiles/sogo/Dockerfile.custom

diff --git a/data/Dockerfiles/sogo/Dockerfile.custom b/data/Dockerfiles/sogo/Dockerfile.custom
deleted file mode 100644
index a0dffbae1..000000000
--- a/data/Dockerfiles/sogo/Dockerfile.custom
+++ /dev/null
@@ -1,118 +0,0 @@
-FROM debian:bullseye-slim AS build
-LABEL maintainer "The Infrastructure Company <info@servercow.de>"
-
-ARG DEBIAN_FRONTEND=noninteractive
-ARG SOGO_VERSION=5.8.2
-
-RUN apt update && apt install -y --no-install-recommends \
-libgnustep-base-dev \
-cmake \
-pkg-config \
-make \
-gobjc \
-libz-dev \
-libexpat1-dev \
-zlib1g-dev \
-libpq-dev \
-libcurl4-openssl-dev \
-libsodium-dev \
-libxml2-dev \
-libssl-dev \
-libldap2-dev \
-libzip-dev \
-default-libmysqlclient-dev \
-mariadb-client \
-libmemcached-dev \
-libytnef0 \
-libytnef0-dev \
-libwbxml2-0 \
-libwbxml2-dev \
-curl \
-pkg-config \
-wget \
-git
-
-RUN mkdir /tmp/libwbxml && git clone https://github.com/libwbxml/libwbxml.git /tmp/libwbxml/ \
-&& cd /tmp/libwbxml/ \
-&& cmake . -B/tmp/build/libwbxml -DCMAKE_INSTALL_PREFIX=$prefix \ 
-&& cd /tmp/build/libwbxml \
-&& make \
-&& make install \
-&& ln -s /include/libwbxml-1.0 /usr/include/libwbxml-1.0
-
-RUN cd /tmp && mkdir sope && wget https://packages.sogo.nu/sources/SOPE-${SOGO_VERSION}.tar.gz -O - | tar -xz -C /tmp/sope --strip-components=1 && cd /tmp/sope \
-&& ./configure --with-gnustep --enable-debug --disable-strip \
-&& make \
-&& make install
-
-RUN cd /tmp && mkdir sogo && wget https://packages.sogo.nu/sources/SOGo-${SOGO_VERSION}.tar.gz -O - | tar -xz -C /tmp/sogo --strip-components=1 && cd /tmp/sogo \
-&& ./configure --enable-debug --disable-strip \
-&& make \
-&& make install
-
-RUN cd /tmp/sogo/ActiveSync \
-&& make VERBOSE=1 \
-&& make install
-
-FROM debian:bullseye-slim
-ARG GOSU_VERSION=1.16
-ENV LC_ALL C
-LABEL maintainer "The Infrastructure Company <info@servercow.de>"
-
-RUN apt update && apt install -y --no-install-recommends \
-    apt-transport-https \
-    ca-certificates \
-    gettext \
-    gnupg \
-    mariadb-client \
-    rsync \
-    supervisor \
-    syslog-ng \
-    syslog-ng-core \
-    syslog-ng-mod-redis \
-    dirmngr \
-    netcat \
-    psmisc \
-    wget \
-    patch \
-    && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
-    && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
-    && chmod +x /usr/local/bin/gosu \
-    && gosu nobody true \
-    && mkdir /usr/share/doc/sogo \
-    && touch /usr/share/doc/sogo/empty.sh \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY --from=build /usr/local/sbin /usr/local/sbin
-COPY --from=build /usr/local/lib /usr/local/lib
-COPY --from=build /usr/lib /usr/lib
-COPY --from=build /lib/aarch64-linux-gnu /lib/aarch64-linux-gnu
-COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY acl.diff /acl.diff
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY docker-entrypoint.sh /
-
-RUN chmod +x /bootstrap-sogo.sh \
-  /usr/local/sbin/stop-supervisor.sh
-
-RUN echo "/usr/local/lib/sogo" > /etc/ld.so.conf.d/sogo.conf \
-&& ldconfig
-
-RUN groupadd --system sogo && useradd --system --gid sogo sogo \
-   && echo "create directories and enforce permissions" \
-   && install -o sogo -g sogo -m 755 -d /var/run/sogo  \
-   && install -o sogo -g sogo -m 750 -d /var/spool/sogo  \
-   && install -o sogo -g sogo -m 750 -d /var/log/sogo
-
-RUN rm -rf /usr/lib/GNUstep/SOGo
-RUN mkdir -p /usr/lib/GNUstep && ln -s /usr/local/lib/GNUstep/SOGo /usr/lib/GNUstep/SOGo
-RUN ln -s /usr/local/sbin/sogo-tool /usr/sbin/sogo-tool
-RUN ln -s /usr/local/sbin/sogo-ealarms-notify /usr/sbin/sogo-ealarms-notify
-RUN ln -s /usr/local/sbin/sogo-slapd-sockd /usr/sbin/sogo-slapd-sockd 
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
\ No newline at end of file

From 737c0502accf67c9bcce66d47af64c8986858ed1 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Tue, 2 May 2023 14:37:35 +0000
Subject: [PATCH 072/378] Rebased Dovecot on Alpine 3.17 instead Bullseye
 (ARM64 Support)

---
 data/Dockerfiles/dovecot/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index a9d4739cf..45f03fefa 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -133,4 +133,4 @@ COPY quota_notify.py /usr/local/bin/quota_notify.py
 COPY repl_health.sh /usr/local/bin/repl_health.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
\ No newline at end of file

From 60f9412bb8cc45e1b8effa6ea58ac740017b13d4 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Tue, 2 May 2023 15:29:21 +0000
Subject: [PATCH 073/378] Switched to Alpine Edge (for IMAPSYNC Deps)

---
 data/Dockerfiles/dovecot/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index 45f03fefa..8b315b45a 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -33,10 +33,13 @@ RUN addgroup -g 5000 vmail \
   lua5.3-sql-mysql \
   icu-data-full \
   mariadb-connector-c \
-  gcompat \
   lua-sec \
+  mariadb-dev \
+  glib-dev \
+  gcompat \
   mariadb-client \
   perl \
+  perl-dev \
   perl-ntlm \
   perl-cgi \
   perl-crypt-openssl-rsa \

From 38db7226a8991576d8fd11009fcd5ec24d9b44ee Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Wed, 3 May 2023 08:37:00 +0000
Subject: [PATCH 074/378] Optimized CLAMAV Builds to match exact version
 instead of Repo

---
 data/Dockerfiles/clamd/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile
index 3aebff433..8e107516b 100644
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -10,7 +10,9 @@ RUN apk upgrade --no-cache \
   bash \
   tini
 
-COPY clamd.sh ./
+# init
+COPY clamd.sh /clamd.sh
+RUN chmod +x /sbin/tini
 
 # healthcheck
 COPY healthcheck.sh /healthcheck.sh

From 7ec7bd21cbfecf814a98608ffd14590fab6fd2e9 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Wed, 3 May 2023 09:36:43 +0000
Subject: [PATCH 075/378] Changed Dovecot Base to Bullseye again (Self compile)

---
 data/Dockerfiles/dovecot/Dockerfile | 34 ++++++++++++++++-------------
 data/conf/dovecot/dovecot.conf      |  4 ++--
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index 8b315b45a..dd13fae7c 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -3,9 +3,10 @@ LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.16
+ARG DOVECOT_VERSION=2.3.20
+ARG PIGEONHOLE_VERSION=0.5.20
+ENV LC_ALL C
 
-ENV LANG C.UTF-8
-ENV LC_ALL C.UTF-8
 
 # Add groups and users before installing Dovecot to not break compatibility
 RUN addgroup -g 5000 vmail \
@@ -98,19 +99,22 @@ RUN addgroup -g 5000 vmail \
   supervisor \
   tzdata \
   wget \
-  dovecot \
-  dovecot-dev \
-  dovecot-lmtpd \
-  dovecot-lua \
-  dovecot-ldap \
-  dovecot-mysql \
-  dovecot-sql \
-  dovecot-submissiond \
-  dovecot-pigeonhole-plugin \
-  dovecot-pop3d \
-  dovecot-fts-solr \
-  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
-  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
+  git \
+  bison \
+  flex \
+  build-essential \
+  autoconf \
+  automake \
+  libtool \
+  make \
+  default-libmysqlclient-dev \
+  libicu-dev \
+  zlib1g-dev \
+  pkg-config \
+  libsqlite3-dev \
+  liblua5.3-dev \
+  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
+  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
   && chmod +x /usr/local/bin/gosu \
   && gosu nobody true
 
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index f2c917eff..9284d2cf8 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -241,8 +241,8 @@ plugin {
   mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
   mail_crypt_save_version = 2
 
-  # Enable compression while saving, lz4 Dovecot v2.2.11+
-  zlib_save = lz4
+  # Enable compression while saving, zstd Dovecot v2.3.17+
+  zlib_save = zstd
 
   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
   mail_log_fields = uid box msgid size

From 466e36ecbbd8965fb83379a5c8858b32cdc18b0a Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Wed, 3 May 2023 09:55:55 +0000
Subject: [PATCH 076/378] Optimized Build Process for Dovecot

---
 data/Dockerfiles/dovecot/Dockerfile | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index dd13fae7c..0af13e69f 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -112,11 +112,7 @@ RUN addgroup -g 5000 vmail \
   zlib1g-dev \
   pkg-config \
   libsqlite3-dev \
-  liblua5.3-dev \
-  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
-  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
-  && chmod +x /usr/local/bin/gosu \
-  && gosu nobody true
+  liblua5.3-dev
 
 # RUN cpan LockFile::Simple
 

From 92d2cca7c33032a51b258c9909419115f4199877 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Fri, 5 May 2023 10:05:40 +0000
Subject: [PATCH 077/378] Added missing Labels to Dockerfiles

---
 data/Dockerfiles/solr/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/Dockerfiles/solr/Dockerfile b/data/Dockerfiles/solr/Dockerfile
index 429133519..ecbd6a37a 100644
--- a/data/Dockerfiles/solr/Dockerfile
+++ b/data/Dockerfiles/solr/Dockerfile
@@ -1,4 +1,5 @@
 FROM solr:7.7-slim
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 
 USER root
 

From 4b18a99e556e5037b06e953ee535213a55255bdb Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Fri, 12 May 2023 08:30:55 +0000
Subject: [PATCH 078/378] Small fixes for CLAMD Health Check

---
 data/Dockerfiles/clamd/Dockerfile    | 1 +
 data/Dockerfiles/clamd/clamdcheck.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile
index 8e107516b..7ff58ed80 100644
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -12,6 +12,7 @@ RUN apk upgrade --no-cache \
 
 # init
 COPY clamd.sh /clamd.sh
+COPY clamdcheck.sh /usr/local/bin/
 RUN chmod +x /sbin/tini
 
 # healthcheck
diff --git a/data/Dockerfiles/clamd/clamdcheck.sh b/data/Dockerfiles/clamd/clamdcheck.sh
index 7884d48a9..e7e53a65f 100644
--- a/data/Dockerfiles/clamd/clamdcheck.sh
+++ b/data/Dockerfiles/clamd/clamdcheck.sh
@@ -11,4 +11,4 @@ if [ "${CLAMAV_NO_CLAMD:-}" != "false" ]; then
 	echo "Clamd is up"
 fi
 
-exit 0
\ No newline at end of file
+exit 0

From 89c50642138a9514fd3a188cd1be434f29298e0e Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Thu, 3 Aug 2023 09:29:23 +0000
Subject: [PATCH 079/378] Rebased Dovecot on Alpine + fixed logging

---
 data/Dockerfiles/dovecot/Dockerfile | 31 +++++++++++++++--------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index 0af13e69f..a3bdc8472 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -99,22 +99,23 @@ RUN addgroup -g 5000 vmail \
   supervisor \
   tzdata \
   wget \
-  git \
-  bison \
-  flex \
-  build-essential \
-  autoconf \
-  automake \
-  libtool \
-  make \
-  default-libmysqlclient-dev \
-  libicu-dev \
-  zlib1g-dev \
-  pkg-config \
-  libsqlite3-dev \
-  liblua5.3-dev
+  dovecot \
+  dovecot-dev \
+  dovecot-lmtpd \
+  dovecot-lua \
+  dovecot-ldap \
+  dovecot-mysql \
+  dovecot-sql \
+  dovecot-submissiond \
+  dovecot-pigeonhole-plugin \
+  dovecot-pop3d \
+  dovecot-fts-solr \
+  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
+  && chmod +x /usr/local/bin/gosu \
+  && gosu nobody true
 
-# RUN cpan LockFile::Simple
+#RUN cpan LockFile::Simple
 
 COPY trim_logs.sh /usr/local/bin/trim_logs.sh
 COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh

From 81024b8c126949afc62ea0515928bab683243149 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Fri, 4 Aug 2023 09:28:07 +0000
Subject: [PATCH 080/378] Clamd using Alpine Packages instead self compile

---
 data/Dockerfiles/clamd/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile
index 7ff58ed80..8e107516b 100644
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -12,7 +12,6 @@ RUN apk upgrade --no-cache \
 
 # init
 COPY clamd.sh /clamd.sh
-COPY clamdcheck.sh /usr/local/bin/
 RUN chmod +x /sbin/tini
 
 # healthcheck

From 788f03e99337a7cc60474ba1d2ecdac0be552589 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 8 Aug 2023 10:13:14 +0200
Subject: [PATCH 081/378] [Dovecot] remove passwd-verify.lua generation

---
 .gitignore                                    |  1 -
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 46 -------------------
 data/conf/dovecot/auth/passwd-verify.lua      | 42 +++++++++++++++++
 3 files changed, 42 insertions(+), 47 deletions(-)
 create mode 100644 data/conf/dovecot/auth/passwd-verify.lua

diff --git a/.gitignore b/.gitignore
index 22ea38bd0..e1e8e8882 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,7 +17,6 @@ data/conf/dovecot/mail_replica.conf
 data/conf/dovecot/global_sieve_*
 data/conf/dovecot/last_login
 data/conf/dovecot/lua
-data/conf/dovecot/auth/passwd-verify.lua
 data/conf/dovecot/mail_plugins*
 data/conf/dovecot/shared_namespace.conf
 data/conf/dovecot/sni.conf
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index 673452267..fef099cc6 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -128,52 +128,6 @@ user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format
 iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF
 
-cat <<EOF > /etc/dovecot/auth/passwd-verify.lua
-function auth_password_verify(request, password)
-  if request.domain == nil then
-    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
-  end
-
-  json = require "json"
-  ltn12 = require "ltn12"
-  https = require "ssl.https"
-  https.TIMEOUT = 5
-
-  local req = {
-    username = request.user,
-    password = password,
-    real_rip = request.real_rip,
-    protocol = {}
-  }
-  req.protocol[request.service] = true
-  local req_json = json.encode(req)
-  local res = {} 
-  
-  local b, c = https.request {
-    method = "POST",
-    url = "https://nginx:9082",
-    source = ltn12.source.string(req_json),
-    headers = {
-      ["content-type"] = "application/json",
-      ["content-length"] = tostring(#req_json)
-    },
-    sink = ltn12.sink.table(res),
-    insecure = true
-  }
-  local api_response = json.decode(table.concat(res))
-  if api_response.success == true then
-    return dovecot.auth.PASSDB_RESULT_OK, ""
-  end
-  
-  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
-end
-
-function auth_passdb_lookup(req)
-   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
-end
-EOF
-
-
 # Migrate old sieve_after file
 [[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
 # Create global sieve scripts
diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua
new file mode 100644
index 000000000..cb2e928d0
--- /dev/null
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -0,0 +1,42 @@
+function auth_password_verify(request, password)
+  if request.domain == nil then
+    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
+  end
+
+  json = require "cjson"
+  ltn12 = require "ltn12"
+  https = require "ssl.https"
+  https.TIMEOUT = 5
+
+  local req = {
+    username = request.user,
+    password = password,
+    real_rip = request.real_rip,
+    protocol = {}
+  }
+  req.protocol[request.service] = true
+  local req_json = json.encode(req)
+  local res = {} 
+  
+  local b, c = https.request {
+    method = "POST",
+    url = "https://nginx:9082",
+    source = ltn12.source.string(req_json),
+    headers = {
+      ["content-type"] = "application/json",
+      ["content-length"] = tostring(#req_json)
+    },
+    sink = ltn12.sink.table(res),
+    insecure = true
+  }
+  local api_response = json.decode(table.concat(res))
+  if api_response.success == true then
+    return dovecot.auth.PASSDB_RESULT_OK, ""
+  end
+  
+  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
+end
+
+function auth_passdb_lookup(req)
+   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+end

From 2d51881ae38b3675b9bc4305f66e2dcb1c58c2b4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 8 Aug 2023 10:49:12 +0200
Subject: [PATCH 082/378] [Web] fix user protocol badges

---
 data/web/templates/user/tab-user-auth.twig | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index f8429821e..f4d364d7b 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -47,11 +47,11 @@
             <div class="col-12 col-md-9 d-flex">
               <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.direct_protocol_access|raw }}"></i>
               <div class="d-flex flex-wrap">
-              {% if mailboxdata.attributes.imap_access == 1 %}<div class="badge fs-6 bg-success m-2">IMAP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">IMAP <i class="bi bi-x-lg"></i></div>{% endif %}
-              {% if mailboxdata.attributes.smtp_access == 1 %}<div class="badge fs-6 bg-success m-2">SMTP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">SMTP <i class="bi bi-x-lg"></i></div>{% endif %}
-              {% if mailboxdata.attributes.sieve_access == 1 %}<div class="badge fs-6 bg-success m-2">Sieve <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">Sieve <i class="bi bi-x-lg"></i></div>{% endif %}
-              {% if mailboxdata.attributes.pop3_access == 1 %}<div class="badge fs-6 bg-success m-2">POP3 <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">POP3 <i class="bi bi-x-lg"></i></div>{% endif %}
-              {% if not skip_sogo %}{% if mailboxdata.attributes.sogo_access == 1 %}<div class="badge fs-6 bg-success m-2">SOGo <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger">SOGo <i class="bi bi-x-lg"></i></div>{% endif %}{% endif %}       
+              {% if mailboxdata.attributes.imap_access == 1 %}<div class="badge fs-6 bg-success m-2">IMAP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">IMAP <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if mailboxdata.attributes.smtp_access == 1 %}<div class="badge fs-6 bg-success m-2">SMTP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">SMTP <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if mailboxdata.attributes.sieve_access == 1 %}<div class="badge fs-6 bg-success m-2">Sieve <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">Sieve <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if mailboxdata.attributes.pop3_access == 1 %}<div class="badge fs-6 bg-success m-2">POP3 <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">POP3 <i class="bi bi-x-lg"></i></div>{% endif %}
+              {% if not skip_sogo %}{% if mailboxdata.attributes.sogo_access == 1 %}<div class="badge fs-6 bg-success m-2">SOGo <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">SOGo <i class="bi bi-x-lg"></i></div>{% endif %}{% endif %}       
               </div>
             </div>
           </div>

From 981307a1c68616df0bf06b50a75be57c7aea00a3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 8 Aug 2023 10:51:09 +0200
Subject: [PATCH 083/378] [Web] add missing break

---
 data/web/json_api.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index ac8963e45..07820d75d 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -2085,6 +2085,9 @@ if (isset($_GET['query'])) {
         case "identity-provider-test":
           process_edit_return(identity_provider('test', $attr));
         break;
+        case "cors":
+          process_edit_return(cors('edit', $attr));
+        break;
         // return no route found if no case is matched
         default:
           http_response_code(404);

From 597d98e1d775687bdb74269e6a75a1c7aed8ba54 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 12 Sep 2023 10:07:46 +0200
Subject: [PATCH 084/378] Fixes #5408

---
 data/conf/phpfpm/crons/keycloak-sync.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index baeec21d5..da26ca5be 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -155,10 +155,12 @@ while (true) {
       logMsg("warning", "No attributes in keycloak found for user " . $user['email']);
       continue;
     }
-    if (count($user['attributes']['mailcow_template']) == 0) {
+    if (!isset($user['attributes']['mailcow_template']) || 
+        !is_array($user['attributes']['mailcow_template']) || 
+        count($user['attributes']['mailcow_template']) == 0) {
       logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']);
       continue;
-    };
+    }
     $mailcow_template = $user['attributes']['mailcow_template'];
 
     // try get mailbox user

From 389eb99c10b37a730716fa0e60cdfaa27c7588b3 Mon Sep 17 00:00:00 2001
From: Mirko Ceroni <mirkoceroni@mirkoceroni.it>
Date: Fri, 1 Sep 2023 20:06:03 +0200
Subject: [PATCH 085/378] Update sogo-auth.php

initialize db before validating credentials
---
 data/web/sogo-auth.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index af6f851ba..d15527101 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -11,6 +11,7 @@ $session_var_pass = 'sogo-sso-pass';
 // validate credentials for basic auth requests
 if (isset($_SERVER['PHP_AUTH_USER'])) {
   // load prerequisites only when required
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
   $username = $_SERVER['PHP_AUTH_USER'];

From 73a044ec1432dafc223fbc0417830a6ae26cef5a Mon Sep 17 00:00:00 2001
From: Mirko Ceroni <mirkoceroni@mirkoceroni.it>
Date: Tue, 5 Sep 2023 20:50:14 +0200
Subject: [PATCH 086/378] Update sogo-auth.php

---
 data/web/sogo-auth.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index d15527101..c34a60def 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -12,8 +12,6 @@ $session_var_pass = 'sogo-sso-pass';
 if (isset($_SERVER['PHP_AUTH_USER'])) {
   // load prerequisites only when required
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
-  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
-  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
   $username = $_SERVER['PHP_AUTH_USER'];
   $password = $_SERVER['PHP_AUTH_PW'];
   $is_eas = false;

From 3a4c0c84a3e79058750f0786f5fddc42a29e576b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 26 Sep 2023 16:06:35 +0200
Subject: [PATCH 087/378] fix keycloak mailpassword flow

---
 data/conf/dovecot/auth/mailcowauth.php |  1 +
 data/web/inc/functions.auth.inc.php    | 13 ++++---------
 docker-compose.yml                     |  2 ++
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index e38abd82b..d2da46598 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -43,6 +43,7 @@ catch (PDOException $e) {
 require_once 'functions.inc.php';
 require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
+require_once 'functions.mailbox.inc.php';
 
 // Init provider
 $iam_provider = identity_provider('init');
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 8c35c1184..7183cc8c1 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -178,7 +178,7 @@ function user_login($user, $pass, $extra = null){
   // user does not exist, try call keycloak login and create user if possible via rest flow
   if (!$row){
     $iam_settings = identity_provider('get');
-    if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailboxpassword_flow']) == 1){
+    if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){
       $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
       if ($result !== false) return $result;
     }
@@ -190,7 +190,7 @@ function user_login($user, $pass, $extra = null){
   if ($row['authsource'] == 'keycloak'){
     // user authsource is keycloak, try using via rest flow
     $iam_settings = identity_provider('get');
-    if (intval($iam_settings['mailboxpassword_flow']) == 1){
+    if (intval($iam_settings['mailpassword_flow']) == 1){
       $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
       return $result;
     } else {
@@ -367,8 +367,8 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
 
   // get mapped template, if not set return false
   // also return false if no mappers were defined
-  $user_template = $user_data['attributes']['mailcow_template'][0];
-  if ($create && (empty($iam_settings['mappers']) || $user_template)){
+  $user_template = $user_res['attributes']['mailcow_template'][0];
+  if ($create && (empty($iam_settings['mappers']) || !$user_template)){
     return false;
   } else if (!$create) {
     // login success - dont create mailbox
@@ -393,11 +393,6 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
   ));
   if (!$create_res) return false;
 
-  // check if created mailbox from template is even active
-  // maybe dont even create it if active != 1
-  if ($mailbox_attributes['active'] != 1){
-    return false;
-  }
 
   $_SESSION['return'][] =  array(
     'type' => 'success',
diff --git a/docker-compose.yml b/docker-compose.yml
index a330e1689..fa915bafa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -124,6 +124,8 @@ services:
         - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
         - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
         - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
+        - ./data/web/inc/functions.mailbox.inc.php:/mailcowauth/functions.mailbox.inc.php:z
+        - ./data/web/inc/functions.ratelimit.inc.php:/mailcowauth/functions.ratelimit.inc.php:z
         - rspamd-vol-1:/var/lib/rspamd
         - mysql-socket-vol-1:/var/run/mysqld/
         - ./data/conf/sogo/:/etc/sogo/:z

From b3a94e79e334107c7535285cbb1400fdefaeb00e Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Wed, 11 Oct 2023 14:48:40 +0200
Subject: [PATCH 088/378] Use dedicated nightly images on nightly branch +
 updates of images itself

---
 docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index fa915bafa..572d203b0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -569,7 +569,7 @@ services:
     
     ##### Will be removed soon #####
     solr-mailcow:
-      image: mailcow/solr:1.8.2
+      image: mailcow/solr:nightly-20231011
       restart: always
       depends_on:
         - netfilter-mailcow
@@ -588,7 +588,7 @@ services:
     ################################
 
     olefy-mailcow:
-      image: mailcow/olefy:1.12
+      image: mailcow/olefy:nightly-20231011
       restart: always
       environment:
         - TZ=${TZ}

From 27ef04baa09cc928b7e6a6e0d84ca4f239cde9e0 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Mon, 16 Oct 2023 10:15:15 +0200
Subject: [PATCH 089/378] Update Dovecot to reuse lz4 compression

---
 data/conf/dovecot/dovecot.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 9284d2cf8..c61d9a1b6 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -241,8 +241,8 @@ plugin {
   mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
   mail_crypt_save_version = 2
 
-  # Enable compression while saving, zstd Dovecot v2.3.17+
-  zlib_save = zstd
+  # Enable compression while saving, lz4 Dovecot v2.3.17+
+  zlib_save = lz4
 
   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
   mail_log_fields = uid box msgid size

From ba32f1131e35ed27b3a609ae579c0fe5dc1d7ca8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 20 Oct 2023 09:07:04 +0200
Subject: [PATCH 090/378] [Web] dont rtrim generic-oidc urls

---
 data/web/inc/functions.inc.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 0b55e75e1..efa34ef2e 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2165,9 +2165,9 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
         $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
       } else if ($_data['authsource'] == "generic-oidc") {
-        $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? rtrim($_data['authorize_url'], '/') : null;
-        $_data['token_url']         = (!empty($_data['token_url'])) ? rtrim($_data['token_url'], '/') : null;
-        $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? rtrim($_data['userinfo_url'], '/') : null;
+        $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
+        $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
+        $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
         $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
       }
       
@@ -2184,9 +2184,6 @@ function identity_provider($_action, $_data = null, $_extra = null) {
           $pdo->rollback();
           return false;
         }
-        if ($setting == "server_url" || $setting == "authorize_url" || $setting == "token_url" || $setting == "userinfo_url") {
-          $_data[$setting] = rtrim($_data[$setting], '/');
-        }
 
         $stmt->bindParam(':key', $setting);
         $stmt->bindParam(':value', $_data[$setting]);

From eb9e3b8391a5d8f24e92ba9b5d00b1093e162747 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 20 Oct 2023 12:30:50 +0200
Subject: [PATCH 091/378] [Web] add configurable client scopes for generic-oidc

---
 data/web/inc/functions.inc.php                           | 9 +++++++--
 data/web/lang/lang.en-gb.json                            | 1 +
 .../templates/admin/tab-config-identity-provider.twig    | 8 +++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index efa34ef2e..221ef5c71 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2108,6 +2108,10 @@ function identity_provider($_action, $_data = null, $_extra = null) {
           $settings[$row["key"]] = $row["value"];
         }
       }
+      // return default client_scopes for generic-oidc if none is set
+      if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
+        $settings["client_scopes"] = "openid profile email";
+      }
       if ($_extra['hide_sensitive']){
         $settings['client_secret'] = '';
         $settings['access_token'] = '';
@@ -2168,7 +2172,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
         $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
         $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
-        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+        $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
+        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
       }
       
       $pdo->beginTransaction();
@@ -2318,7 +2323,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
             'urlAuthorize'            => $iam_settings['authorize_url'],
             'urlAccessToken'          => $iam_settings['token_url'],
             'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
-            'scopes'                  => 'openid profile email'
+            'scopes'                  => $iam_settings['client_scopes']
           ]);
         }
       }
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index d77de7373..869e69d16 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -217,6 +217,7 @@
         "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak.",
         "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
+        "iam_client_scopes": "Client Scopes",
         "iam_description": "Configure an external OIDC Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
         "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
         "iam_import_users": "Import Users",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 88ccc95ee..32c20feab 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -207,12 +207,18 @@
               </div>
             </div>
           </div>
-          <div class="row mb-4">
+          <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
             </div>
           </div>
+          <div class="row mb-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_client_scopes">{{ lang.admin.iam_client_scopes }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" placeholder="openid profile email" class="form-control" id="iam_client_scopes" name="client_scopes" value="{{ iam_settings.client_scopes }}">
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
             <div class="col-12 col-md-9 col-lg-4">

From db47696ba7eaa4a1236f52d6e557d94aa505bde4 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@tinc.gmbh>
Date: Tue, 24 Oct 2023 11:43:19 +0200
Subject: [PATCH 092/378] Updated Dovecot Image to use OpenSSL 3.0 fix

---
 data/dmarcparser.conf | 36 ++++++++++++++++++++++++++
 test.conf             |  3 +++
 test.sh               | 59 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 data/dmarcparser.conf
 create mode 100644 test.conf
 create mode 100644 test.sh

diff --git a/data/dmarcparser.conf b/data/dmarcparser.conf
new file mode 100644
index 000000000..2bf611d6a
--- /dev/null
+++ b/data/dmarcparser.conf
@@ -0,0 +1,36 @@
+server {
+  ssl_certificate /etc/ssl/mail/cert.pem;
+  ssl_certificate_key /etc/ssl/mail/key.pem;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+  index index.php index.html;
+  client_max_body_size 0;
+  root /web;
+  include /etc/nginx/conf.d/listen_plain.active;
+  include /etc/nginx/conf.d/listen_ssl.active;
+  server_name dmarcparse.derlinkman.de;
+  server_tokens off;
+
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+  }
+
+  if ($scheme = http) {
+    return 301 https://$host$request_uri;
+  }
+
+  location / {
+    proxy_pass http://dmarcparser:8080/;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    client_max_body_size 0;
+  }
+}
\ No newline at end of file
diff --git a/test.conf b/test.conf
new file mode 100644
index 000000000..4cad7795b
--- /dev/null
+++ b/test.conf
@@ -0,0 +1,3 @@
+# Solr heap size in MB, there is no recommendation, please see Solr docs.
+# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
+# Solr will refuse to start with total system memory below or equal to 2 GB.
\ No newline at end of file
diff --git a/test.sh b/test.sh
new file mode 100644
index 000000000..1e38b3907
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+source mailcow.conf
+SOLR_OPTIONS=(
+  "SOLR_HEAP"
+  "SOLR_PORT"
+  "SKIP_SOLR"
+  )
+remove_solr_config_options() {
+  sed -i --follow-symlinks '$a\' mailcow.conf
+  for option in "${SOLR_OPTIONS[@]}"; do
+  if [[ $option == "SOLR_HEAP" ]]; then
+    if grep -q "${option}" mailcow.conf; then
+      echo "Replacing SOLR_HEAP with \"${option}\" in mailcow.conf"
+      sed -i '/# Solr heap size in MB\b/c\# Dovecot Indexing (FTS) Process heap size in MB, there is no recommendation, please see Dovecot docs.' mailcow.conf
+      sed -i '/# Solr is a prone to run\b/c\# Flatcurve is replacing solr as FTS Indexer completely. It is supposed to be much more efficient in CPU and RAM consumption.'  mailcow.conf
+      sed -i 's/SOLR_HEAP/FTS_HEAP/g' mailcow.conf
+    fi
+  fi
+  if [[ $option == "SKIP_SOLR" ]]; then
+    if grep -q "${option}" mailcow.conf; then
+      echo "Replacing $option in mailcow.conf with SKIP_FLATCURVE"
+      sed -i '/\bSkip Solr on low-memory\b/c\# Skip Flatcurve (FTS) on low-memory systems or if you simply want to disable it.' mailcow.conf
+      sed -i '/\bSolr is disabled by default\b/d' mailcow.conf
+      sed -i '/\bDisable Solr or\b/d' mailcow.conf
+      sed -i 's/SKIP_SOLR/SKIP_FLATCURVE/g' mailcow.conf
+    fi
+  fi
+  if [[ $option == "SOLR_PORT" ]]; then
+    if grep -q "${option}" mailcow.conf; then
+      echo "Removing ${option} in mailcow.conf"
+      sed -i '/\bSOLR_PORT\b/d' mailcow.conf
+    fi
+  fi
+  done
+
+  solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1)
+  if [[ -n $solr_volume ]]; then
+    echo -e "\e[34mSolr has been replaced within mailcow since 2024-XX.\e[0m"
+    sleep 1
+    echo -e "\e[34mTherefore the volume $solr_volume is unused.\e[0m"
+    sleep 1
+    read -r -p "Would you like to remove the $solr_volume? " response
+    if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+      echo -e "\e[33mRemoving $solr_volume...\e[0m"
+      docker volume rm $solr_volume
+      if [[ $? != 0 ]]; then
+        echo -e "\e[31mCould not remove the volume... Please remove it manually!\e[0m"
+      else
+        echo -e "\e[32mSucessfully removed $solr_volume!\e[0m"
+      fi
+    else
+      echo "Ok! Not removing $solr_volume then."
+      echo "Once you decided on removing the volume simply run docker volume rm $solr_volume to remove it manually."
+      echo "This can be done anytime. mailcow does not use this volume anymore."
+    fi
+  fi  
+}
+
+remove_solr_config_options
\ No newline at end of file

From 9039ab4e12b134f99b331b30f06850286e16d5f7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 26 Oct 2023 12:46:53 +0200
Subject: [PATCH 093/378] [Web] add missing file to autodiscover.php

---
 data/web/autodiscover.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 992524b35..cff10b4c6 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -1,6 +1,7 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 $default_autodiscover_config = $autodiscover_config;
 if(file_exists('inc/vars.local.inc.php')) {
   include_once 'inc/vars.local.inc.php';

From 2f1e1438e9a2f266e1ddbe9e85c6fef4d3afc016 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 30 Oct 2023 10:04:43 +0100
Subject: [PATCH 094/378] [Web] add log messages to verify-sso function

---
 data/web/inc/functions.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 221ef5c71..0b69a4a69 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2378,8 +2378,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         clear_session();  
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-          'msg' => 'login_failed'
+          'log' => array(__FUNCTION__, $info['email']),
+          'msg' => array('login_failed', 'empty attribute mapping or missing template attribute')
         );
         return false;
       }
@@ -2390,8 +2390,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         clear_session();  
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-          'msg' => 'login_failed'
+          'log' => array(__FUNCTION__, $info['email']),
+          'msg' => array('login_failed', 'specified template not found')
         );
         return false;
       }
@@ -2407,8 +2407,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         clear_session();  
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-          'msg' => 'login_failed'
+          'log' => array(__FUNCTION__, $info['email']),
+          'msg' => array('login_failed', 'mailbox creation failed')
         );
         return false;
       }

From 1cda16523dac97e5dfc51f2a02f1a17f58ea1844 Mon Sep 17 00:00:00 2001
From: Geert Hauwaerts <geert@hauwaerts.be>
Date: Thu, 2 Nov 2023 17:42:08 +0200
Subject: [PATCH 095/378] Fixed SQL query for retrieving SSO users.

---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 0b69a4a69..36b1213bc 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2355,7 +2355,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
           AND `mailbox`.`active`='1'
           AND `domain`.`active`='1'
           AND `username` = :user
-          AND `authsource`='keycloak' OR `authsource`='generic-oidc'");
+          AND (`authsource`='keycloak' OR `authsource`='generic-oidc')");
       $stmt->execute(array(':user' => $info['email']));
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
       if ($row){

From 216398355be8c137cc894e48d0f9bfdb00beab7d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 5 Feb 2024 15:22:02 +0100
Subject: [PATCH 096/378] fix functions.inc.php, update sogo and dovecot
 nightly image

---
 data/web/inc/functions.inc.php | 2 --
 docker-compose.yml             | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 36b1213bc..215a95fdd 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2086,8 +2086,6 @@ function uuid4() {
 
   return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
 }
-function identity_provider($_action, $_data = null) {
-function identity_provider($_action, $_data = null, $hide_secret = false) {
 function identity_provider($_action, $_data = null, $_extra = null) {
   global $pdo;
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 572d203b0..d7cf072d0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -187,7 +187,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.122.1
+      image: mailcow/sogo:nightly-20240205
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -234,7 +234,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:1.28.2
+      image: mailcow/dovecot:nightly-20240205
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From 058b79ed5c7029bb0927f3265bd467f0dfbf4a45 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Mon, 5 Feb 2024 15:57:44 +0100
Subject: [PATCH 097/378] dovecot: corrected dockerfile inside nightly

---
 data/Dockerfiles/dovecot/Dockerfile | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index a3bdc8472..20831fab2 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -3,8 +3,6 @@ LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.16
-ARG DOVECOT_VERSION=2.3.20
-ARG PIGEONHOLE_VERSION=0.5.20
 ENV LC_ALL C
 
 
@@ -27,7 +25,6 @@ RUN addgroup -g 5000 vmail \
   curl \
   jq \
   lua \
-  lua-json \
   lua-cjson \
   lua-socket \
   lua-sql-mysql \

From 9a4b79a6296452a8cf2c9365b4a245bc4ecef5d5 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 5 Feb 2024 17:11:36 +0100
Subject: [PATCH 098/378] [Web] fix idp mailbox login

---
 data/web/inc/functions.mailbox.inc.php | 6 +++---
 data/web/templates/index.twig          | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 457b53d60..46658274e 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1027,10 +1027,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
           $template_attr = null;
           if ($_data['template']){
-            $template_attr = mailbox('get', 'mailbox_templates', $_data['template'])['attributes'];
+            $template_attr = mailbox('get', 'mailbox_templates', $_data['template'], $_extra)['attributes'];
           }
           if (empty($template_attr)) {
-            $template_attr = mailbox('get', 'mailbox_templates')[0]['attributes'];
+            $template_attr = mailbox('get', 'mailbox_templates', null, $_extra)[0]['attributes'];
           }
           $MAILBOX_DEFAULT_ATTRIBUTES = array_merge($MAILBOX_DEFAULT_ATTRIBUTES, $template_attr);
 
@@ -4711,7 +4711,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           return $mailboxdata;
         break;
         case 'mailbox_templates':
-          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
+          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['iam_create_login']) {
             return false;
           }
           $_data = (isset($_data)) ? intval($_data) : null;
diff --git a/data/web/templates/index.twig b/data/web/templates/index.twig
index 98847d53e..3c752b132 100644
--- a/data/web/templates/index.twig
+++ b/data/web/templates/index.twig
@@ -40,7 +40,7 @@
               <input name="pass_user" type="password" id="pass_user" class="form-control" placeholder="{{ lang.login.password }}" required="" autocomplete="current-password">
             </div>
           </div>
-          <div class="d-flex mt-4" style="position: relative">
+          <div class="d-flex justify-content-between mt-4" style="position: relative">
             <div class="btn-group">
               <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
               <button type="button" class="btn btn-xs-lg btn-success dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>

From 448f85abe81aa4b63c0143ad352acbf843f78b8f Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Wed, 7 Feb 2024 15:28:42 +0100
Subject: [PATCH 099/378] Remove unused files

---
 data/dmarcparser.conf | 36 --------------------------
 test.conf             |  3 ---
 test.sh               | 59 -------------------------------------------
 3 files changed, 98 deletions(-)
 delete mode 100644 data/dmarcparser.conf
 delete mode 100644 test.conf
 delete mode 100644 test.sh

diff --git a/data/dmarcparser.conf b/data/dmarcparser.conf
deleted file mode 100644
index 2bf611d6a..000000000
--- a/data/dmarcparser.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-server {
-  ssl_certificate /etc/ssl/mail/cert.pem;
-  ssl_certificate_key /etc/ssl/mail/key.pem;
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
-  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
-  ssl_session_cache shared:SSL:50m;
-  ssl_session_timeout 1d;
-  ssl_session_tickets off;
-  index index.php index.html;
-  client_max_body_size 0;
-  root /web;
-  include /etc/nginx/conf.d/listen_plain.active;
-  include /etc/nginx/conf.d/listen_ssl.active;
-  server_name dmarcparse.derlinkman.de;
-  server_tokens off;
-
-  location ^~ /.well-known/acme-challenge/ {
-    allow all;
-    default_type "text/plain";
-  }
-
-  if ($scheme = http) {
-    return 301 https://$host$request_uri;
-  }
-
-  location / {
-    proxy_pass http://dmarcparser:8080/;
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    client_max_body_size 0;
-  }
-}
\ No newline at end of file
diff --git a/test.conf b/test.conf
deleted file mode 100644
index 4cad7795b..000000000
--- a/test.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# Solr heap size in MB, there is no recommendation, please see Solr docs.
-# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
-# Solr will refuse to start with total system memory below or equal to 2 GB.
\ No newline at end of file
diff --git a/test.sh b/test.sh
deleted file mode 100644
index 1e38b3907..000000000
--- a/test.sh
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/bash
-source mailcow.conf
-SOLR_OPTIONS=(
-  "SOLR_HEAP"
-  "SOLR_PORT"
-  "SKIP_SOLR"
-  )
-remove_solr_config_options() {
-  sed -i --follow-symlinks '$a\' mailcow.conf
-  for option in "${SOLR_OPTIONS[@]}"; do
-  if [[ $option == "SOLR_HEAP" ]]; then
-    if grep -q "${option}" mailcow.conf; then
-      echo "Replacing SOLR_HEAP with \"${option}\" in mailcow.conf"
-      sed -i '/# Solr heap size in MB\b/c\# Dovecot Indexing (FTS) Process heap size in MB, there is no recommendation, please see Dovecot docs.' mailcow.conf
-      sed -i '/# Solr is a prone to run\b/c\# Flatcurve is replacing solr as FTS Indexer completely. It is supposed to be much more efficient in CPU and RAM consumption.'  mailcow.conf
-      sed -i 's/SOLR_HEAP/FTS_HEAP/g' mailcow.conf
-    fi
-  fi
-  if [[ $option == "SKIP_SOLR" ]]; then
-    if grep -q "${option}" mailcow.conf; then
-      echo "Replacing $option in mailcow.conf with SKIP_FLATCURVE"
-      sed -i '/\bSkip Solr on low-memory\b/c\# Skip Flatcurve (FTS) on low-memory systems or if you simply want to disable it.' mailcow.conf
-      sed -i '/\bSolr is disabled by default\b/d' mailcow.conf
-      sed -i '/\bDisable Solr or\b/d' mailcow.conf
-      sed -i 's/SKIP_SOLR/SKIP_FLATCURVE/g' mailcow.conf
-    fi
-  fi
-  if [[ $option == "SOLR_PORT" ]]; then
-    if grep -q "${option}" mailcow.conf; then
-      echo "Removing ${option} in mailcow.conf"
-      sed -i '/\bSOLR_PORT\b/d' mailcow.conf
-    fi
-  fi
-  done
-
-  solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1)
-  if [[ -n $solr_volume ]]; then
-    echo -e "\e[34mSolr has been replaced within mailcow since 2024-XX.\e[0m"
-    sleep 1
-    echo -e "\e[34mTherefore the volume $solr_volume is unused.\e[0m"
-    sleep 1
-    read -r -p "Would you like to remove the $solr_volume? " response
-    if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-      echo -e "\e[33mRemoving $solr_volume...\e[0m"
-      docker volume rm $solr_volume
-      if [[ $? != 0 ]]; then
-        echo -e "\e[31mCould not remove the volume... Please remove it manually!\e[0m"
-      else
-        echo -e "\e[32mSucessfully removed $solr_volume!\e[0m"
-      fi
-    else
-      echo "Ok! Not removing $solr_volume then."
-      echo "Once you decided on removing the volume simply run docker volume rm $solr_volume to remove it manually."
-      echo "This can be done anytime. mailcow does not use this volume anymore."
-    fi
-  fi  
-}
-
-remove_solr_config_options
\ No newline at end of file

From 40146839efb3754b2db4045f0111178ffd1883c5 Mon Sep 17 00:00:00 2001
From: DerLinkman <derlinkman@gmail.com>
Date: Thu, 8 Feb 2024 09:47:41 +0100
Subject: [PATCH 100/378] docker-compose: bumped versions

---
 docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index d7cf072d0..a62ea1212 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -187,7 +187,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:nightly-20240205
+      image: mailcow/sogo:nightly-20240208
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -234,7 +234,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:nightly-20240205
+      image: mailcow/dovecot:nightly-20240208
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From d479d18507325c5cd236a429116ae4a56cb3cfb0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 10:30:11 +0100
Subject: [PATCH 101/378] [Web] update directorytree/ldaprecord

---
 data/web/inc/lib/composer.json                |    2 +-
 data/web/inc/lib/composer.lock                |  340 ++--
 data/web/inc/lib/vendor/autoload.php          |   17 +-
 data/web/inc/lib/vendor/bin/carbon            |   46 +-
 data/web/inc/lib/vendor/bin/var-dump-server   |   46 +-
 .../carbonphp/carbon-doctrine-types/LICENSE   |   21 +
 .../carbonphp/carbon-doctrine-types/README.md |   14 +
 .../carbon-doctrine-types/composer.json       |   36 +
 .../Carbon/Doctrine/CarbonDoctrineType.php    |   16 +
 .../Carbon/Doctrine/CarbonImmutableType.php   |    9 +
 .../src/Carbon/Doctrine/CarbonType.php        |    9 +
 .../Carbon/Doctrine/CarbonTypeConverter.php   |   92 +-
 .../Doctrine/DateTimeDefaultPrecision.php     |    9 +-
 .../Carbon/Doctrine/DateTimeImmutableType.php |   16 +-
 .../src/Carbon/Doctrine/DateTimeType.php      |   24 +
 .../inc/lib/vendor/composer/ClassLoader.php   |  137 +-
 .../lib/vendor/composer/InstalledVersions.php |   17 +-
 .../lib/vendor/composer/autoload_classmap.php |    1 +
 .../lib/vendor/composer/autoload_files.php    |    4 +-
 .../inc/lib/vendor/composer/autoload_psr4.php |    2 +
 .../inc/lib/vendor/composer/autoload_real.php |   27 +-
 .../lib/vendor/composer/autoload_static.php   |   15 +-
 .../inc/lib/vendor/composer/installed.json    |  364 +++--
 .../web/inc/lib/vendor/composer/installed.php |   88 +-
 .../.github/ISSUE_TEMPLATE/bug_report.md      |    5 +-
 .../ISSUE_TEMPLATE/support---help-request.md  |    5 +-
 .../workflows/run-integration-tests.yml       |   62 +
 .../.github/workflows/run-tests.yml           |   47 +-
 .../directorytree/ldaprecord/.styleci.yml     |    7 -
 .../directorytree/ldaprecord/composer.json    |    7 +-
 .../ldaprecord/docker-compose.yml             |   35 +
 .../directorytree/ldaprecord/phpunit.xml      |    7 +-
 .../vendor/directorytree/ldaprecord/psalm.xml |   15 -
 .../vendor/directorytree/ldaprecord/readme.md |    4 +-
 .../ldaprecord/src/Auth/Events/Event.php      |    6 +-
 .../ldaprecord/src/Auth/Guard.php             |   43 +-
 .../src/Configuration/DomainConfiguration.php |   22 +-
 .../Configuration/Validators/Validator.php    |    4 +-
 .../ldaprecord/src/Connection.php             |   79 +-
 .../ldaprecord/src/ConnectionManager.php      |   28 +-
 .../ldaprecord/src/Container.php              |   13 +-
 .../ldaprecord/src/DetailedError.php          |    6 +-
 .../ldaprecord/src/DetectsErrors.php          |   19 +-
 .../ldaprecord/src/EscapesValues.php          |    7 +-
 .../ldaprecord/src/Events/ConnectionEvent.php |    2 +-
 .../ldaprecord/src/Events/Dispatcher.php      |   45 +-
 .../src/Events/DispatcherInterface.php        |   33 +-
 .../ldaprecord/src/Events/Logger.php          |   17 +-
 .../ldaprecord/src/Events/NullDispatcher.php  |   35 +-
 .../ldaprecord/src/HandlesConnection.php      |   19 +-
 .../directorytree/ldaprecord/src/Ldap.php     |   33 +-
 .../ldaprecord/src/LdapInterface.php          |  202 ++-
 .../ldaprecord/src/LdapRecordException.php    |    8 +-
 .../Concerns/HasPrimaryGroup.php              |    7 +-
 .../src/Models/ActiveDirectory/Entry.php      |  102 +-
 .../Relations/HasOnePrimaryGroup.php          |    6 +-
 .../Scopes/HasServerRoleAttribute.php         |    5 +-
 .../Scopes/InConfigurationContext.php         |    8 +-
 .../Scopes/RejectComputerObjectClass.php      |    5 +-
 .../src/Models/ActiveDirectory/User.php       |   44 +-
 .../src/Models/Attributes/AccountControl.php  |   67 +-
 .../Models/Attributes/DistinguishedName.php   |   52 +-
 .../Attributes/DistinguishedNameBuilder.php   |   46 +-
 .../src/Models/Attributes/EscapedValue.php    |    9 +-
 .../ldaprecord/src/Models/Attributes/Guid.php |   15 +-
 .../src/Models/Attributes/MbString.php        |   12 +-
 .../src/Models/Attributes/Password.php        |  106 +-
 .../ldaprecord/src/Models/Attributes/Sid.php  |    8 +-
 .../src/Models/Attributes/TSProperty.php      |   56 +-
 .../src/Models/Attributes/TSPropertyArray.php |   38 +-
 .../src/Models/Attributes/Timestamp.php       |   59 +-
 .../src/Models/BatchModification.php          |   32 +-
 .../ldaprecord/src/Models/Collection.php      |   37 +-
 .../src/Models/Concerns/CanAuthenticate.php   |    6 +-
 .../src/Models/Concerns/HasAttributes.php     |  276 ++--
 .../src/Models/Concerns/HasEvents.php         |   44 +-
 .../src/Models/Concerns/HasGlobalScopes.php   |   12 +-
 .../src/Models/Concerns/HasPassword.php       |   27 +-
 .../src/Models/Concerns/HasRelationships.php  |   45 +-
 .../src/Models/Concerns/HasScopes.php         |    1 +
 .../src/Models/Concerns/HidesAttributes.php   |   20 +-
 .../SerializesAndRestoresPropertyValues.php   |   47 +
 .../Models/Concerns/SerializesProperties.php  |  143 ++
 .../src/Models/DetectsResetIntegers.php       |    3 +-
 .../src/Models/DirectoryServer/Entry.php      |    3 +-
 .../ldaprecord/src/Models/Events/Event.php    |    2 +-
 .../ldaprecord/src/Models/Events/Renaming.php |    6 +-
 .../ldaprecord/src/Models/FreeIPA/Entry.php   |    3 +-
 .../FreeIPA/Scopes/AddEntryUuidToSelects.php  |    5 +-
 .../ldaprecord/src/Models/Model.php           |  405 ++---
 .../src/Models/ModelDoesNotExistException.php |    6 +-
 .../ldaprecord/src/Models/OpenLDAP/Entry.php  |    3 +-
 .../ldaprecord/src/Models/OpenLDAP/Group.php  |   12 +
 .../OpenLDAP/Scopes/AddEntryUuidToSelects.php |    5 +-
 .../ldaprecord/src/Models/OpenLDAP/User.php   |    2 +-
 .../src/Models/Relations/HasMany.php          |  144 +-
 .../src/Models/Relations/HasOne.php           |    3 +-
 .../src/Models/Relations/OneToMany.php        |   33 +-
 .../src/Models/Relations/Relation.php         |  157 +-
 .../ldaprecord/src/Models/Scope.php           |    5 +-
 .../src/Models/Types/ActiveDirectory.php      |   11 +-
 .../src/Models/Types/DirectoryServer.php      |    8 +
 .../ldaprecord/src/Query/ArrayCacheStore.php  |    6 +-
 .../ldaprecord/src/Query/Builder.php          |  540 ++++---
 .../ldaprecord/src/Query/Cache.php            |   22 +-
 .../src/Query/Events/QueryExecuted.php        |    4 +-
 .../src/Query/Filter/ConditionNode.php        |  100 ++
 .../ldaprecord/src/Query/Filter/GroupNode.php |   54 +
 .../ldaprecord/src/Query/Filter/Node.php      |   30 +
 .../ldaprecord/src/Query/Filter/Parser.php    |  162 ++
 .../src/Query/Filter/ParserException.php      |    9 +
 .../ldaprecord/src/Query/Grammar.php          |  129 +-
 .../src/Query/InteractsWithTime.php           |    9 +-
 .../Query/Model/ActiveDirectoryBuilder.php    |   70 +-
 .../ldaprecord/src/Query/Model/Builder.php    |   70 +-
 .../src/Query/ObjectNotFoundException.php     |   10 +-
 .../Query/Pagination/AbstractPaginator.php    |   16 +-
 .../src/Query/Pagination/LazyPaginator.php    |    3 +-
 .../ldaprecord/src/Query/Slice.php            |  283 ++++
 .../ldaprecord/src/Support/Arr.php            |   34 +-
 .../ldaprecord/src/Support/Helpers.php        |    8 +-
 .../ldaprecord/src/Support/Str.php            |  129 ++
 .../ldaprecord/src/Testing/ConnectionFake.php |    8 +-
 .../ldaprecord/src/Testing/DirectoryFake.php  |    6 +-
 .../src/Testing/LdapExpectation.php           |   39 +-
 .../ldaprecord/src/Testing/LdapFake.php       |   54 +-
 .../ldaprecord/src/Utilities.php              |   37 +-
 .../illuminate/contracts/Auth/Access/Gate.php |    8 +-
 .../contracts/Broadcasting/ShouldBeUnique.php |    8 +
 .../illuminate/contracts/Cache/Repository.php |   28 +-
 .../contracts/Console/Isolatable.php          |    8 +
 .../Console/PromptsForMissingInput.php        |    8 +
 .../contracts/Container/Container.php         |    9 +
 .../Container/ContextualBindingBuilder.php    |    2 +-
 .../contracts/Cookie/QueueingFactory.php      |    2 +-
 .../contracts/Database/Eloquent/Castable.php  |    3 +-
 .../Database/Eloquent/CastsAttributes.php     |   18 +-
 .../Eloquent/CastsInboundAttributes.php       |    4 +-
 .../Eloquent/SerializesCastableAttributes.php |    4 +-
 .../contracts/Database/ModelIdentifier.php    |   20 +
 .../Database/Query/ConditionExpression.php    |    7 +
 .../contracts/Database/Query/Expression.php   |   16 +
 .../contracts/Events/Dispatcher.php           |    2 +-
 .../Events/ShouldDispatchAfterCommit.php      |    8 +
 .../Events/ShouldHandleEventsAfterCommit.php  |    8 +
 .../contracts/Filesystem/Filesystem.php       |    2 +-
 .../contracts/Foundation/Application.php      |   25 +-
 .../illuminate/contracts/Mail/Attachable.php  |   13 +
 .../illuminate/contracts/Mail/Mailable.php    |    2 +-
 .../illuminate/contracts/Mail/Mailer.php      |    4 +-
 .../contracts/Pagination/CursorPaginator.php  |    7 +
 .../contracts/Pagination/Paginator.php        |    8 +-
 .../contracts/Process/InvokedProcess.php      |   64 +
 .../contracts/Process/ProcessResult.php       |   65 +
 .../illuminate/contracts/Queue/Monitor.php    |    2 +-
 .../Queue/ShouldQueueAfterCommit.php          |    8 +
 .../contracts/Routing/ResponseFactory.php     |    6 +-
 .../Middleware/AuthenticatesSessions.php      |    8 +
 .../contracts/Support/MessageBag.php          |    8 +
 .../contracts/Translation/Translator.php      |    2 +-
 .../contracts/Validation/DataAwareRule.php    |    2 +-
 .../contracts/Validation/Factory.php          |    4 +-
 .../contracts/Validation/ImplicitRule.php     |    3 +
 .../contracts/Validation/InvokableRule.php    |   21 +
 .../illuminate/contracts/Validation/Rule.php  |    3 +
 .../contracts/Validation/ValidationRule.php   |   18 +
 .../Validation/ValidatorAwareRule.php         |    4 +-
 .../View/ViewCompilationException.php         |   10 +
 .../vendor/illuminate/contracts/composer.json |    4 +-
 .../vendor/nesbot/carbon/.phpstorm.meta.php   |   10 +
 .../lib/vendor/nesbot/carbon/composer.json    |   96 +-
 .../MessageFormatterMapperStrongType.php      |   28 +
 .../MessageFormatterMapperWeakType.php        |   36 +
 .../Carbon/PHPStan/AbstractMacroBuiltin.php   |   36 +
 .../Carbon/PHPStan/AbstractMacroStatic.php    |   45 +
 .../lazy/Carbon/PHPStan/MacroStrongType.php   |    6 +-
 .../lazy/Carbon/PHPStan/MacroWeakType.php     |    6 +-
 .../inc/lib/vendor/nesbot/carbon/readme.md    |   51 +-
 .../inc/lib/vendor/nesbot/carbon/sponsors.php |  129 ++
 .../carbon/src/Carbon/AbstractTranslator.php  |   27 +-
 .../nesbot/carbon/src/Carbon/Carbon.php       |  934 +++++------
 .../carbon/src/Carbon/CarbonImmutable.php     |  958 ++++++------
 .../carbon/src/Carbon/CarbonInterface.php     |  113 +-
 .../carbon/src/Carbon/CarbonInterval.php      |  445 +++++-
 .../nesbot/carbon/src/Carbon/CarbonPeriod.php |  540 ++++---
 .../src/Carbon/CarbonPeriodImmutable.php      |   40 +
 .../carbon/src/Carbon/CarbonTimeZone.php      |   42 +-
 .../Carbon/Doctrine/CarbonDoctrineType.php    |   23 -
 .../Carbon/Doctrine/CarbonImmutableType.php   |   37 -
 .../carbon/src/Carbon/Doctrine/CarbonType.php |   37 -
 .../src/Carbon/Doctrine/DateTimeType.php      |   16 -
 .../Exceptions/BadComparisonUnitException.php |   25 +-
 .../BadFluentConstructorException.php         |   25 +-
 .../Exceptions/BadFluentSetterException.php   |   29 +-
 .../Exceptions/BadMethodCallException.php     |    1 +
 .../Exceptions/EndLessPeriodException.php     |   19 +
 .../src/Carbon/Exceptions/Exception.php       |    1 +
 .../Carbon/Exceptions/ImmutableException.php  |   24 +-
 .../Exceptions/InvalidArgumentException.php   |    1 +
 .../Exceptions/InvalidCastException.php       |   13 +-
 .../Exceptions/InvalidDateException.php       |    6 +-
 .../Exceptions/InvalidFormatException.php     |   13 +-
 .../Exceptions/InvalidIntervalException.php   |   13 +-
 .../Exceptions/InvalidPeriodDateException.php |   13 +-
 .../InvalidPeriodParameterException.php       |   13 +-
 .../Exceptions/InvalidTimeZoneException.php   |   13 +-
 .../Exceptions/InvalidTypeException.php       |   13 +-
 .../Exceptions/NotACarbonClassException.php   |   31 +-
 .../Carbon/Exceptions/NotAPeriodException.php |   13 +-
 .../Exceptions/NotLocaleAwareException.php    |    6 +-
 .../Carbon/Exceptions/OutOfRangeException.php |    6 +-
 .../Carbon/Exceptions/ParseErrorException.php |   61 +-
 .../Carbon/Exceptions/RuntimeException.php    |    1 +
 .../src/Carbon/Exceptions/UnitException.php   |   13 +-
 .../Exceptions/UnitNotConfiguredException.php |   25 +-
 .../Exceptions/UnknownGetterException.php     |   29 +-
 .../Exceptions/UnknownMethodException.php     |   25 +-
 .../Exceptions/UnknownSetterException.php     |   29 +-
 .../Exceptions/UnknownUnitException.php       |   25 +-
 .../Exceptions/UnreachableException.php       |   13 +-
 .../nesbot/carbon/src/Carbon/Factory.php      |    8 +-
 .../carbon/src/Carbon/FactoryImmutable.php    |   28 +-
 .../nesbot/carbon/src/Carbon/Lang/ar_AE.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_BH.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_EG.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_IQ.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_JO.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_KW.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_LB.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_OM.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_PS.php   |    5 +
 .../nesbot/carbon/src/Carbon/Lang/ar_QA.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_SA.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_SD.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_SY.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/ar_YE.php   |    2 +
 .../nesbot/carbon/src/Carbon/Lang/be.php      |    7 +-
 .../carbon/src/Carbon/Lang/ca_ES_Valencia.php |   10 +
 .../nesbot/carbon/src/Carbon/Lang/ckb.php     |   89 ++
 .../nesbot/carbon/src/Carbon/Lang/cs.php      |    3 +-
 .../nesbot/carbon/src/Carbon/Lang/cy.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/da.php      |    7 +-
 .../nesbot/carbon/src/Carbon/Lang/de.php      |    9 +
 .../nesbot/carbon/src/Carbon/Lang/en.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/en_CH.php   |    8 +
 .../nesbot/carbon/src/Carbon/Lang/es.php      |   10 +
 .../nesbot/carbon/src/Carbon/Lang/fi.php      |    2 +
 .../nesbot/carbon/src/Carbon/Lang/fr.php      |   11 +-
 .../nesbot/carbon/src/Carbon/Lang/hu.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/it.php      |   11 +-
 .../nesbot/carbon/src/Carbon/Lang/ku.php      |   42 +-
 .../nesbot/carbon/src/Carbon/Lang/lv.php      |    3 +-
 .../nesbot/carbon/src/Carbon/Lang/mn.php      |   62 +-
 .../nesbot/carbon/src/Carbon/Lang/ms.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/oc.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/pl.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/pt.php      |    9 +
 .../nesbot/carbon/src/Carbon/Lang/sh.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/sk.php      |  112 +-
 .../nesbot/carbon/src/Carbon/Lang/sl.php      |    6 +-
 .../nesbot/carbon/src/Carbon/Lang/sr_Cyrl.php |   22 +-
 .../carbon/src/Carbon/Lang/sr_Cyrl_BA.php     |   10 +
 .../carbon/src/Carbon/Lang/sr_Cyrl_ME.php     |   31 +-
 .../carbon/src/Carbon/Lang/sr_Cyrl_XK.php     |   10 +
 .../carbon/src/Carbon/Lang/sr_Latn_BA.php     |   10 +
 .../carbon/src/Carbon/Lang/sr_Latn_ME.php     |   10 +
 .../carbon/src/Carbon/Lang/sr_Latn_XK.php     |   10 +
 .../nesbot/carbon/src/Carbon/Lang/ss.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/sv.php      |    2 +-
 .../nesbot/carbon/src/Carbon/Lang/uk.php      |    3 +-
 .../src/Carbon/Laravel/ServiceProvider.php    |   52 +-
 .../MessageFormatterMapper.php                |   44 +
 .../src/Carbon/PHPStan/AbstractMacro.php      |  104 +-
 .../carbon/src/Carbon/PHPStan/Macro.php       |    7 +
 .../src/Carbon/PHPStan/MacroExtension.php     |   18 +-
 .../src/Carbon/PHPStan/MacroScanner.php       |   40 +-
 .../carbon/src/Carbon/Traits/Comparison.php   |   97 +-
 .../carbon/src/Carbon/Traits/Converter.php    |   64 +-
 .../carbon/src/Carbon/Traits/Creator.php      |   80 +-
 .../nesbot/carbon/src/Carbon/Traits/Date.php  |   93 +-
 .../carbon/src/Carbon/Traits/Difference.php   |   39 +-
 .../src/Carbon/Traits/IntervalRounding.php    |    2 +-
 .../carbon/src/Carbon/Traits/Localization.php |   38 +-
 .../src/Carbon/Traits/MagicParameter.php      |   33 +
 .../nesbot/carbon/src/Carbon/Traits/Mixin.php |   67 +-
 .../carbon/src/Carbon/Traits/Modifiers.php    |    6 +-
 .../carbon/src/Carbon/Traits/Options.php      |    8 +-
 .../carbon/src/Carbon/Traits/Rounding.php     |   31 +-
 .../src/Carbon/Traits/Serialization.php       |  100 +-
 .../nesbot/carbon/src/Carbon/Traits/Test.php  |   32 +-
 .../carbon/src/Carbon/Traits/Timestamp.php    |    6 +-
 .../src/Carbon/Traits/ToStringFormat.php      |   56 +
 .../nesbot/carbon/src/Carbon/Traits/Units.php |   36 +-
 .../carbon/src/Carbon/TranslatorImmutable.php |    2 +-
 .../web/inc/lib/vendor/psr/clock/CHANGELOG.md |   11 +
 data/web/inc/lib/vendor/psr/clock/LICENSE     |   19 +
 data/web/inc/lib/vendor/psr/clock/README.md   |   61 +
 .../inc/lib/vendor/psr/clock/composer.json    |   21 +
 .../vendor/psr/clock/src/ClockInterface.php   |   13 +
 .../deprecation-contracts/composer.json       |    2 +-
 .../vendor/symfony/polyfill-mbstring/LICENSE  |    2 +-
 .../symfony/polyfill-mbstring/Mbstring.php    |  148 +-
 .../symfony/polyfill-mbstring/README.md       |    2 +-
 .../Resources/unidata/caseFolding.php         |  119 ++
 .../symfony/polyfill-mbstring/bootstrap.php   |    4 +
 .../symfony/polyfill-mbstring/bootstrap80.php |    4 +
 .../symfony/polyfill-mbstring/composer.json   |    3 -
 .../lib/vendor/symfony/polyfill-php80/LICENSE |    2 +-
 .../vendor/symfony/polyfill-php80/Php80.php   |   12 +-
 .../symfony/polyfill-php80/PhpToken.php       |  103 ++
 .../vendor/symfony/polyfill-php80/README.md   |    7 +-
 .../Resources/stubs/Attribute.php             |    9 +
 .../Resources/stubs/PhpToken.php              |   16 +
 .../Resources/stubs/Stringable.php            |    9 +
 .../Resources/stubs/UnhandledMatchError.php   |    9 +
 .../Resources/stubs/ValueError.php            |    9 +
 .../symfony/polyfill-php80/composer.json      |    3 -
 .../symfony/translation-contracts/.gitignore  |    3 -
 .../symfony/translation-contracts/LICENSE     |    2 +-
 .../LocaleAwareInterface.php                  |    2 +
 .../symfony/translation-contracts/README.md   |    2 +-
 .../Test/TranslatorTest.php                   |   31 +-
 .../translation-contracts/TranslatorTrait.php |  211 ++-
 .../translation-contracts/composer.json       |   12 +-
 .../vendor/symfony/translation/CHANGELOG.md   |   29 +
 .../Catalogue/AbstractOperation.php           |   38 +-
 .../translation/Catalogue/MergeOperation.php  |   14 +-
 .../translation/Catalogue/TargetOperation.php |   14 +-
 .../CatalogueMetadataAwareInterface.php       |   48 +
 .../Command/TranslationPullCommand.php        |   27 +-
 .../Command/TranslationPushCommand.php        |   21 +-
 .../translation/Command/XliffLintCommand.php  |   71 +-
 .../TranslationDataCollector.php              |   30 +-
 .../translation/DataCollectorTranslator.php   |   37 +-
 .../DataCollectorTranslatorPass.php           |   36 +
 .../LoggingTranslatorPass.php                 |   59 +
 .../TranslationDumperPass.php                 |    3 +
 .../TranslationExtractorPass.php              |    3 +
 .../DependencyInjection/TranslatorPass.php    |   20 +
 .../TranslatorPathsPass.php                   |   34 +-
 .../translation/Dumper/CsvFileDumper.php      |    8 +-
 .../translation/Dumper/DumperInterface.php    |    2 +
 .../symfony/translation/Dumper/FileDumper.php |    4 +-
 .../translation/Dumper/IcuResFileDumper.php   |   15 +-
 .../translation/Dumper/IniFileDumper.php      |    6 -
 .../translation/Dumper/JsonFileDumper.php     |    6 -
 .../translation/Dumper/MoFileDumper.php       |   10 +-
 .../translation/Dumper/PhpFileDumper.php      |    6 -
 .../translation/Dumper/PoFileDumper.php       |    8 +-
 .../translation/Dumper/QtFileDumper.php       |    6 -
 .../translation/Dumper/XliffFileDumper.php    |   38 +-
 .../translation/Dumper/YamlFileDumper.php     |    6 -
 .../Exception/IncompleteDsnException.php      |    2 +-
 .../MissingRequiredOptionException.php        |    2 +-
 .../Exception/ProviderException.php           |    4 +-
 .../Exception/UnsupportedSchemeException.php  |    8 +-
 .../translation/Extractor/ChainExtractor.php  |    6 +-
 .../Extractor/ExtractorInterface.php          |    4 +
 .../translation/Extractor/PhpAstExtractor.php |   85 +
 .../translation/Extractor/PhpExtractor.php    |   19 +-
 .../Extractor/PhpStringTokenParser.php        |    7 +-
 .../Extractor/Visitor/AbstractVisitor.php     |  135 ++
 .../Extractor/Visitor/ConstraintVisitor.php   |  112 ++
 .../Extractor/Visitor/TransMethodVisitor.php  |   65 +
 .../Visitor/TranslatableMessageVisitor.php    |   65 +
 .../translation/Formatter/IntlFormatter.php   |    9 +-
 .../Formatter/MessageFormatter.php            |   18 +-
 .../lib/vendor/symfony/translation/LICENSE    |    2 +-
 .../translation/Loader/ArrayLoader.php        |    9 +-
 .../translation/Loader/CsvFileLoader.php      |    7 +-
 .../symfony/translation/Loader/FileLoader.php |    7 +-
 .../translation/Loader/IcuDatFileLoader.php   |    5 +-
 .../translation/Loader/IcuResFileLoader.php   |    9 +-
 .../translation/Loader/IniFileLoader.php      |    3 -
 .../translation/Loader/JsonFileLoader.php     |   25 +-
 .../translation/Loader/MoFileLoader.php       |    2 -
 .../translation/Loader/PhpFileLoader.php      |   11 +-
 .../translation/Loader/PoFileLoader.php       |   14 +-
 .../translation/Loader/QtFileLoader.php       |    4 -
 .../translation/Loader/XliffFileLoader.php    |   23 +-
 .../translation/Loader/YamlFileLoader.php     |    7 +-
 .../symfony/translation/LocaleSwitcher.php    |   78 +
 .../symfony/translation/LoggingTranslator.php |   30 +-
 .../symfony/translation/MessageCatalogue.php  |  126 +-
 .../translation/MessageCatalogueInterface.php |   16 +-
 .../translation/MetadataAwareInterface.php    |    6 +-
 .../Provider/AbstractProviderFactory.php      |   12 +-
 .../symfony/translation/Provider/Dsn.php      |   34 +-
 .../Provider/FilteringProvider.php            |    5 +-
 .../Provider/ProviderInterface.php            |    4 +-
 .../TranslationProviderCollection.php         |    2 +-
 .../PseudoLocalizationTranslator.php          |   11 +-
 .../lib/vendor/symfony/translation/README.md  |   12 +-
 .../translation/Reader/TranslationReader.php  |    4 +-
 .../Reader/TranslationReaderInterface.php     |    2 +
 .../Resources/bin/translation-status.php      |   18 +-
 .../translation/Resources/data/parents.json   |    4 +
 .../translation/Resources/functions.php       |    2 +-
 ...ct.xsd => xliff-core-1.2-transitional.xsd} |   84 +-
 .../Test/ProviderFactoryTestCase.php          |   32 +-
 .../translation/Test/ProviderTestCase.php     |   24 +-
 .../translation/TranslatableMessage.php       |    8 +-
 .../vendor/symfony/translation/Translator.php |   63 +-
 .../symfony/translation/TranslatorBag.php     |   15 +-
 .../translation/TranslatorBagInterface.php    |    2 +-
 .../translation/Util/ArrayConverter.php       |   51 +-
 .../symfony/translation/Util/XliffUtils.php   |    2 +-
 .../translation/Writer/TranslationWriter.php  |    4 +
 .../Writer/TranslationWriterInterface.php     |    2 +
 .../vendor/symfony/translation/composer.json  |   32 +-
 .../vendor/symfony/var-dumper/CHANGELOG.md    |   19 +
 .../symfony/var-dumper/Caster/AmqpCaster.php  |   15 +
 .../symfony/var-dumper/Caster/ArgsStub.php    |    4 +-
 .../symfony/var-dumper/Caster/Caster.php      |   50 +-
 .../symfony/var-dumper/Caster/ClassStub.php   |   13 +-
 .../symfony/var-dumper/Caster/ConstStub.php   |    2 +-
 .../symfony/var-dumper/Caster/CutStub.php     |    2 +-
 .../symfony/var-dumper/Caster/DOMCaster.php   |   82 +-
 .../symfony/var-dumper/Caster/DateCaster.php  |   24 +-
 .../var-dumper/Caster/DoctrineCaster.php      |    9 +
 .../symfony/var-dumper/Caster/DsPairStub.php  |    2 +-
 .../var-dumper/Caster/ExceptionCaster.php     |   47 +-
 .../symfony/var-dumper/Caster/FFICaster.php   |  161 ++
 .../symfony/var-dumper/Caster/FiberCaster.php |    3 +
 .../symfony/var-dumper/Caster/IntlCaster.php  |   17 +-
 .../symfony/var-dumper/Caster/LinkStub.php    |    9 +-
 .../var-dumper/Caster/MemcachedCaster.php     |    9 +-
 .../symfony/var-dumper/Caster/PdoCaster.php   |    8 +-
 .../symfony/var-dumper/Caster/PgSqlCaster.php |    9 +
 .../var-dumper/Caster/ProxyManagerCaster.php  |    3 +
 .../var-dumper/Caster/RdKafkaCaster.php       |   40 +-
 .../symfony/var-dumper/Caster/RedisCaster.php |   32 +-
 .../var-dumper/Caster/ReflectionCaster.php    |   61 +-
 .../var-dumper/Caster/ResourceCaster.php      |   28 +-
 .../symfony/var-dumper/Caster/ScalarStub.php  |   27 +
 .../symfony/var-dumper/Caster/SplCaster.php   |   62 +-
 .../symfony/var-dumper/Caster/StubCaster.php  |   23 +
 .../var-dumper/Caster/SymfonyCaster.php       |   50 +-
 .../symfony/var-dumper/Caster/TraceStub.php   |    2 +-
 .../var-dumper/Caster/UninitializedStub.php   |   25 +
 .../var-dumper/Caster/XmlReaderCaster.php     |    7 +-
 .../var-dumper/Caster/XmlResourceCaster.php   |    3 +
 .../var-dumper/Cloner/AbstractCloner.php      |   27 +-
 .../vendor/symfony/var-dumper/Cloner/Data.php |   34 +-
 .../var-dumper/Cloner/DumperInterface.php     |    8 +
 .../vendor/symfony/var-dumper/Cloner/Stub.php |    1 +
 .../symfony/var-dumper/Cloner/VarCloner.php   |   49 +-
 .../Command/Descriptor/CliDescriptor.php      |    2 +-
 .../Command/Descriptor/HtmlDescriptor.php     |    2 +-
 .../var-dumper/Command/ServerDumpCommand.php  |    4 +-
 .../var-dumper/Dumper/AbstractDumper.php      |   24 +-
 .../symfony/var-dumper/Dumper/CliDumper.php   |  102 +-
 .../RequestContextProvider.php                |    4 +-
 .../ContextProvider/SourceContextProvider.php |    9 +-
 .../Dumper/ContextualizedDumper.php           |   11 +-
 .../var-dumper/Dumper/DataDumperInterface.php |    3 +
 .../symfony/var-dumper/Dumper/HtmlDumper.php  |   96 +-
 .../var-dumper/Dumper/ServerDumper.php        |   12 +-
 .../Exception/ThrowingCasterException.php     |    2 +-
 .../inc/lib/vendor/symfony/var-dumper/LICENSE |    2 +-
 .../var-dumper/Resources/bin/var-dump-server  |    4 +
 .../var-dumper/Resources/functions/dump.php   |   40 +-
 .../symfony/var-dumper/Server/Connection.php  |   14 +-
 .../symfony/var-dumper/Server/DumpServer.php  |   16 +-
 .../var-dumper/Test/VarDumperTestTrait.php    |    4 +-
 .../vendor/symfony/var-dumper/VarDumper.php   |   33 +-
 .../vendor/symfony/var-dumper/composer.json   |   17 +-
 .../collect/.github/workflows/run-tests.yml   |    4 +-
 .../vendor/tightenco/collect/composer.json    |    3 +-
 .../vendor/tightenco/collect/framework-.zip   |    0
 .../Conditionable/HigherOrderWhenProxy.php    |  109 ++
 .../Collect/Contracts/Support/Arrayable.php   |    6 +-
 .../collect/src/Collect/Support/Arr.php       |  133 +-
 .../src/Collect/Support/Collection.php        |  427 ++---
 .../src/Collect/Support/Enumerable.php        |  524 +++++--
 .../Collect/Support/HigherOrderWhenProxy.php  |   63 -
 .../src/Collect/Support/LazyCollection.php    |  373 +++--
 .../collect/src/Collect/Support/Str.php       | 1367 +++++++++++++++++
 .../Collect/Support/Traits/Conditionable.php  |   73 +
 .../Support/Traits/EnumeratesValues.php       |  428 +++---
 .../collect/src/Collect/Support/alias.php     |    1 -
 481 files changed, 13919 insertions(+), 6171 deletions(-)
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/LICENSE
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/README.md
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/composer.json
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonDoctrineType.php
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonImmutableType.php
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonType.php
 rename data/web/inc/lib/vendor/{nesbot/carbon => carbonphp/carbon-doctrine-types}/src/Carbon/Doctrine/CarbonTypeConverter.php (59%)
 rename data/web/inc/lib/vendor/{nesbot/carbon => carbonphp/carbon-doctrine-types}/src/Carbon/Doctrine/DateTimeDefaultPrecision.php (70%)
 rename data/web/inc/lib/vendor/{nesbot/carbon => carbonphp/carbon-doctrine-types}/src/Carbon/Doctrine/DateTimeImmutableType.php (58%)
 create mode 100644 data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeType.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-integration-tests.yml
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/docker-compose.yml
 delete mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/psalm.xml
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesAndRestoresPropertyValues.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesProperties.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/DirectoryServer.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ConditionNode.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/GroupNode.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Node.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Parser.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ParserException.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Slice.php
 create mode 100644 data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Str.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Broadcasting/ShouldBeUnique.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Console/Isolatable.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Console/PromptsForMissingInput.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Database/Query/ConditionExpression.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Database/Query/Expression.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldDispatchAfterCommit.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldHandleEventsAfterCommit.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Mail/Attachable.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Process/InvokedProcess.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Process/ProcessResult.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Queue/ShouldQueueAfterCommit.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Session/Middleware/AuthenticatesSessions.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Validation/InvokableRule.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidationRule.php
 create mode 100644 data/web/inc/lib/vendor/illuminate/contracts/View/ViewCompilationException.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/.phpstorm.meta.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroBuiltin.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroStatic.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/sponsors.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriodImmutable.php
 delete mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonDoctrineType.php
 delete mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonImmutableType.php
 delete mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonType.php
 delete mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeType.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/EndLessPeriodException.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ckb.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/MessageFormatter/MessageFormatterMapper.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/MagicParameter.php
 create mode 100644 data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/ToStringFormat.php
 create mode 100644 data/web/inc/lib/vendor/psr/clock/CHANGELOG.md
 create mode 100644 data/web/inc/lib/vendor/psr/clock/LICENSE
 create mode 100644 data/web/inc/lib/vendor/psr/clock/README.md
 create mode 100644 data/web/inc/lib/vendor/psr/clock/composer.json
 create mode 100644 data/web/inc/lib/vendor/psr/clock/src/ClockInterface.php
 create mode 100644 data/web/inc/lib/vendor/symfony/polyfill-mbstring/Resources/unidata/caseFolding.php
 create mode 100644 data/web/inc/lib/vendor/symfony/polyfill-php80/PhpToken.php
 create mode 100644 data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/PhpToken.php
 delete mode 100644 data/web/inc/lib/vendor/symfony/translation-contracts/.gitignore
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/CatalogueMetadataAwareInterface.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/DependencyInjection/DataCollectorTranslatorPass.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/DependencyInjection/LoggingTranslatorPass.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/Extractor/PhpAstExtractor.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/AbstractVisitor.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/ConstraintVisitor.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TransMethodVisitor.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TranslatableMessageVisitor.php
 create mode 100644 data/web/inc/lib/vendor/symfony/translation/LocaleSwitcher.php
 rename data/web/inc/lib/vendor/symfony/translation/Resources/schemas/{xliff-core-1.2-strict.xsd => xliff-core-1.2-transitional.xsd} (96%)
 create mode 100644 data/web/inc/lib/vendor/symfony/var-dumper/Caster/FFICaster.php
 create mode 100644 data/web/inc/lib/vendor/symfony/var-dumper/Caster/ScalarStub.php
 create mode 100644 data/web/inc/lib/vendor/symfony/var-dumper/Caster/UninitializedStub.php
 create mode 100644 data/web/inc/lib/vendor/tightenco/collect/framework-.zip
 create mode 100644 data/web/inc/lib/vendor/tightenco/collect/src/Collect/Conditionable/HigherOrderWhenProxy.php
 delete mode 100644 data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/HigherOrderWhenProxy.php
 create mode 100644 data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Str.php
 create mode 100644 data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/Conditionable.php

diff --git a/data/web/inc/lib/composer.json b/data/web/inc/lib/composer.json
index a803291f8..91a50bcbf 100644
--- a/data/web/inc/lib/composer.json
+++ b/data/web/inc/lib/composer.json
@@ -8,7 +8,7 @@
         "matthiasmullie/minify": "^1.3",
         "bshaffer/oauth2-server-php": "^1.11",
         "mustangostang/spyc": "^0.6.3",
-        "directorytree/ldaprecord": "^2.4",
+        "directorytree/ldaprecord": "^3.3",
         "twig/twig": "^3.0",
         "stevenmaguire/oauth2-keycloak": "^4.0",
         "league/oauth2-client": "^2.7"
diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index 516e9fec3..f0659ee80 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -68,6 +68,75 @@
             },
             "time": "2018-12-04T00:29:32+00:00"
         },
+        {
+            "name": "carbonphp/carbon-doctrine-types",
+            "version": "3.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/CarbonPHP/carbon-doctrine-types.git",
+                "reference": "18ba5ddfec8976260ead6e866180bd5d2f71aa1d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/CarbonPHP/carbon-doctrine-types/zipball/18ba5ddfec8976260ead6e866180bd5d2f71aa1d",
+                "reference": "18ba5ddfec8976260ead6e866180bd5d2f71aa1d",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^8.1"
+            },
+            "conflict": {
+                "doctrine/dbal": "<4.0.0 || >=5.0.0"
+            },
+            "require-dev": {
+                "doctrine/dbal": "^4.0.0",
+                "nesbot/carbon": "^2.71.0 || ^3.0.0",
+                "phpunit/phpunit": "^10.3"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Carbon\\Doctrine\\": "src/Carbon/Doctrine/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "KyleKatarn",
+                    "email": "kylekatarnls@gmail.com"
+                }
+            ],
+            "description": "Types to use Carbon in Doctrine",
+            "keywords": [
+                "carbon",
+                "date",
+                "datetime",
+                "doctrine",
+                "time"
+            ],
+            "support": {
+                "issues": "https://github.com/CarbonPHP/carbon-doctrine-types/issues",
+                "source": "https://github.com/CarbonPHP/carbon-doctrine-types/tree/3.2.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/kylekatarnls",
+                    "type": "github"
+                },
+                {
+                    "url": "https://opencollective.com/Carbon",
+                    "type": "open_collective"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/nesbot/carbon",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2024-02-09T16:56:22+00:00"
+        },
         {
             "name": "ddeboer/imap",
             "version": "1.13.1",
@@ -145,27 +214,28 @@
         },
         {
             "name": "directorytree/ldaprecord",
-            "version": "v2.10.1",
+            "version": "v2.20.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/DirectoryTree/LdapRecord.git",
-                "reference": "bf512d9af7a7b0e2ed7a666ab29cefdd027bee88"
+                "reference": "5bd0a5a9d257cf1049ae83055dbba4c3479ddf16"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/DirectoryTree/LdapRecord/zipball/bf512d9af7a7b0e2ed7a666ab29cefdd027bee88",
-                "reference": "bf512d9af7a7b0e2ed7a666ab29cefdd027bee88",
+                "url": "https://api.github.com/repos/DirectoryTree/LdapRecord/zipball/5bd0a5a9d257cf1049ae83055dbba4c3479ddf16",
+                "reference": "5bd0a5a9d257cf1049ae83055dbba4c3479ddf16",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
                 "ext-ldap": "*",
-                "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0",
+                "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0|^10.0",
                 "nesbot/carbon": "^1.0|^2.0",
                 "php": ">=7.3",
-                "psr/log": "*",
+                "psr/log": "^1.0|^2.0|^3.0",
                 "psr/simple-cache": "^1.0|^2.0",
-                "tightenco/collect": "^5.6|^6.0|^7.0|^8.0"
+                "symfony/polyfill-php80": "^1.25",
+                "tightenco/collect": "^5.6|^6.0|^7.0|^8.0|^9.0"
             },
             "require-dev": {
                 "mockery/mockery": "^1.0",
@@ -214,7 +284,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2022-02-25T16:00:51+00:00"
+            "time": "2023-10-11T16:34:34+00:00"
         },
         {
             "name": "firebase/php-jwt",
@@ -609,27 +679,27 @@
         },
         {
             "name": "illuminate/contracts",
-            "version": "v9.3.0",
+            "version": "v10.44.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/illuminate/contracts.git",
-                "reference": "bf4b3c254c49d28157645d01e4883b5951b1e1d0"
+                "reference": "8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/illuminate/contracts/zipball/bf4b3c254c49d28157645d01e4883b5951b1e1d0",
-                "reference": "bf4b3c254c49d28157645d01e4883b5951b1e1d0",
+                "url": "https://api.github.com/repos/illuminate/contracts/zipball/8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac",
+                "reference": "8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac",
                 "shasum": ""
             },
             "require": {
-                "php": "^8.0.2",
+                "php": "^8.1",
                 "psr/container": "^1.1.1|^2.0.1",
                 "psr/simple-cache": "^1.0|^2.0|^3.0"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "9.x-dev"
+                    "dev-master": "10.x-dev"
                 }
             },
             "autoload": {
@@ -653,7 +723,7 @@
                 "issues": "https://github.com/laravel/framework/issues",
                 "source": "https://github.com/laravel/framework"
             },
-            "time": "2022-02-22T14:45:39+00:00"
+            "time": "2024-01-15T18:52:32+00:00"
         },
         {
             "name": "league/oauth2-client",
@@ -908,34 +978,41 @@
         },
         {
             "name": "nesbot/carbon",
-            "version": "2.57.0",
+            "version": "2.72.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/briannesbitt/Carbon.git",
-                "reference": "4a54375c21eea4811dbd1149fe6b246517554e78"
+                "reference": "0c6fd108360c562f6e4fd1dedb8233b423e91c83"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/4a54375c21eea4811dbd1149fe6b246517554e78",
-                "reference": "4a54375c21eea4811dbd1149fe6b246517554e78",
+                "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/0c6fd108360c562f6e4fd1dedb8233b423e91c83",
+                "reference": "0c6fd108360c562f6e4fd1dedb8233b423e91c83",
                 "shasum": ""
             },
             "require": {
+                "carbonphp/carbon-doctrine-types": "*",
                 "ext-json": "*",
                 "php": "^7.1.8 || ^8.0",
+                "psr/clock": "^1.0",
                 "symfony/polyfill-mbstring": "^1.0",
                 "symfony/polyfill-php80": "^1.16",
                 "symfony/translation": "^3.4 || ^4.0 || ^5.0 || ^6.0"
             },
+            "provide": {
+                "psr/clock-implementation": "1.0"
+            },
             "require-dev": {
-                "doctrine/dbal": "^2.0 || ^3.0",
-                "doctrine/orm": "^2.7",
+                "doctrine/dbal": "^2.0 || ^3.1.4 || ^4.0",
+                "doctrine/orm": "^2.7 || ^3.0",
                 "friendsofphp/php-cs-fixer": "^3.0",
                 "kylekatarnls/multi-tester": "^2.0",
+                "ondrejmirtes/better-reflection": "*",
                 "phpmd/phpmd": "^2.9",
                 "phpstan/extension-installer": "^1.0",
-                "phpstan/phpstan": "^0.12.54 || ^1.0",
-                "phpunit/phpunit": "^7.5.20 || ^8.5.14",
+                "phpstan/phpstan": "^0.12.99 || ^1.7.14",
+                "phpunit/php-file-iterator": "^2.0.5 || ^3.0.6",
+                "phpunit/phpunit": "^7.5.20 || ^8.5.26 || ^9.5.20",
                 "squizlabs/php_codesniffer": "^3.4"
             },
             "bin": [
@@ -992,15 +1069,19 @@
             },
             "funding": [
                 {
-                    "url": "https://opencollective.com/Carbon",
-                    "type": "open_collective"
+                    "url": "https://github.com/sponsors/kylekatarnls",
+                    "type": "github"
                 },
                 {
-                    "url": "https://tidelift.com/funding/github/packagist/nesbot/carbon",
+                    "url": "https://opencollective.com/Carbon#sponsor",
+                    "type": "opencollective"
+                },
+                {
+                    "url": "https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme",
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-02-13T18:13:33+00:00"
+            "time": "2024-01-25T10:35:09+00:00"
         },
         {
             "name": "paragonie/random_compat",
@@ -1221,6 +1302,54 @@
             ],
             "time": "2022-02-28T15:31:21+00:00"
         },
+        {
+            "name": "psr/clock",
+            "version": "1.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/clock.git",
+                "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/clock/zipball/e41a24703d4560fd0acb709162f73b8adfc3aa0d",
+                "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0 || ^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Clock\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "https://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for reading the clock.",
+            "homepage": "https://github.com/php-fig/clock",
+            "keywords": [
+                "clock",
+                "now",
+                "psr",
+                "psr-20",
+                "time"
+            ],
+            "support": {
+                "issues": "https://github.com/php-fig/clock/issues",
+                "source": "https://github.com/php-fig/clock/tree/1.0.0"
+            },
+            "time": "2022-11-25T14:36:26+00:00"
+        },
         {
             "name": "psr/container",
             "version": "2.0.2",
@@ -1767,16 +1896,16 @@
         },
         {
             "name": "symfony/deprecation-contracts",
-            "version": "v3.2.1",
+            "version": "v3.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+                "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
-                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/7c3aff79d10325257a001fcf92d991f24fc967cf",
+                "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf",
                 "shasum": ""
             },
             "require": {
@@ -1785,7 +1914,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "3.3-dev"
+                    "dev-main": "3.4-dev"
                 },
                 "thanks": {
                     "name": "symfony/contracts",
@@ -1814,7 +1943,7 @@
             "description": "A generic function and convention to trigger deprecation notices",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.4.0"
             },
             "funding": [
                 {
@@ -1830,7 +1959,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-03-01T10:25:55+00:00"
+            "time": "2023-05-23T14:45:45+00:00"
         },
         {
             "name": "symfony/polyfill-ctype",
@@ -1916,16 +2045,16 @@
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.24.0",
+            "version": "v1.29.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "0abb51d2f102e00a4eefcf46ba7fec406d245825"
+                "reference": "9773676c8a1bb1f8d4340a62efe641cf76eda7ec"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/0abb51d2f102e00a4eefcf46ba7fec406d245825",
-                "reference": "0abb51d2f102e00a4eefcf46ba7fec406d245825",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/9773676c8a1bb1f8d4340a62efe641cf76eda7ec",
+                "reference": "9773676c8a1bb1f8d4340a62efe641cf76eda7ec",
                 "shasum": ""
             },
             "require": {
@@ -1939,9 +2068,6 @@
             },
             "type": "library",
             "extra": {
-                "branch-alias": {
-                    "dev-main": "1.23-dev"
-                },
                 "thanks": {
                     "name": "symfony/polyfill",
                     "url": "https://github.com/symfony/polyfill"
@@ -1979,7 +2105,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.24.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.29.0"
             },
             "funding": [
                 {
@@ -1995,20 +2121,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-11-30T18:21:41+00:00"
+            "time": "2024-01-29T20:11:03+00:00"
         },
         {
             "name": "symfony/polyfill-php80",
-            "version": "v1.24.0",
+            "version": "v1.29.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php80.git",
-                "reference": "57b712b08eddb97c762a8caa32c84e037892d2e9"
+                "reference": "87b68208d5c1188808dd7839ee1e6c8ec3b02f1b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/57b712b08eddb97c762a8caa32c84e037892d2e9",
-                "reference": "57b712b08eddb97c762a8caa32c84e037892d2e9",
+                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/87b68208d5c1188808dd7839ee1e6c8ec3b02f1b",
+                "reference": "87b68208d5c1188808dd7839ee1e6c8ec3b02f1b",
                 "shasum": ""
             },
             "require": {
@@ -2016,9 +2142,6 @@
             },
             "type": "library",
             "extra": {
-                "branch-alias": {
-                    "dev-main": "1.23-dev"
-                },
                 "thanks": {
                     "name": "symfony/polyfill",
                     "url": "https://github.com/symfony/polyfill"
@@ -2062,7 +2185,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php80/tree/v1.24.0"
+                "source": "https://github.com/symfony/polyfill-php80/tree/v1.29.0"
             },
             "funding": [
                 {
@@ -2078,32 +2201,35 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-09-13T13:58:33+00:00"
+            "time": "2024-01-29T20:11:03+00:00"
         },
         {
             "name": "symfony/translation",
-            "version": "v6.0.5",
+            "version": "v6.4.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/translation.git",
-                "reference": "e69501c71107cc3146b32aaa45f4edd0c3427875"
+                "reference": "637c51191b6b184184bbf98937702bcf554f7d04"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/translation/zipball/e69501c71107cc3146b32aaa45f4edd0c3427875",
-                "reference": "e69501c71107cc3146b32aaa45f4edd0c3427875",
+                "url": "https://api.github.com/repos/symfony/translation/zipball/637c51191b6b184184bbf98937702bcf554f7d04",
+                "reference": "637c51191b6b184184bbf98937702bcf554f7d04",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2",
+                "php": ">=8.1",
+                "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-mbstring": "~1.0",
-                "symfony/translation-contracts": "^2.3|^3.0"
+                "symfony/translation-contracts": "^2.5|^3.0"
             },
             "conflict": {
                 "symfony/config": "<5.4",
                 "symfony/console": "<5.4",
                 "symfony/dependency-injection": "<5.4",
+                "symfony/http-client-contracts": "<2.5",
                 "symfony/http-kernel": "<5.4",
+                "symfony/service-contracts": "<2.5",
                 "symfony/twig-bundle": "<5.4",
                 "symfony/yaml": "<5.4"
             },
@@ -2111,22 +2237,19 @@
                 "symfony/translation-implementation": "2.3|3.0"
             },
             "require-dev": {
+                "nikic/php-parser": "^4.18|^5.0",
                 "psr/log": "^1|^2|^3",
-                "symfony/config": "^5.4|^6.0",
-                "symfony/console": "^5.4|^6.0",
-                "symfony/dependency-injection": "^5.4|^6.0",
-                "symfony/finder": "^5.4|^6.0",
-                "symfony/http-client-contracts": "^1.1|^2.0|^3.0",
-                "symfony/http-kernel": "^5.4|^6.0",
-                "symfony/intl": "^5.4|^6.0",
+                "symfony/config": "^5.4|^6.0|^7.0",
+                "symfony/console": "^5.4|^6.0|^7.0",
+                "symfony/dependency-injection": "^5.4|^6.0|^7.0",
+                "symfony/finder": "^5.4|^6.0|^7.0",
+                "symfony/http-client-contracts": "^2.5|^3.0",
+                "symfony/http-kernel": "^5.4|^6.0|^7.0",
+                "symfony/intl": "^5.4|^6.0|^7.0",
                 "symfony/polyfill-intl-icu": "^1.21",
-                "symfony/service-contracts": "^1.1.2|^2|^3",
-                "symfony/yaml": "^5.4|^6.0"
-            },
-            "suggest": {
-                "psr/log-implementation": "To use logging capability in translator",
-                "symfony/config": "",
-                "symfony/yaml": ""
+                "symfony/routing": "^5.4|^6.0|^7.0",
+                "symfony/service-contracts": "^2.5|^3",
+                "symfony/yaml": "^5.4|^6.0|^7.0"
             },
             "type": "library",
             "autoload": {
@@ -2157,7 +2280,7 @@
             "description": "Provides tools to internationalize your application",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/translation/tree/v6.0.5"
+                "source": "https://github.com/symfony/translation/tree/v6.4.3"
             },
             "funding": [
                 {
@@ -2173,32 +2296,29 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-02-09T15:52:48+00:00"
+            "time": "2024-01-29T13:11:52+00:00"
         },
         {
             "name": "symfony/translation-contracts",
-            "version": "v3.0.0",
+            "version": "v3.4.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/translation-contracts.git",
-                "reference": "1b6ea5a7442af5a12dba3dbd6d71034b5b234e77"
+                "reference": "06450585bf65e978026bda220cdebca3f867fde7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/translation-contracts/zipball/1b6ea5a7442af5a12dba3dbd6d71034b5b234e77",
-                "reference": "1b6ea5a7442af5a12dba3dbd6d71034b5b234e77",
+                "url": "https://api.github.com/repos/symfony/translation-contracts/zipball/06450585bf65e978026bda220cdebca3f867fde7",
+                "reference": "06450585bf65e978026bda220cdebca3f867fde7",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2"
-            },
-            "suggest": {
-                "symfony/translation-implementation": ""
+                "php": ">=8.1"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "3.0-dev"
+                    "dev-main": "3.4-dev"
                 },
                 "thanks": {
                     "name": "symfony/contracts",
@@ -2208,7 +2328,10 @@
             "autoload": {
                 "psr-4": {
                     "Symfony\\Contracts\\Translation\\": ""
-                }
+                },
+                "exclude-from-classmap": [
+                    "/Test/"
+                ]
             },
             "notification-url": "https://packagist.org/downloads/",
             "license": [
@@ -2235,7 +2358,7 @@
                 "standards"
             ],
             "support": {
-                "source": "https://github.com/symfony/translation-contracts/tree/v3.0.0"
+                "source": "https://github.com/symfony/translation-contracts/tree/v3.4.1"
             },
             "funding": [
                 {
@@ -2251,42 +2374,39 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-09-07T12:43:40+00:00"
+            "time": "2023-12-26T14:02:43+00:00"
         },
         {
             "name": "symfony/var-dumper",
-            "version": "v6.0.5",
+            "version": "v6.4.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/var-dumper.git",
-                "reference": "60d6a756d5f485df5e6e40b337334848f79f61ce"
+                "reference": "0435a08f69125535336177c29d56af3abc1f69da"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/var-dumper/zipball/60d6a756d5f485df5e6e40b337334848f79f61ce",
-                "reference": "60d6a756d5f485df5e6e40b337334848f79f61ce",
+                "url": "https://api.github.com/repos/symfony/var-dumper/zipball/0435a08f69125535336177c29d56af3abc1f69da",
+                "reference": "0435a08f69125535336177c29d56af3abc1f69da",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2",
+                "php": ">=8.1",
+                "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-mbstring": "~1.0"
             },
             "conflict": {
-                "phpunit/phpunit": "<5.4.3",
                 "symfony/console": "<5.4"
             },
             "require-dev": {
                 "ext-iconv": "*",
-                "symfony/console": "^5.4|^6.0",
-                "symfony/process": "^5.4|^6.0",
-                "symfony/uid": "^5.4|^6.0",
+                "symfony/console": "^5.4|^6.0|^7.0",
+                "symfony/error-handler": "^6.3|^7.0",
+                "symfony/http-kernel": "^5.4|^6.0|^7.0",
+                "symfony/process": "^5.4|^6.0|^7.0",
+                "symfony/uid": "^5.4|^6.0|^7.0",
                 "twig/twig": "^2.13|^3.0.4"
             },
-            "suggest": {
-                "ext-iconv": "To convert non-UTF-8 strings to UTF-8 (or symfony/polyfill-iconv in case ext-iconv cannot be used).",
-                "ext-intl": "To show region name in time zone dump",
-                "symfony/console": "To use the ServerDumpCommand and/or the bin/var-dump-server script"
-            },
             "bin": [
                 "Resources/bin/var-dump-server"
             ],
@@ -2323,7 +2443,7 @@
                 "dump"
             ],
             "support": {
-                "source": "https://github.com/symfony/var-dumper/tree/v6.0.5"
+                "source": "https://github.com/symfony/var-dumper/tree/v6.4.3"
             },
             "funding": [
                 {
@@ -2339,24 +2459,24 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-02-21T17:15:17+00:00"
+            "time": "2024-01-23T14:53:30+00:00"
         },
         {
             "name": "tightenco/collect",
-            "version": "v8.83.2",
+            "version": "v9.52.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/tighten/collect.git",
-                "reference": "d9c66d586ec2d216d8a31283d73f8df1400cc722"
+                "reference": "b15143cd11fe01a700fcc449df61adc64452fa6d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/tighten/collect/zipball/d9c66d586ec2d216d8a31283d73f8df1400cc722",
-                "reference": "d9c66d586ec2d216d8a31283d73f8df1400cc722",
+                "url": "https://api.github.com/repos/tighten/collect/zipball/b15143cd11fe01a700fcc449df61adc64452fa6d",
+                "reference": "b15143cd11fe01a700fcc449df61adc64452fa6d",
                 "shasum": ""
             },
             "require": {
-                "php": "^7.3|^8.0",
+                "php": "^8.0",
                 "symfony/var-dumper": "^3.4 || ^4.0 || ^5.0 || ^6.0"
             },
             "require-dev": {
@@ -2391,9 +2511,9 @@
             ],
             "support": {
                 "issues": "https://github.com/tighten/collect/issues",
-                "source": "https://github.com/tighten/collect/tree/v8.83.2"
+                "source": "https://github.com/tighten/collect/tree/v9.52.7"
             },
-            "time": "2022-02-16T16:15:54+00:00"
+            "time": "2023-04-14T21:51:36+00:00"
         },
         {
             "name": "twig/twig",
@@ -2480,5 +2600,5 @@
     "prefer-lowest": false,
     "platform": [],
     "platform-dev": [],
-    "plugin-api-version": "2.3.0"
+    "plugin-api-version": "2.6.0"
 }
diff --git a/data/web/inc/lib/vendor/autoload.php b/data/web/inc/lib/vendor/autoload.php
index c21364e81..a0fb8f4ac 100644
--- a/data/web/inc/lib/vendor/autoload.php
+++ b/data/web/inc/lib/vendor/autoload.php
@@ -3,8 +3,21 @@
 // autoload.php @generated by Composer
 
 if (PHP_VERSION_ID < 50600) {
-    echo 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;
-    exit(1);
+    if (!headers_sent()) {
+        header('HTTP/1.1 500 Internal Server Error');
+    }
+    $err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;
+    if (!ini_get('display_errors')) {
+        if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
+            fwrite(STDERR, $err);
+        } elseif (!headers_sent()) {
+            echo $err;
+        }
+    }
+    trigger_error(
+        $err,
+        E_USER_ERROR
+    );
 }
 
 require_once __DIR__ . '/composer/autoload_real.php';
diff --git a/data/web/inc/lib/vendor/bin/carbon b/data/web/inc/lib/vendor/bin/carbon
index 7b63379a0..86fbfdfd8 100755
--- a/data/web/inc/lib/vendor/bin/carbon
+++ b/data/web/inc/lib/vendor/bin/carbon
@@ -12,6 +12,7 @@
 
 namespace Composer;
 
+$GLOBALS['_composer_bin_dir'] = __DIR__;
 $GLOBALS['_composer_autoload_path'] = __DIR__ . '/..'.'/autoload.php';
 
 if (PHP_VERSION_ID < 80000) {
@@ -23,18 +24,17 @@ if (PHP_VERSION_ID < 80000) {
         {
             private $handle;
             private $position;
+            private $realpath;
 
             public function stream_open($path, $mode, $options, &$opened_path)
             {
-                // get rid of composer-bin-proxy:// prefix for __FILE__ & __DIR__ resolution
-                $opened_path = substr($path, 21);
-                $opened_path = realpath($opened_path) ?: $opened_path;
-                $this->handle = fopen($opened_path, $mode);
+                // get rid of phpvfscomposer:// prefix for __FILE__ & __DIR__ resolution
+                $opened_path = substr($path, 17);
+                $this->realpath = realpath($opened_path) ?: $opened_path;
+                $opened_path = $this->realpath;
+                $this->handle = fopen($this->realpath, $mode);
                 $this->position = 0;
 
-                // remove all traces of this stream wrapper once it has been used
-                stream_wrapper_unregister('composer-bin-proxy');
-
                 return (bool) $this->handle;
             }
 
@@ -66,6 +66,16 @@ if (PHP_VERSION_ID < 80000) {
                 return $operation ? flock($this->handle, $operation) : true;
             }
 
+            public function stream_seek($offset, $whence)
+            {
+                if (0 === fseek($this->handle, $offset, $whence)) {
+                    $this->position = ftell($this->handle);
+                    return true;
+                }
+
+                return false;
+            }
+
             public function stream_tell()
             {
                 return $this->position;
@@ -78,20 +88,32 @@ if (PHP_VERSION_ID < 80000) {
 
             public function stream_stat()
             {
-                return fstat($this->handle);
+                return array();
             }
 
             public function stream_set_option($option, $arg1, $arg2)
             {
                 return true;
             }
+
+            public function url_stat($path, $flags)
+            {
+                $path = substr($path, 17);
+                if (file_exists($path)) {
+                    return stat($path);
+                }
+
+                return false;
+            }
         }
     }
 
-    if (function_exists('stream_wrapper_register') && stream_wrapper_register('composer-bin-proxy', 'Composer\BinProxyWrapper')) {
-        include("composer-bin-proxy://" . __DIR__ . '/..'.'/nesbot/carbon/bin/carbon');
-        exit(0);
+    if (
+        (function_exists('stream_get_wrappers') && in_array('phpvfscomposer', stream_get_wrappers(), true))
+        || (function_exists('stream_wrapper_register') && stream_wrapper_register('phpvfscomposer', 'Composer\BinProxyWrapper'))
+    ) {
+        return include("phpvfscomposer://" . __DIR__ . '/..'.'/nesbot/carbon/bin/carbon');
     }
 }
 
-include __DIR__ . '/..'.'/nesbot/carbon/bin/carbon';
+return include __DIR__ . '/..'.'/nesbot/carbon/bin/carbon';
diff --git a/data/web/inc/lib/vendor/bin/var-dump-server b/data/web/inc/lib/vendor/bin/var-dump-server
index 1eafd5d9b..18db1c1eb 100755
--- a/data/web/inc/lib/vendor/bin/var-dump-server
+++ b/data/web/inc/lib/vendor/bin/var-dump-server
@@ -12,6 +12,7 @@
 
 namespace Composer;
 
+$GLOBALS['_composer_bin_dir'] = __DIR__;
 $GLOBALS['_composer_autoload_path'] = __DIR__ . '/..'.'/autoload.php';
 
 if (PHP_VERSION_ID < 80000) {
@@ -23,18 +24,17 @@ if (PHP_VERSION_ID < 80000) {
         {
             private $handle;
             private $position;
+            private $realpath;
 
             public function stream_open($path, $mode, $options, &$opened_path)
             {
-                // get rid of composer-bin-proxy:// prefix for __FILE__ & __DIR__ resolution
-                $opened_path = substr($path, 21);
-                $opened_path = realpath($opened_path) ?: $opened_path;
-                $this->handle = fopen($opened_path, $mode);
+                // get rid of phpvfscomposer:// prefix for __FILE__ & __DIR__ resolution
+                $opened_path = substr($path, 17);
+                $this->realpath = realpath($opened_path) ?: $opened_path;
+                $opened_path = $this->realpath;
+                $this->handle = fopen($this->realpath, $mode);
                 $this->position = 0;
 
-                // remove all traces of this stream wrapper once it has been used
-                stream_wrapper_unregister('composer-bin-proxy');
-
                 return (bool) $this->handle;
             }
 
@@ -66,6 +66,16 @@ if (PHP_VERSION_ID < 80000) {
                 return $operation ? flock($this->handle, $operation) : true;
             }
 
+            public function stream_seek($offset, $whence)
+            {
+                if (0 === fseek($this->handle, $offset, $whence)) {
+                    $this->position = ftell($this->handle);
+                    return true;
+                }
+
+                return false;
+            }
+
             public function stream_tell()
             {
                 return $this->position;
@@ -78,20 +88,32 @@ if (PHP_VERSION_ID < 80000) {
 
             public function stream_stat()
             {
-                return fstat($this->handle);
+                return array();
             }
 
             public function stream_set_option($option, $arg1, $arg2)
             {
                 return true;
             }
+
+            public function url_stat($path, $flags)
+            {
+                $path = substr($path, 17);
+                if (file_exists($path)) {
+                    return stat($path);
+                }
+
+                return false;
+            }
         }
     }
 
-    if (function_exists('stream_wrapper_register') && stream_wrapper_register('composer-bin-proxy', 'Composer\BinProxyWrapper')) {
-        include("composer-bin-proxy://" . __DIR__ . '/..'.'/symfony/var-dumper/Resources/bin/var-dump-server');
-        exit(0);
+    if (
+        (function_exists('stream_get_wrappers') && in_array('phpvfscomposer', stream_get_wrappers(), true))
+        || (function_exists('stream_wrapper_register') && stream_wrapper_register('phpvfscomposer', 'Composer\BinProxyWrapper'))
+    ) {
+        return include("phpvfscomposer://" . __DIR__ . '/..'.'/symfony/var-dumper/Resources/bin/var-dump-server');
     }
 }
 
-include __DIR__ . '/..'.'/symfony/var-dumper/Resources/bin/var-dump-server';
+return include __DIR__ . '/..'.'/symfony/var-dumper/Resources/bin/var-dump-server';
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/LICENSE b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/LICENSE
new file mode 100644
index 000000000..2ee1671db
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Carbon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/README.md b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/README.md
new file mode 100644
index 000000000..5a18121b6
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/README.md
@@ -0,0 +1,14 @@
+# carbonphp/carbon-doctrine-types
+
+Types to use Carbon in Doctrine
+
+## Documentation
+
+[Check how to use in the official Carbon documentation](https://carbon.nesbot.com/symfony/)
+
+This package is an externalization of [src/Carbon/Doctrine](https://github.com/briannesbitt/Carbon/tree/2.71.0/src/Carbon/Doctrine)
+from `nestbot/carbon` package.
+
+Externalization allows to better deal with different versions of dbal. With
+version 4.0 of dbal, it no longer sustainable to be compatible with all version
+using a single code.
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/composer.json b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/composer.json
new file mode 100644
index 000000000..abf45c5fb
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/composer.json
@@ -0,0 +1,36 @@
+{
+    "name": "carbonphp/carbon-doctrine-types",
+    "description": "Types to use Carbon in Doctrine",
+    "type": "library",
+    "keywords": [
+        "date",
+        "time",
+        "DateTime",
+        "Carbon",
+        "Doctrine"
+    ],
+    "require": {
+        "php": "^8.1"
+    },
+    "require-dev": {
+        "doctrine/dbal": "^4.0.0",
+        "nesbot/carbon": "^2.71.0 || ^3.0.0",
+        "phpunit/phpunit": "^10.3"
+    },
+    "conflict": {
+        "doctrine/dbal": "<4.0.0 || >=5.0.0"
+    },
+    "license": "MIT",
+    "autoload": {
+        "psr-4": {
+            "Carbon\\Doctrine\\": "src/Carbon/Doctrine/"
+        }
+    },
+    "authors": [
+        {
+            "name": "KyleKatarn",
+            "email": "kylekatarnls@gmail.com"
+        }
+    ],
+    "minimum-stability": "dev"
+}
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonDoctrineType.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonDoctrineType.php
new file mode 100644
index 000000000..a63a9b8d2
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonDoctrineType.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Carbon\Doctrine;
+
+use Doctrine\DBAL\Platforms\AbstractPlatform;
+
+interface CarbonDoctrineType
+{
+    public function getSQLDeclaration(array $fieldDeclaration, AbstractPlatform $platform);
+
+    public function convertToPHPValue(mixed $value, AbstractPlatform $platform);
+
+    public function convertToDatabaseValue($value, AbstractPlatform $platform);
+}
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonImmutableType.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonImmutableType.php
new file mode 100644
index 000000000..8fc6bef33
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonImmutableType.php
@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Carbon\Doctrine;
+
+class CarbonImmutableType extends DateTimeImmutableType implements CarbonDoctrineType
+{
+}
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonType.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonType.php
new file mode 100644
index 000000000..206b0e373
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonType.php
@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Carbon\Doctrine;
+
+class CarbonType extends DateTimeType implements CarbonDoctrineType
+{
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonTypeConverter.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonTypeConverter.php
similarity index 59%
rename from data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonTypeConverter.php
rename to data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonTypeConverter.php
index ecfe17e79..a81331177 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonTypeConverter.php
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonTypeConverter.php
@@ -1,13 +1,6 @@
 <?php
 
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
+declare(strict_types=1);
 
 namespace Carbon\Doctrine;
 
@@ -15,7 +8,12 @@ use Carbon\Carbon;
 use Carbon\CarbonInterface;
 use DateTimeInterface;
 use Doctrine\DBAL\Platforms\AbstractPlatform;
-use Doctrine\DBAL\Types\ConversionException;
+use Doctrine\DBAL\Platforms\DB2Platform;
+use Doctrine\DBAL\Platforms\OraclePlatform;
+use Doctrine\DBAL\Platforms\SQLitePlatform;
+use Doctrine\DBAL\Platforms\SQLServerPlatform;
+use Doctrine\DBAL\Types\Exception\InvalidType;
+use Doctrine\DBAL\Types\Exception\ValueNotConvertible;
 use Exception;
 
 /**
@@ -23,6 +21,14 @@ use Exception;
  */
 trait CarbonTypeConverter
 {
+    /**
+     * This property differentiates types installed by carbonphp/carbon-doctrine-types
+     * from the ones embedded previously in nesbot/carbon source directly.
+     *
+     * @readonly
+     */
+    public bool $external = true;
+
     /**
      * @return class-string<T>
      */
@@ -31,20 +37,12 @@ trait CarbonTypeConverter
         return Carbon::class;
     }
 
-    /**
-     * @return string
-     */
-    public function getSQLDeclaration(array $fieldDeclaration, AbstractPlatform $platform)
+    public function getSQLDeclaration(array $fieldDeclaration, AbstractPlatform $platform): string
     {
-        $precision = $fieldDeclaration['precision'] ?: 10;
-
-        if ($fieldDeclaration['secondPrecision'] ?? false) {
-            $precision = 0;
-        }
-
-        if ($precision === 10) {
-            $precision = DateTimeDefaultPrecision::get();
-        }
+        $precision = min(
+            $fieldDeclaration['precision'] ?? DateTimeDefaultPrecision::get(),
+            $this->getMaximumPrecision($platform),
+        );
 
         $type = parent::getSQLDeclaration($fieldDeclaration, $platform);
 
@@ -63,10 +61,25 @@ trait CarbonTypeConverter
 
     /**
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     *
-     * @return T|null
      */
-    public function convertToPHPValue($value, AbstractPlatform $platform)
+    public function convertToDatabaseValue($value, AbstractPlatform $platform): ?string
+    {
+        if ($value === null) {
+            return $value;
+        }
+
+        if ($value instanceof DateTimeInterface) {
+            return $value->format('Y-m-d H:i:s.u');
+        }
+
+        throw InvalidType::new(
+            $value,
+            static::class,
+            ['null', 'DateTime', 'Carbon']
+        );
+    }
+
+    private function doConvertToPHPValue(mixed $value)
     {
         $class = $this->getCarbonClassName();
 
@@ -88,9 +101,9 @@ trait CarbonTypeConverter
         }
 
         if (!$date) {
-            throw ConversionException::conversionFailedFormat(
+            throw ValueNotConvertible::new(
                 $value,
-                $this->getName(),
+                static::class,
                 'Y-m-d H:i:s.u or any format supported by '.$class.'::parse()',
                 $error
             );
@@ -99,25 +112,20 @@ trait CarbonTypeConverter
         return $date;
     }
 
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     *
-     * @return string|null
-     */
-    public function convertToDatabaseValue($value, AbstractPlatform $platform)
+    private function getMaximumPrecision(AbstractPlatform $platform): int
     {
-        if ($value === null) {
-            return $value;
+        if ($platform instanceof DB2Platform) {
+            return 12;
         }
 
-        if ($value instanceof DateTimeInterface) {
-            return $value->format('Y-m-d H:i:s.u');
+        if ($platform instanceof OraclePlatform) {
+            return 9;
         }
 
-        throw ConversionException::conversionFailedInvalidType(
-            $value,
-            $this->getName(),
-            ['null', 'DateTime', 'Carbon']
-        );
+        if ($platform instanceof SQLServerPlatform || $platform instanceof SQLitePlatform) {
+            return 3;
+        }
+
+        return 6;
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeDefaultPrecision.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
similarity index 70%
rename from data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
rename to data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
index 642fd4135..cd9896f9c 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
@@ -1,13 +1,6 @@
 <?php
 
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
+declare(strict_types=1);
 
 namespace Carbon\Doctrine;
 
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeImmutableType.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeImmutableType.php
similarity index 58%
rename from data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeImmutableType.php
rename to data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeImmutableType.php
index 499271031..fd6467e3d 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeImmutableType.php
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeImmutableType.php
@@ -1,12 +1,12 @@
 <?php
 
-/**
- * Thanks to https://github.com/flaushi for his suggestion:
- * https://github.com/doctrine/dbal/issues/2873#issuecomment-534956358
- */
+declare(strict_types=1);
+
 namespace Carbon\Doctrine;
 
 use Carbon\CarbonImmutable;
+use DateTimeImmutable;
+use Doctrine\DBAL\Platforms\AbstractPlatform;
 use Doctrine\DBAL\Types\VarDateTimeImmutableType;
 
 class DateTimeImmutableType extends VarDateTimeImmutableType implements CarbonDoctrineType
@@ -14,6 +14,14 @@ class DateTimeImmutableType extends VarDateTimeImmutableType implements CarbonDo
     /** @use CarbonTypeConverter<CarbonImmutable> */
     use CarbonTypeConverter;
 
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function convertToPHPValue(mixed $value, AbstractPlatform $platform): ?CarbonImmutable
+    {
+        return $this->doConvertToPHPValue($value);
+    }
+
     /**
      * @return class-string<CarbonImmutable>
      */
diff --git a/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeType.php b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeType.php
new file mode 100644
index 000000000..89e4b7903
--- /dev/null
+++ b/data/web/inc/lib/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeType.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Carbon\Doctrine;
+
+use Carbon\Carbon;
+use DateTime;
+use Doctrine\DBAL\Platforms\AbstractPlatform;
+use Doctrine\DBAL\Types\VarDateTimeType;
+
+class DateTimeType extends VarDateTimeType implements CarbonDoctrineType
+{
+    /** @use CarbonTypeConverter<Carbon> */
+    use CarbonTypeConverter;
+
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function convertToPHPValue(mixed $value, AbstractPlatform $platform): ?Carbon
+    {
+        return $this->doConvertToPHPValue($value);
+    }
+}
diff --git a/data/web/inc/lib/vendor/composer/ClassLoader.php b/data/web/inc/lib/vendor/composer/ClassLoader.php
index afef3fa2a..7824d8f7e 100644
--- a/data/web/inc/lib/vendor/composer/ClassLoader.php
+++ b/data/web/inc/lib/vendor/composer/ClassLoader.php
@@ -42,35 +42,37 @@ namespace Composer\Autoload;
  */
 class ClassLoader
 {
-    /** @var ?string */
+    /** @var \Closure(string):void */
+    private static $includeFile;
+
+    /** @var string|null */
     private $vendorDir;
 
     // PSR-4
     /**
-     * @var array[]
-     * @psalm-var array<string, array<string, int>>
+     * @var array<string, array<string, int>>
      */
     private $prefixLengthsPsr4 = array();
     /**
-     * @var array[]
-     * @psalm-var array<string, array<int, string>>
+     * @var array<string, list<string>>
      */
     private $prefixDirsPsr4 = array();
     /**
-     * @var array[]
-     * @psalm-var array<string, string>
+     * @var list<string>
      */
     private $fallbackDirsPsr4 = array();
 
     // PSR-0
     /**
-     * @var array[]
-     * @psalm-var array<string, array<string, string[]>>
+     * List of PSR-0 prefixes
+     *
+     * Structured as array('F (first letter)' => array('Foo\Bar (full prefix)' => array('path', 'path2')))
+     *
+     * @var array<string, array<string, list<string>>>
      */
     private $prefixesPsr0 = array();
     /**
-     * @var array[]
-     * @psalm-var array<string, string>
+     * @var list<string>
      */
     private $fallbackDirsPsr0 = array();
 
@@ -78,8 +80,7 @@ class ClassLoader
     private $useIncludePath = false;
 
     /**
-     * @var string[]
-     * @psalm-var array<string, string>
+     * @var array<string, string>
      */
     private $classMap = array();
 
@@ -87,29 +88,29 @@ class ClassLoader
     private $classMapAuthoritative = false;
 
     /**
-     * @var bool[]
-     * @psalm-var array<string, bool>
+     * @var array<string, bool>
      */
     private $missingClasses = array();
 
-    /** @var ?string */
+    /** @var string|null */
     private $apcuPrefix;
 
     /**
-     * @var self[]
+     * @var array<string, self>
      */
     private static $registeredLoaders = array();
 
     /**
-     * @param ?string $vendorDir
+     * @param string|null $vendorDir
      */
     public function __construct($vendorDir = null)
     {
         $this->vendorDir = $vendorDir;
+        self::initializeIncludeClosure();
     }
 
     /**
-     * @return string[]
+     * @return array<string, list<string>>
      */
     public function getPrefixes()
     {
@@ -121,8 +122,7 @@ class ClassLoader
     }
 
     /**
-     * @return array[]
-     * @psalm-return array<string, array<int, string>>
+     * @return array<string, list<string>>
      */
     public function getPrefixesPsr4()
     {
@@ -130,8 +130,7 @@ class ClassLoader
     }
 
     /**
-     * @return array[]
-     * @psalm-return array<string, string>
+     * @return list<string>
      */
     public function getFallbackDirs()
     {
@@ -139,8 +138,7 @@ class ClassLoader
     }
 
     /**
-     * @return array[]
-     * @psalm-return array<string, string>
+     * @return list<string>
      */
     public function getFallbackDirsPsr4()
     {
@@ -148,8 +146,7 @@ class ClassLoader
     }
 
     /**
-     * @return string[] Array of classname => path
-     * @psalm-return array<string, string>
+     * @return array<string, string> Array of classname => path
      */
     public function getClassMap()
     {
@@ -157,8 +154,7 @@ class ClassLoader
     }
 
     /**
-     * @param string[] $classMap Class to filename map
-     * @psalm-param array<string, string> $classMap
+     * @param array<string, string> $classMap Class to filename map
      *
      * @return void
      */
@@ -175,24 +171,25 @@ class ClassLoader
      * Registers a set of PSR-0 directories for a given prefix, either
      * appending or prepending to the ones previously set for this prefix.
      *
-     * @param string          $prefix  The prefix
-     * @param string[]|string $paths   The PSR-0 root directories
-     * @param bool            $prepend Whether to prepend the directories
+     * @param string              $prefix  The prefix
+     * @param list<string>|string $paths   The PSR-0 root directories
+     * @param bool                $prepend Whether to prepend the directories
      *
      * @return void
      */
     public function add($prefix, $paths, $prepend = false)
     {
+        $paths = (array) $paths;
         if (!$prefix) {
             if ($prepend) {
                 $this->fallbackDirsPsr0 = array_merge(
-                    (array) $paths,
+                    $paths,
                     $this->fallbackDirsPsr0
                 );
             } else {
                 $this->fallbackDirsPsr0 = array_merge(
                     $this->fallbackDirsPsr0,
-                    (array) $paths
+                    $paths
                 );
             }
 
@@ -201,19 +198,19 @@ class ClassLoader
 
         $first = $prefix[0];
         if (!isset($this->prefixesPsr0[$first][$prefix])) {
-            $this->prefixesPsr0[$first][$prefix] = (array) $paths;
+            $this->prefixesPsr0[$first][$prefix] = $paths;
 
             return;
         }
         if ($prepend) {
             $this->prefixesPsr0[$first][$prefix] = array_merge(
-                (array) $paths,
+                $paths,
                 $this->prefixesPsr0[$first][$prefix]
             );
         } else {
             $this->prefixesPsr0[$first][$prefix] = array_merge(
                 $this->prefixesPsr0[$first][$prefix],
-                (array) $paths
+                $paths
             );
         }
     }
@@ -222,9 +219,9 @@ class ClassLoader
      * Registers a set of PSR-4 directories for a given namespace, either
      * appending or prepending to the ones previously set for this namespace.
      *
-     * @param string          $prefix  The prefix/namespace, with trailing '\\'
-     * @param string[]|string $paths   The PSR-4 base directories
-     * @param bool            $prepend Whether to prepend the directories
+     * @param string              $prefix  The prefix/namespace, with trailing '\\'
+     * @param list<string>|string $paths   The PSR-4 base directories
+     * @param bool                $prepend Whether to prepend the directories
      *
      * @throws \InvalidArgumentException
      *
@@ -232,17 +229,18 @@ class ClassLoader
      */
     public function addPsr4($prefix, $paths, $prepend = false)
     {
+        $paths = (array) $paths;
         if (!$prefix) {
             // Register directories for the root namespace.
             if ($prepend) {
                 $this->fallbackDirsPsr4 = array_merge(
-                    (array) $paths,
+                    $paths,
                     $this->fallbackDirsPsr4
                 );
             } else {
                 $this->fallbackDirsPsr4 = array_merge(
                     $this->fallbackDirsPsr4,
-                    (array) $paths
+                    $paths
                 );
             }
         } elseif (!isset($this->prefixDirsPsr4[$prefix])) {
@@ -252,18 +250,18 @@ class ClassLoader
                 throw new \InvalidArgumentException("A non-empty PSR-4 prefix must end with a namespace separator.");
             }
             $this->prefixLengthsPsr4[$prefix[0]][$prefix] = $length;
-            $this->prefixDirsPsr4[$prefix] = (array) $paths;
+            $this->prefixDirsPsr4[$prefix] = $paths;
         } elseif ($prepend) {
             // Prepend directories for an already registered namespace.
             $this->prefixDirsPsr4[$prefix] = array_merge(
-                (array) $paths,
+                $paths,
                 $this->prefixDirsPsr4[$prefix]
             );
         } else {
             // Append directories for an already registered namespace.
             $this->prefixDirsPsr4[$prefix] = array_merge(
                 $this->prefixDirsPsr4[$prefix],
-                (array) $paths
+                $paths
             );
         }
     }
@@ -272,8 +270,8 @@ class ClassLoader
      * Registers a set of PSR-0 directories for a given prefix,
      * replacing any others previously set for this prefix.
      *
-     * @param string          $prefix The prefix
-     * @param string[]|string $paths  The PSR-0 base directories
+     * @param string              $prefix The prefix
+     * @param list<string>|string $paths  The PSR-0 base directories
      *
      * @return void
      */
@@ -290,8 +288,8 @@ class ClassLoader
      * Registers a set of PSR-4 directories for a given namespace,
      * replacing any others previously set for this namespace.
      *
-     * @param string          $prefix The prefix/namespace, with trailing '\\'
-     * @param string[]|string $paths  The PSR-4 base directories
+     * @param string              $prefix The prefix/namespace, with trailing '\\'
+     * @param list<string>|string $paths  The PSR-4 base directories
      *
      * @throws \InvalidArgumentException
      *
@@ -425,7 +423,8 @@ class ClassLoader
     public function loadClass($class)
     {
         if ($file = $this->findFile($class)) {
-            includeFile($file);
+            $includeFile = self::$includeFile;
+            $includeFile($file);
 
             return true;
         }
@@ -476,9 +475,9 @@ class ClassLoader
     }
 
     /**
-     * Returns the currently registered loaders indexed by their corresponding vendor directories.
+     * Returns the currently registered loaders keyed by their corresponding vendor directories.
      *
-     * @return self[]
+     * @return array<string, self>
      */
     public static function getRegisteredLoaders()
     {
@@ -555,18 +554,26 @@ class ClassLoader
 
         return false;
     }
-}
 
-/**
- * Scope isolated include.
- *
- * Prevents access to $this/self from included files.
- *
- * @param  string $file
- * @return void
- * @private
- */
-function includeFile($file)
-{
-    include $file;
+    /**
+     * @return void
+     */
+    private static function initializeIncludeClosure()
+    {
+        if (self::$includeFile !== null) {
+            return;
+        }
+
+        /**
+         * Scope isolated include.
+         *
+         * Prevents access to $this/self from included files.
+         *
+         * @param  string $file
+         * @return void
+         */
+        self::$includeFile = \Closure::bind(static function($file) {
+            include $file;
+        }, null, null);
+    }
 }
diff --git a/data/web/inc/lib/vendor/composer/InstalledVersions.php b/data/web/inc/lib/vendor/composer/InstalledVersions.php
index c6b54af7b..51e734a77 100644
--- a/data/web/inc/lib/vendor/composer/InstalledVersions.php
+++ b/data/web/inc/lib/vendor/composer/InstalledVersions.php
@@ -98,7 +98,7 @@ class InstalledVersions
     {
         foreach (self::getInstalled() as $installed) {
             if (isset($installed['versions'][$packageName])) {
-                return $includeDevRequirements || empty($installed['versions'][$packageName]['dev_requirement']);
+                return $includeDevRequirements || !isset($installed['versions'][$packageName]['dev_requirement']) || $installed['versions'][$packageName]['dev_requirement'] === false;
             }
         }
 
@@ -119,7 +119,7 @@ class InstalledVersions
      */
     public static function satisfies(VersionParser $parser, $packageName, $constraint)
     {
-        $constraint = $parser->parseConstraints($constraint);
+        $constraint = $parser->parseConstraints((string) $constraint);
         $provided = $parser->parseConstraints(self::getVersionRanges($packageName));
 
         return $provided->matches($constraint);
@@ -328,7 +328,9 @@ class InstalledVersions
                 if (isset(self::$installedByVendor[$vendorDir])) {
                     $installed[] = self::$installedByVendor[$vendorDir];
                 } elseif (is_file($vendorDir.'/composer/installed.php')) {
-                    $installed[] = self::$installedByVendor[$vendorDir] = require $vendorDir.'/composer/installed.php';
+                    /** @var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array<string, array{pretty_version?: string, version?: string, reference?: string|null, type?: string, install_path?: string, aliases?: string[], dev_requirement: bool, replaced?: string[], provided?: string[]}>} $required */
+                    $required = require $vendorDir.'/composer/installed.php';
+                    $installed[] = self::$installedByVendor[$vendorDir] = $required;
                     if (null === self::$installed && strtr($vendorDir.'/composer', '\\', '/') === strtr(__DIR__, '\\', '/')) {
                         self::$installed = $installed[count($installed) - 1];
                     }
@@ -340,12 +342,17 @@ class InstalledVersions
             // only require the installed.php file if this file is loaded from its dumped location,
             // and not from its source location in the composer/composer package, see https://github.com/composer/composer/issues/9937
             if (substr(__DIR__, -8, 1) !== 'C') {
-                self::$installed = require __DIR__ . '/installed.php';
+                /** @var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array<string, array{pretty_version?: string, version?: string, reference?: string|null, type?: string, install_path?: string, aliases?: string[], dev_requirement: bool, replaced?: string[], provided?: string[]}>} $required */
+                $required = require __DIR__ . '/installed.php';
+                self::$installed = $required;
             } else {
                 self::$installed = array();
             }
         }
-        $installed[] = self::$installed;
+
+        if (self::$installed !== array()) {
+            $installed[] = self::$installed;
+        }
 
         return $installed;
     }
diff --git a/data/web/inc/lib/vendor/composer/autoload_classmap.php b/data/web/inc/lib/vendor/composer/autoload_classmap.php
index a986241bd..5490b88d8 100644
--- a/data/web/inc/lib/vendor/composer/autoload_classmap.php
+++ b/data/web/inc/lib/vendor/composer/autoload_classmap.php
@@ -8,6 +8,7 @@ $baseDir = dirname($vendorDir);
 return array(
     'Attribute' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/Attribute.php',
     'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
+    'PhpToken' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/PhpToken.php',
     'Stringable' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
     'UnhandledMatchError' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
     'ValueError' => $vendorDir . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
diff --git a/data/web/inc/lib/vendor/composer/autoload_files.php b/data/web/inc/lib/vendor/composer/autoload_files.php
index 2730ec34b..bac0d960a 100644
--- a/data/web/inc/lib/vendor/composer/autoload_files.php
+++ b/data/web/inc/lib/vendor/composer/autoload_files.php
@@ -6,12 +6,12 @@ $vendorDir = dirname(__DIR__);
 $baseDir = dirname($vendorDir);
 
 return array(
+    '6e3fae29631ef280660b3cdad06f25a8' => $vendorDir . '/symfony/deprecation-contracts/function.php',
     '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
     '7b11c4dc42b3b3023073cb14e519683c' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
     'c964ee0ededf28c96ebd9db5099ef910' => $vendorDir . '/guzzlehttp/promises/src/functions_include.php',
-    '6e3fae29631ef280660b3cdad06f25a8' => $vendorDir . '/symfony/deprecation-contracts/function.php',
-    '37a3dc5111fe8f707ab4c132ef1dbc62' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
     'a4a119a56e50fbb293281d9a48007e0e' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
+    '37a3dc5111fe8f707ab4c132ef1dbc62' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
     'a1105708a18b76903365ca1c4aa61b02' => $vendorDir . '/symfony/translation/Resources/functions.php',
     '667aeda72477189d0494fecd327c3641' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
     '320cde22f66dd4f5d3fd621d3e88b98f' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
diff --git a/data/web/inc/lib/vendor/composer/autoload_psr4.php b/data/web/inc/lib/vendor/composer/autoload_psr4.php
index 8e959eac3..9b7aef887 100644
--- a/data/web/inc/lib/vendor/composer/autoload_psr4.php
+++ b/data/web/inc/lib/vendor/composer/autoload_psr4.php
@@ -21,6 +21,7 @@ return array(
     'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-factory/src', $vendorDir . '/psr/http-message/src'),
     'Psr\\Http\\Client\\' => array($vendorDir . '/psr/http-client/src'),
     'Psr\\Container\\' => array($vendorDir . '/psr/container/src'),
+    'Psr\\Clock\\' => array($vendorDir . '/psr/clock/src'),
     'PhpMimeMailParser\\' => array($vendorDir . '/php-mime-mail-parser/php-mime-mail-parser/src'),
     'PHPMailer\\PHPMailer\\' => array($vendorDir . '/phpmailer/phpmailer/src'),
     'MatthiasMullie\\PathConverter\\' => array($vendorDir . '/matthiasmullie/path-converter/src'),
@@ -34,5 +35,6 @@ return array(
     'GuzzleHttp\\' => array($vendorDir . '/guzzlehttp/guzzle/src'),
     'Firebase\\JWT\\' => array($vendorDir . '/firebase/php-jwt/src'),
     'Ddeboer\\Imap\\' => array($vendorDir . '/ddeboer/imap/src'),
+    'Carbon\\Doctrine\\' => array($vendorDir . '/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine'),
     'Carbon\\' => array($vendorDir . '/nesbot/carbon/src/Carbon'),
 );
diff --git a/data/web/inc/lib/vendor/composer/autoload_real.php b/data/web/inc/lib/vendor/composer/autoload_real.php
index 6891b0c9e..5e2082534 100644
--- a/data/web/inc/lib/vendor/composer/autoload_real.php
+++ b/data/web/inc/lib/vendor/composer/autoload_real.php
@@ -33,25 +33,18 @@ class ComposerAutoloaderInit873464e4bd965a3168f133248b1b218b
 
         $loader->register(true);
 
-        $includeFiles = \Composer\Autoload\ComposerStaticInit873464e4bd965a3168f133248b1b218b::$files;
-        foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequire873464e4bd965a3168f133248b1b218b($fileIdentifier, $file);
+        $filesToLoad = \Composer\Autoload\ComposerStaticInit873464e4bd965a3168f133248b1b218b::$files;
+        $requireFile = \Closure::bind(static function ($fileIdentifier, $file) {
+            if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
+                $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
+
+                require $file;
+            }
+        }, null, null);
+        foreach ($filesToLoad as $fileIdentifier => $file) {
+            $requireFile($fileIdentifier, $file);
         }
 
         return $loader;
     }
 }
-
-/**
- * @param string $fileIdentifier
- * @param string $file
- * @return void
- */
-function composerRequire873464e4bd965a3168f133248b1b218b($fileIdentifier, $file)
-{
-    if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
-        $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
-
-        require $file;
-    }
-}
diff --git a/data/web/inc/lib/vendor/composer/autoload_static.php b/data/web/inc/lib/vendor/composer/autoload_static.php
index 27a95eda8..7564e9725 100644
--- a/data/web/inc/lib/vendor/composer/autoload_static.php
+++ b/data/web/inc/lib/vendor/composer/autoload_static.php
@@ -7,12 +7,12 @@ namespace Composer\Autoload;
 class ComposerStaticInit873464e4bd965a3168f133248b1b218b
 {
     public static $files = array (
+        '6e3fae29631ef280660b3cdad06f25a8' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
         '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
         '7b11c4dc42b3b3023073cb14e519683c' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
         'c964ee0ededf28c96ebd9db5099ef910' => __DIR__ . '/..' . '/guzzlehttp/promises/src/functions_include.php',
-        '6e3fae29631ef280660b3cdad06f25a8' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
-        '37a3dc5111fe8f707ab4c132ef1dbc62' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
         'a4a119a56e50fbb293281d9a48007e0e' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
+        '37a3dc5111fe8f707ab4c132ef1dbc62' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
         'a1105708a18b76903365ca1c4aa61b02' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
         '667aeda72477189d0494fecd327c3641' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
         '320cde22f66dd4f5d3fd621d3e88b98f' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
@@ -48,6 +48,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
             'Psr\\Http\\Message\\' => 17,
             'Psr\\Http\\Client\\' => 16,
             'Psr\\Container\\' => 14,
+            'Psr\\Clock\\' => 10,
             'PhpMimeMailParser\\' => 18,
             'PHPMailer\\PHPMailer\\' => 20,
         ),
@@ -85,6 +86,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         ),
         'C' => 
         array (
+            'Carbon\\Doctrine\\' => 16,
             'Carbon\\' => 7,
         ),
     );
@@ -151,6 +153,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/psr/container/src',
         ),
+        'Psr\\Clock\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/psr/clock/src',
+        ),
         'PhpMimeMailParser\\' => 
         array (
             0 => __DIR__ . '/..' . '/php-mime-mail-parser/php-mime-mail-parser/src',
@@ -203,6 +209,10 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
         array (
             0 => __DIR__ . '/..' . '/ddeboer/imap/src',
         ),
+        'Carbon\\Doctrine\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine',
+        ),
         'Carbon\\' => 
         array (
             0 => __DIR__ . '/..' . '/nesbot/carbon/src/Carbon',
@@ -222,6 +232,7 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b
     public static $classMap = array (
         'Attribute' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/Attribute.php',
         'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
+        'PhpToken' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/PhpToken.php',
         'Stringable' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
         'UnhandledMatchError' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
         'ValueError' => __DIR__ . '/..' . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index c5f82771a..a9a3966f5 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -61,6 +61,78 @@
             ],
             "install-path": "../bshaffer/oauth2-server-php"
         },
+        {
+            "name": "carbonphp/carbon-doctrine-types",
+            "version": "3.2.0",
+            "version_normalized": "3.2.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/CarbonPHP/carbon-doctrine-types.git",
+                "reference": "18ba5ddfec8976260ead6e866180bd5d2f71aa1d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/CarbonPHP/carbon-doctrine-types/zipball/18ba5ddfec8976260ead6e866180bd5d2f71aa1d",
+                "reference": "18ba5ddfec8976260ead6e866180bd5d2f71aa1d",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^8.1"
+            },
+            "conflict": {
+                "doctrine/dbal": "<4.0.0 || >=5.0.0"
+            },
+            "require-dev": {
+                "doctrine/dbal": "^4.0.0",
+                "nesbot/carbon": "^2.71.0 || ^3.0.0",
+                "phpunit/phpunit": "^10.3"
+            },
+            "time": "2024-02-09T16:56:22+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Carbon\\Doctrine\\": "src/Carbon/Doctrine/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "KyleKatarn",
+                    "email": "kylekatarnls@gmail.com"
+                }
+            ],
+            "description": "Types to use Carbon in Doctrine",
+            "keywords": [
+                "carbon",
+                "date",
+                "datetime",
+                "doctrine",
+                "time"
+            ],
+            "support": {
+                "issues": "https://github.com/CarbonPHP/carbon-doctrine-types/issues",
+                "source": "https://github.com/CarbonPHP/carbon-doctrine-types/tree/3.2.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/kylekatarnls",
+                    "type": "github"
+                },
+                {
+                    "url": "https://opencollective.com/Carbon",
+                    "type": "open_collective"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/nesbot/carbon",
+                    "type": "tidelift"
+                }
+            ],
+            "install-path": "../carbonphp/carbon-doctrine-types"
+        },
         {
             "name": "ddeboer/imap",
             "version": "1.13.1",
@@ -141,35 +213,36 @@
         },
         {
             "name": "directorytree/ldaprecord",
-            "version": "v2.10.1",
-            "version_normalized": "2.10.1.0",
+            "version": "v2.20.5",
+            "version_normalized": "2.20.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/DirectoryTree/LdapRecord.git",
-                "reference": "bf512d9af7a7b0e2ed7a666ab29cefdd027bee88"
+                "reference": "5bd0a5a9d257cf1049ae83055dbba4c3479ddf16"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/DirectoryTree/LdapRecord/zipball/bf512d9af7a7b0e2ed7a666ab29cefdd027bee88",
-                "reference": "bf512d9af7a7b0e2ed7a666ab29cefdd027bee88",
+                "url": "https://api.github.com/repos/DirectoryTree/LdapRecord/zipball/5bd0a5a9d257cf1049ae83055dbba4c3479ddf16",
+                "reference": "5bd0a5a9d257cf1049ae83055dbba4c3479ddf16",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
                 "ext-ldap": "*",
-                "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0",
+                "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0|^10.0",
                 "nesbot/carbon": "^1.0|^2.0",
                 "php": ">=7.3",
-                "psr/log": "*",
+                "psr/log": "^1.0|^2.0|^3.0",
                 "psr/simple-cache": "^1.0|^2.0",
-                "tightenco/collect": "^5.6|^6.0|^7.0|^8.0"
+                "symfony/polyfill-php80": "^1.25",
+                "tightenco/collect": "^5.6|^6.0|^7.0|^8.0|^9.0"
             },
             "require-dev": {
                 "mockery/mockery": "^1.0",
                 "phpunit/phpunit": "^9.0",
                 "spatie/ray": "^1.24"
             },
-            "time": "2022-02-25T16:00:51+00:00",
+            "time": "2023-10-11T16:34:34+00:00",
             "type": "library",
             "installation-source": "dist",
             "autoload": {
@@ -620,29 +693,29 @@
         },
         {
             "name": "illuminate/contracts",
-            "version": "v9.3.0",
-            "version_normalized": "9.3.0.0",
+            "version": "v10.44.0",
+            "version_normalized": "10.44.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/illuminate/contracts.git",
-                "reference": "bf4b3c254c49d28157645d01e4883b5951b1e1d0"
+                "reference": "8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/illuminate/contracts/zipball/bf4b3c254c49d28157645d01e4883b5951b1e1d0",
-                "reference": "bf4b3c254c49d28157645d01e4883b5951b1e1d0",
+                "url": "https://api.github.com/repos/illuminate/contracts/zipball/8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac",
+                "reference": "8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac",
                 "shasum": ""
             },
             "require": {
-                "php": "^8.0.2",
+                "php": "^8.1",
                 "psr/container": "^1.1.1|^2.0.1",
                 "psr/simple-cache": "^1.0|^2.0|^3.0"
             },
-            "time": "2022-02-22T14:45:39+00:00",
+            "time": "2024-01-15T18:52:32+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "9.x-dev"
+                    "dev-master": "10.x-dev"
                 }
             },
             "installation-source": "dist",
@@ -930,38 +1003,45 @@
         },
         {
             "name": "nesbot/carbon",
-            "version": "2.57.0",
-            "version_normalized": "2.57.0.0",
+            "version": "2.72.3",
+            "version_normalized": "2.72.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/briannesbitt/Carbon.git",
-                "reference": "4a54375c21eea4811dbd1149fe6b246517554e78"
+                "reference": "0c6fd108360c562f6e4fd1dedb8233b423e91c83"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/4a54375c21eea4811dbd1149fe6b246517554e78",
-                "reference": "4a54375c21eea4811dbd1149fe6b246517554e78",
+                "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/0c6fd108360c562f6e4fd1dedb8233b423e91c83",
+                "reference": "0c6fd108360c562f6e4fd1dedb8233b423e91c83",
                 "shasum": ""
             },
             "require": {
+                "carbonphp/carbon-doctrine-types": "*",
                 "ext-json": "*",
                 "php": "^7.1.8 || ^8.0",
+                "psr/clock": "^1.0",
                 "symfony/polyfill-mbstring": "^1.0",
                 "symfony/polyfill-php80": "^1.16",
                 "symfony/translation": "^3.4 || ^4.0 || ^5.0 || ^6.0"
             },
+            "provide": {
+                "psr/clock-implementation": "1.0"
+            },
             "require-dev": {
-                "doctrine/dbal": "^2.0 || ^3.0",
-                "doctrine/orm": "^2.7",
+                "doctrine/dbal": "^2.0 || ^3.1.4 || ^4.0",
+                "doctrine/orm": "^2.7 || ^3.0",
                 "friendsofphp/php-cs-fixer": "^3.0",
                 "kylekatarnls/multi-tester": "^2.0",
+                "ondrejmirtes/better-reflection": "*",
                 "phpmd/phpmd": "^2.9",
                 "phpstan/extension-installer": "^1.0",
-                "phpstan/phpstan": "^0.12.54 || ^1.0",
-                "phpunit/phpunit": "^7.5.20 || ^8.5.14",
+                "phpstan/phpstan": "^0.12.99 || ^1.7.14",
+                "phpunit/php-file-iterator": "^2.0.5 || ^3.0.6",
+                "phpunit/phpunit": "^7.5.20 || ^8.5.26 || ^9.5.20",
                 "squizlabs/php_codesniffer": "^3.4"
             },
-            "time": "2022-02-13T18:13:33+00:00",
+            "time": "2024-01-25T10:35:09+00:00",
             "bin": [
                 "bin/carbon"
             ],
@@ -1017,11 +1097,15 @@
             },
             "funding": [
                 {
-                    "url": "https://opencollective.com/Carbon",
-                    "type": "open_collective"
+                    "url": "https://github.com/sponsors/kylekatarnls",
+                    "type": "github"
                 },
                 {
-                    "url": "https://tidelift.com/funding/github/packagist/nesbot/carbon",
+                    "url": "https://opencollective.com/Carbon#sponsor",
+                    "type": "opencollective"
+                },
+                {
+                    "url": "https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme",
                     "type": "tidelift"
                 }
             ],
@@ -1255,6 +1339,57 @@
             ],
             "install-path": "../phpmailer/phpmailer"
         },
+        {
+            "name": "psr/clock",
+            "version": "1.0.0",
+            "version_normalized": "1.0.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/clock.git",
+                "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/clock/zipball/e41a24703d4560fd0acb709162f73b8adfc3aa0d",
+                "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0 || ^8.0"
+            },
+            "time": "2022-11-25T14:36:26+00:00",
+            "type": "library",
+            "installation-source": "dist",
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Clock\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "https://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for reading the clock.",
+            "homepage": "https://github.com/php-fig/clock",
+            "keywords": [
+                "clock",
+                "now",
+                "psr",
+                "psr-20",
+                "time"
+            ],
+            "support": {
+                "issues": "https://github.com/php-fig/clock/issues",
+                "source": "https://github.com/php-fig/clock/tree/1.0.0"
+            },
+            "install-path": "../psr/clock"
+        },
         {
             "name": "psr/container",
             "version": "2.0.2",
@@ -1826,27 +1961,27 @@
         },
         {
             "name": "symfony/deprecation-contracts",
-            "version": "v3.2.1",
-            "version_normalized": "3.2.1.0",
+            "version": "v3.4.0",
+            "version_normalized": "3.4.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+                "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
-                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/7c3aff79d10325257a001fcf92d991f24fc967cf",
+                "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf",
                 "shasum": ""
             },
             "require": {
                 "php": ">=8.1"
             },
-            "time": "2023-03-01T10:25:55+00:00",
+            "time": "2023-05-23T14:45:45+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "3.3-dev"
+                    "dev-main": "3.4-dev"
                 },
                 "thanks": {
                     "name": "symfony/contracts",
@@ -1876,7 +2011,7 @@
             "description": "A generic function and convention to trigger deprecation notices",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.4.0"
             },
             "funding": [
                 {
@@ -1981,17 +2116,17 @@
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.24.0",
-            "version_normalized": "1.24.0.0",
+            "version": "v1.29.0",
+            "version_normalized": "1.29.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "0abb51d2f102e00a4eefcf46ba7fec406d245825"
+                "reference": "9773676c8a1bb1f8d4340a62efe641cf76eda7ec"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/0abb51d2f102e00a4eefcf46ba7fec406d245825",
-                "reference": "0abb51d2f102e00a4eefcf46ba7fec406d245825",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/9773676c8a1bb1f8d4340a62efe641cf76eda7ec",
+                "reference": "9773676c8a1bb1f8d4340a62efe641cf76eda7ec",
                 "shasum": ""
             },
             "require": {
@@ -2003,12 +2138,9 @@
             "suggest": {
                 "ext-mbstring": "For best performance"
             },
-            "time": "2021-11-30T18:21:41+00:00",
+            "time": "2024-01-29T20:11:03+00:00",
             "type": "library",
             "extra": {
-                "branch-alias": {
-                    "dev-main": "1.23-dev"
-                },
                 "thanks": {
                     "name": "symfony/polyfill",
                     "url": "https://github.com/symfony/polyfill"
@@ -2047,7 +2179,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.24.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.29.0"
             },
             "funding": [
                 {
@@ -2067,28 +2199,25 @@
         },
         {
             "name": "symfony/polyfill-php80",
-            "version": "v1.24.0",
-            "version_normalized": "1.24.0.0",
+            "version": "v1.29.0",
+            "version_normalized": "1.29.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php80.git",
-                "reference": "57b712b08eddb97c762a8caa32c84e037892d2e9"
+                "reference": "87b68208d5c1188808dd7839ee1e6c8ec3b02f1b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/57b712b08eddb97c762a8caa32c84e037892d2e9",
-                "reference": "57b712b08eddb97c762a8caa32c84e037892d2e9",
+                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/87b68208d5c1188808dd7839ee1e6c8ec3b02f1b",
+                "reference": "87b68208d5c1188808dd7839ee1e6c8ec3b02f1b",
                 "shasum": ""
             },
             "require": {
                 "php": ">=7.1"
             },
-            "time": "2021-09-13T13:58:33+00:00",
+            "time": "2024-01-29T20:11:03+00:00",
             "type": "library",
             "extra": {
-                "branch-alias": {
-                    "dev-main": "1.23-dev"
-                },
                 "thanks": {
                     "name": "symfony/polyfill",
                     "url": "https://github.com/symfony/polyfill"
@@ -2133,7 +2262,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php80/tree/v1.24.0"
+                "source": "https://github.com/symfony/polyfill-php80/tree/v1.29.0"
             },
             "funding": [
                 {
@@ -2153,29 +2282,32 @@
         },
         {
             "name": "symfony/translation",
-            "version": "v6.0.5",
-            "version_normalized": "6.0.5.0",
+            "version": "v6.4.3",
+            "version_normalized": "6.4.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/translation.git",
-                "reference": "e69501c71107cc3146b32aaa45f4edd0c3427875"
+                "reference": "637c51191b6b184184bbf98937702bcf554f7d04"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/translation/zipball/e69501c71107cc3146b32aaa45f4edd0c3427875",
-                "reference": "e69501c71107cc3146b32aaa45f4edd0c3427875",
+                "url": "https://api.github.com/repos/symfony/translation/zipball/637c51191b6b184184bbf98937702bcf554f7d04",
+                "reference": "637c51191b6b184184bbf98937702bcf554f7d04",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2",
+                "php": ">=8.1",
+                "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-mbstring": "~1.0",
-                "symfony/translation-contracts": "^2.3|^3.0"
+                "symfony/translation-contracts": "^2.5|^3.0"
             },
             "conflict": {
                 "symfony/config": "<5.4",
                 "symfony/console": "<5.4",
                 "symfony/dependency-injection": "<5.4",
+                "symfony/http-client-contracts": "<2.5",
                 "symfony/http-kernel": "<5.4",
+                "symfony/service-contracts": "<2.5",
                 "symfony/twig-bundle": "<5.4",
                 "symfony/yaml": "<5.4"
             },
@@ -2183,24 +2315,21 @@
                 "symfony/translation-implementation": "2.3|3.0"
             },
             "require-dev": {
+                "nikic/php-parser": "^4.18|^5.0",
                 "psr/log": "^1|^2|^3",
-                "symfony/config": "^5.4|^6.0",
-                "symfony/console": "^5.4|^6.0",
-                "symfony/dependency-injection": "^5.4|^6.0",
-                "symfony/finder": "^5.4|^6.0",
-                "symfony/http-client-contracts": "^1.1|^2.0|^3.0",
-                "symfony/http-kernel": "^5.4|^6.0",
-                "symfony/intl": "^5.4|^6.0",
+                "symfony/config": "^5.4|^6.0|^7.0",
+                "symfony/console": "^5.4|^6.0|^7.0",
+                "symfony/dependency-injection": "^5.4|^6.0|^7.0",
+                "symfony/finder": "^5.4|^6.0|^7.0",
+                "symfony/http-client-contracts": "^2.5|^3.0",
+                "symfony/http-kernel": "^5.4|^6.0|^7.0",
+                "symfony/intl": "^5.4|^6.0|^7.0",
                 "symfony/polyfill-intl-icu": "^1.21",
-                "symfony/service-contracts": "^1.1.2|^2|^3",
-                "symfony/yaml": "^5.4|^6.0"
+                "symfony/routing": "^5.4|^6.0|^7.0",
+                "symfony/service-contracts": "^2.5|^3",
+                "symfony/yaml": "^5.4|^6.0|^7.0"
             },
-            "suggest": {
-                "psr/log-implementation": "To use logging capability in translator",
-                "symfony/config": "",
-                "symfony/yaml": ""
-            },
-            "time": "2022-02-09T15:52:48+00:00",
+            "time": "2024-01-29T13:11:52+00:00",
             "type": "library",
             "installation-source": "dist",
             "autoload": {
@@ -2231,7 +2360,7 @@
             "description": "Provides tools to internationalize your application",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/translation/tree/v6.0.5"
+                "source": "https://github.com/symfony/translation/tree/v6.4.3"
             },
             "funding": [
                 {
@@ -2251,30 +2380,27 @@
         },
         {
             "name": "symfony/translation-contracts",
-            "version": "v3.0.0",
-            "version_normalized": "3.0.0.0",
+            "version": "v3.4.1",
+            "version_normalized": "3.4.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/translation-contracts.git",
-                "reference": "1b6ea5a7442af5a12dba3dbd6d71034b5b234e77"
+                "reference": "06450585bf65e978026bda220cdebca3f867fde7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/translation-contracts/zipball/1b6ea5a7442af5a12dba3dbd6d71034b5b234e77",
-                "reference": "1b6ea5a7442af5a12dba3dbd6d71034b5b234e77",
+                "url": "https://api.github.com/repos/symfony/translation-contracts/zipball/06450585bf65e978026bda220cdebca3f867fde7",
+                "reference": "06450585bf65e978026bda220cdebca3f867fde7",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2"
+                "php": ">=8.1"
             },
-            "suggest": {
-                "symfony/translation-implementation": ""
-            },
-            "time": "2021-09-07T12:43:40+00:00",
+            "time": "2023-12-26T14:02:43+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "3.0-dev"
+                    "dev-main": "3.4-dev"
                 },
                 "thanks": {
                     "name": "symfony/contracts",
@@ -2285,7 +2411,10 @@
             "autoload": {
                 "psr-4": {
                     "Symfony\\Contracts\\Translation\\": ""
-                }
+                },
+                "exclude-from-classmap": [
+                    "/Test/"
+                ]
             },
             "notification-url": "https://packagist.org/downloads/",
             "license": [
@@ -2312,7 +2441,7 @@
                 "standards"
             ],
             "support": {
-                "source": "https://github.com/symfony/translation-contracts/tree/v3.0.0"
+                "source": "https://github.com/symfony/translation-contracts/tree/v3.4.1"
             },
             "funding": [
                 {
@@ -2332,40 +2461,37 @@
         },
         {
             "name": "symfony/var-dumper",
-            "version": "v6.0.5",
-            "version_normalized": "6.0.5.0",
+            "version": "v6.4.3",
+            "version_normalized": "6.4.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/var-dumper.git",
-                "reference": "60d6a756d5f485df5e6e40b337334848f79f61ce"
+                "reference": "0435a08f69125535336177c29d56af3abc1f69da"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/var-dumper/zipball/60d6a756d5f485df5e6e40b337334848f79f61ce",
-                "reference": "60d6a756d5f485df5e6e40b337334848f79f61ce",
+                "url": "https://api.github.com/repos/symfony/var-dumper/zipball/0435a08f69125535336177c29d56af3abc1f69da",
+                "reference": "0435a08f69125535336177c29d56af3abc1f69da",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2",
+                "php": ">=8.1",
+                "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-mbstring": "~1.0"
             },
             "conflict": {
-                "phpunit/phpunit": "<5.4.3",
                 "symfony/console": "<5.4"
             },
             "require-dev": {
                 "ext-iconv": "*",
-                "symfony/console": "^5.4|^6.0",
-                "symfony/process": "^5.4|^6.0",
-                "symfony/uid": "^5.4|^6.0",
+                "symfony/console": "^5.4|^6.0|^7.0",
+                "symfony/error-handler": "^6.3|^7.0",
+                "symfony/http-kernel": "^5.4|^6.0|^7.0",
+                "symfony/process": "^5.4|^6.0|^7.0",
+                "symfony/uid": "^5.4|^6.0|^7.0",
                 "twig/twig": "^2.13|^3.0.4"
             },
-            "suggest": {
-                "ext-iconv": "To convert non-UTF-8 strings to UTF-8 (or symfony/polyfill-iconv in case ext-iconv cannot be used).",
-                "ext-intl": "To show region name in time zone dump",
-                "symfony/console": "To use the ServerDumpCommand and/or the bin/var-dump-server script"
-            },
-            "time": "2022-02-21T17:15:17+00:00",
+            "time": "2024-01-23T14:53:30+00:00",
             "bin": [
                 "Resources/bin/var-dump-server"
             ],
@@ -2403,7 +2529,7 @@
                 "dump"
             ],
             "support": {
-                "source": "https://github.com/symfony/var-dumper/tree/v6.0.5"
+                "source": "https://github.com/symfony/var-dumper/tree/v6.4.3"
             },
             "funding": [
                 {
@@ -2423,21 +2549,21 @@
         },
         {
             "name": "tightenco/collect",
-            "version": "v8.83.2",
-            "version_normalized": "8.83.2.0",
+            "version": "v9.52.7",
+            "version_normalized": "9.52.7.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/tighten/collect.git",
-                "reference": "d9c66d586ec2d216d8a31283d73f8df1400cc722"
+                "reference": "b15143cd11fe01a700fcc449df61adc64452fa6d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/tighten/collect/zipball/d9c66d586ec2d216d8a31283d73f8df1400cc722",
-                "reference": "d9c66d586ec2d216d8a31283d73f8df1400cc722",
+                "url": "https://api.github.com/repos/tighten/collect/zipball/b15143cd11fe01a700fcc449df61adc64452fa6d",
+                "reference": "b15143cd11fe01a700fcc449df61adc64452fa6d",
                 "shasum": ""
             },
             "require": {
-                "php": "^7.3|^8.0",
+                "php": "^8.0",
                 "symfony/var-dumper": "^3.4 || ^4.0 || ^5.0 || ^6.0"
             },
             "require-dev": {
@@ -2445,7 +2571,7 @@
                 "nesbot/carbon": "^2.23.0",
                 "phpunit/phpunit": "^8.3"
             },
-            "time": "2022-02-16T16:15:54+00:00",
+            "time": "2023-04-14T21:51:36+00:00",
             "type": "library",
             "installation-source": "dist",
             "autoload": {
@@ -2474,7 +2600,7 @@
             ],
             "support": {
                 "issues": "https://github.com/tighten/collect/issues",
-                "source": "https://github.com/tighten/collect/tree/v8.83.2"
+                "source": "https://github.com/tighten/collect/tree/v9.52.7"
             },
             "install-path": "../tightenco/collect"
         },
diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php
index 0616e9a82..fed449fa2 100644
--- a/data/web/inc/lib/vendor/composer/installed.php
+++ b/data/web/inc/lib/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '96390c2e12fd8d886495fde5514ad431e4e66069',
+        'reference' => '40146839efb3754b2db4045f0111178ffd1883c5',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '96390c2e12fd8d886495fde5514ad431e4e66069',
+            'reference' => '40146839efb3754b2db4045f0111178ffd1883c5',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -28,6 +28,15 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'carbonphp/carbon-doctrine-types' => array(
+            'pretty_version' => '3.2.0',
+            'version' => '3.2.0.0',
+            'reference' => '18ba5ddfec8976260ead6e866180bd5d2f71aa1d',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
         'ddeboer/imap' => array(
             'pretty_version' => '1.13.1',
             'version' => '1.13.1.0',
@@ -38,9 +47,9 @@
             'dev_requirement' => false,
         ),
         'directorytree/ldaprecord' => array(
-            'pretty_version' => 'v2.10.1',
-            'version' => '2.10.1.0',
-            'reference' => 'bf512d9af7a7b0e2ed7a666ab29cefdd027bee88',
+            'pretty_version' => 'v2.20.5',
+            'version' => '2.20.5.0',
+            'reference' => '5bd0a5a9d257cf1049ae83055dbba4c3479ddf16',
             'type' => 'library',
             'install_path' => __DIR__ . '/../directorytree/ldaprecord',
             'aliases' => array(),
@@ -89,9 +98,9 @@
             'dev_requirement' => false,
         ),
         'illuminate/contracts' => array(
-            'pretty_version' => 'v9.3.0',
-            'version' => '9.3.0.0',
-            'reference' => 'bf4b3c254c49d28157645d01e4883b5951b1e1d0',
+            'pretty_version' => 'v10.44.0',
+            'version' => '10.44.0.0',
+            'reference' => '8d7152c4a1f5d9cf7da3e8b71f23e4556f6138ac',
             'type' => 'library',
             'install_path' => __DIR__ . '/../illuminate/contracts',
             'aliases' => array(),
@@ -140,9 +149,9 @@
             'dev_requirement' => false,
         ),
         'nesbot/carbon' => array(
-            'pretty_version' => '2.57.0',
-            'version' => '2.57.0.0',
-            'reference' => '4a54375c21eea4811dbd1149fe6b246517554e78',
+            'pretty_version' => '2.72.3',
+            'version' => '2.72.3.0',
+            'reference' => '0c6fd108360c562f6e4fd1dedb8233b423e91c83',
             'type' => 'library',
             'install_path' => __DIR__ . '/../nesbot/carbon',
             'aliases' => array(),
@@ -175,6 +184,21 @@
             'aliases' => array(),
             'dev_requirement' => false,
         ),
+        'psr/clock' => array(
+            'pretty_version' => '1.0.0',
+            'version' => '1.0.0.0',
+            'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d',
+            'type' => 'library',
+            'install_path' => __DIR__ . '/../psr/clock',
+            'aliases' => array(),
+            'dev_requirement' => false,
+        ),
+        'psr/clock-implementation' => array(
+            'dev_requirement' => false,
+            'provided' => array(
+                0 => '1.0',
+            ),
+        ),
         'psr/container' => array(
             'pretty_version' => '2.0.2',
             'version' => '2.0.2.0',
@@ -284,9 +308,9 @@
             'dev_requirement' => false,
         ),
         'symfony/deprecation-contracts' => array(
-            'pretty_version' => 'v3.2.1',
-            'version' => '3.2.1.0',
-            'reference' => 'e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e',
+            'pretty_version' => 'v3.4.0',
+            'version' => '3.4.0.0',
+            'reference' => '7c3aff79d10325257a001fcf92d991f24fc967cf',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/deprecation-contracts',
             'aliases' => array(),
@@ -302,36 +326,36 @@
             'dev_requirement' => false,
         ),
         'symfony/polyfill-mbstring' => array(
-            'pretty_version' => 'v1.24.0',
-            'version' => '1.24.0.0',
-            'reference' => '0abb51d2f102e00a4eefcf46ba7fec406d245825',
+            'pretty_version' => 'v1.29.0',
+            'version' => '1.29.0.0',
+            'reference' => '9773676c8a1bb1f8d4340a62efe641cf76eda7ec',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-mbstring',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php80' => array(
-            'pretty_version' => 'v1.24.0',
-            'version' => '1.24.0.0',
-            'reference' => '57b712b08eddb97c762a8caa32c84e037892d2e9',
+            'pretty_version' => 'v1.29.0',
+            'version' => '1.29.0.0',
+            'reference' => '87b68208d5c1188808dd7839ee1e6c8ec3b02f1b',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php80',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/translation' => array(
-            'pretty_version' => 'v6.0.5',
-            'version' => '6.0.5.0',
-            'reference' => 'e69501c71107cc3146b32aaa45f4edd0c3427875',
+            'pretty_version' => 'v6.4.3',
+            'version' => '6.4.3.0',
+            'reference' => '637c51191b6b184184bbf98937702bcf554f7d04',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/translation',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/translation-contracts' => array(
-            'pretty_version' => 'v3.0.0',
-            'version' => '3.0.0.0',
-            'reference' => '1b6ea5a7442af5a12dba3dbd6d71034b5b234e77',
+            'pretty_version' => 'v3.4.1',
+            'version' => '3.4.1.0',
+            'reference' => '06450585bf65e978026bda220cdebca3f867fde7',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/translation-contracts',
             'aliases' => array(),
@@ -344,18 +368,18 @@
             ),
         ),
         'symfony/var-dumper' => array(
-            'pretty_version' => 'v6.0.5',
-            'version' => '6.0.5.0',
-            'reference' => '60d6a756d5f485df5e6e40b337334848f79f61ce',
+            'pretty_version' => 'v6.4.3',
+            'version' => '6.4.3.0',
+            'reference' => '0435a08f69125535336177c29d56af3abc1f69da',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/var-dumper',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'tightenco/collect' => array(
-            'pretty_version' => 'v8.83.2',
-            'version' => '8.83.2.0',
-            'reference' => 'd9c66d586ec2d216d8a31283d73f8df1400cc722',
+            'pretty_version' => 'v9.52.7',
+            'version' => '9.52.7.0',
+            'reference' => 'b15143cd11fe01a700fcc449df61adc64452fa6d',
             'type' => 'library',
             'install_path' => __DIR__ . '/../tightenco/collect',
             'aliases' => array(),
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/bug_report.md b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/bug_report.md
index a56a2afbc..4cbf18f9c 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,7 +7,10 @@ assignees: ''
 
 ---
 
-<!-- Please update the below information with your environment. -->
+<!--
+  Please update the below information with your environment.
+  Issues filed without the below information will be closed.
+-->
 **Environment:**
  - LDAP Server Type: [e.g. ActiveDirectory / OpenLDAP / FreeIPA]
  - PHP Version: [e.g. 7.3 / 7.4 / 8.0]
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/support---help-request.md b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/support---help-request.md
index 230916cf1..731d5cea0 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/support---help-request.md
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/ISSUE_TEMPLATE/support---help-request.md
@@ -11,7 +11,10 @@ assignees: ''
 <!-- https://github.com/sponsors/stevebauman -->
 <!-- Thank you for your understanding. -->
 
-<!-- Please update the below information with your environment. -->
+<!--
+  Please update the below information with your environment.
+  Issues filed without the below information will be closed.
+-->
 **Environment:**
  - LDAP Server Type: [e.g. ActiveDirectory / OpenLDAP / FreeIPA]
  - PHP Version: [e.g. 7.3 / 7.4 / 8.0]
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-integration-tests.yml b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-integration-tests.yml
new file mode 100644
index 000000000..6a6b2f9e5
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-integration-tests.yml
@@ -0,0 +1,62 @@
+name: run-integration-tests
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  run-tests:
+    runs-on: ${{ matrix.os }}
+
+    services:
+      ldap:
+        image: osixia/openldap:1.4.0
+        env:
+          LDAP_TLS_VERIFY_CLIENT: try
+          LDAP_OPENLDAP_UID: 1000
+          LDAP_OPENLDAP_GID: 1000
+          LDAP_ORGANISATION: Local
+          LDAP_DOMAIN: local.com
+          LDAP_ADMIN_PASSWORD: secret
+        ports:
+          - 389:389
+          - 636:636
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        php: [8.1, 8.0, 7.4]
+
+    name: ${{ matrix.os }} - P${{ matrix.php }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        with:
+          path: ~/.composer/cache/files
+          key: dependencies-php-${{ matrix.php }}-composer-${{ hashFiles('composer.json') }}
+
+      - name: Set ldap.conf file permissions
+        run: sudo chown -R $USER:$USER /etc/ldap/ldap.conf
+
+      - name: Create ldap.conf file disabling TLS verification
+        run: sudo echo "TLS_REQCERT never" > "/etc/ldap/ldap.conf"
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: ldap, json
+          coverage: none
+
+      - name: Install dependencies
+        run: composer update --prefer-dist --no-interaction
+
+      - name: Execute tests
+        run: vendor/bin/phpunit --testsuite Integration
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-tests.yml b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-tests.yml
index 44825dc20..6aaa3fd4a 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-tests.yml
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/.github/workflows/run-tests.yml
@@ -9,20 +9,20 @@ on:
 jobs:
   run-tests:
     runs-on: ${{ matrix.os }}
+    name: ${{ matrix.os }} - P${{ matrix.php }}
+
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest]
         php: [8.1, 8.0, 7.4, 7.3]
 
-    name: ${{ matrix.os }} - P${{ matrix.php }}
-
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Cache dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v2
         with:
           path: ~/.composer/cache/files
           key: dependencies-php-${{ matrix.php }}-composer-${{ hashFiles('composer.json') }}
@@ -38,41 +38,4 @@ jobs:
         run: composer update --prefer-dist --no-interaction
 
       - name: Execute tests
-        run: vendor/bin/phpunit
-
-  run-analysis:
-    runs-on: ${{ matrix.os }}
-    name: Static code analysis (PHP ${{ matrix.php }})
-
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest]
-        php: [8.0]
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Cache dependencies
-        uses: actions/cache@v3
-        with:
-          path: ~/.composer/cache/files
-          key: dependencies-php-${{ matrix.php }}-composer-${{ hashFiles('composer.json') }}
-
-      - name: Setup PHP
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: ${{ matrix.php }}
-          extensions: ldap, json
-          coverage: none
-          tools: psalm
-
-      - name: Validate composer.json
-        run: composer validate
-
-      - name: Install dependencies
-        run: composer update --prefer-dist --no-interaction
-
-      - name: Run Psalm
-        run: psalm
+        run: vendor/bin/phpunit --testsuite Unit
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/.styleci.yml b/data/web/inc/lib/vendor/directorytree/ldaprecord/.styleci.yml
index 9f5e38cfa..0285f1790 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/.styleci.yml
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/.styleci.yml
@@ -1,8 +1 @@
 preset: laravel
-enabled:
-  - phpdoc_align
-  - phpdoc_separation
-  - unalign_double_arrow
-disabled:
-  - laravel_phpdoc_alignment
-  - laravel_phpdoc_separation
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/composer.json b/data/web/inc/lib/vendor/directorytree/ldaprecord/composer.json
index 35c605766..65d7dd8f6 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/composer.json
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/composer.json
@@ -32,11 +32,12 @@
         "php": ">=7.3",
         "ext-ldap": "*",
         "ext-json": "*",
-        "psr/log": "*",
+        "psr/log": "^1.0|^2.0|^3.0",
         "psr/simple-cache": "^1.0|^2.0",
         "nesbot/carbon": "^1.0|^2.0",
-        "tightenco/collect": "^5.6|^6.0|^7.0|^8.0",
-        "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0"
+        "tightenco/collect": "^5.6|^6.0|^7.0|^8.0|^9.0",
+        "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0|^9.0|^10.0",
+        "symfony/polyfill-php80": "^1.25"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.0",
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/docker-compose.yml b/data/web/inc/lib/vendor/directorytree/ldaprecord/docker-compose.yml
new file mode 100644
index 000000000..de96b1398
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/docker-compose.yml
@@ -0,0 +1,35 @@
+version: '3'
+
+services:
+    ldap:
+        image: osixia/openldap:1.4.0
+        container_name: ldap
+        restart: always
+        hostname: local.com
+        environment:
+            LDAP_TLS_VERIFY_CLIENT: try
+            LDAP_OPENLDAP_UID: 1000
+            LDAP_OPENLDAP_GID: 1000
+            LDAP_ORGANISATION: Local
+            LDAP_DOMAIN : local.com
+            LDAP_ADMIN_PASSWORD: secret
+        ports:
+            - "389:389"
+            - "636:636"
+        networks:
+            - local
+  
+    ldapadmin:
+        image: osixia/phpldapadmin:0.9.0
+        container_name: ldapadmin
+        environment:
+            PHPLDAPADMIN_LDAP_HOSTS: ldap
+        restart: always
+        ports:
+            - "6443:443"
+        networks:
+            - local
+
+networks:
+    local:
+        driver: bridge
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/phpunit.xml b/data/web/inc/lib/vendor/directorytree/ldaprecord/phpunit.xml
index d03fdc20e..aed09e4d6 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/phpunit.xml
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/phpunit.xml
@@ -10,8 +10,11 @@
          stopOnFailure="false"
         >
     <testsuites>
-        <testsuite name="LdapRecord Test Suite">
-            <directory suffix="Test.php">./tests/</directory>
+        <testsuite name="Unit">
+            <directory suffix="Test.php">./tests/Unit</directory>
+        </testsuite>
+        <testsuite name="Integration">
+            <directory suffix="Test.php">./tests/Integration</directory>
         </testsuite>
     </testsuites>
 </phpunit>
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/psalm.xml b/data/web/inc/lib/vendor/directorytree/ldaprecord/psalm.xml
deleted file mode 100644
index 7c0333df3..000000000
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/psalm.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<?xml version="1.0"?>
-<psalm
-    errorLevel="7"
-    resolveFromConfigFile="true"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns="https://getpsalm.org/schema/config"
-    xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
->
-    <projectFiles>
-        <directory name="src" />
-        <ignoreFiles>
-            <directory name="vendor" />
-        </ignoreFiles>
-    </projectFiles>
-</psalm>
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/readme.md b/data/web/inc/lib/vendor/directorytree/ldaprecord/readme.md
index 505d6992c..e00f8ef69 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/readme.md
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/readme.md
@@ -6,7 +6,7 @@
 
 <p align="center">
     <a href="https://github.com/DirectoryTree/LdapRecord/actions">
-        <img src="https://img.shields.io/github/workflow/status/directorytree/ldaprecord/run-tests.svg?style=flat-square">
+        <img src="https://img.shields.io/github/actions/workflow/status/directorytree/ldaprecord/run-tests.yml?branch=master&style=flat-square">
     </a>
     <a href="https://scrutinizer-ci.com/g/DirectoryTree/LdapRecord/?branch=master">
         <img src="https://img.shields.io/scrutinizer/g/DirectoryTree/LdapRecord/master.svg?style=flat-square"/>
@@ -45,7 +45,7 @@
 
 ⏲ **Up and Running Fast**
 
-Connect to your LDAP servers and start running queries at lightning speed.
+Connect to your LDAP servers and start running queries in a matter of minutes.
 
 💡 **Fluent Filter Builder**
 
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Events/Event.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Events/Event.php
index 83716b422..7c1bb3c87 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Events/Event.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Events/Event.php
@@ -30,9 +30,9 @@ abstract class Event
     /**
      * Constructor.
      *
-     * @param LdapInterface $connection
-     * @param string        $username
-     * @param string        $password
+     * @param  LdapInterface  $connection
+     * @param  string  $username
+     * @param  string  $password
      */
     public function __construct(LdapInterface $connection, $username, $password)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Guard.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Guard.php
index d41af1569..c00989ae6 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Guard.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Auth/Guard.php
@@ -38,8 +38,8 @@ class Guard
     /**
      * Constructor.
      *
-     * @param LdapInterface       $connection
-     * @param DomainConfiguration $configuration
+     * @param  LdapInterface  $connection
+     * @param  DomainConfiguration  $configuration
      */
     public function __construct(LdapInterface $connection, DomainConfiguration $configuration)
     {
@@ -50,10 +50,9 @@ class Guard
     /**
      * Attempt binding a user to the LDAP server.
      *
-     * @param string $username
-     * @param string $password
-     * @param bool   $stayBound
-     *
+     * @param  string  $username
+     * @param  string  $password
+     * @param  bool  $stayBound
      * @return bool
      *
      * @throws UsernameRequiredException
@@ -90,8 +89,8 @@ class Guard
     /**
      * Attempt binding a user to the LDAP server. Supports anonymous binding.
      *
-     * @param string|null $username
-     * @param string|null $password
+     * @param  string|null  $username
+     * @param  string|null  $password
      *
      * @throws BindException
      * @throws \LdapRecord\ConnectionException
@@ -148,8 +147,7 @@ class Guard
     /**
      * Set the event dispatcher instance.
      *
-     * @param DispatcherInterface $dispatcher
-     *
+     * @param  DispatcherInterface  $dispatcher
      * @return void
      */
     public function setDispatcher(DispatcherInterface $dispatcher)
@@ -160,9 +158,8 @@ class Guard
     /**
      * Fire the attempting event.
      *
-     * @param string $username
-     * @param string $password
-     *
+     * @param  string  $username
+     * @param  string  $password
      * @return void
      */
     protected function fireAttemptingEvent($username, $password)
@@ -175,9 +172,8 @@ class Guard
     /**
      * Fire the passed event.
      *
-     * @param string $username
-     * @param string $password
-     *
+     * @param  string  $username
+     * @param  string  $password
      * @return void
      */
     protected function firePassedEvent($username, $password)
@@ -190,9 +186,8 @@ class Guard
     /**
      * Fire the failed event.
      *
-     * @param string $username
-     * @param string $password
-     *
+     * @param  string  $username
+     * @param  string  $password
      * @return void
      */
     protected function fireFailedEvent($username, $password)
@@ -205,9 +200,8 @@ class Guard
     /**
      * Fire the binding event.
      *
-     * @param string $username
-     * @param string $password
-     *
+     * @param  string  $username
+     * @param  string  $password
      * @return void
      */
     protected function fireBindingEvent($username, $password)
@@ -220,9 +214,8 @@ class Guard
     /**
      * Fire the bound event.
      *
-     * @param string $username
-     * @param string $password
-     *
+     * @param  string  $username
+     * @param  string  $password
      * @return void
      */
     protected function fireBoundEvent($username, $password)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/DomainConfiguration.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/DomainConfiguration.php
index d1124bfc9..f71f63d87 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/DomainConfiguration.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/DomainConfiguration.php
@@ -58,7 +58,7 @@ class DomainConfiguration
     /**
      * Constructor.
      *
-     * @param array $options
+     * @param  array  $options
      *
      * @throws ConfigurationException When an option value given is an invalid type.
      */
@@ -74,9 +74,8 @@ class DomainConfiguration
     /**
      * Extend the configuration with a custom option, or override an existing.
      *
-     * @param string $option
-     * @param mixed  $default
-     *
+     * @param  string  $option
+     * @param  mixed  $default
      * @return void
      */
     public static function extend($option, $default = null)
@@ -107,8 +106,8 @@ class DomainConfiguration
     /**
      * Set a configuration option.
      *
-     * @param string $key
-     * @param mixed  $value
+     * @param  string  $key
+     * @param  mixed  $value
      *
      * @throws ConfigurationException When an option value given is an invalid type.
      */
@@ -122,8 +121,7 @@ class DomainConfiguration
     /**
      * Returns the value for the specified configuration options.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return mixed
      *
      * @throws ConfigurationException When the option specified does not exist.
@@ -140,8 +138,7 @@ class DomainConfiguration
     /**
      * Checks if a configuration option exists.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function has($key)
@@ -152,9 +149,8 @@ class DomainConfiguration
     /**
      * Validate the configuration option.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return bool
      *
      * @throws ConfigurationException When an option value given is an invalid type.
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/Validators/Validator.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/Validators/Validator.php
index de2f13f56..d107314d5 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/Validators/Validator.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Configuration/Validators/Validator.php
@@ -30,8 +30,8 @@ abstract class Validator
     /**
      * Constructor.
      *
-     * @param string $key
-     * @param mixed  $value
+     * @param  string  $key
+     * @param  mixed  $value
      */
     public function __construct($key, $value)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Connection.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Connection.php
index d429aa462..6e55cffc9 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Connection.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Connection.php
@@ -88,8 +88,8 @@ class Connection
     /**
      * Constructor.
      *
-     * @param array              $config
-     * @param LdapInterface|null $ldap
+     * @param  array|DomainConfiguration  $config
+     * @param  LdapInterface|null  $ldap
      */
     public function __construct($config = [], LdapInterface $ldap = null)
     {
@@ -109,15 +109,18 @@ class Connection
     /**
      * Set the connection configuration.
      *
-     * @param array $config
-     *
+     * @param  array|DomainConfiguration  $config
      * @return $this
      *
      * @throws Configuration\ConfigurationException
      */
     public function setConfiguration($config = [])
     {
-        $this->configuration = new DomainConfiguration($config);
+        if (! $config instanceof DomainConfiguration) {
+            $config = new DomainConfiguration($config);
+        }
+
+        $this->configuration = $config;
 
         $this->hosts = $this->configuration->get('hosts');
 
@@ -129,8 +132,7 @@ class Connection
     /**
      * Set the LDAP connection.
      *
-     * @param LdapInterface $ldap
-     *
+     * @param  LdapInterface  $ldap
      * @return $this
      */
     public function setLdapConnection(LdapInterface $ldap)
@@ -143,8 +145,7 @@ class Connection
     /**
      * Set the event dispatcher.
      *
-     * @param DispatcherInterface $dispatcher
-     *
+     * @param  DispatcherInterface  $dispatcher
      * @return $this
      */
     public function setDispatcher(DispatcherInterface $dispatcher)
@@ -192,8 +193,7 @@ class Connection
     /**
      * Set the cache store.
      *
-     * @param CacheInterface $store
-     *
+     * @param  CacheInterface  $store
      * @return $this
      */
     public function setCache(CacheInterface $store)
@@ -238,9 +238,8 @@ class Connection
      *
      * If no username or password is specified, then the configured credentials are used.
      *
-     * @param string|null $username
-     * @param string|null $password
-     *
+     * @param  string|null  $username
+     * @param  string|null  $password
      * @return Connection
      *
      * @throws Auth\BindException
@@ -298,6 +297,16 @@ class Connection
         $this->initialize();
     }
 
+    /**
+     * Clone the connection.
+     *
+     * @return static
+     */
+    public function replicate()
+    {
+        return new static($this->configuration, new $this->ldap);
+    }
+
     /**
      * Disconnect from the LDAP server.
      *
@@ -311,8 +320,7 @@ class Connection
     /**
      * Dispatch an event.
      *
-     * @param object $event
-     *
+     * @param  object  $event
      * @return void
      */
     public function dispatch($event)
@@ -335,8 +343,7 @@ class Connection
     /**
      * Perform the operation on the LDAP connection.
      *
-     * @param Closure $operation
-     *
+     * @param  Closure  $operation
      * @return mixed
      */
     public function run(Closure $operation)
@@ -359,11 +366,27 @@ class Connection
         }
     }
 
+    /**
+     * Perform the operation on an isolated LDAP connection.
+     *
+     * @param  Closure  $operation
+     * @return mixed
+     */
+    public function isolate(Closure $operation)
+    {
+        $connection = $this->replicate();
+
+        try {
+            return $operation($connection);
+        } finally {
+            $connection->disconnect();
+        }
+    }
+
     /**
      * Attempt to get an exception for the cause of failure.
      *
-     * @param LdapRecordException $e
-     *
+     * @param  LdapRecordException  $e
      * @return mixed
      */
     protected function getExceptionForCauseOfFailure(LdapRecordException $e)
@@ -383,8 +406,7 @@ class Connection
     /**
      * Run the operation callback on the current LDAP connection.
      *
-     * @param Closure $operation
-     *
+     * @param  Closure  $operation
      * @return mixed
      *
      * @throws LdapRecordException
@@ -439,9 +461,8 @@ class Connection
     /**
      * Attempt to retry an LDAP operation if due to a lost connection.
      *
-     * @param LdapRecordException $e
-     * @param Closure             $operation
-     *
+     * @param  LdapRecordException  $e
+     * @param  Closure  $operation
      * @return mixed
      *
      * @throws LdapRecordException
@@ -461,8 +482,7 @@ class Connection
     /**
      * Retry the operation on the current host.
      *
-     * @param Closure $operation
-     *
+     * @param  Closure  $operation
      * @return mixed
      *
      * @throws LdapRecordException
@@ -483,9 +503,8 @@ class Connection
     /**
      * Attempt the operation again on the next host.
      *
-     * @param LdapRecordException $e
-     * @param Closure             $operation
-     *
+     * @param  LdapRecordException  $e
+     * @param  Closure  $operation
      * @return mixed
      *
      * @throws LdapRecordException
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/ConnectionManager.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/ConnectionManager.php
index 01b072b4e..0597f1f68 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/ConnectionManager.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/ConnectionManager.php
@@ -81,9 +81,8 @@ class ConnectionManager
     /**
      * Forward missing method calls onto the instance.
      *
-     * @param string $method
-     * @param mixed  $args
-     *
+     * @param  string  $method
+     * @param  mixed  $args
      * @return mixed
      */
     public function __call($method, $args)
@@ -104,9 +103,8 @@ class ConnectionManager
     /**
      * Add a new connection.
      *
-     * @param Connection  $connection
-     * @param string|null $name
-     *
+     * @param  Connection  $connection
+     * @param  string|null  $name
      * @return $this
      */
     public function add(Connection $connection, $name = null)
@@ -123,8 +121,7 @@ class ConnectionManager
     /**
      * Remove a connection.
      *
-     * @param $name
-     *
+     * @param  $name
      * @return $this
      */
     public function remove($name)
@@ -147,8 +144,7 @@ class ConnectionManager
     /**
      * Get a connection by name or return the default.
      *
-     * @param string|null $name
-     *
+     * @param  string|null  $name
      * @return Connection
      *
      * @throws ContainerException If the given connection does not exist.
@@ -185,8 +181,7 @@ class ConnectionManager
     /**
      * Checks if the connection exists.
      *
-     * @param string $name
-     *
+     * @param  string  $name
      * @return bool
      */
     public function exists($name)
@@ -197,8 +192,7 @@ class ConnectionManager
     /**
      * Set the default connection name.
      *
-     * @param string $name
-     *
+     * @param  string  $name
      * @return $this
      */
     public function setDefault($name = null)
@@ -237,8 +231,7 @@ class ConnectionManager
     /**
      * Set the event logger to use.
      *
-     * @param LoggerInterface $logger
-     *
+     * @param  LoggerInterface  $logger
      * @return void
      */
     public function setLogger(LoggerInterface $logger)
@@ -299,8 +292,7 @@ class ConnectionManager
     /**
      * Set the event dispatcher.
      *
-     * @param DispatcherInterface $dispatcher
-     *
+     * @param  DispatcherInterface  $dispatcher
      * @return void
      */
     public function setDispatcher(DispatcherInterface $dispatcher)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Container.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Container.php
index f458951e7..0c125593d 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Container.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Container.php
@@ -48,9 +48,8 @@ class Container
     /**
      * Forward missing static calls onto the current instance.
      *
-     * @param string $method
-     * @param mixed  $args
-     *
+     * @param  string  $method
+     * @param  mixed  $args
      * @return mixed
      */
     public static function __callStatic($method, $args)
@@ -71,8 +70,7 @@ class Container
     /**
      * Set the container instance.
      *
-     * @param Container|null $container
-     *
+     * @param  Container|null  $container
      * @return Container|null
      */
     public static function setInstance(self $container = null)
@@ -103,9 +101,8 @@ class Container
     /**
      * Forward missing method calls onto the connection manager.
      *
-     * @param string $method
-     * @param mixed  $args
-     *
+     * @param  string  $method
+     * @param  mixed  $args
      * @return mixed
      */
     public function __call($method, $args)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetailedError.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetailedError.php
index d61159ed3..fff528c98 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetailedError.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetailedError.php
@@ -28,9 +28,9 @@ class DetailedError
     /**
      * Constructor.
      *
-     * @param int    $errorCode
-     * @param string $errorMessage
-     * @param string $diagnosticMessage
+     * @param  int  $errorCode
+     * @param  string  $errorMessage
+     * @param  string  $diagnosticMessage
      */
     public function __construct($errorCode, $errorMessage, $diagnosticMessage)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetectsErrors.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetectsErrors.php
index e8997a931..61fc4a02e 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetectsErrors.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/DetectsErrors.php
@@ -7,8 +7,7 @@ trait DetectsErrors
     /**
      * Determine if the error was caused by a lost connection.
      *
-     * @param string $error
-     *
+     * @param  string  $error
      * @return bool
      */
     protected function causedByLostConnection($error)
@@ -19,8 +18,7 @@ trait DetectsErrors
     /**
      * Determine if the error was caused by lack of pagination support.
      *
-     * @param string $error
-     *
+     * @param  string  $error
      * @return bool
      */
     protected function causedByPaginationSupport($error)
@@ -31,8 +29,7 @@ trait DetectsErrors
     /**
      * Determine if the error was caused by a size limit warning.
      *
-     * @param $error
-     *
+     * @param  $error
      * @return bool
      */
     protected function causedBySizeLimit($error)
@@ -43,8 +40,7 @@ trait DetectsErrors
     /**
      * Determine if the error was caused by a "No such object" warning.
      *
-     * @param string $error
-     *
+     * @param  string  $error
      * @return bool
      */
     protected function causedByNoSuchObject($error)
@@ -55,15 +51,14 @@ trait DetectsErrors
     /**
      * Determine if the error contains the any of the messages.
      *
-     * @param string       $error
-     * @param string|array $messages
-     *
+     * @param  string  $error
+     * @param  string|array  $messages
      * @return bool
      */
     protected function errorContainsMessage($error, $messages = [])
     {
         foreach ((array) $messages as $message) {
-            if (strpos($error, $message) !== false) {
+            if (str_contains((string) $error, $message)) {
                 return true;
             }
         }
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/EscapesValues.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/EscapesValues.php
index acfc020bf..ea53a2f93 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/EscapesValues.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/EscapesValues.php
@@ -9,10 +9,9 @@ trait EscapesValues
     /**
      * Prepare a value to be escaped.
      *
-     * @param string $value
-     * @param string $ignore
-     * @param int    $flags
-     *
+     * @param  string  $value
+     * @param  string  $ignore
+     * @param  int  $flags
      * @return EscapedValue
      */
     public function escape($value, $ignore = '', $flags = 0)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/ConnectionEvent.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/ConnectionEvent.php
index e9c2c352c..d2d77e2fc 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/ConnectionEvent.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/ConnectionEvent.php
@@ -16,7 +16,7 @@ abstract class ConnectionEvent
     /**
      * Constructor.
      *
-     * @param Connection $connection
+     * @param  Connection  $connection
      */
     public function __construct(Connection $connection)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Dispatcher.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Dispatcher.php
index a4ae3def0..4fedbc2ef 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Dispatcher.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Dispatcher.php
@@ -46,7 +46,7 @@ class Dispatcher implements DispatcherInterface
     public function listen($events, $listener)
     {
         foreach ((array) $events as $event) {
-            if (strpos($event, '*') !== false) {
+            if (str_contains((string) $event, '*')) {
                 $this->setupWildcardListen($event, $listener);
             } else {
                 $this->listeners[$event][] = $this->makeListener($listener);
@@ -57,9 +57,8 @@ class Dispatcher implements DispatcherInterface
     /**
      * Setup a wildcard listener callback.
      *
-     * @param string $event
-     * @param mixed  $listener
-     *
+     * @param  string  $event
+     * @param  mixed  $listener
      * @return void
      */
     protected function setupWildcardListen($event, $listener)
@@ -134,9 +133,8 @@ class Dispatcher implements DispatcherInterface
     /**
      * Parse the given event and payload and prepare them for dispatching.
      *
-     * @param mixed $event
-     * @param mixed $payload
-     *
+     * @param  mixed  $event
+     * @param  mixed  $payload
      * @return array
      */
     protected function parseEventAndPayload($event, $payload)
@@ -168,8 +166,7 @@ class Dispatcher implements DispatcherInterface
     /**
      * Get the wildcard listeners for the event.
      *
-     * @param string $eventName
-     *
+     * @param  string  $eventName
      * @return array
      */
     protected function getWildcardListeners($eventName)
@@ -190,9 +187,8 @@ class Dispatcher implements DispatcherInterface
      *
      * This function is a direct excerpt from Laravel's Str::is().
      *
-     * @param string $wildcard
-     * @param string $eventName
-     *
+     * @param  string  $wildcard
+     * @param  string  $eventName
      * @return bool
      */
     protected function wildcardContainsEvent($wildcard, $eventName)
@@ -229,9 +225,8 @@ class Dispatcher implements DispatcherInterface
     /**
      * Add the listeners for the event's interfaces to the given array.
      *
-     * @param string $eventName
-     * @param array  $listeners
-     *
+     * @param  string  $eventName
+     * @param  array  $listeners
      * @return array
      */
     protected function addInterfaceListeners($eventName, array $listeners = [])
@@ -250,9 +245,8 @@ class Dispatcher implements DispatcherInterface
     /**
      * Register an event listener with the dispatcher.
      *
-     * @param \Closure|string $listener
-     * @param bool            $wildcard
-     *
+     * @param  \Closure|string  $listener
+     * @param  bool  $wildcard
      * @return \Closure
      */
     public function makeListener($listener, $wildcard = false)
@@ -273,9 +267,8 @@ class Dispatcher implements DispatcherInterface
     /**
      * Create a class based listener.
      *
-     * @param string $listener
-     * @param bool   $wildcard
-     *
+     * @param  string  $listener
+     * @param  bool  $wildcard
      * @return \Closure
      */
     protected function createClassListener($listener, $wildcard = false)
@@ -295,8 +288,7 @@ class Dispatcher implements DispatcherInterface
     /**
      * Create the class based event callable.
      *
-     * @param string $listener
-     *
+     * @param  string  $listener
      * @return callable
      */
     protected function createClassCallable($listener)
@@ -309,13 +301,12 @@ class Dispatcher implements DispatcherInterface
     /**
      * Parse the class listener into class and method.
      *
-     * @param string $listener
-     *
+     * @param  string  $listener
      * @return array
      */
     protected function parseListenerCallback($listener)
     {
-        return strpos($listener, '@') !== false
+        return str_contains((string) $listener, '@')
             ? explode('@', $listener, 2)
             : [$listener, 'handle'];
     }
@@ -325,7 +316,7 @@ class Dispatcher implements DispatcherInterface
      */
     public function forget($event)
     {
-        if (strpos($event, '*') !== false) {
+        if (str_contains((string) $event, '*')) {
             unset($this->wildcards[$event]);
         } else {
             unset($this->listeners[$event]);
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/DispatcherInterface.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/DispatcherInterface.php
index 6b7cb10c6..590328f09 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/DispatcherInterface.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/DispatcherInterface.php
@@ -7,9 +7,8 @@ interface DispatcherInterface
     /**
      * Register an event listener with the dispatcher.
      *
-     * @param string|array $events
-     * @param mixed        $listener
-     *
+     * @param  string|array  $events
+     * @param  mixed  $listener
      * @return void
      */
     public function listen($events, $listener);
@@ -17,8 +16,7 @@ interface DispatcherInterface
     /**
      * Determine if a given event has listeners.
      *
-     * @param string $eventName
-     *
+     * @param  string  $eventName
      * @return bool
      */
     public function hasListeners($eventName);
@@ -26,9 +24,8 @@ interface DispatcherInterface
     /**
      * Fire an event until the first non-null response is returned.
      *
-     * @param string|object $event
-     * @param mixed         $payload
-     *
+     * @param  string|object  $event
+     * @param  mixed  $payload
      * @return array|null
      */
     public function until($event, $payload = []);
@@ -36,10 +33,9 @@ interface DispatcherInterface
     /**
      * Fire an event and call the listeners.
      *
-     * @param string|object $event
-     * @param mixed         $payload
-     * @param bool          $halt
-     *
+     * @param  string|object  $event
+     * @param  mixed  $payload
+     * @param  bool  $halt
      * @return mixed
      */
     public function fire($event, $payload = [], $halt = false);
@@ -47,10 +43,9 @@ interface DispatcherInterface
     /**
      * Fire an event and call the listeners.
      *
-     * @param string|object $event
-     * @param mixed         $payload
-     * @param bool          $halt
-     *
+     * @param  string|object  $event
+     * @param  mixed  $payload
+     * @param  bool  $halt
      * @return array|null
      */
     public function dispatch($event, $payload = [], $halt = false);
@@ -58,8 +53,7 @@ interface DispatcherInterface
     /**
      * Get all of the listeners for a given event name.
      *
-     * @param string $eventName
-     *
+     * @param  string  $eventName
      * @return array
      */
     public function getListeners($eventName);
@@ -67,8 +61,7 @@ interface DispatcherInterface
     /**
      * Remove a set of listeners from the dispatcher.
      *
-     * @param string $event
-     *
+     * @param  string  $event
      * @return void
      */
     public function forget($event);
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Logger.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Logger.php
index b2082e596..b8a849169 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Logger.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/Logger.php
@@ -21,7 +21,7 @@ class Logger
     /**
      * Constructor.
      *
-     * @param LoggerInterface|null $logger
+     * @param  LoggerInterface|null  $logger
      */
     public function __construct(LoggerInterface $logger = null)
     {
@@ -31,8 +31,7 @@ class Logger
     /**
      * Logs the given event.
      *
-     * @param mixed $event
-     *
+     * @param  mixed  $event
      * @return void
      */
     public function log($event)
@@ -53,8 +52,7 @@ class Logger
     /**
      * Logs an authentication event.
      *
-     * @param AuthEvent $event
-     *
+     * @param  AuthEvent  $event
      * @return void
      */
     public function auth(AuthEvent $event)
@@ -81,8 +79,7 @@ class Logger
     /**
      * Logs a model event.
      *
-     * @param ModelEvent $event
-     *
+     * @param  ModelEvent  $event
      * @return void
      */
     public function model(ModelEvent $event)
@@ -106,8 +103,7 @@ class Logger
     /**
      * Logs a query event.
      *
-     * @param QueryEvent $event
-     *
+     * @param  QueryEvent  $event
      * @return void
      */
     public function query(QueryEvent $event)
@@ -133,8 +129,7 @@ class Logger
     /**
      * Returns the operational name of the given event.
      *
-     * @param mixed $event
-     *
+     * @param  mixed  $event
      * @return string
      */
     protected function getOperationName($event)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/NullDispatcher.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/NullDispatcher.php
index 73b1f5a8e..7683d1f80 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/NullDispatcher.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Events/NullDispatcher.php
@@ -14,7 +14,7 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Constructor.
      *
-     * @param DispatcherInterface $dispatcher
+     * @param  DispatcherInterface  $dispatcher
      */
     public function __construct(DispatcherInterface $dispatcher)
     {
@@ -24,9 +24,8 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Register an event listener with the dispatcher.
      *
-     * @param string|array $events
-     * @param mixed        $listener
-     *
+     * @param  string|array  $events
+     * @param  mixed  $listener
      * @return void
      */
     public function listen($events, $listener)
@@ -37,8 +36,7 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Determine if a given event has listeners.
      *
-     * @param string $eventName
-     *
+     * @param  string  $eventName
      * @return bool
      */
     public function hasListeners($eventName)
@@ -49,9 +47,8 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Fire an event until the first non-null response is returned.
      *
-     * @param string|object $event
-     * @param mixed         $payload
-     *
+     * @param  string|object  $event
+     * @param  mixed  $payload
      * @return null
      */
     public function until($event, $payload = [])
@@ -62,10 +59,9 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Fire an event and call the listeners.
      *
-     * @param string|object $event
-     * @param mixed         $payload
-     * @param bool          $halt
-     *
+     * @param  string|object  $event
+     * @param  mixed  $payload
+     * @param  bool  $halt
      * @return null
      */
     public function fire($event, $payload = [], $halt = false)
@@ -76,10 +72,9 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Fire an event and call the listeners.
      *
-     * @param string|object $event
-     * @param mixed         $payload
-     * @param bool          $halt
-     *
+     * @param  string|object  $event
+     * @param  mixed  $payload
+     * @param  bool  $halt
      * @return null
      */
     public function dispatch($event, $payload = [], $halt = false)
@@ -90,8 +85,7 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Get all of the listeners for a given event name.
      *
-     * @param string $eventName
-     *
+     * @param  string  $eventName
      * @return array
      */
     public function getListeners($eventName)
@@ -102,8 +96,7 @@ class NullDispatcher implements DispatcherInterface
     /**
      * Remove a set of listeners from the dispatcher.
      *
-     * @param string $event
-     *
+     * @param  string  $event
      * @return void
      */
     public function forget($event)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/HandlesConnection.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/HandlesConnection.php
index 9af7ad751..4a2e27598 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/HandlesConnection.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/HandlesConnection.php
@@ -148,8 +148,7 @@ trait HandlesConnection
     /**
      * Convert warnings to exceptions for the given operation.
      *
-     * @param Closure $operation
-     *
+     * @param  Closure  $operation
      * @return mixed
      *
      * @throws LdapRecordException
@@ -190,8 +189,7 @@ trait HandlesConnection
     /**
      * Determine if the failed operation should be bypassed.
      *
-     * @param string $method
-     *
+     * @param  string  $method
      * @return bool
      */
     protected function shouldBypassFailure($method)
@@ -202,8 +200,7 @@ trait HandlesConnection
     /**
      * Determine if the error should be bypassed.
      *
-     * @param string $error
-     *
+     * @param  string  $error
      * @return bool
      */
     protected function shouldBypassError($error)
@@ -226,9 +223,8 @@ trait HandlesConnection
     /**
      * Generates an LDAP connection string for each host given.
      *
-     * @param string|array $hosts
-     * @param string       $port
-     *
+     * @param  string|array  $hosts
+     * @param  string  $port
      * @return string
      */
     protected function makeConnectionUris($hosts, $port)
@@ -249,9 +245,8 @@ trait HandlesConnection
     /**
      * Assemble the host URI strings.
      *
-     * @param array|string $hosts
-     * @param string       $port
-     *
+     * @param  array|string  $hosts
+     * @param  string  $port
      * @return array
      */
     protected function assembleHostUris($hosts, $port)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Ldap.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Ldap.php
index 0c3574f13..76c372040 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Ldap.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Ldap.php
@@ -4,7 +4,6 @@ namespace LdapRecord;
 
 use LDAP\Connection as RawLdapConnection;
 
-/** @psalm-suppress UndefinedClass */
 class Ldap implements LdapInterface
 {
     use HandlesConnection, DetectsErrors;
@@ -24,8 +23,7 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-first-entry.php
      *
-     * @param resource $searchResults
-     *
+     * @param  resource  $searchResults
      * @return resource
      */
     public function getFirstEntry($searchResults)
@@ -40,8 +38,7 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-next-entry.php
      *
-     * @param resource $entry
-     *
+     * @param  resource  $entry
      * @return resource
      */
     public function getNextEntry($entry)
@@ -56,8 +53,7 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-get-attributes.php
      *
-     * @param resource $entry
-     *
+     * @param  resource  $entry
      * @return array|false
      */
     public function getAttributes($entry)
@@ -72,8 +68,7 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-count-entries.php
      *
-     * @param resource $searchResults
-     *
+     * @param  resource  $searchResults
      * @return int
      */
     public function countEntries($searchResults)
@@ -88,10 +83,9 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-compare.php
      *
-     * @param string $dn
-     * @param string $attribute
-     * @param string $value
-     *
+     * @param  string  $dn
+     * @param  string  $attribute
+     * @param  string  $value
      * @return mixed
      */
     public function compare($dn, $attribute, $value)
@@ -132,9 +126,8 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-get-values-len.php
      *
-     * @param $entry
-     * @param $attribute
-     *
+     * @param  $entry
+     * @param  $attribute
      * @return array
      */
     public function getValuesLen($entry, $attribute)
@@ -167,8 +160,7 @@ class Ldap implements LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-set-rebind-proc.php
      *
-     * @param callable $callback
-     *
+     * @param  callable  $callback
      * @return bool
      */
     public function setRebindCallback(callable $callback)
@@ -304,7 +296,7 @@ class Ldap implements LdapInterface
     public function bind($username, $password)
     {
         return $this->bound = $this->executeFailableOperation(function () use ($username, $password) {
-            return ldap_bind($this->connection, $username, html_entity_decode($password));
+            return ldap_bind($this->connection, $username, $password ? html_entity_decode($password) : null);
         });
     }
 
@@ -462,8 +454,7 @@ class Ldap implements LdapInterface
     /**
      * Extract the diagnostic code from the message.
      *
-     * @param string $message
-     *
+     * @param  string  $message
      * @return string|bool
      */
     public function extractDiagnosticCode($message)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapInterface.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapInterface.php
index c74fe4e89..fcff57f48 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapInterface.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapInterface.php
@@ -9,28 +9,28 @@ interface LdapInterface
      *
      * @var string
      */
-    const PROTOCOL_SSL = 'ldaps://';
+    public const PROTOCOL_SSL = 'ldaps://';
 
     /**
      * The standard LDAP protocol string.
      *
      * @var string
      */
-    const PROTOCOL = 'ldap://';
+    public const PROTOCOL = 'ldap://';
 
     /**
      * The LDAP SSL port number.
      *
      * @var string
      */
-    const PORT_SSL = 636;
+    public const PORT_SSL = 636;
 
     /**
      * The standard LDAP port number.
      *
      * @var string
      */
-    const PORT = 389;
+    public const PORT = 389;
 
     /**
      * Various useful server control OID's.
@@ -38,37 +38,36 @@ interface LdapInterface
      * @see https://ldap.com/ldap-oid-reference-guide/
      * @see http://msdn.microsoft.com/en-us/library/cc223359.aspx
      */
-    const OID_SERVER_START_TLS = '1.3.6.1.4.1.1466.20037';
-    const OID_SERVER_PAGED_RESULTS = '1.2.840.113556.1.4.319';
-    const OID_SERVER_SHOW_DELETED = '1.2.840.113556.1.4.417';
-    const OID_SERVER_SORT = '1.2.840.113556.1.4.473';
-    const OID_SERVER_CROSSDOM_MOVE_TARGET = '1.2.840.113556.1.4.521';
-    const OID_SERVER_NOTIFICATION = '1.2.840.113556.1.4.528';
-    const OID_SERVER_EXTENDED_DN = '1.2.840.113556.1.4.529';
-    const OID_SERVER_LAZY_COMMIT = '1.2.840.113556.1.4.619';
-    const OID_SERVER_SD_FLAGS = '1.2.840.113556.1.4.801';
-    const OID_SERVER_TREE_DELETE = '1.2.840.113556.1.4.805';
-    const OID_SERVER_DIRSYNC = '1.2.840.113556.1.4.841';
-    const OID_SERVER_VERIFY_NAME = '1.2.840.113556.1.4.1338';
-    const OID_SERVER_DOMAIN_SCOPE = '1.2.840.113556.1.4.1339';
-    const OID_SERVER_SEARCH_OPTIONS = '1.2.840.113556.1.4.1340';
-    const OID_SERVER_PERMISSIVE_MODIFY = '1.2.840.113556.1.4.1413';
-    const OID_SERVER_ASQ = '1.2.840.113556.1.4.1504';
-    const OID_SERVER_FAST_BIND = '1.2.840.113556.1.4.1781';
-    const OID_SERVER_CONTROL_VLVREQUEST = '2.16.840.1.113730.3.4.9';
+    public const OID_SERVER_START_TLS = '1.3.6.1.4.1.1466.20037';
+    public const OID_SERVER_PAGED_RESULTS = '1.2.840.113556.1.4.319';
+    public const OID_SERVER_SHOW_DELETED = '1.2.840.113556.1.4.417';
+    public const OID_SERVER_SORT = '1.2.840.113556.1.4.473';
+    public const OID_SERVER_CROSSDOM_MOVE_TARGET = '1.2.840.113556.1.4.521';
+    public const OID_SERVER_NOTIFICATION = '1.2.840.113556.1.4.528';
+    public const OID_SERVER_EXTENDED_DN = '1.2.840.113556.1.4.529';
+    public const OID_SERVER_LAZY_COMMIT = '1.2.840.113556.1.4.619';
+    public const OID_SERVER_SD_FLAGS = '1.2.840.113556.1.4.801';
+    public const OID_SERVER_TREE_DELETE = '1.2.840.113556.1.4.805';
+    public const OID_SERVER_DIRSYNC = '1.2.840.113556.1.4.841';
+    public const OID_SERVER_VERIFY_NAME = '1.2.840.113556.1.4.1338';
+    public const OID_SERVER_DOMAIN_SCOPE = '1.2.840.113556.1.4.1339';
+    public const OID_SERVER_SEARCH_OPTIONS = '1.2.840.113556.1.4.1340';
+    public const OID_SERVER_PERMISSIVE_MODIFY = '1.2.840.113556.1.4.1413';
+    public const OID_SERVER_ASQ = '1.2.840.113556.1.4.1504';
+    public const OID_SERVER_FAST_BIND = '1.2.840.113556.1.4.1781';
+    public const OID_SERVER_CONTROL_VLVREQUEST = '2.16.840.1.113730.3.4.9';
 
     /**
      * Query OID's.
      *
      * @see https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN
      */
-    const OID_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';
+    public const OID_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';
 
     /**
      * Set the current connection to use SSL.
      *
-     * @param bool $enabled
-     *
+     * @param  bool  $enabled
      * @return $this
      */
     public function ssl();
@@ -83,8 +82,7 @@ interface LdapInterface
     /**
      * Set the current connection to use TLS.
      *
-     * @param bool $enabled
-     *
+     * @param  bool  $enabled
      * @return $this
      */
     public function tls();
@@ -138,8 +136,7 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-get-entries.php
      *
-     * @param resource $searchResults
-     *
+     * @param  resource  $searchResults
      * @return array
      */
     public function getEntries($searchResults);
@@ -169,9 +166,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-set-option.php
      *
-     * @param int   $option
-     * @param mixed $value
-     *
+     * @param  int  $option
+     * @param  mixed  $value
      * @return bool
      */
     public function setOption($option, $value);
@@ -179,8 +175,7 @@ interface LdapInterface
     /**
      * Set options on the current connection.
      *
-     * @param array $options
-     *
+     * @param  array  $options
      * @return void
      */
     public function setOptions(array $options = []);
@@ -190,9 +185,8 @@ interface LdapInterface
      *
      * @see https://www.php.net/manual/en/function.ldap-get-option.php
      *
-     * @param int   $option
-     * @param mixed $value
-     *
+     * @param  int  $option
+     * @param  mixed  $value
      * @return mixed
      */
     public function getOption($option, &$value = null);
@@ -213,9 +207,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-start-tls.php
      *
-     * @param string|array $hosts
-     * @param int          $port
-     *
+     * @param  string|array  $hosts
+     * @param  int  $port
      * @return resource|false
      */
     public function connect($hosts = [], $port = 389);
@@ -236,15 +229,14 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-search.php
      *
-     * @param string $dn
-     * @param string $filter
-     * @param array  $fields
-     * @param bool   $onlyAttributes
-     * @param int    $size
-     * @param int    $time
-     * @param int    $deref
-     * @param array  $serverControls
-     *
+     * @param  string  $dn
+     * @param  string  $filter
+     * @param  array  $fields
+     * @param  bool  $onlyAttributes
+     * @param  int  $size
+     * @param  int  $time
+     * @param  int  $deref
+     * @param  array  $serverControls
      * @return resource
      */
     public function search($dn, $filter, array $fields, $onlyAttributes = false, $size = 0, $time = 0, $deref = LDAP_DEREF_NEVER, $serverControls = []);
@@ -254,15 +246,14 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-list.php
      *
-     * @param string $dn
-     * @param string $filter
-     * @param array  $fields
-     * @param bool   $onlyAttributes
-     * @param int    $size
-     * @param int    $time
-     * @param int    $deref
-     * @param array  $serverControls
-     *
+     * @param  string  $dn
+     * @param  string  $filter
+     * @param  array  $fields
+     * @param  bool  $onlyAttributes
+     * @param  int  $size
+     * @param  int  $time
+     * @param  int  $deref
+     * @param  array  $serverControls
      * @return resource
      */
     public function listing($dn, $filter, array $fields, $onlyAttributes = false, $size = 0, $time = 0, $deref = LDAP_DEREF_NEVER, $serverControls = []);
@@ -272,15 +263,14 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-read.php
      *
-     * @param string $dn
-     * @param string $filter
-     * @param array  $fields
-     * @param bool   $onlyAttributes
-     * @param int    $size
-     * @param int    $time
-     * @param int    $deref
-     * @param array  $serverControls
-     *
+     * @param  string  $dn
+     * @param  string  $filter
+     * @param  array  $fields
+     * @param  bool  $onlyAttributes
+     * @param  int  $size
+     * @param  int  $time
+     * @param  int  $deref
+     * @param  array  $serverControls
      * @return resource
      */
     public function read($dn, $filter, array $fields, $onlyAttributes = false, $size = 0, $time = 0, $deref = LDAP_DEREF_NEVER, $serverControls = []);
@@ -290,13 +280,12 @@ interface LdapInterface
      *
      * @see https://www.php.net/manual/en/function.ldap-parse-result.php
      *
-     * @param resource $result
-     * @param int      $errorCode
-     * @param ?string  $dn
-     * @param ?string  $errorMessage
-     * @param ?array   $referrals
-     * @param ?array   $serverControls
-     *
+     * @param  resource  $result
+     * @param  int  $errorCode
+     * @param  ?string  $dn
+     * @param  ?string  $errorMessage
+     * @param  ?array  $referrals
+     * @param  ?array  $serverControls
      * @return bool
      */
     public function parseResult($result, &$errorCode, &$dn, &$errorMessage, &$referrals, &$serverControls = []);
@@ -307,9 +296,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-bind.php
      *
-     * @param string $username
-     * @param string $password
-     *
+     * @param  string  $username
+     * @param  string  $password
      * @return bool
      *
      * @throws LdapRecordException
@@ -321,9 +309,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-add.php
      *
-     * @param string $dn
-     * @param array  $entry
-     *
+     * @param  string  $dn
+     * @param  array  $entry
      * @return bool
      *
      * @throws LdapRecordException
@@ -335,8 +322,7 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-delete.php
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return bool
      *
      * @throws LdapRecordException
@@ -348,11 +334,10 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-rename.php
      *
-     * @param string $dn
-     * @param string $newRdn
-     * @param string $newParent
-     * @param bool   $deleteOldRdn
-     *
+     * @param  string  $dn
+     * @param  string  $newRdn
+     * @param  string  $newParent
+     * @param  bool  $deleteOldRdn
      * @return bool
      *
      * @throws LdapRecordException
@@ -364,9 +349,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-modify.php
      *
-     * @param string $dn
-     * @param array  $entry
-     *
+     * @param  string  $dn
+     * @param  array  $entry
      * @return bool
      *
      * @throws LdapRecordException
@@ -378,9 +362,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-modify-batch.php
      *
-     * @param string $dn
-     * @param array  $values
-     *
+     * @param  string  $dn
+     * @param  array  $values
      * @return bool
      *
      * @throws LdapRecordException
@@ -392,9 +375,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-mod-add.php
      *
-     * @param string $dn
-     * @param array  $entry
-     *
+     * @param  string  $dn
+     * @param  array  $entry
      * @return bool
      *
      * @throws LdapRecordException
@@ -406,9 +388,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-mod-replace.php
      *
-     * @param string $dn
-     * @param array  $entry
-     *
+     * @param  string  $dn
+     * @param  array  $entry
      * @return bool
      *
      * @throws LdapRecordException
@@ -420,9 +401,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-mod-del.php
      *
-     * @param string $dn
-     * @param array  $entry
-     *
+     * @param  string  $dn
+     * @param  array  $entry
      * @return bool
      *
      * @throws LdapRecordException
@@ -434,10 +414,9 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-control-paged-result.php
      *
-     * @param int    $pageSize
-     * @param bool   $isCritical
-     * @param string $cookie
-     *
+     * @param  int  $pageSize
+     * @param  bool  $isCritical
+     * @param  string  $cookie
      * @return bool
      */
     public function controlPagedResult($pageSize = 1000, $isCritical = false, $cookie = '');
@@ -447,9 +426,8 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-control-paged-result-response.php
      *
-     * @param resource $result
-     * @param string   $cookie
-     *
+     * @param  resource  $result
+     * @param  string  $cookie
      * @return bool
      */
     public function controlPagedResultResponse($result, &$cookie);
@@ -459,8 +437,7 @@ interface LdapInterface
      *
      * @see https://www.php.net/manual/en/function.ldap-free-result.php
      *
-     * @param resource $result
-     *
+     * @param  resource  $result
      * @return bool
      */
     public function freeResult($result);
@@ -479,8 +456,7 @@ interface LdapInterface
      *
      * @see http://php.net/manual/en/function.ldap-err2str.php
      *
-     * @param int $number
-     *
+     * @param  int  $number
      * @return string
      */
     public function err2Str($number);
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapRecordException.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapRecordException.php
index b2439bf83..0669b4c65 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapRecordException.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/LdapRecordException.php
@@ -16,9 +16,8 @@ class LdapRecordException extends Exception
     /**
      * Create a new Bind Exception with a detailed connection error.
      *
-     * @param Exception          $e
-     * @param DetailedError|null $error
-     *
+     * @param  Exception  $e
+     * @param  DetailedError|null  $error
      * @return $this
      */
     public static function withDetailedError(Exception $e, DetailedError $error = null)
@@ -29,8 +28,7 @@ class LdapRecordException extends Exception
     /**
      * Set the detailed error.
      *
-     * @param DetailedError|null $error
-     *
+     * @param  DetailedError|null  $error
      * @return $this
      */
     public function setDetailedError(DetailedError $error = null)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Concerns/HasPrimaryGroup.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Concerns/HasPrimaryGroup.php
index 97fd3a1fb..b7138d30c 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Concerns/HasPrimaryGroup.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Concerns/HasPrimaryGroup.php
@@ -9,10 +9,9 @@ trait HasPrimaryGroup
     /**
      * Returns a new has one primary group relationship.
      *
-     * @param mixed  $related
-     * @param string $relationKey
-     * @param string $foreignKey
-     *
+     * @param  mixed  $related
+     * @param  string  $relationKey
+     * @param  string  $foreignKey
      * @return HasOnePrimaryGroup
      */
     public function hasOnePrimaryGroup($related, $relationKey, $foreignKey = 'primarygroupid')
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Entry.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Entry.php
index 652ad563f..e1a0233cc 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Entry.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Entry.php
@@ -9,6 +9,7 @@ use LdapRecord\Models\Entry as BaseEntry;
 use LdapRecord\Models\Events\Updated;
 use LdapRecord\Models\Types\ActiveDirectory;
 use LdapRecord\Query\Model\ActiveDirectoryBuilder;
+use LdapRecord\Support\Arr;
 
 /** @mixin ActiveDirectoryBuilder */
 class Entry extends BaseEntry implements ActiveDirectory
@@ -50,20 +51,46 @@ class Entry extends BaseEntry implements ActiveDirectory
     /**
      * @inheritdoc
      */
-    public function getConvertedSid()
+    public function getConvertedSid($sid = null)
     {
         try {
-            return (string) new Sid($this->getObjectSid());
+            return (string) $this->newObjectSid(
+                $sid ?? $this->getObjectSid()
+            );
         } catch (InvalidArgumentException $e) {
             return;
         }
     }
 
+    /**
+     * @inheritdoc
+     */
+    public function getBinarySid($sid = null)
+    {
+        try {
+            return $this->newObjectSid(
+                $sid ?? $this->getObjectSid()
+            )->getBinary();
+        } catch (InvalidArgumentException $e) {
+            return;
+        }
+    }
+
+    /**
+     * Make a new object Sid instance.
+     *
+     * @param  string  $value
+     * @return Sid
+     */
+    protected function newObjectSid($value)
+    {
+        return new Sid($value);
+    }
+
     /**
      * Create a new query builder.
      *
-     * @param Connection $connection
-     *
+     * @param  Connection  $connection
      * @return ActiveDirectoryBuilder
      */
     public function newQueryBuilder(Connection $connection)
@@ -84,8 +111,7 @@ class Entry extends BaseEntry implements ActiveDirectory
     /**
      * Restore a deleted object.
      *
-     * @param string|null $newParentDn
-     *
+     * @param  string|null  $newParentDn
      * @return bool
      *
      * @throws \LdapRecord\LdapRecordException
@@ -114,24 +140,6 @@ class Entry extends BaseEntry implements ActiveDirectory
         $this->save(['isDeleted' => null]);
     }
 
-    /**
-     * Get the RootDSE (AD schema) record from the directory.
-     *
-     * @param string|null $connection
-     *
-     * @return static
-     *
-     * @throws \LdapRecord\Models\ModelNotFoundException
-     */
-    public static function getRootDse($connection = null)
-    {
-        return static::on($connection ?? (new static())->getConnectionName())
-            ->in(null)
-            ->read()
-            ->whereHas('objectclass')
-            ->firstOrFail();
-    }
-
     /**
      * Get the objects restore location.
      *
@@ -143,22 +151,50 @@ class Entry extends BaseEntry implements ActiveDirectory
     }
 
     /**
-     * Converts attributes for JSON serialization.
-     *
-     * @param array $attributes
+     * Convert the attributes for JSON serialization.
      *
+     * @param  array  $attributes
      * @return array
      */
     protected function convertAttributesForJson(array $attributes = [])
     {
         $attributes = parent::convertAttributesForJson($attributes);
 
-        if ($this->hasAttribute($this->sidKey)) {
-            // If the model has a SID set, we need to convert it due to it being in
-            // binary. Otherwise we will receive a JSON serialization exception.
-            return array_replace($attributes, [
-                $this->sidKey => [$this->getConvertedSid()],
-            ]);
+        // If the model has a SID set, we need to convert it to its
+        // string format, due to it being in binary. Otherwise
+        // we will receive a JSON serialization exception.
+        if (isset($attributes[$this->sidKey])) {
+            $attributes[$this->sidKey] = [$this->getConvertedSid(
+                Arr::first($attributes[$this->sidKey])
+            )];
+        }
+
+        return $attributes;
+    }
+
+    /**
+     * Convert the attributes from JSON serialization.
+     *
+     * @param  array  $attributes
+     * @return array
+     */
+    protected function convertAttributesFromJson(array $attributes = [])
+    {
+        $attributes = parent::convertAttributesFromJson($attributes);
+
+        // Here we are converting the model's GUID and SID attributes
+        // back to their original values from serialization, so that
+        // their original value may be used and compared against.
+        if (isset($attributes[$this->guidKey])) {
+            $attributes[$this->guidKey] = [$this->getBinaryGuid(
+                Arr::first($attributes[$this->guidKey])
+            )];
+        }
+
+        if (isset($attributes[$this->sidKey])) {
+            $attributes[$this->sidKey] = [$this->getBinarySid(
+                Arr::first($attributes[$this->sidKey])
+            )];
         }
 
         return $attributes;
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Relations/HasOnePrimaryGroup.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Relations/HasOnePrimaryGroup.php
index 540ec7717..40350c97a 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Relations/HasOnePrimaryGroup.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Relations/HasOnePrimaryGroup.php
@@ -10,8 +10,7 @@ class HasOnePrimaryGroup extends HasOne
     /**
      * Get the foreign model by the given value.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return Model|null
      */
     protected function getForeignModelByValue($value)
@@ -26,8 +25,7 @@ class HasOnePrimaryGroup extends HasOne
      *
      * Retrieves the last RID from the models Object SID.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return string
      */
     protected function getForeignValueFromModel(Model $model)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/HasServerRoleAttribute.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/HasServerRoleAttribute.php
index cd08648da..76df79ca3 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/HasServerRoleAttribute.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/HasServerRoleAttribute.php
@@ -11,9 +11,8 @@ class HasServerRoleAttribute implements Scope
     /**
      * Includes condition of having a serverRole attribute.
      *
-     * @param Builder $query
-     * @param Model   $model
-     *
+     * @param  Builder  $query
+     * @param  Model  $model
      * @return void
      */
     public function apply(Builder $query, Model $model)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/InConfigurationContext.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/InConfigurationContext.php
index 9f2fbe4d7..dc8a4d21b 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/InConfigurationContext.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/InConfigurationContext.php
@@ -12,9 +12,8 @@ class InConfigurationContext implements Scope
     /**
      * Refines the base dn to be inside the configuration context.
      *
-     * @param Builder $query
-     * @param Model   $model
-     *
+     * @param  Builder  $query
+     * @param  Model  $model
      * @return void
      *
      * @throws \LdapRecord\Models\ModelNotFoundException
@@ -27,8 +26,7 @@ class InConfigurationContext implements Scope
     /**
      * Get the LDAP server configuration naming context distinguished name.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return mixed
      *
      * @throws \LdapRecord\Models\ModelNotFoundException
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/RejectComputerObjectClass.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/RejectComputerObjectClass.php
index a616db1c0..9d00cf8fa 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/RejectComputerObjectClass.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/Scopes/RejectComputerObjectClass.php
@@ -11,9 +11,8 @@ class RejectComputerObjectClass implements Scope
     /**
      * Prevent computer objects from being included in results.
      *
-     * @param Builder $query
-     * @param Model   $model
-     *
+     * @param  Builder  $query
+     * @param  Model  $model
      * @return void
      */
     public function apply(Builder $query, Model $model)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/User.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/User.php
index b735b03b2..c2ea0325d 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/User.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ActiveDirectory/User.php
@@ -6,6 +6,7 @@ use Carbon\Carbon;
 use Illuminate\Contracts\Auth\Authenticatable;
 use LdapRecord\Models\ActiveDirectory\Concerns\HasPrimaryGroup;
 use LdapRecord\Models\ActiveDirectory\Scopes\RejectComputerObjectClass;
+use LdapRecord\Models\Attributes\AccountControl;
 use LdapRecord\Models\Concerns\CanAuthenticate;
 use LdapRecord\Models\Concerns\HasPassword;
 use LdapRecord\Query\Model\Builder;
@@ -71,6 +72,38 @@ class User extends Entry implements Authenticatable
         static::addGlobalScope(new RejectComputerObjectClass());
     }
 
+    /**
+     * Determine if the user's account is enabled.
+     *
+     * @return bool
+     */
+    public function isEnabled()
+    {
+        return ! $this->isDisabled();
+    }
+
+    /**
+     * Determine if the user's account is disabled.
+     *
+     * @return bool
+     */
+    public function isDisabled()
+    {
+        return $this->accountControl()->has(AccountControl::ACCOUNTDISABLE);
+    }
+
+    /**
+     * Get the user's account control.
+     *
+     * @return AccountControl
+     */
+    public function accountControl()
+    {
+        return new AccountControl(
+            $this->getFirstAttribute('userAccountControl')
+        );
+    }
+
     /**
      * The groups relationship.
      *
@@ -110,8 +143,7 @@ class User extends Entry implements Authenticatable
     /**
      * Scopes the query to exchange mailbox users.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return Builder
      */
     public function scopeWhereHasMailbox(Builder $query)
@@ -122,8 +154,7 @@ class User extends Entry implements Authenticatable
     /**
      * Scopes the query to users having a lockout value set.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return Builder
      */
     public function scopeWhereHasLockout(Builder $query)
@@ -137,9 +168,8 @@ class User extends Entry implements Authenticatable
      * @see https://ldapwiki.com/wiki/Active%20Directory%20Account%20Lockout
      * @see https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration
      *
-     * @param string|int $localTimezone
-     * @param int|null   $durationInMinutes
-     *
+     * @param  string|int  $localTimezone
+     * @param  int|null  $durationInMinutes
      * @return bool
      */
     public function isLockedOut($localTimezone, $durationInMinutes = null)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/AccountControl.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/AccountControl.php
index 7e2414629..45fae214d 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/AccountControl.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/AccountControl.php
@@ -6,49 +6,49 @@ use ReflectionClass;
 
 class AccountControl
 {
-    const SCRIPT = 1;
+    public const SCRIPT = 1;
 
-    const ACCOUNTDISABLE = 2;
+    public const ACCOUNTDISABLE = 2;
 
-    const HOMEDIR_REQUIRED = 8;
+    public const HOMEDIR_REQUIRED = 8;
 
-    const LOCKOUT = 16;
+    public const LOCKOUT = 16;
 
-    const PASSWD_NOTREQD = 32;
+    public const PASSWD_NOTREQD = 32;
 
-    const PASSWD_CANT_CHANGE = 64;
+    public const PASSWD_CANT_CHANGE = 64;
 
-    const ENCRYPTED_TEXT_PWD_ALLOWED = 128;
+    public const ENCRYPTED_TEXT_PWD_ALLOWED = 128;
 
-    const TEMP_DUPLICATE_ACCOUNT = 256;
+    public const TEMP_DUPLICATE_ACCOUNT = 256;
 
-    const NORMAL_ACCOUNT = 512;
+    public const NORMAL_ACCOUNT = 512;
 
-    const INTERDOMAIN_TRUST_ACCOUNT = 2048;
+    public const INTERDOMAIN_TRUST_ACCOUNT = 2048;
 
-    const WORKSTATION_TRUST_ACCOUNT = 4096;
+    public const WORKSTATION_TRUST_ACCOUNT = 4096;
 
-    const SERVER_TRUST_ACCOUNT = 8192;
+    public const SERVER_TRUST_ACCOUNT = 8192;
 
-    const DONT_EXPIRE_PASSWORD = 65536;
+    public const DONT_EXPIRE_PASSWORD = 65536;
 
-    const MNS_LOGON_ACCOUNT = 131072;
+    public const MNS_LOGON_ACCOUNT = 131072;
 
-    const SMARTCARD_REQUIRED = 262144;
+    public const SMARTCARD_REQUIRED = 262144;
 
-    const TRUSTED_FOR_DELEGATION = 524288;
+    public const TRUSTED_FOR_DELEGATION = 524288;
 
-    const NOT_DELEGATED = 1048576;
+    public const NOT_DELEGATED = 1048576;
 
-    const USE_DES_KEY_ONLY = 2097152;
+    public const USE_DES_KEY_ONLY = 2097152;
 
-    const DONT_REQ_PREAUTH = 4194304;
+    public const DONT_REQ_PREAUTH = 4194304;
 
-    const PASSWORD_EXPIRED = 8388608;
+    public const PASSWORD_EXPIRED = 8388608;
 
-    const TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216;
+    public const TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216;
 
-    const PARTIAL_SECRETS_ACCOUNT = 67108864;
+    public const PARTIAL_SECRETS_ACCOUNT = 67108864;
 
     /**
      * The account control flag values.
@@ -60,7 +60,7 @@ class AccountControl
     /**
      * Constructor.
      *
-     * @param ?int $flag
+     * @param  ?int  $flag
      */
     public function __construct($flag = null)
     {
@@ -92,8 +92,7 @@ class AccountControl
     /**
      * Add the flag to the account control values.
      *
-     * @param int $flag
-     *
+     * @param  int  $flag
      * @return $this
      */
     public function add($flag)
@@ -108,8 +107,7 @@ class AccountControl
     /**
      * Remove the flag from the account control.
      *
-     * @param int $flag
-     *
+     * @param  int  $flag
      * @return $this
      */
     public function remove($flag)
@@ -122,8 +120,7 @@ class AccountControl
     /**
      * Extract and apply the flag.
      *
-     * @param int $flag
-     *
+     * @param  int  $flag
      * @return void
      */
     public function apply($flag)
@@ -134,8 +131,7 @@ class AccountControl
     /**
      * Determine if the account control contains the given UAC flag(s).
      *
-     * @param int $flag
-     *
+     * @param  int  $flag
      * @return bool
      */
     public function has($flag)
@@ -154,8 +150,7 @@ class AccountControl
     /**
      * Determine if the account control does not contain the given UAC flag(s).
      *
-     * @param int $flag
-     *
+     * @param  int  $flag
      * @return bool
      */
     public function doesntHave($flag)
@@ -441,8 +436,7 @@ class AccountControl
     /**
      * Set the account control values.
      *
-     * @param array<int, int> $flags
-     *
+     * @param  array<int, int>  $flags
      * @return void
      */
     public function setValues(array $flags)
@@ -483,8 +477,7 @@ class AccountControl
     /**
      * Extracts the given flag into an array of flags used.
      *
-     * @param int $flag
-     *
+     * @param  int  $flag
      * @return array
      */
     public function extractFlags($flag)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedName.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedName.php
index c6977a8e8..fc981299a 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedName.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedName.php
@@ -19,7 +19,7 @@ class DistinguishedName
     /**
      * Constructor.
      *
-     * @param string|null $value
+     * @param  string|null  $value
      */
     public function __construct($value = null)
     {
@@ -39,8 +39,7 @@ class DistinguishedName
     /**
      * Alias of the "build" method.
      *
-     * @param string|null $value
-     *
+     * @param  string|null  $value
      * @return DistinguishedNameBuilder
      */
     public static function of($value = null)
@@ -51,8 +50,7 @@ class DistinguishedName
     /**
      * Get a new DN builder object from the given DN.
      *
-     * @param string|null $value
-     *
+     * @param  string|null  $value
      * @return DistinguishedNameBuilder
      */
     public static function build($value = null)
@@ -63,8 +61,7 @@ class DistinguishedName
     /**
      * Make a new distinguished name instance.
      *
-     * @param string|null $value
-     *
+     * @param  string|null  $value
      * @return static
      */
     public static function make($value = null)
@@ -75,8 +72,7 @@ class DistinguishedName
     /**
      * Determine if the given value is a valid distinguished name.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return bool
      */
     public static function isValid($value)
@@ -87,8 +83,7 @@ class DistinguishedName
     /**
      * Explode a distinguished name into relative distinguished names.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return array
      */
     public static function explode($dn)
@@ -111,8 +106,7 @@ class DistinguishedName
     /**
      * Un-escapes a hexadecimal string into its original string representation.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return string
      */
     public static function unescape($value)
@@ -125,8 +119,7 @@ class DistinguishedName
     /**
      * Explode the RDN into an attribute and value.
      *
-     * @param string $rdn
-     *
+     * @param  string  $rdn
      * @return array
      */
     public static function explodeRdn($rdn)
@@ -137,8 +130,7 @@ class DistinguishedName
     /**
      * Implode the component attribute and value into an RDN.
      *
-     * @param string $rdn
-     *
+     * @param  string  $rdn
      * @return string
      */
     public static function makeRdn(array $component)
@@ -159,8 +151,7 @@ class DistinguishedName
     /**
      * Set the underlying value.
      *
-     * @param string|null $value
-     *
+     * @param  string|null  $value
      * @return $this
      */
     public function set($value)
@@ -337,8 +328,7 @@ class DistinguishedName
     /**
      * Determine if the current distinguished name is a parent of the given child.
      *
-     * @param DistinguishedName $child
-     *
+     * @param  DistinguishedName  $child
      * @return bool
      */
     public function isParentOf(self $child)
@@ -349,8 +339,7 @@ class DistinguishedName
     /**
      * Determine if the current distinguished name is a child of the given parent.
      *
-     * @param DistinguishedName $parent
-     *
+     * @param  DistinguishedName  $parent
      * @return bool
      */
     public function isChildOf(self $parent)
@@ -370,8 +359,7 @@ class DistinguishedName
     /**
      * Determine if the current distinguished name is an ancestor of the descendant.
      *
-     * @param DistinguishedName $descendant
-     *
+     * @param  DistinguishedName  $descendant
      * @return bool
      */
     public function isAncestorOf(self $descendant)
@@ -382,8 +370,7 @@ class DistinguishedName
     /**
      * Determine if the current distinguished name is a descendant of the ancestor.
      *
-     * @param DistinguishedName $ancestor
-     *
+     * @param  DistinguishedName  $ancestor
      * @return bool
      */
     public function isDescendantOf(self $ancestor)
@@ -407,9 +394,8 @@ class DistinguishedName
     /**
      * Compare whether the two distinguished name values are equal.
      *
-     * @param array $values
-     * @param array $other
-     *
+     * @param  array  $values
+     * @param  array  $other
      * @return bool
      */
     protected function compare(array $values, array $other)
@@ -420,8 +406,7 @@ class DistinguishedName
     /**
      * Recase the array values.
      *
-     * @param array $values
-     *
+     * @param  array  $values
      * @return array
      */
     protected function recase(array $values)
@@ -432,8 +417,7 @@ class DistinguishedName
     /**
      * Normalize the string value.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return string
      */
     protected function normalize($value)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedNameBuilder.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedNameBuilder.php
index 601902bf7..a0d84d828 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedNameBuilder.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/DistinguishedNameBuilder.php
@@ -26,7 +26,7 @@ class DistinguishedNameBuilder
     /**
      * Constructor.
      *
-     * @param string|null $value
+     * @param  string|null  $value
      */
     public function __construct($dn = null)
     {
@@ -38,9 +38,8 @@ class DistinguishedNameBuilder
     /**
      * Forward missing method calls onto the Distinguished Name object.
      *
-     * @param string $method
-     * @param array  $args
-     *
+     * @param  string  $method
+     * @param  array  $args
      * @return mixed
      */
     public function __call($method, $args)
@@ -61,9 +60,8 @@ class DistinguishedNameBuilder
     /**
      * Prepend an RDN onto the DN.
      *
-     * @param string|array $attribute
-     * @param string|null  $value
-     *
+     * @param  string|array  $attribute
+     * @param  string|null  $value
      * @return $this
      */
     public function prepend($attribute, $value = null)
@@ -79,9 +77,8 @@ class DistinguishedNameBuilder
     /**
      * Append an RDN onto the DN.
      *
-     * @param string|array $attribute
-     * @param string|null  $value
-     *
+     * @param  string|array  $attribute
+     * @param  string|null  $value
      * @return $this
      */
     public function append($attribute, $value = null)
@@ -97,9 +94,8 @@ class DistinguishedNameBuilder
     /**
      * Componentize the attribute and value.
      *
-     * @param string|array $attribute
-     * @param string|null  $value
-     *
+     * @param  string|array  $attribute
+     * @param  string|null  $value
      * @return array
      */
     protected function componentize($attribute, $value = null)
@@ -125,8 +121,7 @@ class DistinguishedNameBuilder
     /**
      * Make a componentized array by exploding the value if it's a string.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return array
      */
     protected function makeComponentizedArray($value)
@@ -137,9 +132,8 @@ class DistinguishedNameBuilder
     /**
      * Make an appendable component array from the attribute and value.
      *
-     * @param string|array $attribute
-     * @param string|null  $value
-     *
+     * @param  string|array  $attribute
+     * @param  string|null  $value
      * @return array
      */
     protected function makeAppendableComponent($attribute, $value = null)
@@ -150,9 +144,8 @@ class DistinguishedNameBuilder
     /**
      * Pop an RDN off of the end of the DN.
      *
-     * @param int   $amount
-     * @param array $removed
-     *
+     * @param  int  $amount
+     * @param  array  $removed
      * @return $this
      */
     public function pop($amount = 1, &$removed = [])
@@ -167,9 +160,8 @@ class DistinguishedNameBuilder
     /**
      * Shift an RDN off of the beginning of the DN.
      *
-     * @param int   $amount
-     * @param array $removed
-     *
+     * @param  int  $amount
+     * @param  array  $removed
      * @return $this
      */
     public function shift($amount = 1, &$removed = [])
@@ -196,8 +188,7 @@ class DistinguishedNameBuilder
     /**
      * Get the components of the DN.
      *
-     * @param null|string $type
-     *
+     * @param  null|string  $type
      * @return array
      */
     public function components($type = null)
@@ -210,8 +201,7 @@ class DistinguishedNameBuilder
     /**
      * Get the components of a particular type.
      *
-     * @param string $type
-     *
+     * @param  string  $type
      * @return array
      */
     protected function componentsOfType($type)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/EscapedValue.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/EscapedValue.php
index 2f6111297..3c9d4db0a 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/EscapedValue.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/EscapedValue.php
@@ -28,9 +28,9 @@ class EscapedValue
     /**
      * Constructor.
      *
-     * @param string $value
-     * @param string $ignore
-     * @param int    $flags
+     * @param  string  $value
+     * @param  string  $ignore
+     * @param  int  $flags
      */
     public function __construct($value, $ignore = '', $flags = 0)
     {
@@ -72,8 +72,7 @@ class EscapedValue
     /**
      * Set the characters to exclude from being escaped.
      *
-     * @param string $characters
-     *
+     * @param  string  $characters
      * @return $this
      */
     public function ignore($characters)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Guid.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Guid.php
index d139f5f86..e04b5cd3f 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Guid.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Guid.php
@@ -50,8 +50,7 @@ class Guid
     /**
      * Determines if the specified GUID is valid.
      *
-     * @param string $guid
-     *
+     * @param  string  $guid
      * @return bool
      */
     public static function isValid($guid)
@@ -62,7 +61,7 @@ class Guid
     /**
      * Constructor.
      *
-     * @param mixed $value
+     * @param  mixed  $value
      *
      * @throws InvalidArgumentException
      */
@@ -128,8 +127,7 @@ class Guid
     /**
      * Returns the string variant of a binary GUID.
      *
-     * @param string $binary
-     *
+     * @param  string  $binary
      * @return string|null
      */
     protected function binaryGuidToString($binary)
@@ -144,10 +142,9 @@ class Guid
      *
      * @see https://github.com/ldaptools/ldaptools
      *
-     * @param string $hex      The full hex string.
-     * @param array  $sections An array of start and length (unless octet is true, then length is always 2).
-     * @param bool   $octet    Whether this is for octet string form.
-     *
+     * @param  string  $hex  The full hex string.
+     * @param  array  $sections  An array of start and length (unless octet is true, then length is always 2).
+     * @param  bool  $octet  Whether this is for octet string form.
      * @return string The concatenated sections in upper-case.
      */
     protected function parseSection($hex, array $sections, $octet = false)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/MbString.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/MbString.php
index 672e60df1..72d4c6f48 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/MbString.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/MbString.php
@@ -7,8 +7,7 @@ class MbString
     /**
      * Get the integer value of a specific character.
      *
-     * @param $string
-     *
+     * @param  $string
      * @return int
      */
     public static function ord($string)
@@ -27,8 +26,7 @@ class MbString
     /**
      * Get the character for a specific integer value.
      *
-     * @param $int
-     *
+     * @param  $int
      * @return string
      */
     public static function chr($int)
@@ -43,8 +41,7 @@ class MbString
     /**
      * Split a string into its individual characters and return it as an array.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return string[]
      */
     public static function split($value)
@@ -55,8 +52,7 @@ class MbString
     /**
      * Detects if the given string is UTF 8.
      *
-     * @param $string
-     *
+     * @param  $string
      * @return string|false
      */
     public static function isUtf8($string)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Password.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Password.php
index 644f0a8d3..d7047a375 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Password.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Password.php
@@ -8,15 +8,14 @@ use ReflectionMethod;
 
 class Password
 {
-    const CRYPT_SALT_TYPE_MD5 = 1;
-    const CRYPT_SALT_TYPE_SHA256 = 5;
-    const CRYPT_SALT_TYPE_SHA512 = 6;
+    public const CRYPT_SALT_TYPE_MD5 = 1;
+    public const CRYPT_SALT_TYPE_SHA256 = 5;
+    public const CRYPT_SALT_TYPE_SHA512 = 6;
 
     /**
      * Make an encoded password for transmission over LDAP.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string
      */
     public static function encode($password)
@@ -27,9 +26,8 @@ class Password
     /**
      * Make a salted md5 password.
      *
-     * @param string      $password
-     * @param null|string $salt
-     *
+     * @param  string  $password
+     * @param  null|string  $salt
      * @return string
      */
     public static function smd5($password, $salt = null)
@@ -40,9 +38,8 @@ class Password
     /**
      * Make a salted SHA password.
      *
-     * @param string      $password
-     * @param null|string $salt
-     *
+     * @param  string  $password
+     * @param  null|string  $salt
      * @return string
      */
     public static function ssha($password, $salt = null)
@@ -53,9 +50,8 @@ class Password
     /**
      * Make a salted SSHA256 password.
      *
-     * @param string      $password
-     * @param null|string $salt
-     *
+     * @param  string  $password
+     * @param  null|string  $salt
      * @return string
      */
     public static function ssha256($password, $salt = null)
@@ -66,9 +62,8 @@ class Password
     /**
      * Make a salted SSHA384 password.
      *
-     * @param string      $password
-     * @param null|string $salt
-     *
+     * @param  string  $password
+     * @param  null|string  $salt
      * @return string
      */
     public static function ssha384($password, $salt = null)
@@ -79,9 +74,8 @@ class Password
     /**
      * Make a salted SSHA512 password.
      *
-     * @param string      $password
-     * @param null|string $salt
-     *
+     * @param  string  $password
+     * @param  null|string  $salt
      * @return string
      */
     public static function ssha512($password, $salt = null)
@@ -92,8 +86,7 @@ class Password
     /**
      * Make a non-salted SHA password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string
      */
     public static function sha($password)
@@ -104,8 +97,7 @@ class Password
     /**
      * Make a non-salted SHA256 password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string
      */
     public static function sha256($password)
@@ -116,8 +108,7 @@ class Password
     /**
      * Make a non-salted SHA384 password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string
      */
     public static function sha384($password)
@@ -128,8 +119,7 @@ class Password
     /**
      * Make a non-salted SHA512 password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string
      */
     public static function sha512($password)
@@ -140,8 +130,7 @@ class Password
     /**
      * Make a non-salted md5 password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string
      */
     public static function md5($password)
@@ -149,12 +138,22 @@ class Password
         return '{MD5}'.static::makeHash($password, 'md5');
     }
 
+    /**
+     * Make a non-salted NThash password.
+     *
+     * @param  string  $password
+     * @return string
+     */
+    public static function nthash($password)
+    {
+        return '{NTHASH}'.strtoupper(hash('md4', iconv('UTF-8', 'UTF-16LE', $password)));
+    }
+
     /**
      * Crypt password with an MD5 salt.
      *
-     * @param string $password
-     * @param string $salt
-     *
+     * @param  string  $password
+     * @param  string  $salt
      * @return string
      */
     public static function md5Crypt($password, $salt = null)
@@ -165,9 +164,8 @@ class Password
     /**
      * Crypt password with a SHA256 salt.
      *
-     * @param string $password
-     * @param string $salt
-     *
+     * @param  string  $password
+     * @param  string  $salt
      * @return string
      */
     public static function sha256Crypt($password, $salt = null)
@@ -178,9 +176,8 @@ class Password
     /**
      * Crypt a password with a SHA512 salt.
      *
-     * @param string $password
-     * @param string $salt
-     *
+     * @param  string  $password
+     * @param  string  $salt
      * @return string
      */
     public static function sha512Crypt($password, $salt = null)
@@ -191,11 +188,10 @@ class Password
     /**
      * Make a new password hash.
      *
-     * @param string      $password The password to make a hash of.
-     * @param string      $method   The hash function to use.
-     * @param string|null $algo     The algorithm to use for hashing.
-     * @param string|null $salt     The salt to append onto the hash.
-     *
+     * @param  string  $password  The password to make a hash of.
+     * @param  string  $method  The hash function to use.
+     * @param  string|null  $algo  The algorithm to use for hashing.
+     * @param  string|null  $salt  The salt to append onto the hash.
      * @return string
      */
     protected static function makeHash($password, $method, $algo = null, $salt = null)
@@ -208,10 +204,9 @@ class Password
     /**
      * Make a hashed password.
      *
-     * @param string      $password
-     * @param int         $type
-     * @param null|string $salt
-     *
+     * @param  string  $password
+     * @param  int  $type
+     * @param  null|string  $salt
      * @return string
      */
     protected static function makeCrypt($password, $type, $salt = null)
@@ -222,8 +217,7 @@ class Password
     /**
      * Make a salt for the crypt() method using the given type.
      *
-     * @param int $type
-     *
+     * @param  int  $type
      * @return string
      */
     protected static function makeCryptSalt($type)
@@ -242,8 +236,7 @@ class Password
     /**
      * Determine the crypt prefix and length.
      *
-     * @param int $type
-     *
+     * @param  int  $type
      * @return array
      *
      * @throws InvalidArgumentException
@@ -265,8 +258,7 @@ class Password
     /**
      * Attempt to retrieve the hash method used for the password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return string|void
      */
     public static function getHashMethod($password)
@@ -281,8 +273,7 @@ class Password
     /**
      * Attempt to retrieve the hash method and algorithm used for the password.
      *
-     * @param string $password
-     *
+     * @param  string  $password
      * @return array|void
      */
     public static function getHashMethodAndAlgo($password)
@@ -319,8 +310,7 @@ class Password
     /**
      * Determine if the hash method requires a salt to be given.
      *
-     * @param string $method
-     *
+     * @param  string  $method
      * @return bool
      *
      * @throws \ReflectionException
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Sid.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Sid.php
index 4ec46ea71..7760453ce 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Sid.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Sid.php
@@ -17,8 +17,7 @@ class Sid
     /**
      * Determines if the specified SID is valid.
      *
-     * @param string $sid
-     *
+     * @param  string  $sid
      * @return bool
      */
     public static function isValid($sid)
@@ -29,7 +28,7 @@ class Sid
     /**
      * Constructor.
      *
-     * @param mixed $value
+     * @param  mixed  $value
      *
      * @throws InvalidArgumentException
      */
@@ -90,8 +89,7 @@ class Sid
     /**
      * Returns the string variant of a binary SID.
      *
-     * @param string $binary
-     *
+     * @param  string  $binary
      * @return string|null
      */
     protected function binarySidToString($binary)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSProperty.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSProperty.php
index ad56aa130..499579f82 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSProperty.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSProperty.php
@@ -7,7 +7,7 @@ class TSProperty
     /**
      * Nibble control values. The first value for each is if the nibble is <= 9, otherwise the second value is used.
      */
-    const NIBBLE_CONTROL = [
+    public const NIBBLE_CONTROL = [
         'X' => ['001011', '011010'],
         'Y' => ['001110', '011010'],
     ];
@@ -15,12 +15,12 @@ class TSProperty
     /**
      * The nibble header.
      */
-    const NIBBLE_HEADER = '1110';
+    public const NIBBLE_HEADER = '1110';
 
     /**
      * Conversion factor needed for time values in the TSPropertyArray (stored in microseconds).
      */
-    const TIME_CONVERSION = 60 * 1000;
+    public const TIME_CONVERSION = 60 * 1000;
 
     /**
      * A simple map to help determine how the property needs to be decoded/encoded from/to its binary value.
@@ -85,7 +85,7 @@ class TSProperty
     /**
      * Pass binary TSProperty data to construct its object representation.
      *
-     * @param string|null $value
+     * @param  string|null  $value
      */
     public function __construct($value = null)
     {
@@ -97,8 +97,7 @@ class TSProperty
     /**
      * Set the name for the TSProperty.
      *
-     * @param string $name
-     *
+     * @param  string  $name
      * @return TSProperty
      */
     public function setName($name)
@@ -121,8 +120,7 @@ class TSProperty
     /**
      * Set the value for the TSProperty.
      *
-     * @param string|int $value
-     *
+     * @param  string|int  $value
      * @return TSProperty
      */
     public function setValue($value)
@@ -169,7 +167,7 @@ class TSProperty
     /**
      * Given a TSProperty blob, decode the name/value/type/etc.
      *
-     * @param string $tsProperty
+     * @param  string  $tsProperty
      */
     protected function decode($tsProperty)
     {
@@ -186,9 +184,8 @@ class TSProperty
     /**
      * Based on the property name/value in question, get its encoded form.
      *
-     * @param string     $propName
-     * @param string|int $propValue
-     *
+     * @param  string  $propName
+     * @param  string|int  $propValue
      * @return string
      */
     protected function getEncodedValueForProp($propName, $propValue)
@@ -210,9 +207,8 @@ class TSProperty
     /**
      * Based on the property name in question, get its actual value from the binary blob value.
      *
-     * @param string $propName
-     * @param string $propValue
-     *
+     * @param  string  $propName
+     * @param  string  $propValue
      * @return string|int
      */
     protected function getDecodedValueForProp($propName, $propValue)
@@ -238,9 +234,8 @@ class TSProperty
      * Decode the property by inspecting the nibbles of each blob, checking
      * the control, and adding up the results into a final value.
      *
-     * @param string $hex
-     * @param bool   $string Whether or not this is simple string data.
-     *
+     * @param  string  $hex
+     * @param  bool  $string  Whether or not this is simple string data.
      * @return string
      */
     protected function decodePropValue($hex, $string = false)
@@ -272,9 +267,8 @@ class TSProperty
     /**
      * Get the encoded property value as a binary blob.
      *
-     * @param string $value
-     * @param bool   $string
-     *
+     * @param  string  $value
+     * @param  bool  $string
      * @return string
      */
     protected function encodePropValue($value, $string = false)
@@ -314,9 +308,8 @@ class TSProperty
      * a workaround that turns a literal bit-string into a
      * packed byte-string with 8 bits per byte.
      *
-     * @param string $bits
-     * @param bool   $len
-     *
+     * @param  string  $bits
+     * @param  bool  $len
      * @return string
      */
     protected function packBitString($bits, $len)
@@ -337,9 +330,8 @@ class TSProperty
     /**
      * Based on the control, adjust the nibble accordingly.
      *
-     * @param string $nibble
-     * @param string $control
-     *
+     * @param  string  $nibble
+     * @param  string  $control
      * @return string
      */
     protected function nibbleControl($nibble, $control)
@@ -362,9 +354,8 @@ class TSProperty
      * the control for X or Y equals 011010. Additionally, if the dec value of the nibble is > 9, then the nibble value
      * must be subtracted by 9 before the final value is constructed.
      *
-     * @param string $nibbleType Either X or Y
-     * @param string $nibble
-     *
+     * @param  string  $nibbleType  Either X or Y
+     * @param  string  $nibble
      * @return string
      */
     protected function getNibbleWithControl($nibbleType, $nibble)
@@ -384,9 +375,8 @@ class TSProperty
     /**
      * Need to make sure hex values are always an even length, so pad as needed.
      *
-     * @param int $int
-     * @param int $padLength The hex string must be padded to this length (with zeros).
-     *
+     * @param  int  $int
+     * @param  int  $padLength  The hex string must be padded to this length (with zeros).
      * @return string
      */
     protected function dec2hex($int, $padLength = 2)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSPropertyArray.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSPropertyArray.php
index 18316888f..8320dd8ed 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSPropertyArray.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/TSPropertyArray.php
@@ -9,14 +9,14 @@ class TSPropertyArray
     /**
      * Represents that the TSPropertyArray data is valid.
      */
-    const VALID_SIGNATURE = 'P';
+    public const VALID_SIGNATURE = 'P';
 
     /**
      * The default values for the TSPropertyArray structure.
      *
      * @var array
      */
-    const DEFAULTS = [
+    public const DEFAULTS = [
         'CtxCfgPresent' => 2953518677,
         'CtxWFProfilePath' => '',
         'CtxWFProfilePathW' => '',
@@ -71,7 +71,7 @@ class TSPropertyArray
      *   - Pass the userParameters binary value. The object representation of that will be decoded and constructed.
      *   - Pass nothing and a default set of TSProperty key => value pairs will be used (See DEFAULTS constant).
      *
-     * @param mixed $tsPropertyArray
+     * @param  mixed  $tsPropertyArray
      */
     public function __construct($tsPropertyArray = null)
     {
@@ -93,8 +93,7 @@ class TSPropertyArray
     /**
      * Check if a specific TSProperty exists by its property name.
      *
-     * @param string $propName
-     *
+     * @param  string  $propName
      * @return bool
      */
     public function has($propName)
@@ -105,8 +104,7 @@ class TSPropertyArray
     /**
      * Get a TSProperty object by its property name (ie. CtxWFProfilePath).
      *
-     * @param string $propName
-     *
+     * @param  string  $propName
      * @return TSProperty
      */
     public function get($propName)
@@ -119,8 +117,7 @@ class TSPropertyArray
     /**
      * Add a TSProperty object. If it already exists, it will be overwritten.
      *
-     * @param TSProperty $tsProperty
-     *
+     * @param  TSProperty  $tsProperty
      * @return $this
      */
     public function add(TSProperty $tsProperty)
@@ -133,8 +130,7 @@ class TSPropertyArray
     /**
      * Remove a TSProperty by its property name (ie. CtxMinEncryptionLevel).
      *
-     * @param string $propName
-     *
+     * @param  string  $propName
      * @return $this
      */
     public function remove($propName)
@@ -151,9 +147,8 @@ class TSPropertyArray
     /**
      * Set the value for a specific TSProperty by its name.
      *
-     * @param string $propName
-     * @param mixed  $propValue
-     *
+     * @param  string  $propName
+     * @param  mixed  $propValue
      * @return $this
      */
     public function set($propName, $propValue)
@@ -214,7 +209,7 @@ class TSPropertyArray
     /**
      * Validates that the given property name exists.
      *
-     * @param string $propName
+     * @param  string  $propName
      */
     protected function validateProp($propName)
     {
@@ -224,8 +219,7 @@ class TSPropertyArray
     }
 
     /**
-     * @param string $propName
-     *
+     * @param  string  $propName
      * @return TSProperty
      */
     protected function getTsPropObj($propName)
@@ -236,8 +230,7 @@ class TSPropertyArray
     /**
      * Get an associative array with all of the userParameters property names and values.
      *
-     * @param string $userParameters
-     *
+     * @param  string  $userParameters
      * @return void
      */
     protected function decodeUserParameters($userParameters)
@@ -260,7 +253,7 @@ class TSPropertyArray
         // Reserved data length + (count and sig length == 4) + the added lengths of the TSPropertyArray
         // This saves anything after that variable TSPropertyArray data, so as to not squash anything stored there
         if (strlen($userParameters) > (96 + 4 + $length)) {
-            $this->postBinary = hex2bin(substr($userParameters, (96 + 4 + $length)));
+            $this->postBinary = hex2bin(substr($userParameters, 96 + 4 + $length));
         }
     }
 
@@ -270,9 +263,8 @@ class TSPropertyArray
      * individual TSProperty structures. Return the full length
      * of the TSPropertyArray data.
      *
-     * @param string $tsPropertyArray
-     * @param int    $tsPropCount
-     *
+     * @param  string  $tsPropertyArray
+     * @param  int  $tsPropCount
      * @return int The length of the data in the TSPropertyArray
      */
     protected function addTSPropData($tsPropertyArray, $tsPropCount)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Timestamp.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Timestamp.php
index e5d9dc341..0f07bc5a0 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Timestamp.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Attributes/Timestamp.php
@@ -5,11 +5,14 @@ namespace LdapRecord\Models\Attributes;
 use Carbon\Carbon;
 use Carbon\CarbonInterface;
 use DateTime;
+use DateTimeZone;
 use LdapRecord\LdapRecordException;
 use LdapRecord\Utilities;
 
 class Timestamp
 {
+    public const WINDOWS_INT_MAX = 9223372036854775807;
+
     /**
      * The current timestamp type.
      *
@@ -31,7 +34,7 @@ class Timestamp
     /**
      * Constructor.
      *
-     * @param string $type
+     * @param  string  $type
      *
      * @throws LdapRecordException
      */
@@ -43,7 +46,7 @@ class Timestamp
     /**
      * Set the type of timestamp to convert from / to.
      *
-     * @param string $type
+     * @param  string  $type
      *
      * @throws LdapRecordException
      */
@@ -59,8 +62,7 @@ class Timestamp
     /**
      * Converts the value to an LDAP date string.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return float|string
      *
      * @throws LdapRecordException
@@ -107,21 +109,19 @@ class Timestamp
     /**
      * Determine if the value given is in Windows Integer (NTFS Filetime) format.
      *
-     * @param int|string $value
-     *
+     * @param  int|string  $value
      * @return bool
      */
     protected function valueIsWindowsIntegerType($value)
     {
-        return is_numeric($value) && strlen((string) $value) === 18;
+        return is_numeric($value) && in_array(strlen((string) $value), [18, 19]);
     }
 
     /**
      * Converts the LDAP timestamp value to a Carbon instance.
      *
-     * @param mixed $value
-     *
-     * @return Carbon|false
+     * @param  mixed  $value
+     * @return Carbon|int|false
      *
      * @throws LdapRecordException
      */
@@ -153,14 +153,13 @@ class Timestamp
     /**
      * Converts standard LDAP timestamps to a date time object.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return DateTime|false
      */
     protected function convertLdapTimeToDateTime($value)
     {
         return DateTime::createFromFormat(
-            strpos($value, 'Z') !== false ? 'YmdHis\Z' : 'YmdHisT',
+            str_contains((string) $value, 'Z') ? 'YmdHis\Z' : 'YmdHisT',
             $value
         );
     }
@@ -168,8 +167,7 @@ class Timestamp
     /**
      * Converts date objects to a standard LDAP timestamp.
      *
-     * @param DateTime $date
-     *
+     * @param  DateTime  $date
      * @return string
      */
     protected function convertDateTimeToLdapTime(DateTime $date)
@@ -182,23 +180,22 @@ class Timestamp
     /**
      * Converts standard windows timestamps to a date time object.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return DateTime|false
      */
     protected function convertWindowsTimeToDateTime($value)
     {
         return DateTime::createFromFormat(
-            strpos($value, '0Z') !== false ? 'YmdHis.0\Z' : 'YmdHis.0T',
-            $value
+            str_contains((string) $value, '0Z') ? 'YmdHis.0\Z' : 'YmdHis.0T',
+            $value,
+            new DateTimeZone('UTC')
         );
     }
 
     /**
      * Converts date objects to a windows timestamp.
      *
-     * @param DateTime $date
-     *
+     * @param  DateTime  $date
      * @return string
      */
     protected function convertDateTimeToWindows(DateTime $date)
@@ -211,20 +208,25 @@ class Timestamp
     /**
      * Converts standard windows integer dates to a date time object.
      *
-     * @param int $value
-     *
-     * @return DateTime|false
+     * @param  int  $value
+     * @return DateTime|int|false
      *
      * @throws \Exception
      */
     protected function convertWindowsIntegerTimeToDateTime($value)
     {
-        // ActiveDirectory dates that contain integers may return
-        // "0" when they are not set. We will validate that here.
-        if (! $value) {
+        if (is_null($value) || $value === '') {
             return false;
         }
 
+        if ($value == 0) {
+            return (int) $value;
+        }
+
+        if ($value == static::WINDOWS_INT_MAX) {
+            return (int) $value;
+        }
+
         return (new DateTime())->setTimestamp(
             Utilities::convertWindowsTimeToUnixTime($value)
         );
@@ -233,8 +235,7 @@ class Timestamp
     /**
      * Converts date objects to a windows integer timestamp.
      *
-     * @param DateTime $date
-     *
+     * @param  DateTime  $date
      * @return float
      */
     protected function convertDateTimeToWindowsInteger(DateTime $date)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/BatchModification.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/BatchModification.php
index 37f0e876b..954c58fcf 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/BatchModification.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/BatchModification.php
@@ -11,9 +11,9 @@ class BatchModification
     /**
      * The array keys to be used in batch modifications.
      */
-    const KEY_ATTRIB = 'attrib';
-    const KEY_MODTYPE = 'modtype';
-    const KEY_VALUES = 'values';
+    public const KEY_ATTRIB = 'attrib';
+    public const KEY_MODTYPE = 'modtype';
+    public const KEY_VALUES = 'values';
 
     /**
      * The attribute of the modification.
@@ -46,9 +46,9 @@ class BatchModification
     /**
      * Constructor.
      *
-     * @param string|null     $attribute
-     * @param string|int|null $type
-     * @param array           $values
+     * @param  string|null  $attribute
+     * @param  string|int|null  $type
+     * @param  array  $values
      */
     public function __construct($attribute = null, $type = null, array $values = [])
     {
@@ -60,8 +60,7 @@ class BatchModification
     /**
      * Set the original value of the attribute before modification.
      *
-     * @param array|string $original
-     *
+     * @param  array|string  $original
      * @return $this
      */
     public function setOriginal($original = [])
@@ -84,8 +83,7 @@ class BatchModification
     /**
      * Set the attribute of the modification.
      *
-     * @param string $attribute
-     *
+     * @param  string  $attribute
      * @return $this
      */
     public function setAttribute($attribute)
@@ -108,8 +106,7 @@ class BatchModification
     /**
      * Set the values of the modification.
      *
-     * @param array $values
-     *
+     * @param  array  $values
      * @return $this
      */
     public function setValues(array $values = [])
@@ -127,8 +124,7 @@ class BatchModification
     /**
      * Normalize all of the attribute values.
      *
-     * @param array|string $values
-     *
+     * @param  array|string  $values
      * @return array
      */
     protected function normalizeAttributeValues($values = [])
@@ -152,8 +148,7 @@ class BatchModification
     /**
      * Set the type of the modification.
      *
-     * @param int|null $type
-     *
+     * @param  int|null  $type
      * @return $this
      */
     public function setType($type = null)
@@ -207,7 +202,7 @@ class BatchModification
             case empty($this->original) && ! empty($this->values):
                 return $this->setType(LDAP_MODIFY_BATCH_ADD);
             default:
-               return $this->determineBatchTypeFromOriginal();
+                return $this->determineBatchTypeFromOriginal();
         }
     }
 
@@ -291,8 +286,7 @@ class BatchModification
     /**
      * Determines if the given modtype is valid.
      *
-     * @param int $type
-     *
+     * @param  int  $type
      * @return bool
      */
     protected function isValidType($type)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Collection.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Collection.php
index 850167b7e..11b4ca522 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Collection.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Collection.php
@@ -9,11 +9,22 @@ use LdapRecord\Support\Arr;
 
 class Collection extends QueryCollection
 {
+    /**
+     * Get a collection of the model's distinguished names.
+     *
+     * @return static
+     */
+    public function modelDns()
+    {
+        return $this->map(function (Model $model) {
+            return $model->getDn();
+        });
+    }
+
     /**
      * Determine if the collection contains all of the given models, or any models.
      *
-     * @param mixed $models
-     *
+     * @param  mixed  $models
      * @return bool
      */
     public function exists($models = null)
@@ -47,10 +58,9 @@ class Collection extends QueryCollection
     /**
      * Determine if any of the given models are contained in the collection.
      *
-     * @param mixed $key
-     * @param mixed $operator
-     * @param mixed $value
-     *
+     * @param  mixed  $key
+     * @param  mixed  $operator
+     * @param  mixed  $value
      * @return bool
      */
     public function contains($key, $operator = null, $value = null)
@@ -78,8 +88,7 @@ class Collection extends QueryCollection
     /**
      * Get the provided models as an array.
      *
-     * @param mixed $models
-     *
+     * @param  mixed  $models
      * @return array
      */
     protected function getArrayableModels($models = null)
@@ -92,17 +101,16 @@ class Collection extends QueryCollection
     /**
      * Compare the related model with the given.
      *
-     * @param Model|string $model
-     * @param Model        $related
-     *
+     * @param  Model|string  $model
+     * @param  Model  $related
      * @return bool
      */
     protected function compareModelWithRelated($model, $related)
     {
         if (is_string($model)) {
             return $this->isValidDn($model)
-                ? $related->getDn() == $model
-                : $related->getName() == $model;
+                ? strcasecmp($related->getDn(), $model) === 0
+                : strcasecmp($related->getName(), $model) === 0;
         }
 
         return $related->is($model);
@@ -111,8 +119,7 @@ class Collection extends QueryCollection
     /**
      * Determine if the given string is a valid distinguished name.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return bool
      */
     protected function isValidDn($dn)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/CanAuthenticate.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/CanAuthenticate.php
index 451738abe..6e8d4fb5d 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/CanAuthenticate.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/CanAuthenticate.php
@@ -2,6 +2,7 @@
 
 namespace LdapRecord\Models\Concerns;
 
+/** @mixin \LdapRecord\Models\Model */
 trait CanAuthenticate
 {
     /**
@@ -17,7 +18,7 @@ trait CanAuthenticate
     /**
      * Get the unique identifier for the user.
      *
-     * @return mixed
+     * @return string
      */
     public function getAuthIdentifier()
     {
@@ -47,8 +48,7 @@ trait CanAuthenticate
     /**
      * Set the token value for the "remember me" session.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return void
      */
     public function setRememberToken($value)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasAttributes.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasAttributes.php
index b5f333579..a3d9df7d9 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasAttributes.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasAttributes.php
@@ -74,6 +74,18 @@ trait HasAttributes
      */
     protected static $mutatorCache = [];
 
+    /**
+     * Convert the model's original attributes to an array.
+     *
+     * @return array
+     */
+    public function originalToArray()
+    {
+        return $this->encodeAttributes(
+            $this->convertAttributesForJson($this->original)
+        );
+    }
+
     /**
      * Convert the model's attributes to an array.
      *
@@ -111,11 +123,38 @@ trait HasAttributes
         return $this->encodeAttributes($attributes);
     }
 
+    /**
+     * Convert the model's serialized original attributes to their original form.
+     *
+     * @param  array  $attributes
+     * @return array
+     */
+    public function arrayToOriginal(array $attributes)
+    {
+        return $this->decodeAttributes(
+            $this->convertAttributesFromJson($attributes)
+        );
+    }
+
+    /**
+     * Convert the model's serialized attributes to their original form.
+     *
+     * @param  array  $attributes
+     * @return array
+     */
+    public function arrayToAttributes(array $attributes)
+    {
+        $attributes = $this->restoreDateAttributesFromArray($attributes);
+
+        return $this->decodeAttributes(
+            $this->convertAttributesFromJson($attributes)
+        );
+    }
+
     /**
      * Add the date attributes to the attributes array.
      *
-     * @param array $attributes
-     *
+     * @param  array  $attributes
      * @return array
      */
     protected function addDateAttributesToArray(array $attributes)
@@ -135,11 +174,31 @@ trait HasAttributes
         return $attributes;
     }
 
+    /**
+     * Restore the date attributes to their true value from serialized attributes.
+     *
+     * @param  array  $attributes
+     * @return array
+     */
+    protected function restoreDateAttributesFromArray(array $attributes)
+    {
+        foreach ($this->getDates() as $attribute => $type) {
+            if (! isset($attributes[$attribute])) {
+                continue;
+            }
+
+            $date = $this->fromDateTime($type, $attributes[$attribute]);
+
+            $attributes[$attribute] = Arr::wrap($date);
+        }
+
+        return $attributes;
+    }
+
     /**
      * Prepare a date for array / JSON serialization.
      *
-     * @param DateTimeInterface $date
-     *
+     * @param  DateTimeInterface  $date
      * @return string
      */
     protected function serializeDate(DateTimeInterface $date)
@@ -162,10 +221,24 @@ trait HasAttributes
     }
 
     /**
-     * Encode the given value for proper serialization.
+     * Recursively UTF-8 decode the given attributes.
      *
-     * @param string $value
+     * @param  array  $attributes
+     * @return array
+     */
+    public function decodeAttributes($attributes)
+    {
+        array_walk_recursive($attributes, function (&$value) {
+            $value = $this->decodeValue($value);
+        });
+
+        return $attributes;
+    }
+
+    /**
+     * Encode the value for serialization.
      *
+     * @param  string  $value
      * @return string
      */
     protected function encodeValue($value)
@@ -173,15 +246,33 @@ trait HasAttributes
         // If we are able to detect the encoding, we will
         // encode only the attributes that need to be,
         // so that we do not double encode values.
-        return MbString::isLoaded() && MbString::isUtf8($value) ? $value : utf8_encode($value);
+        if (MbString::isLoaded() && MbString::isUtf8($value)) {
+            return $value;
+        }
+
+        return utf8_encode($value);
+    }
+
+    /**
+     * Decode the value from serialization.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    protected function decodeValue($value)
+    {
+        if (MbString::isLoaded() && MbString::isUtf8($value)) {
+            return mb_convert_encoding($value, 'UTF-8', 'ISO-8859-1');
+        }
+
+        return $value;
     }
 
     /**
      * Add the mutated attributes to the attributes array.
      *
-     * @param array $attributes
-     * @param array $mutatedAttributes
-     *
+     * @param  array  $attributes
+     * @param  array  $mutatedAttributes
      * @return array
      */
     protected function addMutatedAttributesToArray(array $attributes, array $mutatedAttributes)
@@ -221,8 +312,7 @@ trait HasAttributes
     /**
      * Fills the entry with the supplied attributes.
      *
-     * @param array $attributes
-     *
+     * @param  array  $attributes
      * @return $this
      */
     public function fill(array $attributes = [])
@@ -237,9 +327,8 @@ trait HasAttributes
     /**
      * Returns the models attribute by its key.
      *
-     * @param int|string $key
-     * @param mixed      $default
-     *
+     * @param  int|string  $key
+     * @param  mixed  $default
      * @return mixed
      */
     public function getAttribute($key, $default = null)
@@ -254,9 +343,8 @@ trait HasAttributes
     /**
      * Get an attributes value.
      *
-     * @param string $key
-     * @param mixed  $default
-     *
+     * @param  string  $key
+     * @param  mixed  $default
      * @return mixed
      */
     public function getAttributeValue($key, $default = null)
@@ -282,8 +370,7 @@ trait HasAttributes
     /**
      * Determine if the given attribute is a date.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function isDateAttribute($key)
@@ -310,9 +397,8 @@ trait HasAttributes
     /**
      * Convert the given date value to an LDAP compatible value.
      *
-     * @param string $type
-     * @param mixed  $value
-     *
+     * @param  string  $type
+     * @param  mixed  $value
      * @return float|string
      *
      * @throws LdapRecordException
@@ -325,9 +411,8 @@ trait HasAttributes
     /**
      * Convert the given LDAP date value to a Carbon instance.
      *
-     * @param mixed  $value
-     * @param string $type
-     *
+     * @param  mixed  $value
+     * @param  string  $type
      * @return Carbon|false
      *
      * @throws LdapRecordException
@@ -340,9 +425,8 @@ trait HasAttributes
     /**
      * Determine whether an attribute should be cast to a native type.
      *
-     * @param string            $key
-     * @param array|string|null $types
-     *
+     * @param  string  $key
+     * @param  array|string|null  $types
      * @return bool
      */
     public function hasCast($key, $types = null)
@@ -367,8 +451,7 @@ trait HasAttributes
     /**
      * Determine whether a value is JSON castable for inbound manipulation.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     protected function isJsonCastable($key)
@@ -379,8 +462,7 @@ trait HasAttributes
     /**
      * Get the type of cast for a model attribute.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return string
      */
     protected function getCastType($key)
@@ -399,8 +481,7 @@ trait HasAttributes
     /**
      * Determine if the cast is a decimal.
      *
-     * @param string $cast
-     *
+     * @param  string  $cast
      * @return bool
      */
     protected function isDecimalCast($cast)
@@ -411,8 +492,7 @@ trait HasAttributes
     /**
      * Determine if the cast is a datetime.
      *
-     * @param string $cast
-     *
+     * @param  string  $cast
      * @return bool
      */
     protected function isDateTimeCast($cast)
@@ -423,8 +503,7 @@ trait HasAttributes
     /**
      * Determine if the given attribute must be casted.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     protected function isCastedAttribute($key)
@@ -435,9 +514,8 @@ trait HasAttributes
     /**
      * Cast an attribute to a native PHP type.
      *
-     * @param string     $key
-     * @param array|null $value
-     *
+     * @param  string  $key
+     * @param  array|null  $value
      * @return mixed
      */
     protected function castAttribute($key, $value)
@@ -490,9 +568,8 @@ trait HasAttributes
     /**
      * Cast the given attribute to JSON.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return string
      */
     protected function castAttributeAsJson($key, $value)
@@ -522,8 +599,7 @@ trait HasAttributes
     /**
      * Encode the given value as JSON.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return string
      */
     protected function asJson($value)
@@ -534,9 +610,8 @@ trait HasAttributes
     /**
      * Decode the given JSON back into an array or object.
      *
-     * @param string $value
-     * @param bool   $asObject
-     *
+     * @param  string  $value
+     * @param  bool  $asObject
      * @return mixed
      */
     public function fromJson($value, $asObject = false)
@@ -547,8 +622,7 @@ trait HasAttributes
     /**
      * Decode the given float.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return mixed
      */
     public function fromFloat($value)
@@ -568,8 +642,7 @@ trait HasAttributes
     /**
      * Cast the value to a boolean.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return bool
      */
     protected function asBoolean($value)
@@ -582,9 +655,8 @@ trait HasAttributes
     /**
      * Cast a decimal value as a string.
      *
-     * @param float $value
-     * @param int   $decimals
-     *
+     * @param  float  $value
+     * @param  int  $decimals
      * @return string
      */
     protected function asDecimal($value, $decimals)
@@ -605,8 +677,7 @@ trait HasAttributes
     /**
      * Get an attribute array of all arrayable values.
      *
-     * @param array $values
-     *
+     * @param  array  $values
      * @return array
      */
     protected function getArrayableItems(array $values)
@@ -651,8 +722,7 @@ trait HasAttributes
     /**
      * Set the date format used by the model for serialization.
      *
-     * @param string $format
-     *
+     * @param  string  $format
      * @return $this
      */
     public function setDateFormat($format)
@@ -665,8 +735,7 @@ trait HasAttributes
     /**
      * Get an attribute from the $attributes array.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return mixed
      */
     protected function getAttributeFromArray($key)
@@ -687,9 +756,8 @@ trait HasAttributes
     /**
      * Returns the first attribute by the specified key.
      *
-     * @param string $key
-     * @param mixed  $default
-     *
+     * @param  string  $key
+     * @param  mixed  $default
      * @return mixed
      */
     public function getFirstAttribute($key, $default = null)
@@ -712,9 +780,8 @@ trait HasAttributes
     /**
      * Set an attribute value by the specified key.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return $this
      */
     public function setAttribute($key, $value)
@@ -743,9 +810,8 @@ trait HasAttributes
     /**
      * Set an attribute on the model. No checking is done.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return $this
      */
     public function setRawAttribute($key, $value)
@@ -760,9 +826,8 @@ trait HasAttributes
     /**
      * Set the models first attribute value.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return $this
      */
     public function setFirstAttribute($key, $value)
@@ -773,9 +838,8 @@ trait HasAttributes
     /**
      * Add a unique value to the given attribute.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return $this
      */
     public function addAttributeValue($key, $value)
@@ -791,8 +855,7 @@ trait HasAttributes
     /**
      * Determine if a get mutator exists for an attribute.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function hasGetMutator($key)
@@ -803,8 +866,7 @@ trait HasAttributes
     /**
      * Determine if a set mutator exists for an attribute.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function hasSetMutator($key)
@@ -815,9 +877,8 @@ trait HasAttributes
     /**
      * Set the value of an attribute using its mutator.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return mixed
      */
     protected function setMutatedAttributeValue($key, $value)
@@ -828,9 +889,8 @@ trait HasAttributes
     /**
      * Get the value of an attribute using its mutator.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return mixed
      */
     protected function getMutatedAttributeValue($key, $value)
@@ -843,8 +903,7 @@ trait HasAttributes
      *
      * Hyphenated attributes will use pascal cased methods.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return mixed
      */
     protected function getMutatorMethodName($key)
@@ -857,9 +916,8 @@ trait HasAttributes
     /**
      * Get the value of an attribute using its mutator for array conversion.
      *
-     * @param string $key
-     * @param mixed  $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return array
      */
     protected function mutateAttributeForArray($key, $value)
@@ -874,8 +932,7 @@ trait HasAttributes
      *
      * Used when constructing an existing LDAP record.
      *
-     * @param array $attributes
-     *
+     * @param  array  $attributes
      * @return $this
      */
     public function setRawAttributes(array $attributes = [])
@@ -915,9 +972,8 @@ trait HasAttributes
     /**
      * Filters the count key recursively from raw LDAP attributes.
      *
-     * @param array $attributes
-     * @param array $keys
-     *
+     * @param  array  $attributes
+     * @param  array  $keys
      * @return array
      */
     public function filterRawAttributes(array $attributes = [], array $keys = ['count', 'dn'])
@@ -938,8 +994,7 @@ trait HasAttributes
     /**
      * Determine if the model has the given attribute.
      *
-     * @param int|string $key
-     *
+     * @param  int|string  $key
      * @return bool
      */
     public function hasAttribute($key)
@@ -991,8 +1046,7 @@ trait HasAttributes
     /**
      * Determine if the given attribute is dirty.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function isDirty($key)
@@ -1013,8 +1067,7 @@ trait HasAttributes
     /**
      * Set the accessors to append to model arrays.
      *
-     * @param array $appends
-     *
+     * @param  array  $appends
      * @return $this
      */
     public function setAppends(array $appends)
@@ -1027,8 +1080,7 @@ trait HasAttributes
     /**
      * Return whether the accessor attribute has been appended.
      *
-     * @param string $attribute
-     *
+     * @param  string  $attribute
      * @return bool
      */
     public function hasAppended($attribute)
@@ -1039,8 +1091,7 @@ trait HasAttributes
     /**
      * Returns a normalized attribute key.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return string
      */
     public function normalizeAttributeKey($key)
@@ -1056,8 +1107,7 @@ trait HasAttributes
     /**
      * Determine if the new and old values for a given key are equivalent.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     protected function originalIsEquivalent($key)
@@ -1097,8 +1147,7 @@ trait HasAttributes
     /**
      * Extract and cache all the mutated attributes of a class.
      *
-     * @param string $class
-     *
+     * @param  string  $class
      * @return void
      */
     public static function cacheMutatedAttributes($class)
@@ -1113,8 +1162,7 @@ trait HasAttributes
     /**
      * Get all of the attribute mutator methods.
      *
-     * @param mixed $class
-     *
+     * @param  mixed  $class
      * @return array
      */
     protected static function getMutatorMethods($class)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasEvents.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasEvents.php
index 5adec96ea..d9a41b892 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasEvents.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasEvents.php
@@ -4,15 +4,17 @@ namespace LdapRecord\Models\Concerns;
 
 use Closure;
 use LdapRecord\Events\NullDispatcher;
+use LdapRecord\Models\Events;
 use LdapRecord\Models\Events\Event;
+use LdapRecord\Support\Arr;
 
+/** @mixin \LdapRecord\Models\Model */
 trait HasEvents
 {
     /**
      * Execute the callback without raising any events.
      *
-     * @param Closure $callback
-     *
+     * @param  Closure  $callback
      * @return mixed
      */
     protected static function withoutEvents(Closure $callback)
@@ -37,10 +39,37 @@ trait HasEvents
     }
 
     /**
-     * Fires the specified model event.
+     * Dispatch the given model events.
      *
-     * @param Event $event
+     * @param  string|array  $events
+     * @param  array  $args
+     * @return void
+     */
+    protected function dispatch($events, array $args = [])
+    {
+        foreach (Arr::wrap($events) as $name) {
+            $this->fireCustomModelEvent($name, $args);
+        }
+    }
+
+    /**
+     * Fire a custom model event.
      *
+     * @param  string  $name
+     * @param  array  $args
+     * @return mixed
+     */
+    protected function fireCustomModelEvent($name, array $args = [])
+    {
+        $event = implode('\\', [Events::class, ucfirst($name)]);
+
+        return $this->fireModelEvent(new $event($this, ...$args));
+    }
+
+    /**
+     * Fire a model event.
+     *
+     * @param  Event  $event
      * @return mixed
      */
     protected function fireModelEvent(Event $event)
@@ -49,11 +78,10 @@ trait HasEvents
     }
 
     /**
-     * Listens to a model event.
-     *
-     * @param string  $event
-     * @param Closure $listener
+     * Listen to a model event.
      *
+     * @param  string  $event
+     * @param  Closure  $listener
      * @return mixed
      */
     protected function listenForModelEvent($event, Closure $listener)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasGlobalScopes.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasGlobalScopes.php
index f7552c1b4..4d0f2968f 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasGlobalScopes.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasGlobalScopes.php
@@ -6,14 +6,14 @@ use Closure;
 use InvalidArgumentException;
 use LdapRecord\Models\Scope;
 
+/** @mixin \LdapRecord\Models\Model */
 trait HasGlobalScopes
 {
     /**
      * Register a new global scope on the model.
      *
-     * @param Scope|Closure|string $scope
-     * @param Closure|null         $implementation
-     *
+     * @param  Scope|Closure|string  $scope
+     * @param  Closure|null  $implementation
      * @return mixed
      *
      * @throws InvalidArgumentException
@@ -34,8 +34,7 @@ trait HasGlobalScopes
     /**
      * Determine if a model has a global scope.
      *
-     * @param Scope|string $scope
-     *
+     * @param  Scope|string  $scope
      * @return bool
      */
     public static function hasGlobalScope($scope)
@@ -46,8 +45,7 @@ trait HasGlobalScopes
     /**
      * Get a global scope registered with the model.
      *
-     * @param Scope|string $scope
-     *
+     * @param  Scope|string  $scope
      * @return Scope|Closure|null
      */
     public static function getGlobalScope($scope)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasPassword.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasPassword.php
index 1a938c144..194efa8cf 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasPassword.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasPassword.php
@@ -6,12 +6,13 @@ use LdapRecord\ConnectionException;
 use LdapRecord\LdapRecordException;
 use LdapRecord\Models\Attributes\Password;
 
+/** @mixin \LdapRecord\Models\Model */
 trait HasPassword
 {
     /**
      * Set the password on the user.
      *
-     * @param string|array $password
+     * @param  string|array  $password
      *
      * @throws ConnectionException
      */
@@ -48,7 +49,7 @@ trait HasPassword
     /**
      * Alias for setting the password on the user.
      *
-     * @param string|array $password
+     * @param  string|array  $password
      *
      * @throws ConnectionException
      */
@@ -106,10 +107,9 @@ trait HasPassword
     /**
      * Set the changed password.
      *
-     * @param string $oldPassword
-     * @param string $newPassword
-     * @param string $attribute
-     *
+     * @param  string  $oldPassword
+     * @param  string  $newPassword
+     * @param  string  $attribute
      * @return void
      */
     protected function setChangedPassword($oldPassword, $newPassword, $attribute)
@@ -136,9 +136,8 @@ trait HasPassword
     /**
      * Set the password on the model.
      *
-     * @param string $password
-     * @param string $attribute
-     *
+     * @param  string  $password
+     * @param  string  $attribute
      * @return void
      */
     protected function setPassword($password, $attribute)
@@ -155,10 +154,9 @@ trait HasPassword
     /**
      * Encode / hash the given password.
      *
-     * @param string $method
-     * @param string $password
-     * @param string $salt
-     *
+     * @param  string  $method
+     * @param  string  $password
+     * @param  string  $salt
      * @return string
      *
      * @throws LdapRecordException
@@ -203,8 +201,7 @@ trait HasPassword
     /**
      * Attempt to retrieve the password's salt.
      *
-     * @param string $method
-     *
+     * @param  string  $method
      * @return string|null
      */
     public function getPasswordSalt($method)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasRelationships.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasRelationships.php
index a8a5cacf2..87c0a7cc8 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasRelationships.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasRelationships.php
@@ -5,6 +5,7 @@ namespace LdapRecord\Models\Concerns;
 use LdapRecord\Models\Relations\HasMany;
 use LdapRecord\Models\Relations\HasManyIn;
 use LdapRecord\Models\Relations\HasOne;
+use LdapRecord\Models\Relations\Relation;
 use LdapRecord\Support\Arr;
 
 trait HasRelationships
@@ -12,10 +13,9 @@ trait HasRelationships
     /**
      * Returns a new has one relationship.
      *
-     * @param mixed  $related
-     * @param string $relationKey
-     * @param string $foreignKey
-     *
+     * @param  mixed  $related
+     * @param  string  $relationKey
+     * @param  string  $foreignKey
      * @return HasOne
      */
     public function hasOne($related, $relationKey, $foreignKey = 'dn')
@@ -26,10 +26,9 @@ trait HasRelationships
     /**
      * Returns a new has many relationship.
      *
-     * @param mixed  $related
-     * @param string $relationKey
-     * @param string $foreignKey
-     *
+     * @param  mixed  $related
+     * @param  string  $relationKey
+     * @param  string  $foreignKey
      * @return HasMany
      */
     public function hasMany($related, $relationKey, $foreignKey = 'dn')
@@ -40,10 +39,9 @@ trait HasRelationships
     /**
      * Returns a new has many in relationship.
      *
-     * @param mixed  $related
-     * @param string $relationKey
-     * @param string $foreignKey
-     *
+     * @param  mixed  $related
+     * @param  string  $relationKey
+     * @param  string  $foreignKey
      * @return HasManyIn
      */
     public function hasManyIn($related, $relationKey, $foreignKey = 'dn')
@@ -51,6 +49,29 @@ trait HasRelationships
         return new HasManyIn($this->newQuery(), $this, $related, $relationKey, $foreignKey, $this->guessRelationshipName());
     }
 
+    /**
+     * Get a relationship by its name.
+     *
+     * @param  string  $relationName
+     * @return Relation|null
+     */
+    public function getRelation($relationName)
+    {
+        if (! method_exists($this, $relationName)) {
+            return;
+        }
+
+        if (! $relation = $this->{$relationName}()) {
+            return;
+        }
+
+        if (! $relation instanceof Relation) {
+            return;
+        }
+
+        return $relation;
+    }
+
     /**
      * Get the relationships name.
      *
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasScopes.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasScopes.php
index 6c97cf925..cb227fecc 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasScopes.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HasScopes.php
@@ -2,6 +2,7 @@
 
 namespace LdapRecord\Models\Concerns;
 
+/** @mixin \LdapRecord\Models\Model */
 trait HasScopes
 {
     /**
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HidesAttributes.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HidesAttributes.php
index 9cc210057..ecd328dab 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HidesAttributes.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/HidesAttributes.php
@@ -6,6 +6,8 @@ namespace LdapRecord\Models\Concerns;
  * @author Taylor Otwell
  *
  * @see https://laravel.com
+ *
+ * @mixin \LdapRecord\Models\Model
  */
 trait HidesAttributes
 {
@@ -38,8 +40,7 @@ trait HidesAttributes
     /**
      * Set the hidden attributes for the model.
      *
-     * @param array $hidden
-     *
+     * @param  array  $hidden
      * @return $this
      */
     public function setHidden(array $hidden)
@@ -52,8 +53,7 @@ trait HidesAttributes
     /**
      * Add hidden attributes for the model.
      *
-     * @param array|string|null $attributes
-     *
+     * @param  array|string|null  $attributes
      * @return void
      */
     public function addHidden($attributes = null)
@@ -79,8 +79,7 @@ trait HidesAttributes
     /**
      * Set the visible attributes for the model.
      *
-     * @param array $visible
-     *
+     * @param  array  $visible
      * @return $this
      */
     public function setVisible(array $visible)
@@ -93,8 +92,7 @@ trait HidesAttributes
     /**
      * Add visible attributes for the model.
      *
-     * @param array|string|null $attributes
-     *
+     * @param  array|string|null  $attributes
      * @return void
      */
     public function addVisible($attributes = null)
@@ -108,8 +106,7 @@ trait HidesAttributes
     /**
      * Make the given, typically hidden, attributes visible.
      *
-     * @param array|string $attributes
-     *
+     * @param  array|string  $attributes
      * @return $this
      */
     public function makeVisible($attributes)
@@ -126,8 +123,7 @@ trait HidesAttributes
     /**
      * Make the given, typically visible, attributes hidden.
      *
-     * @param array|string $attributes
-     *
+     * @param  array|string  $attributes
      * @return $this
      */
     public function makeHidden($attributes)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesAndRestoresPropertyValues.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesAndRestoresPropertyValues.php
new file mode 100644
index 000000000..cf550c749
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesAndRestoresPropertyValues.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace LdapRecord\Models\Concerns;
+
+/** @mixin HasAttributes */
+trait SerializesAndRestoresPropertyValues
+{
+    /**
+     * Get the property value prepared for serialization.
+     *
+     * @param  string  $property
+     * @param  mixed  $value
+     * @return mixed
+     */
+    protected function getSerializedPropertyValue($property, $value)
+    {
+        if ($property === 'original') {
+            return $this->originalToArray();
+        }
+
+        if ($property === 'attributes') {
+            return $this->attributesToArray();
+        }
+
+        return $value;
+    }
+
+    /**
+     * Get the unserialized property value after deserialization.
+     *
+     * @param  string  $property
+     * @param  mixed  $value
+     * @return mixed
+     */
+    protected function getUnserializedPropertyValue($property, $value)
+    {
+        if ($property === 'original') {
+            return $this->arrayToOriginal($value);
+        }
+
+        if ($property === 'attributes') {
+            return $this->arrayToAttributes($value);
+        }
+
+        return $value;
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesProperties.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesProperties.php
new file mode 100644
index 000000000..91f4bcfe3
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Concerns/SerializesProperties.php
@@ -0,0 +1,143 @@
+<?php
+
+namespace LdapRecord\Models\Concerns;
+
+use ReflectionClass;
+use ReflectionProperty;
+
+trait SerializesProperties
+{
+    use SerializesAndRestoresPropertyValues;
+
+    /**
+     * Prepare the attributes for serialization.
+     *
+     * @return array
+     */
+    public function __sleep()
+    {
+        $properties = (new ReflectionClass($this))->getProperties();
+
+        foreach ($properties as $property) {
+            $property->setValue($this, $this->getSerializedPropertyValue(
+                $property->getName(),
+                $this->getPropertyValue($property)
+            ));
+        }
+
+        return array_values(array_filter(array_map(function ($p) {
+            return $p->isStatic() ? null : $p->getName();
+        }, $properties)));
+    }
+
+    /**
+     * Restore the attributes after serialization.
+     *
+     * @return void
+     */
+    public function __wakeup()
+    {
+        foreach ((new ReflectionClass($this))->getProperties() as $property) {
+            if ($property->isStatic()) {
+                continue;
+            }
+
+            $property->setValue($this, $this->getUnserializedPropertyValue(
+                $property->getName(),
+                $this->getPropertyValue($property)
+            ));
+        }
+    }
+
+    /**
+     * Prepare the model for serialization.
+     *
+     * @return array
+     */
+    public function __serialize()
+    {
+        $values = [];
+
+        $properties = (new ReflectionClass($this))->getProperties();
+
+        $class = get_class($this);
+
+        foreach ($properties as $property) {
+            if ($property->isStatic()) {
+                continue;
+            }
+
+            $property->setAccessible(true);
+
+            if (! $property->isInitialized($this)) {
+                continue;
+            }
+
+            $name = $property->getName();
+
+            if ($property->isPrivate()) {
+                $name = "\0{$class}\0{$name}";
+            } elseif ($property->isProtected()) {
+                $name = "\0*\0{$name}";
+            }
+
+            $values[$name] = $this->getSerializedPropertyValue(
+                $property->getName(),
+                $this->getPropertyValue($property)
+            );
+        }
+
+        return $values;
+    }
+
+    /**
+     * Restore the model after serialization.
+     *
+     * @param  array  $values
+     * @return void
+     */
+    public function __unserialize(array $values)
+    {
+        $properties = (new ReflectionClass($this))->getProperties();
+
+        $class = get_class($this);
+
+        foreach ($properties as $property) {
+            if ($property->isStatic()) {
+                continue;
+            }
+
+            $name = $property->getName();
+
+            if ($property->isPrivate()) {
+                $name = "\0{$class}\0{$name}";
+            } elseif ($property->isProtected()) {
+                $name = "\0*\0{$name}";
+            }
+
+            if (! array_key_exists($name, $values)) {
+                continue;
+            }
+
+            $property->setAccessible(true);
+
+            $property->setValue(
+                $this,
+                $this->getUnserializedPropertyValue($property->getName(), $values[$name])
+            );
+        }
+    }
+
+    /**
+     * Get the property value for the given property.
+     *
+     * @param  ReflectionProperty  $property
+     * @return mixed
+     */
+    protected function getPropertyValue(ReflectionProperty $property)
+    {
+        $property->setAccessible(true);
+
+        return $property->getValue($this);
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DetectsResetIntegers.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DetectsResetIntegers.php
index 8712ef755..7b8d1830e 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DetectsResetIntegers.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DetectsResetIntegers.php
@@ -11,8 +11,7 @@ trait DetectsResetIntegers
      * LDAP attributes to instruct the server to reset the
      * value to an 'unset' or 'cleared' state.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return bool
      */
     protected function valueIsResetInteger($value)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DirectoryServer/Entry.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DirectoryServer/Entry.php
index 1bf832587..a67200e94 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DirectoryServer/Entry.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/DirectoryServer/Entry.php
@@ -3,8 +3,9 @@
 namespace LdapRecord\Models\DirectoryServer;
 
 use LdapRecord\Models\Model;
+use LdapRecord\Models\Types\DirectoryServer;
 
-class Entry extends Model
+class Entry extends Model implements DirectoryServer
 {
     /**
      * The attribute key that contains the models object GUID.
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Event.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Event.php
index 20de0b7a6..8dbd1d29a 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Event.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Event.php
@@ -16,7 +16,7 @@ abstract class Event
     /**
      * Constructor.
      *
-     * @param Model $model
+     * @param  Model  $model
      */
     public function __construct(Model $model)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Renaming.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Renaming.php
index 83427ca1a..5e7be97d7 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Renaming.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Events/Renaming.php
@@ -23,9 +23,9 @@ class Renaming extends Event
     /**
      * Constructor.
      *
-     * @param Model  $model
-     * @param string $rdn
-     * @param string $newParentDn
+     * @param  Model  $model
+     * @param  string  $rdn
+     * @param  string  $newParentDn
      */
     public function __construct(Model $model, $rdn, $newParentDn)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Entry.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Entry.php
index 7fdda9c86..be6322b15 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Entry.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Entry.php
@@ -44,8 +44,7 @@ class Entry extends BaseEntry implements FreeIPA
     /**
      * Create a new query builder.
      *
-     * @param Connection $connection
-     *
+     * @param  Connection  $connection
      * @return FreeIpaBuilder
      */
     public function newQueryBuilder(Connection $connection)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Scopes/AddEntryUuidToSelects.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Scopes/AddEntryUuidToSelects.php
index 039c05e4f..581b5beed 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Scopes/AddEntryUuidToSelects.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/FreeIPA/Scopes/AddEntryUuidToSelects.php
@@ -11,9 +11,8 @@ class AddEntryUuidToSelects implements Scope
     /**
      * Add the entry UUID to the selected attributes.
      *
-     * @param Builder $query
-     * @param Model   $model
-     *
+     * @param  Builder  $query
+     * @param  Model  $model
      * @return void
      */
     public function apply(Builder $query, Model $model)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Model.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Model.php
index 2e11696b4..932c1a3b1 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Model.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Model.php
@@ -11,8 +11,6 @@ use LdapRecord\Container;
 use LdapRecord\EscapesValues;
 use LdapRecord\Models\Attributes\DistinguishedName;
 use LdapRecord\Models\Attributes\Guid;
-use LdapRecord\Models\Events\Renamed;
-use LdapRecord\Models\Events\Renaming;
 use LdapRecord\Query\Model\Builder;
 use LdapRecord\Support\Arr;
 use UnexpectedValueException;
@@ -27,6 +25,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     use Concerns\HasGlobalScopes;
     use Concerns\HidesAttributes;
     use Concerns\HasRelationships;
+    use Concerns\SerializesProperties;
 
     /**
      * Indicates if the model exists in the directory.
@@ -115,7 +114,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Constructor.
      *
-     * @param array $attributes
+     * @param  array  $attributes
      */
     public function __construct(array $attributes = [])
     {
@@ -163,9 +162,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Handle dynamic method calls into the model.
      *
-     * @param string $method
-     * @param array  $parameters
-     *
+     * @param  string  $method
+     * @param  array  $parameters
      * @return mixed
      */
     public function __call($method, $parameters)
@@ -180,9 +178,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Handle dynamic static method calls into the method.
      *
-     * @param string $method
-     * @param array  $parameters
-     *
+     * @param  string  $method
+     * @param  array  $parameters
      * @return mixed
      */
     public static function __callStatic($method, $parameters)
@@ -203,8 +200,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Set the models distinguished name.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return $this
      */
     public function setDn($dn)
@@ -217,8 +213,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * A mutator for setting the models distinguished name.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return $this
      */
     public function setDnAttribute($dn)
@@ -229,8 +224,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * A mutator for setting the models distinguished name.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return $this
      */
     public function setDistinguishedNameAttribute($dn)
@@ -261,8 +255,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Set the connection associated with the model.
      *
-     * @param string $name
-     *
+     * @param  string  $name
      * @return $this
      */
     public function setConnection($name)
@@ -272,11 +265,21 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
         return $this;
     }
 
+    /**
+     * Make a new model instance.
+     *
+     * @param  array  $attributes
+     * @return static
+     */
+    public static function make($attributes = [])
+    {
+        return new static($attributes);
+    }
+
     /**
      * Begin querying the model on a given connection.
      *
-     * @param string|null $connection
-     *
+     * @param  string|null  $connection
      * @return Builder
      */
     public static function on($connection = null)
@@ -291,8 +294,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get all the models from the directory.
      *
-     * @param array|mixed $attributes
-     *
+     * @param  array|mixed  $attributes
      * @return Collection|static[]
      */
     public static function all($attributes = ['*'])
@@ -301,15 +303,45 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     }
 
     /**
-     * Make a new model instance.
+     * Get the RootDSE (AD schema) record from the directory.
      *
-     * @param array $attributes
+     * @param  string|null  $connection
+     * @return Model
      *
-     * @return static
+     * @throws \LdapRecord\Models\ModelNotFoundException
      */
-    public static function make($attributes = [])
+    public static function getRootDse($connection = null)
     {
-        return new static($attributes);
+        $model = static::getRootDseModel();
+
+        return $model::on($connection ?? (new $model)->getConnectionName())
+            ->in(null)
+            ->read()
+            ->whereHas('objectclass')
+            ->firstOrFail();
+    }
+
+    /**
+     * Get the root DSE model.
+     *
+     * @return class-string<Model>
+     */
+    protected static function getRootDseModel()
+    {
+        $instance = (new static);
+
+        switch (true) {
+            case $instance instanceof Types\ActiveDirectory:
+                return ActiveDirectory\Entry::class;
+            case $instance instanceof Types\DirectoryServer:
+                return OpenLDAP\Entry::class;
+            case $instance instanceof Types\OpenLDAP:
+                return OpenLDAP\Entry::class;
+            case $instance instanceof Types\FreeIPA:
+                return FreeIPA\Entry::class;
+            default:
+                return Entry::class;
+        }
     }
 
     /**
@@ -349,8 +381,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Create a new query builder.
      *
-     * @param Connection $connection
-     *
+     * @param  Connection  $connection
      * @return Builder
      */
     public function newQueryBuilder(Connection $connection)
@@ -361,8 +392,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Create a new model instance.
      *
-     * @param array $attributes
-     *
+     * @param  array  $attributes
      * @return static
      */
     public function newInstance(array $attributes = [])
@@ -373,8 +403,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Resolve a connection instance.
      *
-     * @param string|null $connection
-     *
+     * @param  string|null  $connection
      * @return Connection
      */
     public static function resolveConnection($connection = null)
@@ -405,8 +434,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Set the connection container.
      *
-     * @param Container $container
-     *
+     * @param  Container  $container
      * @return void
      */
     public static function setConnectionContainer(Container $container)
@@ -427,8 +455,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Register the query scopes for this builder instance.
      *
-     * @param Builder $builder
-     *
+     * @param  Builder  $builder
      * @return Builder
      */
     public function registerModelScopes($builder)
@@ -443,8 +470,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Register the global model scopes.
      *
-     * @param Builder $builder
-     *
+     * @param  Builder  $builder
      * @return Builder
      */
     public function registerGlobalScopes($builder)
@@ -459,8 +485,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Apply the model object class scopes to the given builder instance.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return void
      */
     public function applyObjectClassScopes(Builder $query)
@@ -483,10 +508,9 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Returns a new batch modification.
      *
-     * @param string|null     $attribute
-     * @param string|int|null $type
-     * @param array           $values
-     *
+     * @param  string|null  $attribute
+     * @param  string|int|null  $type
+     * @param  array  $values
      * @return BatchModification
      */
     public function newBatchModification($attribute = null, $type = null, $values = [])
@@ -497,8 +521,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Returns a new collection with the specified items.
      *
-     * @param mixed $items
-     *
+     * @param  mixed  $items
      * @return Collection
      */
     public function newCollection($items = [])
@@ -509,9 +532,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Dynamically retrieve attributes on the object.
      *
-     * @param mixed $key
-     *
-     * @return bool
+     * @param  string  $key
+     * @return mixed
      */
     public function __get($key)
     {
@@ -521,9 +543,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Dynamically set attributes on the object.
      *
-     * @param mixed $key
-     * @param mixed $value
-     *
+     * @param  string  $key
+     * @param  mixed  $value
      * @return $this
      */
     public function __set($key, $value)
@@ -534,8 +555,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if the given offset exists.
      *
-     * @param string $offset
-     *
+     * @param  string  $offset
      * @return bool
      */
     #[\ReturnTypeWillChange]
@@ -547,8 +567,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get the value for a given offset.
      *
-     * @param string $offset
-     *
+     * @param  string  $offset
      * @return mixed
      */
     #[\ReturnTypeWillChange]
@@ -560,9 +579,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Set the value at the given offset.
      *
-     * @param string $offset
-     * @param mixed  $value
-     *
+     * @param  string  $offset
+     * @param  mixed  $value
      * @return void
      */
     #[\ReturnTypeWillChange]
@@ -574,8 +592,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Unset the value at the given offset.
      *
-     * @param string $offset
-     *
+     * @param  string  $offset
      * @return void
      */
     #[\ReturnTypeWillChange]
@@ -587,8 +604,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if an attribute exists on the model.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function __isset($key)
@@ -599,8 +615,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Unset an attribute on the model.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return void
      */
     public function __unset($key)
@@ -630,26 +645,36 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     }
 
     /**
-     * Converts extra attributes for JSON serialization.
-     *
-     * @param array $attributes
+     * Convert the attributes for JSON serialization.
      *
+     * @param  array  $attributes
      * @return array
      */
     protected function convertAttributesForJson(array $attributes = [])
     {
-        // If the model has a GUID set, we need to convert
-        // it due to it being in binary. Otherwise we'll
-        // receive a JSON serialization exception.
-        if ($this->hasAttribute($this->guidKey)) {
-            return array_replace($attributes, [
-                $this->guidKey => [$this->getConvertedGuid()],
-            ]);
+        // If the model has a GUID set, we need to convert it to its
+        // string format, due to it being in binary. Otherwise
+        // we will receive a JSON serialization exception.
+        if (isset($attributes[$this->guidKey])) {
+            $attributes[$this->guidKey] = [$this->getConvertedGuid(
+                Arr::first($attributes[$this->guidKey])
+            )];
         }
 
         return $attributes;
     }
 
+    /**
+     * Convert the attributes from JSON serialization.
+     *
+     * @param  array  $attributes
+     * @return array
+     */
+    protected function convertAttributesFromJson(array $attributes = [])
+    {
+        return $attributes;
+    }
+
     /**
      * Reload a fresh model instance from the directory.
      *
@@ -667,8 +692,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if two models have the same distinguished name and belong to the same connection.
      *
-     * @param Model|null $model
-     *
+     * @param  Model|null  $model
      * @return bool
      */
     public function is($model)
@@ -681,8 +705,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if two models are not the same.
      *
-     * @param Model|null $model
-     *
+     * @param  Model|null  $model
      * @return bool
      */
     public function isNot($model)
@@ -693,8 +716,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Hydrate a new collection of models from search results.
      *
-     * @param array $records
-     *
+     * @param  array  $records
      * @return Collection
      */
     public function hydrate($records)
@@ -709,8 +731,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Converts the current model into the given model.
      *
-     * @param Model $into
-     *
+     * @param  Model  $into
      * @return Model
      */
     public function convert(self $into)
@@ -760,8 +781,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Set the models batch modifications.
      *
-     * @param array $modifications
-     *
+     * @param  array  $modifications
      * @return $this
      */
     public function setModifications(array $modifications = [])
@@ -778,8 +798,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Adds a batch modification to the model.
      *
-     * @param array|BatchModification $mod
-     *
+     * @param  array|BatchModification  $mod
      * @return $this
      *
      * @throws InvalidArgumentException
@@ -824,8 +843,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get the name of the model, or the given DN.
      *
-     * @param string|null $dn
-     *
+     * @param  string|null  $dn
      * @return string|null
      */
     public function getName($dn = null)
@@ -836,8 +854,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get the head attribute of the model, or the given DN.
      *
-     * @param string|null $dn
-     *
+     * @param  string|null  $dn
      * @return string|null
      */
     public function getHead($dn = null)
@@ -849,7 +866,6 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      * Get the RDN of the model, of the given DN.
      *
      * @param string|null
-     *
      * @return string|null
      */
     public function getRdn($dn = null)
@@ -861,7 +877,6 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      * Get the parent distinguished name of the model, or the given DN.
      *
      * @param string|null
-     *
      * @return string|null
      */
     public function getParentDn($dn = null)
@@ -872,8 +887,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Create a new Distinguished Name object.
      *
-     * @param string|null $dn
-     *
+     * @param  string|null  $dn
      * @return DistinguishedName
      */
     public function newDn($dn = null)
@@ -910,28 +924,58 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function getObjectClasses()
     {
-        return $this->getAttribute('objectclass') ?: [];
+        return $this->getAttribute('objectclass', static::$objectClasses);
     }
 
     /**
      * Get the model's string GUID.
      *
+     * @param  string|null  $guid
      * @return string|null
      */
-    public function getConvertedGuid()
+    public function getConvertedGuid($guid = null)
     {
         try {
-            return (string) new Guid($this->getObjectGuid());
+            return (string) $this->newObjectGuid(
+                $guid ?? $this->getObjectGuid()
+            );
         } catch (InvalidArgumentException $e) {
             return;
         }
     }
 
+    /**
+     * Get the model's binary GUID.
+     *
+     * @param  string|null  $guid
+     * @return string|null
+     */
+    public function getBinaryGuid($guid = null)
+    {
+        try {
+            return $this->newObjectGuid(
+                $guid ?? $this->getObjectGuid()
+            )->getBinary();
+        } catch (InvalidArgumentException $e) {
+            return;
+        }
+    }
+
+    /**
+     * Make a new object Guid instance.
+     *
+     * @param  string  $value
+     * @return Guid
+     */
+    protected function newObjectGuid($value)
+    {
+        return new Guid($value);
+    }
+
     /**
      * Determine if the current model is a direct descendant of the given.
      *
-     * @param static|string $parent
-     *
+     * @param  static|string  $parent
      * @return bool
      */
     public function isChildOf($parent)
@@ -944,8 +988,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if the current model is a direct ascendant of the given.
      *
-     * @param static|string $child
-     *
+     * @param  static|string  $child
      * @return bool
      */
     public function isParentOf($child)
@@ -958,8 +1001,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if the current model is a descendant of the given.
      *
-     * @param static|string $model
-     *
+     * @param  static|string  $model
      * @return bool
      */
     public function isDescendantOf($model)
@@ -970,8 +1012,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determine if the current model is a ancestor of the given.
      *
-     * @param static|string $model
-     *
+     * @param  static|string  $model
      * @return bool
      */
     public function isAncestorOf($model)
@@ -982,9 +1023,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determines if the DN is inside of the parent DN.
      *
-     * @param static|string $dn
-     * @param static|string $parentDn
-     *
+     * @param  static|string  $dn
+     * @param  static|string  $parentDn
      * @return bool
      */
     protected function dnIsInside($dn, $parentDn)
@@ -997,8 +1037,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Set the base DN of where the model should be created in.
      *
-     * @param static|string $dn
-     *
+     * @param  static|string  $dn
      * @return $this
      */
     public function inside($dn)
@@ -1011,8 +1050,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Save the model to the directory without raising any events.
      *
-     * @param array $attributes
-     *
+     * @param  array  $attributes
      * @return void
      *
      * @throws \LdapRecord\LdapRecordException
@@ -1027,8 +1065,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Save the model to the directory.
      *
-     * @param array $attributes The attributes to update or create for the current entry.
-     *
+     * @param  array  $attributes  The attributes to update or create for the current entry.
      * @return void
      *
      * @throws \LdapRecord\LdapRecordException
@@ -1037,11 +1074,13 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     {
         $this->fill($attributes);
 
-        $this->fireModelEvent(new Events\Saving($this));
+        $this->dispatch('saving');
 
         $this->exists ? $this->performUpdate() : $this->performInsert();
 
-        $this->fireModelEvent(new Events\Saved($this));
+        $this->dispatch('saved');
+
+        $this->modifications = [];
 
         $this->in = null;
     }
@@ -1071,7 +1110,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
             $this->setDn($this->getCreatableDn());
         }
 
-        $this->fireModelEvent(new Events\Creating($this));
+        $this->dispatch('creating');
 
         // Here we perform the insert of new object in the directory,
         // but filter out any empty attributes before sending them
@@ -1079,7 +1118,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
         // attributes have been given empty or null values.
         $query->insert($this->getDn(), array_filter($this->getAttributes()));
 
-        $this->fireModelEvent(new Events\Created($this));
+        $this->dispatch('created');
 
         $this->syncOriginal();
 
@@ -1101,22 +1140,19 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
             return;
         }
 
-        $this->fireModelEvent(new Events\Updating($this));
+        $this->dispatch('updating');
 
         $this->newQuery()->update($this->dn, $modifications);
 
-        $this->fireModelEvent(new Events\Updated($this));
+        $this->dispatch('updated');
 
         $this->syncOriginal();
-
-        $this->modifications = [];
     }
 
     /**
      * Create the model in the directory.
      *
-     * @param array $attributes The attributes for the new entry.
-     *
+     * @param  array  $attributes  The attributes for the new entry.
      * @return Model
      *
      * @throws \LdapRecord\LdapRecordException
@@ -1133,9 +1169,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Create an attribute on the model.
      *
-     * @param string $attribute The attribute to create
-     * @param mixed  $value     The value of the new attribute
-     *
+     * @param  string  $attribute  The attribute to create
+     * @param  mixed  $value  The value of the new attribute
      * @return void
      *
      * @throws ModelDoesNotExistException
@@ -1143,18 +1178,21 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function createAttribute($attribute, $value)
     {
-        $this->requireExistence();
+        $this->assertExists();
+
+        $this->dispatch(['saving', 'updating']);
 
         $this->newQuery()->insertAttributes($this->dn, [$attribute => (array) $value]);
 
         $this->addAttributeValue($attribute, $value);
+
+        $this->dispatch(['updated', 'saved']);
     }
 
     /**
      * Update the model.
      *
-     * @param array $attributes The attributes to update for the current entry.
-     *
+     * @param  array  $attributes  The attributes to update for the current entry.
      * @return void
      *
      * @throws ModelDoesNotExistException
@@ -1162,7 +1200,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function update(array $attributes = [])
     {
-        $this->requireExistence();
+        $this->assertExists();
 
         $this->save($attributes);
     }
@@ -1170,9 +1208,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Update the model attribute with the specified value.
      *
-     * @param string $attribute The attribute to modify
-     * @param mixed  $value     The new value for the attribute
-     *
+     * @param  string  $attribute  The attribute to modify
+     * @param  mixed  $value  The new value for the attribute
      * @return void
      *
      * @throws ModelDoesNotExistException
@@ -1180,19 +1217,22 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function updateAttribute($attribute, $value)
     {
-        $this->requireExistence();
+        $this->assertExists();
+
+        $this->dispatch(['saving', 'updating']);
 
         $this->newQuery()->updateAttributes($this->dn, [$attribute => (array) $value]);
 
         $this->addAttributeValue($attribute, $value);
+
+        $this->dispatch(['updated', 'saved']);
     }
 
     /**
      * Destroy the models for the given distinguished names.
      *
-     * @param Collection|array|string $dns
-     * @param bool                    $recursive
-     *
+     * @param  Collection|array|string  $dns
+     * @param  bool  $recursive
      * @return int
      *
      * @throws \LdapRecord\LdapRecordException
@@ -1201,11 +1241,17 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     {
         $count = 0;
 
-        $dns = is_string($dns) ? (array) $dns : $dns;
-
         $instance = new static();
 
-        foreach ($dns as $dn) {
+        if ($dns instanceof Collection) {
+            $dns = $dns->modelDns()->toArray();
+        }
+
+        // Here we are iterating through each distinguished name and locating
+        // the associated model. While it's more resource intensive, we must
+        // do this in case of leaf nodes being given alongside any parent
+        // node, ensuring they can be deleted inside of the directory.
+        foreach ((array) $dns as $dn) {
             if (! $model = $instance->find($dn)) {
                 continue;
             }
@@ -1224,8 +1270,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      * Throws a ModelNotFoundException if the current model does
      * not exist or does not contain a distinguished name.
      *
-     * @param bool $recursive Whether to recursively delete leaf nodes (models that are children).
-     *
+     * @param  bool  $recursive  Whether to recursively delete leaf nodes (models that are children).
      * @return void
      *
      * @throws ModelDoesNotExistException
@@ -1233,9 +1278,9 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function delete($recursive = false)
     {
-        $this->requireExistence();
+        $this->assertExists();
 
-        $this->fireModelEvent(new Events\Deleting($this));
+        $this->dispatch('deleting');
 
         if ($recursive) {
             $this->deleteLeafNodes();
@@ -1248,7 +1293,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
         // developers can hook in and run further operations.
         $this->exists = false;
 
-        $this->fireModelEvent(new Events\Deleted($this));
+        $this->dispatch('deleted');
     }
 
     /**
@@ -1263,15 +1308,15 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
         $this->newQueryWithoutScopes()
             ->in($this->dn)
             ->listing()
-            ->chunk(250, function ($models) {
-                $models->each->delete($recursive = true);
+            ->each(function (Model $model) {
+                $model->delete($recursive = true);
             });
     }
 
     /**
      * Delete an attribute on the model.
      *
-     * @param string|array $attributes The attribute(s) to delete
+     * @param  string|array  $attributes  The attribute(s) to delete
      *
      * Delete specific values in attributes:
      *
@@ -1280,7 +1325,6 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      * Delete an entire attribute:
      *
      *     ["memberuid" => []]
-     *
      * @return void
      *
      * @throws ModelDoesNotExistException
@@ -1288,10 +1332,12 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function deleteAttribute($attributes)
     {
-        $this->requireExistence();
+        $this->assertExists();
 
         $attributes = $this->makeDeletableAttributes($attributes);
 
+        $this->dispatch(['saving', 'updating']);
+
         $this->newQuery()->deleteAttributes($this->dn, $attributes);
 
         foreach ($attributes as $attribute => $value) {
@@ -1311,14 +1357,15 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
             }
         }
 
+        $this->dispatch(['updated', 'saved']);
+
         $this->syncOriginal();
     }
 
     /**
      * Make a deletable attribute array.
      *
-     * @param string|array $attributes
-     *
+     * @param  string|array  $attributes
      * @return array
      */
     protected function makeDeletableAttributes($attributes)
@@ -1339,9 +1386,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      *
      * For example: $user->move($ou);
      *
-     * @param static|string $newParentDn  The new parent of the current model.
-     * @param bool          $deleteOldRdn Whether to delete the old models relative distinguished name once renamed / moved.
-     *
+     * @param  static|string  $newParentDn  The new parent of the current model.
+     * @param  bool  $deleteOldRdn  Whether to delete the old models relative distinguished name once renamed / moved.
      * @return void
      *
      * @throws UnexpectedValueException
@@ -1350,7 +1396,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function move($newParentDn, $deleteOldRdn = true)
     {
-        $this->requireExistence();
+        $this->assertExists();
 
         if (! $rdn = $this->getRdn()) {
             throw new UnexpectedValueException('Current model does not contain an RDN to move.');
@@ -1362,10 +1408,9 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Rename the model to a new RDN and new parent.
      *
-     * @param string             $rdn          The models new relative distinguished name. Example: "cn=JohnDoe"
-     * @param static|string|null $newParentDn  The models new parent distinguished name (if moving). Leave this null if you are only renaming. Example: "ou=MovedUsers,dc=acme,dc=org"
-     * @param bool|true          $deleteOldRdn Whether to delete the old models relative distinguished name once renamed / moved.
-     *
+     * @param  string  $rdn  The models new relative distinguished name. Example: "cn=JohnDoe"
+     * @param  static|string|null  $newParentDn  The models new parent distinguished name (if moving). Leave this null if you are only renaming. Example: "ou=MovedUsers,dc=acme,dc=org"
+     * @param  bool|true  $deleteOldRdn  Whether to delete the old models relative distinguished name once renamed / moved.
      * @return void
      *
      * @throws ModelDoesNotExistException
@@ -1373,7 +1418,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
      */
     public function rename($rdn, $newParentDn = null, $deleteOldRdn = true)
     {
-        $this->requireExistence();
+        $this->assertExists();
 
         if ($newParentDn instanceof self) {
             $newParentDn = $newParentDn->getDn();
@@ -1400,7 +1445,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
             $rdn = $this->getUpdateableRdn($rdn);
         }
 
-        $this->fireModelEvent(new Renaming($this, $rdn, $newParentDn));
+        $this->dispatch('renaming', [$rdn, $newParentDn]);
 
         $this->newQuery()->rename($this->dn, $rdn, $newParentDn, $deleteOldRdn);
 
@@ -1420,7 +1465,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
             = $this->original[$modelNameAttribute]
             = [reset($map[$modelNameAttribute])];
 
-        $this->fireModelEvent(new Renamed($this));
+        $this->dispatch('renamed');
 
         $this->wasRecentlyRenamed = true;
     }
@@ -1428,8 +1473,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get an updateable RDN for the model.
      *
-     * @param string $name
-     *
+     * @param  string  $name
      * @return string
      */
     public function getUpdateableRdn($name)
@@ -1440,9 +1484,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get a distinguished name that is creatable for the model.
      *
-     * @param string|null $name
-     * @param string|null $attribute
-     *
+     * @param  string|null  $name
+     * @param  string|null  $attribute
      * @return string
      */
     public function getCreatableDn($name = null, $attribute = null)
@@ -1456,9 +1499,8 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Get a creatable (escaped) RDN for the model.
      *
-     * @param string|null $name
-     * @param string|null $attribute
-     *
+     * @param  string|null  $name
+     * @param  string|null  $attribute
      * @return string
      */
     public function getCreatableRdn($name = null, $attribute = null)
@@ -1485,8 +1527,7 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Determines if the given modification is valid.
      *
-     * @param mixed $mod
-     *
+     * @param  mixed  $mod
      * @return bool
      */
     protected function isValidModification($mod)
@@ -1528,11 +1569,25 @@ abstract class Model implements ArrayAccess, Arrayable, JsonSerializable
     /**
      * Throw an exception if the model does not exist.
      *
+     * @deprecated
+     *
      * @return void
      *
      * @throws ModelDoesNotExistException
      */
     protected function requireExistence()
+    {
+        return $this->assertExists();
+    }
+
+    /**
+     * Throw an exception if the model does not exist.
+     *
+     * @return void
+     *
+     * @throws ModelDoesNotExistException
+     */
+    protected function assertExists()
     {
         if (! $this->exists || is_null($this->dn)) {
             throw ModelDoesNotExistException::forModel($this);
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ModelDoesNotExistException.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ModelDoesNotExistException.php
index 2dd2ba9bd..508414911 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ModelDoesNotExistException.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/ModelDoesNotExistException.php
@@ -16,8 +16,7 @@ class ModelDoesNotExistException extends LdapRecordException
     /**
      * Create a new exception for the given model.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return ModelDoesNotExistException
      */
     public static function forModel(Model $model)
@@ -28,8 +27,7 @@ class ModelDoesNotExistException extends LdapRecordException
     /**
      * Set the model that does not exist.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return ModelDoesNotExistException
      */
     public function setModel(Model $model)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Entry.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Entry.php
index b7ad37a44..c11ca72d4 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Entry.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Entry.php
@@ -34,8 +34,7 @@ class Entry extends BaseEntry implements OpenLDAP
     /**
      * Create a new query builder.
      *
-     * @param Connection $connection
-     *
+     * @param  Connection  $connection
      * @return OpenLdapBuilder
      */
     public function newQueryBuilder(Connection $connection)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Group.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Group.php
index 2d8d94e39..a9a682a06 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Group.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Group.php
@@ -13,4 +13,16 @@ class Group extends Entry
         'top',
         'groupofuniquenames',
     ];
+
+    /**
+     * The members relationship.
+     *
+     * Retrieves members that are apart of the group.
+     *
+     * @return \LdapRecord\Models\Relations\HasMany
+     */
+    public function members()
+    {
+        return $this->hasMany([static::class, User::class], 'memberUid');
+    }
 }
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Scopes/AddEntryUuidToSelects.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Scopes/AddEntryUuidToSelects.php
index 54376c2ba..780a633f3 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Scopes/AddEntryUuidToSelects.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/Scopes/AddEntryUuidToSelects.php
@@ -11,9 +11,8 @@ class AddEntryUuidToSelects implements Scope
     /**
      * Add the entry UUID to the selected attributes.
      *
-     * @param Builder $query
-     * @param Model   $model
-     *
+     * @param  Builder  $query
+     * @param  Model  $model
      * @return void
      */
     public function apply(Builder $query, Model $model)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/User.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/User.php
index b37f39056..c8626de6d 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/User.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/OpenLDAP/User.php
@@ -40,7 +40,7 @@ class User extends Entry implements Authenticatable
     /**
      * The groups relationship.
      *
-     * Retrieves groups that the user is apart of.
+     * Retrieve groups that the user is a part of.
      *
      * @return \LdapRecord\Models\Relations\HasMany
      */
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasMany.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasMany.php
index ae36720c2..583f81c30 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasMany.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasMany.php
@@ -5,9 +5,9 @@ namespace LdapRecord\Models\Relations;
 use Closure;
 use LdapRecord\DetectsErrors;
 use LdapRecord\LdapRecordException;
+use LdapRecord\Models\Collection;
 use LdapRecord\Models\Model;
 use LdapRecord\Models\ModelNotFoundException;
-use LdapRecord\Query\Collection;
 
 class HasMany extends OneToMany
 {
@@ -51,9 +51,8 @@ class HasMany extends OneToMany
     /**
      * Set the model and attribute to use for attaching / detaching.
      *
-     * @param Model  $using
-     * @param string $usingKey
-     *
+     * @param  Model  $using
+     * @param  string  $usingKey
      * @return $this
      */
     public function using(Model $using, $usingKey)
@@ -67,8 +66,7 @@ class HasMany extends OneToMany
     /**
      * Set the pagination page size of the relation query.
      *
-     * @param int $pageSize
-     *
+     * @param  int  $pageSize
      * @return $this
      */
     public function setPageSize($pageSize)
@@ -81,8 +79,7 @@ class HasMany extends OneToMany
     /**
      * Paginate the relation using the given page size.
      *
-     * @param int $pageSize
-     *
+     * @param  int  $pageSize
      * @return Collection
      */
     public function paginate($pageSize = 1000)
@@ -93,8 +90,7 @@ class HasMany extends OneToMany
     /**
      * Paginate the relation using the page size once.
      *
-     * @param int $pageSize
-     *
+     * @param  int  $pageSize
      * @return Collection
      */
     protected function paginateOnceUsing($pageSize)
@@ -108,18 +104,67 @@ class HasMany extends OneToMany
         return $result;
     }
 
+    /**
+     * Execute a callback over each result while chunking.
+     *
+     * @param  Closure  $callback
+     * @param  int  $pageSize
+     * @return bool
+     */
+    public function each(Closure $callback, $pageSize = 1000)
+    {
+        $this->chunk($pageSize, function ($results) use ($callback) {
+            foreach ($results as $key => $value) {
+                if ($callback($value, $key) === false) {
+                    return false;
+                }
+            }
+        });
+    }
+
     /**
      * Chunk the relation results using the given callback.
      *
-     * @param int     $pageSize
-     * @param Closure $callback
-     *
-     * @return void
+     * @param  int  $pageSize
+     * @param  Closure  $callback
+     * @param  array  $loaded
+     * @return bool
      */
     public function chunk($pageSize, Closure $callback)
     {
-        $this->getRelationQuery()->chunk($pageSize, function ($entries) use ($callback) {
-            $callback($this->transformResults($entries));
+        return $this->chunkRelation($pageSize, $callback);
+    }
+
+    /**
+     * Execute the callback over chunks of relation results.
+     *
+     * @param  int  $pageSize
+     * @param  Closure  $callback
+     * @param  array  $loaded
+     * @return bool
+     */
+    protected function chunkRelation($pageSize, Closure $callback, $loaded = [])
+    {
+        return $this->getRelationQuery()->chunk($pageSize, function (Collection $results) use ($pageSize, $callback, $loaded) {
+            $models = $this->transformResults($results)->when($this->recursive, function (Collection $models) use ($loaded) {
+                return $models->reject(function (Model $model) use ($loaded) {
+                    return in_array($model->getDn(), $loaded);
+                });
+            });
+
+            if ($callback($models) === false) {
+                return false;
+            }
+
+            $models->when($this->recursive, function (Collection $models) use ($pageSize, $callback, $loaded) {
+                $models->each(function (Model $model) use ($pageSize, $callback, $loaded) {
+                    if ($relation = $model->getRelation($this->relationName)) {
+                        $loaded[] = $model->getDn();
+
+                        return $relation->recursive()->chunkRelation($pageSize, $callback, $loaded);
+                    }
+                });
+            });
         });
     }
 
@@ -168,8 +213,7 @@ class HasMany extends OneToMany
     /**
      * Attach a model to the relation.
      *
-     * @param Model|string $model
-     *
+     * @param  Model|string  $model
      * @return Model|string|false
      */
     public function attach($model)
@@ -184,8 +228,7 @@ class HasMany extends OneToMany
     /**
      * Build the attach callback.
      *
-     * @param Model|string $model
-     *
+     * @param  Model|string  $model
      * @return \Closure
      */
     protected function buildAttachCallback($model)
@@ -208,8 +251,7 @@ class HasMany extends OneToMany
     /**
      * Attach a collection of models to the parent instance.
      *
-     * @param iterable $models
-     *
+     * @param  iterable  $models
      * @return iterable
      */
     public function attachMany($models)
@@ -224,8 +266,7 @@ class HasMany extends OneToMany
     /**
      * Detach the model from the relation.
      *
-     * @param Model|string $model
-     *
+     * @param  Model|string  $model
      * @return Model|string|false
      */
     public function detach($model)
@@ -237,11 +278,29 @@ class HasMany extends OneToMany
         );
     }
 
+    /**
+     * Detach the model or delete the parent if the relation is empty.
+     *
+     * @param  Model|string  $model
+     * @return void
+     */
+    public function detachOrDeleteParent($model)
+    {
+        $count = $this->onceWithoutMerging(function () {
+            return $this->count();
+        });
+
+        if ($count <= 1) {
+            return $this->getParent()->delete();
+        }
+
+        return $this->detach($model);
+    }
+
     /**
      * Build the detach callback.
      *
-     * @param Model|string $model
-     *
+     * @param  Model|string  $model
      * @return \Closure
      */
     protected function buildDetachCallback($model)
@@ -264,8 +323,7 @@ class HasMany extends OneToMany
     /**
      * Get the attachable foreign value from the model.
      *
-     * @param Model|string $model
-     *
+     * @param  Model|string  $model
      * @return string
      */
     protected function getAttachableForeignValue($model)
@@ -282,8 +340,7 @@ class HasMany extends OneToMany
     /**
      * Get the foreign model by the given value, or fail.
      *
-     * @param string $model
-     *
+     * @param  string  $model
      * @return Model
      *
      * @throws ModelNotFoundException
@@ -305,10 +362,9 @@ class HasMany extends OneToMany
      *
      * If a bypassable exception is encountered, the value will be returned.
      *
-     * @param callable     $operation
-     * @param string|array $bypass
-     * @param mixed        $value
-     *
+     * @param  callable  $operation
+     * @param  string|array  $bypass
+     * @param  mixed  $value
      * @return mixed
      *
      * @throws LdapRecordException
@@ -341,4 +397,24 @@ class HasMany extends OneToMany
             });
         });
     }
+
+    /**
+     * Detach all relation models or delete the model if its relation is empty.
+     *
+     * @return Collection
+     */
+    public function detachAllOrDelete()
+    {
+        return $this->onceWithoutMerging(function () {
+            return $this->get()->each(function (Model $model) {
+                $relation = $model->getRelation($this->relationName);
+
+                if ($relation && $relation->count() >= 1) {
+                    $model->delete();
+                } else {
+                    $this->detach($model);
+                }
+            });
+        });
+    }
 }
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasOne.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasOne.php
index 7bad4ab63..243cd2ed9 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasOne.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/HasOne.php
@@ -25,8 +25,7 @@ class HasOne extends Relation
     /**
      * Attach a model instance to the parent model.
      *
-     * @param Model|string $model
-     *
+     * @param  Model|string  $model
      * @return Model|string
      *
      * @throws \LdapRecord\LdapRecordException
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/OneToMany.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/OneToMany.php
index 6d14c8574..aa873b60b 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/OneToMany.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/OneToMany.php
@@ -32,12 +32,12 @@ abstract class OneToMany extends Relation
     /**
      * Constructor.
      *
-     * @param Builder $query
-     * @param Model   $parent
-     * @param string  $related
-     * @param string  $relationKey
-     * @param string  $foreignKey
-     * @param string  $relationName
+     * @param  Builder  $query
+     * @param  Model  $parent
+     * @param  string  $related
+     * @param  string  $relationKey
+     * @param  string  $foreignKey
+     * @param  string  $relationName
      */
     public function __construct(Builder $query, Model $parent, $related, $relationKey, $foreignKey, $relationName)
     {
@@ -49,8 +49,7 @@ abstract class OneToMany extends Relation
     /**
      * Set the relation to load with its parent.
      *
-     * @param Relation $relation
-     *
+     * @param  Relation  $relation
      * @return $this
      */
     public function with(Relation $relation)
@@ -63,8 +62,7 @@ abstract class OneToMany extends Relation
     /**
      * Whether to include recursive results.
      *
-     * @param bool $enable
-     *
+     * @param  bool  $enable
      * @return $this
      */
     public function recursive($enable = true)
@@ -100,8 +98,7 @@ abstract class OneToMany extends Relation
     /**
      * Execute the callback excluding the merged query result.
      *
-     * @param callable $callback
-     *
+     * @param  callable  $callback
      * @return mixed
      */
     protected function onceWithoutMerging($callback)
@@ -142,8 +139,7 @@ abstract class OneToMany extends Relation
     /**
      * Get the results for the models relation recursively.
      *
-     * @param string[] $loaded The distinguished names of models already loaded
-     *
+     * @param  string[]  $loaded  The distinguished names of models already loaded
      * @return Collection
      */
     protected function getRecursiveResults(array $loaded = [])
@@ -172,15 +168,14 @@ abstract class OneToMany extends Relation
     /**
      * Get the recursive relation results for given model.
      *
-     * @param Model $model
-     * @param array $loaded
-     *
+     * @param  Model  $model
+     * @param  array  $loaded
      * @return Collection
      */
     protected function getRecursiveRelationResults(Model $model, array $loaded)
     {
-        return method_exists($model, $this->relationName)
-            ? $model->{$this->relationName}()->getRecursiveResults($loaded)
+        return ($relation = $model->getRelation($this->relationName))
+            ? $relation->getRecursiveResults($loaded)
             : $model->newCollection();
     }
 }
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/Relation.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/Relation.php
index 1b108fd91..31b0969c9 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/Relation.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Relations/Relation.php
@@ -2,6 +2,7 @@
 
 namespace LdapRecord\Models\Relations;
 
+use Closure;
 use LdapRecord\Models\Entry;
 use LdapRecord\Models\Model;
 use LdapRecord\Query\Collection;
@@ -9,7 +10,8 @@ use LdapRecord\Query\Model\Builder;
 
 /**
  * @method bool exists($models = null) Determine if the relation contains all of the given models, or any models
- * @method bool contains($models)      Determine if any of the given models are contained in the relation
+ * @method bool contains($models) Determine if any of the given models are contained in the relation
+ * @method bool count() Retrieve the "count" result of the query.
  */
 abstract class Relation
 {
@@ -28,7 +30,7 @@ abstract class Relation
     protected $parent;
 
     /**
-     * The related models.
+     * The related model class names.
      *
      * @var array
      */
@@ -55,14 +57,28 @@ abstract class Relation
      */
     protected $default = Entry::class;
 
+    /**
+     * The callback to use for resolving relation models.
+     *
+     * @var Closure
+     */
+    protected static $modelResolver;
+
+    /**
+     * The methods that should be passed along to a relation collection.
+     *
+     * @var string[]
+     */
+    protected $passthru = ['count', 'exists', 'contains'];
+
     /**
      * Constructor.
      *
-     * @param Builder $query
-     * @param Model   $parent
-     * @param mixed   $related
-     * @param string  $relationKey
-     * @param string  $foreignKey
+     * @param  Builder  $query
+     * @param  Model  $parent
+     * @param  string|array  $related
+     * @param  string  $relationKey
+     * @param  string  $foreignKey
      */
     public function __construct(Builder $query, Model $parent, $related, $relationKey, $foreignKey)
     {
@@ -72,20 +88,23 @@ abstract class Relation
         $this->relationKey = $relationKey;
         $this->foreignKey = $foreignKey;
 
+        static::$modelResolver = static::$modelResolver ?? function (array $modelObjectClasses, array $relationMap) {
+            return array_search($modelObjectClasses, $relationMap);
+        };
+
         $this->initRelation();
     }
 
     /**
      * Handle dynamic method calls to the relationship.
      *
-     * @param string $method
-     * @param array  $parameters
-     *
+     * @param  string  $method
+     * @param  array  $parameters
      * @return mixed
      */
     public function __call($method, $parameters)
     {
-        if (in_array($method, ['exists', 'contains'])) {
+        if (in_array($method, $this->passthru)) {
             return $this->get('objectclass')->$method(...$parameters);
         }
 
@@ -98,6 +117,45 @@ abstract class Relation
         return $result;
     }
 
+    /**
+     * Set the callback to use for resolving models from relation results.
+     *
+     * @param  Closure  $callback
+     * @return void
+     */
+    public static function resolveModelsUsing(Closure $callback)
+    {
+        static::$modelResolver = $callback;
+    }
+
+    /**
+     * Only return objects matching the related model's object classes.
+     *
+     * @return $this
+     */
+    public function onlyRelated()
+    {
+        $relations = [];
+
+        foreach ($this->related as $related) {
+            $relations[$related] = $related::$objectClasses;
+        }
+
+        $relations = array_filter($relations);
+
+        if (empty($relations)) {
+            return $this;
+        }
+
+        $this->query->andFilter(function (Builder $query) use ($relations) {
+            foreach ($relations as $relation => $objectClasses) {
+                $query->whereIn('objectclass', $objectClasses);
+            }
+        });
+
+        return $this;
+    }
+
     /**
      * Get the results of the relationship.
      *
@@ -108,8 +166,7 @@ abstract class Relation
     /**
      * Execute the relationship query.
      *
-     * @param array|string $columns
-     *
+     * @param  array|string  $columns
      * @return Collection
      */
     public function get($columns = ['*'])
@@ -122,8 +179,7 @@ abstract class Relation
      *
      * If the query columns are empty, the given columns are applied.
      *
-     * @param array $columns
-     *
+     * @param  array  $columns
      * @return Collection
      */
     protected function getResultsWithColumns($columns)
@@ -138,8 +194,7 @@ abstract class Relation
     /**
      * Get the first result of the relationship.
      *
-     * @param array|string $columns
-     *
+     * @param  array|string  $columns
      * @return Model|null
      */
     public function first($columns = ['*'])
@@ -162,6 +217,21 @@ abstract class Relation
         return $this;
     }
 
+    /**
+     * Set the underlying query for the relation.
+     *
+     * @param  Builder  $query
+     * @return $this
+     */
+    public function setQuery(Builder $query)
+    {
+        $this->query = $query;
+
+        $this->initRelation();
+
+        return $this;
+    }
+
     /**
      * Get the underlying query for the relation.
      *
@@ -239,8 +309,7 @@ abstract class Relation
     /**
      * Get the foreign model by the given value.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return Model|null
      */
     protected function getForeignModelByValue($value)
@@ -253,8 +322,7 @@ abstract class Relation
     /**
      * Returns the escaped foreign key value for use in an LDAP filter from the model.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return string
      */
     protected function getEscapedForeignValueFromModel(Model $model)
@@ -277,8 +345,7 @@ abstract class Relation
     /**
      * Get the foreign key value from the model.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return string
      */
     protected function getForeignValueFromModel(Model $model)
@@ -291,9 +358,8 @@ abstract class Relation
     /**
      * Get the first attribute value from the model.
      *
-     * @param Model  $model
-     * @param string $attribute
-     *
+     * @param  Model  $model
+     * @param  string  $attribute
      * @return string|null
      */
     protected function getFirstAttributeValue(Model $model, $attribute)
@@ -304,20 +370,21 @@ abstract class Relation
     /**
      * Transforms the results by converting the models into their related.
      *
-     * @param Collection $results
-     *
+     * @param  Collection  $results
      * @return Collection
      */
     protected function transformResults(Collection $results)
     {
-        $related = [];
+        $relationMap = [];
 
         foreach ($this->related as $relation) {
-            $related[$relation] = $relation::$objectClasses;
+            $relationMap[$relation] = $this->normalizeObjectClasses(
+                $relation::$objectClasses
+            );
         }
 
-        return $results->transform(function (Model $entry) use ($related) {
-            $model = $this->determineModelFromRelated($entry, $related);
+        return $results->transform(function (Model $entry) use ($relationMap) {
+            $model = $this->determineModelFromRelated($entry, $relationMap);
 
             return class_exists($model) ? $entry->convert(new $model()) : $entry;
         });
@@ -334,29 +401,33 @@ abstract class Relation
     }
 
     /**
-     * Determines the model from the given relations.
+     * Determines the model from the given relation map.
      *
-     * @param Model $model
-     * @param array $related
-     *
-     * @return string|bool
+     * @param  Model  $model
+     * @param  array  $relationMap
+     * @return class-string|bool
      */
-    protected function determineModelFromRelated(Model $model, array $related)
+    protected function determineModelFromRelated(Model $model, array $relationMap)
     {
         // We must normalize all the related models object class
         // names to the same case so we are able to properly
         // determine the owning model from search results.
-        return array_search(
-            $this->normalizeObjectClasses($model->getObjectClasses()),
-            array_map([$this, 'normalizeObjectClasses'], $related)
+        $modelObjectClasses = $this->normalizeObjectClasses(
+            $model->getObjectClasses()
+        );
+
+        return call_user_func(
+            static::$modelResolver,
+            $modelObjectClasses,
+            $relationMap,
+            $model,
         );
     }
 
     /**
      * Sort and normalize the object classes.
      *
-     * @param array $classes
-     *
+     * @param  array  $classes
      * @return array
      */
     protected function normalizeObjectClasses($classes)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Scope.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Scope.php
index 321cae357..f61cf686b 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Scope.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Scope.php
@@ -9,9 +9,8 @@ interface Scope
     /**
      * Apply the scope to the given query.
      *
-     * @param Builder $query
-     * @param Model   $model
-     *
+     * @param  Builder  $query
+     * @param  Model  $model
      * @return void
      */
     public function apply(Builder $query, Model $model);
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/ActiveDirectory.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/ActiveDirectory.php
index 61d21ef28..3edcf88c9 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/ActiveDirectory.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/ActiveDirectory.php
@@ -23,7 +23,16 @@ interface ActiveDirectory extends TypeInterface
     /**
      * Returns the model's SID.
      *
+     * @param  string|null  $sid
      * @return string|null
      */
-    public function getConvertedSid();
+    public function getConvertedSid($sid = null);
+
+    /**
+     * Returns the model's binary SID.
+     *
+     * @param  string|null  $sid
+     * @return string|null
+     */
+    public function getBinarySid($sid = null);
 }
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/DirectoryServer.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/DirectoryServer.php
new file mode 100644
index 000000000..f06216cd5
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Models/Types/DirectoryServer.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace LdapRecord\Models\Types;
+
+interface DirectoryServer extends TypeInterface
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ArrayCacheStore.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ArrayCacheStore.php
index d7480a7b5..2fb9c9a72 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ArrayCacheStore.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ArrayCacheStore.php
@@ -53,8 +53,7 @@ class ArrayCacheStore implements CacheInterface
     /**
      * Get the expiration time of the key.
      *
-     * @param int $seconds
-     *
+     * @param  int  $seconds
      * @return int
      */
     protected function calculateExpiration($seconds)
@@ -65,8 +64,7 @@ class ArrayCacheStore implements CacheInterface
     /**
      * Get the UNIX timestamp for the given number of seconds.
      *
-     * @param int $seconds
-     *
+     * @param  int  $seconds
      * @return int
      */
     protected function toTimestamp($seconds)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Builder.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Builder.php
index b9e31960e..c93c17809 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Builder.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Builder.php
@@ -20,7 +20,6 @@ use LdapRecord\Query\Pagination\Paginator;
 use LdapRecord\Support\Arr;
 use LdapRecord\Utilities;
 
-/** @psalm-suppress UndefinedClass */
 class Builder
 {
     use EscapesValues;
@@ -144,7 +143,7 @@ class Builder
     /**
      * Constructor.
      *
-     * @param Connection $connection
+     * @param  Connection  $connection
      */
     public function __construct(Connection $connection)
     {
@@ -155,8 +154,7 @@ class Builder
     /**
      * Set the current connection.
      *
-     * @param Connection $connection
-     *
+     * @param  Connection  $connection
      * @return $this
      */
     public function setConnection(Connection $connection)
@@ -169,8 +167,7 @@ class Builder
     /**
      * Set the current filter grammar.
      *
-     * @param Grammar $grammar
-     *
+     * @param  Grammar  $grammar
      * @return $this
      */
     public function setGrammar(Grammar $grammar)
@@ -183,8 +180,7 @@ class Builder
     /**
      * Set the cache to store query results.
      *
-     * @param Cache|null $cache
-     *
+     * @param  Cache|null  $cache
      * @return $this
      */
     public function setCache(Cache $cache = null)
@@ -197,8 +193,7 @@ class Builder
     /**
      * Returns a new Query Builder instance.
      *
-     * @param string $baseDn
-     *
+     * @param  string  $baseDn
      * @return $this
      */
     public function newInstance($baseDn = null)
@@ -213,8 +208,7 @@ class Builder
     /**
      * Returns a new nested Query Builder instance.
      *
-     * @param Closure|null $closure
-     *
+     * @param  Closure|null  $closure
      * @return $this
      */
     public function newNestedInstance(Closure $closure = null)
@@ -231,8 +225,7 @@ class Builder
     /**
      * Executes the LDAP query.
      *
-     * @param string|array $columns
-     *
+     * @param  string|array  $columns
      * @return Collection|array
      */
     public function get($columns = ['*'])
@@ -247,9 +240,8 @@ class Builder
      *
      * After running the callback, the columns are reset to the original value.
      *
-     * @param array   $columns
-     * @param Closure $callback
-     *
+     * @param  array  $columns
+     * @param  Closure  $callback
      * @return mixed
      */
     protected function onceWithColumns($columns, Closure $callback)
@@ -336,8 +328,7 @@ class Builder
     /**
      * Set the base distinguished name of the query.
      *
-     * @param Model|string $dn
-     *
+     * @param  Model|string  $dn
      * @return $this
      */
     public function setBaseDn($dn)
@@ -370,8 +361,7 @@ class Builder
     /**
      * Set the distinguished name for the query.
      *
-     * @param string|Model|null $dn
-     *
+     * @param  string|Model|null  $dn
      * @return $this
      */
     public function setDn($dn = null)
@@ -384,8 +374,7 @@ class Builder
     /**
      * Substitute the base DN string template for the current base.
      *
-     * @param Model|string $dn
-     *
+     * @param  Model|string  $dn
      * @return string
      */
     protected function substituteBaseInDn($dn)
@@ -400,8 +389,7 @@ class Builder
     /**
      * Alias for setting the distinguished name for the query.
      *
-     * @param string|Model|null $dn
-     *
+     * @param  string|Model|null  $dn
      * @return $this
      */
     public function in($dn = null)
@@ -412,8 +400,7 @@ class Builder
     /**
      * Set the size limit of the current query.
      *
-     * @param int $limit
-     *
+     * @param  int  $limit
      * @return $this
      */
     public function limit($limit = 0)
@@ -426,8 +413,7 @@ class Builder
     /**
      * Returns a new query for the given model.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return ModelBuilder
      */
     public function model(Model $model)
@@ -441,8 +427,7 @@ class Builder
     /**
      * Performs the specified query on the current LDAP connection.
      *
-     * @param string $query
-     *
+     * @param  string  $query
      * @return Collection|array
      */
     public function query($query)
@@ -466,9 +451,8 @@ class Builder
     /**
      * Paginates the current LDAP query.
      *
-     * @param int  $pageSize
-     * @param bool $isCritical
-     *
+     * @param  int  $pageSize
+     * @param  bool  $isCritical
      * @return Collection|array
      */
     public function paginate($pageSize = 1000, $isCritical = false)
@@ -496,10 +480,9 @@ class Builder
     /**
      * Runs the paginate operation with the given filter.
      *
-     * @param string $filter
-     * @param int    $perPage
-     * @param bool   $isCritical
-     *
+     * @param  string  $filter
+     * @param  int  $perPage
+     * @param  bool  $isCritical
      * @return array
      */
     protected function runPaginate($filter, $perPage, $isCritical)
@@ -512,46 +495,51 @@ class Builder
     /**
      * Execute a callback over each item while chunking.
      *
-     * @param Closure $callback
-     * @param int     $count
-     *
+     * @param  Closure  $callback
+     * @param  int  $pageSize
+     * @param  bool  $isCritical
+     * @param  bool  $isolate
      * @return bool
      */
-    public function each(Closure $callback, $count = 1000)
+    public function each(Closure $callback, $pageSize = 1000, $isCritical = false, $isolate = false)
     {
-        return $this->chunk($count, function ($results) use ($callback) {
+        return $this->chunk($pageSize, function ($results) use ($callback) {
             foreach ($results as $key => $value) {
                 if ($callback($value, $key) === false) {
                     return false;
                 }
             }
-        });
+        }, $isCritical, $isolate);
     }
 
     /**
      * Chunk the results of a paginated LDAP query.
      *
-     * @param int     $pageSize
-     * @param Closure $callback
-     * @param bool    $isCritical
-     *
+     * @param  int  $pageSize
+     * @param  Closure  $callback
+     * @param  bool  $isCritical
+     * @param  bool  $isolate
      * @return bool
      */
-    public function chunk($pageSize, Closure $callback, $isCritical = false)
+    public function chunk($pageSize, Closure $callback, $isCritical = false, $isolate = false)
     {
         $start = microtime(true);
 
-        $query = $this->getQuery();
+        $chunk = function (Builder $query) use ($pageSize, $callback, $isCritical) {
+            $page = 1;
 
-        $page = 1;
+            foreach ($query->runChunk($this->getQuery(), $pageSize, $isCritical) as $chunk) {
+                if ($callback($this->process($chunk), $page) === false) {
+                    return false;
+                }
 
-        foreach ($this->runChunk($query, $pageSize, $isCritical) as $chunk) {
-            if ($callback($this->process($chunk), $page) === false) {
-                return false;
+                $page++;
             }
+        };
 
-            $page++;
-        }
+        $isolate ? $this->connection->isolate(function (Connection $replicate) use ($chunk) {
+            $chunk($this->clone()->setConnection($replicate));
+        }) : $chunk($this);
 
         $this->logQuery($this, 'chunk', $this->getElapsedTime($start));
 
@@ -561,11 +549,10 @@ class Builder
     /**
      * Runs the chunk operation with the given filter.
      *
-     * @param string $filter
-     * @param int    $perPage
-     * @param bool   $isCritical
-     *
-     * @return array
+     * @param  string  $filter
+     * @param  int  $perPage
+     * @param  bool  $isCritical
+     * @return \Generator
      */
     protected function runChunk($filter, $perPage, $isCritical)
     {
@@ -574,11 +561,61 @@ class Builder
         });
     }
 
+    /**
+     * Create a slice of the LDAP query into a page.
+     *
+     * @param  int  $page
+     * @param  int  $perPage
+     * @param  string  $orderBy
+     * @param  string  $orderByDir
+     * @return Slice
+     */
+    public function slice($page = 1, $perPage = 100, $orderBy = 'cn', $orderByDir = 'asc')
+    {
+        $results = $this->forPage($page, $perPage, $orderBy, $orderByDir);
+
+        $total = $this->controlsResponse[LDAP_CONTROL_VLVRESPONSE]['value']['count'] ?? 0;
+
+        // Some LDAP servers seem to have an issue where the last result in a virtual
+        // list view will always be returned, regardless of the offset being larger
+        // than the result itself. In this case, we will manually return an empty
+        // response so that no objects are deceivingly included in the slice.
+        $objects = $page > max((int) ceil($total / $perPage), 1)
+            ? ($this instanceof ModelBuilder ? $this->model->newCollection() : [])
+            : $results;
+
+        return new Slice($objects, $total, $perPage, $page);
+    }
+
+    /**
+     * Get the results of a query for a given page.
+     *
+     * @param  int  $page
+     * @param  int  $perPage
+     * @param  string  $orderBy
+     * @param  string  $orderByDir
+     * @return Collection|array
+     */
+    public function forPage($page = 1, $perPage = 100, $orderBy = 'cn', $orderByDir = 'asc')
+    {
+        if (! $this->hasOrderBy()) {
+            $this->orderBy($orderBy, $orderByDir);
+        }
+
+        $this->addControl(LDAP_CONTROL_VLVREQUEST, true, [
+            'before' => 0,
+            'after' => $perPage - 1,
+            'offset' => ($page * $perPage) - $perPage + 1,
+            'count' => 0,
+        ]);
+
+        return $this->get();
+    }
+
     /**
      * Processes and converts the given LDAP results into models.
      *
-     * @param array $results
-     *
+     * @param  array  $results
      * @return array
      */
     protected function process(array $results)
@@ -595,8 +632,7 @@ class Builder
     /**
      * Flattens LDAP paged results into a single array.
      *
-     * @param array $pages
-     *
+     * @param  array  $pages
      * @return array
      */
     protected function flattenPages(array $pages)
@@ -615,9 +651,8 @@ class Builder
     /**
      * Get the cached response or execute and cache the callback value.
      *
-     * @param string  $query
-     * @param Closure $callback
-     *
+     * @param  string  $query
+     * @param  Closure  $callback
      * @return mixed
      */
     protected function getCachedResponse($query, Closure $callback)
@@ -638,8 +673,7 @@ class Builder
     /**
      * Runs the query operation with the given filter.
      *
-     * @param string $filter
-     *
+     * @param  string  $filter
      * @return resource
      */
     public function run($filter)
@@ -668,8 +702,7 @@ class Builder
     /**
      * Parses the given LDAP resource by retrieving its entries.
      *
-     * @param resource $resource
-     *
+     * @param  resource  $resource
      * @return array
      */
     public function parse($resource)
@@ -708,13 +741,14 @@ class Builder
     /**
      * Returns the cache key.
      *
-     * @param string $query
-     *
+     * @param  string  $query
      * @return string
      */
     protected function getCacheKey($query)
     {
-        $host = $this->connection->getLdapConnection()->getHost();
+        $host = $this->connection->run(function (LdapInterface $ldap) {
+            return $ldap->getHost();
+        });
 
         $key = $host
             .$this->type
@@ -730,8 +764,7 @@ class Builder
     /**
      * Returns the first entry in a search result.
      *
-     * @param array|string $columns
-     *
+     * @param  array|string  $columns
      * @return Model|null
      */
     public function first($columns = ['*'])
@@ -746,8 +779,7 @@ class Builder
      *
      * If no entry is found, an exception is thrown.
      *
-     * @param array|string $columns
-     *
+     * @param  array|string  $columns
      * @return Model|array
      *
      * @throws ObjectNotFoundException
@@ -764,8 +796,7 @@ class Builder
     /**
      * Return the first entry in a result, or execute the callback.
      *
-     * @param Closure $callback
-     *
+     * @param  Closure  $callback
      * @return Model|mixed
      */
     public function firstOr(Closure $callback)
@@ -776,8 +807,7 @@ class Builder
     /**
      * Execute the query and get the first result if it's the sole matching record.
      *
-     * @param array|string $columns
-     *
+     * @param  array|string  $columns
      * @return Model|array
      *
      * @throws ObjectsNotFoundException
@@ -821,8 +851,7 @@ class Builder
     /**
      * Execute the given callback if no rows exist for the current query.
      *
-     * @param Closure $callback
-     *
+     * @param  Closure  $callback
      * @return bool|mixed
      */
     public function existsOr(Closure $callback)
@@ -833,8 +862,8 @@ class Builder
     /**
      * Throws a not found exception.
      *
-     * @param string $query
-     * @param string $dn
+     * @param  string  $query
+     * @param  string  $dn
      *
      * @throws ObjectNotFoundException
      */
@@ -846,10 +875,9 @@ class Builder
     /**
      * Finds a record by the specified attribute and value.
      *
-     * @param string       $attribute
-     * @param string       $value
-     * @param array|string $columns
-     *
+     * @param  string  $attribute
+     * @param  string  $value
+     * @param  array|string  $columns
      * @return Model|static|null
      */
     public function findBy($attribute, $value, $columns = ['*'])
@@ -866,10 +894,9 @@ class Builder
      *
      * If no record is found an exception is thrown.
      *
-     * @param string       $attribute
-     * @param string       $value
-     * @param array|string $columns
-     *
+     * @param  string  $attribute
+     * @param  string  $value
+     * @param  array|string  $columns
      * @return Model
      *
      * @throws ObjectNotFoundException
@@ -882,9 +909,8 @@ class Builder
     /**
      * Find many records by distinguished name.
      *
-     * @param array $dns
-     * @param array $columns
-     *
+     * @param  string|array  $dns
+     * @param  array  $columns
      * @return array|Collection
      */
     public function findMany($dns, $columns = ['*'])
@@ -895,7 +921,7 @@ class Builder
 
         $objects = [];
 
-        foreach ($dns as $dn) {
+        foreach ((array) $dns as $dn) {
             if (! is_null($object = $this->find($dn, $columns))) {
                 $objects[] = $object;
             }
@@ -907,10 +933,9 @@ class Builder
     /**
      * Finds many records by the specified attribute.
      *
-     * @param string $attribute
-     * @param array  $values
-     * @param array  $columns
-     *
+     * @param  string  $attribute
+     * @param  array  $values
+     * @param  array  $columns
      * @return Collection
      */
     public function findManyBy($attribute, array $values = [], $columns = ['*'])
@@ -927,9 +952,8 @@ class Builder
     /**
      * Finds a record by its distinguished name.
      *
-     * @param string|array $dn
-     * @param array|string $columns
-     *
+     * @param  string|array  $dn
+     * @param  array|string  $columns
      * @return Model|static|array|Collection|null
      */
     public function find($dn, $columns = ['*'])
@@ -950,9 +974,8 @@ class Builder
      *
      * Fails upon no records returned.
      *
-     * @param string       $dn
-     * @param array|string $columns
-     *
+     * @param  string  $dn
+     * @param  array|string  $columns
      * @return Model|static
      *
      * @throws ObjectNotFoundException
@@ -968,8 +991,7 @@ class Builder
     /**
      * Adds the inserted fields to query on the current LDAP connection.
      *
-     * @param array|string $columns
-     *
+     * @param  array|string  $columns
      * @return $this
      */
     public function select($columns = ['*'])
@@ -986,8 +1008,7 @@ class Builder
     /**
      * Add a new select column to the query.
      *
-     * @param array|mixed $column
-     *
+     * @param  array|mixed  $column
      * @return $this
      */
     public function addSelect($column)
@@ -1002,9 +1023,8 @@ class Builder
     /**
      * Add an order by control to the query.
      *
-     * @param string $attribute
-     * @param string $direction
-     *
+     * @param  string  $attribute
+     * @param  string  $direction
      * @return $this
      */
     public function orderBy($attribute, $direction = 'asc')
@@ -1017,8 +1037,7 @@ class Builder
     /**
      * Add an order by descending control to the query.
      *
-     * @param string $attribute
-     *
+     * @param  string  $attribute
      * @return $this
      */
     public function orderByDesc($attribute)
@@ -1026,11 +1045,20 @@ class Builder
         return $this->orderBy($attribute, 'desc');
     }
 
+    /**
+     * Determine if the query has a sotr request control header.
+     *
+     * @return bool
+     */
+    public function hasOrderBy()
+    {
+        return $this->hasControl(LDAP_CONTROL_SORTREQUEST);
+    }
+
     /**
      * Adds a raw filter to the current query.
      *
-     * @param array|string $filters
-     *
+     * @param  array|string  $filters
      * @return $this
      */
     public function rawFilter($filters = [])
@@ -1047,8 +1075,7 @@ class Builder
     /**
      * Adds a nested 'and' filter to the current query.
      *
-     * @param Closure $closure
-     *
+     * @param  Closure  $closure
      * @return $this
      */
     public function andFilter(Closure $closure)
@@ -1063,8 +1090,7 @@ class Builder
     /**
      * Adds a nested 'or' filter to the current query.
      *
-     * @param Closure $closure
-     *
+     * @param  Closure  $closure
      * @return $this
      */
     public function orFilter(Closure $closure)
@@ -1079,8 +1105,7 @@ class Builder
     /**
      * Adds a nested 'not' filter to the current query.
      *
-     * @param Closure $closure
-     *
+     * @param  Closure  $closure
      * @return $this
      */
     public function notFilter(Closure $closure)
@@ -1095,12 +1120,11 @@ class Builder
     /**
      * Adds a where clause to the current query.
      *
-     * @param string|array $field
-     * @param string       $operator
-     * @param string       $value
-     * @param string       $boolean
-     * @param bool         $raw
-     *
+     * @param  string|array  $field
+     * @param  string  $operator
+     * @param  string  $value
+     * @param  string  $boolean
+     * @param  bool  $raw
      * @return $this
      *
      * @throws InvalidArgumentException
@@ -1138,10 +1162,9 @@ class Builder
     /**
      * Prepare the value for being queried.
      *
-     * @param string $field
-     * @param string $value
-     * @param bool   $raw
-     *
+     * @param  string  $field
+     * @param  string  $value
+     * @param  bool  $raw
      * @return string
      */
     protected function prepareWhereValue($field, $value, $raw = false)
@@ -1154,10 +1177,9 @@ class Builder
      *
      * Values given to this method are not escaped.
      *
-     * @param string|array $field
-     * @param string       $operator
-     * @param string       $value
-     *
+     * @param  string|array  $field
+     * @param  string  $operator
+     * @param  string  $value
      * @return $this
      */
     public function whereRaw($field, $operator = null, $value = null)
@@ -1168,9 +1190,8 @@ class Builder
     /**
      * Adds a 'where equals' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereEquals($field, $value)
@@ -1181,9 +1202,8 @@ class Builder
     /**
      * Adds a 'where not equals' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereNotEquals($field, $value)
@@ -1194,9 +1214,8 @@ class Builder
     /**
      * Adds a 'where approximately equals' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereApproximatelyEquals($field, $value)
@@ -1207,8 +1226,7 @@ class Builder
     /**
      * Adds a 'where has' clause to the current query.
      *
-     * @param string $field
-     *
+     * @param  string  $field
      * @return $this
      */
     public function whereHas($field)
@@ -1219,8 +1237,7 @@ class Builder
     /**
      * Adds a 'where not has' clause to the current query.
      *
-     * @param string $field
-     *
+     * @param  string  $field
      * @return $this
      */
     public function whereNotHas($field)
@@ -1231,9 +1248,8 @@ class Builder
     /**
      * Adds a 'where contains' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereContains($field, $value)
@@ -1244,9 +1260,8 @@ class Builder
     /**
      * Adds a 'where contains' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereNotContains($field, $value)
@@ -1257,9 +1272,8 @@ class Builder
     /**
      * Query for entries that match any of the values provided for the given field.
      *
-     * @param string $field
-     * @param array  $values
-     *
+     * @param  string  $field
+     * @param  array  $values
      * @return $this
      */
     public function whereIn($field, array $values)
@@ -1274,9 +1288,8 @@ class Builder
     /**
      * Adds a 'between' clause to the current query.
      *
-     * @param string $field
-     * @param array  $values
-     *
+     * @param  string  $field
+     * @param  array  $values
      * @return $this
      */
     public function whereBetween($field, array $values)
@@ -1290,9 +1303,8 @@ class Builder
     /**
      * Adds a 'where starts with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereStartsWith($field, $value)
@@ -1303,9 +1315,8 @@ class Builder
     /**
      * Adds a 'where *not* starts with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereNotStartsWith($field, $value)
@@ -1316,9 +1327,8 @@ class Builder
     /**
      * Adds a 'where ends with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereEndsWith($field, $value)
@@ -1329,9 +1339,8 @@ class Builder
     /**
      * Adds a 'where *not* ends with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function whereNotEndsWith($field, $value)
@@ -1362,10 +1371,9 @@ class Builder
     /**
      * Add a server control to the query.
      *
-     * @param string $oid
-     * @param bool   $isCritical
-     * @param mixed  $value
-     *
+     * @param  string  $oid
+     * @param  bool  $isCritical
+     * @param  mixed  $value
      * @return $this
      */
     public function addControl($oid, $isCritical = false, $value = null)
@@ -1378,8 +1386,7 @@ class Builder
     /**
      * Determine if the server control exists on the query.
      *
-     * @param string $oid
-     *
+     * @param  string  $oid
      * @return bool
      */
     public function hasControl($oid)
@@ -1390,10 +1397,9 @@ class Builder
     /**
      * Adds an 'or where' clause to the current query.
      *
-     * @param array|string $field
-     * @param string|null  $operator
-     * @param string|null  $value
-     *
+     * @param  array|string  $field
+     * @param  string|null  $operator
+     * @param  string|null  $value
      * @return $this
      */
     public function orWhere($field, $operator = null, $value = null)
@@ -1406,10 +1412,9 @@ class Builder
      *
      * Values given to this method are not escaped.
      *
-     * @param string $field
-     * @param string $operator
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $operator
+     * @param  string  $value
      * @return $this
      */
     public function orWhereRaw($field, $operator = null, $value = null)
@@ -1420,8 +1425,7 @@ class Builder
     /**
      * Adds an 'or where has' clause to the current query.
      *
-     * @param string $field
-     *
+     * @param  string  $field
      * @return $this
      */
     public function orWhereHas($field)
@@ -1432,8 +1436,7 @@ class Builder
     /**
      * Adds a 'where not has' clause to the current query.
      *
-     * @param string $field
-     *
+     * @param  string  $field
      * @return $this
      */
     public function orWhereNotHas($field)
@@ -1444,9 +1447,8 @@ class Builder
     /**
      * Adds an 'or where equals' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereEquals($field, $value)
@@ -1457,9 +1459,8 @@ class Builder
     /**
      * Adds an 'or where not equals' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereNotEquals($field, $value)
@@ -1470,9 +1471,8 @@ class Builder
     /**
      * Adds a 'or where approximately equals' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereApproximatelyEquals($field, $value)
@@ -1483,9 +1483,8 @@ class Builder
     /**
      * Adds an 'or where contains' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereContains($field, $value)
@@ -1496,9 +1495,8 @@ class Builder
     /**
      * Adds an 'or where *not* contains' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereNotContains($field, $value)
@@ -1509,9 +1507,8 @@ class Builder
     /**
      * Adds an 'or where starts with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereStartsWith($field, $value)
@@ -1522,9 +1519,8 @@ class Builder
     /**
      * Adds an 'or where *not* starts with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereNotStartsWith($field, $value)
@@ -1535,9 +1531,8 @@ class Builder
     /**
      * Adds an 'or where ends with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereEndsWith($field, $value)
@@ -1548,9 +1543,8 @@ class Builder
     /**
      * Adds an 'or where *not* ends with' clause to the current query.
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return $this
      */
     public function orWhereNotEndsWith($field, $value)
@@ -1561,9 +1555,8 @@ class Builder
     /**
      * Adds a filter binding onto the current query.
      *
-     * @param string $type     The type of filter to add.
-     * @param array  $bindings The bindings of the filter.
-     *
+     * @param  string  $type  The type of filter to add.
+     * @param  array  $bindings  The bindings of the filter.
      * @return $this
      *
      * @throws InvalidArgumentException
@@ -1591,8 +1584,7 @@ class Builder
     /**
      * Extract any missing required binding keys.
      *
-     * @param array $bindings
-     *
+     * @param  array  $bindings
      * @return array
      */
     protected function missingBindingKeys($bindings)
@@ -1704,8 +1696,7 @@ class Builder
     /**
      * Whether to mark the current query as nested.
      *
-     * @param bool $nested
-     *
+     * @param  bool  $nested
      * @return $this
      */
     public function nested($nested = true)
@@ -1720,9 +1711,8 @@ class Builder
      *
      * If flushing is enabled, the query cache will be flushed and then re-cached.
      *
-     * @param DateTimeInterface $until When to expire the query cache.
-     * @param bool              $flush Whether to force-flush the query cache.
-     *
+     * @param  DateTimeInterface  $until  When to expire the query cache.
+     * @param  bool  $flush  Whether to force-flush the query cache.
      * @return $this
      */
     public function cache(DateTimeInterface $until = null, $flush = false)
@@ -1757,9 +1747,8 @@ class Builder
     /**
      * Insert an entry into the directory.
      *
-     * @param string $dn
-     * @param array  $attributes
-     *
+     * @param  string  $dn
+     * @param  array  $attributes
      * @return bool
      *
      * @throws LdapRecordException
@@ -1784,9 +1773,8 @@ class Builder
     /**
      * Create attributes on the entry in the directory.
      *
-     * @param string $dn
-     * @param array  $attributes
-     *
+     * @param  string  $dn
+     * @param  array  $attributes
      * @return bool
      */
     public function insertAttributes($dn, array $attributes)
@@ -1799,9 +1787,8 @@ class Builder
     /**
      * Update the entry with the given modifications.
      *
-     * @param string $dn
-     * @param array  $modifications
-     *
+     * @param  string  $dn
+     * @param  array  $modifications
      * @return bool
      */
     public function update($dn, array $modifications)
@@ -1814,9 +1801,8 @@ class Builder
     /**
      * Update an entries attribute in the directory.
      *
-     * @param string $dn
-     * @param array  $attributes
-     *
+     * @param  string  $dn
+     * @param  array  $attributes
      * @return bool
      */
     public function updateAttributes($dn, array $attributes)
@@ -1829,8 +1815,7 @@ class Builder
     /**
      * Delete an entry from the directory.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return bool
      */
     public function delete($dn)
@@ -1843,9 +1828,8 @@ class Builder
     /**
      * Delete attributes on the entry in the directory.
      *
-     * @param string $dn
-     * @param array  $attributes
-     *
+     * @param  string  $dn
+     * @param  array  $attributes
      * @return bool
      */
     public function deleteAttributes($dn, array $attributes)
@@ -1858,11 +1842,10 @@ class Builder
     /**
      * Rename an entry in the directory.
      *
-     * @param string $dn
-     * @param string $rdn
-     * @param string $newParentDn
-     * @param bool   $deleteOldRdn
-     *
+     * @param  string  $dn
+     * @param  string  $rdn
+     * @param  string  $newParentDn
+     * @param  bool  $deleteOldRdn
      * @return bool
      */
     public function rename($dn, $rdn, $newParentDn, $deleteOldRdn = true)
@@ -1872,12 +1855,21 @@ class Builder
         });
     }
 
+    /**
+     * Clone the query.
+     *
+     * @return static
+     */
+    public function clone()
+    {
+        return clone $this;
+    }
+
     /**
      * Handle dynamic method calls on the query builder.
      *
-     * @param string $method
-     * @param array  $parameters
-     *
+     * @param  string  $method
+     * @param  array  $parameters
      * @return mixed
      *
      * @throws BadMethodCallException
@@ -1901,9 +1893,8 @@ class Builder
     /**
      * Handles dynamic "where" clauses to the query.
      *
-     * @param string $method
-     * @param array  $parameters
-     *
+     * @param  string  $method
+     * @param  array  $parameters
      * @return $this
      */
     public function dynamicWhere($method, $parameters)
@@ -1943,10 +1934,9 @@ class Builder
     /**
      * Adds an array of wheres to the current query.
      *
-     * @param array  $wheres
-     * @param string $boolean
-     * @param bool   $raw
-     *
+     * @param  array  $wheres
+     * @param  string  $boolean
+     * @param  bool  $raw
      * @return $this
      */
     protected function addArrayOfWheres($wheres, $boolean, $raw)
@@ -1975,11 +1965,10 @@ class Builder
     /**
      * Add a single dynamic where clause statement to the query.
      *
-     * @param string $segment
-     * @param string $connector
-     * @param array  $parameters
-     * @param int    $index
-     *
+     * @param  string  $segment
+     * @param  string  $connector
+     * @param  array  $parameters
+     * @param  int  $index
      * @return void
      */
     protected function addDynamic($segment, $connector, $parameters, $index)
@@ -1996,10 +1985,9 @@ class Builder
     /**
      * Logs the given executed query information by firing its query event.
      *
-     * @param Builder    $query
-     * @param string     $type
-     * @param null|float $time
-     *
+     * @param  Builder  $query
+     * @param  string  $type
+     * @param  null|float  $time
      * @return void
      */
     protected function logQuery($query, $type, $time = null)
@@ -2030,8 +2018,7 @@ class Builder
     /**
      * Fires the given query event.
      *
-     * @param QueryExecuted $event
-     *
+     * @param  QueryExecuted  $event
      * @return void
      */
     protected function fireQueryEvent(QueryExecuted $event)
@@ -2042,8 +2029,7 @@ class Builder
     /**
      * Get the elapsed time since a given starting point.
      *
-     * @param int $start
-     *
+     * @param  int  $start
      * @return float
      */
     protected function getElapsedTime($start)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Cache.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Cache.php
index dfbf8cd28..d6057bfb3 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Cache.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Cache.php
@@ -21,7 +21,7 @@ class Cache
     /**
      * Constructor.
      *
-     * @param CacheInterface $store
+     * @param  CacheInterface  $store
      */
     public function __construct(CacheInterface $store)
     {
@@ -31,8 +31,7 @@ class Cache
     /**
      * Get an item from the cache.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return mixed
      */
     public function get($key)
@@ -43,10 +42,9 @@ class Cache
     /**
      * Store an item in the cache.
      *
-     * @param string                                  $key
-     * @param mixed                                   $value
-     * @param DateTimeInterface|DateInterval|int|null $ttl
-     *
+     * @param  string  $key
+     * @param  mixed  $value
+     * @param  DateTimeInterface|DateInterval|int|null  $ttl
      * @return bool
      */
     public function put($key, $value, $ttl = null)
@@ -63,10 +61,9 @@ class Cache
     /**
      * Get an item from the cache, or execute the given Closure and store the result.
      *
-     * @param string                                  $key
-     * @param DateTimeInterface|DateInterval|int|null $ttl
-     * @param Closure                                 $callback
-     *
+     * @param  string  $key
+     * @param  DateTimeInterface|DateInterval|int|null  $ttl
+     * @param  Closure  $callback
      * @return mixed
      */
     public function remember($key, $ttl, Closure $callback)
@@ -85,8 +82,7 @@ class Cache
     /**
      * Delete an item from the cache.
      *
-     * @param string $key
-     *
+     * @param  string  $key
      * @return bool
      */
     public function delete($key)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Events/QueryExecuted.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Events/QueryExecuted.php
index 4f17ea2a4..8ed8f835d 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Events/QueryExecuted.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Events/QueryExecuted.php
@@ -23,8 +23,8 @@ class QueryExecuted
     /**
      * Constructor.
      *
-     * @param Builder    $query
-     * @param null|float $time
+     * @param  Builder  $query
+     * @param  null|float  $time
      */
     public function __construct(Builder $query, $time = null)
     {
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ConditionNode.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ConditionNode.php
new file mode 100644
index 000000000..6203360c5
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ConditionNode.php
@@ -0,0 +1,100 @@
+<?php
+
+namespace LdapRecord\Query\Filter;
+
+use LdapRecord\Support\Str;
+
+class ConditionNode extends Node
+{
+    /**
+     * The condition's attribute.
+     *
+     * @var string
+     */
+    protected $attribute;
+
+    /**
+     * The condition's operator.
+     *
+     * @var string
+     */
+    protected $operator;
+
+    /**
+     * The condition's value.
+     *
+     * @var string
+     */
+    protected $value;
+
+    /**
+     * The available condition operators.
+     *
+     * @var array
+     */
+    protected $operators = ['>=', '<=', '~=', '='];
+
+    /**
+     * Constructor.
+     *
+     * @param  string  $filter
+     */
+    public function __construct($filter)
+    {
+        $this->raw = $filter;
+
+        [$this->attribute, $this->value] = $this->extractComponents($filter);
+    }
+
+    /**
+     * Get the condition's attribute.
+     *
+     * @return string
+     */
+    public function getAttribute()
+    {
+        return $this->attribute;
+    }
+
+    /**
+     * Get the condition's operator.
+     *
+     * @return string
+     */
+    public function getOperator()
+    {
+        return $this->operator;
+    }
+
+    /**
+     * Get the condition's value.
+     *
+     * @return string
+     */
+    public function getValue()
+    {
+        return $this->value;
+    }
+
+    /**
+     * Extract the condition components from the filter.
+     *
+     * @param  string  $filter
+     * @return array
+     */
+    protected function extractComponents($filter)
+    {
+        $components = Str::whenContains(
+            $filter,
+            $this->operators,
+            function ($operator, $filter) {
+                return explode($this->operator = $operator, $filter, 2);
+            },
+            function ($filter) {
+                throw new ParserException("Invalid query condition. No operator found in [$filter]");
+            },
+        );
+
+        return $components;
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/GroupNode.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/GroupNode.php
new file mode 100644
index 000000000..1a3596f3e
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/GroupNode.php
@@ -0,0 +1,54 @@
+<?php
+
+namespace LdapRecord\Query\Filter;
+
+class GroupNode extends Node
+{
+    /**
+     * The group's operator.
+     *
+     * @var string
+     */
+    protected $operator;
+
+    /**
+     * The group's sub-nodes.
+     *
+     * @var Node[]
+     */
+    protected $nodes = [];
+
+    /**
+     * Constructor.
+     *
+     * @param  string  $filter
+     */
+    public function __construct($filter)
+    {
+        $this->raw = $filter;
+
+        $this->operator = substr($filter, 0, 1);
+
+        $this->nodes = Parser::parse($filter);
+    }
+
+    /**
+     * Get the group's operator.
+     *
+     * @return string
+     */
+    public function getOperator()
+    {
+        return $this->operator;
+    }
+
+    /**
+     * Get the group's sub-nodes.
+     *
+     * @return Node[]
+     */
+    public function getNodes()
+    {
+        return $this->nodes;
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Node.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Node.php
new file mode 100644
index 000000000..faf88d41f
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Node.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace LdapRecord\Query\Filter;
+
+abstract class Node
+{
+    /**
+     * The raw value of the node.
+     *
+     * @var string
+     */
+    protected $raw;
+
+    /**
+     * Create a new filter node.
+     *
+     * @param  string  $filter
+     */
+    abstract public function __construct($filter);
+
+    /**
+     * Get the raw value of the node.
+     *
+     * @return string
+     */
+    public function getRaw()
+    {
+        return $this->raw;
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Parser.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Parser.php
new file mode 100644
index 000000000..7717ac522
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/Parser.php
@@ -0,0 +1,162 @@
+<?php
+
+namespace LdapRecord\Query\Filter;
+
+use LdapRecord\Support\Arr;
+use LdapRecord\Support\Str;
+
+class Parser
+{
+    /**
+     * Parse an LDAP filter into nodes.
+     *
+     * @param  string  $string
+     * @return (ConditionNode|GroupNode)[]
+     *
+     * @throws ParserException
+     */
+    public static function parse($string)
+    {
+        [$open, $close] = static::countParenthesis($string);
+
+        if ($open !== $close) {
+            $errors = [-1 => '"("', 1 => '")"'];
+
+            throw new ParserException(
+                sprintf('Unclosed filter group. Missing %s parenthesis', $errors[$open <=> $close])
+            );
+        }
+
+        return static::buildNodes(
+            array_map('trim', static::match($string))
+        );
+    }
+
+    /**
+     * Perform a match for all filters in the string.
+     *
+     * @param  string  $string
+     * @return array
+     */
+    protected static function match($string)
+    {
+        preg_match_all("/\((((?>[^()]+)|(?R))*)\)/", trim($string), $matches);
+
+        return $matches[1] ?? [];
+    }
+
+    /**
+     * Assemble the parsed nodes into a single filter.
+     *
+     * @param  Node|Node[]  $nodes
+     * @return string
+     */
+    public static function assemble($nodes = [])
+    {
+        return array_reduce(Arr::wrap($nodes), function ($carry, Node $node) {
+            return $carry .= static::compileNode($node);
+        });
+    }
+
+    /**
+     * Assemble the node into its string based format.
+     *
+     * @param  GroupNode|ConditionNode  $node
+     * @return string
+     */
+    protected static function compileNode(Node $node)
+    {
+        switch (true) {
+            case $node instanceof GroupNode:
+                return static::wrap($node->getOperator().static::assemble($node->getNodes()));
+            case $node instanceof ConditionNode:
+                return static::wrap($node->getAttribute().$node->getOperator().$node->getValue());
+            default:
+                return $node->getRaw();
+        }
+    }
+
+    /**
+     * Build an array of nodes from the given filters.
+     *
+     * @param  string[]  $filters
+     * @return (ConditionNode|GroupNode)[]
+     *
+     * @throws ParserException
+     */
+    protected static function buildNodes(array $filters = [])
+    {
+        return array_map(function ($filter) {
+            if (static::isWrapped($filter)) {
+                $filter = static::unwrap($filter);
+            }
+
+            if (static::isGroup($filter) && ! Str::endsWith($filter, ')')) {
+                throw new ParserException(sprintf('Unclosed filter group [%s]', Str::afterLast($filter, ')')));
+            }
+
+            return static::isGroup($filter)
+                ? new GroupNode($filter)
+                : new ConditionNode($filter);
+        }, $filters);
+    }
+
+    /**
+     * Count the open and close parenthesis of the sting.
+     *
+     * @param  string  $string
+     * @return array
+     */
+    protected static function countParenthesis($string)
+    {
+        return [Str::substrCount($string, '('), Str::substrCount($string, ')')];
+    }
+
+    /**
+     * Wrap the value in parentheses.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    protected static function wrap($value)
+    {
+        return "($value)";
+    }
+
+    /**
+     * Recursively unwrwap the value from its parentheses.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    protected static function unwrap($value)
+    {
+        $nodes = static::parse($value);
+
+        $unwrapped = Arr::first($nodes);
+
+        return $unwrapped instanceof Node ? $unwrapped->getRaw() : $value;
+    }
+
+    /**
+     * Determine if the filter is wrapped.
+     *
+     * @param  string  $filter
+     * @return bool
+     */
+    protected static function isWrapped($filter)
+    {
+        return Str::startsWith($filter, '(') && Str::endsWith($filter, ')');
+    }
+
+    /**
+     * Determine if the filter is a group.
+     *
+     * @param  string  $filter
+     * @return bool
+     */
+    protected static function isGroup($filter)
+    {
+        return Str::startsWith($filter, ['&', '|', '!']);
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ParserException.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ParserException.php
new file mode 100644
index 000000000..68a4ca171
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Filter/ParserException.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace LdapRecord\Query\Filter;
+
+use LdapRecord\LdapRecordException;
+
+class ParserException extends LdapRecordException
+{
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Grammar.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Grammar.php
index 35a6c4844..84c4b8d0c 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Grammar.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Grammar.php
@@ -50,10 +50,9 @@ class Grammar
      *
      * Produces: (query)
      *
-     * @param string $query
-     * @param string $prefix
-     * @param string $suffix
-     *
+     * @param  string  $query
+     * @param  string  $prefix
+     * @param  string  $suffix
      * @return string
      */
     public function wrap($query, $prefix = '(', $suffix = ')')
@@ -64,8 +63,7 @@ class Grammar
     /**
      * Compiles the Builder instance into an LDAP query string.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return string
      */
     public function compile(Builder $query)
@@ -91,8 +89,7 @@ class Grammar
     /**
      * Determine if the query must be wrapped in an encapsulating statement.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return bool
      */
     protected function queryMustBeWrapped(Builder $query)
@@ -103,8 +100,7 @@ class Grammar
     /**
      * Assembles all of the "raw" filters on the query.
      *
-     * @param Builder $builder
-     *
+     * @param  Builder  $builder
      * @return string
      */
     protected function compileRaws(Builder $builder)
@@ -115,9 +111,8 @@ class Grammar
     /**
      * Assembles all where clauses in the current wheres property.
      *
-     * @param Builder $builder
-     * @param string  $type
-     *
+     * @param  Builder  $builder
+     * @param  string  $type
      * @return string
      */
     protected function compileWheres(Builder $builder, $type = 'and')
@@ -134,8 +129,7 @@ class Grammar
     /**
      * Assembles all or where clauses in the current orWheres property.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return string
      */
     protected function compileOrWheres(Builder $query)
@@ -161,8 +155,7 @@ class Grammar
     /**
      * Determine if the query can be wrapped in a single or statement.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return bool
      */
     protected function queryCanBeWrappedInSingleOrStatement(Builder $query)
@@ -175,8 +168,7 @@ class Grammar
     /**
      * Concatenates filters into a single string.
      *
-     * @param array $bindings
-     *
+     * @param  array  $bindings
      * @return string
      */
     public function concatenate(array $bindings = [])
@@ -190,8 +182,7 @@ class Grammar
     /**
      * Determine if the binding value is not empty.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return bool
      */
     protected function bindingValueIsNotEmpty($value)
@@ -202,8 +193,7 @@ class Grammar
     /**
      * Determine if the query is using multiple filters.
      *
-     * @param Builder $query
-     *
+     * @param  Builder  $query
      * @return bool
      */
     protected function hasMultipleFilters(Builder $query)
@@ -214,11 +204,10 @@ class Grammar
     /**
      * Determine if the query contains the given filter statement type.
      *
-     * @param Builder      $query
-     * @param string|array $type
-     * @param string       $operator
-     * @param int          $count
-     *
+     * @param  Builder  $query
+     * @param  string|array  $type
+     * @param  string  $operator
+     * @param  int  $count
      * @return bool
      */
     protected function has(Builder $query, $type, $operator = '>=', $count = 1)
@@ -250,9 +239,8 @@ class Grammar
      *
      * Produces: (field=value)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileEquals($field, $value)
@@ -265,9 +253,8 @@ class Grammar
      *
      * Produces: (!(field=value))
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileDoesNotEqual($field, $value)
@@ -282,9 +269,8 @@ class Grammar
      *
      * Produces: (!(field=value))
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileDoesNotEqualAlias($field, $value)
@@ -297,9 +283,8 @@ class Grammar
      *
      * Produces: (field>=value)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileGreaterThanOrEquals($field, $value)
@@ -312,9 +297,8 @@ class Grammar
      *
      * Produces: (field<=value)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileLessThanOrEquals($field, $value)
@@ -327,9 +311,8 @@ class Grammar
      *
      * Produces: (field~=value)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileApproximatelyEquals($field, $value)
@@ -342,9 +325,8 @@ class Grammar
      *
      * Produces: (field=value*)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileStartsWith($field, $value)
@@ -357,9 +339,8 @@ class Grammar
      *
      * Produces: (!(field=*value))
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileNotStartsWith($field, $value)
@@ -374,9 +355,8 @@ class Grammar
      *
      * Produces: (field=*value)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileEndsWith($field, $value)
@@ -389,9 +369,8 @@ class Grammar
      *
      * Produces: (!(field=value*))
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileNotEndsWith($field, $value)
@@ -404,9 +383,8 @@ class Grammar
      *
      * Produces: (field=*value*)
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileContains($field, $value)
@@ -419,9 +397,8 @@ class Grammar
      *
      * Produces: (!(field=*value*))
      *
-     * @param string $field
-     * @param string $value
-     *
+     * @param  string  $field
+     * @param  string  $value
      * @return string
      */
     public function compileNotContains($field, $value)
@@ -436,8 +413,7 @@ class Grammar
      *
      * Produces: (field=*)
      *
-     * @param string $field
-     *
+     * @param  string  $field
      * @return string
      */
     public function compileHas($field)
@@ -450,8 +426,7 @@ class Grammar
      *
      * Produces: (!(field=*))
      *
-     * @param string $field
-     *
+     * @param  string  $field
      * @return string
      */
     public function compileNotHas($field)
@@ -466,8 +441,7 @@ class Grammar
      *
      * Produces: (&query)
      *
-     * @param string $query
-     *
+     * @param  string  $query
      * @return string
      */
     public function compileAnd($query)
@@ -480,8 +454,7 @@ class Grammar
      *
      * Produces: (|query)
      *
-     * @param string $query
-     *
+     * @param  string  $query
      * @return string
      */
     public function compileOr($query)
@@ -492,8 +465,7 @@ class Grammar
     /**
      * Wraps the inserted query inside an NOT operator.
      *
-     * @param string $query
-     *
+     * @param  string  $query
      * @return string
      */
     public function compileNot($query)
@@ -504,8 +476,7 @@ class Grammar
     /**
      * Assembles a single where query.
      *
-     * @param array $where
-     *
+     * @param  array  $where
      * @return string
      *
      * @throws UnexpectedValueException
@@ -520,8 +491,7 @@ class Grammar
     /**
      * Make the compile method name for the operator.
      *
-     * @param string $operator
-     *
+     * @param  string  $operator
      * @return string
      *
      * @throws UnexpectedValueException
@@ -538,8 +508,7 @@ class Grammar
     /**
      * Determine if the operator exists.
      *
-     * @param string $operator
-     *
+     * @param  string  $operator
      * @return bool
      */
     protected function operatorExists($operator)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/InteractsWithTime.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/InteractsWithTime.php
index 1562ec0a4..e8024c033 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/InteractsWithTime.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/InteractsWithTime.php
@@ -16,8 +16,7 @@ trait InteractsWithTime
     /**
      * Get the number of seconds until the given DateTime.
      *
-     * @param DateTimeInterface|DateInterval|int $delay
-     *
+     * @param  DateTimeInterface|DateInterval|int  $delay
      * @return int
      */
     protected function secondsUntil($delay)
@@ -32,8 +31,7 @@ trait InteractsWithTime
     /**
      * Get the "available at" UNIX timestamp.
      *
-     * @param DateTimeInterface|DateInterval|int $delay
-     *
+     * @param  DateTimeInterface|DateInterval|int  $delay
      * @return int
      */
     protected function availableAt($delay = 0)
@@ -48,8 +46,7 @@ trait InteractsWithTime
     /**
      * If the given value is an interval, convert it to a DateTime instance.
      *
-     * @param DateTimeInterface|DateInterval|int $delay
-     *
+     * @param  DateTimeInterface|DateInterval|int  $delay
      * @return DateTimeInterface|int
      */
     protected function parseDateInterval($delay)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/ActiveDirectoryBuilder.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/ActiveDirectoryBuilder.php
index c3911d80e..3b0e96f79 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/ActiveDirectoryBuilder.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/ActiveDirectoryBuilder.php
@@ -12,9 +12,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Finds a record by its Object SID.
      *
-     * @param string       $sid
-     * @param array|string $columns
-     *
+     * @param  string  $sid
+     * @param  array|string  $columns
      * @return \LdapRecord\Models\ActiveDirectory\Entry|static|null
      */
     public function findBySid($sid, $columns = [])
@@ -31,9 +30,8 @@ class ActiveDirectoryBuilder extends Builder
      *
      * Fails upon no records returned.
      *
-     * @param string       $sid
-     * @param array|string $columns
-     *
+     * @param  string  $sid
+     * @param  array|string  $columns
      * @return \LdapRecord\Models\ActiveDirectory\Entry|static
      *
      * @throws ModelNotFoundException
@@ -70,9 +68,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds a 'where member' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function whereMember($dn, $nested = false)
@@ -85,9 +82,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds an 'or where member' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function orWhereMember($dn, $nested = false)
@@ -100,9 +96,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds a 'where member of' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function whereMemberOf($dn, $nested = false)
@@ -115,9 +110,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds a 'where not member of' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function whereNotMemberof($dn, $nested = false)
@@ -130,9 +124,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds an 'or where member of' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function orWhereMemberOf($dn, $nested = false)
@@ -145,9 +138,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds a 'or where not member of' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function orWhereNotMemberof($dn, $nested = false)
@@ -160,9 +152,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds a 'where manager' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function whereManager($dn, $nested = false)
@@ -175,9 +166,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds a 'where not manager' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function whereNotManager($dn, $nested = false)
@@ -190,9 +180,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds an 'or where manager' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function orWhereManager($dn, $nested = false)
@@ -205,9 +194,8 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Adds an 'or where not manager' filter to the current query.
      *
-     * @param string $dn
-     * @param bool   $nested
-     *
+     * @param  string  $dn
+     * @param  bool  $nested
      * @return $this
      */
     public function orWhereNotManager($dn, $nested = false)
@@ -220,10 +208,9 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Execute the callback with a nested match attribute.
      *
-     * @param Closure $callback
-     * @param string  $attribute
-     * @param bool    $nested
-     *
+     * @param  Closure  $callback
+     * @param  string  $attribute
+     * @param  bool  $nested
      * @return $this
      */
     protected function nestedMatchQuery(Closure $callback, $attribute, $nested = false)
@@ -236,8 +223,7 @@ class ActiveDirectoryBuilder extends Builder
     /**
      * Make a "nested match" filter attribute for querying descendants.
      *
-     * @param string $attribute
-     *
+     * @param  string  $attribute
      * @return string
      */
     protected function makeNestedMatchAttribute($attribute)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/Builder.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/Builder.php
index 234dd0ad7..a6886ea96 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/Builder.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Model/Builder.php
@@ -44,9 +44,8 @@ class Builder extends BaseBuilder
     /**
      * Dynamically handle calls into the query instance.
      *
-     * @param string $method
-     * @param array  $parameters
-     *
+     * @param  string  $method
+     * @param  array  $parameters
      * @return mixed
      */
     public function __call($method, $parameters)
@@ -61,9 +60,8 @@ class Builder extends BaseBuilder
     /**
      * Apply the given scope on the current builder instance.
      *
-     * @param callable $scope
-     * @param array    $parameters
-     *
+     * @param  callable  $scope
+     * @param  array  $parameters
      * @return mixed
      */
     protected function callScope(callable $scope, $parameters = [])
@@ -91,8 +89,7 @@ class Builder extends BaseBuilder
     /**
      * Set the model instance for the model being queried.
      *
-     * @param Model $model
-     *
+     * @param  Model  $model
      * @return $this
      */
     public function setModel(Model $model)
@@ -115,8 +112,7 @@ class Builder extends BaseBuilder
     /**
      * Get a new model query builder instance.
      *
-     * @param string|null $baseDn
-     *
+     * @param  string|null  $baseDn
      * @return static
      */
     public function newInstance($baseDn = null)
@@ -127,9 +123,8 @@ class Builder extends BaseBuilder
     /**
      * Finds a model by its distinguished name.
      *
-     * @param array|string          $dn
-     * @param array|string|string[] $columns
-     *
+     * @param  array|string  $dn
+     * @param  array|string|string[]  $columns
      * @return Model|\LdapRecord\Query\Collection|static|null
      */
     public function find($dn, $columns = ['*'])
@@ -142,9 +137,8 @@ class Builder extends BaseBuilder
     /**
      * Finds a record using ambiguous name resolution.
      *
-     * @param string|array $value
-     * @param array|string $columns
-     *
+     * @param  string|array  $value
+     * @param  array|string  $columns
      * @return Model|\LdapRecord\Query\Collection|static|null
      */
     public function findByAnr($value, $columns = ['*'])
@@ -178,9 +172,8 @@ class Builder extends BaseBuilder
      *
      * If a record is not found, an exception is thrown.
      *
-     * @param string       $value
-     * @param array|string $columns
-     *
+     * @param  string  $value
+     * @param  array|string  $columns
      * @return Model
      *
      * @throws ModelNotFoundException
@@ -197,8 +190,8 @@ class Builder extends BaseBuilder
     /**
      * Throws a not found exception.
      *
-     * @param string $query
-     * @param string $dn
+     * @param  string  $query
+     * @param  string  $dn
      *
      * @throws ModelNotFoundException
      */
@@ -210,9 +203,8 @@ class Builder extends BaseBuilder
     /**
      * Finds multiple records using ambiguous name resolution.
      *
-     * @param array $values
-     * @param array $columns
-     *
+     * @param  array  $values
+     * @param  array  $columns
      * @return \LdapRecord\Query\Collection
      */
     public function findManyByAnr(array $values = [], $columns = ['*'])
@@ -233,8 +225,7 @@ class Builder extends BaseBuilder
     /**
      * Creates an ANR equivalent query for LDAP distributions that do not support ANR.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return $this
      */
     protected function prepareAnrEquivalentQuery($value)
@@ -249,9 +240,8 @@ class Builder extends BaseBuilder
     /**
      * Finds a record by its string GUID.
      *
-     * @param string       $guid
-     * @param array|string $columns
-     *
+     * @param  string  $guid
+     * @param  array|string  $columns
      * @return Model|static|null
      */
     public function findByGuid($guid, $columns = ['*'])
@@ -268,9 +258,8 @@ class Builder extends BaseBuilder
      *
      * Fails upon no records returned.
      *
-     * @param string       $guid
-     * @param array|string $columns
-     *
+     * @param  string  $guid
+     * @param  array|string  $columns
      * @return Model|static
      *
      * @throws ModelNotFoundException
@@ -299,8 +288,7 @@ class Builder extends BaseBuilder
     /**
      * Apply the query scopes and execute the callback.
      *
-     * @param Closure $callback
-     *
+     * @param  Closure  $callback
      * @return mixed
      */
     protected function afterScopes(Closure $callback)
@@ -339,9 +327,8 @@ class Builder extends BaseBuilder
     /**
      * Register a new global scope.
      *
-     * @param string         $identifier
-     * @param Scope|\Closure $scope
-     *
+     * @param  string  $identifier
+     * @param  Scope|\Closure  $scope
      * @return $this
      */
     public function withGlobalScope($identifier, $scope)
@@ -354,8 +341,7 @@ class Builder extends BaseBuilder
     /**
      * Remove a registered global scope.
      *
-     * @param Scope|string $scope
-     *
+     * @param  Scope|string  $scope
      * @return $this
      */
     public function withoutGlobalScope($scope)
@@ -374,8 +360,7 @@ class Builder extends BaseBuilder
     /**
      * Remove all or passed registered global scopes.
      *
-     * @param array|null $scopes
-     *
+     * @param  array|null  $scopes
      * @return $this
      */
     public function withoutGlobalScopes(array $scopes = null)
@@ -414,8 +399,7 @@ class Builder extends BaseBuilder
     /**
      * Processes and converts the given LDAP results into models.
      *
-     * @param array $results
-     *
+     * @param  array  $results
      * @return \LdapRecord\Query\Collection
      */
     protected function process(array $results)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ObjectNotFoundException.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ObjectNotFoundException.php
index c22563cfa..99c2e85e3 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ObjectNotFoundException.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/ObjectNotFoundException.php
@@ -23,9 +23,8 @@ class ObjectNotFoundException extends LdapRecordException
     /**
      * Create a new exception for the executed filter.
      *
-     * @param string  $query
-     * @param ?string $baseDn
-     *
+     * @param  string  $query
+     * @param  ?string  $baseDn
      * @return static
      */
     public static function forQuery($query, $baseDn = null)
@@ -36,9 +35,8 @@ class ObjectNotFoundException extends LdapRecordException
     /**
      * Set the query that was used.
      *
-     * @param string      $query
-     * @param string|null $baseDn
-     *
+     * @param  string  $query
+     * @param  string|null  $baseDn
      * @return $this
      */
     public function setQuery($query, $baseDn = null)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/AbstractPaginator.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/AbstractPaginator.php
index e2b048242..11e2dc547 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/AbstractPaginator.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/AbstractPaginator.php
@@ -38,7 +38,7 @@ abstract class AbstractPaginator
     /**
      * Constructor.
      *
-     * @param Builder $query
+     * @param  Builder  $query
      */
     public function __construct(Builder $query, $filter, $perPage, $isCritical)
     {
@@ -51,8 +51,7 @@ abstract class AbstractPaginator
     /**
      * Execute the pagination request.
      *
-     * @param LdapInterface $ldap
-     *
+     * @param  LdapInterface  $ldap
      * @return array
      */
     public function execute(LdapInterface $ldap)
@@ -107,8 +106,7 @@ abstract class AbstractPaginator
     /**
      * Apply the server controls.
      *
-     * @param LdapInterface $ldap
-     *
+     * @param  LdapInterface  $ldap
      * @return void
      */
     abstract protected function applyServerControls(LdapInterface $ldap);
@@ -116,8 +114,7 @@ abstract class AbstractPaginator
     /**
      * Reset the server controls.
      *
-     * @param LdapInterface $ldap
-     *
+     * @param  LdapInterface  $ldap
      * @return void
      */
     abstract protected function resetServerControls(LdapInterface $ldap);
@@ -125,9 +122,8 @@ abstract class AbstractPaginator
     /**
      * Update the server controls.
      *
-     * @param LdapInterface $ldap
-     * @param resource      $resource
-     *
+     * @param  LdapInterface  $ldap
+     * @param  resource  $resource
      * @return void
      */
     abstract protected function updateServerControls(LdapInterface $ldap, $resource);
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/LazyPaginator.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/LazyPaginator.php
index b9df77e4e..8b12d526c 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/LazyPaginator.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Pagination/LazyPaginator.php
@@ -9,8 +9,7 @@ class LazyPaginator extends Paginator
     /**
      * Execute the pagination request.
      *
-     * @param LdapInterface $ldap
-     *
+     * @param  LdapInterface  $ldap
      * @return \Generator
      */
     public function execute(LdapInterface $ldap)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Slice.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Slice.php
new file mode 100644
index 000000000..12faa5bd1
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Query/Slice.php
@@ -0,0 +1,283 @@
+<?php
+
+namespace LdapRecord\Query;
+
+use ArrayAccess;
+use ArrayIterator;
+use IteratorAggregate;
+use JsonSerializable;
+
+class Slice implements ArrayAccess, IteratorAggregate, JsonSerializable
+{
+    /**
+     * All of the items being paginated.
+     *
+     * @var \LdapRecord\Query\Collection|array
+     */
+    protected $items;
+
+    /**
+     * The number of items to be shown per page.
+     *
+     * @var int
+     */
+    protected $perPage;
+
+    /**
+     * The total number of items before slicing.
+     *
+     * @var int
+     */
+    protected $total;
+
+    /**
+     * The last available page.
+     *
+     * @var int
+     */
+    protected $lastPage;
+
+    /**
+     * The current page being "viewed".
+     *
+     * @var int
+     */
+    protected $currentPage;
+
+    /**
+     * Constructor.
+     *
+     * @param  \LdapRecord\Query\Collection|array  $items
+     * @param  int  $total
+     * @param  int  $perPage
+     * @param  int|null  $currentPage
+     */
+    public function __construct($items, $total, $perPage, $currentPage = null)
+    {
+        $this->items = $items;
+        $this->total = $total;
+        $this->perPage = $perPage;
+        $this->lastPage = max((int) ceil($total / $perPage), 1);
+        $this->currentPage = $currentPage ?? 1;
+    }
+
+    /**
+     * Get the slice of items being paginated.
+     *
+     * @return \LdapRecord\Query\Collection|array
+     */
+    public function items()
+    {
+        return $this->items;
+    }
+
+    /**
+     * Get the total number of items being paginated.
+     *
+     * @return int
+     */
+    public function total()
+    {
+        return $this->total;
+    }
+
+    /**
+     * Get the number of items shown per page.
+     *
+     * @return int
+     */
+    public function perPage()
+    {
+        return $this->perPage;
+    }
+
+    /**
+     * Determine if there are more items in the data source.
+     *
+     * @return bool
+     */
+    public function hasMorePages()
+    {
+        return $this->currentPage() < $this->lastPage();
+    }
+
+    /**
+     * Determine if there are enough items to split into multiple pages.
+     *
+     * @return bool
+     */
+    public function hasPages()
+    {
+        return $this->currentPage() != 1 || $this->hasMorePages();
+    }
+
+    /**
+     * Determine if the paginator is on the first page.
+     *
+     * @return bool
+     */
+    public function onFirstPage()
+    {
+        return $this->currentPage() <= 1;
+    }
+
+    /**
+     * Determine if the paginator is on the last page.
+     *
+     * @return bool
+     */
+    public function onLastPage()
+    {
+        return ! $this->hasMorePages();
+    }
+
+    /**
+     * Get the current page.
+     *
+     * @return int
+     */
+    public function currentPage()
+    {
+        return $this->currentPage;
+    }
+
+    /**
+     * Get the last page.
+     *
+     * @return int
+     */
+    public function lastPage()
+    {
+        return $this->lastPage;
+    }
+
+    /**
+     * Get an iterator for the items.
+     *
+     * @return \ArrayIterator
+     */
+    #[\ReturnTypeWillChange]
+    public function getIterator()
+    {
+        return new ArrayIterator($this->items);
+    }
+
+    /**
+     * Determine if the list of items is empty.
+     *
+     * @return bool
+     */
+    public function isEmpty()
+    {
+        return empty($this->items);
+    }
+
+    /**
+     * Determine if the list of items is not empty.
+     *
+     * @return bool
+     */
+    public function isNotEmpty()
+    {
+        return ! $this->isEmpty();
+    }
+
+    /**
+     * Get the number of items for the current page.
+     *
+     * @return int
+     */
+    #[\ReturnTypeWillChange]
+    public function count()
+    {
+        return count($this->items);
+    }
+
+    /**
+     * Determine if the given item exists.
+     *
+     * @param  mixed  $key
+     * @return bool
+     */
+    #[\ReturnTypeWillChange]
+    public function offsetExists($key)
+    {
+        return array_key_exists($key, $this->items);
+    }
+
+    /**
+     * Get the item at the given offset.
+     *
+     * @param  mixed  $key
+     * @return mixed
+     */
+    #[\ReturnTypeWillChange]
+    public function offsetGet($key)
+    {
+        return $this->items[$key] ?? null;
+    }
+
+    /**
+     * Set the item at the given offset.
+     *
+     * @param  mixed  $key
+     * @param  mixed  $value
+     * @return void
+     */
+    #[\ReturnTypeWillChange]
+    public function offsetSet($key, $value)
+    {
+        $this->items[$key] = $value;
+    }
+
+    /**
+     * Unset the item at the given key.
+     *
+     * @param  mixed  $key
+     * @return void
+     */
+    #[\ReturnTypeWillChange]
+    public function offsetUnset($key)
+    {
+        unset($this->items[$key]);
+    }
+
+    /**
+     * Convert the object into something JSON serializable.
+     *
+     * @return array
+     */
+    #[\ReturnTypeWillChange]
+    public function jsonSerialize()
+    {
+        return $this->toArray();
+    }
+
+    /**
+     * Get the arrayable items.
+     *
+     * @return array
+     */
+    public function getArrayableItems()
+    {
+        return $this->items instanceof Collection
+            ? $this->items->all()
+            : $this->items;
+    }
+
+    /**
+     * Get the instance as an array.
+     *
+     * @return array
+     */
+    public function toArray()
+    {
+        return [
+            'current_page' => $this->currentPage(),
+            'data' => $this->getArrayableItems(),
+            'last_page' => $this->lastPage(),
+            'per_page' => $this->perPage(),
+            'total' => $this->total(),
+        ];
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Arr.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Arr.php
index 8fa87a2b3..7475859ae 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Arr.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Arr.php
@@ -9,8 +9,7 @@ class Arr
     /**
      * Determine whether the given value is array accessible.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return bool
      */
     public static function accessible($value)
@@ -21,9 +20,8 @@ class Arr
     /**
      * Determine if the given key exists in the provided array.
      *
-     * @param \ArrayAccess|array $array
-     * @param string|int         $key
-     *
+     * @param  \ArrayAccess|array  $array
+     * @param  string|int  $key
      * @return bool
      */
     public static function exists($array, $key)
@@ -38,8 +36,7 @@ class Arr
     /**
      * If the given value is not an array and not null, wrap it in one.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return array
      */
     public static function wrap($value)
@@ -54,10 +51,9 @@ class Arr
     /**
      * Return the first element in an array passing a given truth test.
      *
-     * @param iterable      $array
-     * @param callable|null $callback
-     * @param mixed         $default
-     *
+     * @param  iterable  $array
+     * @param  callable|null  $callback
+     * @param  mixed  $default
      * @return mixed
      */
     public static function first($array, callable $callback = null, $default = null)
@@ -84,10 +80,9 @@ class Arr
     /**
      * Return the last element in an array passing a given truth test.
      *
-     * @param array         $array
-     * @param callable|null $callback
-     * @param mixed         $default
-     *
+     * @param  array  $array
+     * @param  callable|null  $callback
+     * @param  mixed  $default
      * @return mixed
      */
     public static function last($array, callable $callback = null, $default = null)
@@ -102,10 +97,9 @@ class Arr
     /**
      * Get an item from an array using "dot" notation.
      *
-     * @param ArrayAccess|array $array
-     * @param string|int|null   $key
-     * @param mixed             $default
-     *
+     * @param  ArrayAccess|array  $array
+     * @param  string|int|null  $key
+     * @param  mixed  $default
      * @return mixed
      */
     public static function get($array, $key, $default = null)
@@ -122,7 +116,7 @@ class Arr
             return $array[$key];
         }
 
-        if (strpos($key, '.') === false) {
+        if (str_contains($key, '.')) {
             return $array[$key] ?? Helpers::value($default);
         }
 
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Helpers.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Helpers.php
index a55d1d22a..ab217d6ff 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Helpers.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Helpers.php
@@ -9,12 +9,12 @@ class Helpers
     /**
      * Return the default value of the given value.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
+     * @param  mixed  $args
      * @return mixed
      */
-    public static function value($value)
+    public static function value($value, ...$args)
     {
-        return $value instanceof Closure ? $value() : $value;
+        return $value instanceof Closure ? $value(...$args) : $value;
     }
 }
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Str.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Str.php
new file mode 100644
index 000000000..820834e21
--- /dev/null
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Support/Str.php
@@ -0,0 +1,129 @@
+<?php
+
+namespace LdapRecord\Support;
+
+class Str
+{
+    /**
+     * Return the remainder of a string after the last occurrence of a given value.
+     *
+     * @param  string  $subject
+     * @param  string  $search
+     * @return string
+     */
+    public static function afterLast($subject, $search)
+    {
+        if ($search === '') {
+            return $subject;
+        }
+
+        $position = strrpos($subject, (string) $search);
+
+        if ($position === false) {
+            return $subject;
+        }
+
+        return substr($subject, $position + strlen($search));
+    }
+
+    /**
+     * Determine if a given string starts with a given substring.
+     *
+     * @param  string  $haystack
+     * @param  string|string[]  $needles
+     * @return bool
+     */
+    public static function startsWith($haystack, $needles)
+    {
+        foreach ((array) $needles as $needle) {
+            if ((string) $needle !== '' && str_starts_with($haystack, $needle)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Determine if a given string ends with a given substring.
+     *
+     * @param  string  $haystack
+     * @param  string|string[]  $needles
+     * @return bool
+     */
+    public static function endsWith($haystack, $needles)
+    {
+        foreach ((array) $needles as $needle) {
+            if (
+                $needle !== '' && $needle !== null
+                && str_ends_with($haystack, $needle)
+            ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Execute a callback when a needle is found in the haystack.
+     *
+     * @param  string  $haystack
+     * @param  string|string[]  $needles
+     * @param  \Closure|mixed  $callback
+     * @param  \Closure|mixed  $default
+     * @return mixed
+     */
+    public static function whenContains($haystack, $needles, $callback, $default = null)
+    {
+        foreach ((array) $needles as $needle) {
+            if (static::contains($haystack, $needle)) {
+                return Helpers::value($callback, $needle, $haystack);
+            }
+        }
+
+        return Helpers::value($default, $haystack);
+    }
+
+    /**
+     * Determine if a given string contains a given substring.
+     *
+     * @param  string  $haystack
+     * @param  string|string[]  $needles
+     * @param  bool  $ignoreCase
+     * @return bool
+     */
+    public static function contains($haystack, $needles, $ignoreCase = false)
+    {
+        if ($ignoreCase) {
+            $haystack = mb_strtolower($haystack);
+            $needles = array_map('mb_strtolower', (array) $needles);
+        }
+
+        foreach ((array) $needles as $needle) {
+            if ($needle !== '' && str_contains((string) $haystack, $needle)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Returns the number of substring occurrences.
+     *
+     * @param  string  $haystack
+     * @param  string  $needle
+     * @param  int  $offset
+     * @param  int|null  $length
+     * @return int
+     */
+    public static function substrCount($haystack, $needle, $offset = 0, $length = null)
+    {
+        if (! is_null($length)) {
+            return substr_count($haystack, $needle, $offset, $length);
+        } else {
+            return substr_count($haystack, $needle, $offset);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/ConnectionFake.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/ConnectionFake.php
index 0aa12a1e3..09530f5c7 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/ConnectionFake.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/ConnectionFake.php
@@ -25,9 +25,8 @@ class ConnectionFake extends Connection
     /**
      * Make a new fake LDAP connection instance.
      *
-     * @param array  $config
-     * @param string $ldap
-     *
+     * @param  array  $config
+     * @param  string  $ldap
      * @return static
      */
     public static function make(array $config = [], $ldap = LdapFake::class)
@@ -42,8 +41,7 @@ class ConnectionFake extends Connection
     /**
      * Set the user to authenticate as.
      *
-     * @param Model|string $user
-     *
+     * @param  Model|string  $user
      * @return $this
      */
     public function actingAs($user)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/DirectoryFake.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/DirectoryFake.php
index 9d50dcdfa..72be02af3 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/DirectoryFake.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/DirectoryFake.php
@@ -9,8 +9,7 @@ class DirectoryFake
     /**
      * Setup the fake connection.
      *
-     * @param string|null $name
-     *
+     * @param  string|null  $name
      * @return ConnectionFake
      *
      * @throws \LdapRecord\ContainerException
@@ -42,8 +41,7 @@ class DirectoryFake
     /**
      * Make a connection fake.
      *
-     * @param array $config
-     *
+     * @param  array  $config
      * @return ConnectionFake
      */
     public static function makeConnectionFake(array $config = [])
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapExpectation.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapExpectation.php
index 90a5fa2ed..693459149 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapExpectation.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapExpectation.php
@@ -2,7 +2,9 @@
 
 namespace LdapRecord\Testing;
 
+use Closure;
 use LdapRecord\LdapRecordException;
+use PHPUnit\Framework\Constraint\Callback;
 use PHPUnit\Framework\Constraint\Constraint;
 use PHPUnit\Framework\Constraint\IsEqual;
 use UnexpectedValueException;
@@ -82,7 +84,7 @@ class LdapExpectation
     /**
      * Constructor.
      *
-     * @param string $method
+     * @param  string  $method
      */
     public function __construct($method)
     {
@@ -92,21 +94,22 @@ class LdapExpectation
     /**
      * Set the arguments that the operation should receive.
      *
-     * @param mixed $args
-     *
+     * @param  mixed  $args
      * @return $this
      */
     public function with($args)
     {
-        $args = is_array($args) ? $args : func_get_args();
-
-        foreach ($args as $key => $arg) {
-            if (! $arg instanceof Constraint) {
-                $args[$key] = new IsEqual($arg);
+        $this->args = array_map(function ($arg) {
+            if ($arg instanceof Closure) {
+                return new Callback($arg);
             }
-        }
 
-        $this->args = $args;
+            if (! $arg instanceof Constraint) {
+                return new IsEqual($arg);
+            }
+
+            return $arg;
+        }, is_array($args) ? $args : func_get_args());
 
         return $this;
     }
@@ -114,8 +117,7 @@ class LdapExpectation
     /**
      * Set the expected value to return.
      *
-     * @param mixed $value
-     *
+     * @param  mixed  $value
      * @return $this
      */
     public function andReturn($value)
@@ -128,10 +130,9 @@ class LdapExpectation
     /**
      * The error message to return from the expectation.
      *
-     * @param int    $code
-     * @param string $error
-     * @param string $diagnosticMessage
-     *
+     * @param  int  $code
+     * @param  string  $error
+     * @param  string  $diagnosticMessage
      * @return $this
      */
     public function andReturnError($code = 1, $error = '', $diagnosticMessage = '')
@@ -148,8 +149,7 @@ class LdapExpectation
     /**
      * Set the expected exception to throw.
      *
-     * @param string|\Exception|LdapRecordException $exception
-     *
+     * @param  string|\Exception|LdapRecordException  $exception
      * @return $this
      */
     public function andThrow($exception)
@@ -186,8 +186,7 @@ class LdapExpectation
     /**
      * Set the expectation to be called the given number of times.
      *
-     * @param int $count
-     *
+     * @param  int  $count
      * @return $this
      */
     public function times($count = 1)
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapFake.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapFake.php
index 00470e14a..5a0003549 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapFake.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Testing/LdapFake.php
@@ -47,8 +47,7 @@ class LdapFake implements LdapInterface
     /**
      * Create a new expected operation.
      *
-     * @param string $method
-     *
+     * @param  string  $method
      * @return LdapExpectation
      */
     public static function operation($method)
@@ -59,8 +58,7 @@ class LdapFake implements LdapInterface
     /**
      * Set the user that will pass binding.
      *
-     * @param string $dn
-     *
+     * @param  string  $dn
      * @return $this
      */
     public function shouldAuthenticateWith($dn)
@@ -73,8 +71,7 @@ class LdapFake implements LdapInterface
     /**
      * Add an LDAP method expectation.
      *
-     * @param LdapExpectation|array $expectations
-     *
+     * @param  LdapExpectation|array  $expectations
      * @return $this
      */
     public function expect($expectations = [])
@@ -105,8 +102,7 @@ class LdapFake implements LdapInterface
     /**
      * Determine if the method has any expectations.
      *
-     * @param string $method
-     *
+     * @param  string  $method
      * @return bool
      */
     public function hasExpectations($method)
@@ -117,8 +113,7 @@ class LdapFake implements LdapInterface
     /**
      * Get expectations by method.
      *
-     * @param string $method
-     *
+     * @param  string  $method
      * @return LdapExpectation[]|mixed
      */
     public function getExpectations($method)
@@ -129,9 +124,8 @@ class LdapFake implements LdapInterface
     /**
      * Remove an expectation by method and key.
      *
-     * @param string $method
-     * @param int    $key
-     *
+     * @param  string  $method
+     * @param  int  $key
      * @return void
      */
     public function removeExpectation($method, $key)
@@ -142,8 +136,7 @@ class LdapFake implements LdapInterface
     /**
      * Set the error number of a failed bind attempt.
      *
-     * @param int $number
-     *
+     * @param  int  $number
      * @return $this
      */
     public function shouldReturnErrorNumber($number = 1)
@@ -156,8 +149,7 @@ class LdapFake implements LdapInterface
     /**
      * Set the last error of a failed bind attempt.
      *
-     * @param string $message
-     *
+     * @param  string  $message
      * @return $this
      */
     public function shouldReturnError($message = '')
@@ -170,8 +162,7 @@ class LdapFake implements LdapInterface
     /**
      * Set the diagnostic message of a failed bind attempt.
      *
-     * @param string $message
-     *
+     * @param  string  $message
      * @return $this
      */
     public function shouldReturnDiagnosticMessage($message = '')
@@ -261,6 +252,16 @@ class LdapFake implements LdapInterface
             : $this->bound;
     }
 
+    /**
+     * @inheritdoc
+     */
+    public function getHost()
+    {
+        return $this->hasExpectations('getHost')
+            ? $this->resolveExpectation('getHost')
+            : $this->host;
+    }
+
     /**
      * @inheritdoc
      */
@@ -454,9 +455,8 @@ class LdapFake implements LdapInterface
     /**
      * Resolve the methods expectations.
      *
-     * @param string $method
-     * @param array  $args
-     *
+     * @param  string  $method
+     * @param  array  $args
      * @return mixed
      *
      * @throws Exception
@@ -489,8 +489,7 @@ class LdapFake implements LdapInterface
     /**
      * Apply the expectation error to the fake.
      *
-     * @param LdapExpectation $expectation
-     *
+     * @param  LdapExpectation  $expectation
      * @return void
      */
     protected function applyExpectationError(LdapExpectation $expectation)
@@ -503,10 +502,9 @@ class LdapFake implements LdapInterface
     /**
      * Assert that the expected arguments match the operations arguments.
      *
-     * @param string       $method
-     * @param Constraint[] $expectedArgs
-     * @param array        $methodArgs
-     *
+     * @param  string  $method
+     * @param  Constraint[]  $expectedArgs
+     * @param  array  $methodArgs
      * @return void
      */
     protected function assertMethodArgumentsMatch($method, array $expectedArgs = [], array $methodArgs = [])
diff --git a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Utilities.php b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Utilities.php
index 01d55c797..c4f5190d8 100644
--- a/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Utilities.php
+++ b/data/web/inc/lib/vendor/directorytree/ldaprecord/src/Utilities.php
@@ -10,14 +10,13 @@ class Utilities
      * This will also decode hex characters into their true
      * UTF-8 representation embedded inside the DN as well.
      *
-     * @param string $dn
-     * @param bool   $removeAttributePrefixes
-     *
+     * @param  string  $dn
+     * @param  bool  $removeAttributePrefixes
      * @return array|false
      */
     public static function explodeDn($dn, $removeAttributePrefixes = true)
     {
-        $dn = ldap_explode_dn($dn, ($removeAttributePrefixes ? 1 : 0));
+        $dn = ldap_explode_dn($dn, $removeAttributePrefixes ? 1 : 0);
 
         if (! is_array($dn)) {
             return false;
@@ -39,8 +38,7 @@ class Utilities
     /**
      * Un-escapes a hexadecimal string into its original string representation.
      *
-     * @param string $value
-     *
+     * @param  string  $value
      * @return string
      */
     public static function unescape($value)
@@ -58,8 +56,7 @@ class Utilities
      * @see https://github.com/ChadSikorra
      * @see https://stackoverflow.com/questions/39533560/php-ldap-get-user-sid
      *
-     * @param string $value The Binary SID
-     *
+     * @param  string  $value  The Binary SID
      * @return string|null
      */
     public static function binarySidToString($value)
@@ -106,8 +103,7 @@ class Utilities
     /**
      * Convert a binary GUID to a string GUID.
      *
-     * @param string $binGuid
-     *
+     * @param  string  $binGuid
      * @return string|null
      */
     public static function binaryGuidToString($binGuid)
@@ -130,8 +126,7 @@ class Utilities
     /**
      * Converts a string GUID to it's hex variant.
      *
-     * @param string $string
-     *
+     * @param  string  $string
      * @return string
      */
     public static function stringGuidToHex($string)
@@ -149,21 +144,19 @@ class Utilities
      * Round a Windows timestamp down to seconds and remove
      * the seconds between 1601-01-01 and 1970-01-01.
      *
-     * @param float $windowsTime
-     *
-     * @return float
+     * @param  int  $windowsTime
+     * @return int
      */
     public static function convertWindowsTimeToUnixTime($windowsTime)
     {
-        return round($windowsTime / 10000000) - 11644473600;
+        return (int) (round($windowsTime / 10000000) - 11644473600);
     }
 
     /**
      * Convert a Unix timestamp to Windows timestamp.
      *
-     * @param float $unixTime
-     *
-     * @return float
+     * @param  int  $unixTime
+     * @return int
      */
     public static function convertUnixTimeToWindowsTime($unixTime)
     {
@@ -173,8 +166,7 @@ class Utilities
     /**
      * Validates that the inserted string is an object SID.
      *
-     * @param string $sid
-     *
+     * @param  string  $sid
      * @return bool
      */
     public static function isValidSid($sid)
@@ -185,8 +177,7 @@ class Utilities
     /**
      * Validates that the inserted string is an object GUID.
      *
-     * @param string $guid
-     *
+     * @param  string  $guid
      * @return bool
      */
     public static function isValidGuid($guid)
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Auth/Access/Gate.php b/data/web/inc/lib/vendor/illuminate/contracts/Auth/Access/Gate.php
index b88ab1796..eb605d827 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Auth/Access/Gate.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Auth/Access/Gate.php
@@ -57,18 +57,18 @@ interface Gate
     public function after(callable $callback);
 
     /**
-     * Determine if the given ability should be granted for the current user.
+     * Determine if all of the given abilities should be granted for the current user.
      *
-     * @param  string  $ability
+     * @param  iterable|string  $ability
      * @param  array|mixed  $arguments
      * @return bool
      */
     public function allows($ability, $arguments = []);
 
     /**
-     * Determine if the given ability should be denied for the current user.
+     * Determine if any of the given abilities should be denied for the current user.
      *
-     * @param  string  $ability
+     * @param  iterable|string  $ability
      * @param  array|mixed  $arguments
      * @return bool
      */
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Broadcasting/ShouldBeUnique.php b/data/web/inc/lib/vendor/illuminate/contracts/Broadcasting/ShouldBeUnique.php
new file mode 100644
index 000000000..c72b7a800
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Broadcasting/ShouldBeUnique.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Broadcasting;
+
+interface ShouldBeUnique
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Cache/Repository.php b/data/web/inc/lib/vendor/illuminate/contracts/Cache/Repository.php
index 5b78af57e..4bc4638e4 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Cache/Repository.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Cache/Repository.php
@@ -10,9 +10,11 @@ interface Repository extends CacheInterface
     /**
      * Retrieve an item from the cache and delete it.
      *
-     * @param  string  $key
-     * @param  mixed  $default
-     * @return mixed
+     * @template TCacheValue
+     *
+     * @param  array|string  $key
+     * @param  TCacheValue|(\Closure(): TCacheValue)  $default
+     * @return (TCacheValue is null ? mixed : TCacheValue)
      */
     public function pull($key, $default = null);
 
@@ -66,28 +68,34 @@ interface Repository extends CacheInterface
     /**
      * Get an item from the cache, or execute the given Closure and store the result.
      *
+     * @template TCacheValue
+     *
      * @param  string  $key
-     * @param  \DateTimeInterface|\DateInterval|int|null  $ttl
-     * @param  \Closure  $callback
-     * @return mixed
+     * @param  \DateTimeInterface|\DateInterval|\Closure|int|null  $ttl
+     * @param  \Closure(): TCacheValue  $callback
+     * @return TCacheValue
      */
     public function remember($key, $ttl, Closure $callback);
 
     /**
      * Get an item from the cache, or execute the given Closure and store the result forever.
      *
+     * @template TCacheValue
+     *
      * @param  string  $key
-     * @param  \Closure  $callback
-     * @return mixed
+     * @param  \Closure(): TCacheValue  $callback
+     * @return TCacheValue
      */
     public function sear($key, Closure $callback);
 
     /**
      * Get an item from the cache, or execute the given Closure and store the result forever.
      *
+     * @template TCacheValue
+     *
      * @param  string  $key
-     * @param  \Closure  $callback
-     * @return mixed
+     * @param  \Closure(): TCacheValue  $callback
+     * @return TCacheValue
      */
     public function rememberForever($key, Closure $callback);
 
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Console/Isolatable.php b/data/web/inc/lib/vendor/illuminate/contracts/Console/Isolatable.php
new file mode 100644
index 000000000..d652be3b8
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Console/Isolatable.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Console;
+
+interface Isolatable
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Console/PromptsForMissingInput.php b/data/web/inc/lib/vendor/illuminate/contracts/Console/PromptsForMissingInput.php
new file mode 100644
index 000000000..ccac1edac
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Console/PromptsForMissingInput.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Console;
+
+interface PromptsForMissingInput
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Container/Container.php b/data/web/inc/lib/vendor/illuminate/contracts/Container/Container.php
index 7d7f2c96a..1472a2e5f 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Container/Container.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Container/Container.php
@@ -53,6 +53,15 @@ interface Container extends ContainerInterface
      */
     public function bind($abstract, $concrete = null, $shared = false);
 
+    /**
+     * Bind a callback to resolve with Container::call.
+     *
+     * @param  array|string  $method
+     * @param  \Closure  $callback
+     * @return void
+     */
+    public function bindMethod($method, $callback);
+
     /**
      * Register a binding if it hasn't already been registered.
      *
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Container/ContextualBindingBuilder.php b/data/web/inc/lib/vendor/illuminate/contracts/Container/ContextualBindingBuilder.php
index 1fc7fc159..1d84ef8c7 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Container/ContextualBindingBuilder.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Container/ContextualBindingBuilder.php
@@ -32,7 +32,7 @@ interface ContextualBindingBuilder
      * Specify the configuration item to bind as a primitive.
      *
      * @param  string  $key
-     * @param  ?string  $default
+     * @param  mixed  $default
      * @return void
      */
     public function giveConfig($key, $default = null);
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Cookie/QueueingFactory.php b/data/web/inc/lib/vendor/illuminate/contracts/Cookie/QueueingFactory.php
index d6c74b8f9..2d5f51acd 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Cookie/QueueingFactory.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Cookie/QueueingFactory.php
@@ -7,7 +7,7 @@ interface QueueingFactory extends Factory
     /**
      * Queue a cookie to send with the next response.
      *
-     * @param  array  $parameters
+     * @param  mixed  ...$parameters
      * @return void
      */
     public function queue(...$parameters);
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/Castable.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/Castable.php
index 911b1cf86..776d4fc3c 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/Castable.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/Castable.php
@@ -8,8 +8,7 @@ interface Castable
      * Get the name of the caster class to use when casting from / to this cast target.
      *
      * @param  array  $arguments
-     * @return string
-     * @return string|\Illuminate\Contracts\Database\Eloquent\CastsAttributes|\Illuminate\Contracts\Database\Eloquent\CastsInboundAttributes
+     * @return class-string<CastsAttributes|CastsInboundAttributes>|CastsAttributes|CastsInboundAttributes
      */
     public static function castUsing(array $arguments);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsAttributes.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsAttributes.php
index 808d005f5..89cec66a7 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsAttributes.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsAttributes.php
@@ -2,6 +2,12 @@
 
 namespace Illuminate\Contracts\Database\Eloquent;
 
+use Illuminate\Database\Eloquent\Model;
+
+/**
+ * @template TGet
+ * @template TSet
+ */
 interface CastsAttributes
 {
     /**
@@ -10,19 +16,19 @@ interface CastsAttributes
      * @param  \Illuminate\Database\Eloquent\Model  $model
      * @param  string  $key
      * @param  mixed  $value
-     * @param  array  $attributes
-     * @return mixed
+     * @param  array<string, mixed>  $attributes
+     * @return TGet|null
      */
-    public function get($model, string $key, $value, array $attributes);
+    public function get(Model $model, string $key, mixed $value, array $attributes);
 
     /**
      * Transform the attribute to its underlying model values.
      *
      * @param  \Illuminate\Database\Eloquent\Model  $model
      * @param  string  $key
-     * @param  mixed  $value
-     * @param  array  $attributes
+     * @param  TSet|null  $value
+     * @param  array<string, mixed>  $attributes
      * @return mixed
      */
-    public function set($model, string $key, $value, array $attributes);
+    public function set(Model $model, string $key, mixed $value, array $attributes);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsInboundAttributes.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsInboundAttributes.php
index 4c7801b58..6a3e2ef18 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsInboundAttributes.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/CastsInboundAttributes.php
@@ -2,6 +2,8 @@
 
 namespace Illuminate\Contracts\Database\Eloquent;
 
+use Illuminate\Database\Eloquent\Model;
+
 interface CastsInboundAttributes
 {
     /**
@@ -13,5 +15,5 @@ interface CastsInboundAttributes
      * @param  array  $attributes
      * @return mixed
      */
-    public function set($model, string $key, $value, array $attributes);
+    public function set(Model $model, string $key, mixed $value, array $attributes);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/SerializesCastableAttributes.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/SerializesCastableAttributes.php
index a89f91010..a2ecf16f5 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/SerializesCastableAttributes.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/Eloquent/SerializesCastableAttributes.php
@@ -2,6 +2,8 @@
 
 namespace Illuminate\Contracts\Database\Eloquent;
 
+use Illuminate\Database\Eloquent\Model;
+
 interface SerializesCastableAttributes
 {
     /**
@@ -13,5 +15,5 @@ interface SerializesCastableAttributes
      * @param  array  $attributes
      * @return mixed
      */
-    public function serialize($model, string $key, $value, array $attributes);
+    public function serialize(Model $model, string $key, mixed $value, array $attributes);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/ModelIdentifier.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/ModelIdentifier.php
index 9893d280e..aacd18c07 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Database/ModelIdentifier.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/ModelIdentifier.php
@@ -34,6 +34,13 @@ class ModelIdentifier
      */
     public $connection;
 
+    /**
+     * The class name of the model collection.
+     *
+     * @var string|null
+     */
+    public $collectionClass;
+
     /**
      * Create a new model identifier.
      *
@@ -50,4 +57,17 @@ class ModelIdentifier
         $this->relations = $relations;
         $this->connection = $connection;
     }
+
+    /**
+     * Specify the collection class that should be used when serializing / restoring collections.
+     *
+     * @param  string|null  $collectionClass
+     * @return $this
+     */
+    public function useCollectionClass(?string $collectionClass)
+    {
+        $this->collectionClass = $collectionClass;
+
+        return $this;
+    }
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/Query/ConditionExpression.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/Query/ConditionExpression.php
new file mode 100644
index 000000000..b2e97a6e8
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/Query/ConditionExpression.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace Illuminate\Contracts\Database\Query;
+
+interface ConditionExpression extends Expression
+{
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Database/Query/Expression.php b/data/web/inc/lib/vendor/illuminate/contracts/Database/Query/Expression.php
new file mode 100644
index 000000000..9e08682fe
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Database/Query/Expression.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace Illuminate\Contracts\Database\Query;
+
+use Illuminate\Database\Grammar;
+
+interface Expression
+{
+    /**
+     * Get the value of the expression.
+     *
+     * @param  \Illuminate\Database\Grammar  $grammar
+     * @return string|int|float
+     */
+    public function getValue(Grammar $grammar);
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Events/Dispatcher.php b/data/web/inc/lib/vendor/illuminate/contracts/Events/Dispatcher.php
index 638610698..7f4096af0 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Events/Dispatcher.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Events/Dispatcher.php
@@ -34,7 +34,7 @@ interface Dispatcher
      *
      * @param  string|object  $event
      * @param  mixed  $payload
-     * @return array|null
+     * @return mixed
      */
     public function until($event, $payload = []);
 
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldDispatchAfterCommit.php b/data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldDispatchAfterCommit.php
new file mode 100644
index 000000000..8f1fbdd4d
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldDispatchAfterCommit.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Events;
+
+interface ShouldDispatchAfterCommit
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldHandleEventsAfterCommit.php b/data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldHandleEventsAfterCommit.php
new file mode 100644
index 000000000..8c7051037
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Events/ShouldHandleEventsAfterCommit.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Events;
+
+interface ShouldHandleEventsAfterCommit
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Filesystem/Filesystem.php b/data/web/inc/lib/vendor/illuminate/contracts/Filesystem/Filesystem.php
index 6d2fd5787..e92d7efc9 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Filesystem/Filesystem.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Filesystem/Filesystem.php
@@ -46,7 +46,7 @@ interface Filesystem
      * Write the contents of a file.
      *
      * @param  string  $path
-     * @param  string|resource  $contents
+     * @param  \Psr\Http\Message\StreamInterface|\Illuminate\Http\File|\Illuminate\Http\UploadedFile|string|resource  $contents
      * @param  mixed  $options
      * @return bool
      */
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Foundation/Application.php b/data/web/inc/lib/vendor/illuminate/contracts/Foundation/Application.php
index b46c6de4d..f768eb963 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Foundation/Application.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Foundation/Application.php
@@ -45,6 +45,22 @@ interface Application extends Container
      */
     public function databasePath($path = '');
 
+    /**
+     * Get the path to the language files.
+     *
+     * @param  string  $path
+     * @return string
+     */
+    public function langPath($path = '');
+
+    /**
+     * Get the path to the public directory.
+     *
+     * @param  string  $path
+     * @return string
+     */
+    public function publicPath($path = '');
+
     /**
      * Get the path to the resources directory.
      *
@@ -64,7 +80,7 @@ interface Application extends Container
     /**
      * Get or check the current application environment.
      *
-     * @param  string|array  $environments
+     * @param  string|array  ...$environments
      * @return string|bool
      */
     public function environment(...$environments);
@@ -83,6 +99,13 @@ interface Application extends Container
      */
     public function runningUnitTests();
 
+    /**
+     * Determine if the application is running with debug mode enabled.
+     *
+     * @return bool
+     */
+    public function hasDebugModeEnabled();
+
     /**
      * Get an instance of the maintenance mode manager implementation.
      *
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Mail/Attachable.php b/data/web/inc/lib/vendor/illuminate/contracts/Mail/Attachable.php
new file mode 100644
index 000000000..6804ec3d4
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Mail/Attachable.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Illuminate\Contracts\Mail;
+
+interface Attachable
+{
+    /**
+     * Get an attachment instance for this entity.
+     *
+     * @return \Illuminate\Mail\Attachment
+     */
+    public function toMailAttachment();
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailable.php b/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailable.php
index c5df7e852..b7fdd42ef 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailable.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailable.php
@@ -10,7 +10,7 @@ interface Mailable
      * Send the message using the given mailer.
      *
      * @param  \Illuminate\Contracts\Mail\Factory|\Illuminate\Contracts\Mail\Mailer  $mailer
-     * @return void
+     * @return \Illuminate\Mail\SentMessage|null
      */
     public function send($mailer);
 
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailer.php b/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailer.php
index 38f9e3b56..4d97f3ea5 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailer.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Mail/Mailer.php
@@ -25,7 +25,7 @@ interface Mailer
      *
      * @param  string  $text
      * @param  mixed  $callback
-     * @return void
+     * @return \Illuminate\Mail\SentMessage|null
      */
     public function raw($text, $callback);
 
@@ -35,7 +35,7 @@ interface Mailer
      * @param  \Illuminate\Contracts\Mail\Mailable|string|array  $view
      * @param  array  $data
      * @param  \Closure|string|null  $callback
-     * @return void
+     * @return \Illuminate\Mail\SentMessage|null
      */
     public function send($view, array $data = [], $callback = null);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Pagination/CursorPaginator.php b/data/web/inc/lib/vendor/illuminate/contracts/Pagination/CursorPaginator.php
index 2d62d3a51..c6b96fbe4 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Pagination/CursorPaginator.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Pagination/CursorPaginator.php
@@ -29,6 +29,13 @@ interface CursorPaginator
      */
     public function fragment($fragment = null);
 
+    /**
+     * Add all current query string values to the paginator.
+     *
+     * @return $this
+     */
+    public function withQueryString();
+
     /**
      * Get the URL for the previous page, or null.
      *
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Pagination/Paginator.php b/data/web/inc/lib/vendor/illuminate/contracts/Pagination/Paginator.php
index 49bafaa77..04201cef4 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Pagination/Paginator.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Pagination/Paginator.php
@@ -15,7 +15,7 @@ interface Paginator
     /**
      * Add a set of query string values to the paginator.
      *
-     * @param  array|string  $key
+     * @param  array|string|null  $key
      * @param  string|null  $value
      * @return $this
      */
@@ -25,7 +25,7 @@ interface Paginator
      * Get / set the URL fragment to be appended to URLs.
      *
      * @param  string|null  $fragment
-     * @return $this|string
+     * @return $this|string|null
      */
     public function fragment($fragment = null);
 
@@ -53,14 +53,14 @@ interface Paginator
     /**
      * Get the "index" of the first item being paginated.
      *
-     * @return int
+     * @return int|null
      */
     public function firstItem();
 
     /**
      * Get the "index" of the last item being paginated.
      *
-     * @return int
+     * @return int|null
      */
     public function lastItem();
 
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Process/InvokedProcess.php b/data/web/inc/lib/vendor/illuminate/contracts/Process/InvokedProcess.php
new file mode 100644
index 000000000..d272d3772
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Process/InvokedProcess.php
@@ -0,0 +1,64 @@
+<?php
+
+namespace Illuminate\Contracts\Process;
+
+interface InvokedProcess
+{
+    /**
+     * Get the process ID if the process is still running.
+     *
+     * @return int|null
+     */
+    public function id();
+
+    /**
+     * Send a signal to the process.
+     *
+     * @param  int  $signal
+     * @return $this
+     */
+    public function signal(int $signal);
+
+    /**
+     * Determine if the process is still running.
+     *
+     * @return bool
+     */
+    public function running();
+
+    /**
+     * Get the standard output for the process.
+     *
+     * @return string
+     */
+    public function output();
+
+    /**
+     * Get the error output for the process.
+     *
+     * @return string
+     */
+    public function errorOutput();
+
+    /**
+     * Get the latest standard output for the process.
+     *
+     * @return string
+     */
+    public function latestOutput();
+
+    /**
+     * Get the latest error output for the process.
+     *
+     * @return string
+     */
+    public function latestErrorOutput();
+
+    /**
+     * Wait for the process to finish.
+     *
+     * @param  callable|null  $output
+     * @return \Illuminate\Console\Process\ProcessResult
+     */
+    public function wait(callable $output = null);
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Process/ProcessResult.php b/data/web/inc/lib/vendor/illuminate/contracts/Process/ProcessResult.php
new file mode 100644
index 000000000..702701ea1
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Process/ProcessResult.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace Illuminate\Contracts\Process;
+
+interface ProcessResult
+{
+    /**
+     * Get the original command executed by the process.
+     *
+     * @return string
+     */
+    public function command();
+
+    /**
+     * Determine if the process was successful.
+     *
+     * @return bool
+     */
+    public function successful();
+
+    /**
+     * Determine if the process failed.
+     *
+     * @return bool
+     */
+    public function failed();
+
+    /**
+     * Get the exit code of the process.
+     *
+     * @return int|null
+     */
+    public function exitCode();
+
+    /**
+     * Get the standard output of the process.
+     *
+     * @return string
+     */
+    public function output();
+
+    /**
+     * Get the error output of the process.
+     *
+     * @return string
+     */
+    public function errorOutput();
+
+    /**
+     * Throw an exception if the process failed.
+     *
+     * @param  callable|null  $callback
+     * @return $this
+     */
+    public function throw(callable $callback = null);
+
+    /**
+     * Throw an exception if the process failed and the given condition is true.
+     *
+     * @param  bool  $condition
+     * @param  callable|null  $callback
+     * @return $this
+     */
+    public function throwIf(bool $condition, callable $callback = null);
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Queue/Monitor.php b/data/web/inc/lib/vendor/illuminate/contracts/Queue/Monitor.php
index 7da62d3ad..87677f0e7 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Queue/Monitor.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Queue/Monitor.php
@@ -13,7 +13,7 @@ interface Monitor
     public function looping($callback);
 
     /**
-     * Register a callback to be executed when a job fails after the maximum amount of retries.
+     * Register a callback to be executed when a job fails after the maximum number of retries.
      *
      * @param  mixed  $callback
      * @return void
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Queue/ShouldQueueAfterCommit.php b/data/web/inc/lib/vendor/illuminate/contracts/Queue/ShouldQueueAfterCommit.php
new file mode 100644
index 000000000..8545ad30d
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Queue/ShouldQueueAfterCommit.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Queue;
+
+interface ShouldQueueAfterCommit extends ShouldQueue
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Routing/ResponseFactory.php b/data/web/inc/lib/vendor/illuminate/contracts/Routing/ResponseFactory.php
index 86c16cab8..0aa51d551 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Routing/ResponseFactory.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Routing/ResponseFactory.php
@@ -60,7 +60,7 @@ interface ResponseFactory
     /**
      * Create a new streamed response instance.
      *
-     * @param  \Closure  $callback
+     * @param  callable  $callback
      * @param  int  $status
      * @param  array  $headers
      * @return \Symfony\Component\HttpFoundation\StreamedResponse
@@ -70,7 +70,7 @@ interface ResponseFactory
     /**
      * Create a new streamed response instance as a file download.
      *
-     * @param  \Closure  $callback
+     * @param  callable  $callback
      * @param  string|null  $name
      * @param  array  $headers
      * @param  string|null  $disposition
@@ -123,7 +123,7 @@ interface ResponseFactory
     /**
      * Create a new redirect response to a controller action.
      *
-     * @param  string  $action
+     * @param  array|string  $action
      * @param  mixed  $parameters
      * @param  int  $status
      * @param  array  $headers
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Session/Middleware/AuthenticatesSessions.php b/data/web/inc/lib/vendor/illuminate/contracts/Session/Middleware/AuthenticatesSessions.php
new file mode 100644
index 000000000..113f42007
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Session/Middleware/AuthenticatesSessions.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace Illuminate\Contracts\Session\Middleware;
+
+interface AuthenticatesSessions
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Support/MessageBag.php b/data/web/inc/lib/vendor/illuminate/contracts/Support/MessageBag.php
index 7f708aca5..14855d06e 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Support/MessageBag.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Support/MessageBag.php
@@ -64,6 +64,14 @@ interface MessageBag extends Arrayable, Countable
      */
     public function all($format = null);
 
+    /**
+     * Remove a message from the bag.
+     *
+     * @param  string  $key
+     * @return $this
+     */
+    public function forget($key);
+
     /**
      * Get the raw messages in the container.
      *
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Translation/Translator.php b/data/web/inc/lib/vendor/illuminate/contracts/Translation/Translator.php
index 6eae4915d..ded1a8b86 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Translation/Translator.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Translation/Translator.php
@@ -18,7 +18,7 @@ interface Translator
      * Get a translation according to an integer value.
      *
      * @param  string  $key
-     * @param  \Countable|int|array  $number
+     * @param  \Countable|int|float|array  $number
      * @param  array  $replace
      * @param  string|null  $locale
      * @return string
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/DataAwareRule.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/DataAwareRule.php
index 7ec7ab5a9..739626c2e 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Validation/DataAwareRule.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/DataAwareRule.php
@@ -10,5 +10,5 @@ interface DataAwareRule
      * @param  array  $data
      * @return $this
      */
-    public function setData($data);
+    public function setData(array $data);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/Factory.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/Factory.php
index 104675a4d..70687e87f 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Validation/Factory.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/Factory.php
@@ -10,10 +10,10 @@ interface Factory
      * @param  array  $data
      * @param  array  $rules
      * @param  array  $messages
-     * @param  array  $customAttributes
+     * @param  array  $attributes
      * @return \Illuminate\Contracts\Validation\Validator
      */
-    public function make(array $data, array $rules, array $messages = [], array $customAttributes = []);
+    public function make(array $data, array $rules, array $messages = [], array $attributes = []);
 
     /**
      * Register a custom validator extension.
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/ImplicitRule.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/ImplicitRule.php
index bbc64f44e..ac5df83f9 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Validation/ImplicitRule.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/ImplicitRule.php
@@ -2,6 +2,9 @@
 
 namespace Illuminate\Contracts\Validation;
 
+/**
+ * @deprecated see ValidationRule
+ */
 interface ImplicitRule extends Rule
 {
     //
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/InvokableRule.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/InvokableRule.php
new file mode 100644
index 000000000..c7ac9c248
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/InvokableRule.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace Illuminate\Contracts\Validation;
+
+use Closure;
+
+/**
+ * @deprecated see ValidationRule
+ */
+interface InvokableRule
+{
+    /**
+     * Run the validation rule.
+     *
+     * @param  string  $attribute
+     * @param  mixed  $value
+     * @param  \Closure(string): \Illuminate\Translation\PotentiallyTranslatedString  $fail
+     * @return void
+     */
+    public function __invoke(string $attribute, mixed $value, Closure $fail);
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/Rule.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/Rule.php
index cc03777af..102cc5342 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Validation/Rule.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/Rule.php
@@ -2,6 +2,9 @@
 
 namespace Illuminate\Contracts\Validation;
 
+/**
+ * @deprecated see ValidationRule
+ */
 interface Rule
 {
     /**
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidationRule.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidationRule.php
new file mode 100644
index 000000000..1c95b975c
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidationRule.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Illuminate\Contracts\Validation;
+
+use Closure;
+
+interface ValidationRule
+{
+    /**
+     * Run the validation rule.
+     *
+     * @param  string  $attribute
+     * @param  mixed  $value
+     * @param  \Closure(string): \Illuminate\Translation\PotentiallyTranslatedString  $fail
+     * @return void
+     */
+    public function validate(string $attribute, mixed $value, Closure $fail): void;
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidatorAwareRule.php b/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidatorAwareRule.php
index 053f4fa8b..0baf2742b 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidatorAwareRule.php
+++ b/data/web/inc/lib/vendor/illuminate/contracts/Validation/ValidatorAwareRule.php
@@ -2,6 +2,8 @@
 
 namespace Illuminate\Contracts\Validation;
 
+use Illuminate\Validation\Validator;
+
 interface ValidatorAwareRule
 {
     /**
@@ -10,5 +12,5 @@ interface ValidatorAwareRule
      * @param  \Illuminate\Validation\Validator  $validator
      * @return $this
      */
-    public function setValidator($validator);
+    public function setValidator(Validator $validator);
 }
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/View/ViewCompilationException.php b/data/web/inc/lib/vendor/illuminate/contracts/View/ViewCompilationException.php
new file mode 100644
index 000000000..5c57619ef
--- /dev/null
+++ b/data/web/inc/lib/vendor/illuminate/contracts/View/ViewCompilationException.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace Illuminate\Contracts\View;
+
+use Exception;
+
+class ViewCompilationException extends Exception
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/illuminate/contracts/composer.json b/data/web/inc/lib/vendor/illuminate/contracts/composer.json
index 9296ba9e5..acae4bef8 100644
--- a/data/web/inc/lib/vendor/illuminate/contracts/composer.json
+++ b/data/web/inc/lib/vendor/illuminate/contracts/composer.json
@@ -14,7 +14,7 @@
         }
     ],
     "require": {
-        "php": "^8.0.2",
+        "php": "^8.1",
         "psr/container": "^1.1.1|^2.0.1",
         "psr/simple-cache": "^1.0|^2.0|^3.0"
     },
@@ -25,7 +25,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "9.x-dev"
+            "dev-master": "10.x-dev"
         }
     },
     "config": {
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/.phpstorm.meta.php b/data/web/inc/lib/vendor/nesbot/carbon/.phpstorm.meta.php
new file mode 100644
index 000000000..bd7c7e0e7
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/.phpstorm.meta.php
@@ -0,0 +1,10 @@
+<?php
+namespace PHPSTORM_META {
+    registerArgumentsSet("date_units", "millenania", "millennium", "century", "centuries", "decade", "decades", "year", "years", "y", "yr", "yrs", "quarter", "quarters", "month", "months", "mo", "mos", "week", "weeks", "w", "day", "days", "d", "hour", "hours", "h", "minute", "minutes", "m", "second", "seconds", "s", "millisecond", "milliseconds", "milli", "ms", "microsecond", "microseconds", "micro", "µs");
+    expectedArguments(\Carbon\Traits\Units::add(), 0, argumentsSet("date_units"));
+    expectedArguments(\Carbon\Traits\Units::add(), 1, argumentsSet("date_units"));
+    expectedArguments(\Carbon\CarbonInterface::add(), 0, argumentsSet("date_units"));
+    expectedArguments(\Carbon\CarbonInterface::add(), 1, argumentsSet("date_units"));
+
+    expectedArguments(\Carbon\CarbonInterface::getTimeFormatByPrecision(), 0, "minute", "second", "m", "millisecond", "µ", "microsecond", "minutes", "seconds", "ms", "milliseconds", "µs", "microseconds");
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/composer.json b/data/web/inc/lib/vendor/nesbot/carbon/composer.json
index 84ec1361c..48366b5dd 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/composer.json
+++ b/data/web/inc/lib/vendor/nesbot/carbon/composer.json
@@ -1,14 +1,13 @@
 {
     "name": "nesbot/carbon",
-    "type": "library",
     "description": "An API extension for DateTime that supports 281 different languages.",
+    "license": "MIT",
+    "type": "library",
     "keywords": [
         "date",
         "time",
         "DateTime"
     ],
-    "homepage": "https://carbon.nesbot.com",
-    "license": "MIT",
     "authors": [
         {
             "name": "Brian Nesbitt",
@@ -20,31 +19,77 @@
             "homepage": "https://github.com/kylekatarnls"
         }
     ],
+    "homepage": "https://carbon.nesbot.com",
+    "support": {
+        "issues": "https://github.com/briannesbitt/Carbon/issues",
+        "source": "https://github.com/briannesbitt/Carbon",
+        "docs": "https://carbon.nesbot.com/docs"
+    },
+    "funding": [
+        {
+            "url": "https://github.com/sponsors/kylekatarnls",
+            "type": "github"
+        },
+        {
+            "url": "https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme",
+            "type": "tidelift"
+        },
+        {
+            "url": "https://opencollective.com/Carbon#sponsor",
+            "type": "opencollective"
+        }
+    ],
     "require": {
         "php": "^7.1.8 || ^8.0",
         "ext-json": "*",
+        "carbonphp/carbon-doctrine-types": "*",
+        "psr/clock": "^1.0",
         "symfony/polyfill-mbstring": "^1.0",
         "symfony/polyfill-php80": "^1.16",
         "symfony/translation": "^3.4 || ^4.0 || ^5.0 || ^6.0"
     },
     "require-dev": {
-        "doctrine/dbal": "^2.0 || ^3.0",
-        "doctrine/orm": "^2.7",
+        "doctrine/dbal": "^2.0 || ^3.1.4 || ^4.0",
+        "doctrine/orm": "^2.7 || ^3.0",
         "friendsofphp/php-cs-fixer": "^3.0",
         "kylekatarnls/multi-tester": "^2.0",
+        "ondrejmirtes/better-reflection": "*",
         "phpmd/phpmd": "^2.9",
         "phpstan/extension-installer": "^1.0",
-        "phpstan/phpstan": "^0.12.54 || ^1.0",
-        "phpunit/phpunit": "^7.5.20 || ^8.5.14",
+        "phpstan/phpstan": "^0.12.99 || ^1.7.14",
+        "phpunit/php-file-iterator": "^2.0.5 || ^3.0.6",
+        "phpunit/phpunit": "^7.5.20 || ^8.5.26 || ^9.5.20",
         "squizlabs/php_codesniffer": "^3.4"
     },
-    "config": {
-        "process-timeout": 0,
-        "sort-packages": true,
-        "allow-plugins": {
-            "phpstan/extension-installer": true
+    "provide": {
+        "psr/clock-implementation": "1.0"
+    },
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "autoload": {
+        "psr-4": {
+            "Carbon\\": "src/Carbon/"
         }
     },
+    "autoload-dev": {
+        "psr-4": {
+            "Tests\\": "tests/"
+        },
+        "files": [
+            "tests/Laravel/ServiceProvider.php"
+        ]
+    },
+    "bin": [
+        "bin/carbon"
+    ],
+    "config": {
+        "allow-plugins": {
+            "phpstan/extension-installer": true,
+            "composer/package-versions-deprecated": true
+        },
+        "process-timeout": 0,
+        "sort-packages": true
+    },
     "extra": {
         "branch-alias": {
             "dev-3.x": "3.x-dev",
@@ -61,28 +106,11 @@
             ]
         }
     },
-    "autoload": {
-        "psr-4": {
-            "Carbon\\": "src/Carbon/"
-        }
-    },
-    "autoload-dev": {
-        "psr-4": {
-            "Tests\\": "tests/"
-        },
-        "files": [
-            "tests/Laravel/ServiceProvider.php"
-        ]
-    },
-    "minimum-stability": "dev",
-    "prefer-stable": true,
-    "bin": [
-        "bin/carbon"
-    ],
     "scripts": {
         "phpcs": "php-cs-fixer fix -v --diff --dry-run",
         "phpdoc": "php phpdoc.php",
         "phpmd": "phpmd src text /phpmd.xml",
+        "phpmd-test": "phpmd tests text /tests/phpmd-test.xml",
         "phpstan": "phpstan analyse --configuration phpstan.neon",
         "phpunit": "phpunit --verbose",
         "style-check": [
@@ -93,11 +121,7 @@
         "test": [
             "@phpunit",
             "@style-check"
-        ]
-    },
-    "support": {
-        "issues": "https://github.com/briannesbitt/Carbon/issues",
-        "source": "https://github.com/briannesbitt/Carbon",
-        "docs": "https://carbon.nesbot.com/docs"
+        ],
+        "sponsors": "php sponsors.php"
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php
new file mode 100644
index 000000000..c2f4bf013
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\MessageFormatter;
+
+use Symfony\Component\Translation\Formatter\MessageFormatterInterface;
+
+if (!class_exists(LazyMessageFormatter::class, false)) {
+    abstract class LazyMessageFormatter implements MessageFormatterInterface
+    {
+        public function format(string $message, string $locale, array $parameters = []): string
+        {
+            return $this->formatter->format(
+                $message,
+                $this->transformLocale($locale),
+                $parameters
+            );
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php
new file mode 100644
index 000000000..cbd890d5b
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php
@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\MessageFormatter;
+
+use Symfony\Component\Translation\Formatter\ChoiceMessageFormatterInterface;
+use Symfony\Component\Translation\Formatter\MessageFormatterInterface;
+
+if (!class_exists(LazyMessageFormatter::class, false)) {
+    abstract class LazyMessageFormatter implements MessageFormatterInterface, ChoiceMessageFormatterInterface
+    {
+        abstract protected function transformLocale(?string $locale): ?string;
+
+        public function format($message, $locale, array $parameters = [])
+        {
+            return $this->formatter->format(
+                $message,
+                $this->transformLocale($locale),
+                $parameters
+            );
+        }
+
+        public function choiceFormat($message, $number, $locale, array $parameters = [])
+        {
+            return $this->formatter->choiceFormat($message, $number, $locale, $parameters);
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroBuiltin.php b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroBuiltin.php
new file mode 100644
index 000000000..ba7cf6320
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroBuiltin.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\PHPStan;
+
+use PHPStan\BetterReflection\Reflection;
+use ReflectionMethod;
+
+if (!class_exists(AbstractReflectionMacro::class, false)) {
+    abstract class AbstractReflectionMacro extends AbstractMacro
+    {
+        /**
+         * {@inheritdoc}
+         */
+        public function getReflection(): ?ReflectionMethod
+        {
+            if ($this->reflectionFunction instanceof Reflection\ReflectionMethod) {
+                return new Reflection\Adapter\ReflectionMethod($this->reflectionFunction);
+            }
+
+            return $this->reflectionFunction instanceof ReflectionMethod
+                ? $this->reflectionFunction
+                : null;
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroStatic.php b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroStatic.php
new file mode 100644
index 000000000..bd4c8e804
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroStatic.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\PHPStan;
+
+use PHPStan\BetterReflection\Reflection;
+use ReflectionMethod;
+
+if (!class_exists(AbstractReflectionMacro::class, false)) {
+    abstract class AbstractReflectionMacro extends AbstractMacro
+    {
+        /**
+         * {@inheritdoc}
+         */
+        public function getReflection(): ?Reflection\Adapter\ReflectionMethod
+        {
+            if ($this->reflectionFunction instanceof Reflection\Adapter\ReflectionMethod) {
+                return $this->reflectionFunction;
+            }
+
+            if ($this->reflectionFunction instanceof Reflection\ReflectionMethod) {
+                return new Reflection\Adapter\ReflectionMethod($this->reflectionFunction);
+            }
+
+            return $this->reflectionFunction instanceof ReflectionMethod
+                ? new Reflection\Adapter\ReflectionMethod(
+                    Reflection\ReflectionMethod::createFromName(
+                        $this->reflectionFunction->getDeclaringClass()->getName(),
+                        $this->reflectionFunction->getName()
+                    )
+                )
+                : null;
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroStrongType.php b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroStrongType.php
index eacd9c1ea..f615b3a64 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroStrongType.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroStrongType.php
@@ -14,14 +14,16 @@ declare(strict_types=1);
 namespace Carbon\PHPStan;
 
 if (!class_exists(LazyMacro::class, false)) {
-    abstract class LazyMacro extends AbstractMacro
+    abstract class LazyMacro extends AbstractReflectionMacro
     {
         /**
          * {@inheritdoc}
          */
         public function getFileName(): ?string
         {
-            return $this->reflectionFunction->getFileName();
+            $file = $this->reflectionFunction->getFileName();
+
+            return (($file ? realpath($file) : null) ?: $file) ?: null;
         }
 
         /**
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroWeakType.php b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroWeakType.php
index 3e9fcf4f7..bf64c1dd9 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroWeakType.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroWeakType.php
@@ -14,7 +14,7 @@ declare(strict_types=1);
 namespace Carbon\PHPStan;
 
 if (!class_exists(LazyMacro::class, false)) {
-    abstract class LazyMacro extends AbstractMacro
+    abstract class LazyMacro extends AbstractReflectionMacro
     {
         /**
          * {@inheritdoc}
@@ -23,7 +23,9 @@ if (!class_exists(LazyMacro::class, false)) {
          */
         public function getFileName()
         {
-            return $this->reflectionFunction->getFileName();
+            $file = $this->reflectionFunction->getFileName();
+
+            return (($file ? realpath($file) : null) ?: $file) ?: null;
         }
 
         /**
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/readme.md b/data/web/inc/lib/vendor/nesbot/carbon/readme.md
index 5d827219e..3f4117706 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/readme.md
+++ b/data/web/inc/lib/vendor/nesbot/carbon/readme.md
@@ -2,7 +2,7 @@
 
 [![Latest Stable Version](https://img.shields.io/packagist/v/nesbot/carbon.svg?style=flat-square)](https://packagist.org/packages/nesbot/carbon)
 [![Total Downloads](https://img.shields.io/packagist/dt/nesbot/carbon.svg?style=flat-square)](https://packagist.org/packages/nesbot/carbon)
-[![GitHub Actions](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fbriannesbitt%2FCarbon%2Fbadge&style=flat-square&label=Build&logo=none)](https://actions-badge.atrox.dev/briannesbitt/Carbon/goto)
+[![GitHub Actions](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fbriannesbitt%2FCarbon%2Fbadge&style=flat-square&label=Build&logo=none)](https://github.com/briannesbitt/Carbon/actions)
 [![codecov.io](https://img.shields.io/codecov/c/github/briannesbitt/Carbon.svg?style=flat-square)](https://codecov.io/github/briannesbitt/Carbon?branch=master)
 [![Tidelift](https://tidelift.com/badges/github/briannesbitt/Carbon)](https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme)
 
@@ -119,21 +119,52 @@ This project exists thanks to all the people who contribute.
 
 Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
 
-<a href="https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme" target="_blank"><img src="https://carbon.nesbot.com/tidelift-brand.png" width="256" height="64"></a>
-<a href="https://onlinecasinohex.ca/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img src="https://images.opencollective.com/hexcasinoca/2da3af2/logo/256.png" width="85" height="64"></a>
-<a href="https://opencollective.com/Carbon/sponsor/0/website" target="_blank"><img src="https://opencollective.com/Carbon/sponsor/0/avatar.svg"></a>
-<a href="https://opencollective.com/Carbon/sponsor/1/website" target="_blank"><img src="https://opencollective.com/Carbon/sponsor/1/avatar.svg"></a>
-<a href="https://opencollective.com/Carbon/sponsor/2/website" target="_blank"><img src="https://opencollective.com/Carbon/sponsor/2/avatar.svg"></a>
-<a href="https://opencollective.com/Carbon/sponsor/3/website" target="_blank"><img src="https://opencollective.com/Carbon/sponsor/3/avatar.svg"></a>
-<a href="https://opencollective.com/Carbon/sponsor/4/website" target="_blank"><img src="https://opencollective.com/Carbon/sponsor/4/avatar.svg"></a>
+<a href="https://tidelift.com/subscription/pkg/packagist-nesbot-carbon?utm_source=packagist-nesbot-carbon&utm_medium=referral&utm_campaign=readme" target="_blank"><img src="https://carbon.nesbot.com/tidelift-brand.png" width="256" height="64"></a><!-- <open-collective-sponsors> -->
+<a title="Онлайн казино 777 Україна" href="https://777.ua/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Онлайн казино" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/7e572d50-1ce8-4d69-ae12-86cc80371373/ok-ua-777.png" width="64" height="64"></a>
+<a title="#1 Guide To Online Gambling In Canada" href="https://casinohex.org/canada/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="CasinoHex Canada" src="https://opencollective-production.s3.us-west-1.amazonaws.com/79fdbcc0-a997-11eb-abbc-25e48b63c6dc.jpg" width="85" height="64"></a>
+<a title="Znajdź najlepsze zakłady bukmacherskie w Polsce w 2023 roku. Probukmacher.pl to Twoje kompendium wiedzy na temat bukmacherów!" href="https://www.probukmacher.pl?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Probukmacher" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/caf50271-4560-4ffe-a434-ea15239168db/Screenshot_1.png" width="89" height="64"></a>
+<a title="Gives a fun for our users" href="https://slotoking.ua/games/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Игровые автоматы" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/94601d07-3205-4c60-9c2d-9b8194dbefb7/skg-blue.png" width="64" height="64"></a>
+<a title="Casino-portugal.pt" href="https://casino-portugal.pt/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Casino-portugal.pt" src="https://logo.clearbit.com/casino-portugal.pt" width="64" height="64"></a>
+<a title="Slots City® ➢ Лучшее лицензионно казино онлайн и оффлайн на гривны в Украине. 【 Более1500 игровых автоматов и слотов】✅ Официально и Безопасно" href="https://slotscity.ua/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Slots City" src="https://opencollective-production.s3.us-west-1.amazonaws.com/d7e298c0-7abe-11ed-8553-230872f5e54d.png" width="90" height="64"></a>
+<a title="inkedin" href="https://inkedin.com?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="inkedin" src="https://logo.clearbit.com/inkedin.com" width="64" height="64"></a>
+<a title="Актуальний та повносправний рейтинг онлайн казино України, ґрунтований на відгуках реальних гравців." href="https://uk.onlinecasino.in.ua/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Онлайн казино України" src="https://opencollective-production.s3.us-west-1.amazonaws.com/c0b4b090-eef8-11ec-9cb7-0527a205b226.png" width="64" height="64"></a>
+<a title="OnlineCasinosSpelen" href="https://onlinecasinosspelen.com?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="OnlineCasinosSpelen" src="https://logo.clearbit.com/onlinecasinosspelen.com" width="64" height="64"></a>
+<a title="Best non Gamstop sites in the UK" href="https://nongamstopcasinos.net/gb/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Best non Gamstop sites in the UK" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/34e340b8-e1de-4932-8a76-1b3ce2ec7ee8/logo_white%20bg%20(8).png" width="64" height="64"></a>
+<a title="Real Money Pokies" href="https://www.nzfirst.org.nz/real-money-pokies/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Real Money Pokies" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/30d38232-a9d6-4e95-a48c-641fdc4d96fd/NZ_logo%20(6)%20(1)%20(1).jpg" width="64" height="64"></a>
+<a title="Non GamStop Bookies UK" href="https://nongamstopbookies.com/uk/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Non GamStop Bookies UK" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/43c5561c-8907-4ef7-a4ee-c6da054788b8/logo-site%20(3).jpg" width="64" height="64"></a>
+<a title="Актуальний топ-рейтинг українських онлайн казино на гривні! Щоденне оновлення топу та унікальна система ранжування, основана на відгуках гравців!" href="https://onlinecasino.in.ua/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Онлайн Казино Украины" src="https://opencollective-production.s3.us-west-1.amazonaws.com/8fdd8aa0-e273-11ec-a95e-d38fd331cabf.png" width="64" height="64"></a>
+<a title="Twitter Video Downloader HD Tool allows you to store tweets on your device (mobile or PC) for free." href="https://ssstwitter.online/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="SSSTwitter" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/ba0d1daf-a894-4d98-95f7-a44d321364b3/Screenshot%202024-01-16%20at%2011.43.22.png" width="76" height="64"></a>
+<a title="Entertainment" href="https://www.nongamstopbets.com/casinos-not-on-gamstop/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Non-GamStop Bets UK" src="https://logo.clearbit.com/nongamstopbets.com" width="64" height="64"></a>
+<a title="Chudovo - international software development company with representative offices in Kyiv, Cologne, New York, Tallinn and London. It has been working on the market since 2006. Company has domain expertise in video security, logistics, medicine, finance and" href="https://chudovo.com/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Chudovo" src="https://opencollective-production.s3.us-west-1.amazonaws.com/326c19a0-2e87-11eb-a13a-c99a2a201d11.png" width="84" height="42"></a>
+<a title="Entertainment" href="https://casinogap.org/uk/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="UK Casino Gap" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/143f9301-beec-4118-89d5-9a07a01345f3/casinogap-uk.png" width="42" height="42"></a>
+<a title="NZ Gaming Portal" href="https://casinodeps.co.nz?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="NZ Casino Deps" src="https://logo.clearbit.com/casinodeps.co.nz" width="42" height="42"></a>
+<a title="NonStop Sites" href="https://uk.nonstopcasino.org/non-gamstop-casinos/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="NonStopCasino.org" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/fd7ad905-8752-468f-ad20-582a24cca9d9/non-stop-casino.png" width="42" height="42"></a>
+<a title="Siti Non AAMS" href="https://www.outlookindia.com/outlook-spotlight/migliori-siti-non-aams-siti-scommesse-senza-licenza-sicuri-news-294715?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Migliori Siti Non AAMS" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/392810da-6cb6-4938-a3cb-38bd0e1eb7de/migliori-siti-non-aams.png" width="42" height="42"></a>
+<a title="List of trusted non GamStop casino reviews" href="https://nongamstopcasinos.org?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="UK NonGamStopCasinos" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/cbda0ee1-26ea-4252-9580-f1f9b317b1f7/nongamstopcasinos-uk.png" width="42" height="42"></a>
+<a title="Online TikTok Video Download Tool" href="https://snaptik.pro?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="SnapTik" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/546bcd53-6615-457d-ab21-1db1c52b3af5/logo.jpg" width="42" height="42"></a>
+<a title="IG Downloader is an Instagram Downloader service that offers a variety of tools to download Instagram content for free. Listed below are all the tools" href="https://indownloader.app/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="IG Downloader" src="https://logo.clearbit.com/indownloader.app" width="42" height="42"></a>
+<a title="Proxidize is a mobile proxy creation and management platform that provides all needed components from hardware to cloud software and SIM cards." href="https://proxidize.com/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Proxidize" src="https://logo.clearbit.com/proxidize.com" width="42" height="42"></a>
+<a title="Blastup offers Instagram growth services like buying likes, views, and followers, emphasizing real user engagement and instant delivery." href="https://blastup.com/buy-instagram-likes?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Blastup" src="https://opencollective-production.s3.us-west-1.amazonaws.com/account-avatar/955a0beb-9fe8-4753-ad92-fae8ef5382fc/favicon--dark.jpg" width="42" height="42"></a>
+<a title="A self-hosted web radio management suite, including turnkey installer tools and an easy-to-use web app to manage your stations." href="https://azuracast.com?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="AzuraCast" src="https://opencollective-production.s3.us-west-1.amazonaws.com/3c12ea10-cdfb-11eb-9cf4-3760b386b76d.png" width="42" height="42"></a>
+<a title="Triplebyte is the first software engineering job platform that is on the developer&#039;s side. Take our coding quiz!" href="https://triplebyte.com/os/opencollective?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Triplebyte" src="https://opencollective-production.s3.us-west-1.amazonaws.com/43e4f9d0-30cd-11ea-9c6b-e1142996e8b2.png" width="42" height="42"></a>
+<a title="Connect your Collective to GitHub Sponsors: https://docs.opencollective.com/help/collectives/github-sponsors" href="https://github.com/sponsors/?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="GitHub Sponsors" src="https://opencollective-production.s3.us-west-1.amazonaws.com/87b1d240-f617-11ea-9960-fd7e8ab20fe4.png" width="48" height="42"></a>
+<a title="Salesforce" href="https://engineering.salesforce.com?utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon" target="_blank"><img alt="Salesforce" src="https://opencollective-production.s3.us-west-1.amazonaws.com/24d34880-df8d-11e9-949c-6bc2037b6bd5.png" width="42" height="42"></a>
+<!-- </open-collective-sponsors> -->
 
-[[Become a sponsor](https://opencollective.com/Carbon#sponsor)]
+[[Become a sponsor via OpenCollective](https://opencollective.com/Carbon#sponsor)]
+
+<a href="https://github.com/johnrsimeone" target="_blank"><img src="https://avatars.githubusercontent.com/u/22871068?s=70&v=4" width="64" height="64"></a>
+<a href="https://github.com/taylorotwell" target="_blank"><img src="https://avatars.githubusercontent.com/u/463230?s=128&v=4" width="64" height="64"></a>
+<a href="https://github.com/getsentry" target="_blank"><img src="https://avatars.githubusercontent.com/u/1396951?s=128&v=4" width="64" height="64"></a>
+<a href="https://github.com/codecov" target="_blank"><img src="https://avatars.githubusercontent.com/u/8226205?s=128&v=4" width="64" height="64"></a>
+
+[[Become a sponsor via GitHub](https://github.com/sponsors/kylekatarnls)]
 
 ### Backers
 
 Thank you to all our backers! 🙏
 
-<a href="https://opencollective.com/Carbon#backers" target="_blank"><img src="https://opencollective.com/Carbon/backers.svg?width=890"></a>
+<a href="https://opencollective.com/Carbon#backers" target="_blank"><img src="https://opencollective.com/Carbon/backers.svg?width=890&version=2023-06-08-07-12"></a>
 
 [[Become a backer](https://opencollective.com/Carbon#backer)]
 
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/sponsors.php b/data/web/inc/lib/vendor/nesbot/carbon/sponsors.php
new file mode 100644
index 000000000..67b217161
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/sponsors.php
@@ -0,0 +1,129 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use Carbon\CarbonImmutable;
+
+require_once __DIR__.'/vendor/autoload.php';
+
+function getMaxHistoryMonthsByAmount($amount): int
+{
+    if ($amount >= 50) {
+        return 6;
+    }
+
+    if ($amount >= 20) {
+        return 4;
+    }
+
+    return 2;
+}
+
+function getHtmlAttribute($rawValue): string
+{
+    return str_replace(
+        ['​', "\r"],
+        '',
+        trim(htmlspecialchars((string) $rawValue), "  \n\r\t\v\0"),
+    );
+}
+
+function getOpenCollectiveSponsors(): string
+{
+    $customSponsorImages = [
+        // For consistency and equity among sponsors, as of now, we kindly ask our sponsors
+        // to provide an image having a width/height ratio between 1/1 and 2/1.
+        // By default, we'll show the member picture from OpenCollective, and will resize it if bigger
+        // int(OpenCollective.MemberId) => ImageURL
+    ];
+
+    $members = json_decode(file_get_contents('https://opencollective.com/carbon/members/all.json'), true);
+
+    $list = array_filter($members, static function ($member): bool {
+        return ($member['lastTransactionAmount'] > 3 || $member['isActive']) &&
+            $member['role'] === 'BACKER' &&
+            $member['type'] !== 'USER' &&
+            (
+                $member['totalAmountDonated'] > 100 ||
+                $member['lastTransactionAt'] > CarbonImmutable::now()
+                    ->subMonthsNoOverflow(getMaxHistoryMonthsByAmount($member['lastTransactionAmount']))
+                    ->format('Y-m-d h:i') ||
+                $member['isActive'] && $member['lastTransactionAmount'] >= 30
+            );
+    });
+
+    $list = array_map(static function (array $member): array {
+        $createdAt = CarbonImmutable::parse($member['createdAt']);
+        $lastTransactionAt = CarbonImmutable::parse($member['lastTransactionAt']);
+
+        if ($createdAt->format('d H:i:s.u') > $lastTransactionAt->format('d H:i:s.u')) {
+            $createdAt = $createdAt
+                ->setDay($lastTransactionAt->day)
+                ->modify($lastTransactionAt->format('H:i:s.u'));
+        }
+
+        $monthlyContribution = (float) ($member['totalAmountDonated'] / ceil($createdAt->floatDiffInMonths()));
+
+        if (
+            $lastTransactionAt->isAfter('last month') &&
+            $member['lastTransactionAmount'] > $monthlyContribution
+        ) {
+            $monthlyContribution = (float) $member['lastTransactionAmount'];
+        }
+
+        $yearlyContribution = (float) ($member['totalAmountDonated'] / max(1, $createdAt->floatDiffInYears()));
+        $status = null;
+
+        if ($monthlyContribution > 29) {
+            $status = 'sponsor';
+        } elseif ($monthlyContribution > 4.5 || $yearlyContribution > 29) {
+            $status = 'backer';
+        } elseif ($member['totalAmountDonated'] > 0) {
+            $status = 'helper';
+        }
+
+        return array_merge($member, [
+            'star' => ($monthlyContribution > 98 || $yearlyContribution > 500),
+            'status' => $status,
+            'monthlyContribution' => $monthlyContribution,
+            'yearlyContribution' => $yearlyContribution,
+        ]);
+    }, $list);
+
+    usort($list, static function (array $a, array $b): int {
+        return ($b['monthlyContribution'] <=> $a['monthlyContribution'])
+            ?: ($b['totalAmountDonated'] <=> $a['totalAmountDonated']);
+    });
+
+    return implode('', array_map(static function (array $member) use ($customSponsorImages): string {
+        $href = htmlspecialchars($member['website'] ?? $member['profile']);
+        $src = $customSponsorImages[$member['MemberId'] ?? ''] ?? $member['image'] ?? (strtr($member['profile'], ['https://opencollective.com/' => 'https://images.opencollective.com/']).'/avatar/256.png');
+        [$x, $y] = @getimagesize($src) ?: [0, 0];
+        $validImage = ($x && $y);
+        $src = $validImage ? htmlspecialchars($src) : 'https://opencollective.com/static/images/default-guest-logo.svg';
+        $height = $member['status'] === 'sponsor' ? 64 : 42;
+        $width = min($height * 2, $validImage ? round($x * $height / $y) : $height);
+        $href .= (strpos($href, '?') === false ? '?' : '&amp;').'utm_source=opencollective&amp;utm_medium=github&amp;utm_campaign=Carbon';
+        $title = getHtmlAttribute(($member['description'] ?? null) ?: $member['name']);
+        $alt = getHtmlAttribute($member['name']);
+
+        return "\n".'<a title="'.$title.'" href="'.$href.'" target="_blank">'.
+            '<img alt="'.$alt.'" src="'.$src.'" width="'.$width.'" height="'.$height.'">'.
+            '</a>';
+    }, $list))."\n";
+}
+
+file_put_contents('readme.md', preg_replace_callback(
+    '/(<!-- <open-collective-sponsors> -->)[\s\S]+(<!-- <\/open-collective-sponsors> -->)/',
+    static function (array $match): string {
+        return $match[1].getOpenCollectiveSponsors().$match[2];
+    },
+    file_get_contents('readme.md')
+));
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/AbstractTranslator.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/AbstractTranslator.php
index 48441e7c2..8b8fe089e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/AbstractTranslator.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/AbstractTranslator.php
@@ -11,6 +11,7 @@
 
 namespace Carbon;
 
+use Carbon\MessageFormatter\MessageFormatterMapper;
 use Closure;
 use ReflectionException;
 use ReflectionFunction;
@@ -51,7 +52,7 @@ abstract class AbstractTranslator extends Translation\Translator
     /**
      * List of locales aliases.
      *
-     * @var string[]
+     * @var array<string, string>
      */
     protected $aliases = [
         'me' => 'sr_Latn_ME',
@@ -83,7 +84,7 @@ abstract class AbstractTranslator extends Translation\Translator
         $this->initializing = true;
         $this->directories = [__DIR__.'/Lang'];
         $this->addLoader('array', new ArrayLoader());
-        parent::__construct($locale, $formatter, $cacheDir, $debug);
+        parent::__construct($locale, new MessageFormatterMapper($formatter), $cacheDir, $debug);
         $this->initializing = false;
     }
 
@@ -220,8 +221,8 @@ abstract class AbstractTranslator extends Translation\Translator
 
         $catalogue = $this->getCatalogue($locale);
         $format = $this instanceof TranslatorStrongTypeInterface
-            ? $this->getFromCatalogue($catalogue, (string) $id, $domain) // @codeCoverageIgnore
-            : $this->getCatalogue($locale)->get((string) $id, $domain);
+            ? $this->getFromCatalogue($catalogue, (string) $id, $domain)
+            : $this->getCatalogue($locale)->get((string) $id, $domain); // @codeCoverageIgnore
 
         if ($format instanceof Closure) {
             // @codeCoverageIgnoreStart
@@ -250,11 +251,7 @@ abstract class AbstractTranslator extends Translation\Translator
      */
     protected function loadMessagesFromFile($locale)
     {
-        if (isset($this->messages[$locale])) {
-            return true;
-        }
-
-        return $this->resetMessages($locale);
+        return isset($this->messages[$locale]) || $this->resetMessages($locale);
     }
 
     /**
@@ -311,7 +308,7 @@ abstract class AbstractTranslator extends Translation\Translator
      */
     public function setLocale($locale)
     {
-        $locale = preg_replace_callback('/[-_]([a-z]{2,}|[0-9]{2,})/', function ($matches) {
+        $locale = preg_replace_callback('/[-_]([a-z]{2,}|\d{2,})/', function ($matches) {
             // _2-letters or YUE is a region, _3+-letters is a variant
             $upper = strtoupper($matches[1]);
 
@@ -359,13 +356,13 @@ abstract class AbstractTranslator extends Translation\Translator
             parent::setLocale($macroLocale);
         }
 
-        if ($this->loadMessagesFromFile($locale) || $this->initializing) {
-            parent::setLocale($locale);
-
-            return true;
+        if (!$this->loadMessagesFromFile($locale) && !$this->initializing) {
+            return false;
         }
 
-        return false;
+        parent::setLocale($locale);
+
+        return true;
     }
 
     /**
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Carbon.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Carbon.php
index e327590e2..e32569ae3 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Carbon.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Carbon.php
@@ -33,477 +33,477 @@ use DateTimeZone;
  * @property      int                 $second
  * @property      int                 $micro
  * @property      int                 $microsecond
- * @property      int|float|string    $timestamp                                                                           seconds since the Unix Epoch
- * @property      string              $englishDayOfWeek                                                                    the day of week in English
- * @property      string              $shortEnglishDayOfWeek                                                               the abbreviated day of week in English
- * @property      string              $englishMonth                                                                        the month in English
- * @property      string              $shortEnglishMonth                                                                   the abbreviated month in English
+ * @property      int|float|string    $timestamp                                                                                      seconds since the Unix Epoch
+ * @property      string              $englishDayOfWeek                                                                               the day of week in English
+ * @property      string              $shortEnglishDayOfWeek                                                                          the abbreviated day of week in English
+ * @property      string              $englishMonth                                                                                   the month in English
+ * @property      string              $shortEnglishMonth                                                                              the abbreviated month in English
  * @property      int                 $milliseconds
  * @property      int                 $millisecond
  * @property      int                 $milli
- * @property      int                 $week                                                                                1 through 53
- * @property      int                 $isoWeek                                                                             1 through 53
- * @property      int                 $weekYear                                                                            year according to week format
- * @property      int                 $isoWeekYear                                                                         year according to ISO week format
- * @property      int                 $dayOfYear                                                                           1 through 366
- * @property      int                 $age                                                                                 does a diffInYears() with default parameters
- * @property      int                 $offset                                                                              the timezone offset in seconds from UTC
- * @property      int                 $offsetMinutes                                                                       the timezone offset in minutes from UTC
- * @property      int                 $offsetHours                                                                         the timezone offset in hours from UTC
- * @property      CarbonTimeZone      $timezone                                                                            the current timezone
- * @property      CarbonTimeZone      $tz                                                                                  alias of $timezone
- * @property-read int                 $dayOfWeek                                                                           0 (for Sunday) through 6 (for Saturday)
- * @property-read int                 $dayOfWeekIso                                                                        1 (for Monday) through 7 (for Sunday)
- * @property-read int                 $weekOfYear                                                                          ISO-8601 week number of year, weeks starting on Monday
- * @property-read int                 $daysInMonth                                                                         number of days in the given month
- * @property-read string              $latinMeridiem                                                                       "am"/"pm" (Ante meridiem or Post meridiem latin lowercase mark)
- * @property-read string              $latinUpperMeridiem                                                                  "AM"/"PM" (Ante meridiem or Post meridiem latin uppercase mark)
- * @property-read string              $timezoneAbbreviatedName                                                             the current timezone abbreviated name
- * @property-read string              $tzAbbrName                                                                          alias of $timezoneAbbreviatedName
- * @property-read string              $dayName                                                                             long name of weekday translated according to Carbon locale, in english if no translation available for current language
- * @property-read string              $shortDayName                                                                        short name of weekday translated according to Carbon locale, in english if no translation available for current language
- * @property-read string              $minDayName                                                                          very short name of weekday translated according to Carbon locale, in english if no translation available for current language
- * @property-read string              $monthName                                                                           long name of month translated according to Carbon locale, in english if no translation available for current language
- * @property-read string              $shortMonthName                                                                      short name of month translated according to Carbon locale, in english if no translation available for current language
- * @property-read string              $meridiem                                                                            lowercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
- * @property-read string              $upperMeridiem                                                                       uppercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
- * @property-read int                 $noZeroHour                                                                          current hour from 1 to 24
- * @property-read int                 $weeksInYear                                                                         51 through 53
- * @property-read int                 $isoWeeksInYear                                                                      51 through 53
- * @property-read int                 $weekOfMonth                                                                         1 through 5
- * @property-read int                 $weekNumberInMonth                                                                   1 through 5
- * @property-read int                 $firstWeekDay                                                                        0 through 6
- * @property-read int                 $lastWeekDay                                                                         0 through 6
- * @property-read int                 $daysInYear                                                                          365 or 366
- * @property-read int                 $quarter                                                                             the quarter of this instance, 1 - 4
- * @property-read int                 $decade                                                                              the decade of this instance
- * @property-read int                 $century                                                                             the century of this instance
- * @property-read int                 $millennium                                                                          the millennium of this instance
- * @property-read bool                $dst                                                                                 daylight savings time indicator, true if DST, false otherwise
- * @property-read bool                $local                                                                               checks if the timezone is local, true if local, false otherwise
- * @property-read bool                $utc                                                                                 checks if the timezone is UTC, true if UTC, false otherwise
- * @property-read string              $timezoneName                                                                        the current timezone name
- * @property-read string              $tzName                                                                              alias of $timezoneName
- * @property-read string              $locale                                                                              locale of the current instance
+ * @property      int                 $week                                                                                           1 through 53
+ * @property      int                 $isoWeek                                                                                        1 through 53
+ * @property      int                 $weekYear                                                                                       year according to week format
+ * @property      int                 $isoWeekYear                                                                                    year according to ISO week format
+ * @property      int                 $dayOfYear                                                                                      1 through 366
+ * @property      int                 $age                                                                                            does a diffInYears() with default parameters
+ * @property      int                 $offset                                                                                         the timezone offset in seconds from UTC
+ * @property      int                 $offsetMinutes                                                                                  the timezone offset in minutes from UTC
+ * @property      int                 $offsetHours                                                                                    the timezone offset in hours from UTC
+ * @property      CarbonTimeZone      $timezone                                                                                       the current timezone
+ * @property      CarbonTimeZone      $tz                                                                                             alias of $timezone
+ * @property-read int                 $dayOfWeek                                                                                      0 (for Sunday) through 6 (for Saturday)
+ * @property-read int                 $dayOfWeekIso                                                                                   1 (for Monday) through 7 (for Sunday)
+ * @property-read int                 $weekOfYear                                                                                     ISO-8601 week number of year, weeks starting on Monday
+ * @property-read int                 $daysInMonth                                                                                    number of days in the given month
+ * @property-read string              $latinMeridiem                                                                                  "am"/"pm" (Ante meridiem or Post meridiem latin lowercase mark)
+ * @property-read string              $latinUpperMeridiem                                                                             "AM"/"PM" (Ante meridiem or Post meridiem latin uppercase mark)
+ * @property-read string              $timezoneAbbreviatedName                                                                        the current timezone abbreviated name
+ * @property-read string              $tzAbbrName                                                                                     alias of $timezoneAbbreviatedName
+ * @property-read string              $dayName                                                                                        long name of weekday translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $shortDayName                                                                                   short name of weekday translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $minDayName                                                                                     very short name of weekday translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $monthName                                                                                      long name of month translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $shortMonthName                                                                                 short name of month translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $meridiem                                                                                       lowercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
+ * @property-read string              $upperMeridiem                                                                                  uppercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
+ * @property-read int                 $noZeroHour                                                                                     current hour from 1 to 24
+ * @property-read int                 $weeksInYear                                                                                    51 through 53
+ * @property-read int                 $isoWeeksInYear                                                                                 51 through 53
+ * @property-read int                 $weekOfMonth                                                                                    1 through 5
+ * @property-read int                 $weekNumberInMonth                                                                              1 through 5
+ * @property-read int                 $firstWeekDay                                                                                   0 through 6
+ * @property-read int                 $lastWeekDay                                                                                    0 through 6
+ * @property-read int                 $daysInYear                                                                                     365 or 366
+ * @property-read int                 $quarter                                                                                        the quarter of this instance, 1 - 4
+ * @property-read int                 $decade                                                                                         the decade of this instance
+ * @property-read int                 $century                                                                                        the century of this instance
+ * @property-read int                 $millennium                                                                                     the millennium of this instance
+ * @property-read bool                $dst                                                                                            daylight savings time indicator, true if DST, false otherwise
+ * @property-read bool                $local                                                                                          checks if the timezone is local, true if local, false otherwise
+ * @property-read bool                $utc                                                                                            checks if the timezone is UTC, true if UTC, false otherwise
+ * @property-read string              $timezoneName                                                                                   the current timezone name
+ * @property-read string              $tzName                                                                                         alias of $timezoneName
+ * @property-read string              $locale                                                                                         locale of the current instance
  *
- * @method        bool                isUtc()                                                                              Check if the current instance has UTC timezone. (Both isUtc and isUTC cases are valid.)
- * @method        bool                isLocal()                                                                            Check if the current instance has non-UTC timezone.
- * @method        bool                isValid()                                                                            Check if the current instance is a valid date.
- * @method        bool                isDST()                                                                              Check if the current instance is in a daylight saving time.
- * @method        bool                isSunday()                                                                           Checks if the instance day is sunday.
- * @method        bool                isMonday()                                                                           Checks if the instance day is monday.
- * @method        bool                isTuesday()                                                                          Checks if the instance day is tuesday.
- * @method        bool                isWednesday()                                                                        Checks if the instance day is wednesday.
- * @method        bool                isThursday()                                                                         Checks if the instance day is thursday.
- * @method        bool                isFriday()                                                                           Checks if the instance day is friday.
- * @method        bool                isSaturday()                                                                         Checks if the instance day is saturday.
- * @method        bool                isSameYear(Carbon|DateTimeInterface|string|null $date = null)                        Checks if the given date is in the same year as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentYear()                                                                      Checks if the instance is in the same year as the current moment.
- * @method        bool                isNextYear()                                                                         Checks if the instance is in the same year as the current moment next year.
- * @method        bool                isLastYear()                                                                         Checks if the instance is in the same year as the current moment last year.
- * @method        bool                isSameWeek(Carbon|DateTimeInterface|string|null $date = null)                        Checks if the given date is in the same week as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentWeek()                                                                      Checks if the instance is in the same week as the current moment.
- * @method        bool                isNextWeek()                                                                         Checks if the instance is in the same week as the current moment next week.
- * @method        bool                isLastWeek()                                                                         Checks if the instance is in the same week as the current moment last week.
- * @method        bool                isSameDay(Carbon|DateTimeInterface|string|null $date = null)                         Checks if the given date is in the same day as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentDay()                                                                       Checks if the instance is in the same day as the current moment.
- * @method        bool                isNextDay()                                                                          Checks if the instance is in the same day as the current moment next day.
- * @method        bool                isLastDay()                                                                          Checks if the instance is in the same day as the current moment last day.
- * @method        bool                isSameHour(Carbon|DateTimeInterface|string|null $date = null)                        Checks if the given date is in the same hour as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentHour()                                                                      Checks if the instance is in the same hour as the current moment.
- * @method        bool                isNextHour()                                                                         Checks if the instance is in the same hour as the current moment next hour.
- * @method        bool                isLastHour()                                                                         Checks if the instance is in the same hour as the current moment last hour.
- * @method        bool                isSameMinute(Carbon|DateTimeInterface|string|null $date = null)                      Checks if the given date is in the same minute as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentMinute()                                                                    Checks if the instance is in the same minute as the current moment.
- * @method        bool                isNextMinute()                                                                       Checks if the instance is in the same minute as the current moment next minute.
- * @method        bool                isLastMinute()                                                                       Checks if the instance is in the same minute as the current moment last minute.
- * @method        bool                isSameSecond(Carbon|DateTimeInterface|string|null $date = null)                      Checks if the given date is in the same second as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentSecond()                                                                    Checks if the instance is in the same second as the current moment.
- * @method        bool                isNextSecond()                                                                       Checks if the instance is in the same second as the current moment next second.
- * @method        bool                isLastSecond()                                                                       Checks if the instance is in the same second as the current moment last second.
- * @method        bool                isSameMicro(Carbon|DateTimeInterface|string|null $date = null)                       Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentMicro()                                                                     Checks if the instance is in the same microsecond as the current moment.
- * @method        bool                isNextMicro()                                                                        Checks if the instance is in the same microsecond as the current moment next microsecond.
- * @method        bool                isLastMicro()                                                                        Checks if the instance is in the same microsecond as the current moment last microsecond.
- * @method        bool                isSameMicrosecond(Carbon|DateTimeInterface|string|null $date = null)                 Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentMicrosecond()                                                               Checks if the instance is in the same microsecond as the current moment.
- * @method        bool                isNextMicrosecond()                                                                  Checks if the instance is in the same microsecond as the current moment next microsecond.
- * @method        bool                isLastMicrosecond()                                                                  Checks if the instance is in the same microsecond as the current moment last microsecond.
- * @method        bool                isCurrentMonth()                                                                     Checks if the instance is in the same month as the current moment.
- * @method        bool                isNextMonth()                                                                        Checks if the instance is in the same month as the current moment next month.
- * @method        bool                isLastMonth()                                                                        Checks if the instance is in the same month as the current moment last month.
- * @method        bool                isCurrentQuarter()                                                                   Checks if the instance is in the same quarter as the current moment.
- * @method        bool                isNextQuarter()                                                                      Checks if the instance is in the same quarter as the current moment next quarter.
- * @method        bool                isLastQuarter()                                                                      Checks if the instance is in the same quarter as the current moment last quarter.
- * @method        bool                isSameDecade(Carbon|DateTimeInterface|string|null $date = null)                      Checks if the given date is in the same decade as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentDecade()                                                                    Checks if the instance is in the same decade as the current moment.
- * @method        bool                isNextDecade()                                                                       Checks if the instance is in the same decade as the current moment next decade.
- * @method        bool                isLastDecade()                                                                       Checks if the instance is in the same decade as the current moment last decade.
- * @method        bool                isSameCentury(Carbon|DateTimeInterface|string|null $date = null)                     Checks if the given date is in the same century as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentCentury()                                                                   Checks if the instance is in the same century as the current moment.
- * @method        bool                isNextCentury()                                                                      Checks if the instance is in the same century as the current moment next century.
- * @method        bool                isLastCentury()                                                                      Checks if the instance is in the same century as the current moment last century.
- * @method        bool                isSameMillennium(Carbon|DateTimeInterface|string|null $date = null)                  Checks if the given date is in the same millennium as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                isCurrentMillennium()                                                                Checks if the instance is in the same millennium as the current moment.
- * @method        bool                isNextMillennium()                                                                   Checks if the instance is in the same millennium as the current moment next millennium.
- * @method        bool                isLastMillennium()                                                                   Checks if the instance is in the same millennium as the current moment last millennium.
- * @method        $this               years(int $value)                                                                    Set current instance year to the given value.
- * @method        $this               year(int $value)                                                                     Set current instance year to the given value.
- * @method        $this               setYears(int $value)                                                                 Set current instance year to the given value.
- * @method        $this               setYear(int $value)                                                                  Set current instance year to the given value.
- * @method        $this               months(int $value)                                                                   Set current instance month to the given value.
- * @method        $this               month(int $value)                                                                    Set current instance month to the given value.
- * @method        $this               setMonths(int $value)                                                                Set current instance month to the given value.
- * @method        $this               setMonth(int $value)                                                                 Set current instance month to the given value.
- * @method        $this               days(int $value)                                                                     Set current instance day to the given value.
- * @method        $this               day(int $value)                                                                      Set current instance day to the given value.
- * @method        $this               setDays(int $value)                                                                  Set current instance day to the given value.
- * @method        $this               setDay(int $value)                                                                   Set current instance day to the given value.
- * @method        $this               hours(int $value)                                                                    Set current instance hour to the given value.
- * @method        $this               hour(int $value)                                                                     Set current instance hour to the given value.
- * @method        $this               setHours(int $value)                                                                 Set current instance hour to the given value.
- * @method        $this               setHour(int $value)                                                                  Set current instance hour to the given value.
- * @method        $this               minutes(int $value)                                                                  Set current instance minute to the given value.
- * @method        $this               minute(int $value)                                                                   Set current instance minute to the given value.
- * @method        $this               setMinutes(int $value)                                                               Set current instance minute to the given value.
- * @method        $this               setMinute(int $value)                                                                Set current instance minute to the given value.
- * @method        $this               seconds(int $value)                                                                  Set current instance second to the given value.
- * @method        $this               second(int $value)                                                                   Set current instance second to the given value.
- * @method        $this               setSeconds(int $value)                                                               Set current instance second to the given value.
- * @method        $this               setSecond(int $value)                                                                Set current instance second to the given value.
- * @method        $this               millis(int $value)                                                                   Set current instance millisecond to the given value.
- * @method        $this               milli(int $value)                                                                    Set current instance millisecond to the given value.
- * @method        $this               setMillis(int $value)                                                                Set current instance millisecond to the given value.
- * @method        $this               setMilli(int $value)                                                                 Set current instance millisecond to the given value.
- * @method        $this               milliseconds(int $value)                                                             Set current instance millisecond to the given value.
- * @method        $this               millisecond(int $value)                                                              Set current instance millisecond to the given value.
- * @method        $this               setMilliseconds(int $value)                                                          Set current instance millisecond to the given value.
- * @method        $this               setMillisecond(int $value)                                                           Set current instance millisecond to the given value.
- * @method        $this               micros(int $value)                                                                   Set current instance microsecond to the given value.
- * @method        $this               micro(int $value)                                                                    Set current instance microsecond to the given value.
- * @method        $this               setMicros(int $value)                                                                Set current instance microsecond to the given value.
- * @method        $this               setMicro(int $value)                                                                 Set current instance microsecond to the given value.
- * @method        $this               microseconds(int $value)                                                             Set current instance microsecond to the given value.
- * @method        $this               microsecond(int $value)                                                              Set current instance microsecond to the given value.
- * @method        $this               setMicroseconds(int $value)                                                          Set current instance microsecond to the given value.
- * @method        $this               setMicrosecond(int $value)                                                           Set current instance microsecond to the given value.
- * @method        $this               addYears(int $value = 1)                                                             Add years (the $value count passed in) to the instance (using date interval).
- * @method        $this               addYear()                                                                            Add one year to the instance (using date interval).
- * @method        $this               subYears(int $value = 1)                                                             Sub years (the $value count passed in) to the instance (using date interval).
- * @method        $this               subYear()                                                                            Sub one year to the instance (using date interval).
- * @method        $this               addYearsWithOverflow(int $value = 1)                                                 Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addYearWithOverflow()                                                                Add one year to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subYearsWithOverflow(int $value = 1)                                                 Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subYearWithOverflow()                                                                Sub one year to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addYearsWithoutOverflow(int $value = 1)                                              Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addYearWithoutOverflow()                                                             Add one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subYearsWithoutOverflow(int $value = 1)                                              Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subYearWithoutOverflow()                                                             Sub one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addYearsWithNoOverflow(int $value = 1)                                               Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addYearWithNoOverflow()                                                              Add one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subYearsWithNoOverflow(int $value = 1)                                               Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subYearWithNoOverflow()                                                              Sub one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addYearsNoOverflow(int $value = 1)                                                   Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addYearNoOverflow()                                                                  Add one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subYearsNoOverflow(int $value = 1)                                                   Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subYearNoOverflow()                                                                  Sub one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMonths(int $value = 1)                                                            Add months (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMonth()                                                                           Add one month to the instance (using date interval).
- * @method        $this               subMonths(int $value = 1)                                                            Sub months (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMonth()                                                                           Sub one month to the instance (using date interval).
- * @method        $this               addMonthsWithOverflow(int $value = 1)                                                Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addMonthWithOverflow()                                                               Add one month to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subMonthsWithOverflow(int $value = 1)                                                Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subMonthWithOverflow()                                                               Sub one month to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addMonthsWithoutOverflow(int $value = 1)                                             Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMonthWithoutOverflow()                                                            Add one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMonthsWithoutOverflow(int $value = 1)                                             Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMonthWithoutOverflow()                                                            Sub one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMonthsWithNoOverflow(int $value = 1)                                              Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMonthWithNoOverflow()                                                             Add one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMonthsWithNoOverflow(int $value = 1)                                              Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMonthWithNoOverflow()                                                             Sub one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMonthsNoOverflow(int $value = 1)                                                  Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMonthNoOverflow()                                                                 Add one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMonthsNoOverflow(int $value = 1)                                                  Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMonthNoOverflow()                                                                 Sub one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDays(int $value = 1)                                                              Add days (the $value count passed in) to the instance (using date interval).
- * @method        $this               addDay()                                                                             Add one day to the instance (using date interval).
- * @method        $this               subDays(int $value = 1)                                                              Sub days (the $value count passed in) to the instance (using date interval).
- * @method        $this               subDay()                                                                             Sub one day to the instance (using date interval).
- * @method        $this               addHours(int $value = 1)                                                             Add hours (the $value count passed in) to the instance (using date interval).
- * @method        $this               addHour()                                                                            Add one hour to the instance (using date interval).
- * @method        $this               subHours(int $value = 1)                                                             Sub hours (the $value count passed in) to the instance (using date interval).
- * @method        $this               subHour()                                                                            Sub one hour to the instance (using date interval).
- * @method        $this               addMinutes(int $value = 1)                                                           Add minutes (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMinute()                                                                          Add one minute to the instance (using date interval).
- * @method        $this               subMinutes(int $value = 1)                                                           Sub minutes (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMinute()                                                                          Sub one minute to the instance (using date interval).
- * @method        $this               addSeconds(int $value = 1)                                                           Add seconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               addSecond()                                                                          Add one second to the instance (using date interval).
- * @method        $this               subSeconds(int $value = 1)                                                           Sub seconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               subSecond()                                                                          Sub one second to the instance (using date interval).
- * @method        $this               addMillis(int $value = 1)                                                            Add milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMilli()                                                                           Add one millisecond to the instance (using date interval).
- * @method        $this               subMillis(int $value = 1)                                                            Sub milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMilli()                                                                           Sub one millisecond to the instance (using date interval).
- * @method        $this               addMilliseconds(int $value = 1)                                                      Add milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMillisecond()                                                                     Add one millisecond to the instance (using date interval).
- * @method        $this               subMilliseconds(int $value = 1)                                                      Sub milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMillisecond()                                                                     Sub one millisecond to the instance (using date interval).
- * @method        $this               addMicros(int $value = 1)                                                            Add microseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMicro()                                                                           Add one microsecond to the instance (using date interval).
- * @method        $this               subMicros(int $value = 1)                                                            Sub microseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMicro()                                                                           Sub one microsecond to the instance (using date interval).
- * @method        $this               addMicroseconds(int $value = 1)                                                      Add microseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMicrosecond()                                                                     Add one microsecond to the instance (using date interval).
- * @method        $this               subMicroseconds(int $value = 1)                                                      Sub microseconds (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMicrosecond()                                                                     Sub one microsecond to the instance (using date interval).
- * @method        $this               addMillennia(int $value = 1)                                                         Add millennia (the $value count passed in) to the instance (using date interval).
- * @method        $this               addMillennium()                                                                      Add one millennium to the instance (using date interval).
- * @method        $this               subMillennia(int $value = 1)                                                         Sub millennia (the $value count passed in) to the instance (using date interval).
- * @method        $this               subMillennium()                                                                      Sub one millennium to the instance (using date interval).
- * @method        $this               addMillenniaWithOverflow(int $value = 1)                                             Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addMillenniumWithOverflow()                                                          Add one millennium to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subMillenniaWithOverflow(int $value = 1)                                             Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subMillenniumWithOverflow()                                                          Sub one millennium to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addMillenniaWithoutOverflow(int $value = 1)                                          Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMillenniumWithoutOverflow()                                                       Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMillenniaWithoutOverflow(int $value = 1)                                          Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMillenniumWithoutOverflow()                                                       Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMillenniaWithNoOverflow(int $value = 1)                                           Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMillenniumWithNoOverflow()                                                        Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMillenniaWithNoOverflow(int $value = 1)                                           Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMillenniumWithNoOverflow()                                                        Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMillenniaNoOverflow(int $value = 1)                                               Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addMillenniumNoOverflow()                                                            Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMillenniaNoOverflow(int $value = 1)                                               Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subMillenniumNoOverflow()                                                            Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addCenturies(int $value = 1)                                                         Add centuries (the $value count passed in) to the instance (using date interval).
- * @method        $this               addCentury()                                                                         Add one century to the instance (using date interval).
- * @method        $this               subCenturies(int $value = 1)                                                         Sub centuries (the $value count passed in) to the instance (using date interval).
- * @method        $this               subCentury()                                                                         Sub one century to the instance (using date interval).
- * @method        $this               addCenturiesWithOverflow(int $value = 1)                                             Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addCenturyWithOverflow()                                                             Add one century to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subCenturiesWithOverflow(int $value = 1)                                             Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subCenturyWithOverflow()                                                             Sub one century to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addCenturiesWithoutOverflow(int $value = 1)                                          Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addCenturyWithoutOverflow()                                                          Add one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subCenturiesWithoutOverflow(int $value = 1)                                          Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subCenturyWithoutOverflow()                                                          Sub one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addCenturiesWithNoOverflow(int $value = 1)                                           Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addCenturyWithNoOverflow()                                                           Add one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subCenturiesWithNoOverflow(int $value = 1)                                           Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subCenturyWithNoOverflow()                                                           Sub one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addCenturiesNoOverflow(int $value = 1)                                               Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addCenturyNoOverflow()                                                               Add one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subCenturiesNoOverflow(int $value = 1)                                               Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subCenturyNoOverflow()                                                               Sub one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDecades(int $value = 1)                                                           Add decades (the $value count passed in) to the instance (using date interval).
- * @method        $this               addDecade()                                                                          Add one decade to the instance (using date interval).
- * @method        $this               subDecades(int $value = 1)                                                           Sub decades (the $value count passed in) to the instance (using date interval).
- * @method        $this               subDecade()                                                                          Sub one decade to the instance (using date interval).
- * @method        $this               addDecadesWithOverflow(int $value = 1)                                               Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addDecadeWithOverflow()                                                              Add one decade to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subDecadesWithOverflow(int $value = 1)                                               Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subDecadeWithOverflow()                                                              Sub one decade to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addDecadesWithoutOverflow(int $value = 1)                                            Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDecadeWithoutOverflow()                                                           Add one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subDecadesWithoutOverflow(int $value = 1)                                            Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subDecadeWithoutOverflow()                                                           Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDecadesWithNoOverflow(int $value = 1)                                             Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDecadeWithNoOverflow()                                                            Add one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subDecadesWithNoOverflow(int $value = 1)                                             Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subDecadeWithNoOverflow()                                                            Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDecadesNoOverflow(int $value = 1)                                                 Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addDecadeNoOverflow()                                                                Add one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subDecadesNoOverflow(int $value = 1)                                                 Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subDecadeNoOverflow()                                                                Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addQuarters(int $value = 1)                                                          Add quarters (the $value count passed in) to the instance (using date interval).
- * @method        $this               addQuarter()                                                                         Add one quarter to the instance (using date interval).
- * @method        $this               subQuarters(int $value = 1)                                                          Sub quarters (the $value count passed in) to the instance (using date interval).
- * @method        $this               subQuarter()                                                                         Sub one quarter to the instance (using date interval).
- * @method        $this               addQuartersWithOverflow(int $value = 1)                                              Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addQuarterWithOverflow()                                                             Add one quarter to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subQuartersWithOverflow(int $value = 1)                                              Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               subQuarterWithOverflow()                                                             Sub one quarter to the instance (using date interval) with overflow explicitly allowed.
- * @method        $this               addQuartersWithoutOverflow(int $value = 1)                                           Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addQuarterWithoutOverflow()                                                          Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subQuartersWithoutOverflow(int $value = 1)                                           Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subQuarterWithoutOverflow()                                                          Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addQuartersWithNoOverflow(int $value = 1)                                            Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addQuarterWithNoOverflow()                                                           Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subQuartersWithNoOverflow(int $value = 1)                                            Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subQuarterWithNoOverflow()                                                           Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addQuartersNoOverflow(int $value = 1)                                                Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addQuarterNoOverflow()                                                               Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subQuartersNoOverflow(int $value = 1)                                                Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               subQuarterNoOverflow()                                                               Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        $this               addWeeks(int $value = 1)                                                             Add weeks (the $value count passed in) to the instance (using date interval).
- * @method        $this               addWeek()                                                                            Add one week to the instance (using date interval).
- * @method        $this               subWeeks(int $value = 1)                                                             Sub weeks (the $value count passed in) to the instance (using date interval).
- * @method        $this               subWeek()                                                                            Sub one week to the instance (using date interval).
- * @method        $this               addWeekdays(int $value = 1)                                                          Add weekdays (the $value count passed in) to the instance (using date interval).
- * @method        $this               addWeekday()                                                                         Add one weekday to the instance (using date interval).
- * @method        $this               subWeekdays(int $value = 1)                                                          Sub weekdays (the $value count passed in) to the instance (using date interval).
- * @method        $this               subWeekday()                                                                         Sub one weekday to the instance (using date interval).
- * @method        $this               addRealMicros(int $value = 1)                                                        Add microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMicro()                                                                       Add one microsecond to the instance (using timestamp).
- * @method        $this               subRealMicros(int $value = 1)                                                        Sub microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMicro()                                                                       Sub one microsecond to the instance (using timestamp).
- * @method        CarbonPeriod        microsUntil($endDate = null, int $factor = 1)                                        Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
- * @method        $this               addRealMicroseconds(int $value = 1)                                                  Add microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMicrosecond()                                                                 Add one microsecond to the instance (using timestamp).
- * @method        $this               subRealMicroseconds(int $value = 1)                                                  Sub microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMicrosecond()                                                                 Sub one microsecond to the instance (using timestamp).
- * @method        CarbonPeriod        microsecondsUntil($endDate = null, int $factor = 1)                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
- * @method        $this               addRealMillis(int $value = 1)                                                        Add milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMilli()                                                                       Add one millisecond to the instance (using timestamp).
- * @method        $this               subRealMillis(int $value = 1)                                                        Sub milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMilli()                                                                       Sub one millisecond to the instance (using timestamp).
- * @method        CarbonPeriod        millisUntil($endDate = null, int $factor = 1)                                        Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
- * @method        $this               addRealMilliseconds(int $value = 1)                                                  Add milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMillisecond()                                                                 Add one millisecond to the instance (using timestamp).
- * @method        $this               subRealMilliseconds(int $value = 1)                                                  Sub milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMillisecond()                                                                 Sub one millisecond to the instance (using timestamp).
- * @method        CarbonPeriod        millisecondsUntil($endDate = null, int $factor = 1)                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
- * @method        $this               addRealSeconds(int $value = 1)                                                       Add seconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealSecond()                                                                      Add one second to the instance (using timestamp).
- * @method        $this               subRealSeconds(int $value = 1)                                                       Sub seconds (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealSecond()                                                                      Sub one second to the instance (using timestamp).
- * @method        CarbonPeriod        secondsUntil($endDate = null, int $factor = 1)                                       Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each second or every X seconds if a factor is given.
- * @method        $this               addRealMinutes(int $value = 1)                                                       Add minutes (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMinute()                                                                      Add one minute to the instance (using timestamp).
- * @method        $this               subRealMinutes(int $value = 1)                                                       Sub minutes (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMinute()                                                                      Sub one minute to the instance (using timestamp).
- * @method        CarbonPeriod        minutesUntil($endDate = null, int $factor = 1)                                       Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each minute or every X minutes if a factor is given.
- * @method        $this               addRealHours(int $value = 1)                                                         Add hours (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealHour()                                                                        Add one hour to the instance (using timestamp).
- * @method        $this               subRealHours(int $value = 1)                                                         Sub hours (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealHour()                                                                        Sub one hour to the instance (using timestamp).
- * @method        CarbonPeriod        hoursUntil($endDate = null, int $factor = 1)                                         Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each hour or every X hours if a factor is given.
- * @method        $this               addRealDays(int $value = 1)                                                          Add days (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealDay()                                                                         Add one day to the instance (using timestamp).
- * @method        $this               subRealDays(int $value = 1)                                                          Sub days (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealDay()                                                                         Sub one day to the instance (using timestamp).
- * @method        CarbonPeriod        daysUntil($endDate = null, int $factor = 1)                                          Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each day or every X days if a factor is given.
- * @method        $this               addRealWeeks(int $value = 1)                                                         Add weeks (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealWeek()                                                                        Add one week to the instance (using timestamp).
- * @method        $this               subRealWeeks(int $value = 1)                                                         Sub weeks (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealWeek()                                                                        Sub one week to the instance (using timestamp).
- * @method        CarbonPeriod        weeksUntil($endDate = null, int $factor = 1)                                         Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each week or every X weeks if a factor is given.
- * @method        $this               addRealMonths(int $value = 1)                                                        Add months (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMonth()                                                                       Add one month to the instance (using timestamp).
- * @method        $this               subRealMonths(int $value = 1)                                                        Sub months (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMonth()                                                                       Sub one month to the instance (using timestamp).
- * @method        CarbonPeriod        monthsUntil($endDate = null, int $factor = 1)                                        Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each month or every X months if a factor is given.
- * @method        $this               addRealQuarters(int $value = 1)                                                      Add quarters (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealQuarter()                                                                     Add one quarter to the instance (using timestamp).
- * @method        $this               subRealQuarters(int $value = 1)                                                      Sub quarters (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealQuarter()                                                                     Sub one quarter to the instance (using timestamp).
- * @method        CarbonPeriod        quartersUntil($endDate = null, int $factor = 1)                                      Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each quarter or every X quarters if a factor is given.
- * @method        $this               addRealYears(int $value = 1)                                                         Add years (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealYear()                                                                        Add one year to the instance (using timestamp).
- * @method        $this               subRealYears(int $value = 1)                                                         Sub years (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealYear()                                                                        Sub one year to the instance (using timestamp).
- * @method        CarbonPeriod        yearsUntil($endDate = null, int $factor = 1)                                         Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each year or every X years if a factor is given.
- * @method        $this               addRealDecades(int $value = 1)                                                       Add decades (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealDecade()                                                                      Add one decade to the instance (using timestamp).
- * @method        $this               subRealDecades(int $value = 1)                                                       Sub decades (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealDecade()                                                                      Sub one decade to the instance (using timestamp).
- * @method        CarbonPeriod        decadesUntil($endDate = null, int $factor = 1)                                       Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each decade or every X decades if a factor is given.
- * @method        $this               addRealCenturies(int $value = 1)                                                     Add centuries (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealCentury()                                                                     Add one century to the instance (using timestamp).
- * @method        $this               subRealCenturies(int $value = 1)                                                     Sub centuries (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealCentury()                                                                     Sub one century to the instance (using timestamp).
- * @method        CarbonPeriod        centuriesUntil($endDate = null, int $factor = 1)                                     Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each century or every X centuries if a factor is given.
- * @method        $this               addRealMillennia(int $value = 1)                                                     Add millennia (the $value count passed in) to the instance (using timestamp).
- * @method        $this               addRealMillennium()                                                                  Add one millennium to the instance (using timestamp).
- * @method        $this               subRealMillennia(int $value = 1)                                                     Sub millennia (the $value count passed in) to the instance (using timestamp).
- * @method        $this               subRealMillennium()                                                                  Sub one millennium to the instance (using timestamp).
- * @method        CarbonPeriod        millenniaUntil($endDate = null, int $factor = 1)                                     Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millennium or every X millennia if a factor is given.
- * @method        $this               roundYear(float $precision = 1, string $function = "round")                          Round the current instance year with given precision using the given function.
- * @method        $this               roundYears(float $precision = 1, string $function = "round")                         Round the current instance year with given precision using the given function.
- * @method        $this               floorYear(float $precision = 1)                                                      Truncate the current instance year with given precision.
- * @method        $this               floorYears(float $precision = 1)                                                     Truncate the current instance year with given precision.
- * @method        $this               ceilYear(float $precision = 1)                                                       Ceil the current instance year with given precision.
- * @method        $this               ceilYears(float $precision = 1)                                                      Ceil the current instance year with given precision.
- * @method        $this               roundMonth(float $precision = 1, string $function = "round")                         Round the current instance month with given precision using the given function.
- * @method        $this               roundMonths(float $precision = 1, string $function = "round")                        Round the current instance month with given precision using the given function.
- * @method        $this               floorMonth(float $precision = 1)                                                     Truncate the current instance month with given precision.
- * @method        $this               floorMonths(float $precision = 1)                                                    Truncate the current instance month with given precision.
- * @method        $this               ceilMonth(float $precision = 1)                                                      Ceil the current instance month with given precision.
- * @method        $this               ceilMonths(float $precision = 1)                                                     Ceil the current instance month with given precision.
- * @method        $this               roundDay(float $precision = 1, string $function = "round")                           Round the current instance day with given precision using the given function.
- * @method        $this               roundDays(float $precision = 1, string $function = "round")                          Round the current instance day with given precision using the given function.
- * @method        $this               floorDay(float $precision = 1)                                                       Truncate the current instance day with given precision.
- * @method        $this               floorDays(float $precision = 1)                                                      Truncate the current instance day with given precision.
- * @method        $this               ceilDay(float $precision = 1)                                                        Ceil the current instance day with given precision.
- * @method        $this               ceilDays(float $precision = 1)                                                       Ceil the current instance day with given precision.
- * @method        $this               roundHour(float $precision = 1, string $function = "round")                          Round the current instance hour with given precision using the given function.
- * @method        $this               roundHours(float $precision = 1, string $function = "round")                         Round the current instance hour with given precision using the given function.
- * @method        $this               floorHour(float $precision = 1)                                                      Truncate the current instance hour with given precision.
- * @method        $this               floorHours(float $precision = 1)                                                     Truncate the current instance hour with given precision.
- * @method        $this               ceilHour(float $precision = 1)                                                       Ceil the current instance hour with given precision.
- * @method        $this               ceilHours(float $precision = 1)                                                      Ceil the current instance hour with given precision.
- * @method        $this               roundMinute(float $precision = 1, string $function = "round")                        Round the current instance minute with given precision using the given function.
- * @method        $this               roundMinutes(float $precision = 1, string $function = "round")                       Round the current instance minute with given precision using the given function.
- * @method        $this               floorMinute(float $precision = 1)                                                    Truncate the current instance minute with given precision.
- * @method        $this               floorMinutes(float $precision = 1)                                                   Truncate the current instance minute with given precision.
- * @method        $this               ceilMinute(float $precision = 1)                                                     Ceil the current instance minute with given precision.
- * @method        $this               ceilMinutes(float $precision = 1)                                                    Ceil the current instance minute with given precision.
- * @method        $this               roundSecond(float $precision = 1, string $function = "round")                        Round the current instance second with given precision using the given function.
- * @method        $this               roundSeconds(float $precision = 1, string $function = "round")                       Round the current instance second with given precision using the given function.
- * @method        $this               floorSecond(float $precision = 1)                                                    Truncate the current instance second with given precision.
- * @method        $this               floorSeconds(float $precision = 1)                                                   Truncate the current instance second with given precision.
- * @method        $this               ceilSecond(float $precision = 1)                                                     Ceil the current instance second with given precision.
- * @method        $this               ceilSeconds(float $precision = 1)                                                    Ceil the current instance second with given precision.
- * @method        $this               roundMillennium(float $precision = 1, string $function = "round")                    Round the current instance millennium with given precision using the given function.
- * @method        $this               roundMillennia(float $precision = 1, string $function = "round")                     Round the current instance millennium with given precision using the given function.
- * @method        $this               floorMillennium(float $precision = 1)                                                Truncate the current instance millennium with given precision.
- * @method        $this               floorMillennia(float $precision = 1)                                                 Truncate the current instance millennium with given precision.
- * @method        $this               ceilMillennium(float $precision = 1)                                                 Ceil the current instance millennium with given precision.
- * @method        $this               ceilMillennia(float $precision = 1)                                                  Ceil the current instance millennium with given precision.
- * @method        $this               roundCentury(float $precision = 1, string $function = "round")                       Round the current instance century with given precision using the given function.
- * @method        $this               roundCenturies(float $precision = 1, string $function = "round")                     Round the current instance century with given precision using the given function.
- * @method        $this               floorCentury(float $precision = 1)                                                   Truncate the current instance century with given precision.
- * @method        $this               floorCenturies(float $precision = 1)                                                 Truncate the current instance century with given precision.
- * @method        $this               ceilCentury(float $precision = 1)                                                    Ceil the current instance century with given precision.
- * @method        $this               ceilCenturies(float $precision = 1)                                                  Ceil the current instance century with given precision.
- * @method        $this               roundDecade(float $precision = 1, string $function = "round")                        Round the current instance decade with given precision using the given function.
- * @method        $this               roundDecades(float $precision = 1, string $function = "round")                       Round the current instance decade with given precision using the given function.
- * @method        $this               floorDecade(float $precision = 1)                                                    Truncate the current instance decade with given precision.
- * @method        $this               floorDecades(float $precision = 1)                                                   Truncate the current instance decade with given precision.
- * @method        $this               ceilDecade(float $precision = 1)                                                     Ceil the current instance decade with given precision.
- * @method        $this               ceilDecades(float $precision = 1)                                                    Ceil the current instance decade with given precision.
- * @method        $this               roundQuarter(float $precision = 1, string $function = "round")                       Round the current instance quarter with given precision using the given function.
- * @method        $this               roundQuarters(float $precision = 1, string $function = "round")                      Round the current instance quarter with given precision using the given function.
- * @method        $this               floorQuarter(float $precision = 1)                                                   Truncate the current instance quarter with given precision.
- * @method        $this               floorQuarters(float $precision = 1)                                                  Truncate the current instance quarter with given precision.
- * @method        $this               ceilQuarter(float $precision = 1)                                                    Ceil the current instance quarter with given precision.
- * @method        $this               ceilQuarters(float $precision = 1)                                                   Ceil the current instance quarter with given precision.
- * @method        $this               roundMillisecond(float $precision = 1, string $function = "round")                   Round the current instance millisecond with given precision using the given function.
- * @method        $this               roundMilliseconds(float $precision = 1, string $function = "round")                  Round the current instance millisecond with given precision using the given function.
- * @method        $this               floorMillisecond(float $precision = 1)                                               Truncate the current instance millisecond with given precision.
- * @method        $this               floorMilliseconds(float $precision = 1)                                              Truncate the current instance millisecond with given precision.
- * @method        $this               ceilMillisecond(float $precision = 1)                                                Ceil the current instance millisecond with given precision.
- * @method        $this               ceilMilliseconds(float $precision = 1)                                               Ceil the current instance millisecond with given precision.
- * @method        $this               roundMicrosecond(float $precision = 1, string $function = "round")                   Round the current instance microsecond with given precision using the given function.
- * @method        $this               roundMicroseconds(float $precision = 1, string $function = "round")                  Round the current instance microsecond with given precision using the given function.
- * @method        $this               floorMicrosecond(float $precision = 1)                                               Truncate the current instance microsecond with given precision.
- * @method        $this               floorMicroseconds(float $precision = 1)                                              Truncate the current instance microsecond with given precision.
- * @method        $this               ceilMicrosecond(float $precision = 1)                                                Ceil the current instance microsecond with given precision.
- * @method        $this               ceilMicroseconds(float $precision = 1)                                               Ceil the current instance microsecond with given precision.
- * @method        string              shortAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)          Get the difference (short format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              longAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)           Get the difference (long format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              shortRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)          Get the difference (short format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              longRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)           Get the difference (long format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              shortRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)     Get the difference (short format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              longRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)      Get the difference (long format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              shortRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)   Get the difference (short format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string              longRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)    Get the difference (long format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        static Carbon|false createFromFormat(string $format, string $time, string|DateTimeZone $timezone = null) Parse a string into a new Carbon object according to the specified format.
- * @method        static Carbon       __set_state(array $array)                                                            https://php.net/manual/en/datetime.set-state.php
+ * @method        bool                isUtc()                                                                                         Check if the current instance has UTC timezone. (Both isUtc and isUTC cases are valid.)
+ * @method        bool                isLocal()                                                                                       Check if the current instance has non-UTC timezone.
+ * @method        bool                isValid()                                                                                       Check if the current instance is a valid date.
+ * @method        bool                isDST()                                                                                         Check if the current instance is in a daylight saving time.
+ * @method        bool                isSunday()                                                                                      Checks if the instance day is sunday.
+ * @method        bool                isMonday()                                                                                      Checks if the instance day is monday.
+ * @method        bool                isTuesday()                                                                                     Checks if the instance day is tuesday.
+ * @method        bool                isWednesday()                                                                                   Checks if the instance day is wednesday.
+ * @method        bool                isThursday()                                                                                    Checks if the instance day is thursday.
+ * @method        bool                isFriday()                                                                                      Checks if the instance day is friday.
+ * @method        bool                isSaturday()                                                                                    Checks if the instance day is saturday.
+ * @method        bool                isSameYear(Carbon|DateTimeInterface|string|null $date = null)                                   Checks if the given date is in the same year as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentYear()                                                                                 Checks if the instance is in the same year as the current moment.
+ * @method        bool                isNextYear()                                                                                    Checks if the instance is in the same year as the current moment next year.
+ * @method        bool                isLastYear()                                                                                    Checks if the instance is in the same year as the current moment last year.
+ * @method        bool                isSameWeek(Carbon|DateTimeInterface|string|null $date = null)                                   Checks if the given date is in the same week as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentWeek()                                                                                 Checks if the instance is in the same week as the current moment.
+ * @method        bool                isNextWeek()                                                                                    Checks if the instance is in the same week as the current moment next week.
+ * @method        bool                isLastWeek()                                                                                    Checks if the instance is in the same week as the current moment last week.
+ * @method        bool                isSameDay(Carbon|DateTimeInterface|string|null $date = null)                                    Checks if the given date is in the same day as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentDay()                                                                                  Checks if the instance is in the same day as the current moment.
+ * @method        bool                isNextDay()                                                                                     Checks if the instance is in the same day as the current moment next day.
+ * @method        bool                isLastDay()                                                                                     Checks if the instance is in the same day as the current moment last day.
+ * @method        bool                isSameHour(Carbon|DateTimeInterface|string|null $date = null)                                   Checks if the given date is in the same hour as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentHour()                                                                                 Checks if the instance is in the same hour as the current moment.
+ * @method        bool                isNextHour()                                                                                    Checks if the instance is in the same hour as the current moment next hour.
+ * @method        bool                isLastHour()                                                                                    Checks if the instance is in the same hour as the current moment last hour.
+ * @method        bool                isSameMinute(Carbon|DateTimeInterface|string|null $date = null)                                 Checks if the given date is in the same minute as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMinute()                                                                               Checks if the instance is in the same minute as the current moment.
+ * @method        bool                isNextMinute()                                                                                  Checks if the instance is in the same minute as the current moment next minute.
+ * @method        bool                isLastMinute()                                                                                  Checks if the instance is in the same minute as the current moment last minute.
+ * @method        bool                isSameSecond(Carbon|DateTimeInterface|string|null $date = null)                                 Checks if the given date is in the same second as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentSecond()                                                                               Checks if the instance is in the same second as the current moment.
+ * @method        bool                isNextSecond()                                                                                  Checks if the instance is in the same second as the current moment next second.
+ * @method        bool                isLastSecond()                                                                                  Checks if the instance is in the same second as the current moment last second.
+ * @method        bool                isSameMicro(Carbon|DateTimeInterface|string|null $date = null)                                  Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMicro()                                                                                Checks if the instance is in the same microsecond as the current moment.
+ * @method        bool                isNextMicro()                                                                                   Checks if the instance is in the same microsecond as the current moment next microsecond.
+ * @method        bool                isLastMicro()                                                                                   Checks if the instance is in the same microsecond as the current moment last microsecond.
+ * @method        bool                isSameMicrosecond(Carbon|DateTimeInterface|string|null $date = null)                            Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMicrosecond()                                                                          Checks if the instance is in the same microsecond as the current moment.
+ * @method        bool                isNextMicrosecond()                                                                             Checks if the instance is in the same microsecond as the current moment next microsecond.
+ * @method        bool                isLastMicrosecond()                                                                             Checks if the instance is in the same microsecond as the current moment last microsecond.
+ * @method        bool                isCurrentMonth()                                                                                Checks if the instance is in the same month as the current moment.
+ * @method        bool                isNextMonth()                                                                                   Checks if the instance is in the same month as the current moment next month.
+ * @method        bool                isLastMonth()                                                                                   Checks if the instance is in the same month as the current moment last month.
+ * @method        bool                isCurrentQuarter()                                                                              Checks if the instance is in the same quarter as the current moment.
+ * @method        bool                isNextQuarter()                                                                                 Checks if the instance is in the same quarter as the current moment next quarter.
+ * @method        bool                isLastQuarter()                                                                                 Checks if the instance is in the same quarter as the current moment last quarter.
+ * @method        bool                isSameDecade(Carbon|DateTimeInterface|string|null $date = null)                                 Checks if the given date is in the same decade as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentDecade()                                                                               Checks if the instance is in the same decade as the current moment.
+ * @method        bool                isNextDecade()                                                                                  Checks if the instance is in the same decade as the current moment next decade.
+ * @method        bool                isLastDecade()                                                                                  Checks if the instance is in the same decade as the current moment last decade.
+ * @method        bool                isSameCentury(Carbon|DateTimeInterface|string|null $date = null)                                Checks if the given date is in the same century as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentCentury()                                                                              Checks if the instance is in the same century as the current moment.
+ * @method        bool                isNextCentury()                                                                                 Checks if the instance is in the same century as the current moment next century.
+ * @method        bool                isLastCentury()                                                                                 Checks if the instance is in the same century as the current moment last century.
+ * @method        bool                isSameMillennium(Carbon|DateTimeInterface|string|null $date = null)                             Checks if the given date is in the same millennium as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMillennium()                                                                           Checks if the instance is in the same millennium as the current moment.
+ * @method        bool                isNextMillennium()                                                                              Checks if the instance is in the same millennium as the current moment next millennium.
+ * @method        bool                isLastMillennium()                                                                              Checks if the instance is in the same millennium as the current moment last millennium.
+ * @method        $this               years(int $value)                                                                               Set current instance year to the given value.
+ * @method        $this               year(int $value)                                                                                Set current instance year to the given value.
+ * @method        $this               setYears(int $value)                                                                            Set current instance year to the given value.
+ * @method        $this               setYear(int $value)                                                                             Set current instance year to the given value.
+ * @method        $this               months(int $value)                                                                              Set current instance month to the given value.
+ * @method        $this               month(int $value)                                                                               Set current instance month to the given value.
+ * @method        $this               setMonths(int $value)                                                                           Set current instance month to the given value.
+ * @method        $this               setMonth(int $value)                                                                            Set current instance month to the given value.
+ * @method        $this               days(int $value)                                                                                Set current instance day to the given value.
+ * @method        $this               day(int $value)                                                                                 Set current instance day to the given value.
+ * @method        $this               setDays(int $value)                                                                             Set current instance day to the given value.
+ * @method        $this               setDay(int $value)                                                                              Set current instance day to the given value.
+ * @method        $this               hours(int $value)                                                                               Set current instance hour to the given value.
+ * @method        $this               hour(int $value)                                                                                Set current instance hour to the given value.
+ * @method        $this               setHours(int $value)                                                                            Set current instance hour to the given value.
+ * @method        $this               setHour(int $value)                                                                             Set current instance hour to the given value.
+ * @method        $this               minutes(int $value)                                                                             Set current instance minute to the given value.
+ * @method        $this               minute(int $value)                                                                              Set current instance minute to the given value.
+ * @method        $this               setMinutes(int $value)                                                                          Set current instance minute to the given value.
+ * @method        $this               setMinute(int $value)                                                                           Set current instance minute to the given value.
+ * @method        $this               seconds(int $value)                                                                             Set current instance second to the given value.
+ * @method        $this               second(int $value)                                                                              Set current instance second to the given value.
+ * @method        $this               setSeconds(int $value)                                                                          Set current instance second to the given value.
+ * @method        $this               setSecond(int $value)                                                                           Set current instance second to the given value.
+ * @method        $this               millis(int $value)                                                                              Set current instance millisecond to the given value.
+ * @method        $this               milli(int $value)                                                                               Set current instance millisecond to the given value.
+ * @method        $this               setMillis(int $value)                                                                           Set current instance millisecond to the given value.
+ * @method        $this               setMilli(int $value)                                                                            Set current instance millisecond to the given value.
+ * @method        $this               milliseconds(int $value)                                                                        Set current instance millisecond to the given value.
+ * @method        $this               millisecond(int $value)                                                                         Set current instance millisecond to the given value.
+ * @method        $this               setMilliseconds(int $value)                                                                     Set current instance millisecond to the given value.
+ * @method        $this               setMillisecond(int $value)                                                                      Set current instance millisecond to the given value.
+ * @method        $this               micros(int $value)                                                                              Set current instance microsecond to the given value.
+ * @method        $this               micro(int $value)                                                                               Set current instance microsecond to the given value.
+ * @method        $this               setMicros(int $value)                                                                           Set current instance microsecond to the given value.
+ * @method        $this               setMicro(int $value)                                                                            Set current instance microsecond to the given value.
+ * @method        $this               microseconds(int $value)                                                                        Set current instance microsecond to the given value.
+ * @method        $this               microsecond(int $value)                                                                         Set current instance microsecond to the given value.
+ * @method        $this               setMicroseconds(int $value)                                                                     Set current instance microsecond to the given value.
+ * @method        $this               setMicrosecond(int $value)                                                                      Set current instance microsecond to the given value.
+ * @method        $this               addYears(int $value = 1)                                                                        Add years (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addYear()                                                                                       Add one year to the instance (using date interval).
+ * @method        $this               subYears(int $value = 1)                                                                        Sub years (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subYear()                                                                                       Sub one year to the instance (using date interval).
+ * @method        $this               addYearsWithOverflow(int $value = 1)                                                            Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addYearWithOverflow()                                                                           Add one year to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subYearsWithOverflow(int $value = 1)                                                            Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subYearWithOverflow()                                                                           Sub one year to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addYearsWithoutOverflow(int $value = 1)                                                         Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addYearWithoutOverflow()                                                                        Add one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subYearsWithoutOverflow(int $value = 1)                                                         Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subYearWithoutOverflow()                                                                        Sub one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addYearsWithNoOverflow(int $value = 1)                                                          Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addYearWithNoOverflow()                                                                         Add one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subYearsWithNoOverflow(int $value = 1)                                                          Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subYearWithNoOverflow()                                                                         Sub one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addYearsNoOverflow(int $value = 1)                                                              Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addYearNoOverflow()                                                                             Add one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subYearsNoOverflow(int $value = 1)                                                              Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subYearNoOverflow()                                                                             Sub one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMonths(int $value = 1)                                                                       Add months (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMonth()                                                                                      Add one month to the instance (using date interval).
+ * @method        $this               subMonths(int $value = 1)                                                                       Sub months (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMonth()                                                                                      Sub one month to the instance (using date interval).
+ * @method        $this               addMonthsWithOverflow(int $value = 1)                                                           Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addMonthWithOverflow()                                                                          Add one month to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subMonthsWithOverflow(int $value = 1)                                                           Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subMonthWithOverflow()                                                                          Sub one month to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addMonthsWithoutOverflow(int $value = 1)                                                        Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMonthWithoutOverflow()                                                                       Add one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMonthsWithoutOverflow(int $value = 1)                                                        Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMonthWithoutOverflow()                                                                       Sub one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMonthsWithNoOverflow(int $value = 1)                                                         Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMonthWithNoOverflow()                                                                        Add one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMonthsWithNoOverflow(int $value = 1)                                                         Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMonthWithNoOverflow()                                                                        Sub one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMonthsNoOverflow(int $value = 1)                                                             Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMonthNoOverflow()                                                                            Add one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMonthsNoOverflow(int $value = 1)                                                             Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMonthNoOverflow()                                                                            Sub one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDays(int $value = 1)                                                                         Add days (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addDay()                                                                                        Add one day to the instance (using date interval).
+ * @method        $this               subDays(int $value = 1)                                                                         Sub days (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subDay()                                                                                        Sub one day to the instance (using date interval).
+ * @method        $this               addHours(int $value = 1)                                                                        Add hours (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addHour()                                                                                       Add one hour to the instance (using date interval).
+ * @method        $this               subHours(int $value = 1)                                                                        Sub hours (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subHour()                                                                                       Sub one hour to the instance (using date interval).
+ * @method        $this               addMinutes(int $value = 1)                                                                      Add minutes (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMinute()                                                                                     Add one minute to the instance (using date interval).
+ * @method        $this               subMinutes(int $value = 1)                                                                      Sub minutes (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMinute()                                                                                     Sub one minute to the instance (using date interval).
+ * @method        $this               addSeconds(int $value = 1)                                                                      Add seconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addSecond()                                                                                     Add one second to the instance (using date interval).
+ * @method        $this               subSeconds(int $value = 1)                                                                      Sub seconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subSecond()                                                                                     Sub one second to the instance (using date interval).
+ * @method        $this               addMillis(int $value = 1)                                                                       Add milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMilli()                                                                                      Add one millisecond to the instance (using date interval).
+ * @method        $this               subMillis(int $value = 1)                                                                       Sub milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMilli()                                                                                      Sub one millisecond to the instance (using date interval).
+ * @method        $this               addMilliseconds(int $value = 1)                                                                 Add milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMillisecond()                                                                                Add one millisecond to the instance (using date interval).
+ * @method        $this               subMilliseconds(int $value = 1)                                                                 Sub milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMillisecond()                                                                                Sub one millisecond to the instance (using date interval).
+ * @method        $this               addMicros(int $value = 1)                                                                       Add microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMicro()                                                                                      Add one microsecond to the instance (using date interval).
+ * @method        $this               subMicros(int $value = 1)                                                                       Sub microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMicro()                                                                                      Sub one microsecond to the instance (using date interval).
+ * @method        $this               addMicroseconds(int $value = 1)                                                                 Add microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMicrosecond()                                                                                Add one microsecond to the instance (using date interval).
+ * @method        $this               subMicroseconds(int $value = 1)                                                                 Sub microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMicrosecond()                                                                                Sub one microsecond to the instance (using date interval).
+ * @method        $this               addMillennia(int $value = 1)                                                                    Add millennia (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addMillennium()                                                                                 Add one millennium to the instance (using date interval).
+ * @method        $this               subMillennia(int $value = 1)                                                                    Sub millennia (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subMillennium()                                                                                 Sub one millennium to the instance (using date interval).
+ * @method        $this               addMillenniaWithOverflow(int $value = 1)                                                        Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addMillenniumWithOverflow()                                                                     Add one millennium to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subMillenniaWithOverflow(int $value = 1)                                                        Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subMillenniumWithOverflow()                                                                     Sub one millennium to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addMillenniaWithoutOverflow(int $value = 1)                                                     Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMillenniumWithoutOverflow()                                                                  Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMillenniaWithoutOverflow(int $value = 1)                                                     Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMillenniumWithoutOverflow()                                                                  Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMillenniaWithNoOverflow(int $value = 1)                                                      Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMillenniumWithNoOverflow()                                                                   Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMillenniaWithNoOverflow(int $value = 1)                                                      Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMillenniumWithNoOverflow()                                                                   Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMillenniaNoOverflow(int $value = 1)                                                          Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addMillenniumNoOverflow()                                                                       Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMillenniaNoOverflow(int $value = 1)                                                          Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subMillenniumNoOverflow()                                                                       Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addCenturies(int $value = 1)                                                                    Add centuries (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addCentury()                                                                                    Add one century to the instance (using date interval).
+ * @method        $this               subCenturies(int $value = 1)                                                                    Sub centuries (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subCentury()                                                                                    Sub one century to the instance (using date interval).
+ * @method        $this               addCenturiesWithOverflow(int $value = 1)                                                        Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addCenturyWithOverflow()                                                                        Add one century to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subCenturiesWithOverflow(int $value = 1)                                                        Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subCenturyWithOverflow()                                                                        Sub one century to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addCenturiesWithoutOverflow(int $value = 1)                                                     Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addCenturyWithoutOverflow()                                                                     Add one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subCenturiesWithoutOverflow(int $value = 1)                                                     Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subCenturyWithoutOverflow()                                                                     Sub one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addCenturiesWithNoOverflow(int $value = 1)                                                      Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addCenturyWithNoOverflow()                                                                      Add one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subCenturiesWithNoOverflow(int $value = 1)                                                      Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subCenturyWithNoOverflow()                                                                      Sub one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addCenturiesNoOverflow(int $value = 1)                                                          Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addCenturyNoOverflow()                                                                          Add one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subCenturiesNoOverflow(int $value = 1)                                                          Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subCenturyNoOverflow()                                                                          Sub one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDecades(int $value = 1)                                                                      Add decades (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addDecade()                                                                                     Add one decade to the instance (using date interval).
+ * @method        $this               subDecades(int $value = 1)                                                                      Sub decades (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subDecade()                                                                                     Sub one decade to the instance (using date interval).
+ * @method        $this               addDecadesWithOverflow(int $value = 1)                                                          Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addDecadeWithOverflow()                                                                         Add one decade to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subDecadesWithOverflow(int $value = 1)                                                          Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subDecadeWithOverflow()                                                                         Sub one decade to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addDecadesWithoutOverflow(int $value = 1)                                                       Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDecadeWithoutOverflow()                                                                      Add one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subDecadesWithoutOverflow(int $value = 1)                                                       Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subDecadeWithoutOverflow()                                                                      Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDecadesWithNoOverflow(int $value = 1)                                                        Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDecadeWithNoOverflow()                                                                       Add one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subDecadesWithNoOverflow(int $value = 1)                                                        Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subDecadeWithNoOverflow()                                                                       Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDecadesNoOverflow(int $value = 1)                                                            Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addDecadeNoOverflow()                                                                           Add one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subDecadesNoOverflow(int $value = 1)                                                            Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subDecadeNoOverflow()                                                                           Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addQuarters(int $value = 1)                                                                     Add quarters (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addQuarter()                                                                                    Add one quarter to the instance (using date interval).
+ * @method        $this               subQuarters(int $value = 1)                                                                     Sub quarters (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subQuarter()                                                                                    Sub one quarter to the instance (using date interval).
+ * @method        $this               addQuartersWithOverflow(int $value = 1)                                                         Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addQuarterWithOverflow()                                                                        Add one quarter to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subQuartersWithOverflow(int $value = 1)                                                         Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               subQuarterWithOverflow()                                                                        Sub one quarter to the instance (using date interval) with overflow explicitly allowed.
+ * @method        $this               addQuartersWithoutOverflow(int $value = 1)                                                      Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addQuarterWithoutOverflow()                                                                     Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subQuartersWithoutOverflow(int $value = 1)                                                      Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subQuarterWithoutOverflow()                                                                     Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addQuartersWithNoOverflow(int $value = 1)                                                       Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addQuarterWithNoOverflow()                                                                      Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subQuartersWithNoOverflow(int $value = 1)                                                       Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subQuarterWithNoOverflow()                                                                      Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addQuartersNoOverflow(int $value = 1)                                                           Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addQuarterNoOverflow()                                                                          Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subQuartersNoOverflow(int $value = 1)                                                           Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               subQuarterNoOverflow()                                                                          Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        $this               addWeeks(int $value = 1)                                                                        Add weeks (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addWeek()                                                                                       Add one week to the instance (using date interval).
+ * @method        $this               subWeeks(int $value = 1)                                                                        Sub weeks (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subWeek()                                                                                       Sub one week to the instance (using date interval).
+ * @method        $this               addWeekdays(int $value = 1)                                                                     Add weekdays (the $value count passed in) to the instance (using date interval).
+ * @method        $this               addWeekday()                                                                                    Add one weekday to the instance (using date interval).
+ * @method        $this               subWeekdays(int $value = 1)                                                                     Sub weekdays (the $value count passed in) to the instance (using date interval).
+ * @method        $this               subWeekday()                                                                                    Sub one weekday to the instance (using date interval).
+ * @method        $this               addRealMicros(int $value = 1)                                                                   Add microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMicro()                                                                                  Add one microsecond to the instance (using timestamp).
+ * @method        $this               subRealMicros(int $value = 1)                                                                   Sub microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMicro()                                                                                  Sub one microsecond to the instance (using timestamp).
+ * @method        CarbonPeriod        microsUntil($endDate = null, int $factor = 1)                                                   Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
+ * @method        $this               addRealMicroseconds(int $value = 1)                                                             Add microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMicrosecond()                                                                            Add one microsecond to the instance (using timestamp).
+ * @method        $this               subRealMicroseconds(int $value = 1)                                                             Sub microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMicrosecond()                                                                            Sub one microsecond to the instance (using timestamp).
+ * @method        CarbonPeriod        microsecondsUntil($endDate = null, int $factor = 1)                                             Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
+ * @method        $this               addRealMillis(int $value = 1)                                                                   Add milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMilli()                                                                                  Add one millisecond to the instance (using timestamp).
+ * @method        $this               subRealMillis(int $value = 1)                                                                   Sub milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMilli()                                                                                  Sub one millisecond to the instance (using timestamp).
+ * @method        CarbonPeriod        millisUntil($endDate = null, int $factor = 1)                                                   Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
+ * @method        $this               addRealMilliseconds(int $value = 1)                                                             Add milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMillisecond()                                                                            Add one millisecond to the instance (using timestamp).
+ * @method        $this               subRealMilliseconds(int $value = 1)                                                             Sub milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMillisecond()                                                                            Sub one millisecond to the instance (using timestamp).
+ * @method        CarbonPeriod        millisecondsUntil($endDate = null, int $factor = 1)                                             Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
+ * @method        $this               addRealSeconds(int $value = 1)                                                                  Add seconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealSecond()                                                                                 Add one second to the instance (using timestamp).
+ * @method        $this               subRealSeconds(int $value = 1)                                                                  Sub seconds (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealSecond()                                                                                 Sub one second to the instance (using timestamp).
+ * @method        CarbonPeriod        secondsUntil($endDate = null, int $factor = 1)                                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each second or every X seconds if a factor is given.
+ * @method        $this               addRealMinutes(int $value = 1)                                                                  Add minutes (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMinute()                                                                                 Add one minute to the instance (using timestamp).
+ * @method        $this               subRealMinutes(int $value = 1)                                                                  Sub minutes (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMinute()                                                                                 Sub one minute to the instance (using timestamp).
+ * @method        CarbonPeriod        minutesUntil($endDate = null, int $factor = 1)                                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each minute or every X minutes if a factor is given.
+ * @method        $this               addRealHours(int $value = 1)                                                                    Add hours (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealHour()                                                                                   Add one hour to the instance (using timestamp).
+ * @method        $this               subRealHours(int $value = 1)                                                                    Sub hours (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealHour()                                                                                   Sub one hour to the instance (using timestamp).
+ * @method        CarbonPeriod        hoursUntil($endDate = null, int $factor = 1)                                                    Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each hour or every X hours if a factor is given.
+ * @method        $this               addRealDays(int $value = 1)                                                                     Add days (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealDay()                                                                                    Add one day to the instance (using timestamp).
+ * @method        $this               subRealDays(int $value = 1)                                                                     Sub days (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealDay()                                                                                    Sub one day to the instance (using timestamp).
+ * @method        CarbonPeriod        daysUntil($endDate = null, int $factor = 1)                                                     Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each day or every X days if a factor is given.
+ * @method        $this               addRealWeeks(int $value = 1)                                                                    Add weeks (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealWeek()                                                                                   Add one week to the instance (using timestamp).
+ * @method        $this               subRealWeeks(int $value = 1)                                                                    Sub weeks (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealWeek()                                                                                   Sub one week to the instance (using timestamp).
+ * @method        CarbonPeriod        weeksUntil($endDate = null, int $factor = 1)                                                    Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each week or every X weeks if a factor is given.
+ * @method        $this               addRealMonths(int $value = 1)                                                                   Add months (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMonth()                                                                                  Add one month to the instance (using timestamp).
+ * @method        $this               subRealMonths(int $value = 1)                                                                   Sub months (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMonth()                                                                                  Sub one month to the instance (using timestamp).
+ * @method        CarbonPeriod        monthsUntil($endDate = null, int $factor = 1)                                                   Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each month or every X months if a factor is given.
+ * @method        $this               addRealQuarters(int $value = 1)                                                                 Add quarters (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealQuarter()                                                                                Add one quarter to the instance (using timestamp).
+ * @method        $this               subRealQuarters(int $value = 1)                                                                 Sub quarters (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealQuarter()                                                                                Sub one quarter to the instance (using timestamp).
+ * @method        CarbonPeriod        quartersUntil($endDate = null, int $factor = 1)                                                 Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each quarter or every X quarters if a factor is given.
+ * @method        $this               addRealYears(int $value = 1)                                                                    Add years (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealYear()                                                                                   Add one year to the instance (using timestamp).
+ * @method        $this               subRealYears(int $value = 1)                                                                    Sub years (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealYear()                                                                                   Sub one year to the instance (using timestamp).
+ * @method        CarbonPeriod        yearsUntil($endDate = null, int $factor = 1)                                                    Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each year or every X years if a factor is given.
+ * @method        $this               addRealDecades(int $value = 1)                                                                  Add decades (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealDecade()                                                                                 Add one decade to the instance (using timestamp).
+ * @method        $this               subRealDecades(int $value = 1)                                                                  Sub decades (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealDecade()                                                                                 Sub one decade to the instance (using timestamp).
+ * @method        CarbonPeriod        decadesUntil($endDate = null, int $factor = 1)                                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each decade or every X decades if a factor is given.
+ * @method        $this               addRealCenturies(int $value = 1)                                                                Add centuries (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealCentury()                                                                                Add one century to the instance (using timestamp).
+ * @method        $this               subRealCenturies(int $value = 1)                                                                Sub centuries (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealCentury()                                                                                Sub one century to the instance (using timestamp).
+ * @method        CarbonPeriod        centuriesUntil($endDate = null, int $factor = 1)                                                Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each century or every X centuries if a factor is given.
+ * @method        $this               addRealMillennia(int $value = 1)                                                                Add millennia (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               addRealMillennium()                                                                             Add one millennium to the instance (using timestamp).
+ * @method        $this               subRealMillennia(int $value = 1)                                                                Sub millennia (the $value count passed in) to the instance (using timestamp).
+ * @method        $this               subRealMillennium()                                                                             Sub one millennium to the instance (using timestamp).
+ * @method        CarbonPeriod        millenniaUntil($endDate = null, int $factor = 1)                                                Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millennium or every X millennia if a factor is given.
+ * @method        $this               roundYear(float $precision = 1, string $function = "round")                                     Round the current instance year with given precision using the given function.
+ * @method        $this               roundYears(float $precision = 1, string $function = "round")                                    Round the current instance year with given precision using the given function.
+ * @method        $this               floorYear(float $precision = 1)                                                                 Truncate the current instance year with given precision.
+ * @method        $this               floorYears(float $precision = 1)                                                                Truncate the current instance year with given precision.
+ * @method        $this               ceilYear(float $precision = 1)                                                                  Ceil the current instance year with given precision.
+ * @method        $this               ceilYears(float $precision = 1)                                                                 Ceil the current instance year with given precision.
+ * @method        $this               roundMonth(float $precision = 1, string $function = "round")                                    Round the current instance month with given precision using the given function.
+ * @method        $this               roundMonths(float $precision = 1, string $function = "round")                                   Round the current instance month with given precision using the given function.
+ * @method        $this               floorMonth(float $precision = 1)                                                                Truncate the current instance month with given precision.
+ * @method        $this               floorMonths(float $precision = 1)                                                               Truncate the current instance month with given precision.
+ * @method        $this               ceilMonth(float $precision = 1)                                                                 Ceil the current instance month with given precision.
+ * @method        $this               ceilMonths(float $precision = 1)                                                                Ceil the current instance month with given precision.
+ * @method        $this               roundDay(float $precision = 1, string $function = "round")                                      Round the current instance day with given precision using the given function.
+ * @method        $this               roundDays(float $precision = 1, string $function = "round")                                     Round the current instance day with given precision using the given function.
+ * @method        $this               floorDay(float $precision = 1)                                                                  Truncate the current instance day with given precision.
+ * @method        $this               floorDays(float $precision = 1)                                                                 Truncate the current instance day with given precision.
+ * @method        $this               ceilDay(float $precision = 1)                                                                   Ceil the current instance day with given precision.
+ * @method        $this               ceilDays(float $precision = 1)                                                                  Ceil the current instance day with given precision.
+ * @method        $this               roundHour(float $precision = 1, string $function = "round")                                     Round the current instance hour with given precision using the given function.
+ * @method        $this               roundHours(float $precision = 1, string $function = "round")                                    Round the current instance hour with given precision using the given function.
+ * @method        $this               floorHour(float $precision = 1)                                                                 Truncate the current instance hour with given precision.
+ * @method        $this               floorHours(float $precision = 1)                                                                Truncate the current instance hour with given precision.
+ * @method        $this               ceilHour(float $precision = 1)                                                                  Ceil the current instance hour with given precision.
+ * @method        $this               ceilHours(float $precision = 1)                                                                 Ceil the current instance hour with given precision.
+ * @method        $this               roundMinute(float $precision = 1, string $function = "round")                                   Round the current instance minute with given precision using the given function.
+ * @method        $this               roundMinutes(float $precision = 1, string $function = "round")                                  Round the current instance minute with given precision using the given function.
+ * @method        $this               floorMinute(float $precision = 1)                                                               Truncate the current instance minute with given precision.
+ * @method        $this               floorMinutes(float $precision = 1)                                                              Truncate the current instance minute with given precision.
+ * @method        $this               ceilMinute(float $precision = 1)                                                                Ceil the current instance minute with given precision.
+ * @method        $this               ceilMinutes(float $precision = 1)                                                               Ceil the current instance minute with given precision.
+ * @method        $this               roundSecond(float $precision = 1, string $function = "round")                                   Round the current instance second with given precision using the given function.
+ * @method        $this               roundSeconds(float $precision = 1, string $function = "round")                                  Round the current instance second with given precision using the given function.
+ * @method        $this               floorSecond(float $precision = 1)                                                               Truncate the current instance second with given precision.
+ * @method        $this               floorSeconds(float $precision = 1)                                                              Truncate the current instance second with given precision.
+ * @method        $this               ceilSecond(float $precision = 1)                                                                Ceil the current instance second with given precision.
+ * @method        $this               ceilSeconds(float $precision = 1)                                                               Ceil the current instance second with given precision.
+ * @method        $this               roundMillennium(float $precision = 1, string $function = "round")                               Round the current instance millennium with given precision using the given function.
+ * @method        $this               roundMillennia(float $precision = 1, string $function = "round")                                Round the current instance millennium with given precision using the given function.
+ * @method        $this               floorMillennium(float $precision = 1)                                                           Truncate the current instance millennium with given precision.
+ * @method        $this               floorMillennia(float $precision = 1)                                                            Truncate the current instance millennium with given precision.
+ * @method        $this               ceilMillennium(float $precision = 1)                                                            Ceil the current instance millennium with given precision.
+ * @method        $this               ceilMillennia(float $precision = 1)                                                             Ceil the current instance millennium with given precision.
+ * @method        $this               roundCentury(float $precision = 1, string $function = "round")                                  Round the current instance century with given precision using the given function.
+ * @method        $this               roundCenturies(float $precision = 1, string $function = "round")                                Round the current instance century with given precision using the given function.
+ * @method        $this               floorCentury(float $precision = 1)                                                              Truncate the current instance century with given precision.
+ * @method        $this               floorCenturies(float $precision = 1)                                                            Truncate the current instance century with given precision.
+ * @method        $this               ceilCentury(float $precision = 1)                                                               Ceil the current instance century with given precision.
+ * @method        $this               ceilCenturies(float $precision = 1)                                                             Ceil the current instance century with given precision.
+ * @method        $this               roundDecade(float $precision = 1, string $function = "round")                                   Round the current instance decade with given precision using the given function.
+ * @method        $this               roundDecades(float $precision = 1, string $function = "round")                                  Round the current instance decade with given precision using the given function.
+ * @method        $this               floorDecade(float $precision = 1)                                                               Truncate the current instance decade with given precision.
+ * @method        $this               floorDecades(float $precision = 1)                                                              Truncate the current instance decade with given precision.
+ * @method        $this               ceilDecade(float $precision = 1)                                                                Ceil the current instance decade with given precision.
+ * @method        $this               ceilDecades(float $precision = 1)                                                               Ceil the current instance decade with given precision.
+ * @method        $this               roundQuarter(float $precision = 1, string $function = "round")                                  Round the current instance quarter with given precision using the given function.
+ * @method        $this               roundQuarters(float $precision = 1, string $function = "round")                                 Round the current instance quarter with given precision using the given function.
+ * @method        $this               floorQuarter(float $precision = 1)                                                              Truncate the current instance quarter with given precision.
+ * @method        $this               floorQuarters(float $precision = 1)                                                             Truncate the current instance quarter with given precision.
+ * @method        $this               ceilQuarter(float $precision = 1)                                                               Ceil the current instance quarter with given precision.
+ * @method        $this               ceilQuarters(float $precision = 1)                                                              Ceil the current instance quarter with given precision.
+ * @method        $this               roundMillisecond(float $precision = 1, string $function = "round")                              Round the current instance millisecond with given precision using the given function.
+ * @method        $this               roundMilliseconds(float $precision = 1, string $function = "round")                             Round the current instance millisecond with given precision using the given function.
+ * @method        $this               floorMillisecond(float $precision = 1)                                                          Truncate the current instance millisecond with given precision.
+ * @method        $this               floorMilliseconds(float $precision = 1)                                                         Truncate the current instance millisecond with given precision.
+ * @method        $this               ceilMillisecond(float $precision = 1)                                                           Ceil the current instance millisecond with given precision.
+ * @method        $this               ceilMilliseconds(float $precision = 1)                                                          Ceil the current instance millisecond with given precision.
+ * @method        $this               roundMicrosecond(float $precision = 1, string $function = "round")                              Round the current instance microsecond with given precision using the given function.
+ * @method        $this               roundMicroseconds(float $precision = 1, string $function = "round")                             Round the current instance microsecond with given precision using the given function.
+ * @method        $this               floorMicrosecond(float $precision = 1)                                                          Truncate the current instance microsecond with given precision.
+ * @method        $this               floorMicroseconds(float $precision = 1)                                                         Truncate the current instance microsecond with given precision.
+ * @method        $this               ceilMicrosecond(float $precision = 1)                                                           Ceil the current instance microsecond with given precision.
+ * @method        $this               ceilMicroseconds(float $precision = 1)                                                          Ceil the current instance microsecond with given precision.
+ * @method        string              shortAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                     Get the difference (short format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                      Get the difference (long format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              shortRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                     Get the difference (short format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                      Get the difference (long format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              shortRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                Get the difference (short format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                 Get the difference (long format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              shortRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)              Get the difference (short format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)               Get the difference (long format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        static static|false createFromFormat(string $format, string $time, DateTimeZone|string|false|null $timezone = null) Parse a string into a new Carbon object according to the specified format.
+ * @method        static static       __set_state(array $array)                                                                       https://php.net/manual/en/datetime.set-state.php
  *
  * </autodoc>
  */
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonImmutable.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonImmutable.php
index 6d1194ee7..4c9c1cfef 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonImmutable.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonImmutable.php
@@ -24,486 +24,486 @@ use DateTimeZone;
  *
  * <autodoc generated by `composer phpdoc`>
  *
- * @property      int                          $year
- * @property      int                          $yearIso
- * @property      int                          $month
- * @property      int                          $day
- * @property      int                          $hour
- * @property      int                          $minute
- * @property      int                          $second
- * @property      int                          $micro
- * @property      int                          $microsecond
- * @property      int|float|string             $timestamp                                                                           seconds since the Unix Epoch
- * @property      string                       $englishDayOfWeek                                                                    the day of week in English
- * @property      string                       $shortEnglishDayOfWeek                                                               the abbreviated day of week in English
- * @property      string                       $englishMonth                                                                        the month in English
- * @property      string                       $shortEnglishMonth                                                                   the abbreviated month in English
- * @property      int                          $milliseconds
- * @property      int                          $millisecond
- * @property      int                          $milli
- * @property      int                          $week                                                                                1 through 53
- * @property      int                          $isoWeek                                                                             1 through 53
- * @property      int                          $weekYear                                                                            year according to week format
- * @property      int                          $isoWeekYear                                                                         year according to ISO week format
- * @property      int                          $dayOfYear                                                                           1 through 366
- * @property      int                          $age                                                                                 does a diffInYears() with default parameters
- * @property      int                          $offset                                                                              the timezone offset in seconds from UTC
- * @property      int                          $offsetMinutes                                                                       the timezone offset in minutes from UTC
- * @property      int                          $offsetHours                                                                         the timezone offset in hours from UTC
- * @property      CarbonTimeZone               $timezone                                                                            the current timezone
- * @property      CarbonTimeZone               $tz                                                                                  alias of $timezone
- * @property-read int                          $dayOfWeek                                                                           0 (for Sunday) through 6 (for Saturday)
- * @property-read int                          $dayOfWeekIso                                                                        1 (for Monday) through 7 (for Sunday)
- * @property-read int                          $weekOfYear                                                                          ISO-8601 week number of year, weeks starting on Monday
- * @property-read int                          $daysInMonth                                                                         number of days in the given month
- * @property-read string                       $latinMeridiem                                                                       "am"/"pm" (Ante meridiem or Post meridiem latin lowercase mark)
- * @property-read string                       $latinUpperMeridiem                                                                  "AM"/"PM" (Ante meridiem or Post meridiem latin uppercase mark)
- * @property-read string                       $timezoneAbbreviatedName                                                             the current timezone abbreviated name
- * @property-read string                       $tzAbbrName                                                                          alias of $timezoneAbbreviatedName
- * @property-read string                       $dayName                                                                             long name of weekday translated according to Carbon locale, in english if no translation available for current language
- * @property-read string                       $shortDayName                                                                        short name of weekday translated according to Carbon locale, in english if no translation available for current language
- * @property-read string                       $minDayName                                                                          very short name of weekday translated according to Carbon locale, in english if no translation available for current language
- * @property-read string                       $monthName                                                                           long name of month translated according to Carbon locale, in english if no translation available for current language
- * @property-read string                       $shortMonthName                                                                      short name of month translated according to Carbon locale, in english if no translation available for current language
- * @property-read string                       $meridiem                                                                            lowercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
- * @property-read string                       $upperMeridiem                                                                       uppercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
- * @property-read int                          $noZeroHour                                                                          current hour from 1 to 24
- * @property-read int                          $weeksInYear                                                                         51 through 53
- * @property-read int                          $isoWeeksInYear                                                                      51 through 53
- * @property-read int                          $weekOfMonth                                                                         1 through 5
- * @property-read int                          $weekNumberInMonth                                                                   1 through 5
- * @property-read int                          $firstWeekDay                                                                        0 through 6
- * @property-read int                          $lastWeekDay                                                                         0 through 6
- * @property-read int                          $daysInYear                                                                          365 or 366
- * @property-read int                          $quarter                                                                             the quarter of this instance, 1 - 4
- * @property-read int                          $decade                                                                              the decade of this instance
- * @property-read int                          $century                                                                             the century of this instance
- * @property-read int                          $millennium                                                                          the millennium of this instance
- * @property-read bool                         $dst                                                                                 daylight savings time indicator, true if DST, false otherwise
- * @property-read bool                         $local                                                                               checks if the timezone is local, true if local, false otherwise
- * @property-read bool                         $utc                                                                                 checks if the timezone is UTC, true if UTC, false otherwise
- * @property-read string                       $timezoneName                                                                        the current timezone name
- * @property-read string                       $tzName                                                                              alias of $timezoneName
- * @property-read string                       $locale                                                                              locale of the current instance
+ * @property      int                 $year
+ * @property      int                 $yearIso
+ * @property      int                 $month
+ * @property      int                 $day
+ * @property      int                 $hour
+ * @property      int                 $minute
+ * @property      int                 $second
+ * @property      int                 $micro
+ * @property      int                 $microsecond
+ * @property      int|float|string    $timestamp                                                                                      seconds since the Unix Epoch
+ * @property      string              $englishDayOfWeek                                                                               the day of week in English
+ * @property      string              $shortEnglishDayOfWeek                                                                          the abbreviated day of week in English
+ * @property      string              $englishMonth                                                                                   the month in English
+ * @property      string              $shortEnglishMonth                                                                              the abbreviated month in English
+ * @property      int                 $milliseconds
+ * @property      int                 $millisecond
+ * @property      int                 $milli
+ * @property      int                 $week                                                                                           1 through 53
+ * @property      int                 $isoWeek                                                                                        1 through 53
+ * @property      int                 $weekYear                                                                                       year according to week format
+ * @property      int                 $isoWeekYear                                                                                    year according to ISO week format
+ * @property      int                 $dayOfYear                                                                                      1 through 366
+ * @property      int                 $age                                                                                            does a diffInYears() with default parameters
+ * @property      int                 $offset                                                                                         the timezone offset in seconds from UTC
+ * @property      int                 $offsetMinutes                                                                                  the timezone offset in minutes from UTC
+ * @property      int                 $offsetHours                                                                                    the timezone offset in hours from UTC
+ * @property      CarbonTimeZone      $timezone                                                                                       the current timezone
+ * @property      CarbonTimeZone      $tz                                                                                             alias of $timezone
+ * @property-read int                 $dayOfWeek                                                                                      0 (for Sunday) through 6 (for Saturday)
+ * @property-read int                 $dayOfWeekIso                                                                                   1 (for Monday) through 7 (for Sunday)
+ * @property-read int                 $weekOfYear                                                                                     ISO-8601 week number of year, weeks starting on Monday
+ * @property-read int                 $daysInMonth                                                                                    number of days in the given month
+ * @property-read string              $latinMeridiem                                                                                  "am"/"pm" (Ante meridiem or Post meridiem latin lowercase mark)
+ * @property-read string              $latinUpperMeridiem                                                                             "AM"/"PM" (Ante meridiem or Post meridiem latin uppercase mark)
+ * @property-read string              $timezoneAbbreviatedName                                                                        the current timezone abbreviated name
+ * @property-read string              $tzAbbrName                                                                                     alias of $timezoneAbbreviatedName
+ * @property-read string              $dayName                                                                                        long name of weekday translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $shortDayName                                                                                   short name of weekday translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $minDayName                                                                                     very short name of weekday translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $monthName                                                                                      long name of month translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $shortMonthName                                                                                 short name of month translated according to Carbon locale, in english if no translation available for current language
+ * @property-read string              $meridiem                                                                                       lowercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
+ * @property-read string              $upperMeridiem                                                                                  uppercase meridiem mark translated according to Carbon locale, in latin if no translation available for current language
+ * @property-read int                 $noZeroHour                                                                                     current hour from 1 to 24
+ * @property-read int                 $weeksInYear                                                                                    51 through 53
+ * @property-read int                 $isoWeeksInYear                                                                                 51 through 53
+ * @property-read int                 $weekOfMonth                                                                                    1 through 5
+ * @property-read int                 $weekNumberInMonth                                                                              1 through 5
+ * @property-read int                 $firstWeekDay                                                                                   0 through 6
+ * @property-read int                 $lastWeekDay                                                                                    0 through 6
+ * @property-read int                 $daysInYear                                                                                     365 or 366
+ * @property-read int                 $quarter                                                                                        the quarter of this instance, 1 - 4
+ * @property-read int                 $decade                                                                                         the decade of this instance
+ * @property-read int                 $century                                                                                        the century of this instance
+ * @property-read int                 $millennium                                                                                     the millennium of this instance
+ * @property-read bool                $dst                                                                                            daylight savings time indicator, true if DST, false otherwise
+ * @property-read bool                $local                                                                                          checks if the timezone is local, true if local, false otherwise
+ * @property-read bool                $utc                                                                                            checks if the timezone is UTC, true if UTC, false otherwise
+ * @property-read string              $timezoneName                                                                                   the current timezone name
+ * @property-read string              $tzName                                                                                         alias of $timezoneName
+ * @property-read string              $locale                                                                                         locale of the current instance
  *
- * @method        bool                         isUtc()                                                                              Check if the current instance has UTC timezone. (Both isUtc and isUTC cases are valid.)
- * @method        bool                         isLocal()                                                                            Check if the current instance has non-UTC timezone.
- * @method        bool                         isValid()                                                                            Check if the current instance is a valid date.
- * @method        bool                         isDST()                                                                              Check if the current instance is in a daylight saving time.
- * @method        bool                         isSunday()                                                                           Checks if the instance day is sunday.
- * @method        bool                         isMonday()                                                                           Checks if the instance day is monday.
- * @method        bool                         isTuesday()                                                                          Checks if the instance day is tuesday.
- * @method        bool                         isWednesday()                                                                        Checks if the instance day is wednesday.
- * @method        bool                         isThursday()                                                                         Checks if the instance day is thursday.
- * @method        bool                         isFriday()                                                                           Checks if the instance day is friday.
- * @method        bool                         isSaturday()                                                                         Checks if the instance day is saturday.
- * @method        bool                         isSameYear(Carbon|DateTimeInterface|string|null $date = null)                        Checks if the given date is in the same year as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentYear()                                                                      Checks if the instance is in the same year as the current moment.
- * @method        bool                         isNextYear()                                                                         Checks if the instance is in the same year as the current moment next year.
- * @method        bool                         isLastYear()                                                                         Checks if the instance is in the same year as the current moment last year.
- * @method        bool                         isSameWeek(Carbon|DateTimeInterface|string|null $date = null)                        Checks if the given date is in the same week as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentWeek()                                                                      Checks if the instance is in the same week as the current moment.
- * @method        bool                         isNextWeek()                                                                         Checks if the instance is in the same week as the current moment next week.
- * @method        bool                         isLastWeek()                                                                         Checks if the instance is in the same week as the current moment last week.
- * @method        bool                         isSameDay(Carbon|DateTimeInterface|string|null $date = null)                         Checks if the given date is in the same day as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentDay()                                                                       Checks if the instance is in the same day as the current moment.
- * @method        bool                         isNextDay()                                                                          Checks if the instance is in the same day as the current moment next day.
- * @method        bool                         isLastDay()                                                                          Checks if the instance is in the same day as the current moment last day.
- * @method        bool                         isSameHour(Carbon|DateTimeInterface|string|null $date = null)                        Checks if the given date is in the same hour as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentHour()                                                                      Checks if the instance is in the same hour as the current moment.
- * @method        bool                         isNextHour()                                                                         Checks if the instance is in the same hour as the current moment next hour.
- * @method        bool                         isLastHour()                                                                         Checks if the instance is in the same hour as the current moment last hour.
- * @method        bool                         isSameMinute(Carbon|DateTimeInterface|string|null $date = null)                      Checks if the given date is in the same minute as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentMinute()                                                                    Checks if the instance is in the same minute as the current moment.
- * @method        bool                         isNextMinute()                                                                       Checks if the instance is in the same minute as the current moment next minute.
- * @method        bool                         isLastMinute()                                                                       Checks if the instance is in the same minute as the current moment last minute.
- * @method        bool                         isSameSecond(Carbon|DateTimeInterface|string|null $date = null)                      Checks if the given date is in the same second as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentSecond()                                                                    Checks if the instance is in the same second as the current moment.
- * @method        bool                         isNextSecond()                                                                       Checks if the instance is in the same second as the current moment next second.
- * @method        bool                         isLastSecond()                                                                       Checks if the instance is in the same second as the current moment last second.
- * @method        bool                         isSameMicro(Carbon|DateTimeInterface|string|null $date = null)                       Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentMicro()                                                                     Checks if the instance is in the same microsecond as the current moment.
- * @method        bool                         isNextMicro()                                                                        Checks if the instance is in the same microsecond as the current moment next microsecond.
- * @method        bool                         isLastMicro()                                                                        Checks if the instance is in the same microsecond as the current moment last microsecond.
- * @method        bool                         isSameMicrosecond(Carbon|DateTimeInterface|string|null $date = null)                 Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentMicrosecond()                                                               Checks if the instance is in the same microsecond as the current moment.
- * @method        bool                         isNextMicrosecond()                                                                  Checks if the instance is in the same microsecond as the current moment next microsecond.
- * @method        bool                         isLastMicrosecond()                                                                  Checks if the instance is in the same microsecond as the current moment last microsecond.
- * @method        bool                         isCurrentMonth()                                                                     Checks if the instance is in the same month as the current moment.
- * @method        bool                         isNextMonth()                                                                        Checks if the instance is in the same month as the current moment next month.
- * @method        bool                         isLastMonth()                                                                        Checks if the instance is in the same month as the current moment last month.
- * @method        bool                         isCurrentQuarter()                                                                   Checks if the instance is in the same quarter as the current moment.
- * @method        bool                         isNextQuarter()                                                                      Checks if the instance is in the same quarter as the current moment next quarter.
- * @method        bool                         isLastQuarter()                                                                      Checks if the instance is in the same quarter as the current moment last quarter.
- * @method        bool                         isSameDecade(Carbon|DateTimeInterface|string|null $date = null)                      Checks if the given date is in the same decade as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentDecade()                                                                    Checks if the instance is in the same decade as the current moment.
- * @method        bool                         isNextDecade()                                                                       Checks if the instance is in the same decade as the current moment next decade.
- * @method        bool                         isLastDecade()                                                                       Checks if the instance is in the same decade as the current moment last decade.
- * @method        bool                         isSameCentury(Carbon|DateTimeInterface|string|null $date = null)                     Checks if the given date is in the same century as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentCentury()                                                                   Checks if the instance is in the same century as the current moment.
- * @method        bool                         isNextCentury()                                                                      Checks if the instance is in the same century as the current moment next century.
- * @method        bool                         isLastCentury()                                                                      Checks if the instance is in the same century as the current moment last century.
- * @method        bool                         isSameMillennium(Carbon|DateTimeInterface|string|null $date = null)                  Checks if the given date is in the same millennium as the instance. If null passed, compare to now (with the same timezone).
- * @method        bool                         isCurrentMillennium()                                                                Checks if the instance is in the same millennium as the current moment.
- * @method        bool                         isNextMillennium()                                                                   Checks if the instance is in the same millennium as the current moment next millennium.
- * @method        bool                         isLastMillennium()                                                                   Checks if the instance is in the same millennium as the current moment last millennium.
- * @method        CarbonImmutable              years(int $value)                                                                    Set current instance year to the given value.
- * @method        CarbonImmutable              year(int $value)                                                                     Set current instance year to the given value.
- * @method        CarbonImmutable              setYears(int $value)                                                                 Set current instance year to the given value.
- * @method        CarbonImmutable              setYear(int $value)                                                                  Set current instance year to the given value.
- * @method        CarbonImmutable              months(int $value)                                                                   Set current instance month to the given value.
- * @method        CarbonImmutable              month(int $value)                                                                    Set current instance month to the given value.
- * @method        CarbonImmutable              setMonths(int $value)                                                                Set current instance month to the given value.
- * @method        CarbonImmutable              setMonth(int $value)                                                                 Set current instance month to the given value.
- * @method        CarbonImmutable              days(int $value)                                                                     Set current instance day to the given value.
- * @method        CarbonImmutable              day(int $value)                                                                      Set current instance day to the given value.
- * @method        CarbonImmutable              setDays(int $value)                                                                  Set current instance day to the given value.
- * @method        CarbonImmutable              setDay(int $value)                                                                   Set current instance day to the given value.
- * @method        CarbonImmutable              hours(int $value)                                                                    Set current instance hour to the given value.
- * @method        CarbonImmutable              hour(int $value)                                                                     Set current instance hour to the given value.
- * @method        CarbonImmutable              setHours(int $value)                                                                 Set current instance hour to the given value.
- * @method        CarbonImmutable              setHour(int $value)                                                                  Set current instance hour to the given value.
- * @method        CarbonImmutable              minutes(int $value)                                                                  Set current instance minute to the given value.
- * @method        CarbonImmutable              minute(int $value)                                                                   Set current instance minute to the given value.
- * @method        CarbonImmutable              setMinutes(int $value)                                                               Set current instance minute to the given value.
- * @method        CarbonImmutable              setMinute(int $value)                                                                Set current instance minute to the given value.
- * @method        CarbonImmutable              seconds(int $value)                                                                  Set current instance second to the given value.
- * @method        CarbonImmutable              second(int $value)                                                                   Set current instance second to the given value.
- * @method        CarbonImmutable              setSeconds(int $value)                                                               Set current instance second to the given value.
- * @method        CarbonImmutable              setSecond(int $value)                                                                Set current instance second to the given value.
- * @method        CarbonImmutable              millis(int $value)                                                                   Set current instance millisecond to the given value.
- * @method        CarbonImmutable              milli(int $value)                                                                    Set current instance millisecond to the given value.
- * @method        CarbonImmutable              setMillis(int $value)                                                                Set current instance millisecond to the given value.
- * @method        CarbonImmutable              setMilli(int $value)                                                                 Set current instance millisecond to the given value.
- * @method        CarbonImmutable              milliseconds(int $value)                                                             Set current instance millisecond to the given value.
- * @method        CarbonImmutable              millisecond(int $value)                                                              Set current instance millisecond to the given value.
- * @method        CarbonImmutable              setMilliseconds(int $value)                                                          Set current instance millisecond to the given value.
- * @method        CarbonImmutable              setMillisecond(int $value)                                                           Set current instance millisecond to the given value.
- * @method        CarbonImmutable              micros(int $value)                                                                   Set current instance microsecond to the given value.
- * @method        CarbonImmutable              micro(int $value)                                                                    Set current instance microsecond to the given value.
- * @method        CarbonImmutable              setMicros(int $value)                                                                Set current instance microsecond to the given value.
- * @method        CarbonImmutable              setMicro(int $value)                                                                 Set current instance microsecond to the given value.
- * @method        CarbonImmutable              microseconds(int $value)                                                             Set current instance microsecond to the given value.
- * @method        CarbonImmutable              microsecond(int $value)                                                              Set current instance microsecond to the given value.
- * @method        CarbonImmutable              setMicroseconds(int $value)                                                          Set current instance microsecond to the given value.
- * @method        CarbonImmutable              setMicrosecond(int $value)                                                           Set current instance microsecond to the given value.
- * @method        CarbonImmutable              addYears(int $value = 1)                                                             Add years (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addYear()                                                                            Add one year to the instance (using date interval).
- * @method        CarbonImmutable              subYears(int $value = 1)                                                             Sub years (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subYear()                                                                            Sub one year to the instance (using date interval).
- * @method        CarbonImmutable              addYearsWithOverflow(int $value = 1)                                                 Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addYearWithOverflow()                                                                Add one year to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subYearsWithOverflow(int $value = 1)                                                 Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subYearWithOverflow()                                                                Sub one year to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addYearsWithoutOverflow(int $value = 1)                                              Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addYearWithoutOverflow()                                                             Add one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subYearsWithoutOverflow(int $value = 1)                                              Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subYearWithoutOverflow()                                                             Sub one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addYearsWithNoOverflow(int $value = 1)                                               Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addYearWithNoOverflow()                                                              Add one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subYearsWithNoOverflow(int $value = 1)                                               Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subYearWithNoOverflow()                                                              Sub one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addYearsNoOverflow(int $value = 1)                                                   Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addYearNoOverflow()                                                                  Add one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subYearsNoOverflow(int $value = 1)                                                   Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subYearNoOverflow()                                                                  Sub one year to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMonths(int $value = 1)                                                            Add months (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMonth()                                                                           Add one month to the instance (using date interval).
- * @method        CarbonImmutable              subMonths(int $value = 1)                                                            Sub months (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMonth()                                                                           Sub one month to the instance (using date interval).
- * @method        CarbonImmutable              addMonthsWithOverflow(int $value = 1)                                                Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addMonthWithOverflow()                                                               Add one month to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subMonthsWithOverflow(int $value = 1)                                                Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subMonthWithOverflow()                                                               Sub one month to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addMonthsWithoutOverflow(int $value = 1)                                             Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMonthWithoutOverflow()                                                            Add one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMonthsWithoutOverflow(int $value = 1)                                             Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMonthWithoutOverflow()                                                            Sub one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMonthsWithNoOverflow(int $value = 1)                                              Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMonthWithNoOverflow()                                                             Add one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMonthsWithNoOverflow(int $value = 1)                                              Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMonthWithNoOverflow()                                                             Sub one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMonthsNoOverflow(int $value = 1)                                                  Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMonthNoOverflow()                                                                 Add one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMonthsNoOverflow(int $value = 1)                                                  Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMonthNoOverflow()                                                                 Sub one month to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDays(int $value = 1)                                                              Add days (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addDay()                                                                             Add one day to the instance (using date interval).
- * @method        CarbonImmutable              subDays(int $value = 1)                                                              Sub days (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subDay()                                                                             Sub one day to the instance (using date interval).
- * @method        CarbonImmutable              addHours(int $value = 1)                                                             Add hours (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addHour()                                                                            Add one hour to the instance (using date interval).
- * @method        CarbonImmutable              subHours(int $value = 1)                                                             Sub hours (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subHour()                                                                            Sub one hour to the instance (using date interval).
- * @method        CarbonImmutable              addMinutes(int $value = 1)                                                           Add minutes (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMinute()                                                                          Add one minute to the instance (using date interval).
- * @method        CarbonImmutable              subMinutes(int $value = 1)                                                           Sub minutes (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMinute()                                                                          Sub one minute to the instance (using date interval).
- * @method        CarbonImmutable              addSeconds(int $value = 1)                                                           Add seconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addSecond()                                                                          Add one second to the instance (using date interval).
- * @method        CarbonImmutable              subSeconds(int $value = 1)                                                           Sub seconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subSecond()                                                                          Sub one second to the instance (using date interval).
- * @method        CarbonImmutable              addMillis(int $value = 1)                                                            Add milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMilli()                                                                           Add one millisecond to the instance (using date interval).
- * @method        CarbonImmutable              subMillis(int $value = 1)                                                            Sub milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMilli()                                                                           Sub one millisecond to the instance (using date interval).
- * @method        CarbonImmutable              addMilliseconds(int $value = 1)                                                      Add milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMillisecond()                                                                     Add one millisecond to the instance (using date interval).
- * @method        CarbonImmutable              subMilliseconds(int $value = 1)                                                      Sub milliseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMillisecond()                                                                     Sub one millisecond to the instance (using date interval).
- * @method        CarbonImmutable              addMicros(int $value = 1)                                                            Add microseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMicro()                                                                           Add one microsecond to the instance (using date interval).
- * @method        CarbonImmutable              subMicros(int $value = 1)                                                            Sub microseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMicro()                                                                           Sub one microsecond to the instance (using date interval).
- * @method        CarbonImmutable              addMicroseconds(int $value = 1)                                                      Add microseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMicrosecond()                                                                     Add one microsecond to the instance (using date interval).
- * @method        CarbonImmutable              subMicroseconds(int $value = 1)                                                      Sub microseconds (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMicrosecond()                                                                     Sub one microsecond to the instance (using date interval).
- * @method        CarbonImmutable              addMillennia(int $value = 1)                                                         Add millennia (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addMillennium()                                                                      Add one millennium to the instance (using date interval).
- * @method        CarbonImmutable              subMillennia(int $value = 1)                                                         Sub millennia (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subMillennium()                                                                      Sub one millennium to the instance (using date interval).
- * @method        CarbonImmutable              addMillenniaWithOverflow(int $value = 1)                                             Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addMillenniumWithOverflow()                                                          Add one millennium to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subMillenniaWithOverflow(int $value = 1)                                             Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subMillenniumWithOverflow()                                                          Sub one millennium to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addMillenniaWithoutOverflow(int $value = 1)                                          Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMillenniumWithoutOverflow()                                                       Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMillenniaWithoutOverflow(int $value = 1)                                          Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMillenniumWithoutOverflow()                                                       Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMillenniaWithNoOverflow(int $value = 1)                                           Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMillenniumWithNoOverflow()                                                        Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMillenniaWithNoOverflow(int $value = 1)                                           Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMillenniumWithNoOverflow()                                                        Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMillenniaNoOverflow(int $value = 1)                                               Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addMillenniumNoOverflow()                                                            Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMillenniaNoOverflow(int $value = 1)                                               Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subMillenniumNoOverflow()                                                            Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addCenturies(int $value = 1)                                                         Add centuries (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addCentury()                                                                         Add one century to the instance (using date interval).
- * @method        CarbonImmutable              subCenturies(int $value = 1)                                                         Sub centuries (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subCentury()                                                                         Sub one century to the instance (using date interval).
- * @method        CarbonImmutable              addCenturiesWithOverflow(int $value = 1)                                             Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addCenturyWithOverflow()                                                             Add one century to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subCenturiesWithOverflow(int $value = 1)                                             Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subCenturyWithOverflow()                                                             Sub one century to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addCenturiesWithoutOverflow(int $value = 1)                                          Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addCenturyWithoutOverflow()                                                          Add one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subCenturiesWithoutOverflow(int $value = 1)                                          Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subCenturyWithoutOverflow()                                                          Sub one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addCenturiesWithNoOverflow(int $value = 1)                                           Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addCenturyWithNoOverflow()                                                           Add one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subCenturiesWithNoOverflow(int $value = 1)                                           Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subCenturyWithNoOverflow()                                                           Sub one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addCenturiesNoOverflow(int $value = 1)                                               Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addCenturyNoOverflow()                                                               Add one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subCenturiesNoOverflow(int $value = 1)                                               Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subCenturyNoOverflow()                                                               Sub one century to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDecades(int $value = 1)                                                           Add decades (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addDecade()                                                                          Add one decade to the instance (using date interval).
- * @method        CarbonImmutable              subDecades(int $value = 1)                                                           Sub decades (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subDecade()                                                                          Sub one decade to the instance (using date interval).
- * @method        CarbonImmutable              addDecadesWithOverflow(int $value = 1)                                               Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addDecadeWithOverflow()                                                              Add one decade to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subDecadesWithOverflow(int $value = 1)                                               Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subDecadeWithOverflow()                                                              Sub one decade to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addDecadesWithoutOverflow(int $value = 1)                                            Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDecadeWithoutOverflow()                                                           Add one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subDecadesWithoutOverflow(int $value = 1)                                            Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subDecadeWithoutOverflow()                                                           Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDecadesWithNoOverflow(int $value = 1)                                             Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDecadeWithNoOverflow()                                                            Add one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subDecadesWithNoOverflow(int $value = 1)                                             Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subDecadeWithNoOverflow()                                                            Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDecadesNoOverflow(int $value = 1)                                                 Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addDecadeNoOverflow()                                                                Add one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subDecadesNoOverflow(int $value = 1)                                                 Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subDecadeNoOverflow()                                                                Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addQuarters(int $value = 1)                                                          Add quarters (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addQuarter()                                                                         Add one quarter to the instance (using date interval).
- * @method        CarbonImmutable              subQuarters(int $value = 1)                                                          Sub quarters (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subQuarter()                                                                         Sub one quarter to the instance (using date interval).
- * @method        CarbonImmutable              addQuartersWithOverflow(int $value = 1)                                              Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addQuarterWithOverflow()                                                             Add one quarter to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subQuartersWithOverflow(int $value = 1)                                              Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              subQuarterWithOverflow()                                                             Sub one quarter to the instance (using date interval) with overflow explicitly allowed.
- * @method        CarbonImmutable              addQuartersWithoutOverflow(int $value = 1)                                           Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addQuarterWithoutOverflow()                                                          Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subQuartersWithoutOverflow(int $value = 1)                                           Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subQuarterWithoutOverflow()                                                          Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addQuartersWithNoOverflow(int $value = 1)                                            Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addQuarterWithNoOverflow()                                                           Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subQuartersWithNoOverflow(int $value = 1)                                            Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subQuarterWithNoOverflow()                                                           Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addQuartersNoOverflow(int $value = 1)                                                Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addQuarterNoOverflow()                                                               Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subQuartersNoOverflow(int $value = 1)                                                Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              subQuarterNoOverflow()                                                               Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
- * @method        CarbonImmutable              addWeeks(int $value = 1)                                                             Add weeks (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addWeek()                                                                            Add one week to the instance (using date interval).
- * @method        CarbonImmutable              subWeeks(int $value = 1)                                                             Sub weeks (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subWeek()                                                                            Sub one week to the instance (using date interval).
- * @method        CarbonImmutable              addWeekdays(int $value = 1)                                                          Add weekdays (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              addWeekday()                                                                         Add one weekday to the instance (using date interval).
- * @method        CarbonImmutable              subWeekdays(int $value = 1)                                                          Sub weekdays (the $value count passed in) to the instance (using date interval).
- * @method        CarbonImmutable              subWeekday()                                                                         Sub one weekday to the instance (using date interval).
- * @method        CarbonImmutable              addRealMicros(int $value = 1)                                                        Add microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMicro()                                                                       Add one microsecond to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMicros(int $value = 1)                                                        Sub microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMicro()                                                                       Sub one microsecond to the instance (using timestamp).
- * @method        CarbonPeriod                 microsUntil($endDate = null, int $factor = 1)                                        Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
- * @method        CarbonImmutable              addRealMicroseconds(int $value = 1)                                                  Add microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMicrosecond()                                                                 Add one microsecond to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMicroseconds(int $value = 1)                                                  Sub microseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMicrosecond()                                                                 Sub one microsecond to the instance (using timestamp).
- * @method        CarbonPeriod                 microsecondsUntil($endDate = null, int $factor = 1)                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
- * @method        CarbonImmutable              addRealMillis(int $value = 1)                                                        Add milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMilli()                                                                       Add one millisecond to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMillis(int $value = 1)                                                        Sub milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMilli()                                                                       Sub one millisecond to the instance (using timestamp).
- * @method        CarbonPeriod                 millisUntil($endDate = null, int $factor = 1)                                        Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
- * @method        CarbonImmutable              addRealMilliseconds(int $value = 1)                                                  Add milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMillisecond()                                                                 Add one millisecond to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMilliseconds(int $value = 1)                                                  Sub milliseconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMillisecond()                                                                 Sub one millisecond to the instance (using timestamp).
- * @method        CarbonPeriod                 millisecondsUntil($endDate = null, int $factor = 1)                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
- * @method        CarbonImmutable              addRealSeconds(int $value = 1)                                                       Add seconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealSecond()                                                                      Add one second to the instance (using timestamp).
- * @method        CarbonImmutable              subRealSeconds(int $value = 1)                                                       Sub seconds (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealSecond()                                                                      Sub one second to the instance (using timestamp).
- * @method        CarbonPeriod                 secondsUntil($endDate = null, int $factor = 1)                                       Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each second or every X seconds if a factor is given.
- * @method        CarbonImmutable              addRealMinutes(int $value = 1)                                                       Add minutes (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMinute()                                                                      Add one minute to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMinutes(int $value = 1)                                                       Sub minutes (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMinute()                                                                      Sub one minute to the instance (using timestamp).
- * @method        CarbonPeriod                 minutesUntil($endDate = null, int $factor = 1)                                       Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each minute or every X minutes if a factor is given.
- * @method        CarbonImmutable              addRealHours(int $value = 1)                                                         Add hours (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealHour()                                                                        Add one hour to the instance (using timestamp).
- * @method        CarbonImmutable              subRealHours(int $value = 1)                                                         Sub hours (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealHour()                                                                        Sub one hour to the instance (using timestamp).
- * @method        CarbonPeriod                 hoursUntil($endDate = null, int $factor = 1)                                         Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each hour or every X hours if a factor is given.
- * @method        CarbonImmutable              addRealDays(int $value = 1)                                                          Add days (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealDay()                                                                         Add one day to the instance (using timestamp).
- * @method        CarbonImmutable              subRealDays(int $value = 1)                                                          Sub days (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealDay()                                                                         Sub one day to the instance (using timestamp).
- * @method        CarbonPeriod                 daysUntil($endDate = null, int $factor = 1)                                          Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each day or every X days if a factor is given.
- * @method        CarbonImmutable              addRealWeeks(int $value = 1)                                                         Add weeks (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealWeek()                                                                        Add one week to the instance (using timestamp).
- * @method        CarbonImmutable              subRealWeeks(int $value = 1)                                                         Sub weeks (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealWeek()                                                                        Sub one week to the instance (using timestamp).
- * @method        CarbonPeriod                 weeksUntil($endDate = null, int $factor = 1)                                         Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each week or every X weeks if a factor is given.
- * @method        CarbonImmutable              addRealMonths(int $value = 1)                                                        Add months (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMonth()                                                                       Add one month to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMonths(int $value = 1)                                                        Sub months (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMonth()                                                                       Sub one month to the instance (using timestamp).
- * @method        CarbonPeriod                 monthsUntil($endDate = null, int $factor = 1)                                        Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each month or every X months if a factor is given.
- * @method        CarbonImmutable              addRealQuarters(int $value = 1)                                                      Add quarters (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealQuarter()                                                                     Add one quarter to the instance (using timestamp).
- * @method        CarbonImmutable              subRealQuarters(int $value = 1)                                                      Sub quarters (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealQuarter()                                                                     Sub one quarter to the instance (using timestamp).
- * @method        CarbonPeriod                 quartersUntil($endDate = null, int $factor = 1)                                      Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each quarter or every X quarters if a factor is given.
- * @method        CarbonImmutable              addRealYears(int $value = 1)                                                         Add years (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealYear()                                                                        Add one year to the instance (using timestamp).
- * @method        CarbonImmutable              subRealYears(int $value = 1)                                                         Sub years (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealYear()                                                                        Sub one year to the instance (using timestamp).
- * @method        CarbonPeriod                 yearsUntil($endDate = null, int $factor = 1)                                         Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each year or every X years if a factor is given.
- * @method        CarbonImmutable              addRealDecades(int $value = 1)                                                       Add decades (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealDecade()                                                                      Add one decade to the instance (using timestamp).
- * @method        CarbonImmutable              subRealDecades(int $value = 1)                                                       Sub decades (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealDecade()                                                                      Sub one decade to the instance (using timestamp).
- * @method        CarbonPeriod                 decadesUntil($endDate = null, int $factor = 1)                                       Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each decade or every X decades if a factor is given.
- * @method        CarbonImmutable              addRealCenturies(int $value = 1)                                                     Add centuries (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealCentury()                                                                     Add one century to the instance (using timestamp).
- * @method        CarbonImmutable              subRealCenturies(int $value = 1)                                                     Sub centuries (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealCentury()                                                                     Sub one century to the instance (using timestamp).
- * @method        CarbonPeriod                 centuriesUntil($endDate = null, int $factor = 1)                                     Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each century or every X centuries if a factor is given.
- * @method        CarbonImmutable              addRealMillennia(int $value = 1)                                                     Add millennia (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              addRealMillennium()                                                                  Add one millennium to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMillennia(int $value = 1)                                                     Sub millennia (the $value count passed in) to the instance (using timestamp).
- * @method        CarbonImmutable              subRealMillennium()                                                                  Sub one millennium to the instance (using timestamp).
- * @method        CarbonPeriod                 millenniaUntil($endDate = null, int $factor = 1)                                     Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millennium or every X millennia if a factor is given.
- * @method        CarbonImmutable              roundYear(float $precision = 1, string $function = "round")                          Round the current instance year with given precision using the given function.
- * @method        CarbonImmutable              roundYears(float $precision = 1, string $function = "round")                         Round the current instance year with given precision using the given function.
- * @method        CarbonImmutable              floorYear(float $precision = 1)                                                      Truncate the current instance year with given precision.
- * @method        CarbonImmutable              floorYears(float $precision = 1)                                                     Truncate the current instance year with given precision.
- * @method        CarbonImmutable              ceilYear(float $precision = 1)                                                       Ceil the current instance year with given precision.
- * @method        CarbonImmutable              ceilYears(float $precision = 1)                                                      Ceil the current instance year with given precision.
- * @method        CarbonImmutable              roundMonth(float $precision = 1, string $function = "round")                         Round the current instance month with given precision using the given function.
- * @method        CarbonImmutable              roundMonths(float $precision = 1, string $function = "round")                        Round the current instance month with given precision using the given function.
- * @method        CarbonImmutable              floorMonth(float $precision = 1)                                                     Truncate the current instance month with given precision.
- * @method        CarbonImmutable              floorMonths(float $precision = 1)                                                    Truncate the current instance month with given precision.
- * @method        CarbonImmutable              ceilMonth(float $precision = 1)                                                      Ceil the current instance month with given precision.
- * @method        CarbonImmutable              ceilMonths(float $precision = 1)                                                     Ceil the current instance month with given precision.
- * @method        CarbonImmutable              roundDay(float $precision = 1, string $function = "round")                           Round the current instance day with given precision using the given function.
- * @method        CarbonImmutable              roundDays(float $precision = 1, string $function = "round")                          Round the current instance day with given precision using the given function.
- * @method        CarbonImmutable              floorDay(float $precision = 1)                                                       Truncate the current instance day with given precision.
- * @method        CarbonImmutable              floorDays(float $precision = 1)                                                      Truncate the current instance day with given precision.
- * @method        CarbonImmutable              ceilDay(float $precision = 1)                                                        Ceil the current instance day with given precision.
- * @method        CarbonImmutable              ceilDays(float $precision = 1)                                                       Ceil the current instance day with given precision.
- * @method        CarbonImmutable              roundHour(float $precision = 1, string $function = "round")                          Round the current instance hour with given precision using the given function.
- * @method        CarbonImmutable              roundHours(float $precision = 1, string $function = "round")                         Round the current instance hour with given precision using the given function.
- * @method        CarbonImmutable              floorHour(float $precision = 1)                                                      Truncate the current instance hour with given precision.
- * @method        CarbonImmutable              floorHours(float $precision = 1)                                                     Truncate the current instance hour with given precision.
- * @method        CarbonImmutable              ceilHour(float $precision = 1)                                                       Ceil the current instance hour with given precision.
- * @method        CarbonImmutable              ceilHours(float $precision = 1)                                                      Ceil the current instance hour with given precision.
- * @method        CarbonImmutable              roundMinute(float $precision = 1, string $function = "round")                        Round the current instance minute with given precision using the given function.
- * @method        CarbonImmutable              roundMinutes(float $precision = 1, string $function = "round")                       Round the current instance minute with given precision using the given function.
- * @method        CarbonImmutable              floorMinute(float $precision = 1)                                                    Truncate the current instance minute with given precision.
- * @method        CarbonImmutable              floorMinutes(float $precision = 1)                                                   Truncate the current instance minute with given precision.
- * @method        CarbonImmutable              ceilMinute(float $precision = 1)                                                     Ceil the current instance minute with given precision.
- * @method        CarbonImmutable              ceilMinutes(float $precision = 1)                                                    Ceil the current instance minute with given precision.
- * @method        CarbonImmutable              roundSecond(float $precision = 1, string $function = "round")                        Round the current instance second with given precision using the given function.
- * @method        CarbonImmutable              roundSeconds(float $precision = 1, string $function = "round")                       Round the current instance second with given precision using the given function.
- * @method        CarbonImmutable              floorSecond(float $precision = 1)                                                    Truncate the current instance second with given precision.
- * @method        CarbonImmutable              floorSeconds(float $precision = 1)                                                   Truncate the current instance second with given precision.
- * @method        CarbonImmutable              ceilSecond(float $precision = 1)                                                     Ceil the current instance second with given precision.
- * @method        CarbonImmutable              ceilSeconds(float $precision = 1)                                                    Ceil the current instance second with given precision.
- * @method        CarbonImmutable              roundMillennium(float $precision = 1, string $function = "round")                    Round the current instance millennium with given precision using the given function.
- * @method        CarbonImmutable              roundMillennia(float $precision = 1, string $function = "round")                     Round the current instance millennium with given precision using the given function.
- * @method        CarbonImmutable              floorMillennium(float $precision = 1)                                                Truncate the current instance millennium with given precision.
- * @method        CarbonImmutable              floorMillennia(float $precision = 1)                                                 Truncate the current instance millennium with given precision.
- * @method        CarbonImmutable              ceilMillennium(float $precision = 1)                                                 Ceil the current instance millennium with given precision.
- * @method        CarbonImmutable              ceilMillennia(float $precision = 1)                                                  Ceil the current instance millennium with given precision.
- * @method        CarbonImmutable              roundCentury(float $precision = 1, string $function = "round")                       Round the current instance century with given precision using the given function.
- * @method        CarbonImmutable              roundCenturies(float $precision = 1, string $function = "round")                     Round the current instance century with given precision using the given function.
- * @method        CarbonImmutable              floorCentury(float $precision = 1)                                                   Truncate the current instance century with given precision.
- * @method        CarbonImmutable              floorCenturies(float $precision = 1)                                                 Truncate the current instance century with given precision.
- * @method        CarbonImmutable              ceilCentury(float $precision = 1)                                                    Ceil the current instance century with given precision.
- * @method        CarbonImmutable              ceilCenturies(float $precision = 1)                                                  Ceil the current instance century with given precision.
- * @method        CarbonImmutable              roundDecade(float $precision = 1, string $function = "round")                        Round the current instance decade with given precision using the given function.
- * @method        CarbonImmutable              roundDecades(float $precision = 1, string $function = "round")                       Round the current instance decade with given precision using the given function.
- * @method        CarbonImmutable              floorDecade(float $precision = 1)                                                    Truncate the current instance decade with given precision.
- * @method        CarbonImmutable              floorDecades(float $precision = 1)                                                   Truncate the current instance decade with given precision.
- * @method        CarbonImmutable              ceilDecade(float $precision = 1)                                                     Ceil the current instance decade with given precision.
- * @method        CarbonImmutable              ceilDecades(float $precision = 1)                                                    Ceil the current instance decade with given precision.
- * @method        CarbonImmutable              roundQuarter(float $precision = 1, string $function = "round")                       Round the current instance quarter with given precision using the given function.
- * @method        CarbonImmutable              roundQuarters(float $precision = 1, string $function = "round")                      Round the current instance quarter with given precision using the given function.
- * @method        CarbonImmutable              floorQuarter(float $precision = 1)                                                   Truncate the current instance quarter with given precision.
- * @method        CarbonImmutable              floorQuarters(float $precision = 1)                                                  Truncate the current instance quarter with given precision.
- * @method        CarbonImmutable              ceilQuarter(float $precision = 1)                                                    Ceil the current instance quarter with given precision.
- * @method        CarbonImmutable              ceilQuarters(float $precision = 1)                                                   Ceil the current instance quarter with given precision.
- * @method        CarbonImmutable              roundMillisecond(float $precision = 1, string $function = "round")                   Round the current instance millisecond with given precision using the given function.
- * @method        CarbonImmutable              roundMilliseconds(float $precision = 1, string $function = "round")                  Round the current instance millisecond with given precision using the given function.
- * @method        CarbonImmutable              floorMillisecond(float $precision = 1)                                               Truncate the current instance millisecond with given precision.
- * @method        CarbonImmutable              floorMilliseconds(float $precision = 1)                                              Truncate the current instance millisecond with given precision.
- * @method        CarbonImmutable              ceilMillisecond(float $precision = 1)                                                Ceil the current instance millisecond with given precision.
- * @method        CarbonImmutable              ceilMilliseconds(float $precision = 1)                                               Ceil the current instance millisecond with given precision.
- * @method        CarbonImmutable              roundMicrosecond(float $precision = 1, string $function = "round")                   Round the current instance microsecond with given precision using the given function.
- * @method        CarbonImmutable              roundMicroseconds(float $precision = 1, string $function = "round")                  Round the current instance microsecond with given precision using the given function.
- * @method        CarbonImmutable              floorMicrosecond(float $precision = 1)                                               Truncate the current instance microsecond with given precision.
- * @method        CarbonImmutable              floorMicroseconds(float $precision = 1)                                              Truncate the current instance microsecond with given precision.
- * @method        CarbonImmutable              ceilMicrosecond(float $precision = 1)                                                Ceil the current instance microsecond with given precision.
- * @method        CarbonImmutable              ceilMicroseconds(float $precision = 1)                                               Ceil the current instance microsecond with given precision.
- * @method        string                       shortAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)          Get the difference (short format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       longAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)           Get the difference (long format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       shortRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)          Get the difference (short format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       longRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)           Get the difference (long format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       shortRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)     Get the difference (short format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       longRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)      Get the difference (long format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       shortRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)   Get the difference (short format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        string                       longRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)    Get the difference (long format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
- * @method        static CarbonImmutable|false createFromFormat(string $format, string $time, string|DateTimeZone $timezone = null) Parse a string into a new CarbonImmutable object according to the specified format.
- * @method        static CarbonImmutable       __set_state(array $array)                                                            https://php.net/manual/en/datetime.set-state.php
+ * @method        bool                isUtc()                                                                                         Check if the current instance has UTC timezone. (Both isUtc and isUTC cases are valid.)
+ * @method        bool                isLocal()                                                                                       Check if the current instance has non-UTC timezone.
+ * @method        bool                isValid()                                                                                       Check if the current instance is a valid date.
+ * @method        bool                isDST()                                                                                         Check if the current instance is in a daylight saving time.
+ * @method        bool                isSunday()                                                                                      Checks if the instance day is sunday.
+ * @method        bool                isMonday()                                                                                      Checks if the instance day is monday.
+ * @method        bool                isTuesday()                                                                                     Checks if the instance day is tuesday.
+ * @method        bool                isWednesday()                                                                                   Checks if the instance day is wednesday.
+ * @method        bool                isThursday()                                                                                    Checks if the instance day is thursday.
+ * @method        bool                isFriday()                                                                                      Checks if the instance day is friday.
+ * @method        bool                isSaturday()                                                                                    Checks if the instance day is saturday.
+ * @method        bool                isSameYear(Carbon|DateTimeInterface|string|null $date = null)                                   Checks if the given date is in the same year as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentYear()                                                                                 Checks if the instance is in the same year as the current moment.
+ * @method        bool                isNextYear()                                                                                    Checks if the instance is in the same year as the current moment next year.
+ * @method        bool                isLastYear()                                                                                    Checks if the instance is in the same year as the current moment last year.
+ * @method        bool                isSameWeek(Carbon|DateTimeInterface|string|null $date = null)                                   Checks if the given date is in the same week as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentWeek()                                                                                 Checks if the instance is in the same week as the current moment.
+ * @method        bool                isNextWeek()                                                                                    Checks if the instance is in the same week as the current moment next week.
+ * @method        bool                isLastWeek()                                                                                    Checks if the instance is in the same week as the current moment last week.
+ * @method        bool                isSameDay(Carbon|DateTimeInterface|string|null $date = null)                                    Checks if the given date is in the same day as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentDay()                                                                                  Checks if the instance is in the same day as the current moment.
+ * @method        bool                isNextDay()                                                                                     Checks if the instance is in the same day as the current moment next day.
+ * @method        bool                isLastDay()                                                                                     Checks if the instance is in the same day as the current moment last day.
+ * @method        bool                isSameHour(Carbon|DateTimeInterface|string|null $date = null)                                   Checks if the given date is in the same hour as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentHour()                                                                                 Checks if the instance is in the same hour as the current moment.
+ * @method        bool                isNextHour()                                                                                    Checks if the instance is in the same hour as the current moment next hour.
+ * @method        bool                isLastHour()                                                                                    Checks if the instance is in the same hour as the current moment last hour.
+ * @method        bool                isSameMinute(Carbon|DateTimeInterface|string|null $date = null)                                 Checks if the given date is in the same minute as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMinute()                                                                               Checks if the instance is in the same minute as the current moment.
+ * @method        bool                isNextMinute()                                                                                  Checks if the instance is in the same minute as the current moment next minute.
+ * @method        bool                isLastMinute()                                                                                  Checks if the instance is in the same minute as the current moment last minute.
+ * @method        bool                isSameSecond(Carbon|DateTimeInterface|string|null $date = null)                                 Checks if the given date is in the same second as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentSecond()                                                                               Checks if the instance is in the same second as the current moment.
+ * @method        bool                isNextSecond()                                                                                  Checks if the instance is in the same second as the current moment next second.
+ * @method        bool                isLastSecond()                                                                                  Checks if the instance is in the same second as the current moment last second.
+ * @method        bool                isSameMicro(Carbon|DateTimeInterface|string|null $date = null)                                  Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMicro()                                                                                Checks if the instance is in the same microsecond as the current moment.
+ * @method        bool                isNextMicro()                                                                                   Checks if the instance is in the same microsecond as the current moment next microsecond.
+ * @method        bool                isLastMicro()                                                                                   Checks if the instance is in the same microsecond as the current moment last microsecond.
+ * @method        bool                isSameMicrosecond(Carbon|DateTimeInterface|string|null $date = null)                            Checks if the given date is in the same microsecond as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMicrosecond()                                                                          Checks if the instance is in the same microsecond as the current moment.
+ * @method        bool                isNextMicrosecond()                                                                             Checks if the instance is in the same microsecond as the current moment next microsecond.
+ * @method        bool                isLastMicrosecond()                                                                             Checks if the instance is in the same microsecond as the current moment last microsecond.
+ * @method        bool                isCurrentMonth()                                                                                Checks if the instance is in the same month as the current moment.
+ * @method        bool                isNextMonth()                                                                                   Checks if the instance is in the same month as the current moment next month.
+ * @method        bool                isLastMonth()                                                                                   Checks if the instance is in the same month as the current moment last month.
+ * @method        bool                isCurrentQuarter()                                                                              Checks if the instance is in the same quarter as the current moment.
+ * @method        bool                isNextQuarter()                                                                                 Checks if the instance is in the same quarter as the current moment next quarter.
+ * @method        bool                isLastQuarter()                                                                                 Checks if the instance is in the same quarter as the current moment last quarter.
+ * @method        bool                isSameDecade(Carbon|DateTimeInterface|string|null $date = null)                                 Checks if the given date is in the same decade as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentDecade()                                                                               Checks if the instance is in the same decade as the current moment.
+ * @method        bool                isNextDecade()                                                                                  Checks if the instance is in the same decade as the current moment next decade.
+ * @method        bool                isLastDecade()                                                                                  Checks if the instance is in the same decade as the current moment last decade.
+ * @method        bool                isSameCentury(Carbon|DateTimeInterface|string|null $date = null)                                Checks if the given date is in the same century as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentCentury()                                                                              Checks if the instance is in the same century as the current moment.
+ * @method        bool                isNextCentury()                                                                                 Checks if the instance is in the same century as the current moment next century.
+ * @method        bool                isLastCentury()                                                                                 Checks if the instance is in the same century as the current moment last century.
+ * @method        bool                isSameMillennium(Carbon|DateTimeInterface|string|null $date = null)                             Checks if the given date is in the same millennium as the instance. If null passed, compare to now (with the same timezone).
+ * @method        bool                isCurrentMillennium()                                                                           Checks if the instance is in the same millennium as the current moment.
+ * @method        bool                isNextMillennium()                                                                              Checks if the instance is in the same millennium as the current moment next millennium.
+ * @method        bool                isLastMillennium()                                                                              Checks if the instance is in the same millennium as the current moment last millennium.
+ * @method        CarbonImmutable     years(int $value)                                                                               Set current instance year to the given value.
+ * @method        CarbonImmutable     year(int $value)                                                                                Set current instance year to the given value.
+ * @method        CarbonImmutable     setYears(int $value)                                                                            Set current instance year to the given value.
+ * @method        CarbonImmutable     setYear(int $value)                                                                             Set current instance year to the given value.
+ * @method        CarbonImmutable     months(int $value)                                                                              Set current instance month to the given value.
+ * @method        CarbonImmutable     month(int $value)                                                                               Set current instance month to the given value.
+ * @method        CarbonImmutable     setMonths(int $value)                                                                           Set current instance month to the given value.
+ * @method        CarbonImmutable     setMonth(int $value)                                                                            Set current instance month to the given value.
+ * @method        CarbonImmutable     days(int $value)                                                                                Set current instance day to the given value.
+ * @method        CarbonImmutable     day(int $value)                                                                                 Set current instance day to the given value.
+ * @method        CarbonImmutable     setDays(int $value)                                                                             Set current instance day to the given value.
+ * @method        CarbonImmutable     setDay(int $value)                                                                              Set current instance day to the given value.
+ * @method        CarbonImmutable     hours(int $value)                                                                               Set current instance hour to the given value.
+ * @method        CarbonImmutable     hour(int $value)                                                                                Set current instance hour to the given value.
+ * @method        CarbonImmutable     setHours(int $value)                                                                            Set current instance hour to the given value.
+ * @method        CarbonImmutable     setHour(int $value)                                                                             Set current instance hour to the given value.
+ * @method        CarbonImmutable     minutes(int $value)                                                                             Set current instance minute to the given value.
+ * @method        CarbonImmutable     minute(int $value)                                                                              Set current instance minute to the given value.
+ * @method        CarbonImmutable     setMinutes(int $value)                                                                          Set current instance minute to the given value.
+ * @method        CarbonImmutable     setMinute(int $value)                                                                           Set current instance minute to the given value.
+ * @method        CarbonImmutable     seconds(int $value)                                                                             Set current instance second to the given value.
+ * @method        CarbonImmutable     second(int $value)                                                                              Set current instance second to the given value.
+ * @method        CarbonImmutable     setSeconds(int $value)                                                                          Set current instance second to the given value.
+ * @method        CarbonImmutable     setSecond(int $value)                                                                           Set current instance second to the given value.
+ * @method        CarbonImmutable     millis(int $value)                                                                              Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     milli(int $value)                                                                               Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     setMillis(int $value)                                                                           Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     setMilli(int $value)                                                                            Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     milliseconds(int $value)                                                                        Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     millisecond(int $value)                                                                         Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     setMilliseconds(int $value)                                                                     Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     setMillisecond(int $value)                                                                      Set current instance millisecond to the given value.
+ * @method        CarbonImmutable     micros(int $value)                                                                              Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     micro(int $value)                                                                               Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     setMicros(int $value)                                                                           Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     setMicro(int $value)                                                                            Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     microseconds(int $value)                                                                        Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     microsecond(int $value)                                                                         Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     setMicroseconds(int $value)                                                                     Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     setMicrosecond(int $value)                                                                      Set current instance microsecond to the given value.
+ * @method        CarbonImmutable     addYears(int $value = 1)                                                                        Add years (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addYear()                                                                                       Add one year to the instance (using date interval).
+ * @method        CarbonImmutable     subYears(int $value = 1)                                                                        Sub years (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subYear()                                                                                       Sub one year to the instance (using date interval).
+ * @method        CarbonImmutable     addYearsWithOverflow(int $value = 1)                                                            Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addYearWithOverflow()                                                                           Add one year to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subYearsWithOverflow(int $value = 1)                                                            Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subYearWithOverflow()                                                                           Sub one year to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addYearsWithoutOverflow(int $value = 1)                                                         Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addYearWithoutOverflow()                                                                        Add one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subYearsWithoutOverflow(int $value = 1)                                                         Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subYearWithoutOverflow()                                                                        Sub one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addYearsWithNoOverflow(int $value = 1)                                                          Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addYearWithNoOverflow()                                                                         Add one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subYearsWithNoOverflow(int $value = 1)                                                          Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subYearWithNoOverflow()                                                                         Sub one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addYearsNoOverflow(int $value = 1)                                                              Add years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addYearNoOverflow()                                                                             Add one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subYearsNoOverflow(int $value = 1)                                                              Sub years (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subYearNoOverflow()                                                                             Sub one year to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMonths(int $value = 1)                                                                       Add months (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMonth()                                                                                      Add one month to the instance (using date interval).
+ * @method        CarbonImmutable     subMonths(int $value = 1)                                                                       Sub months (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMonth()                                                                                      Sub one month to the instance (using date interval).
+ * @method        CarbonImmutable     addMonthsWithOverflow(int $value = 1)                                                           Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addMonthWithOverflow()                                                                          Add one month to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subMonthsWithOverflow(int $value = 1)                                                           Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subMonthWithOverflow()                                                                          Sub one month to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addMonthsWithoutOverflow(int $value = 1)                                                        Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMonthWithoutOverflow()                                                                       Add one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMonthsWithoutOverflow(int $value = 1)                                                        Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMonthWithoutOverflow()                                                                       Sub one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMonthsWithNoOverflow(int $value = 1)                                                         Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMonthWithNoOverflow()                                                                        Add one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMonthsWithNoOverflow(int $value = 1)                                                         Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMonthWithNoOverflow()                                                                        Sub one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMonthsNoOverflow(int $value = 1)                                                             Add months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMonthNoOverflow()                                                                            Add one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMonthsNoOverflow(int $value = 1)                                                             Sub months (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMonthNoOverflow()                                                                            Sub one month to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDays(int $value = 1)                                                                         Add days (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addDay()                                                                                        Add one day to the instance (using date interval).
+ * @method        CarbonImmutable     subDays(int $value = 1)                                                                         Sub days (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subDay()                                                                                        Sub one day to the instance (using date interval).
+ * @method        CarbonImmutable     addHours(int $value = 1)                                                                        Add hours (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addHour()                                                                                       Add one hour to the instance (using date interval).
+ * @method        CarbonImmutable     subHours(int $value = 1)                                                                        Sub hours (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subHour()                                                                                       Sub one hour to the instance (using date interval).
+ * @method        CarbonImmutable     addMinutes(int $value = 1)                                                                      Add minutes (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMinute()                                                                                     Add one minute to the instance (using date interval).
+ * @method        CarbonImmutable     subMinutes(int $value = 1)                                                                      Sub minutes (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMinute()                                                                                     Sub one minute to the instance (using date interval).
+ * @method        CarbonImmutable     addSeconds(int $value = 1)                                                                      Add seconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addSecond()                                                                                     Add one second to the instance (using date interval).
+ * @method        CarbonImmutable     subSeconds(int $value = 1)                                                                      Sub seconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subSecond()                                                                                     Sub one second to the instance (using date interval).
+ * @method        CarbonImmutable     addMillis(int $value = 1)                                                                       Add milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMilli()                                                                                      Add one millisecond to the instance (using date interval).
+ * @method        CarbonImmutable     subMillis(int $value = 1)                                                                       Sub milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMilli()                                                                                      Sub one millisecond to the instance (using date interval).
+ * @method        CarbonImmutable     addMilliseconds(int $value = 1)                                                                 Add milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMillisecond()                                                                                Add one millisecond to the instance (using date interval).
+ * @method        CarbonImmutable     subMilliseconds(int $value = 1)                                                                 Sub milliseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMillisecond()                                                                                Sub one millisecond to the instance (using date interval).
+ * @method        CarbonImmutable     addMicros(int $value = 1)                                                                       Add microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMicro()                                                                                      Add one microsecond to the instance (using date interval).
+ * @method        CarbonImmutable     subMicros(int $value = 1)                                                                       Sub microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMicro()                                                                                      Sub one microsecond to the instance (using date interval).
+ * @method        CarbonImmutable     addMicroseconds(int $value = 1)                                                                 Add microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMicrosecond()                                                                                Add one microsecond to the instance (using date interval).
+ * @method        CarbonImmutable     subMicroseconds(int $value = 1)                                                                 Sub microseconds (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMicrosecond()                                                                                Sub one microsecond to the instance (using date interval).
+ * @method        CarbonImmutable     addMillennia(int $value = 1)                                                                    Add millennia (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addMillennium()                                                                                 Add one millennium to the instance (using date interval).
+ * @method        CarbonImmutable     subMillennia(int $value = 1)                                                                    Sub millennia (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subMillennium()                                                                                 Sub one millennium to the instance (using date interval).
+ * @method        CarbonImmutable     addMillenniaWithOverflow(int $value = 1)                                                        Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addMillenniumWithOverflow()                                                                     Add one millennium to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subMillenniaWithOverflow(int $value = 1)                                                        Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subMillenniumWithOverflow()                                                                     Sub one millennium to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addMillenniaWithoutOverflow(int $value = 1)                                                     Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMillenniumWithoutOverflow()                                                                  Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMillenniaWithoutOverflow(int $value = 1)                                                     Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMillenniumWithoutOverflow()                                                                  Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMillenniaWithNoOverflow(int $value = 1)                                                      Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMillenniumWithNoOverflow()                                                                   Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMillenniaWithNoOverflow(int $value = 1)                                                      Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMillenniumWithNoOverflow()                                                                   Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMillenniaNoOverflow(int $value = 1)                                                          Add millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addMillenniumNoOverflow()                                                                       Add one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMillenniaNoOverflow(int $value = 1)                                                          Sub millennia (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subMillenniumNoOverflow()                                                                       Sub one millennium to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addCenturies(int $value = 1)                                                                    Add centuries (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addCentury()                                                                                    Add one century to the instance (using date interval).
+ * @method        CarbonImmutable     subCenturies(int $value = 1)                                                                    Sub centuries (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subCentury()                                                                                    Sub one century to the instance (using date interval).
+ * @method        CarbonImmutable     addCenturiesWithOverflow(int $value = 1)                                                        Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addCenturyWithOverflow()                                                                        Add one century to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subCenturiesWithOverflow(int $value = 1)                                                        Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subCenturyWithOverflow()                                                                        Sub one century to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addCenturiesWithoutOverflow(int $value = 1)                                                     Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addCenturyWithoutOverflow()                                                                     Add one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subCenturiesWithoutOverflow(int $value = 1)                                                     Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subCenturyWithoutOverflow()                                                                     Sub one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addCenturiesWithNoOverflow(int $value = 1)                                                      Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addCenturyWithNoOverflow()                                                                      Add one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subCenturiesWithNoOverflow(int $value = 1)                                                      Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subCenturyWithNoOverflow()                                                                      Sub one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addCenturiesNoOverflow(int $value = 1)                                                          Add centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addCenturyNoOverflow()                                                                          Add one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subCenturiesNoOverflow(int $value = 1)                                                          Sub centuries (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subCenturyNoOverflow()                                                                          Sub one century to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDecades(int $value = 1)                                                                      Add decades (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addDecade()                                                                                     Add one decade to the instance (using date interval).
+ * @method        CarbonImmutable     subDecades(int $value = 1)                                                                      Sub decades (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subDecade()                                                                                     Sub one decade to the instance (using date interval).
+ * @method        CarbonImmutable     addDecadesWithOverflow(int $value = 1)                                                          Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addDecadeWithOverflow()                                                                         Add one decade to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subDecadesWithOverflow(int $value = 1)                                                          Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subDecadeWithOverflow()                                                                         Sub one decade to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addDecadesWithoutOverflow(int $value = 1)                                                       Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDecadeWithoutOverflow()                                                                      Add one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subDecadesWithoutOverflow(int $value = 1)                                                       Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subDecadeWithoutOverflow()                                                                      Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDecadesWithNoOverflow(int $value = 1)                                                        Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDecadeWithNoOverflow()                                                                       Add one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subDecadesWithNoOverflow(int $value = 1)                                                        Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subDecadeWithNoOverflow()                                                                       Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDecadesNoOverflow(int $value = 1)                                                            Add decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addDecadeNoOverflow()                                                                           Add one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subDecadesNoOverflow(int $value = 1)                                                            Sub decades (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subDecadeNoOverflow()                                                                           Sub one decade to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addQuarters(int $value = 1)                                                                     Add quarters (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addQuarter()                                                                                    Add one quarter to the instance (using date interval).
+ * @method        CarbonImmutable     subQuarters(int $value = 1)                                                                     Sub quarters (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subQuarter()                                                                                    Sub one quarter to the instance (using date interval).
+ * @method        CarbonImmutable     addQuartersWithOverflow(int $value = 1)                                                         Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addQuarterWithOverflow()                                                                        Add one quarter to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subQuartersWithOverflow(int $value = 1)                                                         Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     subQuarterWithOverflow()                                                                        Sub one quarter to the instance (using date interval) with overflow explicitly allowed.
+ * @method        CarbonImmutable     addQuartersWithoutOverflow(int $value = 1)                                                      Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addQuarterWithoutOverflow()                                                                     Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subQuartersWithoutOverflow(int $value = 1)                                                      Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subQuarterWithoutOverflow()                                                                     Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addQuartersWithNoOverflow(int $value = 1)                                                       Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addQuarterWithNoOverflow()                                                                      Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subQuartersWithNoOverflow(int $value = 1)                                                       Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subQuarterWithNoOverflow()                                                                      Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addQuartersNoOverflow(int $value = 1)                                                           Add quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addQuarterNoOverflow()                                                                          Add one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subQuartersNoOverflow(int $value = 1)                                                           Sub quarters (the $value count passed in) to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     subQuarterNoOverflow()                                                                          Sub one quarter to the instance (using date interval) with overflow explicitly forbidden.
+ * @method        CarbonImmutable     addWeeks(int $value = 1)                                                                        Add weeks (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addWeek()                                                                                       Add one week to the instance (using date interval).
+ * @method        CarbonImmutable     subWeeks(int $value = 1)                                                                        Sub weeks (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subWeek()                                                                                       Sub one week to the instance (using date interval).
+ * @method        CarbonImmutable     addWeekdays(int $value = 1)                                                                     Add weekdays (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     addWeekday()                                                                                    Add one weekday to the instance (using date interval).
+ * @method        CarbonImmutable     subWeekdays(int $value = 1)                                                                     Sub weekdays (the $value count passed in) to the instance (using date interval).
+ * @method        CarbonImmutable     subWeekday()                                                                                    Sub one weekday to the instance (using date interval).
+ * @method        CarbonImmutable     addRealMicros(int $value = 1)                                                                   Add microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMicro()                                                                                  Add one microsecond to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMicros(int $value = 1)                                                                   Sub microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMicro()                                                                                  Sub one microsecond to the instance (using timestamp).
+ * @method        CarbonPeriod        microsUntil($endDate = null, int $factor = 1)                                                   Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
+ * @method        CarbonImmutable     addRealMicroseconds(int $value = 1)                                                             Add microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMicrosecond()                                                                            Add one microsecond to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMicroseconds(int $value = 1)                                                             Sub microseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMicrosecond()                                                                            Sub one microsecond to the instance (using timestamp).
+ * @method        CarbonPeriod        microsecondsUntil($endDate = null, int $factor = 1)                                             Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each microsecond or every X microseconds if a factor is given.
+ * @method        CarbonImmutable     addRealMillis(int $value = 1)                                                                   Add milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMilli()                                                                                  Add one millisecond to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMillis(int $value = 1)                                                                   Sub milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMilli()                                                                                  Sub one millisecond to the instance (using timestamp).
+ * @method        CarbonPeriod        millisUntil($endDate = null, int $factor = 1)                                                   Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
+ * @method        CarbonImmutable     addRealMilliseconds(int $value = 1)                                                             Add milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMillisecond()                                                                            Add one millisecond to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMilliseconds(int $value = 1)                                                             Sub milliseconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMillisecond()                                                                            Sub one millisecond to the instance (using timestamp).
+ * @method        CarbonPeriod        millisecondsUntil($endDate = null, int $factor = 1)                                             Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millisecond or every X milliseconds if a factor is given.
+ * @method        CarbonImmutable     addRealSeconds(int $value = 1)                                                                  Add seconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealSecond()                                                                                 Add one second to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealSeconds(int $value = 1)                                                                  Sub seconds (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealSecond()                                                                                 Sub one second to the instance (using timestamp).
+ * @method        CarbonPeriod        secondsUntil($endDate = null, int $factor = 1)                                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each second or every X seconds if a factor is given.
+ * @method        CarbonImmutable     addRealMinutes(int $value = 1)                                                                  Add minutes (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMinute()                                                                                 Add one minute to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMinutes(int $value = 1)                                                                  Sub minutes (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMinute()                                                                                 Sub one minute to the instance (using timestamp).
+ * @method        CarbonPeriod        minutesUntil($endDate = null, int $factor = 1)                                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each minute or every X minutes if a factor is given.
+ * @method        CarbonImmutable     addRealHours(int $value = 1)                                                                    Add hours (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealHour()                                                                                   Add one hour to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealHours(int $value = 1)                                                                    Sub hours (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealHour()                                                                                   Sub one hour to the instance (using timestamp).
+ * @method        CarbonPeriod        hoursUntil($endDate = null, int $factor = 1)                                                    Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each hour or every X hours if a factor is given.
+ * @method        CarbonImmutable     addRealDays(int $value = 1)                                                                     Add days (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealDay()                                                                                    Add one day to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealDays(int $value = 1)                                                                     Sub days (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealDay()                                                                                    Sub one day to the instance (using timestamp).
+ * @method        CarbonPeriod        daysUntil($endDate = null, int $factor = 1)                                                     Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each day or every X days if a factor is given.
+ * @method        CarbonImmutable     addRealWeeks(int $value = 1)                                                                    Add weeks (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealWeek()                                                                                   Add one week to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealWeeks(int $value = 1)                                                                    Sub weeks (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealWeek()                                                                                   Sub one week to the instance (using timestamp).
+ * @method        CarbonPeriod        weeksUntil($endDate = null, int $factor = 1)                                                    Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each week or every X weeks if a factor is given.
+ * @method        CarbonImmutable     addRealMonths(int $value = 1)                                                                   Add months (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMonth()                                                                                  Add one month to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMonths(int $value = 1)                                                                   Sub months (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMonth()                                                                                  Sub one month to the instance (using timestamp).
+ * @method        CarbonPeriod        monthsUntil($endDate = null, int $factor = 1)                                                   Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each month or every X months if a factor is given.
+ * @method        CarbonImmutable     addRealQuarters(int $value = 1)                                                                 Add quarters (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealQuarter()                                                                                Add one quarter to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealQuarters(int $value = 1)                                                                 Sub quarters (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealQuarter()                                                                                Sub one quarter to the instance (using timestamp).
+ * @method        CarbonPeriod        quartersUntil($endDate = null, int $factor = 1)                                                 Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each quarter or every X quarters if a factor is given.
+ * @method        CarbonImmutable     addRealYears(int $value = 1)                                                                    Add years (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealYear()                                                                                   Add one year to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealYears(int $value = 1)                                                                    Sub years (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealYear()                                                                                   Sub one year to the instance (using timestamp).
+ * @method        CarbonPeriod        yearsUntil($endDate = null, int $factor = 1)                                                    Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each year or every X years if a factor is given.
+ * @method        CarbonImmutable     addRealDecades(int $value = 1)                                                                  Add decades (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealDecade()                                                                                 Add one decade to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealDecades(int $value = 1)                                                                  Sub decades (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealDecade()                                                                                 Sub one decade to the instance (using timestamp).
+ * @method        CarbonPeriod        decadesUntil($endDate = null, int $factor = 1)                                                  Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each decade or every X decades if a factor is given.
+ * @method        CarbonImmutable     addRealCenturies(int $value = 1)                                                                Add centuries (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealCentury()                                                                                Add one century to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealCenturies(int $value = 1)                                                                Sub centuries (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealCentury()                                                                                Sub one century to the instance (using timestamp).
+ * @method        CarbonPeriod        centuriesUntil($endDate = null, int $factor = 1)                                                Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each century or every X centuries if a factor is given.
+ * @method        CarbonImmutable     addRealMillennia(int $value = 1)                                                                Add millennia (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     addRealMillennium()                                                                             Add one millennium to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMillennia(int $value = 1)                                                                Sub millennia (the $value count passed in) to the instance (using timestamp).
+ * @method        CarbonImmutable     subRealMillennium()                                                                             Sub one millennium to the instance (using timestamp).
+ * @method        CarbonPeriod        millenniaUntil($endDate = null, int $factor = 1)                                                Return an iterable period from current date to given end (string, DateTime or Carbon instance) for each millennium or every X millennia if a factor is given.
+ * @method        CarbonImmutable     roundYear(float $precision = 1, string $function = "round")                                     Round the current instance year with given precision using the given function.
+ * @method        CarbonImmutable     roundYears(float $precision = 1, string $function = "round")                                    Round the current instance year with given precision using the given function.
+ * @method        CarbonImmutable     floorYear(float $precision = 1)                                                                 Truncate the current instance year with given precision.
+ * @method        CarbonImmutable     floorYears(float $precision = 1)                                                                Truncate the current instance year with given precision.
+ * @method        CarbonImmutable     ceilYear(float $precision = 1)                                                                  Ceil the current instance year with given precision.
+ * @method        CarbonImmutable     ceilYears(float $precision = 1)                                                                 Ceil the current instance year with given precision.
+ * @method        CarbonImmutable     roundMonth(float $precision = 1, string $function = "round")                                    Round the current instance month with given precision using the given function.
+ * @method        CarbonImmutable     roundMonths(float $precision = 1, string $function = "round")                                   Round the current instance month with given precision using the given function.
+ * @method        CarbonImmutable     floorMonth(float $precision = 1)                                                                Truncate the current instance month with given precision.
+ * @method        CarbonImmutable     floorMonths(float $precision = 1)                                                               Truncate the current instance month with given precision.
+ * @method        CarbonImmutable     ceilMonth(float $precision = 1)                                                                 Ceil the current instance month with given precision.
+ * @method        CarbonImmutable     ceilMonths(float $precision = 1)                                                                Ceil the current instance month with given precision.
+ * @method        CarbonImmutable     roundDay(float $precision = 1, string $function = "round")                                      Round the current instance day with given precision using the given function.
+ * @method        CarbonImmutable     roundDays(float $precision = 1, string $function = "round")                                     Round the current instance day with given precision using the given function.
+ * @method        CarbonImmutable     floorDay(float $precision = 1)                                                                  Truncate the current instance day with given precision.
+ * @method        CarbonImmutable     floorDays(float $precision = 1)                                                                 Truncate the current instance day with given precision.
+ * @method        CarbonImmutable     ceilDay(float $precision = 1)                                                                   Ceil the current instance day with given precision.
+ * @method        CarbonImmutable     ceilDays(float $precision = 1)                                                                  Ceil the current instance day with given precision.
+ * @method        CarbonImmutable     roundHour(float $precision = 1, string $function = "round")                                     Round the current instance hour with given precision using the given function.
+ * @method        CarbonImmutable     roundHours(float $precision = 1, string $function = "round")                                    Round the current instance hour with given precision using the given function.
+ * @method        CarbonImmutable     floorHour(float $precision = 1)                                                                 Truncate the current instance hour with given precision.
+ * @method        CarbonImmutable     floorHours(float $precision = 1)                                                                Truncate the current instance hour with given precision.
+ * @method        CarbonImmutable     ceilHour(float $precision = 1)                                                                  Ceil the current instance hour with given precision.
+ * @method        CarbonImmutable     ceilHours(float $precision = 1)                                                                 Ceil the current instance hour with given precision.
+ * @method        CarbonImmutable     roundMinute(float $precision = 1, string $function = "round")                                   Round the current instance minute with given precision using the given function.
+ * @method        CarbonImmutable     roundMinutes(float $precision = 1, string $function = "round")                                  Round the current instance minute with given precision using the given function.
+ * @method        CarbonImmutable     floorMinute(float $precision = 1)                                                               Truncate the current instance minute with given precision.
+ * @method        CarbonImmutable     floorMinutes(float $precision = 1)                                                              Truncate the current instance minute with given precision.
+ * @method        CarbonImmutable     ceilMinute(float $precision = 1)                                                                Ceil the current instance minute with given precision.
+ * @method        CarbonImmutable     ceilMinutes(float $precision = 1)                                                               Ceil the current instance minute with given precision.
+ * @method        CarbonImmutable     roundSecond(float $precision = 1, string $function = "round")                                   Round the current instance second with given precision using the given function.
+ * @method        CarbonImmutable     roundSeconds(float $precision = 1, string $function = "round")                                  Round the current instance second with given precision using the given function.
+ * @method        CarbonImmutable     floorSecond(float $precision = 1)                                                               Truncate the current instance second with given precision.
+ * @method        CarbonImmutable     floorSeconds(float $precision = 1)                                                              Truncate the current instance second with given precision.
+ * @method        CarbonImmutable     ceilSecond(float $precision = 1)                                                                Ceil the current instance second with given precision.
+ * @method        CarbonImmutable     ceilSeconds(float $precision = 1)                                                               Ceil the current instance second with given precision.
+ * @method        CarbonImmutable     roundMillennium(float $precision = 1, string $function = "round")                               Round the current instance millennium with given precision using the given function.
+ * @method        CarbonImmutable     roundMillennia(float $precision = 1, string $function = "round")                                Round the current instance millennium with given precision using the given function.
+ * @method        CarbonImmutable     floorMillennium(float $precision = 1)                                                           Truncate the current instance millennium with given precision.
+ * @method        CarbonImmutable     floorMillennia(float $precision = 1)                                                            Truncate the current instance millennium with given precision.
+ * @method        CarbonImmutable     ceilMillennium(float $precision = 1)                                                            Ceil the current instance millennium with given precision.
+ * @method        CarbonImmutable     ceilMillennia(float $precision = 1)                                                             Ceil the current instance millennium with given precision.
+ * @method        CarbonImmutable     roundCentury(float $precision = 1, string $function = "round")                                  Round the current instance century with given precision using the given function.
+ * @method        CarbonImmutable     roundCenturies(float $precision = 1, string $function = "round")                                Round the current instance century with given precision using the given function.
+ * @method        CarbonImmutable     floorCentury(float $precision = 1)                                                              Truncate the current instance century with given precision.
+ * @method        CarbonImmutable     floorCenturies(float $precision = 1)                                                            Truncate the current instance century with given precision.
+ * @method        CarbonImmutable     ceilCentury(float $precision = 1)                                                               Ceil the current instance century with given precision.
+ * @method        CarbonImmutable     ceilCenturies(float $precision = 1)                                                             Ceil the current instance century with given precision.
+ * @method        CarbonImmutable     roundDecade(float $precision = 1, string $function = "round")                                   Round the current instance decade with given precision using the given function.
+ * @method        CarbonImmutable     roundDecades(float $precision = 1, string $function = "round")                                  Round the current instance decade with given precision using the given function.
+ * @method        CarbonImmutable     floorDecade(float $precision = 1)                                                               Truncate the current instance decade with given precision.
+ * @method        CarbonImmutable     floorDecades(float $precision = 1)                                                              Truncate the current instance decade with given precision.
+ * @method        CarbonImmutable     ceilDecade(float $precision = 1)                                                                Ceil the current instance decade with given precision.
+ * @method        CarbonImmutable     ceilDecades(float $precision = 1)                                                               Ceil the current instance decade with given precision.
+ * @method        CarbonImmutable     roundQuarter(float $precision = 1, string $function = "round")                                  Round the current instance quarter with given precision using the given function.
+ * @method        CarbonImmutable     roundQuarters(float $precision = 1, string $function = "round")                                 Round the current instance quarter with given precision using the given function.
+ * @method        CarbonImmutable     floorQuarter(float $precision = 1)                                                              Truncate the current instance quarter with given precision.
+ * @method        CarbonImmutable     floorQuarters(float $precision = 1)                                                             Truncate the current instance quarter with given precision.
+ * @method        CarbonImmutable     ceilQuarter(float $precision = 1)                                                               Ceil the current instance quarter with given precision.
+ * @method        CarbonImmutable     ceilQuarters(float $precision = 1)                                                              Ceil the current instance quarter with given precision.
+ * @method        CarbonImmutable     roundMillisecond(float $precision = 1, string $function = "round")                              Round the current instance millisecond with given precision using the given function.
+ * @method        CarbonImmutable     roundMilliseconds(float $precision = 1, string $function = "round")                             Round the current instance millisecond with given precision using the given function.
+ * @method        CarbonImmutable     floorMillisecond(float $precision = 1)                                                          Truncate the current instance millisecond with given precision.
+ * @method        CarbonImmutable     floorMilliseconds(float $precision = 1)                                                         Truncate the current instance millisecond with given precision.
+ * @method        CarbonImmutable     ceilMillisecond(float $precision = 1)                                                           Ceil the current instance millisecond with given precision.
+ * @method        CarbonImmutable     ceilMilliseconds(float $precision = 1)                                                          Ceil the current instance millisecond with given precision.
+ * @method        CarbonImmutable     roundMicrosecond(float $precision = 1, string $function = "round")                              Round the current instance microsecond with given precision using the given function.
+ * @method        CarbonImmutable     roundMicroseconds(float $precision = 1, string $function = "round")                             Round the current instance microsecond with given precision using the given function.
+ * @method        CarbonImmutable     floorMicrosecond(float $precision = 1)                                                          Truncate the current instance microsecond with given precision.
+ * @method        CarbonImmutable     floorMicroseconds(float $precision = 1)                                                         Truncate the current instance microsecond with given precision.
+ * @method        CarbonImmutable     ceilMicrosecond(float $precision = 1)                                                           Ceil the current instance microsecond with given precision.
+ * @method        CarbonImmutable     ceilMicroseconds(float $precision = 1)                                                          Ceil the current instance microsecond with given precision.
+ * @method        string              shortAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                     Get the difference (short format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longAbsoluteDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                      Get the difference (long format, 'Absolute' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              shortRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                     Get the difference (short format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longRelativeDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                      Get the difference (long format, 'Relative' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              shortRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                Get the difference (short format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longRelativeToNowDiffForHumans(DateTimeInterface $other = null, int $parts = 1)                 Get the difference (long format, 'RelativeToNow' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              shortRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)              Get the difference (short format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        string              longRelativeToOtherDiffForHumans(DateTimeInterface $other = null, int $parts = 1)               Get the difference (long format, 'RelativeToOther' mode) in a human readable format in the current locale. ($other and $parts parameters can be swapped.)
+ * @method        static static|false createFromFormat(string $format, string $time, DateTimeZone|string|false|null $timezone = null) Parse a string into a new CarbonImmutable object according to the specified format.
+ * @method        static static       __set_state(array $array)                                                                       https://php.net/manual/en/datetime.set-state.php
  *
  * </autodoc>
  */
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterface.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterface.php
index 15e2061c7..b90e29817 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterface.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterface.php
@@ -586,6 +586,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
     public const YEARS_PER_DECADE = 10;
     public const MONTHS_PER_YEAR = 12;
     public const MONTHS_PER_QUARTER = 3;
+    public const QUARTERS_PER_YEAR = 4;
     public const WEEKS_PER_YEAR = 52;
     public const WEEKS_PER_MONTH = 4;
     public const DAYS_PER_YEAR = 365;
@@ -726,6 +727,8 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
     /**
      * Returns the list of properties to dump on serialize() called on.
      *
+     * Only used by PHP < 7.4.
+     *
      * @return array
      */
     public function __sleep();
@@ -735,7 +738,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * @example
      * ```
-     * echo Carbon::now(); // Carbon instances can be casted to string
+     * echo Carbon::now(); // Carbon instances can be cast to string
      * ```
      *
      * @return string
@@ -987,7 +990,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * @param string $modifier
      *
-     * @return static
+     * @return static|false
      */
     public function change($modifier);
 
@@ -1038,13 +1041,13 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      * If $hour is not null then the default values for $minute and $second
      * will be 0.
      *
-     * @param int|null                 $year
-     * @param int|null                 $month
-     * @param int|null                 $day
-     * @param int|null                 $hour
-     * @param int|null                 $minute
-     * @param int|null                 $second
-     * @param DateTimeZone|string|null $tz
+     * @param DateTimeInterface|int|null $year
+     * @param int|null                   $month
+     * @param int|null                   $day
+     * @param int|null                   $hour
+     * @param int|null                   $minute
+     * @param int|null                   $second
+     * @param DateTimeZone|string|null   $tz
      *
      * @throws InvalidFormatException
      *
@@ -1276,7 +1279,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * @return CarbonInterval
      */
-    public function diffAsCarbonInterval($date = null, $absolute = true);
+    public function diffAsCarbonInterval($date = null, $absolute = true, array $skip = []);
 
     /**
      * Get the difference by the given interval using a filter closure.
@@ -2116,6 +2119,18 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      */
     public static function getDays();
 
+    /**
+     * Return the number of days since the start of the week (using the current locale or the first parameter
+     * if explicitly given).
+     *
+     * @param int|null $weekStartsAt optional start allow you to specify the day of week to use to start the week,
+     *                               if not provided, start of week is inferred from the locale
+     *                               (Sunday for en_US, Monday for de_DE, etc.)
+     *
+     * @return int
+     */
+    public function getDaysFromStartOfWeek(?int $weekStartsAt = null): int;
+
     /**
      * Get the fallback locale.
      *
@@ -2738,12 +2753,35 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
     public function isLeapYear();
 
     /**
-     * Determines if the instance is a long year
+     * Determines if the instance is a long year (using ISO 8601 year).
      *
      * @example
      * ```
-     * Carbon::parse('2015-01-01')->isLongYear(); // true
-     * Carbon::parse('2016-01-01')->isLongYear(); // false
+     * Carbon::parse('2015-01-01')->isLongIsoYear(); // true
+     * Carbon::parse('2016-01-01')->isLongIsoYear(); // true
+     * Carbon::parse('2016-01-03')->isLongIsoYear(); // false
+     * Carbon::parse('2019-12-29')->isLongIsoYear(); // false
+     * Carbon::parse('2019-12-30')->isLongIsoYear(); // true
+     * ```
+     *
+     * @see https://en.wikipedia.org/wiki/ISO_8601#Week_dates
+     *
+     * @return bool
+     */
+    public function isLongIsoYear();
+
+    /**
+     * Determines if the instance is a long year (using calendar year).
+     *
+     * ⚠️ This method completely ignores month and day to use the numeric year number,
+     * it's not correct if the exact date matters. For instance as `2019-12-30` is already
+     * in the first week of the 2020 year, if you want to know from this date if ISO week
+     * year 2020 is a long year, use `isLongIsoYear` instead.
+     *
+     * @example
+     * ```
+     * Carbon::create(2015)->isLongYear(); // true
+     * Carbon::create(2016)->isLongYear(); // false
      * ```
      *
      * @see https://en.wikipedia.org/wiki/ISO_8601#Week_dates
@@ -3382,7 +3420,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * @param string|int|null $modifier
      *
-     * @return static
+     * @return static|false
      */
     public function next($modifier = null);
 
@@ -3528,7 +3566,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * @param string|int|null $modifier
      *
-     * @return static
+     * @return static|false
      */
     public function previous($modifier = null);
 
@@ -3773,6 +3811,19 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      */
     public function setDateTimeFrom($date = null);
 
+    /**
+     * Set the day (keeping the current time) to the start of the week + the number of days passed as the first
+     * parameter. First day of week is driven by the locale unless explicitly set with the second parameter.
+     *
+     * @param int      $numberOfDays number of days to add after the start of the current week
+     * @param int|null $weekStartsAt optional start allow you to specify the day of week to use to start the week,
+     *                               if not provided, start of week is inferred from the locale
+     *                               (Sunday for en_US, Monday for de_DE, etc.)
+     *
+     * @return static
+     */
+    public function setDaysFromStartOfWeek(int $numberOfDays, ?int $weekStartsAt = null);
+
     /**
      * Set the fallback locale.
      *
@@ -3860,7 +3911,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * /!\ Use this method for unit tests only.
      *
-     * @param Closure|static|string|false|null $testNow real or mock Carbon instance
+     * @param DateTimeInterface|Closure|static|string|false|null $testNow real or mock Carbon instance
      */
     public static function setTestNow($testNow = null);
 
@@ -3881,7 +3932,7 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * /!\ Use this method for unit tests only.
      *
-     * @param Closure|static|string|false|null $testNow real or mock Carbon instance
+     * @param DateTimeInterface|Closure|static|string|false|null $testNow real or mock Carbon instance
      */
     public static function setTestNowAndTimezone($testNow = null, $tz = null);
 
@@ -3942,11 +3993,11 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
 
     /**
      * @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
-     *             You should rather let Carbon object being casted to string with DEFAULT_TO_STRING_FORMAT, and
-     *             use other method or custom format passed to format() method if you need to dump an other string
+     *             You should rather let Carbon object being cast to string with DEFAULT_TO_STRING_FORMAT, and
+     *             use other method or custom format passed to format() method if you need to dump another string
      *             format.
      *
-     * Set the default format used when type juggling a Carbon instance to a string
+     * Set the default format used when type juggling a Carbon instance to a string.
      *
      * @param string|Closure|null $format
      *
@@ -4537,6 +4588,18 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      */
     public function toFormattedDateString();
 
+    /**
+     * Format the instance with the day, and a readable date
+     *
+     * @example
+     * ```
+     * echo Carbon::now()->toFormattedDayDateString();
+     * ```
+     *
+     * @return string
+     */
+    public function toFormattedDayDateString(): string;
+
     /**
      * Return the ISO-8601 string (ex: 1977-04-22T06:00:00Z, if $keepOffset truthy, offset will be kept:
      * 1977-04-22T01:00:00-05:00).
@@ -5057,12 +5120,14 @@ interface CarbonInterface extends DateTimeInterface, JsonSerializable
      *
      * /!\ Use this method for unit tests only.
      *
-     * @param Closure|static|string|false|null $testNow  real or mock Carbon instance
-     * @param Closure|null                     $callback
+     * @template T
      *
-     * @return mixed
+     * @param DateTimeInterface|Closure|static|string|false|null $testNow  real or mock Carbon instance
+     * @param Closure(): T                                       $callback
+     *
+     * @return T
      */
-    public static function withTestNow($testNow = null, $callback = null);
+    public static function withTestNow($testNow, $callback);
 
     /**
      * Create a Carbon instance for yesterday.
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterval.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterval.php
index d465beac7..8437c545e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterval.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonInterval.php
@@ -15,6 +15,7 @@ use Carbon\Exceptions\BadFluentConstructorException;
 use Carbon\Exceptions\BadFluentSetterException;
 use Carbon\Exceptions\InvalidCastException;
 use Carbon\Exceptions\InvalidIntervalException;
+use Carbon\Exceptions\OutOfRangeException;
 use Carbon\Exceptions\ParseErrorException;
 use Carbon\Exceptions\UnitNotConfiguredException;
 use Carbon\Exceptions\UnknownGetterException;
@@ -22,15 +23,20 @@ use Carbon\Exceptions\UnknownSetterException;
 use Carbon\Exceptions\UnknownUnitException;
 use Carbon\Traits\IntervalRounding;
 use Carbon\Traits\IntervalStep;
+use Carbon\Traits\MagicParameter;
 use Carbon\Traits\Mixin;
 use Carbon\Traits\Options;
+use Carbon\Traits\ToStringFormat;
 use Closure;
 use DateInterval;
+use DateMalformedIntervalStringException;
 use DateTimeInterface;
 use DateTimeZone;
 use Exception;
+use InvalidArgumentException;
 use ReflectionException;
 use ReturnTypeWillChange;
+use RuntimeException;
 use Throwable;
 
 /**
@@ -46,7 +52,7 @@ use Throwable;
  * @property int $minutes Total minutes of the current interval.
  * @property int $seconds Total seconds of the current interval.
  * @property int $microseconds Total microseconds of the current interval.
- * @property int $milliseconds Total microseconds of the current interval.
+ * @property int $milliseconds Total milliseconds of the current interval.
  * @property int $microExcludeMilli Remaining microseconds without the milliseconds.
  * @property int $dayzExcludeWeeks Total days remaining in the final week of the current instance (days % 7).
  * @property int $daysExcludeWeeks alias of dayzExcludeWeeks
@@ -184,10 +190,12 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
 {
     use IntervalRounding;
     use IntervalStep;
+    use MagicParameter;
     use Mixin {
         Mixin::mixin as baseMixin;
     }
     use Options;
+    use ToStringFormat;
 
     /**
      * Interval spec period designators
@@ -241,6 +249,11 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      */
     private static $flipCascadeFactors;
 
+    /**
+     * @var bool
+     */
+    private static $floatSettersEnabled = false;
+
     /**
      * The registered macros.
      *
@@ -294,7 +307,12 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      */
     public static function getCascadeFactors()
     {
-        return static::$cascadeFactors ?: [
+        return static::$cascadeFactors ?: static::getDefaultCascadeFactors();
+    }
+
+    protected static function getDefaultCascadeFactors(): array
+    {
+        return [
             'milliseconds' => [Carbon::MICROSECONDS_PER_MILLISECOND, 'microseconds'],
             'seconds' => [Carbon::MILLISECONDS_PER_SECOND, 'milliseconds'],
             'minutes' => [Carbon::SECONDS_PER_MINUTE, 'seconds'],
@@ -337,6 +355,19 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         static::$cascadeFactors = $cascadeFactors;
     }
 
+    /**
+     * This option allow you to opt-in for the Carbon 3 behavior where float
+     * values will no longer be cast to integer (so truncated).
+     *
+     * ⚠️ This settings will be applied globally, which mean your whole application
+     * code including the third-party dependencies that also may use Carbon will
+     * adopt the new behavior.
+     */
+    public static function enableFloatSetters(bool $floatSettersEnabled = true): void
+    {
+        self::$floatSettersEnabled = $floatSettersEnabled;
+    }
+
     ///////////////////////////////////////////////////////////////////
     //////////////////////////// CONSTRUCTORS /////////////////////////
     ///////////////////////////////////////////////////////////////////
@@ -344,14 +375,14 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Create a new CarbonInterval instance.
      *
-     * @param int|null $years
-     * @param int|null $months
-     * @param int|null $weeks
-     * @param int|null $days
-     * @param int|null $hours
-     * @param int|null $minutes
-     * @param int|null $seconds
-     * @param int|null $microseconds
+     * @param Closure|DateInterval|string|int|null $years
+     * @param int|float|null                       $months
+     * @param int|float|null                       $weeks
+     * @param int|float|null                       $days
+     * @param int|float|null                       $hours
+     * @param int|float|null                       $minutes
+     * @param int|float|null                       $seconds
+     * @param int|float|null                       $microseconds
      *
      * @throws Exception when the interval_spec (passed as $years) cannot be parsed as an interval.
      */
@@ -371,8 +402,9 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         }
 
         $spec = $years;
+        $isStringSpec = (\is_string($spec) && !preg_match('/^[\d.]/', $spec));
 
-        if (!\is_string($spec) || (float) $years || preg_match('/^[0-9.]/', $years)) {
+        if (!$isStringSpec || (float) $years) {
             $spec = static::PERIOD_PREFIX;
 
             $spec .= $years > 0 ? $years.static::PERIOD_YEARS : '';
@@ -397,7 +429,74 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             }
         }
 
-        parent::__construct($spec);
+        try {
+            parent::__construct($spec);
+        } catch (Throwable $exception) {
+            try {
+                parent::__construct('PT0S');
+
+                if ($isStringSpec) {
+                    if (!preg_match('/^P
+                        (?:(?<year>[+-]?\d*(?:\.\d+)?)Y)?
+                        (?:(?<month>[+-]?\d*(?:\.\d+)?)M)?
+                        (?:(?<week>[+-]?\d*(?:\.\d+)?)W)?
+                        (?:(?<day>[+-]?\d*(?:\.\d+)?)D)?
+                        (?:T
+                            (?:(?<hour>[+-]?\d*(?:\.\d+)?)H)?
+                            (?:(?<minute>[+-]?\d*(?:\.\d+)?)M)?
+                            (?:(?<second>[+-]?\d*(?:\.\d+)?)S)?
+                        )?
+                    $/x', $spec, $match)) {
+                        throw new InvalidArgumentException("Invalid duration: $spec");
+                    }
+
+                    $years = (float) ($match['year'] ?? 0);
+                    $this->assertSafeForInteger('year', $years);
+                    $months = (float) ($match['month'] ?? 0);
+                    $this->assertSafeForInteger('month', $months);
+                    $weeks = (float) ($match['week'] ?? 0);
+                    $this->assertSafeForInteger('week', $weeks);
+                    $days = (float) ($match['day'] ?? 0);
+                    $this->assertSafeForInteger('day', $days);
+                    $hours = (float) ($match['hour'] ?? 0);
+                    $this->assertSafeForInteger('hour', $hours);
+                    $minutes = (float) ($match['minute'] ?? 0);
+                    $this->assertSafeForInteger('minute', $minutes);
+                    $seconds = (float) ($match['second'] ?? 0);
+                    $this->assertSafeForInteger('second', $seconds);
+                }
+
+                $totalDays = (($weeks * static::getDaysPerWeek()) + $days);
+                $this->assertSafeForInteger('days total (including weeks)', $totalDays);
+
+                $this->y = (int) $years;
+                $this->m = (int) $months;
+                $this->d = (int) $totalDays;
+                $this->h = (int) $hours;
+                $this->i = (int) $minutes;
+                $this->s = (int) $seconds;
+
+                if (
+                    ((float) $this->y) !== $years ||
+                    ((float) $this->m) !== $months ||
+                    ((float) $this->d) !== $totalDays ||
+                    ((float) $this->h) !== $hours ||
+                    ((float) $this->i) !== $minutes ||
+                    ((float) $this->s) !== $seconds
+                ) {
+                    $this->add(static::fromString(
+                        ($years - $this->y).' years '.
+                        ($months - $this->m).' months '.
+                        ($totalDays - $this->d).' days '.
+                        ($hours - $this->h).' hours '.
+                        ($minutes - $this->i).' minutes '.
+                        ($seconds - $this->s).' seconds '
+                    ));
+                }
+            } catch (Throwable $secondException) {
+                throw $secondException instanceof OutOfRangeException ? $secondException : $exception;
+            }
+        }
 
         if ($microseconds !== null) {
             $this->f = $microseconds / Carbon::MICROSECONDS_PER_SECOND;
@@ -410,7 +509,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      * @param string $source
      * @param string $target
      *
-     * @return int|null
+     * @return int|float|null
      */
     public static function getFactor($source, $target)
     {
@@ -438,7 +537,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      * @param string $source
      * @param string $target
      *
-     * @return int|null
+     * @return int|float|null
      */
     public static function getFactorWithDefault($source, $target)
     {
@@ -465,7 +564,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Returns current config for days per week.
      *
-     * @return int
+     * @return int|float
      */
     public static function getDaysPerWeek()
     {
@@ -475,7 +574,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Returns current config for hours per day.
      *
-     * @return int
+     * @return int|float
      */
     public static function getHoursPerDay()
     {
@@ -485,7 +584,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Returns current config for minutes per hour.
      *
-     * @return int
+     * @return int|float
      */
     public static function getMinutesPerHour()
     {
@@ -495,7 +594,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Returns current config for seconds per minute.
      *
-     * @return int
+     * @return int|float
      */
     public static function getSecondsPerMinute()
     {
@@ -505,7 +604,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Returns current config for microseconds per second.
      *
-     * @return int
+     * @return int|float
      */
     public static function getMillisecondsPerSecond()
     {
@@ -515,7 +614,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Returns current config for microseconds per second.
      *
-     * @return int
+     * @return int|float
      */
     public static function getMicrosecondsPerMillisecond()
     {
@@ -673,6 +772,23 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         }
     }
 
+    /**
+     * Evaluate the PHP generated by var_export() and recreate the exported CarbonInterval instance.
+     *
+     * @param array $dump data as exported by var_export()
+     *
+     * @return static
+     */
+    #[ReturnTypeWillChange]
+    public static function __set_state($dump)
+    {
+        /** @noinspection PhpVoidFunctionResultUsedInspection */
+        /** @var DateInterval $dateInterval */
+        $dateInterval = parent::__set_state($dump);
+
+        return static::instance($dateInterval);
+    }
+
     /**
      * Return the current context from inside a macro callee or a new one if static.
      *
@@ -767,6 +883,8 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
                 case 'year':
                 case 'years':
                 case 'y':
+                case 'yr':
+                case 'yrs':
                     $years += $intValue;
 
                     break;
@@ -780,6 +898,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
                 case 'month':
                 case 'months':
                 case 'mo':
+                case 'mos':
                     $months += $intValue;
 
                     break;
@@ -882,7 +1001,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         return static::fromString(Carbon::translateTimeString($interval, $locale ?: static::getLocale(), 'en'));
     }
 
-    private static function castIntervalToClass(DateInterval $interval, string $className)
+    private static function castIntervalToClass(DateInterval $interval, string $className, array $skip = [])
     {
         $mainClass = DateInterval::class;
 
@@ -891,7 +1010,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         }
 
         $microseconds = $interval->f;
-        $instance = new $className(static::getDateIntervalSpec($interval));
+        $instance = new $className(static::getDateIntervalSpec($interval, false, $skip));
 
         if ($microseconds) {
             $instance->f = $microseconds;
@@ -940,12 +1059,19 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      * set the $days field.
      *
      * @param DateInterval $interval
+     * @param bool         $skipCopy set to true to return the passed object
+     *                               (without copying it) if it's already of the
+     *                               current class
      *
      * @return static
      */
-    public static function instance(DateInterval $interval)
+    public static function instance(DateInterval $interval, array $skip = [], bool $skipCopy = false)
     {
-        return self::castIntervalToClass($interval, static::class);
+        if ($skipCopy && $interval instanceof static) {
+            return $interval;
+        }
+
+        return self::castIntervalToClass($interval, static::class, $skip);
     }
 
     /**
@@ -956,17 +1082,20 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      *
      * @param mixed|int|DateInterval|string|Closure|null $interval interval or number of the given $unit
      * @param string|null                                $unit     if specified, $interval must be an integer
+     * @param bool                                       $skipCopy set to true to return the passed object
+     *                                                             (without copying it) if it's already of the
+     *                                                             current class
      *
      * @return static|null
      */
-    public static function make($interval, $unit = null)
+    public static function make($interval, $unit = null, bool $skipCopy = false)
     {
         if ($unit) {
             $interval = "$interval ".Carbon::pluralUnit($unit);
         }
 
         if ($interval instanceof DateInterval) {
-            return static::instance($interval);
+            return static::instance($interval, [], $skipCopy);
         }
 
         if ($interval instanceof Closure) {
@@ -984,7 +1113,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     {
         $interval = preg_replace('/\s+/', ' ', trim($interval));
 
-        if (preg_match('/^P[T0-9]/', $interval)) {
+        if (preg_match('/^P[T\d]/', $interval)) {
             return new static($interval);
         }
 
@@ -992,8 +1121,14 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             return static::fromString($interval);
         }
 
-        /** @var static $interval */
-        $interval = static::createFromDateString($interval);
+        // @codeCoverageIgnoreStart
+        try {
+            /** @var static $interval */
+            $interval = static::createFromDateString($interval);
+        } catch (DateMalformedIntervalStringException $e) {
+            return null;
+        }
+        // @codeCoverageIgnoreEnd
 
         return !$interval || $interval->isEmpty() ? null : $interval;
     }
@@ -1081,11 +1216,11 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
                 return (int) round($this->f * Carbon::MICROSECONDS_PER_SECOND) % Carbon::MICROSECONDS_PER_MILLISECOND;
 
             case 'weeks':
-                return (int) ($this->d / static::getDaysPerWeek());
+                return (int) ($this->d / (int) static::getDaysPerWeek());
 
             case 'daysExcludeWeeks':
             case 'dayzExcludeWeeks':
-                return $this->d % static::getDaysPerWeek();
+                return $this->d % (int) static::getDaysPerWeek();
 
             case 'locale':
                 return $this->getTranslatorLocale();
@@ -1126,43 +1261,63 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         foreach ($properties as $key => $value) {
             switch (Carbon::singularUnit(rtrim($key, 'z'))) {
                 case 'year':
+                    $this->checkIntegerValue($key, $value);
                     $this->y = $value;
+                    $this->handleDecimalPart('year', $value, $this->y);
 
                     break;
 
                 case 'month':
+                    $this->checkIntegerValue($key, $value);
                     $this->m = $value;
+                    $this->handleDecimalPart('month', $value, $this->m);
 
                     break;
 
                 case 'week':
-                    $this->d = $value * static::getDaysPerWeek();
+                    $this->checkIntegerValue($key, $value);
+                    $days = $value * (int) static::getDaysPerWeek();
+                    $this->assertSafeForInteger('days total (including weeks)', $days);
+                    $this->d = $days;
+                    $this->handleDecimalPart('day', $days, $this->d);
 
                     break;
 
                 case 'day':
+                    $this->checkIntegerValue($key, $value);
                     $this->d = $value;
+                    $this->handleDecimalPart('day', $value, $this->d);
 
                     break;
 
                 case 'daysexcludeweek':
                 case 'dayzexcludeweek':
-                    $this->d = $this->weeks * static::getDaysPerWeek() + $value;
+                    $this->checkIntegerValue($key, $value);
+                    $days = $this->weeks * (int) static::getDaysPerWeek() + $value;
+                    $this->assertSafeForInteger('days total (including weeks)', $days);
+                    $this->d = $days;
+                    $this->handleDecimalPart('day', $days, $this->d);
 
                     break;
 
                 case 'hour':
+                    $this->checkIntegerValue($key, $value);
                     $this->h = $value;
+                    $this->handleDecimalPart('hour', $value, $this->h);
 
                     break;
 
                 case 'minute':
+                    $this->checkIntegerValue($key, $value);
                     $this->i = $value;
+                    $this->handleDecimalPart('minute', $value, $this->i);
 
                     break;
 
                 case 'second':
+                    $this->checkIntegerValue($key, $value);
                     $this->s = $value;
+                    $this->handleDecimalPart('second', $value, $this->s);
 
                     break;
 
@@ -1355,11 +1510,15 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         }
 
         if (preg_match('/^(?<method>add|sub)(?<unit>[A-Z].*)$/', $method, $match)) {
-            return $this->{$match['method']}($parameters[0], $match['unit']);
+            $value = $this->getMagicParameter($parameters, 0, Carbon::pluralUnit($match['unit']), 0);
+
+            return $this->{$match['method']}($value, $match['unit']);
         }
 
+        $value = $this->getMagicParameter($parameters, 0, Carbon::pluralUnit($method), 1);
+
         try {
-            $this->set($method, \count($parameters) === 0 ? 1 : $parameters[0]);
+            $this->set($method, $value);
         } catch (UnknownSetterException $exception) {
             if ($this->localStrictModeEnabled ?? Carbon::isStrictModeEnabled()) {
                 throw new BadFluentSetterException($method, 0, $exception);
@@ -1410,9 +1569,9 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         $minimumUnit = 's';
         $skip = [];
         extract($this->getForHumansInitialVariables($syntax, $short));
-        $skip = array_filter((array) $skip, static function ($value) {
+        $skip = array_map('strtolower', array_filter((array) $skip, static function ($value) {
             return \is_string($value) && $value !== '';
-        });
+        }));
 
         if ($syntax === null) {
             $syntax = CarbonInterface::DIFF_ABSOLUTE;
@@ -1435,11 +1594,9 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             ];
         }
 
-        if ($altNumbers) {
-            if ($altNumbers !== true) {
-                $language = new Language($this->locale);
-                $altNumbers = \in_array($language->getCode(), (array) $altNumbers);
-            }
+        if ($altNumbers && $altNumbers !== true) {
+            $language = new Language($this->locale);
+            $altNumbers = \in_array($language->getCode(), (array) $altNumbers, true);
         }
 
         if (\is_array($join)) {
@@ -1620,18 +1777,23 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         $unit = $short ? 's' : 'second';
         $isFuture = $this->invert === 1;
         $transId = $relativeToNow ? ($isFuture ? 'from_now' : 'ago') : ($isFuture ? 'after' : 'before');
+        $declensionMode = null;
 
         /** @var \Symfony\Component\Translation\Translator $translator */
         $translator = $this->getLocalTranslator();
 
-        $handleDeclensions = function ($unit, $count) use ($interpolations, $transId, $translator, $altNumbers, $absolute) {
+        $handleDeclensions = function ($unit, $count, $index = 0, $parts = 1) use ($interpolations, $transId, $translator, $altNumbers, $absolute, &$declensionMode) {
             if (!$absolute) {
-                // Some languages have special pluralization for past and future tense.
-                $key = $unit.'_'.$transId;
-                $result = $this->translate($key, $interpolations, $count, $translator, $altNumbers);
+                $declensionMode = $declensionMode ?? $this->translate($transId.'_mode');
 
-                if ($result !== $key) {
-                    return $result;
+                if ($this->needsDeclension($declensionMode, $index, $parts)) {
+                    // Some languages have special pluralization for past and future tense.
+                    $key = $unit.'_'.$transId;
+                    $result = $this->translate($key, $interpolations, $count, $translator, $altNumbers);
+
+                    if ($result !== $key) {
+                        return $result;
+                    }
                 }
             }
 
@@ -1696,17 +1858,17 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             }
         }
 
-        $transChoice = function ($short, $unitData) use ($absolute, $handleDeclensions, $translator, $aUnit, $altNumbers, $interpolations) {
+        $transChoice = function ($short, $unitData, $index, $parts) use ($absolute, $handleDeclensions, $translator, $aUnit, $altNumbers, $interpolations) {
             $count = $unitData['value'];
 
             if ($short) {
-                $result = $handleDeclensions($unitData['unitShort'], $count);
+                $result = $handleDeclensions($unitData['unitShort'], $count, $index, $parts);
 
                 if ($result !== null) {
                     return $result;
                 }
             } elseif ($aUnit) {
-                $result = $handleDeclensions('a_'.$unitData['unit'], $count);
+                $result = $handleDeclensions('a_'.$unitData['unit'], $count, $index, $parts);
 
                 if ($result !== null) {
                     return $result;
@@ -1714,7 +1876,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             }
 
             if (!$absolute) {
-                return $handleDeclensions($unitData['unit'], $count);
+                return $handleDeclensions($unitData['unit'], $count, $index, $parts);
             }
 
             return $this->translate($unitData['unit'], $interpolations, $count, $translator, $altNumbers);
@@ -1726,7 +1888,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             if ($diffIntervalData['value'] > 0) {
                 $unit = $short ? $diffIntervalData['unitShort'] : $diffIntervalData['unit'];
                 $count = $diffIntervalData['value'];
-                $interval[] = $transChoice($short, $diffIntervalData);
+                $interval[] = [$short, $diffIntervalData];
             } elseif ($options & CarbonInterface::SEQUENTIAL_PARTS_ONLY && \count($interval) > 0) {
                 break;
             }
@@ -1737,13 +1899,19 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             }
 
             // break the loop after we have reached the minimum unit
-            if (\in_array($minimumUnit, [$diffIntervalData['unit'], $diffIntervalData['unitShort']])) {
+            if (\in_array($minimumUnit, [$diffIntervalData['unit'], $diffIntervalData['unitShort']], true)) {
                 $fallbackUnit = [$diffIntervalData['unit'], $diffIntervalData['unitShort']];
 
                 break;
             }
         }
 
+        $actualParts = \count($interval);
+
+        foreach ($interval as $index => &$item) {
+            $item = $transChoice($item[0], $item[1], $index, $actualParts);
+        }
+
         if (\count($interval) === 0) {
             if ($relativeToNow && $options & CarbonInterface::JUST_NOW) {
                 $key = 'diff_now';
@@ -1812,17 +1980,17 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      */
     public function __toString()
     {
-        $format = $this->localToStringFormat;
+        $format = $this->localToStringFormat ?? static::$toStringFormat;
 
-        if ($format) {
-            if ($format instanceof Closure) {
-                return $format($this);
-            }
-
-            return $this->format($format);
+        if (!$format) {
+            return $this->forHumans();
         }
 
-        return $this->forHumans();
+        if ($format instanceof Closure) {
+            return $format($this);
+        }
+
+        return $this->format($format);
     }
 
     /**
@@ -1863,7 +2031,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     /**
      * Invert the interval.
      *
-     * @param bool|int $inverted if a parameter is passed, the passed value casted as 1 or 0 is used
+     * @param bool|int $inverted if a parameter is passed, the passed value cast as 1 or 0 is used
      *                           as the new value of the ->invert property.
      *
      * @return $this
@@ -2141,7 +2309,7 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      *
      * @return string
      */
-    public static function getDateIntervalSpec(DateInterval $interval)
+    public static function getDateIntervalSpec(DateInterval $interval, bool $microseconds = false, array $skip = [])
     {
         $date = array_filter([
             static::PERIOD_YEARS => abs($interval->y),
@@ -2149,10 +2317,25 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             static::PERIOD_DAYS => abs($interval->d),
         ]);
 
+        if (
+            $interval->days >= CarbonInterface::DAYS_PER_WEEK * CarbonInterface::WEEKS_PER_MONTH &&
+            (!isset($date[static::PERIOD_YEARS]) || \count(array_intersect(['y', 'year', 'years'], $skip))) &&
+            (!isset($date[static::PERIOD_MONTHS]) || \count(array_intersect(['m', 'month', 'months'], $skip)))
+        ) {
+            $date = [
+                static::PERIOD_DAYS => abs($interval->days),
+            ];
+        }
+
+        $seconds = abs($interval->s);
+        if ($microseconds && $interval->f > 0) {
+            $seconds = sprintf('%d.%06d', $seconds, abs($interval->f) * 1000000);
+        }
+
         $time = array_filter([
             static::PERIOD_HOURS => abs($interval->h),
             static::PERIOD_MINUTES => abs($interval->i),
-            static::PERIOD_SECONDS => abs($interval->s),
+            static::PERIOD_SECONDS => $seconds,
         ]);
 
         $specString = static::PERIOD_PREFIX;
@@ -2176,9 +2359,9 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      *
      * @return string
      */
-    public function spec()
+    public function spec(bool $microseconds = false)
     {
-        return static::getDateIntervalSpec($this);
+        return static::getDateIntervalSpec($this, $microseconds);
     }
 
     /**
@@ -2229,9 +2412,11 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         $originalData = $this->toArray();
         $originalData['milliseconds'] = (int) ($originalData['microseconds'] / static::getMicrosecondsPerMillisecond());
         $originalData['microseconds'] = $originalData['microseconds'] % static::getMicrosecondsPerMillisecond();
-        $originalData['daysExcludeWeeks'] = $originalData['days'];
+        $originalData['weeks'] = (int) ($this->d / static::getDaysPerWeek());
+        $originalData['daysExcludeWeeks'] = fmod($this->d, static::getDaysPerWeek());
         unset($originalData['days']);
         $newData = $originalData;
+        $previous = [];
 
         foreach (self::getFlipCascadeFactors() as $source => [$target, $factor]) {
             foreach (['source', 'target'] as $key) {
@@ -2241,9 +2426,29 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
             }
 
             $value = $newData[$source];
-            $modulo = ($factor + ($value % $factor)) % $factor;
+            $modulo = fmod($factor + fmod($value, $factor), $factor);
             $newData[$source] = $modulo;
             $newData[$target] += ($value - $modulo) / $factor;
+
+            $decimalPart = fmod($newData[$source], 1);
+
+            if ($decimalPart !== 0.0) {
+                $unit = $source;
+
+                foreach ($previous as [$subUnit, $subFactor]) {
+                    $newData[$unit] -= $decimalPart;
+                    $newData[$subUnit] += $decimalPart * $subFactor;
+                    $decimalPart = fmod($newData[$subUnit], 1);
+
+                    if ($decimalPart === 0.0) {
+                        break;
+                    }
+
+                    $unit = $subUnit;
+                }
+            }
+
+            array_unshift($previous, [$source, $factor]);
         }
 
         $positive = null;
@@ -2324,13 +2529,13 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         $cumulativeFactor = 0;
         $unitFound = false;
         $factors = self::getFlipCascadeFactors();
-        $daysPerWeek = static::getDaysPerWeek();
+        $daysPerWeek = (int) static::getDaysPerWeek();
 
         $values = [
             'years' => $this->years,
             'months' => $this->months,
             'weeks' => (int) ($this->d / $daysPerWeek),
-            'dayz' => $this->d % $daysPerWeek,
+            'dayz' => fmod($this->d, $daysPerWeek),
             'hours' => $this->hours,
             'minutes' => $this->minutes,
             'seconds' => $this->seconds,
@@ -2391,10 +2596,11 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
         }
 
         if ($unit === 'weeks') {
-            return $result / $daysPerWeek;
+            $result /= $daysPerWeek;
         }
 
-        return $result;
+        // Cast as int numbers with no decimal part
+        return fmod($result, 1) === 0.0 ? (int) $result : $result;
     }
 
     /**
@@ -2662,6 +2868,15 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
      */
     public function roundUnit($unit, $precision = 1, $function = 'round')
     {
+        if (static::getCascadeFactors() !== static::getDefaultCascadeFactors()) {
+            $value = $function($this->total($unit) / $precision) * $precision;
+            $inverted = $value < 0;
+
+            return $this->copyProperties(self::fromString(
+                number_format(abs($value), 12, '.', '').' '.$unit
+            )->invert($inverted)->cascade());
+        }
+
         $base = CarbonImmutable::parse('2000-01-01 00:00:00', 'UTC')
             ->roundUnit($unit, $precision, $function);
         $next = $base->add($this);
@@ -2752,4 +2967,88 @@ class CarbonInterval extends DateInterval implements CarbonConverterInterface
     {
         return $this->round($precision, 'ceil');
     }
+
+    private function needsDeclension(string $mode, int $index, int $parts): bool
+    {
+        switch ($mode) {
+            case 'last':
+                return $index === $parts - 1;
+            default:
+                return true;
+        }
+    }
+
+    private function checkIntegerValue(string $name, $value)
+    {
+        if (\is_int($value)) {
+            return;
+        }
+
+        $this->assertSafeForInteger($name, $value);
+
+        if (\is_float($value) && (((float) (int) $value) === $value)) {
+            return;
+        }
+
+        if (!self::$floatSettersEnabled) {
+            $type = \gettype($value);
+            @trigger_error(
+                "Since 2.70.0, it's deprecated to pass $type value for $name.\n".
+                "It's truncated when stored as an integer interval unit.\n".
+                "From 3.0.0, decimal part will no longer be truncated and will be cascaded to smaller units.\n".
+                "- To maintain the current behavior, use explicit cast: $name((int) \$value)\n".
+                "- To adopt the new behavior globally, call CarbonInterval::enableFloatSetters()\n",
+                \E_USER_DEPRECATED
+            );
+        }
+    }
+
+    /**
+     * Throw an exception if precision loss when storing the given value as an integer would be >= 1.0.
+     */
+    private function assertSafeForInteger(string $name, $value)
+    {
+        if ($value && !\is_int($value) && ($value >= 0x7fffffffffffffff || $value <= -0x7fffffffffffffff)) {
+            throw new OutOfRangeException($name, -0x7fffffffffffffff, 0x7fffffffffffffff, $value);
+        }
+    }
+
+    private function handleDecimalPart(string $unit, $value, $integerValue)
+    {
+        if (self::$floatSettersEnabled) {
+            $floatValue = (float) $value;
+            $base = (float) $integerValue;
+
+            if ($floatValue === $base) {
+                return;
+            }
+
+            $units = [
+                'y' => 'year',
+                'm' => 'month',
+                'd' => 'day',
+                'h' => 'hour',
+                'i' => 'minute',
+                's' => 'second',
+            ];
+            $upper = true;
+
+            foreach ($units as $property => $name) {
+                if ($name === $unit) {
+                    $upper = false;
+
+                    continue;
+                }
+
+                if (!$upper && $this->$property !== 0) {
+                    throw new RuntimeException(
+                        "You cannot set $unit to a float value as $name would be overridden, ".
+                        'set it first to 0 explicitly if you really want to erase its value'
+                    );
+                }
+            }
+
+            $this->add($unit, $floatValue - $base);
+        }
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriod.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriod.php
index 0e81e7573..d12a98697 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriod.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriod.php
@@ -11,6 +11,7 @@
 
 namespace Carbon;
 
+use Carbon\Exceptions\EndLessPeriodException;
 use Carbon\Exceptions\InvalidCastException;
 use Carbon\Exceptions\InvalidIntervalException;
 use Carbon\Exceptions\InvalidPeriodDateException;
@@ -23,11 +24,13 @@ use Carbon\Exceptions\UnreachableException;
 use Carbon\Traits\IntervalRounding;
 use Carbon\Traits\Mixin;
 use Carbon\Traits\Options;
+use Carbon\Traits\ToStringFormat;
 use Closure;
 use Countable;
 use DateInterval;
 use DatePeriod;
 use DateTime;
+use DateTimeImmutable;
 use DateTimeInterface;
 use DateTimeZone;
 use InvalidArgumentException;
@@ -48,43 +51,47 @@ use RuntimeException;
  * @property-read CarbonInterface $end Period end date.
  * @property-read CarbonInterval $interval Underlying date interval instance. Always present, one day by default.
  *
- * @method static CarbonPeriod start($date, $inclusive = null) Create instance specifying start date or modify the start date if called on an instance.
- * @method static CarbonPeriod since($date, $inclusive = null) Alias for start().
- * @method static CarbonPeriod sinceNow($inclusive = null) Create instance with start date set to now or set the start date to now if called on an instance.
- * @method static CarbonPeriod end($date = null, $inclusive = null) Create instance specifying end date or modify the end date if called on an instance.
- * @method static CarbonPeriod until($date = null, $inclusive = null) Alias for end().
- * @method static CarbonPeriod untilNow($inclusive = null) Create instance with end date set to now or set the end date to now if called on an instance.
- * @method static CarbonPeriod dates($start, $end = null) Create instance with start and end dates or modify the start and end dates if called on an instance.
- * @method static CarbonPeriod between($start, $end = null) Create instance with start and end dates or modify the start and end dates if called on an instance.
- * @method static CarbonPeriod recurrences($recurrences = null) Create instance with maximum number of recurrences or modify the number of recurrences if called on an instance.
- * @method static CarbonPeriod times($recurrences = null) Alias for recurrences().
- * @method static CarbonPeriod options($options = null) Create instance with options or modify the options if called on an instance.
- * @method static CarbonPeriod toggle($options, $state = null) Create instance with options toggled on or off, or toggle options if called on an instance.
- * @method static CarbonPeriod filter($callback, $name = null) Create instance with filter added to the stack or append a filter if called on an instance.
- * @method static CarbonPeriod push($callback, $name = null) Alias for filter().
- * @method static CarbonPeriod prepend($callback, $name = null) Create instance with filter prepended to the stack or prepend a filter if called on an instance.
- * @method static CarbonPeriod filters(array $filters = []) Create instance with filters stack or replace the whole filters stack if called on an instance.
- * @method static CarbonPeriod interval($interval) Create instance with given date interval or modify the interval if called on an instance.
- * @method static CarbonPeriod each($interval) Create instance with given date interval or modify the interval if called on an instance.
- * @method static CarbonPeriod every($interval) Create instance with given date interval or modify the interval if called on an instance.
- * @method static CarbonPeriod step($interval) Create instance with given date interval or modify the interval if called on an instance.
- * @method static CarbonPeriod stepBy($interval) Create instance with given date interval or modify the interval if called on an instance.
- * @method static CarbonPeriod invert() Create instance with inverted date interval or invert the interval if called on an instance.
- * @method static CarbonPeriod years($years = 1) Create instance specifying a number of years for date interval or replace the interval by the given a number of years if called on an instance.
- * @method static CarbonPeriod year($years = 1) Alias for years().
- * @method static CarbonPeriod months($months = 1) Create instance specifying a number of months for date interval or replace the interval by the given a number of months if called on an instance.
- * @method static CarbonPeriod month($months = 1) Alias for months().
- * @method static CarbonPeriod weeks($weeks = 1) Create instance specifying a number of weeks for date interval or replace the interval by the given a number of weeks if called on an instance.
- * @method static CarbonPeriod week($weeks = 1) Alias for weeks().
- * @method static CarbonPeriod days($days = 1) Create instance specifying a number of days for date interval or replace the interval by the given a number of days if called on an instance.
- * @method static CarbonPeriod dayz($days = 1) Alias for days().
- * @method static CarbonPeriod day($days = 1) Alias for days().
- * @method static CarbonPeriod hours($hours = 1) Create instance specifying a number of hours for date interval or replace the interval by the given a number of hours if called on an instance.
- * @method static CarbonPeriod hour($hours = 1) Alias for hours().
- * @method static CarbonPeriod minutes($minutes = 1) Create instance specifying a number of minutes for date interval or replace the interval by the given a number of minutes if called on an instance.
- * @method static CarbonPeriod minute($minutes = 1) Alias for minutes().
- * @method static CarbonPeriod seconds($seconds = 1) Create instance specifying a number of seconds for date interval or replace the interval by the given a number of seconds if called on an instance.
- * @method static CarbonPeriod second($seconds = 1) Alias for seconds().
+ * @method static static start($date, $inclusive = null) Create instance specifying start date or modify the start date if called on an instance.
+ * @method static static since($date, $inclusive = null) Alias for start().
+ * @method static static sinceNow($inclusive = null) Create instance with start date set to now or set the start date to now if called on an instance.
+ * @method static static end($date = null, $inclusive = null) Create instance specifying end date or modify the end date if called on an instance.
+ * @method static static until($date = null, $inclusive = null) Alias for end().
+ * @method static static untilNow($inclusive = null) Create instance with end date set to now or set the end date to now if called on an instance.
+ * @method static static dates($start, $end = null) Create instance with start and end dates or modify the start and end dates if called on an instance.
+ * @method static static between($start, $end = null) Create instance with start and end dates or modify the start and end dates if called on an instance.
+ * @method static static recurrences($recurrences = null) Create instance with maximum number of recurrences or modify the number of recurrences if called on an instance.
+ * @method static static times($recurrences = null) Alias for recurrences().
+ * @method static static options($options = null) Create instance with options or modify the options if called on an instance.
+ * @method static static toggle($options, $state = null) Create instance with options toggled on or off, or toggle options if called on an instance.
+ * @method static static filter($callback, $name = null) Create instance with filter added to the stack or append a filter if called on an instance.
+ * @method static static push($callback, $name = null) Alias for filter().
+ * @method static static prepend($callback, $name = null) Create instance with filter prepended to the stack or prepend a filter if called on an instance.
+ * @method static static filters(array $filters = []) Create instance with filters stack or replace the whole filters stack if called on an instance.
+ * @method static static interval($interval) Create instance with given date interval or modify the interval if called on an instance.
+ * @method static static each($interval) Create instance with given date interval or modify the interval if called on an instance.
+ * @method static static every($interval) Create instance with given date interval or modify the interval if called on an instance.
+ * @method static static step($interval) Create instance with given date interval or modify the interval if called on an instance.
+ * @method static static stepBy($interval) Create instance with given date interval or modify the interval if called on an instance.
+ * @method static static invert() Create instance with inverted date interval or invert the interval if called on an instance.
+ * @method static static years($years = 1) Create instance specifying a number of years for date interval or replace the interval by the given a number of years if called on an instance.
+ * @method static static year($years = 1) Alias for years().
+ * @method static static months($months = 1) Create instance specifying a number of months for date interval or replace the interval by the given a number of months if called on an instance.
+ * @method static static month($months = 1) Alias for months().
+ * @method static static weeks($weeks = 1) Create instance specifying a number of weeks for date interval or replace the interval by the given a number of weeks if called on an instance.
+ * @method static static week($weeks = 1) Alias for weeks().
+ * @method static static days($days = 1) Create instance specifying a number of days for date interval or replace the interval by the given a number of days if called on an instance.
+ * @method static static dayz($days = 1) Alias for days().
+ * @method static static day($days = 1) Alias for days().
+ * @method static static hours($hours = 1) Create instance specifying a number of hours for date interval or replace the interval by the given a number of hours if called on an instance.
+ * @method static static hour($hours = 1) Alias for hours().
+ * @method static static minutes($minutes = 1) Create instance specifying a number of minutes for date interval or replace the interval by the given a number of minutes if called on an instance.
+ * @method static static minute($minutes = 1) Alias for minutes().
+ * @method static static seconds($seconds = 1) Create instance specifying a number of seconds for date interval or replace the interval by the given a number of seconds if called on an instance.
+ * @method static static second($seconds = 1) Alias for seconds().
+ * @method static static milliseconds($milliseconds = 1) Create instance specifying a number of milliseconds for date interval or replace the interval by the given a number of milliseconds if called on an instance.
+ * @method static static millisecond($milliseconds = 1) Alias for milliseconds().
+ * @method static static microseconds($microseconds = 1) Create instance specifying a number of microseconds for date interval or replace the interval by the given a number of microseconds if called on an instance.
+ * @method static static microsecond($microseconds = 1) Alias for microseconds().
  * @method $this roundYear(float $precision = 1, string $function = "round") Round the current instance year with given precision using the given function.
  * @method $this roundYears(float $precision = 1, string $function = "round") Round the current instance year with given precision using the given function.
  * @method $this floorYear(float $precision = 1) Truncate the current instance year with given precision.
@@ -173,6 +180,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         Mixin::mixin as baseMixin;
     }
     use Options;
+    use ToStringFormat;
 
     /**
      * Built-in filter for limit by recurrences.
@@ -230,6 +238,13 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public const END_MAX_ATTEMPTS = 10000;
 
+    /**
+     * Default date class of iteration items.
+     *
+     * @var string
+     */
+    protected const DEFAULT_DATE_CLASS = Carbon::class;
+
     /**
      * The registered macros.
      *
@@ -251,6 +266,13 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     protected $dateInterval;
 
+    /**
+     * True once __construct is finished.
+     *
+     * @var bool
+     */
+    protected $constructed = false;
+
     /**
      * Whether current date interval was set by default.
      *
@@ -377,7 +399,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             );
         }
 
-        $class = \get_called_class();
+        $class = static::class;
         $type = \gettype($period);
 
         throw new NotAPeriodException(
@@ -482,15 +504,16 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         $interval = null;
         $start = null;
         $end = null;
+        $dateClass = static::DEFAULT_DATE_CLASS;
 
         foreach (explode('/', $iso) as $key => $part) {
-            if ($key === 0 && preg_match('/^R([0-9]*|INF)$/', $part, $match)) {
+            if ($key === 0 && preg_match('/^R(\d*|INF)$/', $part, $match)) {
                 $parsed = \strlen($match[1]) ? (($match[1] !== 'INF') ? (int) $match[1] : INF) : null;
             } elseif ($interval === null && $parsed = CarbonInterval::make($part)) {
                 $interval = $part;
-            } elseif ($start === null && $parsed = Carbon::make($part)) {
+            } elseif ($start === null && $parsed = $dateClass::make($part)) {
                 $start = $part;
-            } elseif ($end === null && $parsed = Carbon::make(static::addMissingParts($start ?? '', $part))) {
+            } elseif ($end === null && $parsed = $dateClass::make(static::addMissingParts($start ?? '', $part))) {
                 $end = $part;
             } else {
                 throw new InvalidPeriodParameterException("Invalid ISO 8601 specification: $iso.");
@@ -503,7 +526,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
     }
 
     /**
-     * Add missing parts of the target date from the soure date.
+     * Add missing parts of the target date from the source date.
      *
      * @param string $source
      * @param string $target
@@ -512,7 +535,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     protected static function addMissingParts($source, $target)
     {
-        $pattern = '/'.preg_replace('/[0-9]+/', '[0-9]+', preg_quote($target, '/')).'$/';
+        $pattern = '/'.preg_replace('/\d+/', '[0-9]+', preg_quote($target, '/')).'$/';
 
         $result = preg_replace($pattern, $target, $source, 1, $count);
 
@@ -621,6 +644,10 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public function __construct(...$arguments)
     {
+        if (is_a($this->dateClass, DateTimeImmutable::class, true)) {
+            $this->options = static::IMMUTABLE;
+        }
+
         // Parse and assign arguments one by one. First argument may be an ISO 8601 spec,
         // which will be first parsed into parts and then processed the same way.
 
@@ -648,6 +675,8 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             }
         }
 
+        $optionsSet = false;
+
         foreach ($arguments as $argument) {
             $parsedDate = null;
 
@@ -655,10 +684,10 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
                 $this->setTimezone($argument);
             } elseif ($this->dateInterval === null &&
                 (
-                    \is_string($argument) && preg_match(
-                        '/^(-?\d(\d(?![\/-])|[^\d\/-]([\/-])?)*|P[T0-9].*|(?:\h*\d+(?:\.\d+)?\h*[a-z]+)+)$/i',
+                    (\is_string($argument) && preg_match(
+                        '/^(-?\d(\d(?![\/-])|[^\d\/-]([\/-])?)*|P[T\d].*|(?:\h*\d+(?:\.\d+)?\h*[a-z]+)+)$/i',
                         $argument
-                    ) ||
+                    )) ||
                     $argument instanceof DateInterval ||
                     $argument instanceof Closure
                 ) &&
@@ -671,15 +700,17 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
                 $this->setEndDate($parsedDate);
             } elseif ($this->recurrences === null && $this->endDate === null && is_numeric($argument)) {
                 $this->setRecurrences($argument);
-            } elseif ($this->options === null && (\is_int($argument) || $argument === null)) {
-                $this->setOptions($argument);
+            } elseif (!$optionsSet && (\is_int($argument) || $argument === null)) {
+                $optionsSet = true;
+                $this->setOptions(((int) $this->options) | ((int) $argument));
             } else {
                 throw new InvalidPeriodParameterException('Invalid constructor parameters.');
             }
         }
 
         if ($this->startDate === null) {
-            $this->setStartDate(Carbon::now());
+            $dateClass = $this->dateClass;
+            $this->setStartDate($dateClass::now());
         }
 
         if ($this->dateInterval === null) {
@@ -691,6 +722,8 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         if ($this->options === null) {
             $this->setOptions(0);
         }
+
+        $this->constructed = true;
     }
 
     /**
@@ -703,6 +736,17 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         return clone $this;
     }
 
+    /**
+     * Prepare the instance to be set (self if mutable to be mutated,
+     * copy if immutable to generate a new instance).
+     *
+     * @return static
+     */
+    protected function copyIfImmutable()
+    {
+        return $this;
+    }
+
     /**
      * Get the getter for a property allowing both `DatePeriod` snakeCase and camelCase names.
      *
@@ -794,7 +838,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param string $dateClass
      *
-     * @return $this
+     * @return static
      */
     public function setDateClass(string $dateClass)
     {
@@ -802,15 +846,16 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             throw new NotACarbonClassException($dateClass);
         }
 
-        $this->dateClass = $dateClass;
+        $self = $this->copyIfImmutable();
+        $self->dateClass = $dateClass;
 
         if (is_a($dateClass, Carbon::class, true)) {
-            $this->toggleOptions(static::IMMUTABLE, false);
+            $self->options = $self->options & ~static::IMMUTABLE;
         } elseif (is_a($dateClass, CarbonImmutable::class, true)) {
-            $this->toggleOptions(static::IMMUTABLE, true);
+            $self->options = $self->options | static::IMMUTABLE;
         }
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -830,7 +875,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @throws InvalidIntervalException
      *
-     * @return $this
+     * @return static
      */
     public function setDateInterval($interval)
     {
@@ -842,25 +887,24 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             throw new InvalidIntervalException('Empty interval is not accepted.');
         }
 
-        $this->dateInterval = $interval;
+        $self = $this->copyIfImmutable();
+        $self->dateInterval = $interval;
 
-        $this->isDefaultInterval = false;
+        $self->isDefaultInterval = false;
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
      * Invert the period date interval.
      *
-     * @return $this
+     * @return static
      */
     public function invertDateInterval()
     {
-        $interval = $this->dateInterval->invert();
-
-        return $this->setDateInterval($interval);
+        return $this->setDateInterval($this->dateInterval->invert());
     }
 
     /**
@@ -869,14 +913,11 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param DateTime|DateTimeInterface|string      $start
      * @param DateTime|DateTimeInterface|string|null $end
      *
-     * @return $this
+     * @return static
      */
     public function setDates($start, $end)
     {
-        $this->setStartDate($start);
-        $this->setEndDate($end);
-
-        return $this;
+        return $this->setStartDate($start)->setEndDate($end);
     }
 
     /**
@@ -886,7 +927,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @throws InvalidArgumentException
      *
-     * @return $this
+     * @return static
      */
     public function setOptions($options)
     {
@@ -894,11 +935,12 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             throw new InvalidPeriodParameterException('Invalid options.');
         }
 
-        $this->options = $options ?: 0;
+        $self = $this->copyIfImmutable();
+        $self->options = $options ?: 0;
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -919,7 +961,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @throws \InvalidArgumentException
      *
-     * @return $this
+     * @return static
      */
     public function toggleOptions($options, $state = null)
     {
@@ -939,7 +981,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param bool $state
      *
-     * @return $this
+     * @return static
      */
     public function excludeStartDate($state = true)
     {
@@ -951,7 +993,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param bool $state
      *
-     * @return $this
+     * @return static
      */
     public function excludeEndDate($state = true)
     {
@@ -1095,17 +1137,18 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param callable $callback
      * @param string   $name
      *
-     * @return $this
+     * @return static
      */
     public function addFilter($callback, $name = null)
     {
-        $tuple = $this->createFilterTuple(\func_get_args());
+        $self = $this->copyIfImmutable();
+        $tuple = $self->createFilterTuple(\func_get_args());
 
-        $this->filters[] = $tuple;
+        $self->filters[] = $tuple;
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1116,17 +1159,18 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param callable $callback
      * @param string   $name
      *
-     * @return $this
+     * @return static
      */
     public function prependFilter($callback, $name = null)
     {
-        $tuple = $this->createFilterTuple(\func_get_args());
+        $self = $this->copyIfImmutable();
+        $tuple = $self->createFilterTuple(\func_get_args());
 
-        array_unshift($this->filters, $tuple);
+        array_unshift($self->filters, $tuple);
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1134,24 +1178,25 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param callable|string $filter
      *
-     * @return $this
+     * @return static
      */
     public function removeFilter($filter)
     {
+        $self = $this->copyIfImmutable();
         $key = \is_callable($filter) ? 0 : 1;
 
-        $this->filters = array_values(array_filter(
+        $self->filters = array_values(array_filter(
             $this->filters,
             function ($tuple) use ($key, $filter) {
                 return $tuple[$key] !== $filter;
             }
         ));
 
-        $this->updateInternalState();
+        $self->updateInternalState();
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1189,39 +1234,41 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param array $filters
      *
-     * @return $this
+     * @return static
      */
     public function setFilters(array $filters)
     {
-        $this->filters = $filters;
+        $self = $this->copyIfImmutable();
+        $self->filters = $filters;
 
-        $this->updateInternalState();
+        $self->updateInternalState();
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
      * Reset filters stack.
      *
-     * @return $this
+     * @return static
      */
     public function resetFilters()
     {
-        $this->filters = [];
+        $self = $this->copyIfImmutable();
+        $self->filters = [];
 
-        if ($this->endDate !== null) {
-            $this->filters[] = [static::END_DATE_FILTER, null];
+        if ($self->endDate !== null) {
+            $self->filters[] = [static::END_DATE_FILTER, null];
         }
 
-        if ($this->recurrences !== null) {
-            $this->filters[] = [static::RECURRENCES_FILTER, null];
+        if ($self->recurrences !== null) {
+            $self->filters[] = [static::RECURRENCES_FILTER, null];
         }
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1231,11 +1278,11 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @throws InvalidArgumentException
      *
-     * @return $this
+     * @return static
      */
     public function setRecurrences($recurrences)
     {
-        if (!is_numeric($recurrences) && $recurrences !== null || $recurrences < 0) {
+        if ((!is_numeric($recurrences) && $recurrences !== null) || $recurrences < 0) {
             throw new InvalidPeriodParameterException('Invalid number of recurrences.');
         }
 
@@ -1243,15 +1290,17 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             return $this->removeFilter(static::RECURRENCES_FILTER);
         }
 
-        $this->recurrences = $recurrences === INF ? INF : (int) $recurrences;
+        /** @var self $self */
+        $self = $this->copyIfImmutable();
+        $self->recurrences = $recurrences === INF ? INF : (int) $recurrences;
 
-        if (!$this->hasFilter(static::RECURRENCES_FILTER)) {
-            return $this->addFilter(static::RECURRENCES_FILTER);
+        if (!$self->hasFilter(static::RECURRENCES_FILTER)) {
+            return $self->addFilter(static::RECURRENCES_FILTER);
         }
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1262,21 +1311,22 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @throws InvalidPeriodDateException
      *
-     * @return $this
+     * @return static
      */
     public function setStartDate($date, $inclusive = null)
     {
-        if (!$date = ([$this->dateClass, 'make'])($date)) {
+        if (!$this->isInfiniteDate($date) && !($date = ([$this->dateClass, 'make'])($date))) {
             throw new InvalidPeriodDateException('Invalid start date.');
         }
 
-        $this->startDate = $date;
+        $self = $this->copyIfImmutable();
+        $self->startDate = $date;
 
         if ($inclusive !== null) {
-            $this->toggleOptions(static::EXCLUDE_START_DATE, !$inclusive);
+            $self = $self->toggleOptions(static::EXCLUDE_START_DATE, !$inclusive);
         }
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1287,11 +1337,11 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @throws \InvalidArgumentException
      *
-     * @return $this
+     * @return static
      */
     public function setEndDate($date, $inclusive = null)
     {
-        if ($date !== null && !$date = ([$this->dateClass, 'make'])($date)) {
+        if ($date !== null && !$this->isInfiniteDate($date) && !$date = ([$this->dateClass, 'make'])($date)) {
             throw new InvalidPeriodDateException('Invalid end date.');
         }
 
@@ -1299,19 +1349,20 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             return $this->removeFilter(static::END_DATE_FILTER);
         }
 
-        $this->endDate = $date;
+        $self = $this->copyIfImmutable();
+        $self->endDate = $date;
 
         if ($inclusive !== null) {
-            $this->toggleOptions(static::EXCLUDE_END_DATE, !$inclusive);
+            $self = $self->toggleOptions(static::EXCLUDE_END_DATE, !$inclusive);
         }
 
-        if (!$this->hasFilter(static::END_DATE_FILTER)) {
-            return $this->addFilter(static::END_DATE_FILTER);
+        if (!$self->hasFilter(static::END_DATE_FILTER)) {
+            return $self->addFilter(static::END_DATE_FILTER);
         }
 
-        $this->handleChangedParameters();
+        $self->handleChangedParameters();
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1457,13 +1508,21 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public function toString()
     {
+        $format = $this->localToStringFormat ?? static::$toStringFormat;
+
+        if ($format instanceof Closure) {
+            return $format($this);
+        }
+
         $translator = ([$this->dateClass, 'getTranslator'])();
 
         $parts = [];
 
-        $format = !$this->startDate->isStartOfDay() || $this->endDate && !$this->endDate->isStartOfDay()
-            ? 'Y-m-d H:i:s'
-            : 'Y-m-d';
+        $format = $format ?? (
+            !$this->startDate->isStartOfDay() || ($this->endDate && !$this->endDate->isStartOfDay())
+                ? 'Y-m-d H:i:s'
+                : 'Y-m-d'
+        );
 
         if ($this->recurrences !== null) {
             $parts[] = $this->translate('period_recurrences', [], $this->recurrences, $translator);
@@ -1506,9 +1565,9 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         if (!method_exists($className, 'instance')) {
             if (is_a($className, DatePeriod::class, true)) {
                 return new $className(
-                    $this->getStartDate(),
+                    $this->rawDate($this->getStartDate()),
                     $this->getDateInterval(),
-                    $this->getEndDate() ? $this->getIncludedEndDate() : $this->getRecurrences(),
+                    $this->getEndDate() ? $this->rawDate($this->getIncludedEndDate()) : $this->getRecurrences(),
                     $this->isStartExcluded() ? DatePeriod::EXCLUDE_START_DATE : 0
                 );
             }
@@ -1534,6 +1593,39 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         return $this->cast(DatePeriod::class);
     }
 
+    /**
+     * Return `true` if the period has no custom filter and is guaranteed to be endless.
+     *
+     * Note that we can't check if a period is endless as soon as it has custom filters
+     * because filters can emit `CarbonPeriod::END_ITERATION` to stop the iteration in
+     * a way we can't predict without actually iterating the period.
+     */
+    public function isUnfilteredAndEndLess(): bool
+    {
+        foreach ($this->filters as $filter) {
+            switch ($filter) {
+                case [static::RECURRENCES_FILTER, null]:
+                    if ($this->recurrences !== null && is_finite($this->recurrences)) {
+                        return false;
+                    }
+
+                    break;
+
+                case [static::END_DATE_FILTER, null]:
+                    if ($this->endDate !== null && !$this->endDate->isEndOfTime()) {
+                        return false;
+                    }
+
+                    break;
+
+                default:
+                    return false;
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Convert the date period into an array without changing current iteration state.
      *
@@ -1541,6 +1633,10 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public function toArray()
     {
+        if ($this->isUnfilteredAndEndLess()) {
+            throw new EndLessPeriodException("Endless period can't be converted to array nor counted.");
+        }
+
         $state = [
             $this->key,
             $this->current ? $this->current->avoidMutation() : null,
@@ -1572,6 +1668,16 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public function first()
     {
+        if ($this->isUnfilteredAndEndLess()) {
+            foreach ($this as $date) {
+                $this->rewind();
+
+                return $date;
+            }
+
+            return null;
+        }
+
         return ($this->toArray() ?: [])[0] ?? null;
     }
 
@@ -1626,54 +1732,80 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             return $roundedValue;
         }
 
-        $first = \count($parameters) >= 1 ? $parameters[0] : null;
-        $second = \count($parameters) >= 2 ? $parameters[1] : null;
-
         switch ($method) {
             case 'start':
             case 'since':
-                return $this->setStartDate($first, $second);
+                self::setDefaultParameters($parameters, [
+                    [0, 'date', null],
+                ]);
+
+                return $this->setStartDate(...$parameters);
 
             case 'sinceNow':
-                return $this->setStartDate(new Carbon(), $first);
+                return $this->setStartDate(new Carbon(), ...$parameters);
 
             case 'end':
             case 'until':
-                return $this->setEndDate($first, $second);
+                self::setDefaultParameters($parameters, [
+                    [0, 'date', null],
+                ]);
+
+                return $this->setEndDate(...$parameters);
 
             case 'untilNow':
-                return $this->setEndDate(new Carbon(), $first);
+                return $this->setEndDate(new Carbon(), ...$parameters);
 
             case 'dates':
             case 'between':
-                return $this->setDates($first, $second);
+                self::setDefaultParameters($parameters, [
+                    [0, 'start', null],
+                    [1, 'end', null],
+                ]);
+
+                return $this->setDates(...$parameters);
 
             case 'recurrences':
             case 'times':
-                return $this->setRecurrences($first);
+                self::setDefaultParameters($parameters, [
+                    [0, 'recurrences', null],
+                ]);
+
+                return $this->setRecurrences(...$parameters);
 
             case 'options':
-                return $this->setOptions($first);
+                self::setDefaultParameters($parameters, [
+                    [0, 'options', null],
+                ]);
+
+                return $this->setOptions(...$parameters);
 
             case 'toggle':
-                return $this->toggleOptions($first, $second);
+                self::setDefaultParameters($parameters, [
+                    [0, 'options', null],
+                ]);
+
+                return $this->toggleOptions(...$parameters);
 
             case 'filter':
             case 'push':
-                return $this->addFilter($first, $second);
+                return $this->addFilter(...$parameters);
 
             case 'prepend':
-                return $this->prependFilter($first, $second);
+                return $this->prependFilter(...$parameters);
 
             case 'filters':
-                return $this->setFilters($first ?: []);
+                self::setDefaultParameters($parameters, [
+                    [0, 'filters', []],
+                ]);
+
+                return $this->setFilters(...$parameters);
 
             case 'interval':
             case 'each':
             case 'every':
             case 'step':
             case 'stepBy':
-                return $this->setDateInterval($first);
+                return $this->setDateInterval(...$parameters);
 
             case 'invert':
                 return $this->invertDateInterval();
@@ -1693,15 +1825,19 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
             case 'minute':
             case 'seconds':
             case 'second':
+            case 'milliseconds':
+            case 'millisecond':
+            case 'microseconds':
+            case 'microsecond':
                 return $this->setDateInterval((
                     // Override default P1D when instantiating via fluent setters.
                     [$this->isDefaultInterval ? new CarbonInterval('PT0S') : $this->dateInterval, $method]
-                )(
-                    \count($parameters) === 0 ? 1 : $first
-                ));
+                )(...$parameters));
         }
 
-        if ($this->localStrictModeEnabled ?? Carbon::isStrictModeEnabled()) {
+        $dateClass = $this->dateClass;
+
+        if ($this->localStrictModeEnabled ?? $dateClass::isStrictModeEnabled()) {
             throw new UnknownMethodException($method);
         }
 
@@ -1717,18 +1853,19 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public function setTimezone($timezone)
     {
-        $this->tzName = $timezone;
-        $this->timezone = $timezone;
+        $self = $this->copyIfImmutable();
+        $self->tzName = $timezone;
+        $self->timezone = $timezone;
 
-        if ($this->startDate) {
-            $this->setStartDate($this->startDate->setTimezone($timezone));
+        if ($self->startDate) {
+            $self = $self->setStartDate($self->startDate->setTimezone($timezone));
         }
 
-        if ($this->endDate) {
-            $this->setEndDate($this->endDate->setTimezone($timezone));
+        if ($self->endDate) {
+            $self = $self->setEndDate($self->endDate->setTimezone($timezone));
         }
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1740,18 +1877,19 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      */
     public function shiftTimezone($timezone)
     {
-        $this->tzName = $timezone;
-        $this->timezone = $timezone;
+        $self = $this->copyIfImmutable();
+        $self->tzName = $timezone;
+        $self->timezone = $timezone;
 
-        if ($this->startDate) {
-            $this->setStartDate($this->startDate->shiftTimezone($timezone));
+        if ($self->startDate) {
+            $self = $self->setStartDate($self->startDate->shiftTimezone($timezone));
         }
 
-        if ($this->endDate) {
-            $this->setEndDate($this->endDate->shiftTimezone($timezone));
+        if ($self->endDate) {
+            $self = $self->setEndDate($self->endDate->shiftTimezone($timezone));
         }
 
-        return $this;
+        return $self;
     }
 
     /**
@@ -1896,7 +2034,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
 
     /**
      * Determines if the instance is equal to another.
-     * Warning: if options differ, instances wil never be equal.
+     * Warning: if options differ, instances will never be equal.
      *
      * @param mixed $period
      *
@@ -1911,7 +2049,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
 
     /**
      * Determines if the instance is equal to another.
-     * Warning: if options differ, instances wil never be equal.
+     * Warning: if options differ, instances will never be equal.
      *
      * @param mixed $period
      *
@@ -1934,7 +2072,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
 
     /**
      * Determines if the instance is not equal to another.
-     * Warning: if options differ, instances wil never be equal.
+     * Warning: if options differ, instances will never be equal.
      *
      * @param mixed $period
      *
@@ -1949,7 +2087,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
 
     /**
      * Determines if the instance is not equal to another.
-     * Warning: if options differ, instances wil never be equal.
+     * Warning: if options differ, instances will never be equal.
      *
      * @param mixed $period
      *
@@ -2130,19 +2268,18 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param float|int|string|\DateInterval|null $precision
      * @param string                              $function
      *
-     * @return $this
+     * @return static
      */
     public function roundUnit($unit, $precision = 1, $function = 'round')
     {
-        $this->setStartDate($this->getStartDate()->roundUnit($unit, $precision, $function));
+        $self = $this->copyIfImmutable();
+        $self = $self->setStartDate($self->getStartDate()->roundUnit($unit, $precision, $function));
 
-        if ($this->endDate) {
-            $this->setEndDate($this->getEndDate()->roundUnit($unit, $precision, $function));
+        if ($self->endDate) {
+            $self = $self->setEndDate($self->getEndDate()->roundUnit($unit, $precision, $function));
         }
 
-        $this->setDateInterval($this->getDateInterval()->roundUnit($unit, $precision, $function));
-
-        return $this;
+        return $self->setDateInterval($self->getDateInterval()->roundUnit($unit, $precision, $function));
     }
 
     /**
@@ -2151,7 +2288,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param string                              $unit
      * @param float|int|string|\DateInterval|null $precision
      *
-     * @return $this
+     * @return static
      */
     public function floorUnit($unit, $precision = 1)
     {
@@ -2164,7 +2301,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param string                              $unit
      * @param float|int|string|\DateInterval|null $precision
      *
-     * @return $this
+     * @return static
      */
     public function ceilUnit($unit, $precision = 1)
     {
@@ -2177,7 +2314,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      * @param float|int|string|\DateInterval|null $precision
      * @param string                              $function
      *
-     * @return $this
+     * @return static
      */
     public function round($precision = null, $function = 'round')
     {
@@ -2192,7 +2329,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param float|int|string|\DateInterval|null $precision
      *
-     * @return $this
+     * @return static
      */
     public function floor($precision = null)
     {
@@ -2204,7 +2341,7 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
      *
      * @param float|int|string|\DateInterval|null $precision
      *
-     * @return $this
+     * @return static
      */
     public function ceil($precision = null)
     {
@@ -2393,9 +2530,9 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
     protected function handleChangedParameters()
     {
         if (($this->getOptions() & static::IMMUTABLE) && $this->dateClass === Carbon::class) {
-            $this->setDateClass(CarbonImmutable::class);
+            $this->dateClass = CarbonImmutable::class;
         } elseif (!($this->getOptions() & static::IMMUTABLE) && $this->dateClass === CarbonImmutable::class) {
-            $this->setDateClass(Carbon::class);
+            $this->dateClass = Carbon::class;
         }
 
         $this->validationResult = null;
@@ -2555,14 +2692,51 @@ class CarbonPeriod implements Iterator, Countable, JsonSerializable
         if (\is_string($value)) {
             $value = trim($value);
 
-            if (!preg_match('/^P[0-9T]/', $value) &&
-                !preg_match('/^R[0-9]/', $value) &&
-                preg_match('/[a-z0-9]/i', $value)
+            if (!preg_match('/^P[\dT]/', $value) &&
+                !preg_match('/^R\d/', $value) &&
+                preg_match('/[a-z\d]/i', $value)
             ) {
-                return Carbon::parse($value, $this->tzName);
+                $dateClass = $this->dateClass;
+
+                return $dateClass::parse($value, $this->tzName);
             }
         }
 
         return null;
     }
+
+    private function isInfiniteDate($date): bool
+    {
+        return $date instanceof CarbonInterface && ($date->isEndOfTime() || $date->isStartOfTime());
+    }
+
+    private function rawDate($date): ?DateTimeInterface
+    {
+        if ($date === false || $date === null) {
+            return null;
+        }
+
+        if ($date instanceof CarbonInterface) {
+            return $date->isMutable()
+                ? $date->toDateTime()
+                : $date->toDateTimeImmutable();
+        }
+
+        if (\in_array(\get_class($date), [DateTime::class, DateTimeImmutable::class], true)) {
+            return $date;
+        }
+
+        $class = $date instanceof DateTime ? DateTime::class : DateTimeImmutable::class;
+
+        return new $class($date->format('Y-m-d H:i:s.u'), $date->getTimezone());
+    }
+
+    private static function setDefaultParameters(array &$parameters, array $defaults): void
+    {
+        foreach ($defaults as [$index, $name, $value]) {
+            if (!\array_key_exists($index, $parameters) && !\array_key_exists($name, $parameters)) {
+                $parameters[$index] = $value;
+            }
+        }
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriodImmutable.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriodImmutable.php
new file mode 100644
index 000000000..f0d0ee281
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonPeriodImmutable.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon;
+
+class CarbonPeriodImmutable extends CarbonPeriod
+{
+    /**
+     * Default date class of iteration items.
+     *
+     * @var string
+     */
+    protected const DEFAULT_DATE_CLASS = CarbonImmutable::class;
+
+    /**
+     * Date class of iteration items.
+     *
+     * @var string
+     */
+    protected $dateClass = CarbonImmutable::class;
+
+    /**
+     * Prepare the instance to be set (self if mutable to be mutated,
+     * copy if immutable to generate a new instance).
+     *
+     * @return static
+     */
+    protected function copyIfImmutable()
+    {
+        return $this->constructed ? clone $this : $this;
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonTimeZone.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonTimeZone.php
index b4d16ba97..c81899f1e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonTimeZone.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/CarbonTimeZone.php
@@ -30,7 +30,7 @@ class CarbonTimeZone extends DateTimeZone
             throw new InvalidTimeZoneException('Absolute timezone offset cannot be greater than 100.');
         }
 
-        return ($timezone >= 0 ? '+' : '').$timezone.':00';
+        return ($timezone >= 0 ? '+' : '').ltrim($timezone, '+').':00';
     }
 
     protected static function getDateTimeZoneNameFromMixed($timezone)
@@ -101,15 +101,15 @@ class CarbonTimeZone extends DateTimeZone
             $tz = static::getDateTimeZoneFromName($object);
         }
 
-        if ($tz === false) {
-            if (Carbon::isStrictModeEnabled()) {
-                throw new InvalidTimeZoneException('Unknown or bad timezone ('.($objectDump ?: $object).')');
-            }
-
-            return false;
+        if ($tz !== false) {
+            return new static($tz->getName());
         }
 
-        return new static($tz->getName());
+        if (Carbon::isStrictModeEnabled()) {
+            throw new InvalidTimeZoneException('Unknown or bad timezone ('.($objectDump ?: $object).')');
+        }
+
+        return false;
     }
 
     /**
@@ -231,15 +231,15 @@ class CarbonTimeZone extends DateTimeZone
     {
         $tz = $this->toRegionName($date);
 
-        if ($tz === false) {
-            if (Carbon::isStrictModeEnabled()) {
-                throw new InvalidTimeZoneException('Unknown timezone for offset '.$this->getOffset($date ?: Carbon::now($this)).' seconds.');
-            }
-
-            return false;
+        if ($tz !== false) {
+            return new static($tz);
         }
 
-        return new static($tz);
+        if (Carbon::isStrictModeEnabled()) {
+            throw new InvalidTimeZoneException('Unknown timezone for offset '.$this->getOffset($date ?: Carbon::now($this)).' seconds.');
+        }
+
+        return false;
     }
 
     /**
@@ -252,6 +252,18 @@ class CarbonTimeZone extends DateTimeZone
         return $this->getName();
     }
 
+    /**
+     * Return the type number:
+     *
+     * Type 1; A UTC offset, such as -0300
+     * Type 2; A timezone abbreviation, such as GMT
+     * Type 3: A timezone identifier, such as Europe/London
+     */
+    public function getType(): int
+    {
+        return preg_match('/"timezone_type";i:(\d)/', serialize($this), $match) ? (int) $match[1] : 3;
+    }
+
     /**
      * Create a CarbonTimeZone from mixed input.
      *
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonDoctrineType.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonDoctrineType.php
deleted file mode 100644
index ccc457fcd..000000000
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonDoctrineType.php
+++ /dev/null
@@ -1,23 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon\Doctrine;
-
-use Doctrine\DBAL\Platforms\AbstractPlatform;
-
-interface CarbonDoctrineType
-{
-    public function getSQLDeclaration(array $fieldDeclaration, AbstractPlatform $platform);
-
-    public function convertToPHPValue($value, AbstractPlatform $platform);
-
-    public function convertToDatabaseValue($value, AbstractPlatform $platform);
-}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonImmutableType.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonImmutableType.php
deleted file mode 100644
index bf476a77e..000000000
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonImmutableType.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon\Doctrine;
-
-use Doctrine\DBAL\Platforms\AbstractPlatform;
-
-class CarbonImmutableType extends DateTimeImmutableType implements CarbonDoctrineType
-{
-    /**
-     * {@inheritdoc}
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return 'carbon_immutable';
-    }
-
-    /**
-     * {@inheritdoc}
-     *
-     * @return bool
-     */
-    public function requiresSQLCommentHint(AbstractPlatform $platform)
-    {
-        return true;
-    }
-}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonType.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonType.php
deleted file mode 100644
index 9289d84d3..000000000
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/CarbonType.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon\Doctrine;
-
-use Doctrine\DBAL\Platforms\AbstractPlatform;
-
-class CarbonType extends DateTimeType implements CarbonDoctrineType
-{
-    /**
-     * {@inheritdoc}
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return 'carbon';
-    }
-
-    /**
-     * {@inheritdoc}
-     *
-     * @return bool
-     */
-    public function requiresSQLCommentHint(AbstractPlatform $platform)
-    {
-        return true;
-    }
-}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeType.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeType.php
deleted file mode 100644
index 29b0bb955..000000000
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Doctrine/DateTimeType.php
+++ /dev/null
@@ -1,16 +0,0 @@
-<?php
-
-/**
- * Thanks to https://github.com/flaushi for his suggestion:
- * https://github.com/doctrine/dbal/issues/2873#issuecomment-534956358
- */
-namespace Carbon\Doctrine;
-
-use Carbon\Carbon;
-use Doctrine\DBAL\Types\VarDateTimeType;
-
-class DateTimeType extends VarDateTimeType implements CarbonDoctrineType
-{
-    /** @use CarbonTypeConverter<Carbon> */
-    use CarbonTypeConverter;
-}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadComparisonUnitException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadComparisonUnitException.php
index b3a087190..3ca8837d1 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadComparisonUnitException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadComparisonUnitException.php
@@ -11,19 +11,38 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
+use Throwable;
 
 class BadComparisonUnitException extends UnitException
 {
+    /**
+     * The unit.
+     *
+     * @var string
+     */
+    protected $unit;
+
     /**
      * Constructor.
      *
      * @param string         $unit
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($unit, $code = 0, Exception $previous = null)
+    public function __construct($unit, $code = 0, Throwable $previous = null)
     {
+        $this->unit = $unit;
+
         parent::__construct("Bad comparison unit: '$unit'", $code, $previous);
     }
+
+    /**
+     * Get the unit.
+     *
+     * @return string
+     */
+    public function getUnit(): string
+    {
+        return $this->unit;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentConstructorException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentConstructorException.php
index d5cd5564c..2e222e54e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentConstructorException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentConstructorException.php
@@ -12,19 +12,38 @@
 namespace Carbon\Exceptions;
 
 use BadMethodCallException as BaseBadMethodCallException;
-use Exception;
+use Throwable;
 
 class BadFluentConstructorException extends BaseBadMethodCallException implements BadMethodCallException
 {
+    /**
+     * The method.
+     *
+     * @var string
+     */
+    protected $method;
+
     /**
      * Constructor.
      *
      * @param string         $method
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($method, $code = 0, Exception $previous = null)
+    public function __construct($method, $code = 0, Throwable $previous = null)
     {
+        $this->method = $method;
+
         parent::__construct(sprintf("Unknown fluent constructor '%s'.", $method), $code, $previous);
     }
+
+    /**
+     * Get the method.
+     *
+     * @return string
+     */
+    public function getMethod(): string
+    {
+        return $this->method;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentSetterException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentSetterException.php
index 1d7ec542a..4ceaa2ef0 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentSetterException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadFluentSetterException.php
@@ -12,19 +12,38 @@
 namespace Carbon\Exceptions;
 
 use BadMethodCallException as BaseBadMethodCallException;
-use Exception;
+use Throwable;
 
 class BadFluentSetterException extends BaseBadMethodCallException implements BadMethodCallException
 {
+    /**
+     * The setter.
+     *
+     * @var string
+     */
+    protected $setter;
+
     /**
      * Constructor.
      *
-     * @param string         $method
+     * @param string         $setter
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($method, $code = 0, Exception $previous = null)
+    public function __construct($setter, $code = 0, Throwable $previous = null)
     {
-        parent::__construct(sprintf("Unknown fluent setter '%s'", $method), $code, $previous);
+        $this->setter = $setter;
+
+        parent::__construct(sprintf("Unknown fluent setter '%s'", $setter), $code, $previous);
+    }
+
+    /**
+     * Get the setter.
+     *
+     * @return string
+     */
+    public function getSetter(): string
+    {
+        return $this->setter;
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadMethodCallException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadMethodCallException.php
index 73c2dd86f..108206d3e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadMethodCallException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/BadMethodCallException.php
@@ -13,4 +13,5 @@ namespace Carbon\Exceptions;
 
 interface BadMethodCallException extends Exception
 {
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/EndLessPeriodException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/EndLessPeriodException.php
new file mode 100644
index 000000000..e10492693
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/EndLessPeriodException.php
@@ -0,0 +1,19 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\Exceptions;
+
+use RuntimeException as BaseRuntimeException;
+
+final class EndLessPeriodException extends BaseRuntimeException implements RuntimeException
+{
+    //
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/Exception.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/Exception.php
index 3bbbd77d5..8ad747e75 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/Exception.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/Exception.php
@@ -13,4 +13,5 @@ namespace Carbon\Exceptions;
 
 interface Exception
 {
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ImmutableException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ImmutableException.php
index a48d4f936..db334c6c9 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ImmutableException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ImmutableException.php
@@ -11,20 +11,38 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use RuntimeException as BaseRuntimeException;
+use Throwable;
 
 class ImmutableException extends BaseRuntimeException implements RuntimeException
 {
+    /**
+     * The value.
+     *
+     * @var string
+     */
+    protected $value;
+
     /**
      * Constructor.
      *
      * @param string         $value    the immutable type/value
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($value, $code = 0, Exception $previous = null)
+    public function __construct($value, $code = 0, Throwable $previous = null)
     {
+        $this->value = $value;
         parent::__construct("$value is immutable.", $code, $previous);
     }
+
+    /**
+     * Get the value.
+     *
+     * @return string
+     */
+    public function getValue(): string
+    {
+        return $this->value;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidArgumentException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidArgumentException.php
index 9739f4d18..5b013cd50 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidArgumentException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidArgumentException.php
@@ -13,4 +13,5 @@ namespace Carbon\Exceptions;
 
 interface InvalidArgumentException extends Exception
 {
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidCastException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidCastException.php
index d2f370199..a421401f6 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidCastException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidCastException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidCastException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidDateException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidDateException.php
index 99bb91c05..c9ecb6b06 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidDateException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidDateException.php
@@ -11,8 +11,8 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 class InvalidDateException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
@@ -36,9 +36,9 @@ class InvalidDateException extends BaseInvalidArgumentException implements Inval
      * @param string         $field
      * @param mixed          $value
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($field, $value, $code = 0, Exception $previous = null)
+    public function __construct($field, $value, $code = 0, Throwable $previous = null)
     {
         $this->field = $field;
         $this->value = $value;
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidFormatException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidFormatException.php
index 3341b49d0..92d55fe35 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidFormatException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidFormatException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidFormatException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidIntervalException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidIntervalException.php
index 5f9f142ee..69cf4128a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidIntervalException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidIntervalException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidIntervalException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodDateException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodDateException.php
index a37e3f5ec..9bd84a96d 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodDateException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodDateException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidPeriodDateException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodParameterException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodParameterException.php
index ede47712b..cf2c90240 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodParameterException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidPeriodParameterException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidPeriodParameterException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTimeZoneException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTimeZoneException.php
index 892e16e81..f72595583 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTimeZoneException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTimeZoneException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidTimeZoneException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTypeException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTypeException.php
index 3fbe3fc47..2c8ec9ba0 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTypeException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/InvalidTypeException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class InvalidTypeException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotACarbonClassException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotACarbonClassException.php
index 2b4c48e32..7a87632c4 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotACarbonClassException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotACarbonClassException.php
@@ -12,24 +12,39 @@
 namespace Carbon\Exceptions;
 
 use Carbon\CarbonInterface;
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 class NotACarbonClassException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
+    /**
+     * The className.
+     *
+     * @var string
+     */
+    protected $className;
+
     /**
      * Constructor.
      *
      * @param string         $className
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($className, $code = 0, Exception $previous = null)
+    public function __construct($className, $code = 0, Throwable $previous = null)
     {
-        parent::__construct(sprintf(
-            'Given class does not implement %s: %s',
-            CarbonInterface::class,
-            $className
-        ), $code, $previous);
+        $this->className = $className;
+
+        parent::__construct(sprintf('Given class does not implement %s: %s', CarbonInterface::class, $className), $code, $previous);
+    }
+
+    /**
+     * Get the className.
+     *
+     * @return string
+     */
+    public function getClassName(): string
+    {
+        return $this->className;
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotAPeriodException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotAPeriodException.php
index 41bb62902..4edd7a484 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotAPeriodException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotAPeriodException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class NotAPeriodException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotLocaleAwareException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotLocaleAwareException.php
index adbc36cd5..f2c546843 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotLocaleAwareException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/NotLocaleAwareException.php
@@ -11,8 +11,8 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 class NotLocaleAwareException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
@@ -21,9 +21,9 @@ class NotLocaleAwareException extends BaseInvalidArgumentException implements In
      *
      * @param mixed          $object
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($object, $code = 0, Exception $previous = null)
+    public function __construct($object, $code = 0, Throwable $previous = null)
     {
         $dump = \is_object($object) ? \get_class($object) : \gettype($object);
 
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/OutOfRangeException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/OutOfRangeException.php
index 54822d954..2c586d0b7 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/OutOfRangeException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/OutOfRangeException.php
@@ -11,8 +11,8 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 // This will extends OutOfRangeException instead of InvalidArgumentException since 3.0.0
 // use OutOfRangeException as BaseOutOfRangeException;
@@ -55,9 +55,9 @@ class OutOfRangeException extends BaseInvalidArgumentException implements Invali
      * @param mixed          $max
      * @param mixed          $value
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($unit, $min, $max, $value, $code = 0, Exception $previous = null)
+    public function __construct($unit, $min, $max, $value, $code = 0, Throwable $previous = null)
     {
         $this->unit = $unit;
         $this->min = $min;
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ParseErrorException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ParseErrorException.php
index 0314c5d88..5416fd149 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ParseErrorException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/ParseErrorException.php
@@ -11,23 +11,78 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 class ParseErrorException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
+    /**
+     * The expected.
+     *
+     * @var string
+     */
+    protected $expected;
+
+    /**
+     * The actual.
+     *
+     * @var string
+     */
+    protected $actual;
+
+    /**
+     * The help message.
+     *
+     * @var string
+     */
+    protected $help;
+
     /**
      * Constructor.
      *
      * @param string         $expected
      * @param string         $actual
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($expected, $actual, $help = '', $code = 0, Exception $previous = null)
+    public function __construct($expected, $actual, $help = '', $code = 0, Throwable $previous = null)
     {
+        $this->expected = $expected;
+        $this->actual = $actual;
+        $this->help = $help;
+
         $actual = $actual === '' ? 'data is missing' : "get '$actual'";
 
         parent::__construct(trim("Format expected $expected but $actual\n$help"), $code, $previous);
     }
+
+    /**
+     * Get the expected.
+     *
+     * @return string
+     */
+    public function getExpected(): string
+    {
+        return $this->expected;
+    }
+
+    /**
+     * Get the actual.
+     *
+     * @return string
+     */
+    public function getActual(): string
+    {
+        return $this->actual;
+    }
+
+    /**
+     * Get the help message.
+     *
+     * @return string
+     */
+    public function getHelp(): string
+    {
+        return $this->help;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/RuntimeException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/RuntimeException.php
index 24bf5a68b..ad196f79d 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/RuntimeException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/RuntimeException.php
@@ -13,4 +13,5 @@ namespace Carbon\Exceptions;
 
 interface RuntimeException extends Exception
 {
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitException.php
index 8bd8653e1..ee99953b4 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
 
 class UnitException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitNotConfiguredException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitNotConfiguredException.php
index 39ee12c5b..0e7230563 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitNotConfiguredException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnitNotConfiguredException.php
@@ -11,19 +11,38 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
+use Throwable;
 
 class UnitNotConfiguredException extends UnitException
 {
+    /**
+     * The unit.
+     *
+     * @var string
+     */
+    protected $unit;
+
     /**
      * Constructor.
      *
      * @param string         $unit
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($unit, $code = 0, Exception $previous = null)
+    public function __construct($unit, $code = 0, Throwable $previous = null)
     {
+        $this->unit = $unit;
+
         parent::__construct("Unit $unit have no configuration to get total from other units.", $code, $previous);
     }
+
+    /**
+     * Get the unit.
+     *
+     * @return string
+     */
+    public function getUnit(): string
+    {
+        return $this->unit;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownGetterException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownGetterException.php
index 6c8c01b6c..5c504975a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownGetterException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownGetterException.php
@@ -11,20 +11,39 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 class UnknownGetterException extends BaseInvalidArgumentException implements InvalidArgumentException
 {
+    /**
+     * The getter.
+     *
+     * @var string
+     */
+    protected $getter;
+
     /**
      * Constructor.
      *
-     * @param string         $name     getter name
+     * @param string         $getter   getter name
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($name, $code = 0, Exception $previous = null)
+    public function __construct($getter, $code = 0, Throwable $previous = null)
     {
-        parent::__construct("Unknown getter '$name'", $code, $previous);
+        $this->getter = $getter;
+
+        parent::__construct("Unknown getter '$getter'", $code, $previous);
+    }
+
+    /**
+     * Get the getter.
+     *
+     * @return string
+     */
+    public function getGetter(): string
+    {
+        return $this->getter;
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownMethodException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownMethodException.php
index 901db986a..75273a706 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownMethodException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownMethodException.php
@@ -12,19 +12,38 @@
 namespace Carbon\Exceptions;
 
 use BadMethodCallException as BaseBadMethodCallException;
-use Exception;
+use Throwable;
 
 class UnknownMethodException extends BaseBadMethodCallException implements BadMethodCallException
 {
+    /**
+     * The method.
+     *
+     * @var string
+     */
+    protected $method;
+
     /**
      * Constructor.
      *
      * @param string         $method
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($method, $code = 0, Exception $previous = null)
+    public function __construct($method, $code = 0, Throwable $previous = null)
     {
+        $this->method = $method;
+
         parent::__construct("Method $method does not exist.", $code, $previous);
     }
+
+    /**
+     * Get the method.
+     *
+     * @return string
+     */
+    public function getMethod(): string
+    {
+        return $this->method;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownSetterException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownSetterException.php
index c9e9c9ff2..a795f5d72 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownSetterException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownSetterException.php
@@ -11,20 +11,39 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use InvalidArgumentException as BaseInvalidArgumentException;
+use Throwable;
 
 class UnknownSetterException extends BaseInvalidArgumentException implements BadMethodCallException
 {
+    /**
+     * The setter.
+     *
+     * @var string
+     */
+    protected $setter;
+
     /**
      * Constructor.
      *
-     * @param string         $name     setter name
+     * @param string         $setter   setter name
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($name, $code = 0, Exception $previous = null)
+    public function __construct($setter, $code = 0, Throwable $previous = null)
     {
-        parent::__construct("Unknown setter '$name'", $code, $previous);
+        $this->setter = $setter;
+
+        parent::__construct("Unknown setter '$setter'", $code, $previous);
+    }
+
+    /**
+     * Get the setter.
+     *
+     * @return string
+     */
+    public function getSetter(): string
+    {
+        return $this->setter;
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownUnitException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownUnitException.php
index d965c82ae..ecd7f7a59 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownUnitException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnknownUnitException.php
@@ -11,19 +11,38 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
+use Throwable;
 
 class UnknownUnitException extends UnitException
 {
+    /**
+     * The unit.
+     *
+     * @var string
+     */
+    protected $unit;
+
     /**
      * Constructor.
      *
      * @param string         $unit
      * @param int            $code
-     * @param Exception|null $previous
+     * @param Throwable|null $previous
      */
-    public function __construct($unit, $code = 0, Exception $previous = null)
+    public function __construct($unit, $code = 0, Throwable $previous = null)
     {
+        $this->unit = $unit;
+
         parent::__construct("Unknown unit '$unit'.", $code, $previous);
     }
+
+    /**
+     * Get the unit.
+     *
+     * @return string
+     */
+    public function getUnit(): string
+    {
+        return $this->unit;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnreachableException.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnreachableException.php
index 6f8b39f5f..1654ab11b 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnreachableException.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Exceptions/UnreachableException.php
@@ -11,20 +11,9 @@
 
 namespace Carbon\Exceptions;
 
-use Exception;
 use RuntimeException as BaseRuntimeException;
 
 class UnreachableException extends BaseRuntimeException implements RuntimeException
 {
-    /**
-     * Constructor.
-     *
-     * @param string         $message
-     * @param int            $code
-     * @param Exception|null $previous
-     */
-    public function __construct($message, $code = 0, Exception $previous = null)
-    {
-        parent::__construct($message, $code, $previous);
-    }
+    //
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Factory.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Factory.php
index f8c72890c..d497535f7 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Factory.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Factory.php
@@ -177,10 +177,10 @@ use ReflectionMethod;
  *                                                                                                                                                                                         parameter of null.
  *                                                                                                                                                                                         /!\ Use this method for unit tests only.
  * @method void                                               setToStringFormat($format)                                                                                                   @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
- *                                                                                                                                                                                                     You should rather let Carbon object being casted to string with DEFAULT_TO_STRING_FORMAT, and
- *                                                                                                                                                                                                     use other method or custom format passed to format() method if you need to dump an other string
+ *                                                                                                                                                                                                     You should rather let Carbon object being cast to string with DEFAULT_TO_STRING_FORMAT, and
+ *                                                                                                                                                                                                     use other method or custom format passed to format() method if you need to dump another string
  *                                                                                                                                                                                                     format.
- *                                                                                                                                                                                         Set the default format used when type juggling a Carbon instance to a string
+ *                                                                                                                                                                                         Set the default format used when type juggling a Carbon instance to a string.
  * @method void                                               setTranslator(TranslatorInterface $translator)                                                                               Set the default translator instance to use.
  * @method Carbon                                             setUtf8($utf8)                                                                                                               @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
  *                                                                                                                                                                                                     You should rather use UTF-8 language packages on every machine.
@@ -231,7 +231,7 @@ use ReflectionMethod;
  *                                                                                                                                                                                                     You should rather use the ->settings() method.
  *                                                                                                                                                                                                     Or you can use method variants: addYearsWithOverflow/addYearsNoOverflow, same variants
  *                                                                                                                                                                                                     are available for quarters, years, decade, centuries, millennia (singular and plural forms).
- * @method mixed                                              withTestNow($testNow = null, $callback = null)                                                                               Temporarily sets a static date to be used within the callback.
+ * @method mixed                                              withTestNow($testNow, $callback)                                                                                             Temporarily sets a static date to be used within the callback.
  *                                                                                                                                                                                         Using setTestNow to set the date, executing the callback, then
  *                                                                                                                                                                                         clearing the test instance.
  *                                                                                                                                                                                         /!\ Use this method for unit tests only.
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/FactoryImmutable.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/FactoryImmutable.php
index 596ee8064..d88a1cf67 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/FactoryImmutable.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/FactoryImmutable.php
@@ -12,6 +12,9 @@
 namespace Carbon;
 
 use Closure;
+use DateTimeImmutable;
+use DateTimeZone;
+use Psr\Clock\ClockInterface;
 
 /**
  * A factory to generate CarbonImmutable instances with common settings.
@@ -111,7 +114,6 @@ use Closure;
  * @method CarbonImmutable                                    maxValue()                                                                                                                   Create a Carbon instance for the greatest supported date.
  * @method CarbonImmutable                                    minValue()                                                                                                                   Create a Carbon instance for the lowest supported date.
  * @method void                                               mixin($mixin)                                                                                                                Mix another object into the class.
- * @method CarbonImmutable                                    now($tz = null)                                                                                                              Get a Carbon instance for the current date and time.
  * @method CarbonImmutable                                    parse($time = null, $tz = null)                                                                                              Create a carbon instance from a string.
  *                                                                                                                                                                                         This is an alias for the constructor that allows better fluent syntax
  *                                                                                                                                                                                         as it allows you to do Carbon::parse('Monday next week')->fn() rather
@@ -175,10 +177,10 @@ use Closure;
  *                                                                                                                                                                                         parameter of null.
  *                                                                                                                                                                                         /!\ Use this method for unit tests only.
  * @method void                                               setToStringFormat($format)                                                                                                   @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
- *                                                                                                                                                                                                     You should rather let Carbon object being casted to string with DEFAULT_TO_STRING_FORMAT, and
- *                                                                                                                                                                                                     use other method or custom format passed to format() method if you need to dump an other string
+ *                                                                                                                                                                                                     You should rather let Carbon object being cast to string with DEFAULT_TO_STRING_FORMAT, and
+ *                                                                                                                                                                                                     use other method or custom format passed to format() method if you need to dump another string
  *                                                                                                                                                                                                     format.
- *                                                                                                                                                                                         Set the default format used when type juggling a Carbon instance to a string
+ *                                                                                                                                                                                         Set the default format used when type juggling a Carbon instance to a string.
  * @method void                                               setTranslator(TranslatorInterface $translator)                                                                               Set the default translator instance to use.
  * @method CarbonImmutable                                    setUtf8($utf8)                                                                                                               @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
  *                                                                                                                                                                                                     You should rather use UTF-8 language packages on every machine.
@@ -229,7 +231,7 @@ use Closure;
  *                                                                                                                                                                                                     You should rather use the ->settings() method.
  *                                                                                                                                                                                                     Or you can use method variants: addYearsWithOverflow/addYearsNoOverflow, same variants
  *                                                                                                                                                                                                     are available for quarters, years, decade, centuries, millennia (singular and plural forms).
- * @method mixed                                              withTestNow($testNow = null, $callback = null)                                                                               Temporarily sets a static date to be used within the callback.
+ * @method mixed                                              withTestNow($testNow, $callback)                                                                                             Temporarily sets a static date to be used within the callback.
  *                                                                                                                                                                                         Using setTestNow to set the date, executing the callback, then
  *                                                                                                                                                                                         clearing the test instance.
  *                                                                                                                                                                                         /!\ Use this method for unit tests only.
@@ -237,7 +239,21 @@ use Closure;
  *
  * </autodoc>
  */
-class FactoryImmutable extends Factory
+class FactoryImmutable extends Factory implements ClockInterface
 {
     protected $className = CarbonImmutable::class;
+
+    /**
+     * Get a Carbon instance for the current date and time.
+     *
+     * @param DateTimeZone|string|int|null $tz
+     *
+     * @return CarbonImmutable
+     */
+    public function now($tz = null): DateTimeImmutable
+    {
+        $className = $this->className;
+
+        return new $className(null, $tz);
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_AE.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_AE.php
index 75fe47f6d..35a22b1d2 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_AE.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_AE.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_BH.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_BH.php
index 362009e29..35180965a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_BH.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_BH.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_EG.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_EG.php
index 362009e29..35180965a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_EG.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_EG.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_IQ.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_IQ.php
index 0ac09958e..2d4200845 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_IQ.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_IQ.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_JO.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_JO.php
index 0ac09958e..2d4200845 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_JO.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_JO.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_KW.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_KW.php
index e6f0531d4..b3fb1cfec 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_KW.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_KW.php
@@ -16,6 +16,7 @@
  * - JD Isaacks
  * - Atef Ben Ali (atefBB)
  * - Mohamed Sabil (mohamedsabil83)
+ * - Abdullah-Alhariri
  */
 $months = [
     'يناير',
@@ -90,4 +91,5 @@ return [
     ],
     'meridiem' => ['ص', 'م'],
     'weekend' => [5, 6],
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_LB.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_LB.php
index 55bb10c33..2792745c6 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_LB.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_LB.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_OM.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_OM.php
index 362009e29..35180965a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_OM.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_OM.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_PS.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_PS.php
index e790b99e6..503c60d2e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_PS.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_PS.php
@@ -9,5 +9,10 @@
  * file that was distributed with this source code.
  */
 
+/*
+ * Authors:
+ * - Abdullah-Alhariri
+ */
 return array_replace_recursive(require __DIR__.'/ar.php', [
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_QA.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_QA.php
index 362009e29..35180965a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_QA.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_QA.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SA.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SA.php
index 10aaa2ede..550b0c73a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SA.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SA.php
@@ -15,6 +15,7 @@
  * - JD Isaacks
  * - Atef Ben Ali (atefBB)
  * - Mohamed Sabil (mohamedsabil83)
+ * - Abdullah-Alhariri
  */
 $months = [
     'يناير',
@@ -89,4 +90,5 @@ return [
     ],
     'meridiem' => ['ص', 'م'],
     'weekend' => [5, 6],
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SD.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SD.php
index 362009e29..35180965a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SD.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SD.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SY.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SY.php
index 0ac09958e..2d4200845 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SY.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_SY.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -24,4 +25,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_YE.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_YE.php
index 5dc29388e..169fe88a9 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_YE.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ar_YE.php
@@ -12,6 +12,7 @@
 /*
  * Authors:
  * - IBM Globalization Center of Competency, Yamato Software Laboratory    bug-glibc-locales@gnu.org
+ * - Abdullah-Alhariri
  */
 return array_replace_recursive(require __DIR__.'/ar.php', [
     'formats' => [
@@ -23,4 +24,5 @@ return array_replace_recursive(require __DIR__.'/ar.php', [
     'weekdays_short' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'weekdays_min' => ['ح', 'ن', 'ث', 'ر', 'خ', 'ج', 'س'],
     'day_of_first_week_of_year' => 1,
+    'alt_numbers' => ['۰۰', '۰۱', '۰۲', '۰۳', '۰٤', '۰٥', '۰٦', '۰۷', '۰۸', '۰۹', '۱۰', '۱۱', '۱۲', '۱۳', '۱٤', '۱٥', '۱٦', '۱۷', '۱۸', '۱۹', '۲۰', '۲۱', '۲۲', '۲۳', '۲٤', '۲٥', '۲٦', '۲۷', '۲۸', '۲۹', '۳۰', '۳۱', '۳۲', '۳۳', '۳٤', '۳٥', '۳٦', '۳۷', '۳۸', '۳۹', '٤۰', '٤۱', '٤۲', '٤۳', '٤٤', '٤٥', '٤٦', '٤۷', '٤۸', '٤۹', '٥۰', '٥۱', '٥۲', '٥۳', '٥٤', '٥٥', '٥٦', '٥۷', '٥۸', '٥۹', '٦۰', '٦۱', '٦۲', '٦۳', '٦٤', '٦٥', '٦٦', '٦۷', '٦۸', '٦۹', '۷۰', '۷۱', '۷۲', '۷۳', '۷٤', '۷٥', '۷٦', '۷۷', '۷۸', '۷۹', '۸۰', '۸۱', '۸۲', '۸۳', '۸٤', '۸٥', '۸٦', '۸۷', '۸۸', '۸۹', '۹۰', '۹۱', '۹۲', '۹۳', '۹٤', '۹٥', '۹٦', '۹۷', '۹۸', '۹۹'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/be.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/be.php
index 51b4d0cc1..ee736365a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/be.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/be.php
@@ -9,13 +9,12 @@
  * file that was distributed with this source code.
  */
 
-// @codeCoverageIgnoreStart
-
 use Carbon\CarbonInterface;
 use Symfony\Component\Translation\PluralizationRules;
 
-if (class_exists('Symfony\\Component\\Translation\\PluralizationRules')) {
-    PluralizationRules::set(function ($number) {
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
         return (($number % 10 == 1) && ($number % 100 != 11)) ? 0 : ((($number % 10 >= 2) && ($number % 10 <= 4) && (($number % 100 < 10) || ($number % 100 >= 20))) ? 1 : 2);
     }, 'be');
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ca_ES_Valencia.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ca_ES_Valencia.php
index 861acd2a0..1c16421ad 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ca_ES_Valencia.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ca_ES_Valencia.php
@@ -9,5 +9,15 @@
  * file that was distributed with this source code.
  */
 
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'ca');
+    }, 'ca_ES_Valencia');
+}
+// @codeCoverageIgnoreEnd
+
 return array_replace_recursive(require __DIR__.'/ca.php', [
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ckb.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ckb.php
new file mode 100644
index 000000000..acf4dc280
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ckb.php
@@ -0,0 +1,89 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+/*
+ * Authors:
+ * - Swara Mohammed
+ */
+$months = [
+    'ڕێبەندان',
+    'ڕەشەمە',
+    'نەورۆز',
+    'گوڵان',
+    'جۆزەردان',
+    'پوشپەڕ',
+    'گەلاوێژ',
+    'خەرمانان',
+    'ڕەزبەر',
+    'گەڵاڕێزان',
+    'سەرماوەرز',
+    'بەفرانبار',
+];
+
+return [
+    'year' => implode('|', ['{0}:count ساڵێک', '{1}ساڵێک', '{2}دوو ساڵ', ']2,11[:count ساڵ', ']10,Inf[:count ساڵ']),
+    'a_year' => implode('|', ['{0}:count ساڵێک', '{1}ساڵێک', '{2}دوو ساڵ', ']2,11[:count ساڵ', ']10,Inf[:count ساڵ']),
+    'month' => implode('|', ['{0}:count مانگێک', '{1}مانگێک', '{2}دوو مانگ', ']2,11[:count مانگ', ']10,Inf[:count مانگ']),
+    'a_month' => implode('|', ['{0}:count مانگێک', '{1}مانگێک', '{2}دوو مانگ', ']2,11[:count مانگ', ']10,Inf[:count مانگ']),
+    'week' => implode('|', ['{0}:count هەفتەیەک', '{1}هەفتەیەک', '{2}دوو هەفتە', ']2,11[:count هەفتە', ']10,Inf[:count هەفتە']),
+    'a_week' => implode('|', ['{0}:count هەفتەیەک', '{1}هەفتەیەک', '{2}دوو هەفتە', ']2,11[:count هەفتە', ']10,Inf[:count هەفتە']),
+    'day' => implode('|', ['{0}:count ڕۆژێک', '{1}ڕۆژێک', '{2}دوو ڕۆژ', ']2,11[:count ڕۆژ', ']10,Inf[:count ڕۆژ']),
+    'a_day' => implode('|', ['{0}:count ڕۆژێک', '{1}ڕۆژێک', '{2}دوو ڕۆژ', ']2,11[:count ڕۆژ', ']10,Inf[:count ڕۆژ']),
+    'hour' => implode('|', ['{0}:count کاتژمێرێک', '{1}کاتژمێرێک', '{2}دوو کاتژمێر', ']2,11[:count کاتژمێر', ']10,Inf[:count کاتژمێر']),
+    'a_hour' => implode('|', ['{0}:count کاتژمێرێک', '{1}کاتژمێرێک', '{2}دوو کاتژمێر', ']2,11[:count کاتژمێر', ']10,Inf[:count کاتژمێر']),
+    'minute' => implode('|', ['{0}:count خولەکێک', '{1}خولەکێک', '{2}دوو خولەک', ']2,11[:count خولەک', ']10,Inf[:count خولەک']),
+    'a_minute' => implode('|', ['{0}:count خولەکێک', '{1}خولەکێک', '{2}دوو خولەک', ']2,11[:count خولەک', ']10,Inf[:count خولەک']),
+    'second' => implode('|', ['{0}:count چرکەیەک', '{1}چرکەیەک', '{2}دوو چرکە', ']2,11[:count چرکە', ']10,Inf[:count چرکە']),
+    'a_second' => implode('|', ['{0}:count چرکەیەک', '{1}چرکەیەک', '{2}دوو چرکە', ']2,11[:count چرکە', ']10,Inf[:count چرکە']),
+    'ago' => 'پێش :time',
+    'from_now' => ':time لە ئێستاوە',
+    'after' => 'دوای :time',
+    'before' => 'پێش :time',
+    'diff_now' => 'ئێستا',
+    'diff_today' => 'ئەمڕۆ',
+    'diff_today_regexp' => 'ڕۆژ(?:\\s+لە)?(?:\\s+کاتژمێر)?',
+    'diff_yesterday' => 'دوێنێ',
+    'diff_yesterday_regexp' => 'دوێنێ(?:\\s+لە)?(?:\\s+کاتژمێر)?',
+    'diff_tomorrow' => 'سبەینێ',
+    'diff_tomorrow_regexp' => 'سبەینێ(?:\\s+لە)?(?:\\s+کاتژمێر)?',
+    'diff_before_yesterday' => 'پێش دوێنێ',
+    'diff_after_tomorrow' => 'دوای سبەینێ',
+    'period_recurrences' => implode('|', ['{0}جار', '{1}جار', '{2}:count دووجار', ']2,11[:count جار', ']10,Inf[:count جار']),
+    'period_interval' => 'هەموو :interval',
+    'period_start_date' => 'لە :date',
+    'period_end_date' => 'بۆ :date',
+    'months' => $months,
+    'months_short' => $months,
+    'weekdays' => ['یەکشەممە', 'دووشەممە', 'سێشەممە', 'چوارشەممە', 'پێنجشەممە', 'هەینی', 'شەممە'],
+    'weekdays_short' => ['یەکشەممە', 'دووشەممە', 'سێشەممە', 'چوارشەممە', 'پێنجشەممە', 'هەینی', 'شەممە'],
+    'weekdays_min' => ['یەکشەممە', 'دووشەممە', 'سێشەممە', 'چوارشەممە', 'پێنجشەممە', 'هەینی', 'شەممە'],
+    'list' => ['، ', ' و '],
+    'first_day_of_week' => 6,
+    'day_of_first_week_of_year' => 1,
+    'formats' => [
+        'LT' => 'HH:mm',
+        'LTS' => 'HH:mm:ss',
+        'L' => 'D/M/YYYY',
+        'LL' => 'D MMMM YYYY',
+        'LLL' => 'D MMMM YYYY HH:mm',
+        'LLLL' => 'dddd D MMMM YYYY HH:mm',
+    ],
+    'calendar' => [
+        'sameDay' => '[ئەمڕۆ لە کاتژمێر] LT',
+        'nextDay' => '[سبەینێ لە کاتژمێر] LT',
+        'nextWeek' => 'dddd [لە کاتژمێر] LT',
+        'lastDay' => '[دوێنێ لە کاتژمێر] LT',
+        'lastWeek' => 'dddd [لە کاتژمێر] LT',
+        'sameElse' => 'L',
+    ],
+    'meridiem' => ['پ.ن', 'د.ن'],
+    'weekend' => [5, 6],
+];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cs.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cs.php
index 8cff9a019..c01e3ccc8 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cs.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cs.php
@@ -101,7 +101,8 @@ return [
     'after' => $za,
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
-    'months' => ['leden', 'únor', 'březen', 'duben', 'květen', 'červen', 'červenec', 'srpen', 'září', 'říjen', 'listopad', 'prosinec'],
+    'months' => ['ledna', 'února', 'března', 'dubna', 'května', 'června', 'července', 'srpna', 'září', 'října', 'listopadu', 'prosince'],
+    'months_standalone' => ['leden', 'únor', 'březen', 'duben', 'květen', 'červen', 'červenec', 'srpen', 'září', 'říjen', 'listopad', 'prosinec'],
     'months_short' => ['led', 'úno', 'bře', 'dub', 'kvě', 'čvn', 'čvc', 'srp', 'zář', 'říj', 'lis', 'pro'],
     'weekdays' => ['neděle', 'pondělí', 'úterý', 'středa', 'čtvrtek', 'pátek', 'sobota'],
     'weekdays_short' => ['ned', 'pon', 'úte', 'stř', 'čtv', 'pát', 'sob'],
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cy.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cy.php
index ab7c45a4f..119274f01 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cy.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/cy.php
@@ -60,7 +60,7 @@ return [
     'ordinal' => function ($number) {
         return $number.(
             $number > 20
-                ? (\in_array($number, [40, 50, 60, 80, 100]) ? 'fed' : 'ain')
+                ? (\in_array((int) $number, [40, 50, 60, 80, 100], true) ? 'fed' : 'ain')
                 : ([
                     '', 'af', 'il', 'ydd', 'ydd', 'ed', 'ed', 'ed', 'fed', 'fed', 'fed', // 1af to 10fed
                     'eg', 'fed', 'eg', 'eg', 'fed', 'eg', 'eg', 'fed', 'eg', 'fed', // 11eg to 20fed
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/da.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/da.php
index 4e6640a67..322f91d5b 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/da.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/da.php
@@ -18,6 +18,7 @@
  * - Jens Herlevsen
  * - Ulrik McArdle (mcardle)
  * - Frederik Sauer (FrittenKeeZ)
+ * - Janus Bahs Jacquet (kokoshneta)
  */
 return [
     'year' => ':count år|:count år',
@@ -41,7 +42,7 @@ return [
     'second' => ':count sekund|:count sekunder',
     'a_second' => 'få sekunder|:count sekunder',
     's' => ':count s.',
-    'ago' => ':time siden',
+    'ago' => 'for :time siden',
     'from_now' => 'om :time',
     'after' => ':time efter',
     'before' => ':time før',
@@ -70,9 +71,9 @@ return [
     ],
     'ordinal' => ':number.',
     'months' => ['januar', 'februar', 'marts', 'april', 'maj', 'juni', 'juli', 'august', 'september', 'oktober', 'november', 'december'],
-    'months_short' => ['jan', 'feb', 'mar', 'apr', 'maj', 'jun', 'jul', 'aug', 'sep', 'okt', 'nov', 'dec'],
+    'months_short' => ['jan.', 'feb.', 'mar.', 'apr.', 'maj.', 'jun.', 'jul.', 'aug.', 'sep.', 'okt.', 'nov.', 'dec.'],
     'weekdays' => ['søndag', 'mandag', 'tirsdag', 'onsdag', 'torsdag', 'fredag', 'lørdag'],
-    'weekdays_short' => ['søn', 'man', 'tir', 'ons', 'tor', 'fre', 'lør'],
+    'weekdays_short' => ['søn.', 'man.', 'tir.', 'ons.', 'tor.', 'fre.', 'lør.'],
     'weekdays_min' => ['sø', 'ma', 'ti', 'on', 'to', 'fr', 'lø'],
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/de.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/de.php
index ff00c9745..3b70750e4 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/de.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/de.php
@@ -105,4 +105,13 @@ return [
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
     'list' => [', ', ' und '],
+    'ordinal_words' => [
+        'of' => 'im',
+        'first' => 'erster',
+        'second' => 'zweiter',
+        'third' => 'dritter',
+        'fourth' => 'vierten',
+        'fifth' => 'fünfter',
+        'last' => 'letzten',
+    ],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en.php
index a8633fef0..f81f617e3 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en.php
@@ -72,7 +72,7 @@ return [
         $lastDigit = $number % 10;
 
         return $number.(
-            (~~($number % 100 / 10) === 1) ? 'th' : (
+            ((int) ($number % 100 / 10) === 1) ? 'th' : (
                 ($lastDigit === 1) ? 'st' : (
                     ($lastDigit === 2) ? 'nd' : (
                         ($lastDigit === 3) ? 'rd' : 'th'
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en_CH.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en_CH.php
index e2dd81db5..10d9cd8f1 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en_CH.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/en_CH.php
@@ -11,4 +11,12 @@
 
 return array_replace_recursive(require __DIR__.'/en.php', [
     'first_day_of_week' => 1,
+    'formats' => [
+        'LT' => 'HH:mm',
+        'LTS' => 'HH:mm:ss',
+        'L' => 'DD.MM.YYYY',
+        'LL' => 'D MMMM YYYY',
+        'LLL' => 'D MMMM YYYY HH:mm',
+        'LLLL' => 'dddd D MMMM YYYY HH:mm',
+    ],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/es.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/es.php
index f77ec39c6..1c4fcfd0b 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/es.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/es.php
@@ -26,6 +26,7 @@
  * - quinterocesar
  * - Daniel Commesse Liévanos (danielcommesse)
  * - Pete Scopes (pdscopes)
+ * - gam04
  */
 
 use Carbon\CarbonInterface;
@@ -108,4 +109,13 @@ return [
     'day_of_first_week_of_year' => 4,
     'list' => [', ', ' y '],
     'meridiem' => ['a. m.', 'p. m.'],
+    'ordinal_words' => [
+        'of' => 'de',
+        'first' => 'primer',
+        'second' => 'segundo',
+        'third' => 'tercer',
+        'fourth' => 'cuarto',
+        'fifth' => 'quinto',
+        'last' => 'último',
+    ],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fi.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fi.php
index 2003e1eab..edf2d6d35 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fi.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fi.php
@@ -74,8 +74,10 @@ return [
         'LTS' => 'HH.mm:ss',
         'L' => 'D.M.YYYY',
         'LL' => 'dddd D. MMMM[ta] YYYY',
+        'll' => 'ddd D. MMM YYYY',
         'LLL' => 'D.MM. HH.mm',
         'LLLL' => 'D. MMMM[ta] YYYY HH.mm',
+        'llll' => 'D. MMM YY HH.mm',
     ],
     'weekdays' => ['sunnuntai', 'maanantai', 'tiistai', 'keskiviikko', 'torstai', 'perjantai', 'lauantai'],
     'weekdays_short' => ['su', 'ma', 'ti', 'ke', 'to', 'pe', 'la'],
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fr.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fr.php
index 73fe5e41b..f4c7247b4 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fr.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/fr.php
@@ -90,7 +90,7 @@ return [
     'weekdays_min' => ['di', 'lu', 'ma', 'me', 'je', 've', 'sa'],
     'ordinal' => function ($number, $period) {
         switch ($period) {
-            // In french, only the first has be ordinal, other number remains cardinal
+            // In French, only the first has to be ordinal, other number remains cardinal
             // @link https://fr.wikihow.com/%C3%A9crire-la-date-en-fran%C3%A7ais
             case 'D':
                 return $number.($number === 1 ? 'er' : '');
@@ -111,4 +111,13 @@ return [
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
     'list' => [', ', ' et '],
+    'ordinal_words' => [
+        'of' => 'de',
+        'first' => 'premier',
+        'second' => 'deuxième',
+        'third' => 'troisième',
+        'fourth' => 'quatrième',
+        'fifth' => 'cinquième',
+        'last' => 'dernier',
+    ],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/hu.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/hu.php
index b2d2ac113..b7583eecd 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/hu.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/hu.php
@@ -82,7 +82,7 @@ return [
     'second_before' => ':count másodperccel',
     's_before' => ':count másodperccel',
     'months' => ['január', 'február', 'március', 'április', 'május', 'június', 'július', 'augusztus', 'szeptember', 'október', 'november', 'december'],
-    'months_short' => ['jan.', 'feb.', 'márc.', 'ápr.', 'máj.', 'jún.', 'júl.', 'aug.', 'szept.', 'okt.', 'nov.', 'dec.'],
+    'months_short' => ['jan.', 'febr.', 'márc.', 'ápr.', 'máj.', 'jún.', 'júl.', 'aug.', 'szept.', 'okt.', 'nov.', 'dec.'],
     'weekdays' => ['vasárnap', 'hétfő', 'kedd', 'szerda', 'csütörtök', 'péntek', 'szombat'],
     'weekdays_short' => ['vas', 'hét', 'kedd', 'sze', 'csüt', 'pén', 'szo'],
     'weekdays_min' => ['v', 'h', 'k', 'sze', 'cs', 'p', 'sz'],
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/it.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/it.php
index 605bcbb5a..49875d7ef 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/it.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/it.php
@@ -55,7 +55,7 @@ return [
     'µs' => ':countµs',
     'ago' => ':time fa',
     'from_now' => function ($time) {
-        return (preg_match('/^[0-9].+$/', $time) ? 'tra' : 'in')." $time";
+        return (preg_match('/^\d.+$/', $time) ? 'tra' : 'in')." $time";
     },
     'after' => ':time dopo',
     'before' => ':time prima',
@@ -103,4 +103,13 @@ return [
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
     'list' => [', ', ' e '],
+    'ordinal_words' => [
+        'of' => 'di',
+        'first' => 'primo',
+        'second' => 'secondo',
+        'third' => 'terzo',
+        'fourth' => 'quarto',
+        'fifth' => 'quinto',
+        'last' => 'ultimo',
+    ],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ku.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ku.php
index b001e3015..189960c8a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ku.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ku.php
@@ -11,31 +11,29 @@
 
 /*
  * Authors:
- * - Halwest Manguri
- * - Kardo Qadir
+ * - Unicode, Inc.
  */
-$months = ['کانونی دووەم', 'شوبات', 'ئازار', 'نیسان', 'ئایار', '‌حوزەیران', 'تەمموز', 'ئاب', 'ئەیلول', 'تشرینی یەکەم', 'تشرینی دووەم', 'کانونی یەکەم'];
-
-$weekdays = ['دوو شەممە', 'سێ شەممە', 'چوار شەممە', 'پێنج شەممە', 'هەینی', 'شەممە', 'یەک شەممە'];
 
 return [
-    'ago' => 'پێش :time',
-    'from_now' => ':time لە ئێستاوە',
-    'after' => 'دوای :time',
-    'before' => 'پێش :time',
-    'year' => '{0}ساڵ|{1}ساڵێک|{2}٢ ساڵ|[3,10]:count ساڵ|[11,Inf]:count ساڵ',
-    'month' => '{0}مانگ|{1}مانگێک|{2}٢ مانگ|[3,10]:count مانگ|[11,Inf]:count مانگ',
-    'week' => '{0}هەفتە|{1}هەفتەیەک|{2}٢ هەفتە|[3,10]:count هەفتە|[11,Inf]:count هەفتە',
-    'day' => '{0}ڕۆژ|{1}ڕۆژێک|{2}٢ ڕۆژ|[3,10]:count ڕۆژ|[11,Inf]:count ڕۆژ',
-    'hour' => '{0}کاتژمێر|{1}کاتژمێرێک|{2}٢ کاتژمێر|[3,10]:count کاتژمێر|[11,Inf]:count کاتژمێر',
-    'minute' => '{0}خولەک|{1}خولەکێک|{2}٢ خولەک|[3,10]:count خولەک|[11,Inf]:count خولەک',
-    'second' => '{0}چرکە|{1}چرکەیەک|{2}٢ چرکە|[3,10]:count چرکە|[11,Inf]:count چرکە',
-    'months' => $months,
-    'months_standalone' => $months,
-    'months_short' => $months,
-    'weekdays' => $weekdays,
-    'weekdays_short' => $weekdays,
-    'weekdays_min' => $weekdays,
+    'ago' => 'berî :time',
+    'from_now' => 'di :time de',
+    'after' => ':time piştî',
+    'before' => ':time berê',
+    'year' => ':count sal',
+    'year_ago' => ':count salê|:count salan',
+    'year_from_now' => 'salekê|:count salan',
+    'month' => ':count meh',
+    'week' => ':count hefte',
+    'day' => ':count roj',
+    'hour' => ':count saet',
+    'minute' => ':count deqîqe',
+    'second' => ':count saniye',
+    'months' => ['rêbendanê', 'reşemiyê', 'adarê', 'avrêlê', 'gulanê', 'pûşperê', 'tîrmehê', 'gelawêjê', 'rezberê', 'kewçêrê', 'sermawezê', 'berfanbarê'],
+    'months_standalone' => ['rêbendan', 'reşemî', 'adar', 'avrêl', 'gulan', 'pûşper', 'tîrmeh', 'gelawêj', 'rezber', 'kewçêr', 'sermawez', 'berfanbar'],
+    'months_short' => ['rêb', 'reş', 'ada', 'avr', 'gul', 'pûş', 'tîr', 'gel', 'rez', 'kew', 'ser', 'ber'],
+    'weekdays' => ['yekşem', 'duşem', 'sêşem', 'çarşem', 'pêncşem', 'în', 'şemî'],
+    'weekdays_short' => ['yş', 'dş', 'sş', 'çş', 'pş', 'în', 'ş'],
+    'weekdays_min' => ['Y', 'D', 'S', 'Ç', 'P', 'Î', 'Ş'],
     'list' => [', ', ' û '],
     'first_day_of_week' => 6,
     'day_of_first_week_of_year' => 1,
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/lv.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/lv.php
index 693eceb5a..d5cba7ca0 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/lv.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/lv.php
@@ -176,7 +176,8 @@ return [
     'weekdays' => $daysOfWeek,
     'weekdays_short' => ['Sv.', 'P.', 'O.', 'T.', 'C.', 'Pk.', 'S.'],
     'weekdays_min' => ['Sv.', 'P.', 'O.', 'T.', 'C.', 'Pk.', 'S.'],
-    'months' => ['janvārī', 'februārī', 'martā', 'aprīlī', 'maijā', 'jūnijā', 'jūlijā', 'augustā', 'septembrī', 'oktobrī', 'novembrī', 'decembrī'],
+    'months' => ['janvāris', 'februāris', 'marts', 'aprīlis', 'maijs', 'jūnijs', 'jūlijs', 'augusts', 'septembris', 'oktobris', 'novembris', 'decembris'],
+    'months_standalone' => ['janvārī', 'februārī', 'martā', 'aprīlī', 'maijā', 'jūnijā', 'jūlijā', 'augustā', 'septembrī', 'oktobrī', 'novembrī', 'decembrī'],
     'months_short' => ['janv.', 'febr.', 'martā', 'apr.', 'maijā', 'jūn.', 'jūl.', 'aug.', 'sept.', 'okt.', 'nov.', 'dec.'],
     'meridiem' => ['priekšpusdiena', 'pēcpusdiena'],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/mn.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/mn.php
index 717d199bc..38c6434d3 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/mn.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/mn.php
@@ -26,6 +26,7 @@
  * - Nicolás Hock Isaza
  * - Ochirkhuyag
  * - Batmandakh
+ * - lucifer-crybaby
  */
 return [
     'year' => ':count жил',
@@ -43,38 +44,55 @@ return [
     'second' => ':count секунд',
     's' => ':countс',
 
-    'ago' => ':timeн өмнө',
-    'year_ago' => ':count жилий',
-    'month_ago' => ':count сары',
-    'day_ago' => ':count хоногий',
-    'hour_ago' => ':count цагий',
-    'minute_ago' => ':count минуты',
-    'second_ago' => ':count секунды',
+    'ago_mode' => 'last',
+    'ago' => ':time өмнө',
+    'year_ago' => ':count жилийн',
+    'y_ago' => ':count жилийн',
+    'month_ago' => ':count сарын',
+    'm_ago' => ':count сарын',
+    'day_ago' => ':count хоногийн',
+    'd_ago' => ':count хоногийн',
+    'week_ago' => ':count долоо хоногийн',
+    'w_ago' => ':count долоо хоногийн',
+    'hour_ago' => ':count цагийн',
+    'minute_ago' => ':count минутын',
+    'second_ago' => ':count секундын',
 
+    'from_now_mode' => 'last',
     'from_now' => 'одоогоос :time',
     'year_from_now' => ':count жилийн дараа',
+    'y_from_now' => ':count жилийн дараа',
     'month_from_now' => ':count сарын дараа',
+    'm_from_now' => ':count сарын дараа',
     'day_from_now' => ':count хоногийн дараа',
+    'd_from_now' => ':count хоногийн дараа',
     'hour_from_now' => ':count цагийн дараа',
     'minute_from_now' => ':count минутын дараа',
     'second_from_now' => ':count секундын дараа',
 
-    // Does it required to make translation for before, after as follows? hmm, I think we've made it with ago and from now keywords already. Anyway, I've included it just in case of undesired action...
-    'after' => ':timeн дараа',
-    'year_after' => ':count жилий',
-    'month_after' => ':count сары',
-    'day_after' => ':count хоногий',
-    'hour_after' => ':count цагий',
-    'minute_after' => ':count минуты',
-    'second_after' => ':count секунды',
+    'after_mode' => 'last',
+    'after' => ':time дараа',
+    'year_after' => ':count жилийн',
+    'y_after' => ':count жилийн',
+    'month_after' => ':count сарын',
+    'm_after' => ':count сарын',
+    'day_after' => ':count хоногийн',
+    'd_after' => ':count хоногийн',
+    'hour_after' => ':count цагийн',
+    'minute_after' => ':count минутын',
+    'second_after' => ':count секундын',
 
-    'before' => ':timeн өмнө',
-    'year_before' => ':count жилий',
-    'month_before' => ':count сары',
-    'day_before' => ':count хоногий',
-    'hour_before' => ':count цагий',
-    'minute_before' => ':count минуты',
-    'second_before' => ':count секунды',
+    'before_mode' => 'last',
+    'before' => ':time өмнө',
+    'year_before' => ':count жилийн',
+    'y_before' => ':count жилийн',
+    'month_before' => ':count сарын',
+    'm_before' => ':count сарын',
+    'day_before' => ':count хоногийн',
+    'd_before' => ':count хоногийн',
+    'hour_before' => ':count цагийн',
+    'minute_before' => ':count минутын',
+    'second_before' => ':count секундын',
 
     'list' => ', ',
     'diff_now' => 'одоо',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ms.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ms.php
index 36934eeb1..c9e80854f 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ms.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ms.php
@@ -48,7 +48,7 @@ return [
     'ago' => ':time yang lepas',
     'from_now' => ':time dari sekarang',
     'after' => ':time kemudian',
-    'before' => ':time lepas',
+    'before' => ':time sebelum',
     'diff_now' => 'sekarang',
     'diff_today' => 'Hari',
     'diff_today_regexp' => 'Hari(?:\\s+ini)?(?:\\s+pukul)?',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/oc.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/oc.php
index 89693e674..c9411d69d 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/oc.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/oc.php
@@ -17,7 +17,7 @@
 use Symfony\Component\Translation\PluralizationRules;
 
 if (class_exists('Symfony\\Component\\Translation\\PluralizationRules')) {
-    PluralizationRules::set(function ($number) {
+    PluralizationRules::set(static function ($number) {
         return $number == 1 ? 0 : 1;
     }, 'oc');
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pl.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pl.php
index f0196c0d6..b72053549 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pl.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pl.php
@@ -62,7 +62,7 @@ return [
     },
     'after' => ':time po',
     'before' => ':time przed',
-    'diff_now' => 'przed chwilą',
+    'diff_now' => 'teraz',
     'diff_today' => 'Dziś',
     'diff_today_regexp' => 'Dziś(?:\\s+o)?',
     'diff_yesterday' => 'wczoraj',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pt.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pt.php
index 0af894994..bb6359b14 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pt.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/pt.php
@@ -104,4 +104,13 @@ return [
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
     'list' => [', ', ' e '],
+    'ordinal_words' => [
+        'of' => 'de',
+        'first' => 'primeira',
+        'second' => 'segunda',
+        'third' => 'terceira',
+        'fourth' => 'quarta',
+        'fifth' => 'quinta',
+        'last' => 'última',
+    ],
 ];
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sh.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sh.php
index e4aa5a1c7..e03b50675 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sh.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sh.php
@@ -13,7 +13,7 @@
 use Symfony\Component\Translation\PluralizationRules;
 
 if (class_exists('Symfony\\Component\\Translation\\PluralizationRules')) {
-    PluralizationRules::set(function ($number) {
+    PluralizationRules::set(static function ($number) {
         return (($number % 10 == 1) && ($number % 100 != 11)) ? 0 : ((($number % 10 >= 2) && ($number % 10 <= 4) && (($number % 100 < 10) || ($number % 100 >= 20))) ? 1 : 2);
     }, 'sh');
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sk.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sk.php
index fd0f6b3e9..f9702e960 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sk.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sk.php
@@ -31,33 +31,89 @@
  * - jofi
  * - Jakub ADAMEC
  * - Marek Adamický
+ * - AlterwebStudio
  */
+
+use Carbon\CarbonInterface;
+
+$fromNow = function ($time) {
+    return 'o '.strtr($time, [
+            'hodina' => 'hodinu',
+            'minúta' => 'minútu',
+            'sekunda' => 'sekundu',
+        ]);
+};
+
+$ago = function ($time) {
+    $replacements = [
+        '/\bhodina\b/' => 'hodinou',
+        '/\bminúta\b/' => 'minútou',
+        '/\bsekunda\b/' => 'sekundou',
+        '/\bdeň\b/u' => 'dňom',
+        '/\btýždeň\b/u' => 'týždňom',
+        '/\bmesiac\b/' => 'mesiacom',
+        '/\brok\b/' => 'rokom',
+    ];
+
+    $replacementsPlural = [
+        '/\bhodiny\b/' => 'hodinami',
+        '/\bminúty\b/' => 'minútami',
+        '/\bsekundy\b/' => 'sekundami',
+        '/\bdni\b/' => 'dňami',
+        '/\btýždne\b/' => 'týždňami',
+        '/\bmesiace\b/' => 'mesiacmi',
+        '/\broky\b/' => 'rokmi',
+    ];
+
+    foreach ($replacements + $replacementsPlural as $pattern => $replacement) {
+        $time = preg_replace($pattern, $replacement, $time);
+    }
+
+    return "pred $time";
+};
+
 return [
-    'year' => 'rok|:count roky|:count rokov',
+    'year' => ':count rok|:count roky|:count rokov',
+    'a_year' => 'rok|:count roky|:count rokov',
     'y' => ':count r',
-    'month' => 'mesiac|:count mesiace|:count mesiacov',
+    'month' => ':count mesiac|:count mesiace|:count mesiacov',
+    'a_month' => 'mesiac|:count mesiace|:count mesiacov',
     'm' => ':count m',
-    'week' => 'týždeň|:count týždne|:count týždňov',
+    'week' => ':count týždeň|:count týždne|:count týždňov',
+    'a_week' => 'týždeň|:count týždne|:count týždňov',
     'w' => ':count t',
-    'day' => 'deň|:count dni|:count dní',
+    'day' => ':count deň|:count dni|:count dní',
+    'a_day' => 'deň|:count dni|:count dní',
     'd' => ':count d',
-    'hour' => 'hodinu|:count hodiny|:count hodín',
+    'hour' => ':count hodina|:count hodiny|:count hodín',
+    'a_hour' => 'hodina|:count hodiny|:count hodín',
     'h' => ':count h',
-    'minute' => 'minútu|:count minúty|:count minút',
+    'minute' => ':count minúta|:count minúty|:count minút',
+    'a_minute' => 'minúta|:count minúty|:count minút',
     'min' => ':count min',
-    'second' => 'sekundu|:count sekundy|:count sekúnd',
+    'second' => ':count sekunda|:count sekundy|:count sekúnd',
+    'a_second' => 'sekunda|:count sekundy|:count sekúnd',
     's' => ':count s',
-    'ago' => 'pred :time',
-    'from_now' => 'za :time',
-    'after' => 'o :time neskôr',
-    'before' => ':time predtým',
-    'year_ago' => 'rokom|:count rokmi|:count rokmi',
-    'month_ago' => 'mesiacom|:count mesiacmi|:count mesiacmi',
-    'week_ago' => 'týždňom|:count týždňami|:count týždňami',
-    'day_ago' => 'dňom|:count dňami|:count dňami',
-    'hour_ago' => 'hodinou|:count hodinami|:count hodinami',
-    'minute_ago' => 'minútou|:count minútami|:count minútami',
-    'second_ago' => 'sekundou|:count sekundami|:count sekundami',
+    'millisecond' => ':count milisekunda|:count milisekundy|:count milisekúnd',
+    'a_millisecond' => 'milisekunda|:count milisekundy|:count milisekúnd',
+    'ms' => ':count ms',
+    'microsecond' => ':count mikrosekunda|:count mikrosekundy|:count mikrosekúnd',
+    'a_microsecond' => 'mikrosekunda|:count mikrosekundy|:count mikrosekúnd',
+    'µs' => ':count µs',
+
+    'ago' => $ago,
+    'from_now' => $fromNow,
+    'before' => ':time pred',
+    'after' => ':time po',
+
+    'hour_after' => ':count hodinu|:count hodiny|:count hodín',
+    'minute_after' => ':count minútu|:count minúty|:count minút',
+    'second_after' => ':count sekundu|:count sekundy|:count sekúnd',
+
+    'hour_before' => ':count hodinu|:count hodiny|:count hodín',
+    'minute_before' => ':count minútu|:count minúty|:count minút',
+    'second_before' => ':count sekundu|:count sekundy|:count sekúnd',
+
     'first_day_of_week' => 1,
     'day_of_first_week_of_year' => 4,
     'list' => [', ', ' a '],
@@ -72,8 +128,26 @@ return [
         'LLL' => 'D. M. HH:mm',
         'LLLL' => 'dddd D. MMMM YYYY HH:mm',
     ],
+    'calendar' => [
+        'sameDay' => '[dnes o] LT',
+        'nextDay' => '[zajtra o] LT',
+        'lastDay' => '[včera o] LT',
+        'nextWeek' => 'dddd [o] LT',
+        'lastWeek' => static function (CarbonInterface $date) {
+            switch ($date->dayOfWeek) {
+                case 1:
+                case 2:
+                case 4:
+                case 5:
+                    return '[minulý] dddd [o] LT'; //pondelok/utorok/štvrtok/piatok
+                default:
+                    return '[minulá] dddd [o] LT';
+            }
+        },
+        'sameElse' => 'L',
+    ],
     'weekdays' => ['nedeľa', 'pondelok', 'utorok', 'streda', 'štvrtok', 'piatok', 'sobota'],
-    'weekdays_short' => ['ne', 'po', 'ut', 'st', 'št', 'pi', 'so'],
+    'weekdays_short' => ['ned', 'pon', 'uto', 'str', 'štv', 'pia', 'sob'],
     'weekdays_min' => ['ne', 'po', 'ut', 'st', 'št', 'pi', 'so'],
     'months' => ['január', 'február', 'marec', 'apríl', 'máj', 'jún', 'júl', 'august', 'september', 'október', 'november', 'december'],
     'months_short' => ['jan', 'feb', 'mar', 'apr', 'máj', 'jún', 'júl', 'aug', 'sep', 'okt', 'nov', 'dec'],
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sl.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sl.php
index 2e197212b..1f1d1b338 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sl.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sl.php
@@ -49,9 +49,9 @@ return [
     'a_second' => '{1}nekaj sekund|:count sekunda|:count sekundi|:count sekunde|:count sekund',
     's' => ':count s',
 
-    'year_ago' => ':count letom|:count leti|:count leti|:count leti',
-    'y_ago' => ':count letom|:count leti|:count leti|:count leti',
-    'month_ago' => ':count mesecem|:count meseci|:count meseci|:count meseci',
+    'year_ago' => ':count letom|:count letoma|:count leti|:count leti',
+    'y_ago' => ':count letom|:count letoma|:count leti|:count leti',
+    'month_ago' => ':count mesecem|:count mesecema|:count meseci|:count meseci',
     'week_ago' => ':count tednom|:count tednoma|:count tedni|:count tedni',
     'day_ago' => ':count dnem|:count dnevoma|:count dnevi|:count dnevi',
     'd_ago' => ':count dnem|:count dnevoma|:count dnevi|:count dnevi',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl.php
index c09df19cf..8becbc576 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl.php
@@ -24,28 +24,28 @@
 use Carbon\CarbonInterface;
 
 return [
-    'year' => '{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count године|[0,Inf[:count година',
+    'year' => ':count година|:count године|:count година',
     'y' => ':count г.',
-    'month' => '{1}:count месец|{2,3,4}:count месеца|[0,Inf[:count месеци',
+    'month' => ':count месец|:count месеца|:count месеци',
     'm' => ':count м.',
-    'week' => '{1}:count недеља|{2,3,4}:count недеље|[0,Inf[:count недеља',
+    'week' => ':count недеља|:count недеље|:count недеља',
     'w' => ':count нед.',
-    'day' => '{1,21,31}:count дан|[0,Inf[:count дана',
+    'day' => ':count дан|:count дана|:count дана',
     'd' => ':count д.',
-    'hour' => '{1,21}:count сат|{2,3,4,22,23,24}:count сата|[0,Inf[:count сати',
+    'hour' => ':count сат|:count сата|:count сати',
     'h' => ':count ч.',
-    'minute' => '{1,21,31,41,51}:count минут|[0,Inf[:count минута',
+    'minute' => ':count минут|:count минута|:count минута',
     'min' => ':count мин.',
-    'second' => '{1,21,31,41,51}:count секунд|{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count секунде|[0,Inf[:count секунди',
+    'second' => ':count секунд|:count секунде|:count секунди',
     's' => ':count сек.',
     'ago' => 'пре :time',
     'from_now' => 'за :time',
     'after' => ':time након',
     'before' => ':time пре',
-    'year_from_now' => '{1,21,31,41,51}:count годину|{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count године|[0,Inf[:count година',
-    'year_ago' => '{1,21,31,41,51}:count годину|{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count године|[0,Inf[:count година',
-    'week_from_now' => '{1}:count недељу|{2,3,4}:count недеље|[0,Inf[:count недеља',
-    'week_ago' => '{1}:count недељу|{2,3,4}:count недеље|[0,Inf[:count недеља',
+    'year_from_now' => ':count годину|:count године|:count година',
+    'year_ago' => ':count годину|:count године|:count година',
+    'week_from_now' => ':count недељу|:count недеље|:count недеља',
+    'week_ago' => ':count недељу|:count недеље|:count недеља',
     'diff_now' => 'управо сада',
     'diff_today' => 'данас',
     'diff_today_regexp' => 'данас(?:\\s+у)?',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_BA.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_BA.php
index 0fb63d769..4b29a45c7 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_BA.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_BA.php
@@ -9,6 +9,16 @@
  * file that was distributed with this source code.
  */
 
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'sr');
+    }, 'sr_Cyrl_BA');
+}
+// @codeCoverageIgnoreEnd
+
 return array_replace_recursive(require __DIR__.'/sr_Cyrl.php', [
     'formats' => [
         'LT' => 'HH:mm',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_ME.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_ME.php
index d13229abc..28d22fd2c 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_ME.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_ME.php
@@ -16,32 +16,41 @@
  */
 
 use Carbon\CarbonInterface;
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'sr');
+    }, 'sr_Cyrl_ME');
+}
+// @codeCoverageIgnoreEnd
 
 return [
-    'year' => '{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count године|[0,Inf[:count година',
+    'year' => ':count година|:count године|:count година',
     'y' => ':count г.',
-    'month' => '{1}:count мјесец|{2,3,4}:count мјесеца|[0,Inf[:count мјесеци',
+    'month' => ':count мјесец|:count мјесеца|:count мјесеци',
     'm' => ':count мј.',
-    'week' => '{1}:count недјеља|{2,3,4}:count недјеље|[0,Inf[:count недјеља',
+    'week' => ':count недјеља|:count недјеље|:count недјеља',
     'w' => ':count нед.',
-    'day' => '{1,21,31}:count дан|[0,Inf[:count дана',
+    'day' => ':count дан|:count дана|:count дана',
     'd' => ':count д.',
-    'hour' => '{1,21}:count сат|{2,3,4,22,23,24}:count сата|[0,Inf[:count сати',
+    'hour' => ':count сат|:count сата|:count сати',
     'h' => ':count ч.',
-    'minute' => '{1,21,31,41,51}:count минут|[0,Inf[:count минута',
+    'minute' => ':count минут|:count минута|:count минута',
     'min' => ':count мин.',
-    'second' => '{1,21,31,41,51}:count секунд|{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count секунде|[0,Inf[:count секунди',
+    'second' => ':count секунд|:count секунде|:count секунди',
     's' => ':count сек.',
     'ago' => 'прије :time',
     'from_now' => 'за :time',
     'after' => ':time након',
     'before' => ':time прије',
 
-    'year_from_now' => '{1,21,31,41,51}:count годину|{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count године|[0,Inf[:count година',
-    'year_ago' => '{1,21,31,41,51}:count годину|{2,3,4,22,23,24,32,33,34,42,43,44,52,53,54}:count године|[0,Inf[:count година',
+    'year_from_now' => ':count годину|:count године|:count година',
+    'year_ago' => ':count годину|:count године|:count година',
 
-    'week_from_now' => '{1}:count недјељу|{2,3,4}:count недјеље|[0,Inf[:count недјеља',
-    'week_ago' => '{1}:count недјељу|{2,3,4}:count недјеље|[0,Inf[:count недјеља',
+    'week_from_now' => ':count недјељу|:count недјеље|:count недјеља',
+    'week_ago' => ':count недјељу|:count недјеље|:count недјеља',
 
     'diff_now' => 'управо сада',
     'diff_today' => 'данас',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_XK.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_XK.php
index 492baf0cb..d6e29b86b 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_XK.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Cyrl_XK.php
@@ -9,6 +9,16 @@
  * file that was distributed with this source code.
  */
 
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'sr');
+    }, 'sr_Cyrl_XK');
+}
+// @codeCoverageIgnoreEnd
+
 return array_replace_recursive(require __DIR__.'/sr_Cyrl_BA.php', [
     'weekdays' => ['недеља', 'понедељак', 'уторак', 'среда', 'четвртак', 'петак', 'субота'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_BA.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_BA.php
index 897c674a5..95b2770db 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_BA.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_BA.php
@@ -9,6 +9,16 @@
  * file that was distributed with this source code.
  */
 
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'sr');
+    }, 'sr_Latn_BA');
+}
+// @codeCoverageIgnoreEnd
+
 return array_replace_recursive(require __DIR__.'/sr_Latn.php', [
     'formats' => [
         'LT' => 'HH:mm',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_ME.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_ME.php
index e2133ef1a..5b8f2d062 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_ME.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_ME.php
@@ -16,6 +16,15 @@
  */
 
 use Carbon\CarbonInterface;
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'sr');
+    }, 'sr_Latn_ME');
+}
+// @codeCoverageIgnoreEnd
 
 return array_replace_recursive(require __DIR__.'/sr.php', [
     'month' => ':count mjesec|:count mjeseca|:count mjeseci',
@@ -27,6 +36,7 @@ return array_replace_recursive(require __DIR__.'/sr.php', [
     'before' => ':time prije',
     'week_from_now' => ':count nedjelju|:count nedjelje|:count nedjelja',
     'week_ago' => ':count nedjelju|:count nedjelje|:count nedjelja',
+    'second_ago' => ':count sekund|:count sekunde|:count sekundi',
     'diff_tomorrow' => 'sjutra',
     'calendar' => [
         'nextDay' => '[sjutra u] LT',
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_XK.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_XK.php
index d0b9d10bb..5278e2e5a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_XK.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sr_Latn_XK.php
@@ -9,6 +9,16 @@
  * file that was distributed with this source code.
  */
 
+use Symfony\Component\Translation\PluralizationRules;
+
+// @codeCoverageIgnoreStart
+if (class_exists(PluralizationRules::class)) {
+    PluralizationRules::set(static function ($number) {
+        return PluralizationRules::get($number, 'sr');
+    }, 'sr_Latn_XK');
+}
+// @codeCoverageIgnoreEnd
+
 return array_replace_recursive(require __DIR__.'/sr_Latn_BA.php', [
     'weekdays' => ['nedelja', 'ponedeljak', 'utorak', 'sreda', 'četvrtak', 'petak', 'subota'],
 ]);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ss.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ss.php
index cd4b91901..1c52c9bf6 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ss.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/ss.php
@@ -50,7 +50,7 @@ return [
         $lastDigit = $number % 10;
 
         return $number.(
-            (~~($number % 100 / 10) === 1) ? 'e' : (
+            ((int) ($number % 100 / 10) === 1) ? 'e' : (
                 ($lastDigit === 1 || $lastDigit === 2) ? 'a' : 'e'
             )
         );
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sv.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sv.php
index ca33e1c45..1706c7191 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sv.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/sv.php
@@ -70,7 +70,7 @@ return [
         $lastDigit = $number % 10;
 
         return $number.(
-            (~~($number % 100 / 10) === 1) ? 'e' : (
+            ((int) ($number % 100 / 10) === 1) ? 'e' : (
                 ($lastDigit === 1 || $lastDigit === 2) ? 'a' : 'e'
             )
         );
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/uk.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/uk.php
index b267b0002..4217d16ed 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/uk.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Lang/uk.php
@@ -55,7 +55,7 @@ $processHoursFunction = function (CarbonInterface $date, string $format) {
  */
 return [
     'year' => ':count рік|:count роки|:count років',
-    'y' => ':countр',
+    'y' => ':countр|:countрр|:countрр',
     'a_year' => '{1}рік|:count рік|:count роки|:count років',
     'month' => ':count місяць|:count місяці|:count місяців',
     'm' => ':countм',
@@ -193,6 +193,7 @@ return [
             'genitive' => ['неділі', 'понеділка', 'вівторка', 'середи', 'четверга', 'п’ятниці', 'суботи'],
         ];
 
+        $format = $format ?? '';
         $nounCase = preg_match('/(\[(В|в|У|у)\])\s+dddd/u', $format)
             ? 'accusative'
             : (
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Laravel/ServiceProvider.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Laravel/ServiceProvider.php
index 8be0569e8..84e241e3e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Laravel/ServiceProvider.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Laravel/ServiceProvider.php
@@ -24,6 +24,22 @@ use Throwable;
 
 class ServiceProvider extends \Illuminate\Support\ServiceProvider
 {
+    /** @var callable|null */
+    protected $appGetter = null;
+
+    /** @var callable|null */
+    protected $localeGetter = null;
+
+    public function setAppGetter(?callable $appGetter): void
+    {
+        $this->appGetter = $appGetter;
+    }
+
+    public function setLocaleGetter(?callable $localeGetter): void
+    {
+        $this->localeGetter = $localeGetter;
+    }
+
     public function boot()
     {
         $this->updateLocale();
@@ -44,8 +60,12 @@ class ServiceProvider extends \Illuminate\Support\ServiceProvider
 
     public function updateLocale()
     {
-        $app = $this->app && method_exists($this->app, 'getLocale') ? $this->app : app('translator');
-        $locale = $app->getLocale();
+        $locale = $this->getLocale();
+
+        if ($locale === null) {
+            return;
+        }
+
         Carbon::setLocale($locale);
         CarbonImmutable::setLocale($locale);
         CarbonPeriod::setLocale($locale);
@@ -70,6 +90,34 @@ class ServiceProvider extends \Illuminate\Support\ServiceProvider
         // Needed for Laravel < 5.3 compatibility
     }
 
+    protected function getLocale()
+    {
+        if ($this->localeGetter) {
+            return ($this->localeGetter)();
+        }
+
+        $app = $this->getApp();
+        $app = $app && method_exists($app, 'getLocale')
+            ? $app
+            : $this->getGlobalApp('translator');
+
+        return $app ? $app->getLocale() : null;
+    }
+
+    protected function getApp()
+    {
+        if ($this->appGetter) {
+            return ($this->appGetter)();
+        }
+
+        return $this->app ?? $this->getGlobalApp();
+    }
+
+    protected function getGlobalApp(...$args)
+    {
+        return \function_exists('app') ? \app(...$args) : null;
+    }
+
     protected function isEventDispatcher($instance)
     {
         return $instance instanceof EventDispatcher
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/MessageFormatter/MessageFormatterMapper.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/MessageFormatter/MessageFormatterMapper.php
new file mode 100644
index 000000000..c05480876
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/MessageFormatter/MessageFormatterMapper.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\MessageFormatter;
+
+use ReflectionMethod;
+use Symfony\Component\Translation\Formatter\MessageFormatter;
+use Symfony\Component\Translation\Formatter\MessageFormatterInterface;
+
+// @codeCoverageIgnoreStart
+$transMethod = new ReflectionMethod(MessageFormatterInterface::class, 'format');
+
+require $transMethod->getParameters()[0]->hasType()
+    ? __DIR__.'/../../../lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php'
+    : __DIR__.'/../../../lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php';
+// @codeCoverageIgnoreEnd
+
+final class MessageFormatterMapper extends LazyMessageFormatter
+{
+    /**
+     * Wrapped formatter.
+     *
+     * @var MessageFormatterInterface
+     */
+    protected $formatter;
+
+    public function __construct(?MessageFormatterInterface $formatter = null)
+    {
+        $this->formatter = $formatter ?? new MessageFormatter();
+    }
+
+    protected function transformLocale(?string $locale): ?string
+    {
+        return $locale ? preg_replace('/[_@][A-Za-z][a-z]{2,}/', '', $locale) : $locale;
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/AbstractMacro.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/AbstractMacro.php
index fc6fd2a79..fde67b36a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/AbstractMacro.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/AbstractMacro.php
@@ -14,6 +14,12 @@ declare(strict_types=1);
 namespace Carbon\PHPStan;
 
 use Closure;
+use InvalidArgumentException;
+use PHPStan\BetterReflection\Reflection\Adapter\ReflectionParameter as AdapterReflectionParameter;
+use PHPStan\BetterReflection\Reflection\Adapter\ReflectionType as AdapterReflectionType;
+use PHPStan\BetterReflection\Reflection\ReflectionClass as BetterReflectionClass;
+use PHPStan\BetterReflection\Reflection\ReflectionFunction as BetterReflectionFunction;
+use PHPStan\BetterReflection\Reflection\ReflectionParameter as BetterReflectionParameter;
 use PHPStan\Reflection\Php\BuiltinMethodReflection;
 use PHPStan\TrinaryLogic;
 use ReflectionClass;
@@ -64,24 +70,34 @@ abstract class AbstractMacro implements BuiltinMethodReflection
     /**
      * Macro constructor.
      *
-     * @param string $className
-     * @phpstan-param class-string $className
-     *
-     * @param string   $methodName
-     * @param callable $macro
+     * @param class-string $className
+     * @param string       $methodName
+     * @param callable     $macro
      */
     public function __construct(string $className, string $methodName, $macro)
     {
         $this->className = $className;
         $this->methodName = $methodName;
-        $this->reflectionFunction = \is_array($macro)
+        $rawReflectionFunction = \is_array($macro)
             ? new ReflectionMethod($macro[0], $macro[1])
             : new ReflectionFunction($macro);
-        $this->parameters = $this->reflectionFunction->getParameters();
+        $this->reflectionFunction = self::hasModernParser()
+            ? $this->getReflectionFunction($macro)
+            : $rawReflectionFunction; // @codeCoverageIgnore
+        $this->parameters = array_map(
+            function ($parameter) {
+                if ($parameter instanceof BetterReflectionParameter) {
+                    return new AdapterReflectionParameter($parameter);
+                }
 
-        if ($this->reflectionFunction->isClosure()) {
+                return $parameter; // @codeCoverageIgnore
+            },
+            $this->reflectionFunction->getParameters()
+        );
+
+        if ($rawReflectionFunction->isClosure()) {
             try {
-                $closure = $this->reflectionFunction->getClosure();
+                $closure = $rawReflectionFunction->getClosure();
                 $boundClosure = Closure::bind($closure, new stdClass());
                 $this->static = (!$boundClosure || (new ReflectionFunction($boundClosure))->getClosureThis() === null);
             } catch (Throwable $e) {
@@ -90,6 +106,31 @@ abstract class AbstractMacro implements BuiltinMethodReflection
         }
     }
 
+    private function getReflectionFunction($spec)
+    {
+        if (\is_array($spec) && \count($spec) === 2 && \is_string($spec[1])) {
+            \assert($spec[1] !== '');
+
+            if (\is_object($spec[0])) {
+                return BetterReflectionClass::createFromInstance($spec[0])
+                    ->getMethod($spec[1]);
+            }
+
+            return BetterReflectionClass::createFromName($spec[0])
+                ->getMethod($spec[1]);
+        }
+
+        if (\is_string($spec)) {
+            return BetterReflectionFunction::createFromName($spec);
+        }
+
+        if ($spec instanceof Closure) {
+            return BetterReflectionFunction::createFromClosure($spec);
+        }
+
+        throw new InvalidArgumentException('Could not create reflection from the spec given'); // @codeCoverageIgnore
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -175,7 +216,13 @@ abstract class AbstractMacro implements BuiltinMethodReflection
      */
     public function getReturnType(): ?ReflectionType
     {
-        return $this->reflectionFunction->getReturnType();
+        $type = $this->reflectionFunction->getReturnType();
+
+        if ($type instanceof ReflectionType) {
+            return $type; // @codeCoverageIgnore
+        }
+
+        return self::adaptType($type);
     }
 
     /**
@@ -205,18 +252,35 @@ abstract class AbstractMacro implements BuiltinMethodReflection
         return $this;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getReflection(): ?ReflectionMethod
-    {
-        return $this->reflectionFunction instanceof ReflectionMethod
-            ? $this->reflectionFunction
-            : null;
-    }
-
     public function getTentativeReturnType(): ?ReflectionType
     {
         return null;
     }
+
+    public function returnsByReference(): TrinaryLogic
+    {
+        return TrinaryLogic::createNo();
+    }
+
+    private static function adaptType($type)
+    {
+        $method = method_exists(AdapterReflectionType::class, 'fromTypeOrNull')
+            ? 'fromTypeOrNull'
+            : 'fromReturnTypeOrNull'; // @codeCoverageIgnore
+
+        return AdapterReflectionType::$method($type);
+    }
+
+    private static function hasModernParser(): bool
+    {
+        static $modernParser = null;
+
+        if ($modernParser !== null) {
+            return $modernParser;
+        }
+
+        $modernParser = method_exists(AdapterReflectionType::class, 'fromTypeOrNull');
+
+        return $modernParser;
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/Macro.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/Macro.php
index 839258736..de3e51f6a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/Macro.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/Macro.php
@@ -13,9 +13,16 @@ declare(strict_types=1);
 
 namespace Carbon\PHPStan;
 
+use PHPStan\BetterReflection\Reflection\Adapter;
 use PHPStan\Reflection\Php\BuiltinMethodReflection;
 use ReflectionMethod;
 
+$method = new ReflectionMethod(BuiltinMethodReflection::class, 'getReflection');
+
+require $method->hasReturnType() && $method->getReturnType()->getName() === Adapter\ReflectionMethod::class
+    ? __DIR__.'/../../../lazy/Carbon/PHPStan/AbstractMacroStatic.php'
+    : __DIR__.'/../../../lazy/Carbon/PHPStan/AbstractMacroBuiltin.php';
+
 $method = new ReflectionMethod(BuiltinMethodReflection::class, 'getFileName');
 
 require $method->hasReturnType()
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroExtension.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroExtension.php
index 8e2524c09..2cd6fce54 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroExtension.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroExtension.php
@@ -11,10 +11,12 @@
 
 namespace Carbon\PHPStan;
 
+use PHPStan\Reflection\Assertions;
 use PHPStan\Reflection\ClassReflection;
 use PHPStan\Reflection\MethodReflection;
 use PHPStan\Reflection\MethodsClassReflectionExtension;
 use PHPStan\Reflection\Php\PhpMethodReflectionFactory;
+use PHPStan\Reflection\ReflectionProvider;
 use PHPStan\Type\TypehintHelper;
 
 /**
@@ -38,10 +40,13 @@ final class MacroExtension implements MethodsClassReflectionExtension
      * Extension constructor.
      *
      * @param PhpMethodReflectionFactory $methodReflectionFactory
+     * @param ReflectionProvider         $reflectionProvider
      */
-    public function __construct(PhpMethodReflectionFactory $methodReflectionFactory)
-    {
-        $this->scanner = new MacroScanner();
+    public function __construct(
+        PhpMethodReflectionFactory $methodReflectionFactory,
+        ReflectionProvider $reflectionProvider
+    ) {
+        $this->scanner = new MacroScanner($reflectionProvider);
         $this->methodReflectionFactory = $methodReflectionFactory;
     }
 
@@ -59,6 +64,7 @@ final class MacroExtension implements MethodsClassReflectionExtension
     public function getMethod(ClassReflection $classReflection, string $methodName): MethodReflection
     {
         $builtinMacro = $this->scanner->getMethod($classReflection->getName(), $methodName);
+        $supportAssertions = class_exists(Assertions::class);
 
         return $this->methodReflectionFactory->create(
             $classReflection,
@@ -72,7 +78,11 @@ final class MacroExtension implements MethodsClassReflectionExtension
             $builtinMacro->isDeprecated()->yes(),
             $builtinMacro->isInternal(),
             $builtinMacro->isFinal(),
-            $builtinMacro->getDocComment()
+            $supportAssertions ? null : $builtinMacro->getDocComment(),
+            $supportAssertions ? Assertions::createEmpty() : null,
+            null,
+            $builtinMacro->getDocComment(),
+            []
         );
     }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroScanner.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroScanner.php
index d169939d8..eb8957d4d 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroScanner.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/PHPStan/MacroScanner.php
@@ -12,35 +12,55 @@
 namespace Carbon\PHPStan;
 
 use Carbon\CarbonInterface;
+use PHPStan\Reflection\ReflectionProvider;
 use ReflectionClass;
 use ReflectionException;
 
 final class MacroScanner
 {
+    /**
+     * @var \PHPStan\Reflection\ReflectionProvider
+     */
+    private $reflectionProvider;
+
+    /**
+     * MacroScanner constructor.
+     *
+     * @param \PHPStan\Reflection\ReflectionProvider $reflectionProvider
+     */
+    public function __construct(ReflectionProvider $reflectionProvider)
+    {
+        $this->reflectionProvider = $reflectionProvider;
+    }
+
     /**
      * Return true if the given pair class-method is a Carbon macro.
      *
-     * @param string $className
-     * @phpstan-param class-string $className
-     *
-     * @param string $methodName
+     * @param class-string $className
+     * @param string       $methodName
      *
      * @return bool
      */
     public function hasMethod(string $className, string $methodName): bool
     {
-        return is_a($className, CarbonInterface::class, true) &&
-            \is_callable([$className, 'hasMacro']) &&
+        $classReflection = $this->reflectionProvider->getClass($className);
+
+        if (
+            $classReflection->getName() !== CarbonInterface::class &&
+            !$classReflection->isSubclassOf(CarbonInterface::class)
+        ) {
+            return false;
+        }
+
+        return \is_callable([$className, 'hasMacro']) &&
             $className::hasMacro($methodName);
     }
 
     /**
      * Return the Macro for a given pair class-method.
      *
-     * @param string $className
-     * @phpstan-param class-string $className
-     *
-     * @param string $methodName
+     * @param class-string $className
+     * @param string       $methodName
      *
      * @throws ReflectionException
      *
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Comparison.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Comparison.php
index a23e6ed0c..f6261d882 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Comparison.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Comparison.php
@@ -75,6 +75,9 @@ trait Comparison
      */
     public function equalTo($date): bool
     {
+        $this->discourageNull($date);
+        $this->discourageBoolean($date);
+
         return $this == $this->resolveCarbon($date);
     }
 
@@ -155,6 +158,9 @@ trait Comparison
      */
     public function greaterThan($date): bool
     {
+        $this->discourageNull($date);
+        $this->discourageBoolean($date);
+
         return $this > $this->resolveCarbon($date);
     }
 
@@ -216,7 +222,10 @@ trait Comparison
      */
     public function greaterThanOrEqualTo($date): bool
     {
-        return $this >= $date;
+        $this->discourageNull($date);
+        $this->discourageBoolean($date);
+
+        return $this >= $this->resolveCarbon($date);
     }
 
     /**
@@ -256,6 +265,9 @@ trait Comparison
      */
     public function lessThan($date): bool
     {
+        $this->discourageNull($date);
+        $this->discourageBoolean($date);
+
         return $this < $this->resolveCarbon($date);
     }
 
@@ -317,7 +329,10 @@ trait Comparison
      */
     public function lessThanOrEqualTo($date): bool
     {
-        return $this <= $date;
+        $this->discourageNull($date);
+        $this->discourageBoolean($date);
+
+        return $this <= $this->resolveCarbon($date);
     }
 
     /**
@@ -351,10 +366,10 @@ trait Comparison
         }
 
         if ($equal) {
-            return $this->greaterThanOrEqualTo($date1) && $this->lessThanOrEqualTo($date2);
+            return $this >= $date1 && $this <= $date2;
         }
 
-        return $this->greaterThan($date1) && $this->lessThan($date2);
+        return $this > $date1 && $this < $date2;
     }
 
     /**
@@ -448,7 +463,7 @@ trait Comparison
      */
     public function isWeekend()
     {
-        return \in_array($this->dayOfWeek, static::$weekendDays);
+        return \in_array($this->dayOfWeek, static::$weekendDays, true);
     }
 
     /**
@@ -548,12 +563,17 @@ trait Comparison
     }
 
     /**
-     * Determines if the instance is a long year
+     * Determines if the instance is a long year (using calendar year).
+     *
+     * ⚠️ This method completely ignores month and day to use the numeric year number,
+     * it's not correct if the exact date matters. For instance as `2019-12-30` is already
+     * in the first week of the 2020 year, if you want to know from this date if ISO week
+     * year 2020 is a long year, use `isLongIsoYear` instead.
      *
      * @example
      * ```
-     * Carbon::parse('2015-01-01')->isLongYear(); // true
-     * Carbon::parse('2016-01-01')->isLongYear(); // false
+     * Carbon::create(2015)->isLongYear(); // true
+     * Carbon::create(2016)->isLongYear(); // false
      * ```
      *
      * @see https://en.wikipedia.org/wiki/ISO_8601#Week_dates
@@ -565,6 +585,27 @@ trait Comparison
         return static::create($this->year, 12, 28, 0, 0, 0, $this->tz)->weekOfYear === 53;
     }
 
+    /**
+     * Determines if the instance is a long year (using ISO 8601 year).
+     *
+     * @example
+     * ```
+     * Carbon::parse('2015-01-01')->isLongIsoYear(); // true
+     * Carbon::parse('2016-01-01')->isLongIsoYear(); // true
+     * Carbon::parse('2016-01-03')->isLongIsoYear(); // false
+     * Carbon::parse('2019-12-29')->isLongIsoYear(); // false
+     * Carbon::parse('2019-12-30')->isLongIsoYear(); // true
+     * ```
+     *
+     * @see https://en.wikipedia.org/wiki/ISO_8601#Week_dates
+     *
+     * @return bool
+     */
+    public function isLongIsoYear()
+    {
+        return static::create($this->isoWeekYear, 12, 28, 0, 0, 0, $this->tz)->weekOfYear === 53;
+    }
+
     /**
      * Compares the formatted values of the two dates.
      *
@@ -621,19 +662,19 @@ trait Comparison
             'microsecond' => 'Y-m-d H:i:s.u',
         ];
 
-        if (!isset($units[$unit])) {
-            if (isset($this->$unit)) {
-                return $this->resolveCarbon($date)->$unit === $this->$unit;
-            }
-
-            if ($this->localStrictModeEnabled ?? static::isStrictModeEnabled()) {
-                throw new BadComparisonUnitException($unit);
-            }
-
-            return false;
+        if (isset($units[$unit])) {
+            return $this->isSameAs($units[$unit], $date);
         }
 
-        return $this->isSameAs($units[$unit], $date);
+        if (isset($this->$unit)) {
+            return $this->resolveCarbon($date)->$unit === $this->$unit;
+        }
+
+        if ($this->localStrictModeEnabled ?? static::isStrictModeEnabled()) {
+            throw new BadComparisonUnitException($unit);
+        }
+
+        return false;
     }
 
     /**
@@ -981,12 +1022,12 @@ trait Comparison
             return $current->startOfMinute()->eq($other);
         }
 
-        if (preg_match('/\d(h|am|pm)$/', $tester)) {
+        if (preg_match('/\d(?:h|am|pm)$/', $tester)) {
             return $current->startOfHour()->eq($other);
         }
 
         if (preg_match(
-            '/^(january|february|march|april|may|june|july|august|september|october|november|december)\s+\d+$/i',
+            '/^(?:january|february|march|april|may|june|july|august|september|october|november|december)(?:\s+\d+)?$/i',
             $tester
         )) {
             return $current->startOfMonth()->eq($other->startOfMonth());
@@ -1067,4 +1108,18 @@ trait Comparison
     {
         return $this->endOfTime ?? false;
     }
+
+    private function discourageNull($value): void
+    {
+        if ($value === null) {
+            @trigger_error("Since 2.61.0, it's deprecated to compare a date to null, meaning of such comparison is ambiguous and will no longer be possible in 3.0.0, you should explicitly pass 'now' or make an other check to eliminate null values.", \E_USER_DEPRECATED);
+        }
+    }
+
+    private function discourageBoolean($value): void
+    {
+        if (\is_bool($value)) {
+            @trigger_error("Since 2.61.0, it's deprecated to compare a date to true or false, meaning of such comparison is ambiguous and will no longer be possible in 3.0.0, you should explicitly pass 'now' or make an other check to eliminate boolean values.", \E_USER_DEPRECATED);
+        }
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Converter.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Converter.php
index 8fe008a5c..fff8a600a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Converter.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Converter.php
@@ -16,6 +16,7 @@ use Carbon\CarbonImmutable;
 use Carbon\CarbonInterface;
 use Carbon\CarbonInterval;
 use Carbon\CarbonPeriod;
+use Carbon\CarbonPeriodImmutable;
 use Carbon\Exceptions\UnitException;
 use Closure;
 use DateTime;
@@ -34,39 +35,7 @@ use ReturnTypeWillChange;
  */
 trait Converter
 {
-    /**
-     * Format to use for __toString method when type juggling occurs.
-     *
-     * @var string|Closure|null
-     */
-    protected static $toStringFormat;
-
-    /**
-     * Reset the format used to the default when type juggling a Carbon instance to a string
-     *
-     * @return void
-     */
-    public static function resetToStringFormat()
-    {
-        static::setToStringFormat(null);
-    }
-
-    /**
-     * @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
-     *             You should rather let Carbon object being casted to string with DEFAULT_TO_STRING_FORMAT, and
-     *             use other method or custom format passed to format() method if you need to dump an other string
-     *             format.
-     *
-     * Set the default format used when type juggling a Carbon instance to a string
-     *
-     * @param string|Closure|null $format
-     *
-     * @return void
-     */
-    public static function setToStringFormat($format)
-    {
-        static::$toStringFormat = $format;
-    }
+    use ToStringFormat;
 
     /**
      * Returns the formatted date string on success or FALSE on failure.
@@ -110,7 +79,7 @@ trait Converter
      *
      * @example
      * ```
-     * echo Carbon::now(); // Carbon instances can be casted to string
+     * echo Carbon::now(); // Carbon instances can be cast to string
      * ```
      *
      * @return string
@@ -158,6 +127,21 @@ trait Converter
         return $this->rawFormat('M j, Y');
     }
 
+    /**
+     * Format the instance with the day, and a readable date
+     *
+     * @example
+     * ```
+     * echo Carbon::now()->toFormattedDayDateString();
+     * ```
+     *
+     * @return string
+     */
+    public function toFormattedDayDateString(): string
+    {
+        return $this->rawFormat('D, M j, Y');
+    }
+
     /**
      * Format the instance as time
      *
@@ -622,16 +606,18 @@ trait Converter
             $interval = CarbonInterval::make("$interval ".static::pluralUnit($unit));
         }
 
-        $period = (new CarbonPeriod())->setDateClass(static::class)->setStartDate($this);
+        $period = ($this->isMutable() ? new CarbonPeriod() : new CarbonPeriodImmutable())
+            ->setDateClass(static::class)
+            ->setStartDate($this);
 
         if ($interval) {
-            $period->setDateInterval($interval);
+            $period = $period->setDateInterval($interval);
         }
 
-        if (\is_int($end) || \is_string($end) && ctype_digit($end)) {
-            $period->setRecurrences($end);
+        if (\is_int($end) || (\is_string($end) && ctype_digit($end))) {
+            $period = $period->setRecurrences($end);
         } elseif ($end) {
-            $period->setEndDate($end);
+            $period = $period->setEndDate($end);
         }
 
         return $period;
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Creator.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Creator.php
index f2adee5fd..0d611ea22 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Creator.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Creator.php
@@ -19,6 +19,8 @@ use Carbon\Exceptions\InvalidFormatException;
 use Carbon\Exceptions\OutOfRangeException;
 use Carbon\Translator;
 use Closure;
+use DateMalformedStringException;
+use DateTimeImmutable;
 use DateTimeInterface;
 use DateTimeZone;
 use Exception;
@@ -79,8 +81,8 @@ trait Creator
 
         // Work-around for PHP bug https://bugs.php.net/bug.php?id=67127
         if (!str_contains((string) .1, '.')) {
-            $locale = setlocale(LC_NUMERIC, '0');
-            setlocale(LC_NUMERIC, 'C');
+            $locale = setlocale(LC_NUMERIC, '0'); // @codeCoverageIgnore
+            setlocale(LC_NUMERIC, 'C'); // @codeCoverageIgnore
         }
 
         try {
@@ -92,7 +94,7 @@ trait Creator
         $this->constructedObjectId = spl_object_hash($this);
 
         if (isset($locale)) {
-            setlocale(LC_NUMERIC, $locale);
+            setlocale(LC_NUMERIC, $locale); // @codeCoverageIgnore
         }
 
         self::setLastErrors(parent::getLastErrors());
@@ -112,7 +114,7 @@ trait Creator
             $safeTz = static::safeCreateDateTimeZone($tz);
 
             if ($safeTz) {
-                return $date->setTimezone($safeTz);
+                return ($date instanceof DateTimeImmutable ? $date : clone $date)->setTimezone($safeTz);
             }
 
             return $date;
@@ -148,7 +150,7 @@ trait Creator
 
         $instance = new static($date->format('Y-m-d H:i:s.u'), $date->getTimezone());
 
-        if ($date instanceof CarbonInterface || $date instanceof Options) {
+        if ($date instanceof CarbonInterface) {
             $settings = $date->getSettings();
 
             if (!$date->hasLocalTranslator()) {
@@ -184,7 +186,13 @@ trait Creator
         try {
             return new static($time, $tz);
         } catch (Exception $exception) {
-            $date = @static::now($tz)->change($time);
+            // @codeCoverageIgnoreStart
+            try {
+                $date = @static::now($tz)->change($time);
+            } catch (DateMalformedStringException $ignoredException) {
+                $date = null;
+            }
+            // @codeCoverageIgnoreEnd
 
             if (!$date) {
                 throw new InvalidFormatException("Could not parse '$time': ".$exception->getMessage(), 0, $exception);
@@ -354,13 +362,13 @@ trait Creator
      * If $hour is not null then the default values for $minute and $second
      * will be 0.
      *
-     * @param int|null                 $year
-     * @param int|null                 $month
-     * @param int|null                 $day
-     * @param int|null                 $hour
-     * @param int|null                 $minute
-     * @param int|null                 $second
-     * @param DateTimeZone|string|null $tz
+     * @param DateTimeInterface|int|null $year
+     * @param int|null                   $month
+     * @param int|null                   $day
+     * @param int|null                   $hour
+     * @param int|null                   $minute
+     * @param int|null                   $second
+     * @param DateTimeZone|string|null   $tz
      *
      * @throws InvalidFormatException
      *
@@ -368,7 +376,7 @@ trait Creator
      */
     public static function create($year = 0, $month = 1, $day = 1, $hour = 0, $minute = 0, $second = 0, $tz = null)
     {
-        if (\is_string($year) && !is_numeric($year) || $year instanceof DateTimeInterface) {
+        if ((\is_string($year) && !is_numeric($year)) || $year instanceof DateTimeInterface) {
             return static::parse($year, $tz ?: (\is_string($month) || $month instanceof DateTimeZone ? $month : null));
         }
 
@@ -634,6 +642,10 @@ trait Creator
             $time = preg_replace('/^(.*)(am|pm|AM|PM)(.*)$/U', '$1$3 $2', $time);
         }
 
+        if ($tz === false) {
+            $tz = null;
+        }
+
         // First attempt to create an instance, so that error messages are based on the unmodified format.
         $date = self::createFromFormatAndTimezone($format, $time, $tz);
         $lastErrors = parent::getLastErrors();
@@ -651,12 +663,14 @@ trait Creator
                 $tz = clone $mock->getTimezone();
             }
 
-            // Set microseconds to zero to match behavior of DateTime::createFromFormat()
-            // See https://bugs.php.net/bug.php?id=74332
-            $mock = $mock->copy()->microsecond(0);
+            $mock = $mock->copy();
 
             // Prepend mock datetime only if the format does not contain non escaped unix epoch reset flag.
             if (!preg_match("/{$nonEscaped}[!|]/", $format)) {
+                if (preg_match('/[HhGgisvuB]/', $format)) {
+                    $mock = $mock->setTime(0, 0);
+                }
+
                 $format = static::MOCK_DATETIME_FORMAT.' '.$format;
                 $time = ($mock instanceof self ? $mock->rawFormat(static::MOCK_DATETIME_FORMAT) : $mock->format(static::MOCK_DATETIME_FORMAT)).' '.$time;
             }
@@ -862,6 +876,19 @@ trait Creator
      */
     public static function createFromLocaleFormat($format, $locale, $time, $tz = null)
     {
+        $format = preg_replace_callback(
+            '/(?:\\\\[a-zA-Z]|[bfkqCEJKQRV]){2,}/',
+            static function (array $match) use ($locale): string {
+                $word = str_replace('\\', '', $match[0]);
+                $translatedWord = static::translateTimeString($word, $locale, 'en');
+
+                return $word === $translatedWord
+                    ? $match[0]
+                    : preg_replace('/[a-zA-Z]/', '\\\\$0', $translatedWord);
+            },
+            $format
+        );
+
         return static::rawCreateFromFormat($format, static::translateTimeString($time, $locale, 'en'), $tz);
     }
 
@@ -907,9 +934,9 @@ trait Creator
         if (\is_string($var)) {
             $var = trim($var);
 
-            if (!preg_match('/^P[0-9T]/', $var) &&
-                !preg_match('/^R[0-9]/', $var) &&
-                preg_match('/[a-z0-9]/i', $var)
+            if (!preg_match('/^P[\dT]/', $var) &&
+                !preg_match('/^R\d/', $var) &&
+                preg_match('/[a-z\d]/i', $var)
             ) {
                 $date = static::parse($var);
             }
@@ -921,13 +948,20 @@ trait Creator
     /**
      * Set last errors.
      *
-     * @param array $lastErrors
+     * @param array|bool $lastErrors
      *
      * @return void
      */
-    private static function setLastErrors(array $lastErrors)
+    private static function setLastErrors($lastErrors)
     {
-        static::$lastErrors = $lastErrors;
+        if (\is_array($lastErrors) || $lastErrors === false) {
+            static::$lastErrors = \is_array($lastErrors) ? $lastErrors : [
+                'warning_count' => 0,
+                'warnings' => [],
+                'error_count' => 0,
+                'errors' => [],
+            ];
+        }
     }
 
     /**
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Date.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Date.php
index 8c8af6fb0..8ae5c1781 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Date.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Date.php
@@ -532,6 +532,7 @@ trait Date
     use Creator;
     use Difference;
     use Macro;
+    use MagicParameter;
     use Modifiers;
     use Mutability;
     use ObjectInitialisation;
@@ -641,9 +642,11 @@ trait Date
     /**
      * List of minimum and maximums for each unit.
      *
+     * @param int $daysInMonth
+     *
      * @return array
      */
-    protected static function getRangesByUnit()
+    protected static function getRangesByUnit(int $daysInMonth = 31): array
     {
         return [
             // @call roundUnit
@@ -651,7 +654,7 @@ trait Date
             // @call roundUnit
             'month' => [1, static::MONTHS_PER_YEAR],
             // @call roundUnit
-            'day' => [1, 31],
+            'day' => [1, $daysInMonth],
             // @call roundUnit
             'hour' => [0, static::HOURS_PER_DAY - 1],
             // @call roundUnit
@@ -940,7 +943,7 @@ trait Date
             case $name === 'millisecond':
             // @property int
             case $name === 'milli':
-                return (int) floor($this->rawFormat('u') / 1000);
+                return (int) floor(((int) $this->rawFormat('u')) / 1000);
 
             // @property int 1 through 53
             case $name === 'week':
@@ -1250,7 +1253,7 @@ trait Date
     protected function getTranslatedFormByRegExp($baseKey, $keySuffix, $context, $subKey, $defaultValue)
     {
         $key = $baseKey.$keySuffix;
-        $standaloneKey = "${key}_standalone";
+        $standaloneKey = "{$key}_standalone";
         $baseTranslation = $this->getTranslationMessage($key);
 
         if ($baseTranslation instanceof Closure) {
@@ -1259,7 +1262,7 @@ trait Date
 
         if (
             $this->getTranslationMessage("$standaloneKey.$subKey") &&
-            (!$context || ($regExp = $this->getTranslationMessage("${baseKey}_regexp")) && !preg_match($regExp, $context))
+            (!$context || (($regExp = $this->getTranslationMessage("{$baseKey}_regexp")) && !preg_match($regExp, $context)))
         ) {
             $key = $standaloneKey;
         }
@@ -1354,9 +1357,14 @@ trait Date
      */
     public function weekday($value = null)
     {
-        $dayOfWeek = ($this->dayOfWeek + 7 - (int) ($this->getTranslationMessage('first_day_of_week') ?? 0)) % 7;
+        if ($value === null) {
+            return $this->dayOfWeek;
+        }
 
-        return $value === null ? $dayOfWeek : $this->addDays($value - $dayOfWeek);
+        $firstDay = (int) ($this->getTranslationMessage('first_day_of_week') ?? 0);
+        $dayOfWeek = ($this->dayOfWeek + 7 - $firstDay) % 7;
+
+        return $this->addDays((($value + 7 - $firstDay) % 7) - $dayOfWeek);
     }
 
     /**
@@ -1373,6 +1381,39 @@ trait Date
         return $value === null ? $dayOfWeekIso : $this->addDays($value - $dayOfWeekIso);
     }
 
+    /**
+     * Return the number of days since the start of the week (using the current locale or the first parameter
+     * if explicitly given).
+     *
+     * @param int|null $weekStartsAt optional start allow you to specify the day of week to use to start the week,
+     *                               if not provided, start of week is inferred from the locale
+     *                               (Sunday for en_US, Monday for de_DE, etc.)
+     *
+     * @return int
+     */
+    public function getDaysFromStartOfWeek(int $weekStartsAt = null): int
+    {
+        $firstDay = (int) ($weekStartsAt ?? $this->getTranslationMessage('first_day_of_week') ?? 0);
+
+        return ($this->dayOfWeek + 7 - $firstDay) % 7;
+    }
+
+    /**
+     * Set the day (keeping the current time) to the start of the week + the number of days passed as the first
+     * parameter. First day of week is driven by the locale unless explicitly set with the second parameter.
+     *
+     * @param int      $numberOfDays number of days to add after the start of the current week
+     * @param int|null $weekStartsAt optional start allow you to specify the day of week to use to start the week,
+     *                               if not provided, start of week is inferred from the locale
+     *                               (Sunday for en_US, Monday for de_DE, etc.)
+     *
+     * @return static
+     */
+    public function setDaysFromStartOfWeek(int $numberOfDays, int $weekStartsAt = null)
+    {
+        return $this->addDays($numberOfDays - $this->getDaysFromStartOfWeek($weekStartsAt));
+    }
+
     /**
      * Set any unit to a new value without overflowing current other unit given.
      *
@@ -1848,9 +1889,18 @@ trait Date
             $format = preg_replace('#(?<!%)((?:%%)*)%e#', '\1%#d', $format); // @codeCoverageIgnore
         }
 
-        $formatted = strftime($format, strtotime($this->toDateTimeString()));
+        $time = strtotime($this->toDateTimeString());
+        $formatted = ($this->localStrictModeEnabled ?? static::isStrictModeEnabled())
+            ? strftime($format, $time)
+            : @strftime($format, $time);
 
-        return static::$utf8 ? utf8_encode($formatted) : $formatted;
+        return static::$utf8
+            ? (
+                \function_exists('mb_convert_encoding')
+                ? mb_convert_encoding($formatted, 'UTF-8', mb_list_encodings())
+                : utf8_encode($formatted)
+            )
+            : $formatted;
     }
 
     /**
@@ -1869,6 +1919,10 @@ trait Date
             'LL' => $this->getTranslationMessage('formats.LL', $locale, 'MMMM D, YYYY'),
             'LLL' => $this->getTranslationMessage('formats.LLL', $locale, 'MMMM D, YYYY h:mm A'),
             'LLLL' => $this->getTranslationMessage('formats.LLLL', $locale, 'dddd, MMMM D, YYYY h:mm A'),
+            'l' => $this->getTranslationMessage('formats.l', $locale),
+            'll' => $this->getTranslationMessage('formats.ll', $locale),
+            'lll' => $this->getTranslationMessage('formats.lll', $locale),
+            'llll' => $this->getTranslationMessage('formats.llll', $locale),
         ];
     }
 
@@ -2152,7 +2206,7 @@ trait Date
 
             $input = mb_substr($format, $i);
 
-            if (preg_match('/^(LTS|LT|[Ll]{1,4})/', $input, $match)) {
+            if (preg_match('/^(LTS|LT|l{1,4}|L{1,4})/', $input, $match)) {
                 if ($formats === null) {
                     $formats = $this->getIsoFormats();
                 }
@@ -2256,6 +2310,7 @@ trait Date
                 'c' => true,
                 'r' => true,
                 'U' => true,
+                'T' => true,
             ];
         }
 
@@ -2359,7 +2414,7 @@ trait Date
         $symbol = $second < 0 ? '-' : '+';
         $minute = abs($second) / static::SECONDS_PER_MINUTE;
         $hour = str_pad((string) floor($minute / static::MINUTES_PER_HOUR), 2, '0', STR_PAD_LEFT);
-        $minute = str_pad((string) ($minute % static::MINUTES_PER_HOUR), 2, '0', STR_PAD_LEFT);
+        $minute = str_pad((string) (((int) $minute) % static::MINUTES_PER_HOUR), 2, '0', STR_PAD_LEFT);
 
         return "$symbol$hour$separator$minute";
     }
@@ -2479,7 +2534,7 @@ trait Date
             return 'millennia';
         }
 
-        return "${unit}s";
+        return "{$unit}s";
     }
 
     protected function executeCallable($macro, ...$parameters)
@@ -2566,7 +2621,7 @@ trait Date
         if (str_starts_with($unit, 'is')) {
             $word = substr($unit, 2);
 
-            if (\in_array($word, static::$days)) {
+            if (\in_array($word, static::$days, true)) {
                 return $this->isDayOfWeek($word);
             }
 
@@ -2594,7 +2649,7 @@ trait Date
             $unit = strtolower(substr($unit, 3));
         }
 
-        if (\in_array($unit, static::$units)) {
+        if (\in_array($unit, static::$units, true)) {
             return $this->setUnit($unit, ...$parameters);
         }
 
@@ -2604,7 +2659,7 @@ trait Date
             if (str_starts_with($unit, 'Real')) {
                 $unit = static::singularUnit(substr($unit, 4));
 
-                return $this->{"${action}RealUnit"}($unit, ...$parameters);
+                return $this->{"{$action}RealUnit"}($unit, ...$parameters);
             }
 
             if (preg_match('/^(Month|Quarter|Year|Decade|Century|Centurie|Millennium|Millennia)s?(No|With|Without|WithNo)Overflow$/', $unit, $match)) {
@@ -2616,7 +2671,7 @@ trait Date
         }
 
         if (static::isModifiableUnit($unit)) {
-            return $this->{"${action}Unit"}($unit, $parameters[0] ?? 1, $overflow);
+            return $this->{"{$action}Unit"}($unit, $this->getMagicParameter($parameters, 0, 'value', 1), $overflow);
         }
 
         $sixFirstLetters = substr($unit, 0, 6);
@@ -2655,7 +2710,11 @@ trait Date
             try {
                 $unit = static::singularUnit(substr($method, 0, -5));
 
-                return $this->range($parameters[0] ?? $this, $parameters[1] ?? 1, $unit);
+                return $this->range(
+                    $this->getMagicParameter($parameters, 0, 'endDate', $this),
+                    $this->getMagicParameter($parameters, 1, 'factor', 1),
+                    $unit
+                );
             } catch (InvalidArgumentException $exception) {
                 // Try macros
             }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Difference.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Difference.php
index cce1d2c3f..ab5b65d23 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Difference.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Difference.php
@@ -83,9 +83,9 @@ trait Difference
      *
      * @return CarbonInterval
      */
-    protected static function fixDiffInterval(DateInterval $diff, $absolute)
+    protected static function fixDiffInterval(DateInterval $diff, $absolute, array $skip = [])
     {
-        $diff = CarbonInterval::instance($diff);
+        $diff = CarbonInterval::instance($diff, $skip);
 
         // Work-around for https://bugs.php.net/bug.php?id=77145
         // @codeCoverageIgnoreStart
@@ -148,9 +148,9 @@ trait Difference
      *
      * @return CarbonInterval
      */
-    public function diffAsCarbonInterval($date = null, $absolute = true)
+    public function diffAsCarbonInterval($date = null, $absolute = true, array $skip = [])
     {
-        return static::fixDiffInterval($this->diff($this->resolveCarbon($date), $absolute), $absolute);
+        return static::fixDiffInterval($this->diff($this->resolveCarbon($date), $absolute), $absolute, $skip);
     }
 
     /**
@@ -189,9 +189,21 @@ trait Difference
      */
     public function diffInMonths($date = null, $absolute = true)
     {
-        $date = $this->resolveCarbon($date);
+        $date = $this->resolveCarbon($date)->avoidMutation()->tz($this->tz);
 
-        return $this->diffInYears($date, $absolute) * static::MONTHS_PER_YEAR + (int) $this->diff($date, $absolute)->format('%r%m');
+        [$yearStart, $monthStart, $dayStart] = explode('-', $this->format('Y-m-dHisu'));
+        [$yearEnd, $monthEnd, $dayEnd] = explode('-', $date->format('Y-m-dHisu'));
+
+        $diff = (((int) $yearEnd) - ((int) $yearStart)) * static::MONTHS_PER_YEAR +
+            ((int) $monthEnd) - ((int) $monthStart);
+
+        if ($diff > 0) {
+            $diff -= ($dayStart > $dayEnd ? 1 : 0);
+        } elseif ($diff < 0) {
+            $diff += ($dayStart < $dayEnd ? 1 : 0);
+        }
+
+        return $absolute ? abs($diff) : $diff;
     }
 
     /**
@@ -286,9 +298,9 @@ trait Difference
      */
     public function diffInWeekdays($date = null, $absolute = true)
     {
-        return $this->diffInDaysFiltered(function (CarbonInterface $date) {
+        return $this->diffInDaysFiltered(static function (CarbonInterface $date) {
             return $date->isWeekday();
-        }, $date, $absolute);
+        }, $this->resolveCarbon($date)->avoidMutation()->modify($this->format('H:i:s.u')), $absolute);
     }
 
     /**
@@ -301,9 +313,9 @@ trait Difference
      */
     public function diffInWeekendDays($date = null, $absolute = true)
     {
-        return $this->diffInDaysFiltered(function (CarbonInterface $date) {
+        return $this->diffInDaysFiltered(static function (CarbonInterface $date) {
             return $date->isWeekend();
-        }, $date, $absolute);
+        }, $this->resolveCarbon($date)->avoidMutation()->modify($this->format('H:i:s.u')), $absolute);
     }
 
     /**
@@ -472,7 +484,7 @@ trait Difference
      */
     public function floatDiffInSeconds($date = null, $absolute = true)
     {
-        return $this->diffInMicroseconds($date, $absolute) / static::MICROSECONDS_PER_SECOND;
+        return (float) ($this->diffInMicroseconds($date, $absolute) / static::MICROSECONDS_PER_SECOND);
     }
 
     /**
@@ -830,8 +842,9 @@ trait Difference
         $intSyntax = $intSyntax === static::DIFF_RELATIVE_AUTO && $other === null ? static::DIFF_RELATIVE_TO_NOW : $intSyntax;
 
         $parts = min(7, max(1, (int) $parts));
+        $skip = \is_array($syntax) ? ($syntax['skip'] ?? []) : [];
 
-        return $this->diffAsCarbonInterval($other, false)
+        return $this->diffAsCarbonInterval($other, false, (array) $skip)
             ->setLocalTranslator($this->getLocalTranslator())
             ->forHumans($syntax, (bool) $short, $parts, $options ?? $this->localHumanDiffOptions ?? static::getHumanDiffOptions());
     }
@@ -1161,7 +1174,7 @@ trait Difference
             version_compare(PHP_VERSION, '8.1.0-dev', '<') &&
             abs($interval->d - $daysDiff) === 1
         ) {
-            $daysDiff = abs($interval->d);
+            $daysDiff = abs($interval->d); // @codeCoverageIgnore
         }
 
         return $daysDiff * $sign;
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/IntervalRounding.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/IntervalRounding.php
index 4cd66b676..f069c280d 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/IntervalRounding.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/IntervalRounding.php
@@ -40,7 +40,7 @@ trait IntervalRounding
         $unit = 'second';
 
         if ($precision instanceof DateInterval) {
-            $precision = (string) CarbonInterval::instance($precision);
+            $precision = (string) CarbonInterval::instance($precision, [], true);
         }
 
         if (\is_string($precision) && preg_match('/^\s*(?<precision>\d+)?\s*(?<unit>\w+)(?<other>\W.*)?$/', $precision, $match)) {
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Localization.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Localization.php
index ddd2b4e98..46aff113e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Localization.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Localization.php
@@ -23,12 +23,16 @@ use Symfony\Component\Translation\TranslatorInterface;
 use Symfony\Contracts\Translation\LocaleAwareInterface;
 use Symfony\Contracts\Translation\TranslatorInterface as ContractsTranslatorInterface;
 
-if (!interface_exists('Symfony\\Component\\Translation\\TranslatorInterface')) {
+// @codeCoverageIgnoreStart
+if (interface_exists('Symfony\\Contracts\\Translation\\TranslatorInterface') &&
+    !interface_exists('Symfony\\Component\\Translation\\TranslatorInterface')
+) {
     class_alias(
         'Symfony\\Contracts\\Translation\\TranslatorInterface',
         'Symfony\\Component\\Translation\\TranslatorInterface'
     );
 }
+// @codeCoverageIgnoreEnd
 
 /**
  * Trait Localization.
@@ -355,6 +359,13 @@ trait Localization
             $weekdays = $messages['weekdays'] ?? [];
             $meridiem = $messages['meridiem'] ?? ['AM', 'PM'];
 
+            if (isset($messages['ordinal_words'])) {
+                $timeString = self::replaceOrdinalWords(
+                    $timeString,
+                    $key === 'from' ? array_flip($messages['ordinal_words']) : $messages['ordinal_words']
+                );
+            }
+
             if ($key === 'from') {
                 foreach (['months', 'weekdays'] as $variable) {
                     $list = $messages[$variable.'_standalone'] ?? null;
@@ -454,7 +465,7 @@ trait Localization
                 }
             }
 
-            $this->setLocalTranslator($translator);
+            $this->localTranslator = $translator;
         }
 
         return $this;
@@ -555,17 +566,13 @@ trait Localization
     public static function localeHasShortUnits($locale)
     {
         return static::executeWithLocale($locale, function ($newLocale, TranslatorInterface $translator) {
-            return $newLocale &&
-                (
-                    ($y = static::translateWith($translator, 'y')) !== 'y' &&
-                    $y !== static::translateWith($translator, 'year')
-                ) || (
-                    ($y = static::translateWith($translator, 'd')) !== 'd' &&
+            return ($newLocale && (($y = static::translateWith($translator, 'y')) !== 'y' && $y !== static::translateWith($translator, 'year'))) || (
+                ($y = static::translateWith($translator, 'd')) !== 'd' &&
                     $y !== static::translateWith($translator, 'day')
-                ) || (
-                    ($y = static::translateWith($translator, 'h')) !== 'h' &&
+            ) || (
+                ($y = static::translateWith($translator, 'h')) !== 'h' &&
                     $y !== static::translateWith($translator, 'hour')
-                );
+            );
         });
     }
 
@@ -734,7 +741,7 @@ trait Localization
         }
 
         if ($translator && !($translator instanceof LocaleAwareInterface || method_exists($translator, 'getLocale'))) {
-            throw new NotLocaleAwareException($translator);
+            throw new NotLocaleAwareException($translator); // @codeCoverageIgnore
         }
 
         return $translator;
@@ -823,4 +830,11 @@ trait Localization
 
         return $list;
     }
+
+    private static function replaceOrdinalWords(string $timeString, array $ordinalWords): string
+    {
+        return preg_replace_callback('/(?<![a-z])[a-z]+(?![a-z])/i', function (array $match) use ($ordinalWords) {
+            return $ordinalWords[mb_strtolower($match[0])] ?? $match[0];
+        }, $timeString);
+    }
 }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/MagicParameter.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/MagicParameter.php
new file mode 100644
index 000000000..310a44d0c
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/MagicParameter.php
@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\Traits;
+
+/**
+ * Trait MagicParameter.
+ *
+ * Allows to retrieve parameter in magic calls by index or name.
+ */
+trait MagicParameter
+{
+    private function getMagicParameter(array $parameters, int $index, string $key, $default)
+    {
+        if (\array_key_exists($index, $parameters)) {
+            return $parameters[$index];
+        }
+
+        if (\array_key_exists($key, $parameters)) {
+            return $parameters[$key];
+        }
+
+        return $default;
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Mixin.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Mixin.php
index 88b251df4..582245456 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Mixin.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Mixin.php
@@ -11,6 +11,9 @@
 
 namespace Carbon\Traits;
 
+use Carbon\CarbonInterface;
+use Carbon\CarbonInterval;
+use Carbon\CarbonPeriod;
 use Closure;
 use Generator;
 use ReflectionClass;
@@ -99,12 +102,13 @@ trait Mixin
     {
         $context = eval(self::getAnonymousClassCodeForTrait($trait));
         $className = \get_class($context);
+        $baseClass = static::class;
 
         foreach (self::getMixableMethods($context) as $name) {
             $closureBase = Closure::fromCallable([$context, $name]);
 
-            static::macro($name, function () use ($closureBase, $className) {
-                /** @phpstan-ignore-next-line */
+            static::macro($name, function (...$parameters) use ($closureBase, $className, $baseClass) {
+                $downContext = isset($this) ? ($this) : new $baseClass();
                 $context = isset($this) ? $this->cast($className) : new $className();
 
                 try {
@@ -117,7 +121,48 @@ trait Mixin
                 // in case of errors not converted into exceptions
                 $closure = $closure ?: $closureBase;
 
-                return $closure(...\func_get_args());
+                $result = $closure(...$parameters);
+
+                if (!($result instanceof $className)) {
+                    return $result;
+                }
+
+                if ($downContext instanceof CarbonInterface && $result instanceof CarbonInterface) {
+                    if ($context !== $result) {
+                        $downContext = $downContext->copy();
+                    }
+
+                    return $downContext
+                        ->setTimezone($result->getTimezone())
+                        ->modify($result->format('Y-m-d H:i:s.u'))
+                        ->settings($result->getSettings());
+                }
+
+                if ($downContext instanceof CarbonInterval && $result instanceof CarbonInterval) {
+                    if ($context !== $result) {
+                        $downContext = $downContext->copy();
+                    }
+
+                    $downContext->copyProperties($result);
+                    self::copyStep($downContext, $result);
+                    self::copyNegativeUnits($downContext, $result);
+
+                    return $downContext->settings($result->getSettings());
+                }
+
+                if ($downContext instanceof CarbonPeriod && $result instanceof CarbonPeriod) {
+                    if ($context !== $result) {
+                        $downContext = $downContext->copy();
+                    }
+
+                    return $downContext
+                        ->setDates($result->getStartDate(), $result->getEndDate())
+                        ->setRecurrences($result->getRecurrences())
+                        ->setOptions($result->getOptions())
+                        ->settings($result->getSettings());
+                }
+
+                return $result;
             });
         }
     }
@@ -151,22 +196,12 @@ trait Mixin
     protected static function bindMacroContext($context, callable $callable)
     {
         static::$macroContextStack[] = $context;
-        $exception = null;
-        $result = null;
 
         try {
-            $result = $callable();
-        } catch (Throwable $throwable) {
-            $exception = $throwable;
+            return $callable();
+        } finally {
+            array_pop(static::$macroContextStack);
         }
-
-        array_pop(static::$macroContextStack);
-
-        if ($exception) {
-            throw $exception;
-        }
-
-        return $result;
     }
 
     /**
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Modifiers.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Modifiers.php
index 164dbbd10..39343d8fa 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Modifiers.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Modifiers.php
@@ -75,7 +75,7 @@ trait Modifiers
      *
      * @param string|int|null $modifier
      *
-     * @return static
+     * @return static|false
      */
     public function next($modifier = null)
     {
@@ -157,7 +157,7 @@ trait Modifiers
      *
      * @param string|int|null $modifier
      *
-     * @return static
+     * @return static|false
      */
     public function previous($modifier = null)
     {
@@ -451,7 +451,7 @@ trait Modifiers
      *
      * @param string $modifier
      *
-     * @return static
+     * @return static|false
      */
     public function change($modifier)
     {
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Options.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Options.php
index 0ddee8dd6..48f973977 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Options.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Options.php
@@ -22,7 +22,7 @@ use Throwable;
  *
  * Depends on the following methods:
  *
- * @method \Carbon\Carbon|\Carbon\CarbonImmutable shiftTimezone($timezone) Set the timezone
+ * @method static shiftTimezone($timezone) Set the timezone
  */
 trait Options
 {
@@ -422,7 +422,7 @@ trait Options
         foreach ($map as $property => $key) {
             $value = $this->$property ?? null;
 
-            if ($value !== null) {
+            if ($value !== null && ($key !== 'locale' || $value !== 'en' || $this->localTranslator)) {
                 $settings[$key] = $value;
             }
         }
@@ -437,11 +437,11 @@ trait Options
      */
     public function __debugInfo()
     {
-        $infos = array_filter(get_object_vars($this), function ($var) {
+        $infos = array_filter(get_object_vars($this), static function ($var) {
             return $var;
         });
 
-        foreach (['dumpProperties', 'constructedObjectId'] as $property) {
+        foreach (['dumpProperties', 'constructedObjectId', 'constructed'] as $property) {
             if (isset($infos[$property])) {
                 unset($infos[$property]);
             }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Rounding.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Rounding.php
index 33062397f..85ff5a711 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Rounding.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Rounding.php
@@ -52,12 +52,11 @@ trait Rounding
             'millisecond' => [1000, 'microsecond'],
         ];
         $normalizedUnit = static::singularUnit($unit);
-        $ranges = array_merge(static::getRangesByUnit(), [
+        $ranges = array_merge(static::getRangesByUnit($this->daysInMonth), [
             // @call roundUnit
             'microsecond' => [0, 999999],
         ]);
         $factor = 1;
-        $initialMonth = $this->month;
 
         if ($normalizedUnit === 'week') {
             $normalizedUnit = 'day';
@@ -77,12 +76,15 @@ trait Rounding
         $found = false;
         $fraction = 0;
         $arguments = null;
+        $initialValue = null;
         $factor = $this->year < 0 ? -1 : 1;
         $changes = [];
+        $minimumInc = null;
 
         foreach ($ranges as $unit => [$minimum, $maximum]) {
             if ($normalizedUnit === $unit) {
                 $arguments = [$this->$unit, $minimum];
+                $initialValue = $this->$unit;
                 $fraction = $precision - floor($precision);
                 $found = true;
 
@@ -93,7 +95,23 @@ trait Rounding
                 $delta = $maximum + 1 - $minimum;
                 $factor /= $delta;
                 $fraction *= $delta;
-                $arguments[0] += $this->$unit * $factor;
+                $inc = ($this->$unit - $minimum) * $factor;
+
+                if ($inc !== 0.0) {
+                    $minimumInc = $minimumInc ?? ($arguments[0] / pow(2, 52));
+
+                    // If value is still the same when adding a non-zero increment/decrement,
+                    // it means precision got lost in the addition
+                    if (abs($inc) < $minimumInc) {
+                        $inc = $minimumInc * ($inc < 0 ? -1 : 1);
+                    }
+
+                    // If greater than $precision, assume precision loss caused an overflow
+                    if ($function !== 'floor' || abs($arguments[0] + $inc - $initialValue) >= $precision) {
+                        $arguments[0] += $inc;
+                    }
+                }
+
                 $changes[$unit] = round(
                     $minimum + ($fraction ? $fraction * $function(($this->$unit - $minimum) / $fraction) : 0)
                 );
@@ -111,16 +129,13 @@ trait Rounding
         $normalizedValue = floor($function(($value - $minimum) / $precision) * $precision + $minimum);
 
         /** @var CarbonInterface $result */
-        $result = $this->$normalizedUnit($normalizedValue);
+        $result = $this;
 
         foreach ($changes as $unit => $value) {
             $result = $result->$unit($value);
         }
 
-        return $normalizedUnit === 'month' && $precision <= 1 && abs($result->month - $initialMonth) === 2
-            // Re-run the change in case an overflow occurred
-            ? $result->$normalizedUnit($normalizedValue)
-            : $result;
+        return $result->$normalizedUnit($normalizedValue);
     }
 
     /**
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Serialization.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Serialization.php
index eebc69bd0..c1d5c5e13 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Serialization.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Serialization.php
@@ -120,6 +120,8 @@ trait Serialization
     /**
      * Returns the list of properties to dump on serialize() called on.
      *
+     * Only used by PHP < 7.4.
+     *
      * @return array
      */
     public function __sleep()
@@ -134,22 +136,70 @@ trait Serialization
         return $properties;
     }
 
+    /**
+     * Returns the values to dump on serialize() called on.
+     *
+     * Only used by PHP >= 7.4.
+     *
+     * @return array
+     */
+    public function __serialize(): array
+    {
+        // @codeCoverageIgnoreStart
+        if (isset($this->timezone_type, $this->timezone, $this->date)) {
+            return [
+                'date' => $this->date ?? null,
+                'timezone_type' => $this->timezone_type,
+                'timezone' => $this->timezone ?? null,
+            ];
+        }
+        // @codeCoverageIgnoreEnd
+
+        $timezone = $this->getTimezone();
+        $export = [
+            'date' => $this->format('Y-m-d H:i:s.u'),
+            'timezone_type' => $timezone->getType(),
+            'timezone' => $timezone->getName(),
+        ];
+
+        // @codeCoverageIgnoreStart
+        if (\extension_loaded('msgpack') && isset($this->constructedObjectId)) {
+            $export['dumpDateProperties'] = [
+                'date' => $this->format('Y-m-d H:i:s.u'),
+                'timezone' => serialize($this->timezone ?? null),
+            ];
+        }
+        // @codeCoverageIgnoreEnd
+
+        if ($this->localTranslator ?? null) {
+            $export['dumpLocale'] = $this->locale ?? null;
+        }
+
+        return $export;
+    }
+
     /**
      * Set locale if specified on unserialize() called.
      *
+     * Only used by PHP < 7.4.
+     *
      * @return void
      */
     #[ReturnTypeWillChange]
     public function __wakeup()
     {
-        if (get_parent_class() && method_exists(parent::class, '__wakeup')) {
+        if (parent::class && method_exists(parent::class, '__wakeup')) {
             // @codeCoverageIgnoreStart
             try {
                 parent::__wakeup();
             } catch (Throwable $exception) {
-                // FatalError occurs when calling msgpack_unpack() in PHP 7.4 or later.
-                ['date' => $date, 'timezone' => $timezone] = $this->dumpDateProperties;
-                parent::__construct($date, unserialize($timezone));
+                try {
+                    // FatalError occurs when calling msgpack_unpack() in PHP 7.4 or later.
+                    ['date' => $date, 'timezone' => $timezone] = $this->dumpDateProperties;
+                    parent::__construct($date, unserialize($timezone));
+                } catch (Throwable $ignoredException) {
+                    throw $exception;
+                }
             }
             // @codeCoverageIgnoreEnd
         }
@@ -164,6 +214,38 @@ trait Serialization
         $this->cleanupDumpProperties();
     }
 
+    /**
+     * Set locale if specified on unserialize() called.
+     *
+     * Only used by PHP >= 7.4.
+     *
+     * @return void
+     */
+    public function __unserialize(array $data): void
+    {
+        // @codeCoverageIgnoreStart
+        try {
+            $this->__construct($data['date'] ?? null, $data['timezone'] ?? null);
+        } catch (Throwable $exception) {
+            if (!isset($data['dumpDateProperties']['date'], $data['dumpDateProperties']['timezone'])) {
+                throw $exception;
+            }
+
+            try {
+                // FatalError occurs when calling msgpack_unpack() in PHP 7.4 or later.
+                ['date' => $date, 'timezone' => $timezone] = $data['dumpDateProperties'];
+                $this->__construct($date, unserialize($timezone));
+            } catch (Throwable $ignoredException) {
+                throw $exception;
+            }
+        }
+        // @codeCoverageIgnoreEnd
+
+        if (isset($data['dumpLocale'])) {
+            $this->locale($data['dumpLocale']);
+        }
+    }
+
     /**
      * Prepare the object for JSON serialization.
      *
@@ -207,11 +289,15 @@ trait Serialization
      */
     public function cleanupDumpProperties()
     {
-        foreach ($this->dumpProperties as $property) {
-            if (isset($this->$property)) {
-                unset($this->$property);
+        // @codeCoverageIgnoreStart
+        if (PHP_VERSION < 8.2) {
+            foreach ($this->dumpProperties as $property) {
+                if (isset($this->$property)) {
+                    unset($this->$property);
+                }
             }
         }
+        // @codeCoverageIgnoreEnd
 
         return $this;
     }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Test.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Test.php
index c86faa74c..f23c72e8f 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Test.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Test.php
@@ -28,7 +28,7 @@ trait Test
     /**
      * A test Carbon instance to be returned when now instances are created.
      *
-     * @var static
+     * @var Closure|static|null
      */
     protected static $testNow;
 
@@ -59,15 +59,13 @@ trait Test
      *
      * /!\ Use this method for unit tests only.
      *
-     * @param Closure|static|string|false|null $testNow real or mock Carbon instance
+     * @param DateTimeInterface|Closure|static|string|false|null $testNow real or mock Carbon instance
      */
     public static function setTestNow($testNow = null)
     {
-        if ($testNow === false) {
-            $testNow = null;
-        }
-
-        static::$testNow = \is_string($testNow) ? static::parse($testNow) : $testNow;
+        static::$testNow = $testNow instanceof self || $testNow instanceof Closure
+            ? $testNow
+            : static::make($testNow);
     }
 
     /**
@@ -87,7 +85,7 @@ trait Test
      *
      * /!\ Use this method for unit tests only.
      *
-     * @param Closure|static|string|false|null $testNow real or mock Carbon instance
+     * @param DateTimeInterface|Closure|static|string|false|null $testNow real or mock Carbon instance
      */
     public static function setTestNowAndTimezone($testNow = null, $tz = null)
     {
@@ -121,16 +119,22 @@ trait Test
      *
      * /!\ Use this method for unit tests only.
      *
-     * @param Closure|static|string|false|null $testNow  real or mock Carbon instance
-     * @param Closure|null                     $callback
+     * @template T
      *
-     * @return mixed
+     * @param DateTimeInterface|Closure|static|string|false|null $testNow  real or mock Carbon instance
+     * @param Closure(): T                                       $callback
+     *
+     * @return T
      */
-    public static function withTestNow($testNow = null, $callback = null)
+    public static function withTestNow($testNow, $callback)
     {
         static::setTestNow($testNow);
-        $result = $callback();
-        static::setTestNow();
+
+        try {
+            $result = $callback();
+        } finally {
+            static::setTestNow();
+        }
 
         return $result;
     }
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Timestamp.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Timestamp.php
index 2cb5c48d7..88a465c93 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Timestamp.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Timestamp.php
@@ -63,7 +63,7 @@ trait Timestamp
     public static function createFromTimestampMsUTC($timestamp)
     {
         [$milliseconds, $microseconds] = self::getIntegerAndDecimalParts($timestamp, 3);
-        $sign = $milliseconds < 0 || $milliseconds === 0.0 && $microseconds < 0 ? -1 : 1;
+        $sign = $milliseconds < 0 || ($milliseconds === 0.0 && $microseconds < 0) ? -1 : 1;
         $milliseconds = abs($milliseconds);
         $microseconds = $sign * abs($microseconds) + static::MICROSECONDS_PER_MILLISECOND * ($milliseconds % static::MILLISECONDS_PER_SECOND);
         $seconds = $sign * floor($milliseconds / static::MILLISECONDS_PER_SECOND);
@@ -125,7 +125,7 @@ trait Timestamp
      */
     public function getPreciseTimestamp($precision = 6)
     {
-        return round($this->rawFormat('Uu') / pow(10, 6 - $precision));
+        return round(((float) $this->rawFormat('Uu')) / pow(10, 6 - $precision));
     }
 
     /**
@@ -182,7 +182,7 @@ trait Timestamp
         $integer = 0;
         $decimal = 0;
 
-        foreach (preg_split('`[^0-9.]+`', $numbers) as $chunk) {
+        foreach (preg_split('`[^\d.]+`', $numbers) as $chunk) {
             [$integerPart, $decimalPart] = explode('.', "$chunk.");
 
             $integer += (int) $integerPart;
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/ToStringFormat.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/ToStringFormat.php
new file mode 100644
index 000000000..a81164f99
--- /dev/null
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/ToStringFormat.php
@@ -0,0 +1,56 @@
+<?php
+
+/**
+ * This file is part of the Carbon package.
+ *
+ * (c) Brian Nesbitt <brian@nesbot.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Carbon\Traits;
+
+use Closure;
+
+/**
+ * Trait ToStringFormat.
+ *
+ * Handle global format customization for string cast of the object.
+ */
+trait ToStringFormat
+{
+    /**
+     * Format to use for __toString method when type juggling occurs.
+     *
+     * @var string|Closure|null
+     */
+    protected static $toStringFormat;
+
+    /**
+     * Reset the format used to the default when type juggling a Carbon instance to a string
+     *
+     * @return void
+     */
+    public static function resetToStringFormat()
+    {
+        static::setToStringFormat(null);
+    }
+
+    /**
+     * @deprecated To avoid conflict between different third-party libraries, static setters should not be used.
+     *             You should rather let Carbon object being cast to string with DEFAULT_TO_STRING_FORMAT, and
+     *             use other method or custom format passed to format() method if you need to dump another string
+     *             format.
+     *
+     * Set the default format used when type juggling a Carbon instance to a string.
+     *
+     * @param string|Closure|null $format
+     *
+     * @return void
+     */
+    public static function setToStringFormat($format)
+    {
+        static::$toStringFormat = $format;
+    }
+}
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Units.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Units.php
index 2902a8b10..5be14ec7e 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Units.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/Traits/Units.php
@@ -17,6 +17,7 @@ use Carbon\CarbonInterval;
 use Carbon\Exceptions\UnitException;
 use Closure;
 use DateInterval;
+use DateMalformedStringException;
 use ReturnTypeWillChange;
 
 /**
@@ -60,8 +61,6 @@ trait Units
             case 'millisecond':
                 return $this->addRealUnit('microsecond', $value * static::MICROSECONDS_PER_MILLISECOND);
 
-                break;
-
             // @call addRealUnit
             case 'second':
                 break;
@@ -167,7 +166,7 @@ trait Units
             'weekday',
         ];
 
-        return \in_array($unit, $modifiableUnits) || \in_array($unit, static::$units);
+        return \in_array($unit, $modifiableUnits, true) || \in_array($unit, static::$units, true);
     }
 
     /**
@@ -199,7 +198,7 @@ trait Units
     public function add($unit, $value = 1, $overflow = null)
     {
         if (\is_string($unit) && \func_num_args() === 1) {
-            $unit = CarbonInterval::make($unit);
+            $unit = CarbonInterval::make($unit, [], true);
         }
 
         if ($unit instanceof CarbonConverterInterface) {
@@ -232,6 +231,8 @@ trait Units
      */
     public function addUnit($unit, $value = 1, $overflow = null)
     {
+        $originalArgs = \func_get_args();
+
         $date = $this;
 
         if (!is_numeric($value) || !(float) $value) {
@@ -264,7 +265,7 @@ trait Units
                     /** @var static $date */
                     $date = $date->addDays($sign);
 
-                    while (\in_array($date->dayOfWeek, $weekendDays)) {
+                    while (\in_array($date->dayOfWeek, $weekendDays, true)) {
                         $date = $date->addDays($sign);
                     }
                 }
@@ -274,14 +275,14 @@ trait Units
             }
 
             $timeString = $date->toTimeString();
-        } elseif ($canOverflow = \in_array($unit, [
+        } elseif ($canOverflow = (\in_array($unit, [
                 'month',
                 'year',
             ]) && ($overflow === false || (
                 $overflow === null &&
                 ($ucUnit = ucfirst($unit).'s') &&
                 !($this->{'local'.$ucUnit.'Overflow'} ?? static::{'shouldOverflow'.$ucUnit}())
-            ))) {
+            )))) {
             $day = $date->day;
         }
 
@@ -304,16 +305,21 @@ trait Units
             $unit = 'second';
             $value = $second;
         }
-        $date = $date->modify("$value $unit");
 
-        if (isset($timeString)) {
-            $date = $date->setTimeFromTimeString($timeString);
-        } elseif (isset($canOverflow, $day) && $canOverflow && $day !== $date->day) {
-            $date = $date->modify('last day of previous month');
+        try {
+            $date = $date->modify("$value $unit");
+
+            if (isset($timeString)) {
+                $date = $date->setTimeFromTimeString($timeString);
+            } elseif (isset($canOverflow, $day) && $canOverflow && $day !== $date->day) {
+                $date = $date->modify('last day of previous month');
+            }
+        } catch (DateMalformedStringException $ignoredException) { // @codeCoverageIgnore
+            $date = null; // @codeCoverageIgnore
         }
 
         if (!$date) {
-            throw new UnitException('Unable to add unit '.var_export(\func_get_args(), true));
+            throw new UnitException('Unable to add unit '.var_export($originalArgs, true));
         }
 
         return $date;
@@ -362,7 +368,7 @@ trait Units
     public function sub($unit, $value = 1, $overflow = null)
     {
         if (\is_string($unit) && \func_num_args() === 1) {
-            $unit = CarbonInterval::make($unit);
+            $unit = CarbonInterval::make($unit, [], true);
         }
 
         if ($unit instanceof CarbonConverterInterface) {
@@ -398,7 +404,7 @@ trait Units
     public function subtract($unit, $value = 1, $overflow = null)
     {
         if (\is_string($unit) && \func_num_args() === 1) {
-            $unit = CarbonInterval::make($unit);
+            $unit = CarbonInterval::make($unit, [], true);
         }
 
         return $this->sub($unit, $value, $overflow);
diff --git a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/TranslatorImmutable.php b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/TranslatorImmutable.php
index ad36c6704..ce6b2f90a 100644
--- a/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/TranslatorImmutable.php
+++ b/data/web/inc/lib/vendor/nesbot/carbon/src/Carbon/TranslatorImmutable.php
@@ -66,7 +66,7 @@ class TranslatorImmutable extends Translator
     /**
      * @codeCoverageIgnore
      */
-    public function setConfigCacheFactory(ConfigCacheFactoryInterface $configCacheFactory)
+    public function setConfigCacheFactory(ConfigCacheFactoryInterface $configCacheFactory): void
     {
         $this->disallowMutation(__METHOD__);
 
diff --git a/data/web/inc/lib/vendor/psr/clock/CHANGELOG.md b/data/web/inc/lib/vendor/psr/clock/CHANGELOG.md
new file mode 100644
index 000000000..3cd6b9b75
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/clock/CHANGELOG.md
@@ -0,0 +1,11 @@
+# Changelog
+
+All notable changes to this project will be documented in this file, in reverse chronological order by release.
+
+## 1.0.0
+
+First stable release after PSR-20 acceptance
+
+## 0.1.0
+
+First release
diff --git a/data/web/inc/lib/vendor/psr/clock/LICENSE b/data/web/inc/lib/vendor/psr/clock/LICENSE
new file mode 100644
index 000000000..be6834212
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/clock/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2017 PHP Framework Interoperability Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/data/web/inc/lib/vendor/psr/clock/README.md b/data/web/inc/lib/vendor/psr/clock/README.md
new file mode 100644
index 000000000..6ca877eeb
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/clock/README.md
@@ -0,0 +1,61 @@
+# PSR Clock
+
+This repository holds the interface for [PSR-20][psr-url].
+
+Note that this is not a clock of its own. It is merely an interface that
+describes a clock. See the specification for more details.
+
+## Installation
+
+```bash
+composer require psr/clock
+```
+
+## Usage
+
+If you need a clock, you can use the interface like this:
+
+```php
+<?php
+
+use Psr\Clock\ClockInterface;
+
+class Foo
+{
+    private ClockInterface $clock;
+
+    public function __construct(ClockInterface $clock)
+    {
+        $this->clock = $clock;
+    }
+
+    public function doSomething()
+    {
+        /** @var DateTimeImmutable $currentDateAndTime */
+        $currentDateAndTime = $this->clock->now();
+        // do something useful with that information
+    }
+}
+```
+
+You can then pick one of the [implementations][implementation-url] of the interface to get a clock.
+
+If you want to implement the interface, you can require this package and
+implement `Psr\Clock\ClockInterface` in your code. 
+
+Don't forget to add `psr/clock-implementation` to your `composer.json`s `provides`-section like this:
+
+```json
+{
+  "provides": {
+    "psr/clock-implementation": "1.0"
+  }
+}
+```
+
+And please read the [specification text][specification-url] for details on the interface.
+
+[psr-url]: https://www.php-fig.org/psr/psr-20
+[package-url]: https://packagist.org/packages/psr/clock
+[implementation-url]: https://packagist.org/providers/psr/clock-implementation
+[specification-url]: https://github.com/php-fig/fig-standards/blob/master/proposed/clock.md
diff --git a/data/web/inc/lib/vendor/psr/clock/composer.json b/data/web/inc/lib/vendor/psr/clock/composer.json
new file mode 100644
index 000000000..77992eda7
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/clock/composer.json
@@ -0,0 +1,21 @@
+{
+  "name": "psr/clock",
+  "description": "Common interface for reading the clock.",
+  "keywords": ["psr", "psr-20", "time", "clock", "now"],
+  "homepage": "https://github.com/php-fig/clock",
+  "license": "MIT",
+  "authors": [
+    {
+      "name": "PHP-FIG",
+      "homepage": "https://www.php-fig.org/"
+    }
+  ],
+  "require": {
+    "php": "^7.0 || ^8.0"
+  },
+  "autoload": {
+    "psr-4": {
+      "Psr\\Clock\\": "src/"
+    }
+  }
+}
diff --git a/data/web/inc/lib/vendor/psr/clock/src/ClockInterface.php b/data/web/inc/lib/vendor/psr/clock/src/ClockInterface.php
new file mode 100644
index 000000000..7b6d8d8aa
--- /dev/null
+++ b/data/web/inc/lib/vendor/psr/clock/src/ClockInterface.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Psr\Clock;
+
+use DateTimeImmutable;
+
+interface ClockInterface
+{
+    /**
+     * Returns the current time as a DateTimeImmutable Object
+     */
+    public function now(): DateTimeImmutable;
+}
diff --git a/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json b/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json
index 774200fdc..c6d02d874 100644
--- a/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json
+++ b/data/web/inc/lib/vendor/symfony/deprecation-contracts/composer.json
@@ -25,7 +25,7 @@
     "minimum-stability": "dev",
     "extra": {
         "branch-alias": {
-            "dev-main": "3.3-dev"
+            "dev-main": "3.4-dev"
         },
         "thanks": {
             "name": "symfony/contracts",
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/LICENSE b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/LICENSE
index 4cd8bdd30..6e3afce69 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/LICENSE
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-2019 Fabien Potencier
+Copyright (c) 2015-present Fabien Potencier
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Mbstring.php b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Mbstring.php
index b65c54a6b..2e0b96940 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Mbstring.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Mbstring.php
@@ -69,7 +69,7 @@ final class Mbstring
 {
     public const MB_CASE_FOLD = \PHP_INT_MAX;
 
-    private const CASE_FOLD = [
+    private const SIMPLE_CASE_FOLD = [
         ['µ', 'ſ', "\xCD\x85", 'ς', "\xCF\x90", "\xCF\x91", "\xCF\x95", "\xCF\x96", "\xCF\xB0", "\xCF\xB1", "\xCF\xB5", "\xE1\xBA\x9B", "\xE1\xBE\xBE"],
         ['μ', 's', 'ι',        'σ', 'β',        'θ',        'φ',        'π',        'κ',        'ρ',        'ε',        "\xE1\xB9\xA1", 'ι'],
     ];
@@ -80,7 +80,7 @@ final class Mbstring
 
     public static function mb_convert_encoding($s, $toEncoding, $fromEncoding = null)
     {
-        if (\is_array($fromEncoding) || ($fromEncoding !== null && false !== strpos($fromEncoding, ','))) {
+        if (\is_array($fromEncoding) || (null !== $fromEncoding && false !== strpos($fromEncoding, ','))) {
             $fromEncoding = self::mb_detect_encoding($s, $fromEncoding);
         } else {
             $fromEncoding = self::getEncoding($fromEncoding);
@@ -102,7 +102,7 @@ final class Mbstring
                 $fromEncoding = 'Windows-1252';
             }
             if ('UTF-8' !== $fromEncoding) {
-                $s = \iconv($fromEncoding, 'UTF-8//IGNORE', $s);
+                $s = iconv($fromEncoding, 'UTF-8//IGNORE', $s);
             }
 
             return preg_replace_callback('/[\x80-\xFF]+/', [__CLASS__, 'html_encoding_callback'], $s);
@@ -113,7 +113,7 @@ final class Mbstring
             $fromEncoding = 'UTF-8';
         }
 
-        return \iconv($fromEncoding, $toEncoding.'//IGNORE', $s);
+        return iconv($fromEncoding, $toEncoding.'//IGNORE', $s);
     }
 
     public static function mb_convert_variables($toEncoding, $fromEncoding, &...$vars)
@@ -130,7 +130,7 @@ final class Mbstring
 
     public static function mb_decode_mimeheader($s)
     {
-        return \iconv_mime_decode($s, 2, self::$internalEncoding);
+        return iconv_mime_decode($s, 2, self::$internalEncoding);
     }
 
     public static function mb_encode_mimeheader($s, $charset = null, $transferEncoding = null, $linefeed = null, $indent = null)
@@ -140,7 +140,7 @@ final class Mbstring
 
     public static function mb_decode_numericentity($s, $convmap, $encoding = null)
     {
-        if (null !== $s && !is_scalar($s) && !(\is_object($s) && method_exists($s, '__toString'))) {
+        if (null !== $s && !\is_scalar($s) && !(\is_object($s) && method_exists($s, '__toString'))) {
             trigger_error('mb_decode_numericentity() expects parameter 1 to be string, '.\gettype($s).' given', \E_USER_WARNING);
 
             return null;
@@ -150,7 +150,7 @@ final class Mbstring
             return false;
         }
 
-        if (null !== $encoding && !is_scalar($encoding)) {
+        if (null !== $encoding && !\is_scalar($encoding)) {
             trigger_error('mb_decode_numericentity() expects parameter 3 to be string, '.\gettype($s).' given', \E_USER_WARNING);
 
             return '';  // Instead of null (cf. mb_encode_numericentity).
@@ -166,10 +166,10 @@ final class Mbstring
         if ('UTF-8' === $encoding) {
             $encoding = null;
             if (!preg_match('//u', $s)) {
-                $s = @\iconv('UTF-8', 'UTF-8//IGNORE', $s);
+                $s = @iconv('UTF-8', 'UTF-8//IGNORE', $s);
             }
         } else {
-            $s = \iconv($encoding, 'UTF-8//IGNORE', $s);
+            $s = iconv($encoding, 'UTF-8//IGNORE', $s);
         }
 
         $cnt = floor(\count($convmap) / 4) * 4;
@@ -195,12 +195,12 @@ final class Mbstring
             return $s;
         }
 
-        return \iconv('UTF-8', $encoding.'//IGNORE', $s);
+        return iconv('UTF-8', $encoding.'//IGNORE', $s);
     }
 
     public static function mb_encode_numericentity($s, $convmap, $encoding = null, $is_hex = false)
     {
-        if (null !== $s && !is_scalar($s) && !(\is_object($s) && method_exists($s, '__toString'))) {
+        if (null !== $s && !\is_scalar($s) && !(\is_object($s) && method_exists($s, '__toString'))) {
             trigger_error('mb_encode_numericentity() expects parameter 1 to be string, '.\gettype($s).' given', \E_USER_WARNING);
 
             return null;
@@ -210,13 +210,13 @@ final class Mbstring
             return false;
         }
 
-        if (null !== $encoding && !is_scalar($encoding)) {
+        if (null !== $encoding && !\is_scalar($encoding)) {
             trigger_error('mb_encode_numericentity() expects parameter 3 to be string, '.\gettype($s).' given', \E_USER_WARNING);
 
             return null;  // Instead of '' (cf. mb_decode_numericentity).
         }
 
-        if (null !== $is_hex && !is_scalar($is_hex)) {
+        if (null !== $is_hex && !\is_scalar($is_hex)) {
             trigger_error('mb_encode_numericentity() expects parameter 4 to be boolean, '.\gettype($s).' given', \E_USER_WARNING);
 
             return null;
@@ -232,10 +232,10 @@ final class Mbstring
         if ('UTF-8' === $encoding) {
             $encoding = null;
             if (!preg_match('//u', $s)) {
-                $s = @\iconv('UTF-8', 'UTF-8//IGNORE', $s);
+                $s = @iconv('UTF-8', 'UTF-8//IGNORE', $s);
             }
         } else {
-            $s = \iconv($encoding, 'UTF-8//IGNORE', $s);
+            $s = iconv($encoding, 'UTF-8//IGNORE', $s);
         }
 
         static $ulenMask = ["\xC0" => 2, "\xD0" => 2, "\xE0" => 3, "\xF0" => 4];
@@ -265,7 +265,7 @@ final class Mbstring
             return $result;
         }
 
-        return \iconv('UTF-8', $encoding.'//IGNORE', $result);
+        return iconv('UTF-8', $encoding.'//IGNORE', $result);
     }
 
     public static function mb_convert_case($s, $mode, $encoding = null)
@@ -280,10 +280,10 @@ final class Mbstring
         if ('UTF-8' === $encoding) {
             $encoding = null;
             if (!preg_match('//u', $s)) {
-                $s = @\iconv('UTF-8', 'UTF-8//IGNORE', $s);
+                $s = @iconv('UTF-8', 'UTF-8//IGNORE', $s);
             }
         } else {
-            $s = \iconv($encoding, 'UTF-8//IGNORE', $s);
+            $s = iconv($encoding, 'UTF-8//IGNORE', $s);
         }
 
         if (\MB_CASE_TITLE == $mode) {
@@ -301,7 +301,11 @@ final class Mbstring
                 $map = $upper;
             } else {
                 if (self::MB_CASE_FOLD === $mode) {
-                    $s = str_replace(self::CASE_FOLD[0], self::CASE_FOLD[1], $s);
+                    static $caseFolding = null;
+                    if (null === $caseFolding) {
+                        $caseFolding = self::getData('caseFolding');
+                    }
+                    $s = strtr($s, $caseFolding);
                 }
 
                 static $lower = null;
@@ -343,7 +347,7 @@ final class Mbstring
             return $s;
         }
 
-        return \iconv('UTF-8', $encoding.'//IGNORE', $s);
+        return iconv('UTF-8', $encoding.'//IGNORE', $s);
     }
 
     public static function mb_internal_encoding($encoding = null)
@@ -354,7 +358,7 @@ final class Mbstring
 
         $normalizedEncoding = self::getEncoding($encoding);
 
-        if ('UTF-8' === $normalizedEncoding || false !== @\iconv($normalizedEncoding, $normalizedEncoding, ' ')) {
+        if ('UTF-8' === $normalizedEncoding || false !== @iconv($normalizedEncoding, $normalizedEncoding, ' ')) {
             self::$internalEncoding = $normalizedEncoding;
 
             return true;
@@ -406,6 +410,12 @@ final class Mbstring
 
     public static function mb_check_encoding($var = null, $encoding = null)
     {
+        if (PHP_VERSION_ID < 70200 && \is_array($var)) {
+            trigger_error('mb_check_encoding() expects parameter 1 to be string, array given', \E_USER_WARNING);
+
+            return null;
+        }
+
         if (null === $encoding) {
             if (null === $var) {
                 return false;
@@ -413,7 +423,21 @@ final class Mbstring
             $encoding = self::$internalEncoding;
         }
 
-        return self::mb_detect_encoding($var, [$encoding]) || false !== @\iconv($encoding, $encoding, $var);
+        if (!\is_array($var)) {
+            return self::mb_detect_encoding($var, [$encoding]) || false !== @iconv($encoding, $encoding, $var);
+        }
+
+        foreach ($var as $key => $value) {
+            if (!self::mb_check_encoding($key, $encoding)) {
+                return false;
+            }
+            if (!self::mb_check_encoding($value, $encoding)) {
+                return false;
+            }
+        }
+
+        return true;
+
     }
 
     public static function mb_detect_encoding($str, $encodingList = null, $strict = false)
@@ -488,7 +512,7 @@ final class Mbstring
             return \strlen($s);
         }
 
-        return @\iconv_strlen($s, $encoding);
+        return @iconv_strlen($s, $encoding);
     }
 
     public static function mb_strpos($haystack, $needle, $offset = 0, $encoding = null)
@@ -509,7 +533,7 @@ final class Mbstring
             return 0;
         }
 
-        return \iconv_strpos($haystack, $needle, $offset, $encoding);
+        return iconv_strpos($haystack, $needle, $offset, $encoding);
     }
 
     public static function mb_strrpos($haystack, $needle, $offset = 0, $encoding = null)
@@ -533,7 +557,7 @@ final class Mbstring
         }
 
         $pos = '' !== $needle || 80000 > \PHP_VERSION_ID
-            ? \iconv_strrpos($haystack, $needle, $encoding)
+            ? iconv_strrpos($haystack, $needle, $encoding)
             : self::mb_strlen($haystack, $encoding);
 
         return false !== $pos ? $offset + $pos : false;
@@ -541,7 +565,7 @@ final class Mbstring
 
     public static function mb_str_split($string, $split_length = 1, $encoding = null)
     {
-        if (null !== $string && !is_scalar($string) && !(\is_object($string) && method_exists($string, '__toString'))) {
+        if (null !== $string && !\is_scalar($string) && !(\is_object($string) && method_exists($string, '__toString'))) {
             trigger_error('mb_str_split() expects parameter 1 to be string, '.\gettype($string).' given', \E_USER_WARNING);
 
             return null;
@@ -550,6 +574,7 @@ final class Mbstring
         if (1 > $split_length = (int) $split_length) {
             if (80000 > \PHP_VERSION_ID) {
                 trigger_error('The length of each segment must be greater than zero', \E_USER_WARNING);
+
                 return false;
             }
 
@@ -568,7 +593,7 @@ final class Mbstring
             }
             $rx .= '.{'.$split_length.'})/us';
 
-            return preg_split($rx, $string, null, \PREG_SPLIT_DELIM_CAPTURE | \PREG_SPLIT_NO_EMPTY);
+            return preg_split($rx, $string, -1, \PREG_SPLIT_DELIM_CAPTURE | \PREG_SPLIT_NO_EMPTY);
         }
 
         $result = [];
@@ -617,7 +642,7 @@ final class Mbstring
         }
 
         if ($start < 0) {
-            $start = \iconv_strlen($s, $encoding) + $start;
+            $start = iconv_strlen($s, $encoding) + $start;
             if ($start < 0) {
                 $start = 0;
             }
@@ -626,19 +651,21 @@ final class Mbstring
         if (null === $length) {
             $length = 2147483647;
         } elseif ($length < 0) {
-            $length = \iconv_strlen($s, $encoding) + $length - $start;
+            $length = iconv_strlen($s, $encoding) + $length - $start;
             if ($length < 0) {
                 return '';
             }
         }
 
-        return (string) \iconv_substr($s, $start, $length, $encoding);
+        return (string) iconv_substr($s, $start, $length, $encoding);
     }
 
     public static function mb_stripos($haystack, $needle, $offset = 0, $encoding = null)
     {
-        $haystack = self::mb_convert_case($haystack, self::MB_CASE_FOLD, $encoding);
-        $needle = self::mb_convert_case($needle, self::MB_CASE_FOLD, $encoding);
+        [$haystack, $needle] = str_replace(self::SIMPLE_CASE_FOLD[0], self::SIMPLE_CASE_FOLD[1], [
+            self::mb_convert_case($haystack, \MB_CASE_LOWER, $encoding),
+            self::mb_convert_case($needle, \MB_CASE_LOWER, $encoding),
+        ]);
 
         return self::mb_strpos($haystack, $needle, $offset, $encoding);
     }
@@ -657,7 +684,7 @@ final class Mbstring
             $pos = strrpos($haystack, $needle);
         } else {
             $needle = self::mb_substr($needle, 0, 1, $encoding);
-            $pos = \iconv_strrpos($haystack, $needle, $encoding);
+            $pos = iconv_strrpos($haystack, $needle, $encoding);
         }
 
         return self::getSubpart($pos, $part, $haystack, $encoding);
@@ -673,8 +700,11 @@ final class Mbstring
 
     public static function mb_strripos($haystack, $needle, $offset = 0, $encoding = null)
     {
-        $haystack = self::mb_convert_case($haystack, self::MB_CASE_FOLD, $encoding);
-        $needle = self::mb_convert_case($needle, self::MB_CASE_FOLD, $encoding);
+        $haystack = self::mb_convert_case($haystack, \MB_CASE_LOWER, $encoding);
+        $needle = self::mb_convert_case($needle, \MB_CASE_LOWER, $encoding);
+
+        $haystack = str_replace(self::SIMPLE_CASE_FOLD[0], self::SIMPLE_CASE_FOLD[1], $haystack);
+        $needle = str_replace(self::SIMPLE_CASE_FOLD[0], self::SIMPLE_CASE_FOLD[1], $needle);
 
         return self::mb_strrpos($haystack, $needle, $offset, $encoding);
     }
@@ -736,12 +766,12 @@ final class Mbstring
         $encoding = self::getEncoding($encoding);
 
         if ('UTF-8' !== $encoding) {
-            $s = \iconv($encoding, 'UTF-8//IGNORE', $s);
+            $s = iconv($encoding, 'UTF-8//IGNORE', $s);
         }
 
         $s = preg_replace('/[\x{1100}-\x{115F}\x{2329}\x{232A}\x{2E80}-\x{303E}\x{3040}-\x{A4CF}\x{AC00}-\x{D7A3}\x{F900}-\x{FAFF}\x{FE10}-\x{FE19}\x{FE30}-\x{FE6F}\x{FF00}-\x{FF60}\x{FFE0}-\x{FFE6}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}]/u', '', $s, -1, $wide);
 
-        return ($wide << 1) + \iconv_strlen($s, 'UTF-8');
+        return ($wide << 1) + iconv_strlen($s, 'UTF-8');
     }
 
     public static function mb_substr_count($haystack, $needle, $encoding = null)
@@ -797,6 +827,50 @@ final class Mbstring
         return $code;
     }
 
+    public static function mb_str_pad(string $string, int $length, string $pad_string = ' ', int $pad_type = \STR_PAD_RIGHT, string $encoding = null): string
+    {
+        if (!\in_array($pad_type, [\STR_PAD_RIGHT, \STR_PAD_LEFT, \STR_PAD_BOTH], true)) {
+            throw new \ValueError('mb_str_pad(): Argument #4 ($pad_type) must be STR_PAD_LEFT, STR_PAD_RIGHT, or STR_PAD_BOTH');
+        }
+
+        if (null === $encoding) {
+            $encoding = self::mb_internal_encoding();
+        }
+
+        try {
+            $validEncoding = @self::mb_check_encoding('', $encoding);
+        } catch (\ValueError $e) {
+            throw new \ValueError(sprintf('mb_str_pad(): Argument #5 ($encoding) must be a valid encoding, "%s" given', $encoding));
+        }
+
+        // BC for PHP 7.3 and lower
+        if (!$validEncoding) {
+            throw new \ValueError(sprintf('mb_str_pad(): Argument #5 ($encoding) must be a valid encoding, "%s" given', $encoding));
+        }
+
+        if (self::mb_strlen($pad_string, $encoding) <= 0) {
+            throw new \ValueError('mb_str_pad(): Argument #3 ($pad_string) must be a non-empty string');
+        }
+
+        $paddingRequired = $length - self::mb_strlen($string, $encoding);
+
+        if ($paddingRequired < 1) {
+            return $string;
+        }
+
+        switch ($pad_type) {
+            case \STR_PAD_LEFT:
+                return self::mb_substr(str_repeat($pad_string, $paddingRequired), 0, $paddingRequired, $encoding).$string;
+            case \STR_PAD_RIGHT:
+                return $string.self::mb_substr(str_repeat($pad_string, $paddingRequired), 0, $paddingRequired, $encoding);
+            default:
+                $leftPaddingLength = floor($paddingRequired / 2);
+                $rightPaddingLength = $paddingRequired - $leftPaddingLength;
+
+                return self::mb_substr(str_repeat($pad_string, $leftPaddingLength), 0, $leftPaddingLength, $encoding).$string.self::mb_substr(str_repeat($pad_string, $rightPaddingLength), 0, $rightPaddingLength, $encoding);
+        }
+    }
+
     private static function getSubpart($pos, $part, $haystack, $encoding)
     {
         if (false === $pos) {
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/README.md b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/README.md
index 4efb599d8..478b40da2 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/README.md
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/README.md
@@ -5,7 +5,7 @@ This component provides a partial, native PHP implementation for the
 [Mbstring](https://php.net/mbstring) extension.
 
 More information can be found in the
-[main Polyfill README](https://github.com/symfony/polyfill/blob/master/README.md).
+[main Polyfill README](https://github.com/symfony/polyfill/blob/main/README.md).
 
 License
 =======
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Resources/unidata/caseFolding.php b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Resources/unidata/caseFolding.php
new file mode 100644
index 000000000..512bba0bf
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/Resources/unidata/caseFolding.php
@@ -0,0 +1,119 @@
+<?php
+
+return [
+    'İ' => 'i̇',
+    'µ' => 'μ',
+    'ſ' => 's',
+    'ͅ' => 'ι',
+    'ς' => 'σ',
+    'ϐ' => 'β',
+    'ϑ' => 'θ',
+    'ϕ' => 'φ',
+    'ϖ' => 'π',
+    'ϰ' => 'κ',
+    'ϱ' => 'ρ',
+    'ϵ' => 'ε',
+    'ẛ' => 'ṡ',
+    'ι' => 'ι',
+    'ß' => 'ss',
+    'ʼn' => 'ʼn',
+    'ǰ' => 'ǰ',
+    'ΐ' => 'ΐ',
+    'ΰ' => 'ΰ',
+    'և' => 'եւ',
+    'ẖ' => 'ẖ',
+    'ẗ' => 'ẗ',
+    'ẘ' => 'ẘ',
+    'ẙ' => 'ẙ',
+    'ẚ' => 'aʾ',
+    'ẞ' => 'ss',
+    'ὐ' => 'ὐ',
+    'ὒ' => 'ὒ',
+    'ὔ' => 'ὔ',
+    'ὖ' => 'ὖ',
+    'ᾀ' => 'ἀι',
+    'ᾁ' => 'ἁι',
+    'ᾂ' => 'ἂι',
+    'ᾃ' => 'ἃι',
+    'ᾄ' => 'ἄι',
+    'ᾅ' => 'ἅι',
+    'ᾆ' => 'ἆι',
+    'ᾇ' => 'ἇι',
+    'ᾈ' => 'ἀι',
+    'ᾉ' => 'ἁι',
+    'ᾊ' => 'ἂι',
+    'ᾋ' => 'ἃι',
+    'ᾌ' => 'ἄι',
+    'ᾍ' => 'ἅι',
+    'ᾎ' => 'ἆι',
+    'ᾏ' => 'ἇι',
+    'ᾐ' => 'ἠι',
+    'ᾑ' => 'ἡι',
+    'ᾒ' => 'ἢι',
+    'ᾓ' => 'ἣι',
+    'ᾔ' => 'ἤι',
+    'ᾕ' => 'ἥι',
+    'ᾖ' => 'ἦι',
+    'ᾗ' => 'ἧι',
+    'ᾘ' => 'ἠι',
+    'ᾙ' => 'ἡι',
+    'ᾚ' => 'ἢι',
+    'ᾛ' => 'ἣι',
+    'ᾜ' => 'ἤι',
+    'ᾝ' => 'ἥι',
+    'ᾞ' => 'ἦι',
+    'ᾟ' => 'ἧι',
+    'ᾠ' => 'ὠι',
+    'ᾡ' => 'ὡι',
+    'ᾢ' => 'ὢι',
+    'ᾣ' => 'ὣι',
+    'ᾤ' => 'ὤι',
+    'ᾥ' => 'ὥι',
+    'ᾦ' => 'ὦι',
+    'ᾧ' => 'ὧι',
+    'ᾨ' => 'ὠι',
+    'ᾩ' => 'ὡι',
+    'ᾪ' => 'ὢι',
+    'ᾫ' => 'ὣι',
+    'ᾬ' => 'ὤι',
+    'ᾭ' => 'ὥι',
+    'ᾮ' => 'ὦι',
+    'ᾯ' => 'ὧι',
+    'ᾲ' => 'ὰι',
+    'ᾳ' => 'αι',
+    'ᾴ' => 'άι',
+    'ᾶ' => 'ᾶ',
+    'ᾷ' => 'ᾶι',
+    'ᾼ' => 'αι',
+    'ῂ' => 'ὴι',
+    'ῃ' => 'ηι',
+    'ῄ' => 'ήι',
+    'ῆ' => 'ῆ',
+    'ῇ' => 'ῆι',
+    'ῌ' => 'ηι',
+    'ῒ' => 'ῒ',
+    'ῖ' => 'ῖ',
+    'ῗ' => 'ῗ',
+    'ῢ' => 'ῢ',
+    'ῤ' => 'ῤ',
+    'ῦ' => 'ῦ',
+    'ῧ' => 'ῧ',
+    'ῲ' => 'ὼι',
+    'ῳ' => 'ωι',
+    'ῴ' => 'ώι',
+    'ῶ' => 'ῶ',
+    'ῷ' => 'ῶι',
+    'ῼ' => 'ωι',
+    'ff' => 'ff',
+    'fi' => 'fi',
+    'fl' => 'fl',
+    'ffi' => 'ffi',
+    'ffl' => 'ffl',
+    'ſt' => 'st',
+    'st' => 'st',
+    'ﬓ' => 'մն',
+    'ﬔ' => 'մե',
+    'ﬕ' => 'մի',
+    'ﬖ' => 'վն',
+    'ﬗ' => 'մխ',
+];
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap.php b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap.php
index 1fedd1f7c..ecf1a0352 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap.php
@@ -132,6 +132,10 @@ if (!function_exists('mb_str_split')) {
     function mb_str_split($string, $length = 1, $encoding = null) { return p\Mbstring::mb_str_split($string, $length, $encoding); }
 }
 
+if (!function_exists('mb_str_pad')) {
+    function mb_str_pad(string $string, int $length, string $pad_string = ' ', int $pad_type = STR_PAD_RIGHT, ?string $encoding = null): string { return p\Mbstring::mb_str_pad($string, $length, $pad_string, $pad_type, $encoding); }
+}
+
 if (extension_loaded('mbstring')) {
     return;
 }
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap80.php b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap80.php
index 82f5ac4d0..2f9fb5b42 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap80.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/bootstrap80.php
@@ -128,6 +128,10 @@ if (!function_exists('mb_str_split')) {
     function mb_str_split(?string $string, ?int $length = 1, ?string $encoding = null): array { return p\Mbstring::mb_str_split((string) $string, (int) $length, $encoding); }
 }
 
+if (!function_exists('mb_str_pad')) {
+    function mb_str_pad(string $string, int $length, string $pad_string = ' ', int $pad_type = STR_PAD_RIGHT, ?string $encoding = null): string { return p\Mbstring::mb_str_pad($string, $length, $pad_string, $pad_type, $encoding); }
+}
+
 if (extension_loaded('mbstring')) {
     return;
 }
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/composer.json b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/composer.json
index 1fa21ca16..bd99d4b9d 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-mbstring/composer.json
+++ b/data/web/inc/lib/vendor/symfony/polyfill-mbstring/composer.json
@@ -30,9 +30,6 @@
     },
     "minimum-stability": "dev",
     "extra": {
-        "branch-alias": {
-            "dev-main": "1.23-dev"
-        },
         "thanks": {
             "name": "symfony/polyfill",
             "url": "https://github.com/symfony/polyfill"
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/LICENSE b/data/web/inc/lib/vendor/symfony/polyfill-php80/LICENSE
index 5593b1d84..0ed3a2465 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/LICENSE
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2020 Fabien Potencier
+Copyright (c) 2020-present Fabien Potencier
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/Php80.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/Php80.php
index 5fef51184..362dd1a95 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/Php80.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/Php80.php
@@ -100,6 +100,16 @@ final class Php80
 
     public static function str_ends_with(string $haystack, string $needle): bool
     {
-        return '' === $needle || ('' !== $haystack && 0 === substr_compare($haystack, $needle, -\strlen($needle)));
+        if ('' === $needle || $needle === $haystack) {
+            return true;
+        }
+
+        if ('' === $haystack) {
+            return false;
+        }
+
+        $needleLength = \strlen($needle);
+
+        return $needleLength <= \strlen($haystack) && 0 === substr_compare($haystack, $needle, -$needleLength);
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/PhpToken.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/PhpToken.php
new file mode 100644
index 000000000..fe6e69105
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/PhpToken.php
@@ -0,0 +1,103 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Polyfill\Php80;
+
+/**
+ * @author Fedonyuk Anton <info@ensostudio.ru>
+ *
+ * @internal
+ */
+class PhpToken implements \Stringable
+{
+    /**
+     * @var int
+     */
+    public $id;
+
+    /**
+     * @var string
+     */
+    public $text;
+
+    /**
+     * @var int
+     */
+    public $line;
+
+    /**
+     * @var int
+     */
+    public $pos;
+
+    public function __construct(int $id, string $text, int $line = -1, int $position = -1)
+    {
+        $this->id = $id;
+        $this->text = $text;
+        $this->line = $line;
+        $this->pos = $position;
+    }
+
+    public function getTokenName(): ?string
+    {
+        if ('UNKNOWN' === $name = token_name($this->id)) {
+            $name = \strlen($this->text) > 1 || \ord($this->text) < 32 ? null : $this->text;
+        }
+
+        return $name;
+    }
+
+    /**
+     * @param int|string|array $kind
+     */
+    public function is($kind): bool
+    {
+        foreach ((array) $kind as $value) {
+            if (\in_array($value, [$this->id, $this->text], true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function isIgnorable(): bool
+    {
+        return \in_array($this->id, [\T_WHITESPACE, \T_COMMENT, \T_DOC_COMMENT, \T_OPEN_TAG], true);
+    }
+
+    public function __toString(): string
+    {
+        return (string) $this->text;
+    }
+
+    /**
+     * @return static[]
+     */
+    public static function tokenize(string $code, int $flags = 0): array
+    {
+        $line = 1;
+        $position = 0;
+        $tokens = token_get_all($code, $flags);
+        foreach ($tokens as $index => $token) {
+            if (\is_string($token)) {
+                $id = \ord($token);
+                $text = $token;
+            } else {
+                [$id, $text, $line] = $token;
+            }
+            $tokens[$index] = new static($id, $text, $line, $position);
+            $position += \strlen($text);
+        }
+
+        return $tokens;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/README.md b/data/web/inc/lib/vendor/symfony/polyfill-php80/README.md
index 10b8ee49a..3816c559d 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/README.md
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/README.md
@@ -3,12 +3,13 @@ Symfony Polyfill / Php80
 
 This component provides features added to PHP 8.0 core:
 
-- `Stringable` interface
+- [`Stringable`](https://php.net/stringable) interface
 - [`fdiv`](https://php.net/fdiv)
-- `ValueError` class
-- `UnhandledMatchError` class
+- [`ValueError`](https://php.net/valueerror) class
+- [`UnhandledMatchError`](https://php.net/unhandledmatcherror) class
 - `FILTER_VALIDATE_BOOL` constant
 - [`get_debug_type`](https://php.net/get_debug_type)
+- [`PhpToken`](https://php.net/phptoken) class
 - [`preg_last_error_msg`](https://php.net/preg_last_error_msg)
 - [`str_contains`](https://php.net/str_contains)
 - [`str_starts_with`](https://php.net/str_starts_with)
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Attribute.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Attribute.php
index 7ea6d2772..2b955423f 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Attribute.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Attribute.php
@@ -1,5 +1,14 @@
 <?php
 
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 #[Attribute(Attribute::TARGET_CLASS)]
 final class Attribute
 {
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/PhpToken.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/PhpToken.php
new file mode 100644
index 000000000..bd1212f6e
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/PhpToken.php
@@ -0,0 +1,16 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+if (\PHP_VERSION_ID < 80000 && extension_loaded('tokenizer')) {
+    class PhpToken extends Symfony\Polyfill\Php80\PhpToken
+    {
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Stringable.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Stringable.php
index 77e037cb5..7c62d7508 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Stringable.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/Stringable.php
@@ -1,5 +1,14 @@
 <?php
 
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 if (\PHP_VERSION_ID < 80000) {
     interface Stringable
     {
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php
index 37937cbfa..01c6c6c8a 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php
@@ -1,5 +1,14 @@
 <?php
 
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 if (\PHP_VERSION_ID < 80000) {
     class UnhandledMatchError extends Error
     {
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/ValueError.php b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/ValueError.php
index a3a9b88b0..783dbc28c 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/ValueError.php
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/Resources/stubs/ValueError.php
@@ -1,5 +1,14 @@
 <?php
 
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 if (\PHP_VERSION_ID < 80000) {
     class ValueError extends Error
     {
diff --git a/data/web/inc/lib/vendor/symfony/polyfill-php80/composer.json b/data/web/inc/lib/vendor/symfony/polyfill-php80/composer.json
index 5fe679db3..46ccde203 100644
--- a/data/web/inc/lib/vendor/symfony/polyfill-php80/composer.json
+++ b/data/web/inc/lib/vendor/symfony/polyfill-php80/composer.json
@@ -29,9 +29,6 @@
     },
     "minimum-stability": "dev",
     "extra": {
-        "branch-alias": {
-            "dev-main": "1.23-dev"
-        },
         "thanks": {
             "name": "symfony/polyfill",
             "url": "https://github.com/symfony/polyfill"
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/.gitignore b/data/web/inc/lib/vendor/symfony/translation-contracts/.gitignore
deleted file mode 100644
index c49a5d8df..000000000
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-vendor/
-composer.lock
-phpunit.xml
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/LICENSE b/data/web/inc/lib/vendor/symfony/translation-contracts/LICENSE
index 235841453..7536caeae 100644
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/LICENSE
+++ b/data/web/inc/lib/vendor/symfony/translation-contracts/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2018-2021 Fabien Potencier
+Copyright (c) 2018-present Fabien Potencier
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/LocaleAwareInterface.php b/data/web/inc/lib/vendor/symfony/translation-contracts/LocaleAwareInterface.php
index 6923b977e..db40ba13e 100644
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/LocaleAwareInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation-contracts/LocaleAwareInterface.php
@@ -16,6 +16,8 @@ interface LocaleAwareInterface
     /**
      * Sets the current locale.
      *
+     * @return void
+     *
      * @throws \InvalidArgumentException If the locale contains invalid characters
      */
     public function setLocale(string $locale);
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/README.md b/data/web/inc/lib/vendor/symfony/translation-contracts/README.md
index 42e5c5175..b211d5849 100644
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/README.md
+++ b/data/web/inc/lib/vendor/symfony/translation-contracts/README.md
@@ -3,7 +3,7 @@ Symfony Translation Contracts
 
 A set of abstractions extracted out of the Symfony components.
 
-Can be used to build on semantics that the Symfony components proved useful - and
+Can be used to build on semantics that the Symfony components proved useful and
 that already have battle tested implementations.
 
 See https://github.com/symfony/contracts/blob/main/README.md for more information.
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/Test/TranslatorTest.php b/data/web/inc/lib/vendor/symfony/translation-contracts/Test/TranslatorTest.php
index c2c30a917..756228af5 100644
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/Test/TranslatorTest.php
+++ b/data/web/inc/lib/vendor/symfony/translation-contracts/Test/TranslatorTest.php
@@ -30,7 +30,7 @@ use Symfony\Contracts\Translation\TranslatorTrait;
  */
 class TranslatorTest extends TestCase
 {
-    private $defaultLocale;
+    private string $defaultLocale;
 
     protected function setUp(): void
     {
@@ -114,7 +114,7 @@ class TranslatorTest extends TestCase
         $this->assertEquals('en', $translator->getLocale());
     }
 
-    public function getTransTests()
+    public static function getTransTests()
     {
         return [
             ['Symfony is great!', 'Symfony is great!', []],
@@ -122,7 +122,7 @@ class TranslatorTest extends TestCase
         ];
     }
 
-    public function getTransChoiceTests()
+    public static function getTransChoiceTests()
     {
         return [
             ['There are no apples', '{0} There are no apples|{1} There is one apple|]1,Inf] There are %count% apples', 0],
@@ -137,7 +137,7 @@ class TranslatorTest extends TestCase
     }
 
     /**
-     * @dataProvider getInternal
+     * @dataProvider getInterval
      */
     public function testInterval($expected, $number, $interval)
     {
@@ -146,7 +146,7 @@ class TranslatorTest extends TestCase
         $this->assertEquals($expected, $translator->trans($interval.' foo|[1,Inf[ bar', ['%count%' => $number]));
     }
 
-    public function getInternal()
+    public static function getInterval()
     {
         return [
             ['foo', 3, '{1,2, 3 ,4}'],
@@ -183,13 +183,14 @@ class TranslatorTest extends TestCase
      */
     public function testThrowExceptionIfMatchingMessageCannotBeFound($id, $number)
     {
-        $this->expectException(\InvalidArgumentException::class);
         $translator = $this->getTranslator();
 
+        $this->expectException(\InvalidArgumentException::class);
+
         $translator->trans($id, ['%count%' => $number]);
     }
 
-    public function getNonMatchingMessages()
+    public static function getNonMatchingMessages()
     {
         return [
             ['{0} There are no apples|{1} There is one apple', 2],
@@ -199,7 +200,7 @@ class TranslatorTest extends TestCase
         ];
     }
 
-    public function getChooseTests()
+    public static function getChooseTests()
     {
         return [
             ['There are no apples', '{0} There are no apples|{1} There is one apple|]1,Inf] There are %count% apples', 0],
@@ -255,13 +256,13 @@ class TranslatorTest extends TestCase
             new-line in it. Selector = 0.|{1}This is a text with a
             new-line in it. Selector = 1.|[1,Inf]This is a text with a
             new-line in it. Selector > 1.', 5],
-            // with double-quotes and id split accros lines
+            // with double-quotes and id split across lines
             ['This is a text with a
             new-line in it. Selector = 1.', '{0}This is a text with a
             new-line in it. Selector = 0.|{1}This is a text with a
             new-line in it. Selector = 1.|[1,Inf]This is a text with a
             new-line in it. Selector > 1.', 1],
-            // with single-quotes and id split accros lines
+            // with single-quotes and id split across lines
             ['This is a text with a
             new-line in it. Selector > 1.', '{0}This is a text with a
             new-line in it. Selector = 0.|{1}This is a text with a
@@ -269,9 +270,9 @@ class TranslatorTest extends TestCase
             new-line in it. Selector > 1.', 5],
             // with single-quotes and \n in text
             ['This is a text with a\nnew-line in it. Selector = 0.', '{0}This is a text with a\nnew-line in it. Selector = 0.|{1}This is a text with a\nnew-line in it. Selector = 1.|[1,Inf]This is a text with a\nnew-line in it. Selector > 1.', 0],
-            // with double-quotes and id split accros lines
+            // with double-quotes and id split across lines
             ["This is a text with a\nnew-line in it. Selector = 1.", "{0}This is a text with a\nnew-line in it. Selector = 0.|{1}This is a text with a\nnew-line in it. Selector = 1.|[1,Inf]This is a text with a\nnew-line in it. Selector > 1.", 1],
-            // esacape pipe
+            // escape pipe
             ['This is a text with | in it. Selector = 0.', '{0}This is a text with || in it. Selector = 0.|{1}This is a text with || in it. Selector = 1.', 0],
             // Empty plural set (2 plural forms) from a .PO file
             ['', '|', 1],
@@ -315,7 +316,7 @@ class TranslatorTest extends TestCase
      *
      * As it is impossible to have this ever complete we should try as hard as possible to have it almost complete.
      */
-    public function successLangcodes(): array
+    public static function successLangcodes(): array
     {
         return [
             ['1', ['ay', 'bo', 'cgg', 'dz', 'id', 'ja', 'jbo', 'ka', 'kk', 'km', 'ko', 'ky']],
@@ -334,7 +335,7 @@ class TranslatorTest extends TestCase
      *
      * @return array with nplural together with langcodes
      */
-    public function failingLangcodes(): array
+    public static function failingLangcodes(): array
     {
         return [
             ['1', ['fa']],
@@ -356,7 +357,7 @@ class TranslatorTest extends TestCase
         foreach ($matrix as $langCode => $data) {
             $indexes = array_flip($data);
             if ($expectSuccess) {
-                $this->assertEquals($nplural, \count($indexes), "Langcode '$langCode' has '$nplural' plural forms.");
+                $this->assertCount($nplural, $indexes, "Langcode '$langCode' has '$nplural' plural forms.");
             } else {
                 $this->assertNotEquals((int) $nplural, \count($indexes), "Langcode '$langCode' has '$nplural' plural forms.");
             }
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/TranslatorTrait.php b/data/web/inc/lib/vendor/symfony/translation-contracts/TranslatorTrait.php
index 9c264bd29..e3b0adff0 100644
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/TranslatorTrait.php
+++ b/data/web/inc/lib/vendor/symfony/translation-contracts/TranslatorTrait.php
@@ -23,24 +23,18 @@ trait TranslatorTrait
     private ?string $locale = null;
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setLocale(string $locale)
     {
         $this->locale = $locale;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getLocale(): string
     {
         return $this->locale ?: (class_exists(\Locale::class) ? \Locale::getDefault() : 'en');
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function trans(?string $id, array $parameters = [], string $domain = null, string $locale = null): string
     {
         if (null === $id || '' === $id) {
@@ -140,121 +134,92 @@ EOF;
     {
         $number = abs($number);
 
-        switch ('pt_BR' !== $locale && 'en_US_POSIX' !== $locale && \strlen($locale) > 3 ? substr($locale, 0, strrpos($locale, '_')) : $locale) {
-            case 'af':
-            case 'bn':
-            case 'bg':
-            case 'ca':
-            case 'da':
-            case 'de':
-            case 'el':
-            case 'en':
-            case 'en_US_POSIX':
-            case 'eo':
-            case 'es':
-            case 'et':
-            case 'eu':
-            case 'fa':
-            case 'fi':
-            case 'fo':
-            case 'fur':
-            case 'fy':
-            case 'gl':
-            case 'gu':
-            case 'ha':
-            case 'he':
-            case 'hu':
-            case 'is':
-            case 'it':
-            case 'ku':
-            case 'lb':
-            case 'ml':
-            case 'mn':
-            case 'mr':
-            case 'nah':
-            case 'nb':
-            case 'ne':
-            case 'nl':
-            case 'nn':
-            case 'no':
-            case 'oc':
-            case 'om':
-            case 'or':
-            case 'pa':
-            case 'pap':
-            case 'ps':
-            case 'pt':
-            case 'so':
-            case 'sq':
-            case 'sv':
-            case 'sw':
-            case 'ta':
-            case 'te':
-            case 'tk':
-            case 'ur':
-            case 'zu':
-                return (1 == $number) ? 0 : 1;
-
-            case 'am':
-            case 'bh':
-            case 'fil':
-            case 'fr':
-            case 'gun':
-            case 'hi':
-            case 'hy':
-            case 'ln':
-            case 'mg':
-            case 'nso':
-            case 'pt_BR':
-            case 'ti':
-            case 'wa':
-                return ($number < 2) ? 0 : 1;
-
-            case 'be':
-            case 'bs':
-            case 'hr':
-            case 'ru':
-            case 'sh':
-            case 'sr':
-            case 'uk':
-                return ((1 == $number % 10) && (11 != $number % 100)) ? 0 : ((($number % 10 >= 2) && ($number % 10 <= 4) && (($number % 100 < 10) || ($number % 100 >= 20))) ? 1 : 2);
-
-            case 'cs':
-            case 'sk':
-                return (1 == $number) ? 0 : ((($number >= 2) && ($number <= 4)) ? 1 : 2);
-
-            case 'ga':
-                return (1 == $number) ? 0 : ((2 == $number) ? 1 : 2);
-
-            case 'lt':
-                return ((1 == $number % 10) && (11 != $number % 100)) ? 0 : ((($number % 10 >= 2) && (($number % 100 < 10) || ($number % 100 >= 20))) ? 1 : 2);
-
-            case 'sl':
-                return (1 == $number % 100) ? 0 : ((2 == $number % 100) ? 1 : (((3 == $number % 100) || (4 == $number % 100)) ? 2 : 3));
-
-            case 'mk':
-                return (1 == $number % 10) ? 0 : 1;
-
-            case 'mt':
-                return (1 == $number) ? 0 : (((0 == $number) || (($number % 100 > 1) && ($number % 100 < 11))) ? 1 : ((($number % 100 > 10) && ($number % 100 < 20)) ? 2 : 3));
-
-            case 'lv':
-                return (0 == $number) ? 0 : (((1 == $number % 10) && (11 != $number % 100)) ? 1 : 2);
-
-            case 'pl':
-                return (1 == $number) ? 0 : ((($number % 10 >= 2) && ($number % 10 <= 4) && (($number % 100 < 12) || ($number % 100 > 14))) ? 1 : 2);
-
-            case 'cy':
-                return (1 == $number) ? 0 : ((2 == $number) ? 1 : (((8 == $number) || (11 == $number)) ? 2 : 3));
-
-            case 'ro':
-                return (1 == $number) ? 0 : (((0 == $number) || (($number % 100 > 0) && ($number % 100 < 20))) ? 1 : 2);
-
-            case 'ar':
-                return (0 == $number) ? 0 : ((1 == $number) ? 1 : ((2 == $number) ? 2 : ((($number % 100 >= 3) && ($number % 100 <= 10)) ? 3 : ((($number % 100 >= 11) && ($number % 100 <= 99)) ? 4 : 5))));
-
-            default:
-                return 0;
-        }
+        return match ('pt_BR' !== $locale && 'en_US_POSIX' !== $locale && \strlen($locale) > 3 ? substr($locale, 0, strrpos($locale, '_')) : $locale) {
+            'af',
+            'bn',
+            'bg',
+            'ca',
+            'da',
+            'de',
+            'el',
+            'en',
+            'en_US_POSIX',
+            'eo',
+            'es',
+            'et',
+            'eu',
+            'fa',
+            'fi',
+            'fo',
+            'fur',
+            'fy',
+            'gl',
+            'gu',
+            'ha',
+            'he',
+            'hu',
+            'is',
+            'it',
+            'ku',
+            'lb',
+            'ml',
+            'mn',
+            'mr',
+            'nah',
+            'nb',
+            'ne',
+            'nl',
+            'nn',
+            'no',
+            'oc',
+            'om',
+            'or',
+            'pa',
+            'pap',
+            'ps',
+            'pt',
+            'so',
+            'sq',
+            'sv',
+            'sw',
+            'ta',
+            'te',
+            'tk',
+            'ur',
+            'zu' => (1 == $number) ? 0 : 1,
+            'am',
+            'bh',
+            'fil',
+            'fr',
+            'gun',
+            'hi',
+            'hy',
+            'ln',
+            'mg',
+            'nso',
+            'pt_BR',
+            'ti',
+            'wa' => ($number < 2) ? 0 : 1,
+            'be',
+            'bs',
+            'hr',
+            'ru',
+            'sh',
+            'sr',
+            'uk' => ((1 == $number % 10) && (11 != $number % 100)) ? 0 : ((($number % 10 >= 2) && ($number % 10 <= 4) && (($number % 100 < 10) || ($number % 100 >= 20))) ? 1 : 2),
+            'cs',
+            'sk' => (1 == $number) ? 0 : ((($number >= 2) && ($number <= 4)) ? 1 : 2),
+            'ga' => (1 == $number) ? 0 : ((2 == $number) ? 1 : 2),
+            'lt' => ((1 == $number % 10) && (11 != $number % 100)) ? 0 : ((($number % 10 >= 2) && (($number % 100 < 10) || ($number % 100 >= 20))) ? 1 : 2),
+            'sl' => (1 == $number % 100) ? 0 : ((2 == $number % 100) ? 1 : (((3 == $number % 100) || (4 == $number % 100)) ? 2 : 3)),
+            'mk' => (1 == $number % 10) ? 0 : 1,
+            'mt' => (1 == $number) ? 0 : (((0 == $number) || (($number % 100 > 1) && ($number % 100 < 11))) ? 1 : ((($number % 100 > 10) && ($number % 100 < 20)) ? 2 : 3)),
+            'lv' => (0 == $number) ? 0 : (((1 == $number % 10) && (11 != $number % 100)) ? 1 : 2),
+            'pl' => (1 == $number) ? 0 : ((($number % 10 >= 2) && ($number % 10 <= 4) && (($number % 100 < 12) || ($number % 100 > 14))) ? 1 : 2),
+            'cy' => (1 == $number) ? 0 : ((2 == $number) ? 1 : (((8 == $number) || (11 == $number)) ? 2 : 3)),
+            'ro' => (1 == $number) ? 0 : (((0 == $number) || (($number % 100 > 0) && ($number % 100 < 20))) ? 1 : 2),
+            'ar' => (0 == $number) ? 0 : ((1 == $number) ? 1 : ((2 == $number) ? 2 : ((($number % 100 >= 3) && ($number % 100 <= 10)) ? 3 : ((($number % 100 >= 11) && ($number % 100 <= 99)) ? 4 : 5)))),
+            default => 0,
+        };
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation-contracts/composer.json b/data/web/inc/lib/vendor/symfony/translation-contracts/composer.json
index 875242f6d..213b5cda8 100644
--- a/data/web/inc/lib/vendor/symfony/translation-contracts/composer.json
+++ b/data/web/inc/lib/vendor/symfony/translation-contracts/composer.json
@@ -16,18 +16,18 @@
         }
     ],
     "require": {
-        "php": ">=8.0.2"
-    },
-    "suggest": {
-        "symfony/translation-implementation": ""
+        "php": ">=8.1"
     },
     "autoload": {
-        "psr-4": { "Symfony\\Contracts\\Translation\\": "" }
+        "psr-4": { "Symfony\\Contracts\\Translation\\": "" },
+        "exclude-from-classmap": [
+            "/Test/"
+        ]
     },
     "minimum-stability": "dev",
     "extra": {
         "branch-alias": {
-            "dev-main": "3.0-dev"
+            "dev-main": "3.4-dev"
         },
         "thanks": {
             "name": "symfony/contracts",
diff --git a/data/web/inc/lib/vendor/symfony/translation/CHANGELOG.md b/data/web/inc/lib/vendor/symfony/translation/CHANGELOG.md
index 160b5e694..5f9098c07 100644
--- a/data/web/inc/lib/vendor/symfony/translation/CHANGELOG.md
+++ b/data/web/inc/lib/vendor/symfony/translation/CHANGELOG.md
@@ -1,6 +1,35 @@
 CHANGELOG
 =========
 
+6.4
+---
+
+ * Give current locale to `LocaleSwitcher::runWithLocale()`'s callback
+ * Add `--as-tree` option to `translation:pull` command to write YAML messages as a tree-like structure
+ * [BC BREAK] Add argument `$buildDir` to `DataCollectorTranslator::warmUp()`
+ * Add `DataCollectorTranslatorPass` and `LoggingTranslatorPass`  (moved from `FrameworkBundle`)
+ * Add `PhraseTranslationProvider`
+
+6.2.7
+-----
+
+ * [BC BREAK] The following data providers for `ProviderFactoryTestCase` are now static:
+   `supportsProvider()`, `createProvider()`, `unsupportedSchemeProvider()`and `incompleteDsnProvider()`
+ * [BC BREAK] `ProviderTestCase::toStringProvider()` is now static
+
+6.2
+---
+
+ * Deprecate `PhpStringTokenParser`
+ * Deprecate `PhpExtractor` in favor of `PhpAstExtractor`
+ * Add `PhpAstExtractor` (requires [nikic/php-parser](https://github.com/nikic/php-parser) to be installed)
+
+6.1
+---
+
+ * Parameters implementing `TranslatableInterface` are processed
+ * Add the file extension to the `XliffFileDumper` constructor
+
 5.4
 ---
 
diff --git a/data/web/inc/lib/vendor/symfony/translation/Catalogue/AbstractOperation.php b/data/web/inc/lib/vendor/symfony/translation/Catalogue/AbstractOperation.php
index 43a52fab2..7dff58ff4 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Catalogue/AbstractOperation.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Catalogue/AbstractOperation.php
@@ -34,11 +34,6 @@ abstract class AbstractOperation implements OperationInterface
     protected $target;
     protected $result;
 
-    /**
-     * @var array|null The domains affected by this operation
-     */
-    private $domains;
-
     /**
      * This array stores 'all', 'new' and 'obsolete' messages for all valid domains.
      *
@@ -62,6 +57,8 @@ abstract class AbstractOperation implements OperationInterface
      */
     protected $messages;
 
+    private array $domains;
+
     /**
      * @throws LogicException
      */
@@ -77,12 +74,9 @@ abstract class AbstractOperation implements OperationInterface
         $this->messages = [];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getDomains(): array
     {
-        if (null === $this->domains) {
+        if (!isset($this->domains)) {
             $domains = [];
             foreach ([$this->source, $this->target] as $catalogue) {
                 foreach ($catalogue->getDomains() as $domain) {
@@ -100,9 +94,6 @@ abstract class AbstractOperation implements OperationInterface
         return $this->domains;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getMessages(string $domain): array
     {
         if (!\in_array($domain, $this->getDomains())) {
@@ -116,9 +107,6 @@ abstract class AbstractOperation implements OperationInterface
         return $this->messages[$domain][self::ALL_BATCH];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getNewMessages(string $domain): array
     {
         if (!\in_array($domain, $this->getDomains())) {
@@ -132,9 +120,6 @@ abstract class AbstractOperation implements OperationInterface
         return $this->messages[$domain][self::NEW_BATCH];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getObsoleteMessages(string $domain): array
     {
         if (!\in_array($domain, $this->getDomains())) {
@@ -148,9 +133,6 @@ abstract class AbstractOperation implements OperationInterface
         return $this->messages[$domain][self::OBSOLETE_BATCH];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getResult(): MessageCatalogueInterface
     {
         foreach ($this->getDomains() as $domain) {
@@ -174,12 +156,12 @@ abstract class AbstractOperation implements OperationInterface
 
         foreach ($this->getDomains() as $domain) {
             $intlDomain = $domain.MessageCatalogueInterface::INTL_DOMAIN_SUFFIX;
-            switch ($batch) {
-                case self::OBSOLETE_BATCH: $messages = $this->getObsoleteMessages($domain); break;
-                case self::NEW_BATCH: $messages = $this->getNewMessages($domain); break;
-                case self::ALL_BATCH: $messages = $this->getMessages($domain); break;
-                default: throw new \InvalidArgumentException(sprintf('$batch argument must be one of ["%s", "%s", "%s"].', self::ALL_BATCH, self::NEW_BATCH, self::OBSOLETE_BATCH));
-            }
+            $messages = match ($batch) {
+                self::OBSOLETE_BATCH => $this->getObsoleteMessages($domain),
+                self::NEW_BATCH => $this->getNewMessages($domain),
+                self::ALL_BATCH => $this->getMessages($domain),
+                default => throw new \InvalidArgumentException(sprintf('$batch argument must be one of ["%s", "%s", "%s"].', self::ALL_BATCH, self::NEW_BATCH, self::OBSOLETE_BATCH)),
+            };
 
             if (!$messages || (!$this->source->all($intlDomain) && $this->source->all($domain))) {
                 continue;
@@ -198,6 +180,8 @@ abstract class AbstractOperation implements OperationInterface
      * stores the results.
      *
      * @param string $domain The domain which the operation will be performed for
+     *
+     * @return void
      */
     abstract protected function processDomain(string $domain);
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Catalogue/MergeOperation.php b/data/web/inc/lib/vendor/symfony/translation/Catalogue/MergeOperation.php
index 87db2fb03..1b777a843 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Catalogue/MergeOperation.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Catalogue/MergeOperation.php
@@ -25,7 +25,7 @@ use Symfony\Component\Translation\MessageCatalogueInterface;
 class MergeOperation extends AbstractOperation
 {
     /**
-     * {@inheritdoc}
+     * @return void
      */
     protected function processDomain(string $domain)
     {
@@ -36,6 +36,18 @@ class MergeOperation extends AbstractOperation
         ];
         $intlDomain = $domain.MessageCatalogueInterface::INTL_DOMAIN_SUFFIX;
 
+        foreach ($this->target->getCatalogueMetadata('', $domain) ?? [] as $key => $value) {
+            if (null === $this->result->getCatalogueMetadata($key, $domain)) {
+                $this->result->setCatalogueMetadata($key, $value, $domain);
+            }
+        }
+
+        foreach ($this->target->getCatalogueMetadata('', $intlDomain) ?? [] as $key => $value) {
+            if (null === $this->result->getCatalogueMetadata($key, $intlDomain)) {
+                $this->result->setCatalogueMetadata($key, $value, $intlDomain);
+            }
+        }
+
         foreach ($this->source->all($domain) as $id => $message) {
             $this->messages[$domain]['all'][$id] = $message;
             $d = $this->source->defines($id, $intlDomain) ? $intlDomain : $domain;
diff --git a/data/web/inc/lib/vendor/symfony/translation/Catalogue/TargetOperation.php b/data/web/inc/lib/vendor/symfony/translation/Catalogue/TargetOperation.php
index 682b5752f..2c0ec722e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Catalogue/TargetOperation.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Catalogue/TargetOperation.php
@@ -26,7 +26,7 @@ use Symfony\Component\Translation\MessageCatalogueInterface;
 class TargetOperation extends AbstractOperation
 {
     /**
-     * {@inheritdoc}
+     * @return void
      */
     protected function processDomain(string $domain)
     {
@@ -37,6 +37,18 @@ class TargetOperation extends AbstractOperation
         ];
         $intlDomain = $domain.MessageCatalogueInterface::INTL_DOMAIN_SUFFIX;
 
+        foreach ($this->target->getCatalogueMetadata('', $domain) ?? [] as $key => $value) {
+            if (null === $this->result->getCatalogueMetadata($key, $domain)) {
+                $this->result->setCatalogueMetadata($key, $value, $domain);
+            }
+        }
+
+        foreach ($this->target->getCatalogueMetadata('', $intlDomain) ?? [] as $key => $value) {
+            if (null === $this->result->getCatalogueMetadata($key, $intlDomain)) {
+                $this->result->setCatalogueMetadata($key, $value, $intlDomain);
+            }
+        }
+
         // For 'all' messages, the code can't be simplified as ``$this->messages[$domain]['all'] = $target->all($domain);``,
         // because doing so will drop messages like {x: x ∈ source ∧ x ∉ target.all ∧ x ∈ target.fallback}
         //
diff --git a/data/web/inc/lib/vendor/symfony/translation/CatalogueMetadataAwareInterface.php b/data/web/inc/lib/vendor/symfony/translation/CatalogueMetadataAwareInterface.php
new file mode 100644
index 000000000..c845959f1
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/CatalogueMetadataAwareInterface.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation;
+
+/**
+ * This interface is used to get, set, and delete metadata about the Catalogue.
+ *
+ * @author Hugo Alliaume <hugo@alliau.me>
+ */
+interface CatalogueMetadataAwareInterface
+{
+    /**
+     * Gets catalogue metadata for the given domain and key.
+     *
+     * Passing an empty domain will return an array with all catalogue metadata indexed by
+     * domain and then by key. Passing an empty key will return an array with all
+     * catalogue metadata for the given domain.
+     *
+     * @return mixed The value that was set or an array with the domains/keys or null
+     */
+    public function getCatalogueMetadata(string $key = '', string $domain = 'messages'): mixed;
+
+    /**
+     * Adds catalogue metadata to a message domain.
+     *
+     * @return void
+     */
+    public function setCatalogueMetadata(string $key, mixed $value, string $domain = 'messages');
+
+    /**
+     * Deletes catalogue metadata for the given key and domain.
+     *
+     * Passing an empty domain will delete all catalogue metadata. Passing an empty key will
+     * delete all metadata for the given domain.
+     *
+     * @return void
+     */
+    public function deleteCatalogueMetadata(string $key = '', string $domain = 'messages');
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPullCommand.php b/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPullCommand.php
index 42513a8a8..5d9c092c3 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPullCommand.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPullCommand.php
@@ -34,9 +34,9 @@ final class TranslationPullCommand extends Command
 {
     use TranslationTrait;
 
-    private $providerCollection;
-    private $writer;
-    private $reader;
+    private TranslationProviderCollection $providerCollection;
+    private TranslationWriterInterface $writer;
+    private TranslationReaderInterface $reader;
     private string $defaultLocale;
     private array $transPaths;
     private array $enabledLocales;
@@ -64,9 +64,8 @@ final class TranslationPullCommand extends Command
         if ($input->mustSuggestOptionValuesFor('domains')) {
             $provider = $this->providerCollection->get($input->getArgument('provider'));
 
-            if ($provider && method_exists($provider, 'getDomains')) {
-                $domains = $provider->getDomains();
-                $suggestions->suggestValues($domains);
+            if (method_exists($provider, 'getDomains')) {
+                $suggestions->suggestValues($provider->getDomains());
             }
 
             return;
@@ -83,10 +82,7 @@ final class TranslationPullCommand extends Command
         }
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function configure()
+    protected function configure(): void
     {
         $keys = $this->providerCollection->keys();
         $defaultProvider = 1 === \count($keys) ? $keys[0] : null;
@@ -99,6 +95,7 @@ final class TranslationPullCommand extends Command
                 new InputOption('domains', null, InputOption::VALUE_OPTIONAL | InputOption::VALUE_IS_ARRAY, 'Specify the domains to pull.'),
                 new InputOption('locales', null, InputOption::VALUE_OPTIONAL | InputOption::VALUE_IS_ARRAY, 'Specify the locales to pull.'),
                 new InputOption('format', null, InputOption::VALUE_OPTIONAL, 'Override the default output format.', 'xlf12'),
+                new InputOption('as-tree', null, InputOption::VALUE_OPTIONAL, 'Write messages as a tree-like structure. Needs --format=yaml. The given value defines the level where to switch to inline YAML'),
             ])
             ->setHelp(<<<'EOF'
 The <info>%command.name%</> command pulls translations from the given provider. Only
@@ -120,9 +117,6 @@ EOF
         ;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function execute(InputInterface $input, OutputInterface $output): int
     {
         $io = new SymfonyStyle($input, $output);
@@ -133,6 +127,7 @@ EOF
         $locales = $input->getOption('locales') ?: $this->enabledLocales;
         $domains = $input->getOption('domains');
         $format = $input->getOption('format');
+        $asTree = (int) $input->getOption('as-tree');
         $xliffVersion = '1.2';
 
         if ($intlIcu && !$force) {
@@ -141,7 +136,7 @@ EOF
 
         switch ($format) {
             case 'xlf20': $xliffVersion = '2.0';
-            // no break
+                // no break
             case 'xlf12': $format = 'xlf';
         }
 
@@ -149,6 +144,8 @@ EOF
             'path' => end($this->transPaths),
             'xliff_version' => $xliffVersion,
             'default_locale' => $this->defaultLocale,
+            'as_tree' => (bool) $asTree,
+            'inline' => $asTree,
         ];
 
         if (!$domains) {
@@ -159,7 +156,7 @@ EOF
 
         if ($force) {
             foreach ($providerTranslations->getCatalogues() as $catalogue) {
-                $operation = new TargetOperation((new MessageCatalogue($catalogue->getLocale())), $catalogue);
+                $operation = new TargetOperation(new MessageCatalogue($catalogue->getLocale()), $catalogue);
                 if ($intlIcu) {
                     $operation->moveMessagesToIntlDomainsIfPossible();
                 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPushCommand.php b/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPushCommand.php
index dba21643d..1d04adbc9 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPushCommand.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Command/TranslationPushCommand.php
@@ -21,6 +21,7 @@ use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Translation\Provider\FilteringProvider;
 use Symfony\Component\Translation\Provider\TranslationProviderCollection;
 use Symfony\Component\Translation\Reader\TranslationReaderInterface;
 use Symfony\Component\Translation\TranslatorBag;
@@ -33,8 +34,8 @@ final class TranslationPushCommand extends Command
 {
     use TranslationTrait;
 
-    private $providers;
-    private $reader;
+    private TranslationProviderCollection $providers;
+    private TranslationReaderInterface $reader;
     private array $transPaths;
     private array $enabledLocales;
 
@@ -72,10 +73,7 @@ final class TranslationPushCommand extends Command
         }
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function configure()
+    protected function configure(): void
     {
         $keys = $this->providers->keys();
         $defaultProvider = 1 === \count($keys) ? $keys[0] : null;
@@ -112,15 +110,12 @@ EOF
         ;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function execute(InputInterface $input, OutputInterface $output): int
     {
         $provider = $this->providers->get($input->getArgument('provider'));
 
         if (!$this->enabledLocales) {
-            throw new InvalidArgumentException(sprintf('You must define "framework.translator.enabled_locales" or "framework.translator.providers.%s.locales" config key in order to work with translation providers.', parse_url($provider, \PHP_URL_SCHEME)));
+            throw new InvalidArgumentException(sprintf('You must define "framework.enabled_locales" or "framework.translator.providers.%s.locales" config key in order to work with translation providers.', parse_url($provider, \PHP_URL_SCHEME)));
         }
 
         $io = new SymfonyStyle($input, $output);
@@ -129,6 +124,12 @@ EOF
         $force = $input->getOption('force');
         $deleteMissing = $input->getOption('delete-missing');
 
+        if (!$domains && $provider instanceof FilteringProvider) {
+            $domains = $provider->getDomains();
+        }
+
+        // Reading local translations must be done after retrieving the domains from the provider
+        // in order to manage only translations from configured domains
         $localTranslations = $this->readLocalTranslations($locales, $domains, $this->transPaths);
 
         if (!$domains) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Command/XliffLintCommand.php b/data/web/inc/lib/vendor/symfony/translation/Command/XliffLintCommand.php
index f062fb79f..ba946389e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Command/XliffLintCommand.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Command/XliffLintCommand.php
@@ -41,23 +41,23 @@ class XliffLintCommand extends Command
     private ?\Closure $isReadableProvider;
     private bool $requireStrictFileNames;
 
-    public function __construct(string $name = null, callable $directoryIteratorProvider = null, callable $isReadableProvider = null, bool $requireStrictFileNames = true)
+    public function __construct(?string $name = null, ?callable $directoryIteratorProvider = null, ?callable $isReadableProvider = null, bool $requireStrictFileNames = true)
     {
         parent::__construct($name);
 
-        $this->directoryIteratorProvider = null === $directoryIteratorProvider || $directoryIteratorProvider instanceof \Closure ? $directoryIteratorProvider : \Closure::fromCallable($directoryIteratorProvider);
-        $this->isReadableProvider = null === $isReadableProvider || $isReadableProvider instanceof \Closure ? $isReadableProvider : \Closure::fromCallable($isReadableProvider);
+        $this->directoryIteratorProvider = null === $directoryIteratorProvider ? null : $directoryIteratorProvider(...);
+        $this->isReadableProvider = null === $isReadableProvider ? null : $isReadableProvider(...);
         $this->requireStrictFileNames = $requireStrictFileNames;
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     protected function configure()
     {
         $this
             ->addArgument('filename', InputArgument::IS_ARRAY, 'A file, a directory or "-" for reading from STDIN')
-            ->addOption('format', null, InputOption::VALUE_REQUIRED, 'The output format')
+            ->addOption('format', null, InputOption::VALUE_REQUIRED, sprintf('The output format ("%s")', implode('", "', $this->getAvailableFormatOptions())))
             ->setHelp(<<<EOF
 The <info>%command.name%</info> command lints an XLIFF file and outputs to STDOUT
 the first encountered syntax error.
@@ -109,7 +109,7 @@ EOF
         return $this->display($io, $filesInfo);
     }
 
-    private function validate(string $content, string $file = null): array
+    private function validate(string $content, ?string $file = null): array
     {
         $errors = [];
 
@@ -154,21 +154,17 @@ EOF
         return ['file' => $file, 'valid' => 0 === \count($errors), 'messages' => $errors];
     }
 
-    private function display(SymfonyStyle $io, array $files)
+    private function display(SymfonyStyle $io, array $files): int
     {
-        switch ($this->format) {
-            case 'txt':
-                return $this->displayTxt($io, $files);
-            case 'json':
-                return $this->displayJson($io, $files);
-            case 'github':
-                return $this->displayTxt($io, $files, true);
-            default:
-                throw new InvalidArgumentException(sprintf('The format "%s" is not supported.', $this->format));
-        }
+        return match ($this->format) {
+            'txt' => $this->displayTxt($io, $files),
+            'json' => $this->displayJson($io, $files),
+            'github' => $this->displayTxt($io, $files, true),
+            default => throw new InvalidArgumentException(sprintf('Supported formats are "%s".', implode('", "', $this->getAvailableFormatOptions()))),
+        };
     }
 
-    private function displayTxt(SymfonyStyle $io, array $filesInfo, bool $errorAsGithubAnnotations = false)
+    private function displayTxt(SymfonyStyle $io, array $filesInfo, bool $errorAsGithubAnnotations = false): int
     {
         $countFiles = \count($filesInfo);
         $erroredFiles = 0;
@@ -184,9 +180,7 @@ EOF
                     // general document errors have a '-1' line number
                     $line = -1 === $error['line'] ? null : $error['line'];
 
-                    if ($githubReporter) {
-                        $githubReporter->error($error['message'], $info['file'], $line, null !== $line ? $error['column'] : null);
-                    }
+                    $githubReporter?->error($error['message'], $info['file'], $line, null !== $line ? $error['column'] : null);
 
                     return null === $line ? $error['message'] : sprintf('Line %d, Column %d: %s', $line, $error['column'], $error['message']);
                 }, $info['messages']));
@@ -202,7 +196,7 @@ EOF
         return min($erroredFiles, 1);
     }
 
-    private function displayJson(SymfonyStyle $io, array $filesInfo)
+    private function displayJson(SymfonyStyle $io, array $filesInfo): int
     {
         $errors = 0;
 
@@ -218,7 +212,10 @@ EOF
         return min($errors, 1);
     }
 
-    private function getFiles(string $fileOrDirectory)
+    /**
+     * @return iterable<\SplFileInfo>
+     */
+    private function getFiles(string $fileOrDirectory): iterable
     {
         if (is_file($fileOrDirectory)) {
             yield new \SplFileInfo($fileOrDirectory);
@@ -235,14 +232,15 @@ EOF
         }
     }
 
-    private function getDirectoryIterator(string $directory)
+    /**
+     * @return iterable<\SplFileInfo>
+     */
+    private function getDirectoryIterator(string $directory): iterable
     {
-        $default = function ($directory) {
-            return new \RecursiveIteratorIterator(
-                new \RecursiveDirectoryIterator($directory, \FilesystemIterator::SKIP_DOTS | \FilesystemIterator::FOLLOW_SYMLINKS),
-                \RecursiveIteratorIterator::LEAVES_ONLY
-            );
-        };
+        $default = fn ($directory) => new \RecursiveIteratorIterator(
+            new \RecursiveDirectoryIterator($directory, \FilesystemIterator::SKIP_DOTS | \FilesystemIterator::FOLLOW_SYMLINKS),
+            \RecursiveIteratorIterator::LEAVES_ONLY
+        );
 
         if (null !== $this->directoryIteratorProvider) {
             return ($this->directoryIteratorProvider)($directory, $default);
@@ -251,11 +249,9 @@ EOF
         return $default($directory);
     }
 
-    private function isReadable(string $fileOrDirectory)
+    private function isReadable(string $fileOrDirectory): bool
     {
-        $default = function ($fileOrDirectory) {
-            return is_readable($fileOrDirectory);
-        };
+        $default = fn ($fileOrDirectory) => is_readable($fileOrDirectory);
 
         if (null !== $this->isReadableProvider) {
             return ($this->isReadableProvider)($fileOrDirectory, $default);
@@ -278,7 +274,12 @@ EOF
     public function complete(CompletionInput $input, CompletionSuggestions $suggestions): void
     {
         if ($input->mustSuggestOptionValuesFor('format')) {
-            $suggestions->suggestValues(['txt', 'json', 'github']);
+            $suggestions->suggestValues($this->getAvailableFormatOptions());
         }
     }
+
+    private function getAvailableFormatOptions(): array
+    {
+        return ['txt', 'json', 'github'];
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/DataCollector/TranslationDataCollector.php b/data/web/inc/lib/vendor/symfony/translation/DataCollector/TranslationDataCollector.php
index 0f7901d52..d4f49cc66 100644
--- a/data/web/inc/lib/vendor/symfony/translation/DataCollector/TranslationDataCollector.php
+++ b/data/web/inc/lib/vendor/symfony/translation/DataCollector/TranslationDataCollector.php
@@ -25,17 +25,14 @@ use Symfony\Component\VarDumper\Cloner\Data;
  */
 class TranslationDataCollector extends DataCollector implements LateDataCollectorInterface
 {
-    private $translator;
+    private DataCollectorTranslator $translator;
 
     public function __construct(DataCollectorTranslator $translator)
     {
         $this->translator = $translator;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function lateCollect()
+    public function lateCollect(): void
     {
         $messages = $this->sanitizeCollectedMessages($this->translator->getCollectedMessages());
 
@@ -45,19 +42,13 @@ class TranslationDataCollector extends DataCollector implements LateDataCollecto
         $this->data = $this->cloneVar($this->data);
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function collect(Request $request, Response $response, \Throwable $exception = null)
+    public function collect(Request $request, Response $response, ?\Throwable $exception = null): void
     {
         $this->data['locale'] = $this->translator->getLocale();
         $this->data['fallback_locales'] = $this->translator->getFallbackLocales();
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function reset()
+    public function reset(): void
     {
         $this->data = [];
     }
@@ -82,7 +73,7 @@ class TranslationDataCollector extends DataCollector implements LateDataCollecto
         return $this->data[DataCollectorTranslator::MESSAGE_DEFINED] ?? 0;
     }
 
-    public function getLocale()
+    public function getLocale(): ?string
     {
         return !empty($this->data['locale']) ? $this->data['locale'] : null;
     }
@@ -90,20 +81,17 @@ class TranslationDataCollector extends DataCollector implements LateDataCollecto
     /**
      * @internal
      */
-    public function getFallbackLocales()
+    public function getFallbackLocales(): Data|array
     {
         return (isset($this->data['fallback_locales']) && \count($this->data['fallback_locales']) > 0) ? $this->data['fallback_locales'] : [];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getName(): string
     {
         return 'translation';
     }
 
-    private function sanitizeCollectedMessages(array $messages)
+    private function sanitizeCollectedMessages(array $messages): array
     {
         $result = [];
         foreach ($messages as $key => $message) {
@@ -128,7 +116,7 @@ class TranslationDataCollector extends DataCollector implements LateDataCollecto
         return $result;
     }
 
-    private function computeCount(array $messages)
+    private function computeCount(array $messages): array
     {
         $count = [
             DataCollectorTranslator::MESSAGE_DEFINED => 0,
@@ -143,7 +131,7 @@ class TranslationDataCollector extends DataCollector implements LateDataCollecto
         return $count;
     }
 
-    private function sanitizeString(string $string, int $length = 80)
+    private function sanitizeString(string $string, int $length = 80): string
     {
         $string = trim(preg_replace('/\s+/', ' ', $string));
 
diff --git a/data/web/inc/lib/vendor/symfony/translation/DataCollectorTranslator.php b/data/web/inc/lib/vendor/symfony/translation/DataCollectorTranslator.php
index 2a08b0960..a2832ee8e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/DataCollectorTranslator.php
+++ b/data/web/inc/lib/vendor/symfony/translation/DataCollectorTranslator.php
@@ -25,7 +25,7 @@ class DataCollectorTranslator implements TranslatorInterface, TranslatorBagInter
     public const MESSAGE_MISSING = 1;
     public const MESSAGE_EQUALS_FALLBACK = 2;
 
-    private $translator;
+    private TranslatorInterface $translator;
     private array $messages = [];
 
     /**
@@ -40,10 +40,7 @@ class DataCollectorTranslator implements TranslatorInterface, TranslatorBagInter
         $this->translator = $translator;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function trans(?string $id, array $parameters = [], string $domain = null, string $locale = null): string
+    public function trans(?string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
     {
         $trans = $this->translator->trans($id = (string) $id, $parameters, $domain, $locale);
         $this->collectMessage($locale, $domain, $id, $trans, $parameters);
@@ -52,46 +49,32 @@ class DataCollectorTranslator implements TranslatorInterface, TranslatorBagInter
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setLocale(string $locale)
     {
         $this->translator->setLocale($locale);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getLocale(): string
     {
         return $this->translator->getLocale();
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getCatalogue(string $locale = null): MessageCatalogueInterface
+    public function getCatalogue(?string $locale = null): MessageCatalogueInterface
     {
         return $this->translator->getCatalogue($locale);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getCatalogues(): array
     {
         return $this->translator->getCatalogues();
     }
 
-    /**
-     * {@inheritdoc}
-     *
-     * @return string[]
-     */
-    public function warmUp(string $cacheDir): array
+    public function warmUp(string $cacheDir, ?string $buildDir = null): array
     {
         if ($this->translator instanceof WarmableInterface) {
-            return (array) $this->translator->warmUp($cacheDir);
+            return (array) $this->translator->warmUp($cacheDir, $buildDir);
         }
 
         return [];
@@ -110,7 +93,7 @@ class DataCollectorTranslator implements TranslatorInterface, TranslatorBagInter
     }
 
     /**
-     * Passes through all unknown calls onto the translator object.
+     * @return mixed
      */
     public function __call(string $method, array $args)
     {
@@ -122,11 +105,9 @@ class DataCollectorTranslator implements TranslatorInterface, TranslatorBagInter
         return $this->messages;
     }
 
-    private function collectMessage(?string $locale, ?string $domain, string $id, string $translation, ?array $parameters = [])
+    private function collectMessage(?string $locale, ?string $domain, string $id, string $translation, ?array $parameters = []): void
     {
-        if (null === $domain) {
-            $domain = 'messages';
-        }
+        $domain ??= 'messages';
 
         $catalogue = $this->translator->getCatalogue($locale);
         $locale = $catalogue->getLocale();
diff --git a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/DataCollectorTranslatorPass.php b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/DataCollectorTranslatorPass.php
new file mode 100644
index 000000000..cdf63be4b
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/DataCollectorTranslatorPass.php
@@ -0,0 +1,36 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\DependencyInjection;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\Translation\TranslatorBagInterface;
+
+/**
+ * @author Christian Flothmann <christian.flothmann@sensiolabs.de>
+ */
+class DataCollectorTranslatorPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        if (!$container->has('translator')) {
+            return;
+        }
+
+        $translatorClass = $container->getParameterBag()->resolveValue($container->findDefinition('translator')->getClass());
+
+        if (!is_subclass_of($translatorClass, TranslatorBagInterface::class)) {
+            $container->removeDefinition('translator.data_collector');
+            $container->removeDefinition('data_collector.translation');
+        }
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/LoggingTranslatorPass.php b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/LoggingTranslatorPass.php
new file mode 100644
index 000000000..c21552f97
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/LoggingTranslatorPass.php
@@ -0,0 +1,59 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\DependencyInjection;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Exception\InvalidArgumentException;
+use Symfony\Component\Translation\TranslatorBagInterface;
+use Symfony\Contracts\Translation\TranslatorInterface;
+
+/**
+ * @author Abdellatif Ait boudad <a.aitboudad@gmail.com>
+ */
+class LoggingTranslatorPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        if (!$container->hasAlias('logger') || !$container->hasAlias('translator')) {
+            return;
+        }
+
+        if (!$container->hasParameter('translator.logging') || !$container->getParameter('translator.logging')) {
+            return;
+        }
+
+        $translatorAlias = $container->getAlias('translator');
+        $definition = $container->getDefinition((string) $translatorAlias);
+        $class = $container->getParameterBag()->resolveValue($definition->getClass());
+
+        if (!$r = $container->getReflectionClass($class)) {
+            throw new InvalidArgumentException(sprintf('Class "%s" used for service "%s" cannot be found.', $class, $translatorAlias));
+        }
+
+        if (!$r->isSubclassOf(TranslatorInterface::class) || !$r->isSubclassOf(TranslatorBagInterface::class)) {
+            return;
+        }
+
+        $container->getDefinition('translator.logging')->setDecoratedService('translator');
+        $warmer = $container->getDefinition('translation.warmer');
+        $subscriberAttributes = $warmer->getTag('container.service_subscriber');
+        $warmer->clearTag('container.service_subscriber');
+
+        foreach ($subscriberAttributes as $k => $v) {
+            if ((!isset($v['id']) || 'translator' !== $v['id']) && (!isset($v['key']) || 'translator' !== $v['key'])) {
+                $warmer->addTag('container.service_subscriber', $v);
+            }
+        }
+        $warmer->addTag('container.service_subscriber', ['key' => 'translator', 'id' => 'translator.logging.inner']);
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationDumperPass.php b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationDumperPass.php
index 4020a0788..2ece6ac7b 100644
--- a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationDumperPass.php
+++ b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationDumperPass.php
@@ -20,6 +20,9 @@ use Symfony\Component\DependencyInjection\Reference;
  */
 class TranslationDumperPass implements CompilerPassInterface
 {
+    /**
+     * @return void
+     */
     public function process(ContainerBuilder $container)
     {
         if (!$container->hasDefinition('translation.writer')) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationExtractorPass.php b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationExtractorPass.php
index ee7c47ae4..1baf9341e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationExtractorPass.php
+++ b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslationExtractorPass.php
@@ -21,6 +21,9 @@ use Symfony\Component\DependencyInjection\Reference;
  */
 class TranslationExtractorPass implements CompilerPassInterface
 {
+    /**
+     * @return void
+     */
     public function process(ContainerBuilder $container)
     {
         if (!$container->hasDefinition('translation.extractor')) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPass.php b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPass.php
index be79cdaf0..dd6ea3c83 100644
--- a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPass.php
+++ b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPass.php
@@ -18,6 +18,9 @@ use Symfony\Component\DependencyInjection\Reference;
 
 class TranslatorPass implements CompilerPassInterface
 {
+    /**
+     * @return void
+     */
     public function process(ContainerBuilder $container)
     {
         if (!$container->hasDefinition('translator.default')) {
@@ -49,6 +52,23 @@ class TranslatorPass implements CompilerPassInterface
             ->replaceArgument(3, $loaders)
         ;
 
+        if ($container->hasDefinition('validator') && $container->hasDefinition('translation.extractor.visitor.constraint')) {
+            $constraintVisitorDefinition = $container->getDefinition('translation.extractor.visitor.constraint');
+            $constraintClassNames = [];
+
+            foreach ($container->getDefinitions() as $definition) {
+                if (!$definition->hasTag('validator.constraint_validator')) {
+                    continue;
+                }
+                // Resolve constraint validator FQCN even if defined as %foo.validator.class% parameter
+                $className = $container->getParameterBag()->resolveValue($definition->getClass());
+                // Extraction of the constraint class name from the Constraint Validator FQCN
+                $constraintClassNames[] = str_replace('Validator', '', substr(strrchr($className, '\\'), 1));
+            }
+
+            $constraintVisitorDefinition->setArgument(0, $constraintClassNames);
+        }
+
         if (!$container->hasParameter('twig.default_path')) {
             return;
         }
diff --git a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPathsPass.php b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPathsPass.php
index b85c06621..1756e3c8c 100644
--- a/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPathsPass.php
+++ b/data/web/inc/lib/vendor/symfony/translation/DependencyInjection/TranslatorPathsPass.php
@@ -16,12 +16,15 @@ use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\DependencyInjection\ServiceLocator;
+use Symfony\Component\HttpKernel\Controller\ArgumentResolver\TraceableValueResolver;
 
 /**
  * @author Yonel Ceruto <yonelceruto@gmail.com>
  */
 class TranslatorPathsPass extends AbstractRecursivePass
 {
+    protected bool $skipScalars = true;
+
     private int $level = 0;
 
     /**
@@ -39,6 +42,9 @@ class TranslatorPathsPass extends AbstractRecursivePass
      */
     private array $controllers = [];
 
+    /**
+     * @return void
+     */
     public function process(ContainerBuilder $container)
     {
         if (!$container->hasDefinition('translator')) {
@@ -120,28 +126,20 @@ class TranslatorPathsPass extends AbstractRecursivePass
 
     private function findControllerArguments(ContainerBuilder $container): array
     {
-        if ($container->hasDefinition('argument_resolver.service')) {
-            $argument = $container->getDefinition('argument_resolver.service')->getArgument(0);
-            if ($argument instanceof Reference) {
-                $argument = $container->getDefinition($argument);
-            }
+        if (!$container->has('argument_resolver.service')) {
+            return [];
+        }
+        $resolverDef = $container->findDefinition('argument_resolver.service');
 
-            return $argument->getArgument(0);
+        if (TraceableValueResolver::class === $resolverDef->getClass()) {
+            $resolverDef = $container->getDefinition($resolverDef->getArgument(0));
         }
 
-        if ($container->hasDefinition('debug.'.'argument_resolver.service')) {
-            $argument = $container->getDefinition('debug.'.'argument_resolver.service')->getArgument(0);
-            if ($argument instanceof Reference) {
-                $argument = $container->getDefinition($argument);
-            }
-            $argument = $argument->getArgument(0);
-            if ($argument instanceof Reference) {
-                $argument = $container->getDefinition($argument);
-            }
-
-            return $argument->getArgument(0);
+        $argument = $resolverDef->getArgument(0);
+        if ($argument instanceof Reference) {
+            $argument = $container->getDefinition($argument);
         }
 
-        return [];
+        return $argument->getArgument(0);
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/CsvFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/CsvFileDumper.php
index 0bd3f5e0f..8f5475259 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/CsvFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/CsvFileDumper.php
@@ -23,9 +23,6 @@ class CsvFileDumper extends FileDumper
     private string $delimiter = ';';
     private string $enclosure = '"';
 
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $handle = fopen('php://memory', 'r+');
@@ -43,6 +40,8 @@ class CsvFileDumper extends FileDumper
 
     /**
      * Sets the delimiter and escape character for CSV.
+     *
+     * @return void
      */
     public function setCsvControl(string $delimiter = ';', string $enclosure = '"')
     {
@@ -50,9 +49,6 @@ class CsvFileDumper extends FileDumper
         $this->enclosure = $enclosure;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'csv';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/DumperInterface.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/DumperInterface.php
index 7cdaef515..6bf42931e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/DumperInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/DumperInterface.php
@@ -25,6 +25,8 @@ interface DumperInterface
      * Dumps the message catalogue.
      *
      * @param array $options Options that are used by the dumper
+     *
+     * @return void
      */
     public function dump(MessageCatalogue $messages, array $options = []);
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/FileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/FileDumper.php
index 6bad4ff32..e30d4770e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/FileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/FileDumper.php
@@ -35,7 +35,7 @@ abstract class FileDumper implements DumperInterface
     /**
      * Sets the template for the relative paths to files.
      *
-     * @param string $relativePathTemplate A template for the relative paths to files
+     * @return void
      */
     public function setRelativePathTemplate(string $relativePathTemplate)
     {
@@ -43,7 +43,7 @@ abstract class FileDumper implements DumperInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function dump(MessageCatalogue $messages, array $options = [])
     {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/IcuResFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/IcuResFileDumper.php
index b62ea1536..72c1ec089 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/IcuResFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/IcuResFileDumper.php
@@ -20,14 +20,8 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class IcuResFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     protected $relativePathTemplate = '%domain%/%locale%.%extension%';
 
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $data = $indexes = $resources = '';
@@ -47,7 +41,7 @@ class IcuResFileDumper extends FileDumper
             $data .= pack('V', \strlen($target))
                 .mb_convert_encoding($target."\0", 'UTF-16LE', 'UTF-8')
                 .$this->writePadding($data)
-                  ;
+            ;
         }
 
         $resOffset = $this->getPosition($data);
@@ -56,7 +50,7 @@ class IcuResFileDumper extends FileDumper
             .$indexes
             .$this->writePadding($data)
             .$resources
-              ;
+        ;
 
         $bundleTop = $this->getPosition($data);
 
@@ -89,14 +83,11 @@ class IcuResFileDumper extends FileDumper
         return $padding ? str_repeat("\xAA", 4 - $padding) : null;
     }
 
-    private function getPosition(string $data)
+    private function getPosition(string $data): float|int
     {
         return (\strlen($data) + 28) / 4;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'res';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/IniFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/IniFileDumper.php
index 75032be14..6cbdef606 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/IniFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/IniFileDumper.php
@@ -20,9 +20,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class IniFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $output = '';
@@ -35,9 +32,6 @@ class IniFileDumper extends FileDumper
         return $output;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'ini';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/JsonFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/JsonFileDumper.php
index 11027303a..e5035397f 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/JsonFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/JsonFileDumper.php
@@ -20,9 +20,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class JsonFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $flags = $options['json_encoding'] ?? \JSON_PRETTY_PRINT;
@@ -30,9 +27,6 @@ class JsonFileDumper extends FileDumper
         return json_encode($messages->all($domain), $flags);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'json';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/MoFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/MoFileDumper.php
index 08c8f8997..9ded5f4ef 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/MoFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/MoFileDumper.php
@@ -21,9 +21,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class MoFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $sources = $targets = $sourceOffsets = $targetOffsets = '';
@@ -57,19 +54,16 @@ class MoFileDumper extends FileDumper
                           .$this->writeLong($offset[2] + $sourcesStart + $sourcesSize);
         }
 
-        $output = implode('', array_map([$this, 'writeLong'], $header))
+        $output = implode('', array_map($this->writeLong(...), $header))
                .$sourceOffsets
                .$targetOffsets
                .$sources
                .$targets
-                ;
+        ;
 
         return $output;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'mo';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/PhpFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/PhpFileDumper.php
index 565d89375..51e90665d 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/PhpFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/PhpFileDumper.php
@@ -20,17 +20,11 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class PhpFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         return "<?php\n\nreturn ".var_export($messages->all($domain), true).";\n";
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'php';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/PoFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/PoFileDumper.php
index 313e50458..a2d0deb78 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/PoFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/PoFileDumper.php
@@ -20,9 +20,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class PoFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $output = 'msgid ""'."\n";
@@ -68,7 +65,7 @@ class PoFileDumper extends FileDumper
         return $output;
     }
 
-    private function getStandardRules(string $id)
+    private function getStandardRules(string $id): array
     {
         // Partly copied from TranslatorTrait::trans.
         $parts = [];
@@ -111,9 +108,6 @@ EOF;
         return $standardRules;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'po';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/QtFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/QtFileDumper.php
index 819409fc0..0373e9c10 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/QtFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/QtFileDumper.php
@@ -20,9 +20,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class QtFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $dom = new \DOMDocument('1.0', 'utf-8');
@@ -51,9 +48,6 @@ class QtFileDumper extends FileDumper
         return $dom->saveXML();
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return 'ts';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/XliffFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/XliffFileDumper.php
index b8a109a41..d0f016b23 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/XliffFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/XliffFileDumper.php
@@ -21,9 +21,11 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class XliffFileDumper extends FileDumper
 {
-    /**
-     * {@inheritdoc}
-     */
+    public function __construct(
+        private string $extension = 'xlf',
+    ) {
+    }
+
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         $xliffVersion = '1.2';
@@ -47,15 +49,12 @@ class XliffFileDumper extends FileDumper
         throw new InvalidArgumentException(sprintf('No support implemented for dumping XLIFF version "%s".', $xliffVersion));
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
-        return 'xlf';
+        return $this->extension;
     }
 
-    private function dumpXliff1(string $defaultLocale, MessageCatalogue $messages, ?string $domain, array $options = [])
+    private function dumpXliff1(string $defaultLocale, MessageCatalogue $messages, ?string $domain, array $options = []): string
     {
         $toolInfo = ['tool-id' => 'symfony', 'tool-name' => 'Symfony'];
         if (\array_key_exists('tool_info', $options)) {
@@ -81,6 +80,15 @@ class XliffFileDumper extends FileDumper
             $xliffTool->setAttribute($id, $value);
         }
 
+        if ($catalogueMetadata = $messages->getCatalogueMetadata('', $domain) ?? []) {
+            $xliffPropGroup = $xliffHead->appendChild($dom->createElement('prop-group'));
+            foreach ($catalogueMetadata as $key => $value) {
+                $xliffProp = $xliffPropGroup->appendChild($dom->createElement('prop'));
+                $xliffProp->setAttribute('prop-type', $key);
+                $xliffProp->appendChild($dom->createTextNode($value));
+            }
+        }
+
         $xliffBody = $xliffFile->appendChild($dom->createElement('body'));
         foreach ($messages->all($domain) as $source => $target) {
             $translation = $dom->createElement('trans-unit');
@@ -129,7 +137,7 @@ class XliffFileDumper extends FileDumper
         return $dom->saveXML();
     }
 
-    private function dumpXliff2(string $defaultLocale, MessageCatalogue $messages, ?string $domain)
+    private function dumpXliff2(string $defaultLocale, MessageCatalogue $messages, ?string $domain): string
     {
         $dom = new \DOMDocument('1.0', 'utf-8');
         $dom->formatOutput = true;
@@ -147,6 +155,16 @@ class XliffFileDumper extends FileDumper
             $xliffFile->setAttribute('id', $domain.'.'.$messages->getLocale());
         }
 
+        if ($catalogueMetadata = $messages->getCatalogueMetadata('', $domain) ?? []) {
+            $xliff->setAttribute('xmlns:m', 'urn:oasis:names:tc:xliff:metadata:2.0');
+            $xliffMetadata = $xliffFile->appendChild($dom->createElement('m:metadata'));
+            foreach ($catalogueMetadata as $key => $value) {
+                $xliffMeta = $xliffMetadata->appendChild($dom->createElement('prop'));
+                $xliffMeta->setAttribute('type', $key);
+                $xliffMeta->appendChild($dom->createTextNode($value));
+            }
+        }
+
         foreach ($messages->all($domain) as $source => $target) {
             $translation = $dom->createElement('unit');
             $translation->setAttribute('id', strtr(substr(base64_encode(hash('sha256', $source, true)), 0, 7), '/+', '._'));
@@ -196,7 +214,7 @@ class XliffFileDumper extends FileDumper
         return $dom->saveXML();
     }
 
-    private function hasMetadataArrayInfo(string $key, array $metadata = null): bool
+    private function hasMetadataArrayInfo(string $key, ?array $metadata = null): bool
     {
         return is_iterable($metadata[$key] ?? null);
     }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Dumper/YamlFileDumper.php b/data/web/inc/lib/vendor/symfony/translation/Dumper/YamlFileDumper.php
index d0cfbefaa..d2670331e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Dumper/YamlFileDumper.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Dumper/YamlFileDumper.php
@@ -30,9 +30,6 @@ class YamlFileDumper extends FileDumper
         $this->extension = $extension;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function formatCatalogue(MessageCatalogue $messages, string $domain, array $options = []): string
     {
         if (!class_exists(Yaml::class)) {
@@ -52,9 +49,6 @@ class YamlFileDumper extends FileDumper
         return Yaml::dump($data);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function getExtension(): string
     {
         return $this->extension;
diff --git a/data/web/inc/lib/vendor/symfony/translation/Exception/IncompleteDsnException.php b/data/web/inc/lib/vendor/symfony/translation/Exception/IncompleteDsnException.php
index cb0ce027e..b304bde01 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Exception/IncompleteDsnException.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Exception/IncompleteDsnException.php
@@ -13,7 +13,7 @@ namespace Symfony\Component\Translation\Exception;
 
 class IncompleteDsnException extends InvalidArgumentException
 {
-    public function __construct(string $message, string $dsn = null, \Throwable $previous = null)
+    public function __construct(string $message, ?string $dsn = null, ?\Throwable $previous = null)
     {
         if ($dsn) {
             $message = sprintf('Invalid "%s" provider DSN: ', $dsn).$message;
diff --git a/data/web/inc/lib/vendor/symfony/translation/Exception/MissingRequiredOptionException.php b/data/web/inc/lib/vendor/symfony/translation/Exception/MissingRequiredOptionException.php
index 2b5f80806..46152e254 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Exception/MissingRequiredOptionException.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Exception/MissingRequiredOptionException.php
@@ -16,7 +16,7 @@ namespace Symfony\Component\Translation\Exception;
  */
 class MissingRequiredOptionException extends IncompleteDsnException
 {
-    public function __construct(string $option, string $dsn = null, \Throwable $previous = null)
+    public function __construct(string $option, ?string $dsn = null, ?\Throwable $previous = null)
     {
         $message = sprintf('The option "%s" is required but missing.', $option);
 
diff --git a/data/web/inc/lib/vendor/symfony/translation/Exception/ProviderException.php b/data/web/inc/lib/vendor/symfony/translation/Exception/ProviderException.php
index 331ff7586..f2981f58b 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Exception/ProviderException.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Exception/ProviderException.php
@@ -18,10 +18,10 @@ use Symfony\Contracts\HttpClient\ResponseInterface;
  */
 class ProviderException extends RuntimeException implements ProviderExceptionInterface
 {
-    private $response;
+    private ResponseInterface $response;
     private string $debug;
 
-    public function __construct(string $message, ResponseInterface $response, int $code = 0, \Exception $previous = null)
+    public function __construct(string $message, ResponseInterface $response, int $code = 0, ?\Exception $previous = null)
     {
         $this->response = $response;
         $this->debug = $response->getInfo('debug') ?? '';
diff --git a/data/web/inc/lib/vendor/symfony/translation/Exception/UnsupportedSchemeException.php b/data/web/inc/lib/vendor/symfony/translation/Exception/UnsupportedSchemeException.php
index 7fbaa8f04..8d3295184 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Exception/UnsupportedSchemeException.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Exception/UnsupportedSchemeException.php
@@ -29,9 +29,13 @@ class UnsupportedSchemeException extends LogicException
             'class' => Bridge\Lokalise\LokaliseProviderFactory::class,
             'package' => 'symfony/lokalise-translation-provider',
         ],
+        'phrase' => [
+            'class' => Bridge\Phrase\PhraseProviderFactory::class,
+            'package' => 'symfony/phrase-translation-provider',
+        ],
     ];
 
-    public function __construct(Dsn $dsn, string $name = null, array $supported = [])
+    public function __construct(Dsn $dsn, ?string $name = null, array $supported = [])
     {
         $provider = $dsn->getScheme();
         if (false !== $pos = strpos($provider, '+')) {
@@ -39,7 +43,7 @@ class UnsupportedSchemeException extends LogicException
         }
         $package = self::SCHEME_TO_PACKAGE_MAP[$provider] ?? null;
         if ($package && !class_exists($package['class'])) {
-            parent::__construct(sprintf('Unable to synchronize translations via "%s" as the provider is not installed; try running "composer require %s".', $provider, $package['package']));
+            parent::__construct(sprintf('Unable to synchronize translations via "%s" as the provider is not installed. Try running "composer require %s".', $provider, $package['package']));
 
             return;
         }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/ChainExtractor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/ChainExtractor.php
index e58e82f05..d36f7f385 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Extractor/ChainExtractor.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/ChainExtractor.php
@@ -29,6 +29,8 @@ class ChainExtractor implements ExtractorInterface
 
     /**
      * Adds a loader to the translation extractor.
+     *
+     * @return void
      */
     public function addExtractor(string $format, ExtractorInterface $extractor)
     {
@@ -36,7 +38,7 @@ class ChainExtractor implements ExtractorInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setPrefix(string $prefix)
     {
@@ -46,7 +48,7 @@ class ChainExtractor implements ExtractorInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function extract(string|iterable $directory, MessageCatalogue $catalogue)
     {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/ExtractorInterface.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/ExtractorInterface.php
index b76a7f20b..642130af7 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Extractor/ExtractorInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/ExtractorInterface.php
@@ -25,11 +25,15 @@ interface ExtractorInterface
      * Extracts translation messages from files, a file or a directory to the catalogue.
      *
      * @param string|iterable<string> $resource Files, a file or a directory
+     *
+     * @return void
      */
     public function extract(string|iterable $resource, MessageCatalogue $catalogue);
 
     /**
      * Sets the prefix that should be used for new found messages.
+     *
+     * @return void
      */
     public function setPrefix(string $prefix);
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpAstExtractor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpAstExtractor.php
new file mode 100644
index 000000000..06fc77de3
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpAstExtractor.php
@@ -0,0 +1,85 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\Extractor;
+
+use PhpParser\NodeTraverser;
+use PhpParser\NodeVisitor;
+use PhpParser\Parser;
+use PhpParser\ParserFactory;
+use Symfony\Component\Finder\Finder;
+use Symfony\Component\Translation\Extractor\Visitor\AbstractVisitor;
+use Symfony\Component\Translation\MessageCatalogue;
+
+/**
+ * PhpAstExtractor extracts translation messages from a PHP AST.
+ *
+ * @author Mathieu Santostefano <msantostefano@protonmail.com>
+ */
+final class PhpAstExtractor extends AbstractFileExtractor implements ExtractorInterface
+{
+    private Parser $parser;
+
+    public function __construct(
+        /**
+         * @param iterable<AbstractVisitor&NodeVisitor> $visitors
+         */
+        private readonly iterable $visitors,
+        private string $prefix = '',
+    ) {
+        if (!class_exists(ParserFactory::class)) {
+            throw new \LogicException(sprintf('You cannot use "%s" as the "nikic/php-parser" package is not installed. Try running "composer require nikic/php-parser".', static::class));
+        }
+
+        $this->parser = (new ParserFactory())->createForHostVersion();
+    }
+
+    public function extract(iterable|string $resource, MessageCatalogue $catalogue): void
+    {
+        foreach ($this->extractFiles($resource) as $file) {
+            $traverser = new NodeTraverser();
+
+            // This is needed to resolve namespaces in class methods/constants.
+            $nameResolver = new NodeVisitor\NameResolver();
+            $traverser->addVisitor($nameResolver);
+
+            /** @var AbstractVisitor&NodeVisitor $visitor */
+            foreach ($this->visitors as $visitor) {
+                $visitor->initialize($catalogue, $file, $this->prefix);
+                $traverser->addVisitor($visitor);
+            }
+
+            $nodes = $this->parser->parse(file_get_contents($file));
+            $traverser->traverse($nodes);
+        }
+    }
+
+    public function setPrefix(string $prefix): void
+    {
+        $this->prefix = $prefix;
+    }
+
+    protected function canBeExtracted(string $file): bool
+    {
+        return 'php' === pathinfo($file, \PATHINFO_EXTENSION)
+            && $this->isFile($file)
+            && preg_match('/\bt\(|->trans\(|TranslatableMessage|Symfony\\\\Component\\\\Validator\\\\Constraints/i', file_get_contents($file));
+    }
+
+    protected function extractFromDirectory(array|string $resource): iterable|Finder
+    {
+        if (!class_exists(Finder::class)) {
+            throw new \LogicException(sprintf('You cannot use "%s" as the "symfony/finder" package is not installed. Try running "composer require symfony/finder".', static::class));
+        }
+
+        return (new Finder())->files()->name('*.php')->in($resource);
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpExtractor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpExtractor.php
index 1b86cc591..7ff27f7c8 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpExtractor.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpExtractor.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Translation\Extractor;
 
+trigger_deprecation('symfony/translation', '6.2', '"%s" is deprecated, use "%s" instead.', PhpExtractor::class, PhpAstExtractor::class);
+
 use Symfony\Component\Finder\Finder;
 use Symfony\Component\Translation\MessageCatalogue;
 
@@ -18,6 +20,8 @@ use Symfony\Component\Translation\MessageCatalogue;
  * PhpExtractor extracts translation messages from a PHP template.
  *
  * @author Michel Salib <michelsalib@hotmail.com>
+ *
+ * @deprecated since Symfony 6.2, use the PhpAstExtractor instead
  */
 class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
 {
@@ -129,7 +133,7 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
     ];
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function extract(string|iterable $resource, MessageCatalogue $catalog)
     {
@@ -142,7 +146,7 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setPrefix(string $prefix)
     {
@@ -164,7 +168,7 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
     /**
      * Seeks to a non-whitespace token.
      */
-    private function seekToNextRelevantToken(\Iterator $tokenIterator)
+    private function seekToNextRelevantToken(\Iterator $tokenIterator): void
     {
         for (; $tokenIterator->valid(); $tokenIterator->next()) {
             $t = $tokenIterator->current();
@@ -174,7 +178,7 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
         }
     }
 
-    private function skipMethodArgument(\Iterator $tokenIterator)
+    private function skipMethodArgument(\Iterator $tokenIterator): void
     {
         $openBraces = 0;
 
@@ -199,7 +203,7 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
      * Extracts the message from the iterator while the tokens
      * match allowed message tokens.
      */
-    private function getValue(\Iterator $tokenIterator)
+    private function getValue(\Iterator $tokenIterator): string
     {
         $message = '';
         $docToken = '';
@@ -257,6 +261,8 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
 
     /**
      * Extracts trans message from PHP tokens.
+     *
+     * @return void
      */
     protected function parseTokens(array $tokens, MessageCatalogue $catalog, string $filename)
     {
@@ -314,9 +320,6 @@ class PhpExtractor extends AbstractFileExtractor implements ExtractorInterface
         return $this->isFile($file) && 'php' === pathinfo($file, \PATHINFO_EXTENSION);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function extractFromDirectory(string|array $directory): iterable
     {
         if (!class_exists(Finder::class)) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpStringTokenParser.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpStringTokenParser.php
index 7fbd37c68..2dfc1e387 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpStringTokenParser.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/PhpStringTokenParser.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Translation\Extractor;
 
+trigger_deprecation('symfony/translation', '6.2', '"%s" is deprecated.', PhpStringTokenParser::class);
+
 /*
  * The following is derived from code at http://github.com/nikic/PHP-Parser
  *
@@ -47,6 +49,9 @@ namespace Symfony\Component\Translation\Extractor;
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+/**
+ * @deprecated since Symfony 6.2
+ */
 class PhpStringTokenParser
 {
     protected static $replacements = [
@@ -89,7 +94,7 @@ class PhpStringTokenParser
      * @param string      $str   String without quotes
      * @param string|null $quote Quote type
      */
-    public static function parseEscapeSequences(string $str, string $quote = null): string
+    public static function parseEscapeSequences(string $str, ?string $quote = null): string
     {
         if (null !== $quote) {
             $str = str_replace('\\'.$quote, $quote, $str);
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/AbstractVisitor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/AbstractVisitor.php
new file mode 100644
index 000000000..c33689616
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/AbstractVisitor.php
@@ -0,0 +1,135 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\Extractor\Visitor;
+
+use PhpParser\Node;
+use Symfony\Component\Translation\MessageCatalogue;
+
+/**
+ * @author Mathieu Santostefano <msantostefano@protonmail.com>
+ */
+abstract class AbstractVisitor
+{
+    private MessageCatalogue $catalogue;
+    private \SplFileInfo $file;
+    private string $messagePrefix;
+
+    public function initialize(MessageCatalogue $catalogue, \SplFileInfo $file, string $messagePrefix): void
+    {
+        $this->catalogue = $catalogue;
+        $this->file = $file;
+        $this->messagePrefix = $messagePrefix;
+    }
+
+    protected function addMessageToCatalogue(string $message, ?string $domain, int $line): void
+    {
+        $domain ??= 'messages';
+        $this->catalogue->set($message, $this->messagePrefix.$message, $domain);
+        $metadata = $this->catalogue->getMetadata($message, $domain) ?? [];
+        $normalizedFilename = preg_replace('{[\\\\/]+}', '/', $this->file);
+        $metadata['sources'][] = $normalizedFilename.':'.$line;
+        $this->catalogue->setMetadata($message, $metadata, $domain);
+    }
+
+    protected function getStringArguments(Node\Expr\CallLike|Node\Attribute|Node\Expr\New_ $node, int|string $index, bool $indexIsRegex = false): array
+    {
+        if (\is_string($index)) {
+            return $this->getStringNamedArguments($node, $index, $indexIsRegex);
+        }
+
+        $args = $node instanceof Node\Expr\CallLike ? $node->getRawArgs() : $node->args;
+
+        if (!($arg = $args[$index] ?? null) instanceof Node\Arg) {
+            return [];
+        }
+
+        return (array) $this->getStringValue($arg->value);
+    }
+
+    protected function hasNodeNamedArguments(Node\Expr\CallLike|Node\Attribute|Node\Expr\New_ $node): bool
+    {
+        $args = $node instanceof Node\Expr\CallLike ? $node->getRawArgs() : $node->args;
+
+        foreach ($args as $arg) {
+            if ($arg instanceof Node\Arg && null !== $arg->name) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    protected function nodeFirstNamedArgumentIndex(Node\Expr\CallLike|Node\Attribute|Node\Expr\New_ $node): int
+    {
+        $args = $node instanceof Node\Expr\CallLike ? $node->getRawArgs() : $node->args;
+
+        foreach ($args as $i => $arg) {
+            if ($arg instanceof Node\Arg && null !== $arg->name) {
+                return $i;
+            }
+        }
+
+        return \PHP_INT_MAX;
+    }
+
+    private function getStringNamedArguments(Node\Expr\CallLike|Node\Attribute $node, ?string $argumentName = null, bool $isArgumentNamePattern = false): array
+    {
+        $args = $node instanceof Node\Expr\CallLike ? $node->getArgs() : $node->args;
+        $argumentValues = [];
+
+        foreach ($args as $arg) {
+            if (!$isArgumentNamePattern && $arg->name?->toString() === $argumentName) {
+                $argumentValues[] = $this->getStringValue($arg->value);
+            } elseif ($isArgumentNamePattern && preg_match($argumentName, $arg->name?->toString() ?? '') > 0) {
+                $argumentValues[] = $this->getStringValue($arg->value);
+            }
+        }
+
+        return array_filter($argumentValues);
+    }
+
+    private function getStringValue(Node $node): ?string
+    {
+        if ($node instanceof Node\Scalar\String_) {
+            return $node->value;
+        }
+
+        if ($node instanceof Node\Expr\BinaryOp\Concat) {
+            if (null === $left = $this->getStringValue($node->left)) {
+                return null;
+            }
+
+            if (null === $right = $this->getStringValue($node->right)) {
+                return null;
+            }
+
+            return $left.$right;
+        }
+
+        if ($node instanceof Node\Expr\Assign && $node->expr instanceof Node\Scalar\String_) {
+            return $node->expr->value;
+        }
+
+        if ($node instanceof Node\Expr\ClassConstFetch) {
+            try {
+                $reflection = new \ReflectionClass($node->class->toString());
+                $constant = $reflection->getReflectionConstant($node->name->toString());
+                if (false !== $constant && \is_string($constant->getValue())) {
+                    return $constant->getValue();
+                }
+            } catch (\ReflectionException) {
+            }
+        }
+
+        return null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/ConstraintVisitor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/ConstraintVisitor.php
new file mode 100644
index 000000000..00fb9eedc
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/ConstraintVisitor.php
@@ -0,0 +1,112 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\Extractor\Visitor;
+
+use PhpParser\Node;
+use PhpParser\NodeVisitor;
+
+/**
+ * @author Mathieu Santostefano <msantostefano@protonmail.com>
+ *
+ * Code mostly comes from https://github.com/php-translation/extractor/blob/master/src/Visitor/Php/Symfony/Constraint.php
+ */
+final class ConstraintVisitor extends AbstractVisitor implements NodeVisitor
+{
+    public function __construct(
+        private readonly array $constraintClassNames = []
+    ) {
+    }
+
+    public function beforeTraverse(array $nodes): ?Node
+    {
+        return null;
+    }
+
+    public function enterNode(Node $node): ?Node
+    {
+        return null;
+    }
+
+    public function leaveNode(Node $node): ?Node
+    {
+        if (!$node instanceof Node\Expr\New_ && !$node instanceof Node\Attribute) {
+            return null;
+        }
+
+        $className = $node instanceof Node\Attribute ? $node->name : $node->class;
+        if (!$className instanceof Node\Name) {
+            return null;
+        }
+
+        $parts = $className->getParts();
+        $isConstraintClass = false;
+
+        foreach ($parts as $part) {
+            if (\in_array($part, $this->constraintClassNames, true)) {
+                $isConstraintClass = true;
+
+                break;
+            }
+        }
+
+        if (!$isConstraintClass) {
+            return null;
+        }
+
+        $arg = $node->args[0] ?? null;
+        if (!$arg instanceof Node\Arg) {
+            return null;
+        }
+
+        if ($this->hasNodeNamedArguments($node)) {
+            $messages = $this->getStringArguments($node, '/message/i', true);
+        } else {
+            if (!$arg->value instanceof Node\Expr\Array_) {
+                // There is no way to guess which argument is a message to be translated.
+                return null;
+            }
+
+            $messages = [];
+            $options = $arg->value;
+
+            /** @var Node\Expr\ArrayItem $item */
+            foreach ($options->items as $item) {
+                if (!$item->key instanceof Node\Scalar\String_) {
+                    continue;
+                }
+
+                if (false === stripos($item->key->value ?? '', 'message')) {
+                    continue;
+                }
+
+                if (!$item->value instanceof Node\Scalar\String_) {
+                    continue;
+                }
+
+                $messages[] = $item->value->value;
+
+                break;
+            }
+        }
+
+        foreach ($messages as $message) {
+            $this->addMessageToCatalogue($message, 'validators', $node->getStartLine());
+        }
+
+        return null;
+    }
+
+    public function afterTraverse(array $nodes): ?Node
+    {
+        return null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TransMethodVisitor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TransMethodVisitor.php
new file mode 100644
index 000000000..53a6981a2
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TransMethodVisitor.php
@@ -0,0 +1,65 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\Extractor\Visitor;
+
+use PhpParser\Node;
+use PhpParser\NodeVisitor;
+
+/**
+ * @author Mathieu Santostefano <msantostefano@protonmail.com>
+ */
+final class TransMethodVisitor extends AbstractVisitor implements NodeVisitor
+{
+    public function beforeTraverse(array $nodes): ?Node
+    {
+        return null;
+    }
+
+    public function enterNode(Node $node): ?Node
+    {
+        return null;
+    }
+
+    public function leaveNode(Node $node): ?Node
+    {
+        if (!$node instanceof Node\Expr\MethodCall && !$node instanceof Node\Expr\FuncCall) {
+            return null;
+        }
+
+        if (!\is_string($node->name) && !$node->name instanceof Node\Identifier && !$node->name instanceof Node\Name) {
+            return null;
+        }
+
+        $name = (string) $node->name;
+
+        if ('trans' === $name || 't' === $name) {
+            $firstNamedArgumentIndex = $this->nodeFirstNamedArgumentIndex($node);
+
+            if (!$messages = $this->getStringArguments($node, 0 < $firstNamedArgumentIndex ? 0 : 'message')) {
+                return null;
+            }
+
+            $domain = $this->getStringArguments($node, 2 < $firstNamedArgumentIndex ? 2 : 'domain')[0] ?? null;
+
+            foreach ($messages as $message) {
+                $this->addMessageToCatalogue($message, $domain, $node->getStartLine());
+            }
+        }
+
+        return null;
+    }
+
+    public function afterTraverse(array $nodes): ?Node
+    {
+        return null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TranslatableMessageVisitor.php b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TranslatableMessageVisitor.php
new file mode 100644
index 000000000..6bd8bb022
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/Extractor/Visitor/TranslatableMessageVisitor.php
@@ -0,0 +1,65 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation\Extractor\Visitor;
+
+use PhpParser\Node;
+use PhpParser\NodeVisitor;
+
+/**
+ * @author Mathieu Santostefano <msantostefano@protonmail.com>
+ */
+final class TranslatableMessageVisitor extends AbstractVisitor implements NodeVisitor
+{
+    public function beforeTraverse(array $nodes): ?Node
+    {
+        return null;
+    }
+
+    public function enterNode(Node $node): ?Node
+    {
+        return null;
+    }
+
+    public function leaveNode(Node $node): ?Node
+    {
+        if (!$node instanceof Node\Expr\New_) {
+            return null;
+        }
+
+        if (!($className = $node->class) instanceof Node\Name) {
+            return null;
+        }
+
+        if (!\in_array('TranslatableMessage', $className->getParts(), true)) {
+            return null;
+        }
+
+        $firstNamedArgumentIndex = $this->nodeFirstNamedArgumentIndex($node);
+
+        if (!$messages = $this->getStringArguments($node, 0 < $firstNamedArgumentIndex ? 0 : 'message')) {
+            return null;
+        }
+
+        $domain = $this->getStringArguments($node, 2 < $firstNamedArgumentIndex ? 2 : 'domain')[0] ?? null;
+
+        foreach ($messages as $message) {
+            $this->addMessageToCatalogue($message, $domain, $node->getStartLine());
+        }
+
+        return null;
+    }
+
+    public function afterTraverse(array $nodes): ?Node
+    {
+        return null;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/Formatter/IntlFormatter.php b/data/web/inc/lib/vendor/symfony/translation/Formatter/IntlFormatter.php
index f7f1c36a2..e62de253f 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Formatter/IntlFormatter.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Formatter/IntlFormatter.php
@@ -20,12 +20,9 @@ use Symfony\Component\Translation\Exception\LogicException;
  */
 class IntlFormatter implements IntlFormatterInterface
 {
-    private $hasMessageFormatter;
-    private $cache = [];
+    private bool $hasMessageFormatter;
+    private array $cache = [];
 
-    /**
-     * {@inheritdoc}
-     */
     public function formatIntl(string $message, string $locale, array $parameters = []): string
     {
         // MessageFormatter constructor throws an exception if the message is empty
@@ -34,7 +31,7 @@ class IntlFormatter implements IntlFormatterInterface
         }
 
         if (!$formatter = $this->cache[$locale][$message] ?? null) {
-            if (!($this->hasMessageFormatter ?? $this->hasMessageFormatter = class_exists(\MessageFormatter::class))) {
+            if (!$this->hasMessageFormatter ??= class_exists(\MessageFormatter::class)) {
                 throw new LogicException('Cannot parse message translation: please install the "intl" PHP extension or the "symfony/polyfill-intl-messageformatter" package.');
             }
             try {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Formatter/MessageFormatter.php b/data/web/inc/lib/vendor/symfony/translation/Formatter/MessageFormatter.php
index 68821b1d0..d5255bdcb 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Formatter/MessageFormatter.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Formatter/MessageFormatter.php
@@ -22,33 +22,23 @@ class_exists(IntlFormatter::class);
  */
 class MessageFormatter implements MessageFormatterInterface, IntlFormatterInterface
 {
-    private $translator;
-    private $intlFormatter;
+    private TranslatorInterface $translator;
+    private IntlFormatterInterface $intlFormatter;
 
     /**
      * @param TranslatorInterface|null $translator An identity translator to use as selector for pluralization
      */
-    public function __construct(TranslatorInterface $translator = null, IntlFormatterInterface $intlFormatter = null)
+    public function __construct(?TranslatorInterface $translator = null, ?IntlFormatterInterface $intlFormatter = null)
     {
         $this->translator = $translator ?? new IdentityTranslator();
         $this->intlFormatter = $intlFormatter ?? new IntlFormatter();
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function format(string $message, string $locale, array $parameters = []): string
     {
-        if ($this->translator instanceof TranslatorInterface) {
-            return $this->translator->trans($message, $parameters, null, $locale);
-        }
-
-        return strtr($message, $parameters);
+        return $this->translator->trans($message, $parameters, null, $locale);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function formatIntl(string $message, string $locale, array $parameters = []): string
     {
         return $this->intlFormatter->formatIntl($message, $locale, $parameters);
diff --git a/data/web/inc/lib/vendor/symfony/translation/LICENSE b/data/web/inc/lib/vendor/symfony/translation/LICENSE
index 88bf75bb4..0138f8f07 100644
--- a/data/web/inc/lib/vendor/symfony/translation/LICENSE
+++ b/data/web/inc/lib/vendor/symfony/translation/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2004-2022 Fabien Potencier
+Copyright (c) 2004-present Fabien Potencier
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/ArrayLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/ArrayLoader.php
index 35de9ef54..e63a7d05b 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/ArrayLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/ArrayLoader.php
@@ -20,9 +20,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class ArrayLoader implements LoaderInterface
 {
-    /**
-     * {@inheritdoc}
-     */
     public function load(mixed $resource, string $locale, string $domain = 'messages'): MessageCatalogue
     {
         $resource = $this->flatten($resource);
@@ -46,9 +43,11 @@ class ArrayLoader implements LoaderInterface
         foreach ($messages as $key => $value) {
             if (\is_array($value)) {
                 foreach ($this->flatten($value) as $k => $v) {
-                    $result[$key.'.'.$k] = $v;
+                    if (null !== $v) {
+                        $result[$key.'.'.$k] = $v;
+                    }
                 }
-            } else {
+            } elseif (null !== $value) {
                 $result[$key] = $value;
             }
         }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/CsvFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/CsvFileLoader.php
index 76b00b151..7f2f96be6 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/CsvFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/CsvFileLoader.php
@@ -24,9 +24,6 @@ class CsvFileLoader extends FileLoader
     private string $enclosure = '"';
     private string $escape = '\\';
 
-    /**
-     * {@inheritdoc}
-     */
     protected function loadResource(string $resource): array
     {
         $messages = [];
@@ -45,7 +42,7 @@ class CsvFileLoader extends FileLoader
                 continue;
             }
 
-            if ('#' !== substr($data[0], 0, 1) && isset($data[1]) && 2 === \count($data)) {
+            if (!str_starts_with($data[0], '#') && isset($data[1]) && 2 === \count($data)) {
                 $messages[$data[0]] = $data[1];
             }
         }
@@ -55,6 +52,8 @@ class CsvFileLoader extends FileLoader
 
     /**
      * Sets the delimiter, enclosure, and escape character for CSV.
+     *
+     * @return void
      */
     public function setCsvControl(string $delimiter = ';', string $enclosure = '"', string $escape = '\\')
     {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/FileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/FileLoader.php
index e170d7617..877c3bbc7 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/FileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/FileLoader.php
@@ -21,9 +21,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 abstract class FileLoader extends ArrayLoader
 {
-    /**
-     * {@inheritdoc}
-     */
     public function load(mixed $resource, string $locale, string $domain = 'messages'): MessageCatalogue
     {
         if (!stream_is_local($resource)) {
@@ -37,9 +34,7 @@ abstract class FileLoader extends ArrayLoader
         $messages = $this->loadResource($resource);
 
         // empty resource
-        if (null === $messages) {
-            $messages = [];
-        }
+        $messages ??= [];
 
         // not an array
         if (!\is_array($messages)) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/IcuDatFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/IcuDatFileLoader.php
index c3ca5fd08..76e4e7f02 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/IcuDatFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/IcuDatFileLoader.php
@@ -23,9 +23,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class IcuDatFileLoader extends IcuResFileLoader
 {
-    /**
-     * {@inheritdoc}
-     */
     public function load(mixed $resource, string $locale, string $domain = 'messages'): MessageCatalogue
     {
         if (!stream_is_local($resource.'.dat')) {
@@ -38,7 +35,7 @@ class IcuDatFileLoader extends IcuResFileLoader
 
         try {
             $rb = new \ResourceBundle($locale, $resource);
-        } catch (\Exception $e) {
+        } catch (\Exception) {
             $rb = null;
         }
 
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/IcuResFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/IcuResFileLoader.php
index 54c48f813..949dd9792 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/IcuResFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/IcuResFileLoader.php
@@ -23,9 +23,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class IcuResFileLoader implements LoaderInterface
 {
-    /**
-     * {@inheritdoc}
-     */
     public function load(mixed $resource, string $locale, string $domain = 'messages'): MessageCatalogue
     {
         if (!stream_is_local($resource)) {
@@ -38,7 +35,7 @@ class IcuResFileLoader implements LoaderInterface
 
         try {
             $rb = new \ResourceBundle($locale, $resource);
-        } catch (\Exception $e) {
+        } catch (\Exception) {
             $rb = null;
         }
 
@@ -71,9 +68,9 @@ class IcuResFileLoader implements LoaderInterface
      *
      * @param \ResourceBundle $rb       The ResourceBundle that will be flattened
      * @param array           $messages Used internally for recursive calls
-     * @param string          $path     Current path being parsed, used internally for recursive calls
+     * @param string|null     $path     Current path being parsed, used internally for recursive calls
      */
-    protected function flatten(\ResourceBundle $rb, array &$messages = [], string $path = null): array
+    protected function flatten(\ResourceBundle $rb, array &$messages = [], ?string $path = null): array
     {
         foreach ($rb as $key => $value) {
             $nodePath = $path ? $path.'.'.$key : $key;
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/IniFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/IniFileLoader.php
index 04e294d11..3126896c8 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/IniFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/IniFileLoader.php
@@ -18,9 +18,6 @@ namespace Symfony\Component\Translation\Loader;
  */
 class IniFileLoader extends FileLoader
 {
-    /**
-     * {@inheritdoc}
-     */
     protected function loadResource(string $resource): array
     {
         return parse_ini_file($resource, true);
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/JsonFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/JsonFileLoader.php
index 67a8d58ed..385553ef6 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/JsonFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/JsonFileLoader.php
@@ -20,9 +20,6 @@ use Symfony\Component\Translation\Exception\InvalidResourceException;
  */
 class JsonFileLoader extends FileLoader
 {
-    /**
-     * {@inheritdoc}
-     */
     protected function loadResource(string $resource): array
     {
         $messages = [];
@@ -42,19 +39,13 @@ class JsonFileLoader extends FileLoader
      */
     private function getJSONErrorMessage(int $errorCode): string
     {
-        switch ($errorCode) {
-            case \JSON_ERROR_DEPTH:
-                return 'Maximum stack depth exceeded';
-            case \JSON_ERROR_STATE_MISMATCH:
-                return 'Underflow or the modes mismatch';
-            case \JSON_ERROR_CTRL_CHAR:
-                return 'Unexpected control character found';
-            case \JSON_ERROR_SYNTAX:
-                return 'Syntax error, malformed JSON';
-            case \JSON_ERROR_UTF8:
-                return 'Malformed UTF-8 characters, possibly incorrectly encoded';
-            default:
-                return 'Unknown error';
-        }
+        return match ($errorCode) {
+            \JSON_ERROR_DEPTH => 'Maximum stack depth exceeded',
+            \JSON_ERROR_STATE_MISMATCH => 'Underflow or the modes mismatch',
+            \JSON_ERROR_CTRL_CHAR => 'Unexpected control character found',
+            \JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON',
+            \JSON_ERROR_UTF8 => 'Malformed UTF-8 characters, possibly incorrectly encoded',
+            default => 'Unknown error',
+        };
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/MoFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/MoFileLoader.php
index b0c891387..8427c393e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/MoFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/MoFileLoader.php
@@ -38,8 +38,6 @@ class MoFileLoader extends FileLoader
     /**
      * Parses machine object (MO) format, independent of the machine's endian it
      * was created on. Both 32bit and 64bit systems are supported.
-     *
-     * {@inheritdoc}
      */
     protected function loadResource(string $resource): array
     {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/PhpFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/PhpFileLoader.php
index 6bc2a05f1..541b6c832 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/PhpFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/PhpFileLoader.php
@@ -20,12 +20,9 @@ class PhpFileLoader extends FileLoader
 {
     private static ?array $cache = [];
 
-    /**
-     * {@inheritdoc}
-     */
     protected function loadResource(string $resource): array
     {
-        if ([] === self::$cache && \function_exists('opcache_invalidate') && filter_var(ini_get('opcache.enable'), \FILTER_VALIDATE_BOOLEAN) && (!\in_array(\PHP_SAPI, ['cli', 'phpdbg'], true) || filter_var(ini_get('opcache.enable_cli'), \FILTER_VALIDATE_BOOLEAN))) {
+        if ([] === self::$cache && \function_exists('opcache_invalidate') && filter_var(\ini_get('opcache.enable'), \FILTER_VALIDATE_BOOL) && (!\in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true) || filter_var(\ini_get('opcache.enable_cli'), \FILTER_VALIDATE_BOOL))) {
             self::$cache = null;
         }
 
@@ -33,10 +30,6 @@ class PhpFileLoader extends FileLoader
             return require $resource;
         }
 
-        if (isset(self::$cache[$resource])) {
-            return self::$cache[$resource];
-        }
-
-        return self::$cache[$resource] = require $resource;
+        return self::$cache[$resource] ??= require $resource;
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/PoFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/PoFileLoader.php
index 6df161487..620d97339 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/PoFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/PoFileLoader.php
@@ -57,8 +57,6 @@ class PoFileLoader extends FileLoader
      * - Message IDs are allowed to have other encodings as just US-ASCII.
      *
      * Items with an empty id are ignored.
-     *
-     * {@inheritdoc}
      */
     protected function loadResource(string $resource): array
     {
@@ -83,15 +81,15 @@ class PoFileLoader extends FileLoader
                 }
                 $item = $defaults;
                 $flags = [];
-            } elseif ('#,' === substr($line, 0, 2)) {
+            } elseif (str_starts_with($line, '#,')) {
                 $flags = array_map('trim', explode(',', substr($line, 2)));
-            } elseif ('msgid "' === substr($line, 0, 7)) {
+            } elseif (str_starts_with($line, 'msgid "')) {
                 // We start a new msg so save previous
                 // TODO: this fails when comments or contexts are added
                 $this->addMessage($messages, $item);
                 $item = $defaults;
                 $item['ids']['singular'] = substr($line, 7, -1);
-            } elseif ('msgstr "' === substr($line, 0, 8)) {
+            } elseif (str_starts_with($line, 'msgstr "')) {
                 $item['translated'] = substr($line, 8, -1);
             } elseif ('"' === $line[0]) {
                 $continues = isset($item['translated']) ? 'translated' : 'ids';
@@ -102,9 +100,9 @@ class PoFileLoader extends FileLoader
                 } else {
                     $item[$continues] .= substr($line, 1, -1);
                 }
-            } elseif ('msgid_plural "' === substr($line, 0, 14)) {
+            } elseif (str_starts_with($line, 'msgid_plural "')) {
                 $item['ids']['plural'] = substr($line, 14, -1);
-            } elseif ('msgstr[' === substr($line, 0, 7)) {
+            } elseif (str_starts_with($line, 'msgstr[')) {
                 $size = strpos($line, ']');
                 $item['translated'][(int) substr($line, 7, 1)] = substr($line, $size + 3, -1);
             }
@@ -124,7 +122,7 @@ class PoFileLoader extends FileLoader
      * A .po file could contain by error missing plural indexes. We need to
      * fix these before saving them.
      */
-    private function addMessage(array &$messages, array $item)
+    private function addMessage(array &$messages, array $item): void
     {
         if (!empty($item['ids']['singular'])) {
             $id = stripcslashes($item['ids']['singular']);
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/QtFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/QtFileLoader.php
index 6d5582d66..235f85ee9 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/QtFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/QtFileLoader.php
@@ -25,9 +25,6 @@ use Symfony\Component\Translation\MessageCatalogue;
  */
 class QtFileLoader implements LoaderInterface
 {
-    /**
-     * {@inheritdoc}
-     */
     public function load(mixed $resource, string $locale, string $domain = 'messages'): MessageCatalogue
     {
         if (!class_exists(XmlUtils::class)) {
@@ -67,7 +64,6 @@ class QtFileLoader implements LoaderInterface
                         $domain
                     );
                 }
-                $translation = $translation->nextSibling;
             }
 
             if (class_exists(FileResource::class)) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/XliffFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/XliffFileLoader.php
index 670e19979..31b3251ba 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/XliffFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/XliffFileLoader.php
@@ -28,9 +28,6 @@ use Symfony\Component\Translation\Util\XliffUtils;
  */
 class XliffFileLoader implements LoaderInterface
 {
-    /**
-     * {@inheritdoc}
-     */
     public function load(mixed $resource, string $locale, string $domain = 'messages'): MessageCatalogue
     {
         if (!class_exists(XmlUtils::class)) {
@@ -75,7 +72,7 @@ class XliffFileLoader implements LoaderInterface
         return $catalogue;
     }
 
-    private function extract(\DOMDocument $dom, MessageCatalogue $catalogue, string $domain)
+    private function extract(\DOMDocument $dom, MessageCatalogue $catalogue, string $domain): void
     {
         $xliffVersion = XliffUtils::getVersionNumber($dom);
 
@@ -91,7 +88,7 @@ class XliffFileLoader implements LoaderInterface
     /**
      * Extract messages and metadata from DOMDocument into a MessageCatalogue.
      */
-    private function extractXliff1(\DOMDocument $dom, MessageCatalogue $catalogue, string $domain)
+    private function extractXliff1(\DOMDocument $dom, MessageCatalogue $catalogue, string $domain): void
     {
         $xml = simplexml_import_dom($dom);
         $encoding = $dom->encoding ? strtoupper($dom->encoding) : null;
@@ -104,6 +101,10 @@ class XliffFileLoader implements LoaderInterface
 
             $file->registerXPathNamespace('xliff', $namespace);
 
+            foreach ($file->xpath('.//xliff:prop') as $prop) {
+                $catalogue->setCatalogueMetadata($prop->attributes()['prop-type'], (string) $prop, $domain);
+            }
+
             foreach ($file->xpath('.//xliff:trans-unit') as $translation) {
                 $attributes = $translation->attributes();
 
@@ -111,6 +112,10 @@ class XliffFileLoader implements LoaderInterface
                     continue;
                 }
 
+                if (isset($translation->target) && 'needs-translation' === (string) $translation->target->attributes()['state']) {
+                    continue;
+                }
+
                 $source = isset($attributes['resname']) && $attributes['resname'] ? $attributes['resname'] : $translation->source;
                 // If the xlf file has another encoding specified, try to convert it because
                 // simple_xml will always return utf-8 encoded values
@@ -144,7 +149,7 @@ class XliffFileLoader implements LoaderInterface
         }
     }
 
-    private function extractXliff2(\DOMDocument $dom, MessageCatalogue $catalogue, string $domain)
+    private function extractXliff2(\DOMDocument $dom, MessageCatalogue $catalogue, string $domain): void
     {
         $xml = simplexml_import_dom($dom);
         $encoding = $dom->encoding ? strtoupper($dom->encoding) : null;
@@ -190,7 +195,7 @@ class XliffFileLoader implements LoaderInterface
     /**
      * Convert a UTF8 string to the specified encoding.
      */
-    private function utf8ToCharset(string $content, string $encoding = null): string
+    private function utf8ToCharset(string $content, ?string $encoding = null): string
     {
         if ('UTF-8' !== $encoding && !empty($encoding)) {
             return mb_convert_encoding($content, $encoding, 'UTF-8');
@@ -199,7 +204,7 @@ class XliffFileLoader implements LoaderInterface
         return $content;
     }
 
-    private function parseNotesMetadata(\SimpleXMLElement $noteElement = null, string $encoding = null): array
+    private function parseNotesMetadata(?\SimpleXMLElement $noteElement = null, ?string $encoding = null): array
     {
         $notes = [];
 
@@ -227,6 +232,6 @@ class XliffFileLoader implements LoaderInterface
 
     private function isXmlString(string $resource): bool
     {
-        return 0 === strpos($resource, '<?xml');
+        return str_starts_with($resource, '<?xml');
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Loader/YamlFileLoader.php b/data/web/inc/lib/vendor/symfony/translation/Loader/YamlFileLoader.php
index 5eccf99de..48e735d16 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Loader/YamlFileLoader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Loader/YamlFileLoader.php
@@ -24,14 +24,11 @@ use Symfony\Component\Yaml\Yaml;
  */
 class YamlFileLoader extends FileLoader
 {
-    private $yamlParser;
+    private YamlParser $yamlParser;
 
-    /**
-     * {@inheritdoc}
-     */
     protected function loadResource(string $resource): array
     {
-        if (null === $this->yamlParser) {
+        if (!isset($this->yamlParser)) {
             if (!class_exists(\Symfony\Component\Yaml\Parser::class)) {
                 throw new LogicException('Loading translations from the YAML format requires the Symfony Yaml component.');
             }
diff --git a/data/web/inc/lib/vendor/symfony/translation/LocaleSwitcher.php b/data/web/inc/lib/vendor/symfony/translation/LocaleSwitcher.php
new file mode 100644
index 000000000..c07809c58
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/translation/LocaleSwitcher.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Translation;
+
+use Symfony\Component\Routing\RequestContext;
+use Symfony\Contracts\Translation\LocaleAwareInterface;
+
+/**
+ * @author Kevin Bond <kevinbond@gmail.com>
+ */
+class LocaleSwitcher implements LocaleAwareInterface
+{
+    private string $defaultLocale;
+
+    /**
+     * @param LocaleAwareInterface[] $localeAwareServices
+     */
+    public function __construct(
+        private string $locale,
+        private iterable $localeAwareServices,
+        private ?RequestContext $requestContext = null,
+    ) {
+        $this->defaultLocale = $locale;
+    }
+
+    public function setLocale(string $locale): void
+    {
+        if (class_exists(\Locale::class)) {
+            \Locale::setDefault($locale);
+        }
+        $this->locale = $locale;
+        $this->requestContext?->setParameter('_locale', $locale);
+
+        foreach ($this->localeAwareServices as $service) {
+            $service->setLocale($locale);
+        }
+    }
+
+    public function getLocale(): string
+    {
+        return $this->locale;
+    }
+
+    /**
+     * Switch to a new locale, execute a callback, then switch back to the original.
+     *
+     * @template T
+     *
+     * @param callable(string $locale):T $callback
+     *
+     * @return T
+     */
+    public function runWithLocale(string $locale, callable $callback): mixed
+    {
+        $original = $this->getLocale();
+        $this->setLocale($locale);
+
+        try {
+            return $callback($locale);
+        } finally {
+            $this->setLocale($original);
+        }
+    }
+
+    public function reset(): void
+    {
+        $this->setLocale($this->defaultLocale);
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/translation/LoggingTranslator.php b/data/web/inc/lib/vendor/symfony/translation/LoggingTranslator.php
index 8c8441cdf..4a560bd6a 100644
--- a/data/web/inc/lib/vendor/symfony/translation/LoggingTranslator.php
+++ b/data/web/inc/lib/vendor/symfony/translation/LoggingTranslator.php
@@ -21,8 +21,8 @@ use Symfony\Contracts\Translation\TranslatorInterface;
  */
 class LoggingTranslator implements TranslatorInterface, TranslatorBagInterface, LocaleAwareInterface
 {
-    private $translator;
-    private $logger;
+    private TranslatorInterface $translator;
+    private LoggerInterface $logger;
 
     /**
      * @param TranslatorInterface&TranslatorBagInterface&LocaleAwareInterface $translator The translator must implement TranslatorBagInterface
@@ -37,10 +37,7 @@ class LoggingTranslator implements TranslatorInterface, TranslatorBagInterface,
         $this->logger = $logger;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function trans(?string $id, array $parameters = [], string $domain = null, string $locale = null): string
+    public function trans(?string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
     {
         $trans = $this->translator->trans($id = (string) $id, $parameters, $domain, $locale);
         $this->log($id, $domain, $locale);
@@ -49,7 +46,7 @@ class LoggingTranslator implements TranslatorInterface, TranslatorBagInterface,
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setLocale(string $locale)
     {
@@ -62,25 +59,16 @@ class LoggingTranslator implements TranslatorInterface, TranslatorBagInterface,
         $this->logger->debug(sprintf('The locale of the translator has changed from "%s" to "%s".', $prev, $locale));
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getLocale(): string
     {
         return $this->translator->getLocale();
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getCatalogue(string $locale = null): MessageCatalogueInterface
+    public function getCatalogue(?string $locale = null): MessageCatalogueInterface
     {
         return $this->translator->getCatalogue($locale);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getCatalogues(): array
     {
         return $this->translator->getCatalogues();
@@ -99,7 +87,7 @@ class LoggingTranslator implements TranslatorInterface, TranslatorBagInterface,
     }
 
     /**
-     * Passes through all unknown calls onto the translator object.
+     * @return mixed
      */
     public function __call(string $method, array $args)
     {
@@ -109,11 +97,9 @@ class LoggingTranslator implements TranslatorInterface, TranslatorBagInterface,
     /**
      * Logs for missing translations.
      */
-    private function log(string $id, ?string $domain, ?string $locale)
+    private function log(string $id, ?string $domain, ?string $locale): void
     {
-        if (null === $domain) {
-            $domain = 'messages';
-        }
+        $domain ??= 'messages';
 
         $catalogue = $this->translator->getCatalogue($locale);
         if ($catalogue->defines($id, $domain)) {
diff --git a/data/web/inc/lib/vendor/symfony/translation/MessageCatalogue.php b/data/web/inc/lib/vendor/symfony/translation/MessageCatalogue.php
index 7aa27efda..d56f04393 100644
--- a/data/web/inc/lib/vendor/symfony/translation/MessageCatalogue.php
+++ b/data/web/inc/lib/vendor/symfony/translation/MessageCatalogue.php
@@ -17,13 +17,14 @@ use Symfony\Component\Translation\Exception\LogicException;
 /**
  * @author Fabien Potencier <fabien@symfony.com>
  */
-class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterface
+class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterface, CatalogueMetadataAwareInterface
 {
     private array $messages = [];
     private array $metadata = [];
+    private array $catalogueMetadata = [];
     private array $resources = [];
     private string $locale;
-    private $fallbackCatalogue = null;
+    private ?MessageCatalogueInterface $fallbackCatalogue = null;
     private ?self $parent = null;
 
     /**
@@ -35,17 +36,11 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
         $this->messages = $messages;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getLocale(): string
     {
         return $this->locale;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getDomains(): array
     {
         $domains = [];
@@ -60,10 +55,7 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
         return array_values($domains);
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function all(string $domain = null): array
+    public function all(?string $domain = null): array
     {
         if (null !== $domain) {
             // skip messages merge if intl-icu requested explicitly
@@ -89,16 +81,13 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function set(string $id, string $translation, string $domain = 'messages')
     {
         $this->add([$id => $translation], $domain);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function has(string $id, string $domain = 'messages'): bool
     {
         if (isset($this->messages[$domain][$id]) || isset($this->messages[$domain.self::INTL_DOMAIN_SUFFIX][$id])) {
@@ -112,17 +101,11 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
         return false;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function defines(string $id, string $domain = 'messages'): bool
     {
         return isset($this->messages[$domain][$id]) || isset($this->messages[$domain.self::INTL_DOMAIN_SUFFIX][$id]);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function get(string $id, string $domain = 'messages'): string
     {
         if (isset($this->messages[$domain.self::INTL_DOMAIN_SUFFIX][$id])) {
@@ -141,7 +124,7 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function replace(array $messages, string $domain = 'messages')
     {
@@ -151,28 +134,23 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function add(array $messages, string $domain = 'messages')
     {
-        if (!isset($this->messages[$domain])) {
-            $this->messages[$domain] = [];
-        }
-        $intlDomain = $domain;
-        if (!str_ends_with($domain, self::INTL_DOMAIN_SUFFIX)) {
-            $intlDomain .= self::INTL_DOMAIN_SUFFIX;
-        }
+        $altDomain = str_ends_with($domain, self::INTL_DOMAIN_SUFFIX) ? substr($domain, 0, -\strlen(self::INTL_DOMAIN_SUFFIX)) : $domain.self::INTL_DOMAIN_SUFFIX;
         foreach ($messages as $id => $message) {
-            if (isset($this->messages[$intlDomain]) && \array_key_exists($id, $this->messages[$intlDomain])) {
-                $this->messages[$intlDomain][$id] = $message;
-            } else {
-                $this->messages[$domain][$id] = $message;
-            }
+            unset($this->messages[$altDomain][$id]);
+            $this->messages[$domain][$id] = $message;
+        }
+
+        if ([] === ($this->messages[$altDomain] ?? null)) {
+            unset($this->messages[$altDomain]);
         }
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function addCatalogue(MessageCatalogueInterface $catalogue)
     {
@@ -196,10 +174,15 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
             $metadata = $catalogue->getMetadata('', '');
             $this->addMetadata($metadata);
         }
+
+        if ($catalogue instanceof CatalogueMetadataAwareInterface) {
+            $catalogueMetadata = $catalogue->getCatalogueMetadata('', '');
+            $this->addCatalogueMetadata($catalogueMetadata);
+        }
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function addFallbackCatalogue(MessageCatalogueInterface $catalogue)
     {
@@ -230,33 +213,24 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
         }
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getFallbackCatalogue(): ?MessageCatalogueInterface
     {
         return $this->fallbackCatalogue;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getResources(): array
     {
         return array_values($this->resources);
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function addResource(ResourceInterface $resource)
     {
         $this->resources[$resource->__toString()] = $resource;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getMetadata(string $key = '', string $domain = 'messages'): mixed
     {
         if ('' == $domain) {
@@ -277,7 +251,7 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setMetadata(string $key, mixed $value, string $domain = 'messages')
     {
@@ -285,7 +259,7 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function deleteMetadata(string $key = '', string $domain = 'messages')
     {
@@ -298,12 +272,53 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
         }
     }
 
+    public function getCatalogueMetadata(string $key = '', string $domain = 'messages'): mixed
+    {
+        if (!$domain) {
+            return $this->catalogueMetadata;
+        }
+
+        if (isset($this->catalogueMetadata[$domain])) {
+            if (!$key) {
+                return $this->catalogueMetadata[$domain];
+            }
+
+            if (isset($this->catalogueMetadata[$domain][$key])) {
+                return $this->catalogueMetadata[$domain][$key];
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * @return void
+     */
+    public function setCatalogueMetadata(string $key, mixed $value, string $domain = 'messages')
+    {
+        $this->catalogueMetadata[$domain][$key] = $value;
+    }
+
+    /**
+     * @return void
+     */
+    public function deleteCatalogueMetadata(string $key = '', string $domain = 'messages')
+    {
+        if (!$domain) {
+            $this->catalogueMetadata = [];
+        } elseif (!$key) {
+            unset($this->catalogueMetadata[$domain]);
+        } else {
+            unset($this->catalogueMetadata[$domain][$key]);
+        }
+    }
+
     /**
      * Adds current values with the new values.
      *
      * @param array $values Values to add
      */
-    private function addMetadata(array $values)
+    private function addMetadata(array $values): void
     {
         foreach ($values as $domain => $keys) {
             foreach ($keys as $key => $value) {
@@ -311,4 +326,13 @@ class MessageCatalogue implements MessageCatalogueInterface, MetadataAwareInterf
             }
         }
     }
+
+    private function addCatalogueMetadata(array $values): void
+    {
+        foreach ($values as $domain => $keys) {
+            foreach ($keys as $key => $value) {
+                $this->setCatalogueMetadata($key, $value, $domain);
+            }
+        }
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/MessageCatalogueInterface.php b/data/web/inc/lib/vendor/symfony/translation/MessageCatalogueInterface.php
index 75e3a2fa7..fd0d26d7e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/MessageCatalogueInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/MessageCatalogueInterface.php
@@ -36,10 +36,8 @@ interface MessageCatalogueInterface
      * Gets the messages within a given domain.
      *
      * If $domain is null, it returns all messages.
-     *
-     * @param string $domain The domain name
      */
-    public function all(string $domain = null): array;
+    public function all(?string $domain = null): array;
 
     /**
      * Sets a message translation.
@@ -47,6 +45,8 @@ interface MessageCatalogueInterface
      * @param string $id          The message id
      * @param string $translation The messages translation
      * @param string $domain      The domain name
+     *
+     * @return void
      */
     public function set(string $id, string $translation, string $domain = 'messages');
 
@@ -79,6 +79,8 @@ interface MessageCatalogueInterface
      *
      * @param array  $messages An array of translations
      * @param string $domain   The domain name
+     *
+     * @return void
      */
     public function replace(array $messages, string $domain = 'messages');
 
@@ -87,6 +89,8 @@ interface MessageCatalogueInterface
      *
      * @param array  $messages An array of translations
      * @param string $domain   The domain name
+     *
+     * @return void
      */
     public function add(array $messages, string $domain = 'messages');
 
@@ -94,6 +98,8 @@ interface MessageCatalogueInterface
      * Merges translations from the given Catalogue into the current one.
      *
      * The two catalogues must have the same locale.
+     *
+     * @return void
      */
     public function addCatalogue(self $catalogue);
 
@@ -102,6 +108,8 @@ interface MessageCatalogueInterface
      * only when the translation does not exist.
      *
      * This is used to provide default translations when they do not exist for the current locale.
+     *
+     * @return void
      */
     public function addFallbackCatalogue(self $catalogue);
 
@@ -119,6 +127,8 @@ interface MessageCatalogueInterface
 
     /**
      * Adds a resource for this collection.
+     *
+     * @return void
      */
     public function addResource(ResourceInterface $resource);
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/MetadataAwareInterface.php b/data/web/inc/lib/vendor/symfony/translation/MetadataAwareInterface.php
index 2eaaceb36..39e5326c3 100644
--- a/data/web/inc/lib/vendor/symfony/translation/MetadataAwareInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/MetadataAwareInterface.php
@@ -12,7 +12,7 @@
 namespace Symfony\Component\Translation;
 
 /**
- * MetadataAwareInterface.
+ * This interface is used to get, set, and delete metadata about the translation messages.
  *
  * @author Fabien Potencier <fabien@symfony.com>
  */
@@ -31,6 +31,8 @@ interface MetadataAwareInterface
 
     /**
      * Adds metadata to a message domain.
+     *
+     * @return void
      */
     public function setMetadata(string $key, mixed $value, string $domain = 'messages');
 
@@ -39,6 +41,8 @@ interface MetadataAwareInterface
      *
      * Passing an empty domain will delete all metadata. Passing an empty key will
      * delete all metadata for the given domain.
+     *
+     * @return void
      */
     public function deleteMetadata(string $key = '', string $domain = 'messages');
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Provider/AbstractProviderFactory.php b/data/web/inc/lib/vendor/symfony/translation/Provider/AbstractProviderFactory.php
index 17442fde8..f0c11d85d 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Provider/AbstractProviderFactory.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Provider/AbstractProviderFactory.php
@@ -27,19 +27,11 @@ abstract class AbstractProviderFactory implements ProviderFactoryInterface
 
     protected function getUser(Dsn $dsn): string
     {
-        if (null === $user = $dsn->getUser()) {
-            throw new IncompleteDsnException('User is not set.', $dsn->getOriginalDsn());
-        }
-
-        return $user;
+        return $dsn->getUser() ?? throw new IncompleteDsnException('User is not set.', $dsn->getScheme().'://'.$dsn->getHost());
     }
 
     protected function getPassword(Dsn $dsn): string
     {
-        if (null === $password = $dsn->getPassword()) {
-            throw new IncompleteDsnException('Password is not set.', $dsn->getOriginalDsn());
-        }
-
-        return $password;
+        return $dsn->getPassword() ?? throw new IncompleteDsnException('Password is not set.', $dsn->getOriginalDsn());
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Provider/Dsn.php b/data/web/inc/lib/vendor/symfony/translation/Provider/Dsn.php
index 0f74d17fb..1d90e27f9 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Provider/Dsn.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Provider/Dsn.php
@@ -29,29 +29,29 @@ final class Dsn
     private array $options = [];
     private string $originalDsn;
 
-    public function __construct(string $dsn)
+    public function __construct(#[\SensitiveParameter] string $dsn)
     {
         $this->originalDsn = $dsn;
 
-        if (false === $parsedDsn = parse_url($dsn)) {
-            throw new InvalidArgumentException(sprintf('The "%s" translation provider DSN is invalid.', $dsn));
+        if (false === $params = parse_url($dsn)) {
+            throw new InvalidArgumentException('The translation provider DSN is invalid.');
         }
 
-        if (!isset($parsedDsn['scheme'])) {
-            throw new InvalidArgumentException(sprintf('The "%s" translation provider DSN must contain a scheme.', $dsn));
+        if (!isset($params['scheme'])) {
+            throw new InvalidArgumentException('The translation provider DSN must contain a scheme.');
         }
-        $this->scheme = $parsedDsn['scheme'];
+        $this->scheme = $params['scheme'];
 
-        if (!isset($parsedDsn['host'])) {
-            throw new InvalidArgumentException(sprintf('The "%s" translation provider DSN must contain a host (use "default" by default).', $dsn));
+        if (!isset($params['host'])) {
+            throw new InvalidArgumentException('The translation provider DSN must contain a host (use "default" by default).');
         }
-        $this->host = $parsedDsn['host'];
+        $this->host = $params['host'];
 
-        $this->user = '' !== ($parsedDsn['user'] ?? '') ? urldecode($parsedDsn['user']) : null;
-        $this->password = '' !== ($parsedDsn['pass'] ?? '') ? urldecode($parsedDsn['pass']) : null;
-        $this->port = $parsedDsn['port'] ?? null;
-        $this->path = $parsedDsn['path'] ?? null;
-        parse_str($parsedDsn['query'] ?? '', $this->options);
+        $this->user = '' !== ($params['user'] ?? '') ? rawurldecode($params['user']) : null;
+        $this->password = '' !== ($params['pass'] ?? '') ? rawurldecode($params['pass']) : null;
+        $this->port = $params['port'] ?? null;
+        $this->path = $params['path'] ?? null;
+        parse_str($params['query'] ?? '', $this->options);
     }
 
     public function getScheme(): string
@@ -74,17 +74,17 @@ final class Dsn
         return $this->password;
     }
 
-    public function getPort(int $default = null): ?int
+    public function getPort(?int $default = null): ?int
     {
         return $this->port ?? $default;
     }
 
-    public function getOption(string $key, mixed $default = null)
+    public function getOption(string $key, mixed $default = null): mixed
     {
         return $this->options[$key] ?? $default;
     }
 
-    public function getRequiredOption(string $key)
+    public function getRequiredOption(string $key): mixed
     {
         if (!\array_key_exists($key, $this->options) || '' === trim($this->options[$key])) {
             throw new MissingRequiredOptionException($key);
diff --git a/data/web/inc/lib/vendor/symfony/translation/Provider/FilteringProvider.php b/data/web/inc/lib/vendor/symfony/translation/Provider/FilteringProvider.php
index a43fedc71..d4465b9fd 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Provider/FilteringProvider.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Provider/FilteringProvider.php
@@ -21,7 +21,7 @@ use Symfony\Component\Translation\TranslatorBagInterface;
  */
 class FilteringProvider implements ProviderInterface
 {
-    private $provider;
+    private ProviderInterface $provider;
     private array $locales;
     private array $domains;
 
@@ -37,9 +37,6 @@ class FilteringProvider implements ProviderInterface
         return (string) $this->provider;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function write(TranslatorBagInterface $translatorBag): void
     {
         $this->provider->write($translatorBag);
diff --git a/data/web/inc/lib/vendor/symfony/translation/Provider/ProviderInterface.php b/data/web/inc/lib/vendor/symfony/translation/Provider/ProviderInterface.php
index a32193f29..0e47083b6 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Provider/ProviderInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Provider/ProviderInterface.php
@@ -14,10 +14,8 @@ namespace Symfony\Component\Translation\Provider;
 use Symfony\Component\Translation\TranslatorBag;
 use Symfony\Component\Translation\TranslatorBagInterface;
 
-interface ProviderInterface
+interface ProviderInterface extends \Stringable
 {
-    public function __toString(): string;
-
     /**
      * Translations available in the TranslatorBag only must be created.
      * Translations available in both the TranslatorBag and on the provider
diff --git a/data/web/inc/lib/vendor/symfony/translation/Provider/TranslationProviderCollection.php b/data/web/inc/lib/vendor/symfony/translation/Provider/TranslationProviderCollection.php
index 61ac641cd..b917415ba 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Provider/TranslationProviderCollection.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Provider/TranslationProviderCollection.php
@@ -21,7 +21,7 @@ final class TranslationProviderCollection
     /**
      * @var array<string, ProviderInterface>
      */
-    private $providers;
+    private array $providers;
 
     /**
      * @param array<string, ProviderInterface> $providers
diff --git a/data/web/inc/lib/vendor/symfony/translation/PseudoLocalizationTranslator.php b/data/web/inc/lib/vendor/symfony/translation/PseudoLocalizationTranslator.php
index 1d10e0ccb..f26909f5e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/PseudoLocalizationTranslator.php
+++ b/data/web/inc/lib/vendor/symfony/translation/PseudoLocalizationTranslator.php
@@ -20,7 +20,7 @@ final class PseudoLocalizationTranslator implements TranslatorInterface
 {
     private const EXPANSION_CHARACTER = '~';
 
-    private $translator;
+    private TranslatorInterface $translator;
     private bool $accents;
     private float $expansionFactor;
     private bool $brackets;
@@ -83,10 +83,7 @@ final class PseudoLocalizationTranslator implements TranslatorInterface
         $this->localizableHTMLAttributes = $options['localizable_html_attributes'] ?? [];
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function trans(string $id, array $parameters = [], string $domain = null, string $locale = null): string
+    public function trans(string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
     {
         $trans = '';
         $visibleText = '';
@@ -123,7 +120,7 @@ final class PseudoLocalizationTranslator implements TranslatorInterface
             return [[true, true, $originalTrans]];
         }
 
-        $html = mb_convert_encoding($originalTrans, 'HTML-ENTITIES', mb_detect_encoding($originalTrans, null, true) ?: 'UTF-8');
+        $html = mb_encode_numericentity($originalTrans, [0x80, 0x10FFFF, 0, 0x1FFFFF], mb_detect_encoding($originalTrans, null, true) ?: 'UTF-8');
 
         $useInternalErrors = libxml_use_internal_errors(true);
 
@@ -283,7 +280,7 @@ final class PseudoLocalizationTranslator implements TranslatorInterface
         }
 
         $visibleLength = $this->strlen($visibleText);
-        $missingLength = (int) (ceil($visibleLength * $this->expansionFactor)) - $visibleLength;
+        $missingLength = (int) ceil($visibleLength * $this->expansionFactor) - $visibleLength;
         if ($this->brackets) {
             $missingLength -= 2;
         }
diff --git a/data/web/inc/lib/vendor/symfony/translation/README.md b/data/web/inc/lib/vendor/symfony/translation/README.md
index adda9a5b2..32e4017b7 100644
--- a/data/web/inc/lib/vendor/symfony/translation/README.md
+++ b/data/web/inc/lib/vendor/symfony/translation/README.md
@@ -26,12 +26,7 @@ echo $translator->trans('Hello World!'); // outputs « Bonjour ! »
 Sponsor
 -------
 
-The Translation component for Symfony 5.4/6.0 is [backed][1] by:
-
- * [Crowdin][2], a cloud-based localization management software helping teams to go global and stay agile.
- * [Lokalise][3], a continuous localization and translation management platform that integrates into your development workflow so you can ship localized products, faster.
-
-Help Symfony by [sponsoring][4] its development!
+Help Symfony by [sponsoring][1] its development!
 
 Resources
 ---------
@@ -42,7 +37,4 @@ Resources
    [send Pull Requests](https://github.com/symfony/symfony/pulls)
    in the [main Symfony repository](https://github.com/symfony/symfony)
 
-[1]: https://symfony.com/backers
-[2]: https://crowdin.com
-[3]: https://lokalise.com
-[4]: https://symfony.com/sponsor
+[1]: https://symfony.com/sponsor
diff --git a/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReader.php b/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReader.php
index bbc687e13..01408d4dc 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReader.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReader.php
@@ -33,6 +33,8 @@ class TranslationReader implements TranslationReaderInterface
      * Adds a loader to the translation extractor.
      *
      * @param string $format The format of the loader
+     *
+     * @return void
      */
     public function addLoader(string $format, LoaderInterface $loader)
     {
@@ -40,7 +42,7 @@ class TranslationReader implements TranslationReaderInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function read(string $directory, MessageCatalogue $catalogue)
     {
diff --git a/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReaderInterface.php b/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReaderInterface.php
index bc37204f9..ea74dc23f 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReaderInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Reader/TranslationReaderInterface.php
@@ -22,6 +22,8 @@ interface TranslationReaderInterface
 {
     /**
      * Reads translation messages from a directory to the catalogue.
+     *
+     * @return void
      */
     public function read(string $directory, MessageCatalogue $catalogue);
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Resources/bin/translation-status.php b/data/web/inc/lib/vendor/symfony/translation/Resources/bin/translation-status.php
index a76916427..8064190d8 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Resources/bin/translation-status.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Resources/bin/translation-status.php
@@ -9,6 +9,10 @@
  * file that was distributed with this source code.
  */
 
+if ('cli' !== \PHP_SAPI) {
+    throw new Exception('This script must be run from the command line.');
+}
+
 $usageInstructions = <<<END
 
   Usage instructions
@@ -83,19 +87,15 @@ foreach ($config['original_files'] as $originalFilePath) {
     $translationFilePaths = findTranslationFiles($originalFilePath, $config['locale_to_analyze']);
     $translationStatus = calculateTranslationStatus($originalFilePath, $translationFilePaths);
 
-    $totalMissingTranslations += array_sum(array_map(function ($translation) {
-        return count($translation['missingKeys']);
-    }, array_values($translationStatus)));
-    $totalTranslationMismatches += array_sum(array_map(function ($translation) {
-        return count($translation['mismatches']);
-    }, array_values($translationStatus)));
+    $totalMissingTranslations += array_sum(array_map(fn ($translation) => count($translation['missingKeys']), array_values($translationStatus)));
+    $totalTranslationMismatches += array_sum(array_map(fn ($translation) => count($translation['mismatches']), array_values($translationStatus)));
 
     printTranslationStatus($originalFilePath, $translationStatus, $config['verbose_output'], $config['include_completed_languages']);
 }
 
 exit($totalTranslationMismatches > 0 ? 1 : 0);
 
-function findTranslationFiles($originalFilePath, $localeToAnalyze)
+function findTranslationFiles($originalFilePath, $localeToAnalyze): array
 {
     $translations = [];
 
@@ -118,7 +118,7 @@ function findTranslationFiles($originalFilePath, $localeToAnalyze)
     return $translations;
 }
 
-function calculateTranslationStatus($originalFilePath, $translationFilePaths)
+function calculateTranslationStatus($originalFilePath, $translationFilePaths): array
 {
     $translationStatus = [];
     $allTranslationKeys = extractTranslationKeys($originalFilePath);
@@ -159,7 +159,7 @@ function extractLocaleFromFilePath($filePath)
     return $parts[count($parts) - 2];
 }
 
-function extractTranslationKeys($filePath)
+function extractTranslationKeys($filePath): array
 {
     $translationKeys = [];
     $contents = new \SimpleXMLElement(file_get_contents($filePath));
diff --git a/data/web/inc/lib/vendor/symfony/translation/Resources/data/parents.json b/data/web/inc/lib/vendor/symfony/translation/Resources/data/parents.json
index 288f16300..24d4d119e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Resources/data/parents.json
+++ b/data/web/inc/lib/vendor/symfony/translation/Resources/data/parents.json
@@ -35,6 +35,7 @@
     "en_GM": "en_001",
     "en_GY": "en_001",
     "en_HK": "en_001",
+    "en_ID": "en_001",
     "en_IE": "en_001",
     "en_IL": "en_001",
     "en_IM": "en_001",
@@ -54,6 +55,7 @@
     "en_MS": "en_001",
     "en_MT": "en_001",
     "en_MU": "en_001",
+    "en_MV": "en_001",
     "en_MW": "en_001",
     "en_MY": "en_001",
     "en_NA": "en_001",
@@ -116,6 +118,8 @@
     "es_UY": "es_419",
     "es_VE": "es_419",
     "ff_Adlm": "root",
+    "hi_Latn": "en_IN",
+    "ks_Deva": "root",
     "nb": "no",
     "nn": "no",
     "pa_Arab": "root",
diff --git a/data/web/inc/lib/vendor/symfony/translation/Resources/functions.php b/data/web/inc/lib/vendor/symfony/translation/Resources/functions.php
index 901d2f87e..0d2a037a2 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Resources/functions.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Resources/functions.php
@@ -15,7 +15,7 @@ if (!\function_exists(t::class)) {
     /**
      * @author Nate Wiebe <nate@northern.co>
      */
-    function t(string $message, array $parameters = [], string $domain = null): TranslatableMessage
+    function t(string $message, array $parameters = [], ?string $domain = null): TranslatableMessage
     {
         return new TranslatableMessage($message, $parameters, $domain);
     }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Resources/schemas/xliff-core-1.2-strict.xsd b/data/web/inc/lib/vendor/symfony/translation/Resources/schemas/xliff-core-1.2-transitional.xsd
similarity index 96%
rename from data/web/inc/lib/vendor/symfony/translation/Resources/schemas/xliff-core-1.2-strict.xsd
rename to data/web/inc/lib/vendor/symfony/translation/Resources/schemas/xliff-core-1.2-transitional.xsd
index dface628c..1f38de72f 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Resources/schemas/xliff-core-1.2-strict.xsd
+++ b/data/web/inc/lib/vendor/symfony/translation/Resources/schemas/xliff-core-1.2-transitional.xsd
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
 <!--
 
 May-19-2004:
@@ -1646,20 +1645,21 @@ Jan-10-2006
   </xsd:group>
   <xsd:attributeGroup name="AttrGroup_TextContent">
     <xsd:attribute name="id" type="xsd:string" use="required"/>
+    <xsd:attribute name="ts" type="xsd:string" use="optional"/>
     <xsd:attribute name="xid" type="xsd:string" use="optional"/>
     <xsd:attribute name="equiv-text" type="xsd:string" use="optional"/>
-    <xsd:anyAttribute namespace="##other" processContents="strict"/>
+    <xsd:anyAttribute namespace="##any" processContents="skip"/>
   </xsd:attributeGroup>
   <!-- XLIFF Structure -->
   <xsd:element name="xliff">
     <xsd:complexType>
       <xsd:sequence maxOccurs="unbounded">
-        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="strict"/>
+        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="skip"/>
         <xsd:element ref="xlf:file"/>
       </xsd:sequence>
       <xsd:attribute name="version" type="xlf:AttrType_Version" use="required"/>
       <xsd:attribute ref="xml:lang" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
   <xsd:element name="file">
@@ -1672,14 +1672,16 @@ Jan-10-2006
       <xsd:attribute name="source-language" type="xsd:language" use="required"/>
       <xsd:attribute name="datatype" type="xlf:AttrType_datatype" use="required"/>
       <xsd:attribute name="tool-id" type="xsd:string" use="optional"/>
+      <xsd:attribute default="manual" name="tool" type="xsd:string" use="optional"/>
       <xsd:attribute name="date" type="xsd:dateTime" use="optional"/>
       <xsd:attribute ref="xml:space" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
       <xsd:attribute name="category" type="xsd:string" use="optional"/>
       <xsd:attribute name="target-language" type="xsd:language" use="optional"/>
       <xsd:attribute name="product-name" type="xsd:string" use="optional"/>
       <xsd:attribute name="product-version" type="xsd:string" use="optional"/>
       <xsd:attribute name="build-num" type="xsd:string" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
     <xsd:unique name="U_group_id">
       <xsd:selector xpath=".//xlf:group"/>
@@ -1739,10 +1741,11 @@ Jan-10-2006
           <xsd:element name="glossary" type="xlf:ElemType_ExternalReference"/>
           <xsd:element name="reference" type="xlf:ElemType_ExternalReference"/>
           <xsd:element ref="xlf:count-group"/>
+          <xsd:element ref="xlf:prop-group"/>
           <xsd:element ref="xlf:note"/>
           <xsd:element ref="xlf:tool"/>
         </xsd:choice>
-        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="strict"/>
+        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="skip"/>
       </xsd:sequence>
     </xsd:complexType>
   </xsd:element>
@@ -1791,6 +1794,7 @@ Jan-10-2006
       <xsd:attribute name="process-name" type="xsd:string" use="required"/>
       <xsd:attribute name="company-name" type="xsd:string" use="optional"/>
       <xsd:attribute name="tool-id" type="xsd:string" use="optional"/>
+      <xsd:attribute name="tool" type="xsd:string" use="optional"/>
       <xsd:attribute name="date" type="xsd:dateTime" use="optional"/>
       <xsd:attribute name="job-id" type="xsd:string" use="optional"/>
       <xsd:attribute name="contact-name" type="xsd:string" use="optional"/>
@@ -1838,16 +1842,34 @@ Jan-10-2006
       </xsd:simpleContent>
     </xsd:complexType>
   </xsd:element>
+  <xsd:element name="prop-group">
+    <xsd:complexType>
+      <xsd:sequence maxOccurs="unbounded">
+        <xsd:element ref="xlf:prop"/>
+      </xsd:sequence>
+      <xsd:attribute name="name" type="xsd:string" use="optional"/>
+    </xsd:complexType>
+  </xsd:element>
+  <xsd:element name="prop">
+    <xsd:complexType>
+      <xsd:simpleContent>
+        <xsd:extension base="xsd:string">
+          <xsd:attribute name="prop-type" type="xsd:string" use="required"/>
+          <xsd:attribute ref="xml:lang" use="optional"/>
+        </xsd:extension>
+      </xsd:simpleContent>
+    </xsd:complexType>
+  </xsd:element>
   <xsd:element name="tool">
     <xsd:complexType mixed="true">
       <xsd:sequence>
-        <xsd:any namespace="##any" processContents="strict" minOccurs="0" maxOccurs="unbounded"/>
+        <xsd:any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
       </xsd:sequence>
       <xsd:attribute name="tool-id" type="xsd:string" use="required"/>
       <xsd:attribute name="tool-name" type="xsd:string" use="required"/>
       <xsd:attribute name="tool-version" type="xsd:string" use="optional"/>
       <xsd:attribute name="tool-company" type="xsd:string" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
   <xsd:element name="body">
@@ -1865,8 +1887,9 @@ Jan-10-2006
         <xsd:sequence>
           <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:context-group"/>
           <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:count-group"/>
+          <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:prop-group"/>
           <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:note"/>
-          <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="strict"/>
+          <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="skip"/>
         </xsd:sequence>
         <xsd:choice maxOccurs="unbounded">
           <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:group"/>
@@ -1877,6 +1900,7 @@ Jan-10-2006
       <xsd:attribute name="id" type="xsd:string" use="optional"/>
       <xsd:attribute name="datatype" type="xlf:AttrType_datatype" use="optional"/>
       <xsd:attribute default="default" ref="xml:space" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
       <xsd:attribute name="restype" type="xlf:AttrType_restype" use="optional"/>
       <xsd:attribute name="resname" type="xsd:string" use="optional"/>
       <xsd:attribute name="extradata" type="xsd:string" use="optional"/>
@@ -1901,7 +1925,7 @@ Jan-10-2006
       <xsd:attribute name="minbytes" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute name="charclass" type="xsd:string" use="optional"/>
       <xsd:attribute default="no" name="merged-trans" type="xlf:AttrType_YesNo" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
   <xsd:element name="trans-unit">
@@ -1913,10 +1937,11 @@ Jan-10-2006
         <xsd:choice maxOccurs="unbounded" minOccurs="0">
           <xsd:element ref="xlf:context-group"/>
           <xsd:element ref="xlf:count-group"/>
+          <xsd:element ref="xlf:prop-group"/>
           <xsd:element ref="xlf:note"/>
           <xsd:element ref="xlf:alt-trans"/>
         </xsd:choice>
-        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="strict"/>
+        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="skip"/>
       </xsd:sequence>
       <xsd:attribute name="id" type="xsd:string" use="required"/>
       <xsd:attribute name="approved" type="xlf:AttrType_YesNo" use="optional"/>
@@ -1924,6 +1949,7 @@ Jan-10-2006
       <xsd:attribute default="yes" name="reformat" type="xlf:AttrType_reformat" use="optional"/>
       <xsd:attribute default="default" ref="xml:space" use="optional"/>
       <xsd:attribute name="datatype" type="xlf:AttrType_datatype" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
       <xsd:attribute name="phase-name" type="xsd:string" use="optional"/>
       <xsd:attribute name="restype" type="xlf:AttrType_restype" use="optional"/>
       <xsd:attribute name="resname" type="xsd:string" use="optional"/>
@@ -1947,7 +1973,7 @@ Jan-10-2006
       <xsd:attribute name="minbytes" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute name="charclass" type="xsd:string" use="optional"/>
       <xsd:attribute default="yes" name="merged-trans" type="xlf:AttrType_YesNo" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
     <xsd:unique name="U_tu_segsrc_mid">
       <xsd:selector xpath="./xlf:seg-source/xlf:mrk"/>
@@ -1962,7 +1988,8 @@ Jan-10-2006
     <xsd:complexType mixed="true">
       <xsd:group maxOccurs="unbounded" minOccurs="0" ref="xlf:ElemGroup_TextContent"/>
       <xsd:attribute ref="xml:lang" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
     <xsd:unique name="U_source_bpt_rid">
       <xsd:selector xpath=".//xlf:bpt"/>
@@ -1985,7 +2012,8 @@ Jan-10-2006
     <xsd:complexType mixed="true">
       <xsd:group maxOccurs="unbounded" minOccurs="0" ref="xlf:ElemGroup_TextContent"/>
       <xsd:attribute ref="xml:lang" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
     <xsd:unique name="U_segsrc_bpt_rid">
       <xsd:selector xpath=".//xlf:bpt"/>
@@ -2011,6 +2039,8 @@ Jan-10-2006
       <xsd:attribute name="state-qualifier" type="xlf:AttrType_state-qualifier" use="optional"/>
       <xsd:attribute name="phase-name" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute ref="xml:lang" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
+      <xsd:attribute name="restype" type="xlf:AttrType_restype" use="optional"/>
       <xsd:attribute name="resname" type="xsd:string" use="optional"/>
       <xsd:attribute name="coord" type="xlf:AttrType_Coordinates" use="optional"/>
       <xsd:attribute name="font" type="xsd:string" use="optional"/>
@@ -2018,7 +2048,7 @@ Jan-10-2006
       <xsd:attribute name="style" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute name="exstyle" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute default="yes" name="equiv-trans" type="xlf:AttrType_YesNo" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
     <xsd:unique name="U_target_bpt_rid">
       <xsd:selector xpath=".//xlf:bpt"/>
@@ -2042,18 +2072,21 @@ Jan-10-2006
       <xsd:sequence>
         <xsd:element minOccurs="0" ref="xlf:source"/>
         <xsd:element minOccurs="0" ref="xlf:seg-source"/>
-        <xsd:element maxOccurs="1" ref="xlf:target"/>
+        <xsd:element maxOccurs="unbounded" ref="xlf:target"/>
         <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:context-group"/>
+        <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:prop-group"/>
         <xsd:element maxOccurs="unbounded" minOccurs="0" ref="xlf:note"/>
-        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="strict"/>
+        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="skip"/>
       </xsd:sequence>
       <xsd:attribute name="match-quality" type="xsd:string" use="optional"/>
       <xsd:attribute name="tool-id" type="xsd:string" use="optional"/>
+      <xsd:attribute name="tool" type="xsd:string" use="optional"/>
       <xsd:attribute name="crc" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute ref="xml:lang" use="optional"/>
       <xsd:attribute name="origin" type="xsd:string" use="optional"/>
       <xsd:attribute name="datatype" type="xlf:AttrType_datatype" use="optional"/>
       <xsd:attribute default="default" ref="xml:space" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
       <xsd:attribute name="restype" type="xlf:AttrType_restype" use="optional"/>
       <xsd:attribute name="resname" type="xsd:string" use="optional"/>
       <xsd:attribute name="extradata" type="xsd:string" use="optional"/>
@@ -2070,7 +2103,7 @@ Jan-10-2006
       <xsd:attribute name="exstyle" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute name="phase-name" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute default="proposal" name="alttranstype" type="xlf:AttrType_alttranstype" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
     <xsd:unique name="U_at_segsrc_mid">
       <xsd:selector xpath="./xlf:seg-source/xlf:mrk"/>
@@ -2089,20 +2122,22 @@ Jan-10-2006
         <xsd:choice maxOccurs="unbounded" minOccurs="0">
           <xsd:element ref="xlf:context-group"/>
           <xsd:element ref="xlf:count-group"/>
+          <xsd:element ref="xlf:prop-group"/>
           <xsd:element ref="xlf:note"/>
           <xsd:element ref="xlf:trans-unit"/>
         </xsd:choice>
-        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="strict"/>
+        <xsd:any maxOccurs="unbounded" minOccurs="0" namespace="##other" processContents="skip"/>
       </xsd:sequence>
       <xsd:attribute name="id" type="xsd:string" use="required"/>
       <xsd:attribute name="mime-type" type="xlf:mime-typeValueList" use="required"/>
       <xsd:attribute name="approved" type="xlf:AttrType_YesNo" use="optional"/>
       <xsd:attribute default="yes" name="translate" type="xlf:AttrType_YesNo" use="optional"/>
       <xsd:attribute default="yes" name="reformat" type="xlf:AttrType_reformat" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
       <xsd:attribute name="restype" type="xlf:AttrType_restype" use="optional"/>
       <xsd:attribute name="resname" type="xsd:string" use="optional"/>
       <xsd:attribute name="phase-name" type="xsd:string" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
   <xsd:element name="bin-source">
@@ -2111,7 +2146,8 @@ Jan-10-2006
         <xsd:element ref="xlf:internal-file"/>
         <xsd:element ref="xlf:external-file"/>
       </xsd:choice>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
   <xsd:element name="bin-target">
@@ -2121,12 +2157,13 @@ Jan-10-2006
         <xsd:element ref="xlf:external-file"/>
       </xsd:choice>
       <xsd:attribute name="mime-type" type="xlf:mime-typeValueList" use="optional"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
       <xsd:attribute name="state" type="xlf:AttrType_state" use="optional"/>
       <xsd:attribute name="state-qualifier" type="xlf:AttrType_state-qualifier" use="optional"/>
       <xsd:attribute name="phase-name" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute name="restype" type="xlf:AttrType_restype" use="optional"/>
       <xsd:attribute name="resname" type="xsd:string" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
   <!-- Element for inline codes -->
@@ -2217,7 +2254,8 @@ Jan-10-2006
       <xsd:attribute name="mtype" type="xlf:AttrType_mtype" use="required"/>
       <xsd:attribute name="mid" type="xsd:NMTOKEN" use="optional"/>
       <xsd:attribute name="comment" type="xsd:string" use="optional"/>
-      <xsd:anyAttribute namespace="##other" processContents="strict"/>
+      <xsd:attribute name="ts" type="xsd:string" use="optional"/>
+      <xsd:anyAttribute namespace="##any" processContents="skip"/>
     </xsd:complexType>
   </xsd:element>
 </xsd:schema>
diff --git a/data/web/inc/lib/vendor/symfony/translation/Test/ProviderFactoryTestCase.php b/data/web/inc/lib/vendor/symfony/translation/Test/ProviderFactoryTestCase.php
index d6510e0dd..95ffcb1e5 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Test/ProviderFactoryTestCase.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Test/ProviderFactoryTestCase.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Translation\Test;
 
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpClient\MockHttpClient;
@@ -20,39 +21,39 @@ use Symfony\Component\Translation\Exception\UnsupportedSchemeException;
 use Symfony\Component\Translation\Loader\LoaderInterface;
 use Symfony\Component\Translation\Provider\Dsn;
 use Symfony\Component\Translation\Provider\ProviderFactoryInterface;
+use Symfony\Component\Translation\TranslatorBagInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 /**
  * A test case to ease testing a translation provider factory.
  *
  * @author Mathieu Santostefano <msantostefano@protonmail.com>
- *
- * @internal
  */
 abstract class ProviderFactoryTestCase extends TestCase
 {
-    protected $client;
-    protected $logger;
+    protected HttpClientInterface $client;
+    protected LoggerInterface|MockObject $logger;
     protected string $defaultLocale;
-    protected $loader;
-    protected $xliffFileDumper;
+    protected LoaderInterface|MockObject $loader;
+    protected XliffFileDumper|MockObject $xliffFileDumper;
+    protected TranslatorBagInterface|MockObject $translatorBag;
 
     abstract public function createFactory(): ProviderFactoryInterface;
 
     /**
      * @return iterable<array{0: bool, 1: string}>
      */
-    abstract public function supportsProvider(): iterable;
+    abstract public static function supportsProvider(): iterable;
 
     /**
-     * @return iterable<array{0: string, 1: string, 2: TransportInterface}>
+     * @return iterable<array{0: string, 1: string}>
      */
-    abstract public function createProvider(): iterable;
+    abstract public static function createProvider(): iterable;
 
     /**
      * @return iterable<array{0: string, 1: string|null}>
      */
-    public function unsupportedSchemeProvider(): iterable
+    public static function unsupportedSchemeProvider(): iterable
     {
         return [];
     }
@@ -60,7 +61,7 @@ abstract class ProviderFactoryTestCase extends TestCase
     /**
      * @return iterable<array{0: string, 1: string|null}>
      */
-    public function incompleteDsnProvider(): iterable
+    public static function incompleteDsnProvider(): iterable
     {
         return [];
     }
@@ -89,7 +90,7 @@ abstract class ProviderFactoryTestCase extends TestCase
     /**
      * @dataProvider unsupportedSchemeProvider
      */
-    public function testUnsupportedSchemeException(string $dsn, string $message = null)
+    public function testUnsupportedSchemeException(string $dsn, ?string $message = null)
     {
         $factory = $this->createFactory();
 
@@ -106,7 +107,7 @@ abstract class ProviderFactoryTestCase extends TestCase
     /**
      * @dataProvider incompleteDsnProvider
      */
-    public function testIncompleteDsnException(string $dsn, string $message = null)
+    public function testIncompleteDsnException(string $dsn, ?string $message = null)
     {
         $factory = $this->createFactory();
 
@@ -144,4 +145,9 @@ abstract class ProviderFactoryTestCase extends TestCase
     {
         return $this->xliffFileDumper ??= $this->createMock(XliffFileDumper::class);
     }
+
+    protected function getTranslatorBag(): TranslatorBagInterface
+    {
+        return $this->translatorBag ??= $this->createMock(TranslatorBagInterface::class);
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Test/ProviderTestCase.php b/data/web/inc/lib/vendor/symfony/translation/Test/ProviderTestCase.php
index 5ae26829b..a8fa0b8bb 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Test/ProviderTestCase.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Test/ProviderTestCase.php
@@ -11,35 +11,36 @@
 
 namespace Symfony\Component\Translation\Test;
 
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpClient\MockHttpClient;
 use Symfony\Component\Translation\Dumper\XliffFileDumper;
 use Symfony\Component\Translation\Loader\LoaderInterface;
 use Symfony\Component\Translation\Provider\ProviderInterface;
+use Symfony\Component\Translation\TranslatorBagInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 /**
  * A test case to ease testing a translation provider.
  *
  * @author Mathieu Santostefano <msantostefano@protonmail.com>
- *
- * @internal
  */
 abstract class ProviderTestCase extends TestCase
 {
-    protected $client;
-    protected $logger;
+    protected HttpClientInterface $client;
+    protected LoggerInterface|MockObject $logger;
     protected string $defaultLocale;
-    protected $loader;
-    protected $xliffFileDumper;
+    protected LoaderInterface|MockObject $loader;
+    protected XliffFileDumper|MockObject $xliffFileDumper;
+    protected TranslatorBagInterface|MockObject $translatorBag;
 
-    abstract public function createProvider(HttpClientInterface $client, LoaderInterface $loader, LoggerInterface $logger, string $defaultLocale, string $endpoint): ProviderInterface;
+    abstract public static function createProvider(HttpClientInterface $client, LoaderInterface $loader, LoggerInterface $logger, string $defaultLocale, string $endpoint): ProviderInterface;
 
     /**
-     * @return iterable<array{0: string, 1: ProviderInterface}>
+     * @return iterable<array{0: ProviderInterface, 1: string}>
      */
-    abstract public function toStringProvider(): iterable;
+    abstract public static function toStringProvider(): iterable;
 
     /**
      * @dataProvider toStringProvider
@@ -73,4 +74,9 @@ abstract class ProviderTestCase extends TestCase
     {
         return $this->xliffFileDumper ??= $this->createMock(XliffFileDumper::class);
     }
+
+    protected function getTranslatorBag(): TranslatorBagInterface
+    {
+        return $this->translatorBag ??= $this->createMock(TranslatorBagInterface::class);
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/TranslatableMessage.php b/data/web/inc/lib/vendor/symfony/translation/TranslatableMessage.php
index b1a3b6b13..c591e68c2 100644
--- a/data/web/inc/lib/vendor/symfony/translation/TranslatableMessage.php
+++ b/data/web/inc/lib/vendor/symfony/translation/TranslatableMessage.php
@@ -23,7 +23,7 @@ class TranslatableMessage implements TranslatableInterface
     private array $parameters;
     private ?string $domain;
 
-    public function __construct(string $message, array $parameters = [], string $domain = null)
+    public function __construct(string $message, array $parameters = [], ?string $domain = null)
     {
         $this->message = $message;
         $this->parameters = $parameters;
@@ -50,12 +50,10 @@ class TranslatableMessage implements TranslatableInterface
         return $this->domain;
     }
 
-    public function trans(TranslatorInterface $translator, string $locale = null): string
+    public function trans(TranslatorInterface $translator, ?string $locale = null): string
     {
         return $translator->trans($this->getMessage(), array_map(
-            static function ($parameter) use ($translator, $locale) {
-                return $parameter instanceof TranslatableInterface ? $parameter->trans($translator, $locale) : $parameter;
-            },
+            static fn ($parameter) => $parameter instanceof TranslatableInterface ? $parameter->trans($translator, $locale) : $parameter,
             $this->getParameters()
         ), $this->getDomain(), $locale);
     }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Translator.php b/data/web/inc/lib/vendor/symfony/translation/Translator.php
index 05e84d0cc..1973d079f 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Translator.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Translator.php
@@ -22,6 +22,7 @@ use Symfony\Component\Translation\Formatter\MessageFormatter;
 use Symfony\Component\Translation\Formatter\MessageFormatterInterface;
 use Symfony\Component\Translation\Loader\LoaderInterface;
 use Symfony\Contracts\Translation\LocaleAwareInterface;
+use Symfony\Contracts\Translation\TranslatableInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
 // Help opcache.preload discover always-needed symbols
@@ -51,7 +52,7 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
 
     private array $resources = [];
 
-    private $formatter;
+    private MessageFormatterInterface $formatter;
 
     private ?string $cacheDir;
 
@@ -59,7 +60,7 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
 
     private array $cacheVary;
 
-    private $configCacheFactory;
+    private ?ConfigCacheFactoryInterface $configCacheFactory;
 
     private array $parentLocales;
 
@@ -68,21 +69,20 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
     /**
      * @throws InvalidArgumentException If a locale contains invalid characters
      */
-    public function __construct(string $locale, MessageFormatterInterface $formatter = null, string $cacheDir = null, bool $debug = false, array $cacheVary = [])
+    public function __construct(string $locale, ?MessageFormatterInterface $formatter = null, ?string $cacheDir = null, bool $debug = false, array $cacheVary = [])
     {
         $this->setLocale($locale);
 
-        if (null === $formatter) {
-            $formatter = new MessageFormatter();
-        }
-
-        $this->formatter = $formatter;
+        $this->formatter = $formatter ??= new MessageFormatter();
         $this->cacheDir = $cacheDir;
         $this->debug = $debug;
         $this->cacheVary = $cacheVary;
         $this->hasIntlFormatter = $formatter instanceof IntlFormatterInterface;
     }
 
+    /**
+     * @return void
+     */
     public function setConfigCacheFactory(ConfigCacheFactoryInterface $configCacheFactory)
     {
         $this->configCacheFactory = $configCacheFactory;
@@ -92,6 +92,8 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
      * Adds a Loader.
      *
      * @param string $format The name of the loader (@see addResource())
+     *
+     * @return void
      */
     public function addLoader(string $format, LoaderInterface $loader)
     {
@@ -104,13 +106,13 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
      * @param string $format   The name of the loader (@see addLoader())
      * @param mixed  $resource The resource name
      *
+     * @return void
+     *
      * @throws InvalidArgumentException If the locale contains invalid characters
      */
-    public function addResource(string $format, mixed $resource, string $locale, string $domain = null)
+    public function addResource(string $format, mixed $resource, string $locale, ?string $domain = null)
     {
-        if (null === $domain) {
-            $domain = 'messages';
-        }
+        $domain ??= 'messages';
 
         $this->assertValidLocale($locale);
         $locale ?: $locale = class_exists(\Locale::class) ? \Locale::getDefault() : 'en';
@@ -125,7 +127,7 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setLocale(string $locale)
     {
@@ -133,9 +135,6 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
         $this->locale = $locale;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getLocale(): string
     {
         return $this->locale ?: (class_exists(\Locale::class) ? \Locale::getDefault() : 'en');
@@ -146,6 +145,8 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
      *
      * @param string[] $locales
      *
+     * @return void
+     *
      * @throws InvalidArgumentException If a locale contains invalid characters
      */
     public function setFallbackLocales(array $locales)
@@ -170,18 +171,13 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
         return $this->fallbackLocales;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function trans(?string $id, array $parameters = [], string $domain = null, string $locale = null): string
+    public function trans(?string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
     {
         if (null === $id || '' === $id) {
             return '';
         }
 
-        if (null === $domain) {
-            $domain = 'messages';
-        }
+        $domain ??= 'messages';
 
         $catalogue = $this->getCatalogue($locale);
         $locale = $catalogue->getLocale();
@@ -194,6 +190,8 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
             }
         }
 
+        $parameters = array_map(fn ($parameter) => $parameter instanceof TranslatableInterface ? $parameter->trans($this, $locale) : $parameter, $parameters);
+
         $len = \strlen(MessageCatalogue::INTL_DOMAIN_SUFFIX);
         if ($this->hasIntlFormatter
             && ($catalogue->defines($id, $domain.MessageCatalogue::INTL_DOMAIN_SUFFIX)
@@ -205,10 +203,7 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
         return $this->formatter->format($catalogue->get($id, $domain), $locale, $parameters);
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getCatalogue(string $locale = null): MessageCatalogueInterface
+    public function getCatalogue(?string $locale = null): MessageCatalogueInterface
     {
         if (!$locale) {
             $locale = $this->getLocale();
@@ -223,9 +218,6 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
         return $this->catalogues[$locale];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getCatalogues(): array
     {
         return array_values($this->catalogues);
@@ -241,6 +233,9 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
         return $this->loaders;
     }
 
+    /**
+     * @return void
+     */
     protected function loadCatalogue(string $locale)
     {
         if (null === $this->cacheDir) {
@@ -250,6 +245,9 @@ class Translator implements TranslatorInterface, TranslatorBagInterface, LocaleA
         }
     }
 
+    /**
+     * @return void
+     */
     protected function initializeCatalogue(string $locale)
     {
         $this->assertValidLocale($locale);
@@ -386,6 +384,9 @@ EOF
         }
     }
 
+    /**
+     * @return array
+     */
     protected function computeFallbackLocales(string $locale)
     {
         $this->parentLocales ??= json_decode(file_get_contents(__DIR__.'/Resources/data/parents.json'), true);
@@ -430,6 +431,8 @@ EOF
     /**
      * Asserts that the locale is valid, throws an Exception if not.
      *
+     * @return void
+     *
      * @throws InvalidArgumentException If the locale contains invalid characters
      */
     protected function assertValidLocale(string $locale)
diff --git a/data/web/inc/lib/vendor/symfony/translation/TranslatorBag.php b/data/web/inc/lib/vendor/symfony/translation/TranslatorBag.php
index ffd109f17..3b47aecee 100644
--- a/data/web/inc/lib/vendor/symfony/translation/TranslatorBag.php
+++ b/data/web/inc/lib/vendor/symfony/translation/TranslatorBag.php
@@ -35,10 +35,7 @@ final class TranslatorBag implements TranslatorBagInterface
         }
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getCatalogue(string $locale = null): MessageCatalogueInterface
+    public function getCatalogue(?string $locale = null): MessageCatalogueInterface
     {
         if (null === $locale || !isset($this->catalogues[$locale])) {
             $this->catalogues[$locale] = new MessageCatalogue($locale);
@@ -47,9 +44,6 @@ final class TranslatorBag implements TranslatorBagInterface
         return $this->catalogues[$locale];
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function getCatalogues(): array
     {
         return array_values($this->catalogues);
@@ -70,7 +64,7 @@ final class TranslatorBag implements TranslatorBagInterface
             $operation->moveMessagesToIntlDomainsIfPossible(AbstractOperation::NEW_BATCH);
             $newCatalogue = new MessageCatalogue($locale);
 
-            foreach ($operation->getDomains() as $domain) {
+            foreach ($catalogue->getDomains() as $domain) {
                 $newCatalogue->add($operation->getNewMessages($domain), $domain);
             }
 
@@ -94,7 +88,10 @@ final class TranslatorBag implements TranslatorBagInterface
             $obsoleteCatalogue = new MessageCatalogue($locale);
 
             foreach ($operation->getDomains() as $domain) {
-                $obsoleteCatalogue->add($operation->getObsoleteMessages($domain), $domain);
+                $obsoleteCatalogue->add(
+                    array_diff($operation->getMessages($domain), $operation->getNewMessages($domain)),
+                    $domain
+                );
             }
 
             $diff->addCatalogue($obsoleteCatalogue);
diff --git a/data/web/inc/lib/vendor/symfony/translation/TranslatorBagInterface.php b/data/web/inc/lib/vendor/symfony/translation/TranslatorBagInterface.php
index a787acf12..365d1f13b 100644
--- a/data/web/inc/lib/vendor/symfony/translation/TranslatorBagInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/TranslatorBagInterface.php
@@ -25,7 +25,7 @@ interface TranslatorBagInterface
      *
      * @throws InvalidArgumentException If the locale contains invalid characters
      */
-    public function getCatalogue(string $locale = null): MessageCatalogueInterface;
+    public function getCatalogue(?string $locale = null): MessageCatalogueInterface;
 
     /**
      * Returns all catalogues of the instance.
diff --git a/data/web/inc/lib/vendor/symfony/translation/Util/ArrayConverter.php b/data/web/inc/lib/vendor/symfony/translation/Util/ArrayConverter.php
index 60b8be6e0..64e15b485 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Util/ArrayConverter.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Util/ArrayConverter.php
@@ -36,7 +36,7 @@ class ArrayConverter
         $tree = [];
 
         foreach ($messages as $id => $value) {
-            $referenceToElement = &self::getElementByPath($tree, explode('.', $id));
+            $referenceToElement = &self::getElementByPath($tree, self::getKeyParts($id));
 
             $referenceToElement = $value;
 
@@ -46,7 +46,7 @@ class ArrayConverter
         return $tree;
     }
 
-    private static function &getElementByPath(array &$tree, array $parts)
+    private static function &getElementByPath(array &$tree, array $parts): mixed
     {
         $elem = &$tree;
         $parentOfElem = null;
@@ -63,6 +63,7 @@ class ArrayConverter
                 $elem = &$elem[implode('.', \array_slice($parts, $i))];
                 break;
             }
+
             $parentOfElem = &$elem;
             $elem = &$elem[$part];
         }
@@ -82,7 +83,7 @@ class ArrayConverter
         return $elem;
     }
 
-    private static function cancelExpand(array &$tree, string $prefix, array $node)
+    private static function cancelExpand(array &$tree, string $prefix, array $node): void
     {
         $prefix .= '.';
 
@@ -94,4 +95,48 @@ class ArrayConverter
             }
         }
     }
+
+    /**
+     * @return string[]
+     */
+    private static function getKeyParts(string $key): array
+    {
+        $parts = explode('.', $key);
+        $partsCount = \count($parts);
+
+        $result = [];
+        $buffer = '';
+
+        foreach ($parts as $index => $part) {
+            if (0 === $index && '' === $part) {
+                $buffer = '.';
+
+                continue;
+            }
+
+            if ($index === $partsCount - 1 && '' === $part) {
+                $buffer .= '.';
+                $result[] = $buffer;
+
+                continue;
+            }
+
+            if (isset($parts[$index + 1]) && '' === $parts[$index + 1]) {
+                $buffer .= $part;
+
+                continue;
+            }
+
+            if ($buffer) {
+                $result[] = $buffer.$part;
+                $buffer = '';
+
+                continue;
+            }
+
+            $result[] = $part;
+        }
+
+        return $result;
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/translation/Util/XliffUtils.php b/data/web/inc/lib/vendor/symfony/translation/Util/XliffUtils.php
index 85ecc8504..335c34beb 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Util/XliffUtils.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Util/XliffUtils.php
@@ -129,7 +129,7 @@ class XliffUtils
     private static function getSchema(string $xliffVersion): string
     {
         if ('1.2' === $xliffVersion) {
-            $schemaSource = file_get_contents(__DIR__.'/../Resources/schemas/xliff-core-1.2-strict.xsd');
+            $schemaSource = file_get_contents(__DIR__.'/../Resources/schemas/xliff-core-1.2-transitional.xsd');
             $xmlUri = 'http://www.w3.org/2001/xml.xsd';
         } elseif ('2.0' === $xliffVersion) {
             $schemaSource = file_get_contents(__DIR__.'/../Resources/schemas/xliff-core-2.0.xsd');
diff --git a/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriter.php b/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriter.php
index 5dd3a5c40..61e03cb0e 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriter.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriter.php
@@ -30,6 +30,8 @@ class TranslationWriter implements TranslationWriterInterface
 
     /**
      * Adds a dumper to the writer.
+     *
+     * @return void
      */
     public function addDumper(string $format, DumperInterface $dumper)
     {
@@ -50,6 +52,8 @@ class TranslationWriter implements TranslationWriterInterface
      * @param string $format  The format to use to dump the messages
      * @param array  $options Options that are passed to the dumper
      *
+     * @return void
+     *
      * @throws InvalidArgumentException
      */
     public function write(MessageCatalogue $catalogue, string $format, array $options = [])
diff --git a/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriterInterface.php b/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriterInterface.php
index 43213097e..5ebb9794a 100644
--- a/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriterInterface.php
+++ b/data/web/inc/lib/vendor/symfony/translation/Writer/TranslationWriterInterface.php
@@ -27,6 +27,8 @@ interface TranslationWriterInterface
      * @param string $format  The format to use to dump the messages
      * @param array  $options Options that are passed to the dumper
      *
+     * @return void
+     *
      * @throws InvalidArgumentException
      */
     public function write(MessageCatalogue $catalogue, string $format, array $options = []);
diff --git a/data/web/inc/lib/vendor/symfony/translation/composer.json b/data/web/inc/lib/vendor/symfony/translation/composer.json
index abe8b972c..af6f7a3df 100644
--- a/data/web/inc/lib/vendor/symfony/translation/composer.json
+++ b/data/web/inc/lib/vendor/symfony/translation/composer.json
@@ -16,27 +16,32 @@
         }
     ],
     "require": {
-        "php": ">=8.0.2",
+        "php": ">=8.1",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/polyfill-mbstring": "~1.0",
-        "symfony/translation-contracts": "^2.3|^3.0"
+        "symfony/translation-contracts": "^2.5|^3.0"
     },
     "require-dev": {
-        "symfony/config": "^5.4|^6.0",
-        "symfony/console": "^5.4|^6.0",
-        "symfony/dependency-injection": "^5.4|^6.0",
-        "symfony/http-client-contracts": "^1.1|^2.0|^3.0",
-        "symfony/http-kernel": "^5.4|^6.0",
-        "symfony/intl": "^5.4|^6.0",
+        "nikic/php-parser": "^4.18|^5.0",
+        "symfony/config": "^5.4|^6.0|^7.0",
+        "symfony/console": "^5.4|^6.0|^7.0",
+        "symfony/dependency-injection": "^5.4|^6.0|^7.0",
+        "symfony/http-client-contracts": "^2.5|^3.0",
+        "symfony/http-kernel": "^5.4|^6.0|^7.0",
+        "symfony/intl": "^5.4|^6.0|^7.0",
         "symfony/polyfill-intl-icu": "^1.21",
-        "symfony/service-contracts": "^1.1.2|^2|^3",
-        "symfony/yaml": "^5.4|^6.0",
-        "symfony/finder": "^5.4|^6.0",
+        "symfony/routing": "^5.4|^6.0|^7.0",
+        "symfony/service-contracts": "^2.5|^3",
+        "symfony/yaml": "^5.4|^6.0|^7.0",
+        "symfony/finder": "^5.4|^6.0|^7.0",
         "psr/log": "^1|^2|^3"
     },
     "conflict": {
         "symfony/config": "<5.4",
         "symfony/dependency-injection": "<5.4",
+        "symfony/http-client-contracts": "<2.5",
         "symfony/http-kernel": "<5.4",
+        "symfony/service-contracts": "<2.5",
         "symfony/twig-bundle": "<5.4",
         "symfony/yaml": "<5.4",
         "symfony/console": "<5.4"
@@ -44,11 +49,6 @@
     "provide": {
         "symfony/translation-implementation": "2.3|3.0"
     },
-    "suggest": {
-        "symfony/config": "",
-        "symfony/yaml": "",
-        "psr/log-implementation": "To use logging capability in translator"
-    },
     "autoload": {
         "files": [ "Resources/functions.php" ],
         "psr-4": { "Symfony\\Component\\Translation\\": "" },
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/CHANGELOG.md b/data/web/inc/lib/vendor/symfony/var-dumper/CHANGELOG.md
index f58ed3170..7481cff1a 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/CHANGELOG.md
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/CHANGELOG.md
@@ -1,6 +1,25 @@
 CHANGELOG
 =========
 
+6.4
+---
+
+ * Dump uninitialized properties
+
+6.3
+---
+
+ * Add caster for `WeakMap`
+ * Add support of named arguments to `dd()` and `dump()` to display the argument name
+ * Add support for `Relay\Relay`
+ * Add display of invisible characters
+
+6.2
+---
+
+ * Add support for `FFI\CData` and `FFI\CType`
+ * Deprecate calling `VarDumper::setHandler()` without arguments
+
 5.4
 ---
 
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/AmqpCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/AmqpCaster.php
index dc3b62198..22026f46a 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/AmqpCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/AmqpCaster.php
@@ -46,6 +46,9 @@ class AmqpCaster
         \AMQP_EX_TYPE_HEADERS => 'AMQP_EX_TYPE_HEADERS',
     ];
 
+    /**
+     * @return array
+     */
     public static function castConnection(\AMQPConnection $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -79,6 +82,9 @@ class AmqpCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castChannel(\AMQPChannel $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -102,6 +108,9 @@ class AmqpCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castQueue(\AMQPQueue $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -125,6 +134,9 @@ class AmqpCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castExchange(\AMQPExchange $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -153,6 +165,9 @@ class AmqpCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castEnvelope(\AMQPEnvelope $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ArgsStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ArgsStub.php
index a89a71b1f..9dc24c1b1 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ArgsStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ArgsStub.php
@@ -28,7 +28,7 @@ class ArgsStub extends EnumStub
 
         $values = [];
         foreach ($args as $k => $v) {
-            $values[$k] = !is_scalar($v) && !$v instanceof Stub ? new CutStub($v) : $v;
+            $values[$k] = !\is_scalar($v) && !$v instanceof Stub ? new CutStub($v) : $v;
         }
         if (null === $params) {
             parent::__construct($values, false);
@@ -57,7 +57,7 @@ class ArgsStub extends EnumStub
 
         try {
             $r = null !== $class ? new \ReflectionMethod($class, $function) : new \ReflectionFunction($function);
-        } catch (\ReflectionException $e) {
+        } catch (\ReflectionException) {
             return [null, null];
         }
 
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/Caster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/Caster.php
index 53f4461d0..d9577e7ae 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/Caster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/Caster.php
@@ -32,22 +32,27 @@ class Caster
     public const EXCLUDE_EMPTY = 128;
     public const EXCLUDE_NOT_IMPORTANT = 256;
     public const EXCLUDE_STRICT = 512;
+    public const EXCLUDE_UNINITIALIZED = 1024;
 
     public const PREFIX_VIRTUAL = "\0~\0";
     public const PREFIX_DYNAMIC = "\0+\0";
     public const PREFIX_PROTECTED = "\0*\0";
+    // usage: sprintf(Caster::PATTERN_PRIVATE, $class, $property)
+    public const PATTERN_PRIVATE = "\0%s\0%s";
+
+    private static array $classProperties = [];
 
     /**
      * Casts objects to arrays and adds the dynamic property prefix.
      *
      * @param bool $hasDebugInfo Whether the __debugInfo method exists on $obj or not
      */
-    public static function castObject(object $obj, string $class, bool $hasDebugInfo = false, string $debugClass = null): array
+    public static function castObject(object $obj, string $class, bool $hasDebugInfo = false, ?string $debugClass = null): array
     {
         if ($hasDebugInfo) {
             try {
                 $debugInfo = $obj->__debugInfo();
-            } catch (\Exception $e) {
+            } catch (\Throwable) {
                 // ignore failing __debugInfo()
                 $hasDebugInfo = false;
             }
@@ -59,20 +64,17 @@ class Caster
             return $a;
         }
 
+        $classProperties = self::$classProperties[$class] ??= self::getClassProperties(new \ReflectionClass($class));
+        $a = array_replace($classProperties, $a);
+
         if ($a) {
-            static $publicProperties = [];
-            $debugClass = $debugClass ?? get_debug_type($obj);
+            $debugClass ??= get_debug_type($obj);
 
             $i = 0;
             $prefixedKeys = [];
             foreach ($a as $k => $v) {
                 if ("\0" !== ($k[0] ?? '')) {
-                    if (!isset($publicProperties[$class])) {
-                        foreach ((new \ReflectionClass($class))->getProperties(\ReflectionProperty::IS_PUBLIC) as $prop) {
-                            $publicProperties[$class][$prop->name] = true;
-                        }
-                    }
-                    if (!isset($publicProperties[$class][$k])) {
+                    if (!isset($classProperties[$k])) {
                         $prefixedKeys[$i] = self::PREFIX_DYNAMIC.$k;
                     }
                 } elseif ($debugClass !== $class && 1 === strpos($k, $class)) {
@@ -115,7 +117,7 @@ class Caster
      * @param array    $a                The array containing the properties to filter
      * @param int      $filter           A bit field of Caster::EXCLUDE_* constants specifying which properties to filter out
      * @param string[] $listedProperties List of properties to exclude when Caster::EXCLUDE_VERBOSE is set, and to preserve when Caster::EXCLUDE_NOT_IMPORTANT is set
-     * @param int      &$count           Set to the number of removed properties
+     * @param int|null &$count           Set to the number of removed properties
      */
     public static function filter(array $a, int $filter, array $listedProperties = [], ?int &$count = 0): array
     {
@@ -129,6 +131,8 @@ class Caster
                 $type |= self::EXCLUDE_EMPTY & $filter;
             } elseif (false === $v || '' === $v || '0' === $v || 0 === $v || 0.0 === $v || [] === $v) {
                 $type |= self::EXCLUDE_EMPTY & $filter;
+            } elseif ($v instanceof UninitializedStub) {
+                $type |= self::EXCLUDE_UNINITIALIZED & $filter;
             }
             if ((self::EXCLUDE_NOT_IMPORTANT & $filter) && !\in_array($k, $listedProperties, true)) {
                 $type |= self::EXCLUDE_NOT_IMPORTANT;
@@ -167,4 +171,28 @@ class Caster
 
         return $a;
     }
+
+    private static function getClassProperties(\ReflectionClass $class): array
+    {
+        $classProperties = [];
+        $className = $class->name;
+
+        if ($parent = $class->getParentClass()) {
+            $classProperties += self::$classProperties[$parent->name] ??= self::getClassProperties($parent);
+        }
+
+        foreach ($class->getProperties() as $p) {
+            if ($p->isStatic()) {
+                continue;
+            }
+
+            $classProperties[match (true) {
+                $p->isPublic() => $p->name,
+                $p->isProtected() => self::PREFIX_PROTECTED.$p->name,
+                default => "\0".$className."\0".$p->name,
+            }] = new UninitializedStub($p);
+        }
+
+        return $classProperties;
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ClassStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ClassStub.php
index 1ac6d0ac3..914728663 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ClassStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ClassStub.php
@@ -24,7 +24,7 @@ class ClassStub extends ConstStub
      * @param string   $identifier A PHP identifier, e.g. a class, method, interface, etc. name
      * @param callable $callable   The callable targeted by the identifier when it is ambiguous or not a real PHP identifier
      */
-    public function __construct(string $identifier, callable|array|string $callable = null)
+    public function __construct(string $identifier, callable|array|string|null $callable = null)
     {
         $this->value = $identifier;
 
@@ -50,15 +50,13 @@ class ClassStub extends ConstStub
             if (\is_array($r)) {
                 try {
                     $r = new \ReflectionMethod($r[0], $r[1]);
-                } catch (\ReflectionException $e) {
+                } catch (\ReflectionException) {
                     $r = new \ReflectionClass($r[0]);
                 }
             }
 
             if (str_contains($identifier, "@anonymous\0")) {
-                $this->value = $identifier = preg_replace_callback('/[a-zA-Z_\x7f-\xff][\\\\a-zA-Z0-9_\x7f-\xff]*+@anonymous\x00.*?\.php(?:0x?|:[0-9]++\$)[0-9a-fA-F]++/', function ($m) {
-                    return class_exists($m[0], false) ? (get_parent_class($m[0]) ?: key(class_implements($m[0])) ?: 'class').'@anonymous' : $m[0];
-                }, $identifier);
+                $this->value = $identifier = preg_replace_callback('/[a-zA-Z_\x7f-\xff][\\\\a-zA-Z0-9_\x7f-\xff]*+@anonymous\x00.*?\.php(?:0x?|:[0-9]++\$)[0-9a-fA-F]++/', fn ($m) => class_exists($m[0], false) ? (get_parent_class($m[0]) ?: key(class_implements($m[0])) ?: 'class').'@anonymous' : $m[0], $identifier);
             }
 
             if (null !== $callable && $r instanceof \ReflectionFunctionAbstract) {
@@ -71,7 +69,7 @@ class ClassStub extends ConstStub
                     $this->value .= $s;
                 }
             }
-        } catch (\ReflectionException $e) {
+        } catch (\ReflectionException) {
             return;
         } finally {
             if (0 < $i = strrpos($this->value, '\\')) {
@@ -87,6 +85,9 @@ class ClassStub extends ConstStub
         }
     }
 
+    /**
+     * @return mixed
+     */
     public static function wrapCallable(mixed $callable)
     {
         if (\is_object($callable) || !\is_callable($callable)) {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ConstStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ConstStub.php
index d7d1812bd..587c6c398 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ConstStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ConstStub.php
@@ -20,7 +20,7 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class ConstStub extends Stub
 {
-    public function __construct(string $name, string|int|float $value = null)
+    public function __construct(string $name, string|int|float|null $value = null)
     {
         $this->class = $name;
         $this->value = 1 < \func_num_args() ? $value : $name;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/CutStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/CutStub.php
index b5a96a02c..772399ef6 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/CutStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/CutStub.php
@@ -27,7 +27,7 @@ class CutStub extends Stub
         switch (\gettype($value)) {
             case 'object':
                 $this->type = self::TYPE_OBJECT;
-                $this->class = \get_class($value);
+                $this->class = $value::class;
 
                 if ($value instanceof \Closure) {
                     ReflectionCaster::castClosure($value, [], $this, true, Caster::EXCLUDE_VERBOSE);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DOMCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DOMCaster.php
index 4dd16e0ee..d2d3fc129 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DOMCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DOMCaster.php
@@ -63,6 +63,9 @@ class DOMCaster
         \XML_NAMESPACE_DECL_NODE => 'XML_NAMESPACE_DECL_NODE',
     ];
 
+    /**
+     * @return array
+     */
     public static function castException(\DOMException $e, array $a, Stub $stub, bool $isNested)
     {
         $k = Caster::PREFIX_PROTECTED.'code';
@@ -73,6 +76,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castLength($dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -82,6 +88,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castImplementation(\DOMImplementation $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -92,6 +101,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castNode(\DOMNode $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -116,6 +128,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castNameSpaceNode(\DOMNameSpaceNode $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -132,6 +147,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castDocument(\DOMDocument $dom, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $a += [
@@ -166,6 +184,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castCharacterData(\DOMCharacterData $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -176,6 +197,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castAttr(\DOMAttr $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -189,6 +213,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castElement(\DOMElement $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -199,6 +226,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castText(\DOMText $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -208,43 +238,9 @@ class DOMCaster
         return $a;
     }
 
-    public static function castTypeinfo(\DOMTypeinfo $dom, array $a, Stub $stub, bool $isNested)
-    {
-        $a += [
-            'typeName' => $dom->typeName,
-            'typeNamespace' => $dom->typeNamespace,
-        ];
-
-        return $a;
-    }
-
-    public static function castDomError(\DOMDomError $dom, array $a, Stub $stub, bool $isNested)
-    {
-        $a += [
-            'severity' => $dom->severity,
-            'message' => $dom->message,
-            'type' => $dom->type,
-            'relatedException' => $dom->relatedException,
-            'related_data' => $dom->related_data,
-            'location' => $dom->location,
-        ];
-
-        return $a;
-    }
-
-    public static function castLocator(\DOMLocator $dom, array $a, Stub $stub, bool $isNested)
-    {
-        $a += [
-            'lineNumber' => $dom->lineNumber,
-            'columnNumber' => $dom->columnNumber,
-            'offset' => $dom->offset,
-            'relatedNode' => $dom->relatedNode,
-            'uri' => $dom->uri ? new LinkStub($dom->uri, $dom->lineNumber) : $dom->uri,
-        ];
-
-        return $a;
-    }
-
+    /**
+     * @return array
+     */
     public static function castDocumentType(\DOMDocumentType $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -259,6 +255,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castNotation(\DOMNotation $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -269,6 +268,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castEntity(\DOMEntity $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -283,6 +285,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castProcessingInstruction(\DOMProcessingInstruction $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -293,6 +298,9 @@ class DOMCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castXPath(\DOMXPath $dom, array $a, Stub $stub, bool $isNested)
     {
         $a += [
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DateCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DateCaster.php
index 99f53849b..a0cbddb76 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DateCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DateCaster.php
@@ -24,11 +24,14 @@ class DateCaster
 {
     private const PERIOD_LIMIT = 3;
 
+    /**
+     * @return array
+     */
     public static function castDateTime(\DateTimeInterface $d, array $a, Stub $stub, bool $isNested, int $filter)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
-        $location = $d->getTimezone()->getLocation();
-        $fromNow = (new \DateTime())->diff($d);
+        $location = $d->getTimezone() ? $d->getTimezone()->getLocation() : null;
+        $fromNow = (new \DateTimeImmutable())->diff($d);
 
         $title = $d->format('l, F j, Y')
             ."\n".self::formatInterval($fromNow).' from now'
@@ -47,6 +50,9 @@ class DateCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castInterval(\DateInterval $interval, array $a, Stub $stub, bool $isNested, int $filter)
     {
         $now = new \DateTimeImmutable('@0', new \DateTimeZone('UTC'));
@@ -76,10 +82,13 @@ class DateCaster
         return $i->format(rtrim($format));
     }
 
+    /**
+     * @return array
+     */
     public static function castTimeZone(\DateTimeZone $timeZone, array $a, Stub $stub, bool $isNested, int $filter)
     {
         $location = $timeZone->getLocation();
-        $formatted = (new \DateTime('now', $timeZone))->format($location ? 'e (P)' : 'P');
+        $formatted = (new \DateTimeImmutable('now', $timeZone))->format($location ? 'e (P)' : 'P');
         $title = $location && \extension_loaded('intl') ? \Locale::getDisplayRegion('-'.$location['country_code']) : '';
 
         $z = [Caster::PREFIX_VIRTUAL.'timezone' => new ConstStub($formatted, $title)];
@@ -87,6 +96,9 @@ class DateCaster
         return $filter & Caster::EXCLUDE_VERBOSE ? $z : $z + $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castPeriod(\DatePeriod $p, array $a, Stub $stub, bool $isNested, int $filter)
     {
         $dates = [];
@@ -103,11 +115,11 @@ class DateCaster
         }
 
         $period = sprintf(
-            'every %s, from %s (%s) %s',
+            'every %s, from %s%s %s',
             self::formatInterval($p->getDateInterval()),
+            $p->include_start_date ? '[' : ']',
             self::formatDateTime($p->getStartDate()),
-            $p->include_start_date ? 'included' : 'excluded',
-            ($end = $p->getEndDate()) ? 'to '.self::formatDateTime($end) : 'recurring '.$p->recurrences.' time/s'
+            ($end = $p->getEndDate()) ? 'to '.self::formatDateTime($end).(\PHP_VERSION_ID >= 80200 && $p->include_end_date ? ']' : '[') : 'recurring '.$p->recurrences.' time/s'
         );
 
         $p = [Caster::PREFIX_VIRTUAL.'period' => new ConstStub($period, implode("\n", $dates))];
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DoctrineCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DoctrineCaster.php
index 129b2cb47..3120c3d91 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DoctrineCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DoctrineCaster.php
@@ -25,6 +25,9 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class DoctrineCaster
 {
+    /**
+     * @return array
+     */
     public static function castCommonProxy(CommonProxy $proxy, array $a, Stub $stub, bool $isNested)
     {
         foreach (['__cloner__', '__initializer__'] as $k) {
@@ -37,6 +40,9 @@ class DoctrineCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castOrmProxy(OrmProxy $proxy, array $a, Stub $stub, bool $isNested)
     {
         foreach (['_entityPersister', '_identifier'] as $k) {
@@ -49,6 +55,9 @@ class DoctrineCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castPersistentCollection(PersistentCollection $coll, array $a, Stub $stub, bool $isNested)
     {
         foreach (['snapshot', 'association', 'typeClass'] as $k) {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DsPairStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DsPairStub.php
index 22112af9c..afa2727b1 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DsPairStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/DsPairStub.php
@@ -18,7 +18,7 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class DsPairStub extends Stub
 {
-    public function __construct(string|int $key, mixed $value)
+    public function __construct(mixed $key, mixed $value)
     {
         $this->value = [
             Caster::PREFIX_VIRTUAL.'key' => $key,
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ExceptionCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ExceptionCaster.php
index 8e517e079..02efb1b02 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ExceptionCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ExceptionCaster.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\VarDumper\Caster;
 
+use Symfony\Component\ErrorHandler\Exception\FlattenException;
 use Symfony\Component\ErrorHandler\Exception\SilencedErrorContext;
 use Symfony\Component\VarDumper\Cloner\Stub;
 use Symfony\Component\VarDumper\Exception\ThrowingCasterException;
@@ -46,16 +47,25 @@ class ExceptionCaster
 
     private static array $framesCache = [];
 
+    /**
+     * @return array
+     */
     public static function castError(\Error $e, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         return self::filterExceptionArray($stub->class, $a, "\0Error\0", $filter);
     }
 
+    /**
+     * @return array
+     */
     public static function castException(\Exception $e, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         return self::filterExceptionArray($stub->class, $a, "\0Exception\0", $filter);
     }
 
+    /**
+     * @return array
+     */
     public static function castErrorException(\ErrorException $e, array $a, Stub $stub, bool $isNested)
     {
         if (isset($a[$s = Caster::PREFIX_PROTECTED.'severity'], self::$errorTypes[$a[$s]])) {
@@ -65,6 +75,9 @@ class ExceptionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castThrowingCasterException(ThrowingCasterException $e, array $a, Stub $stub, bool $isNested)
     {
         $trace = Caster::PREFIX_VIRTUAL.'trace';
@@ -83,6 +96,9 @@ class ExceptionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castSilencedErrorContext(SilencedErrorContext $e, array $a, Stub $stub, bool $isNested)
     {
         $sPrefix = "\0".SilencedErrorContext::class."\0";
@@ -110,6 +126,9 @@ class ExceptionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castTraceStub(TraceStub $trace, array $a, Stub $stub, bool $isNested)
     {
         if (!$isNested) {
@@ -184,6 +203,9 @@ class ExceptionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castFrameStub(FrameStub $frame, array $a, Stub $stub, bool $isNested)
     {
         if (!$isNested) {
@@ -267,6 +289,19 @@ class ExceptionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
+    public static function castFlattenException(FlattenException $e, array $a, Stub $stub, bool $isNested)
+    {
+        if ($isNested) {
+            $k = sprintf(Caster::PATTERN_PRIVATE, FlattenException::class, 'traceAsString');
+            $a[$k] = new CutStub($a[$k]);
+        }
+
+        return $a;
+    }
+
     private static function filterExceptionArray(string $xClass, array $a, string $xPrefix, int $filter): array
     {
         if (isset($a[$xPrefix.'trace'])) {
@@ -285,12 +320,10 @@ class ExceptionCaster
         if (empty($a[$xPrefix.'previous'])) {
             unset($a[$xPrefix.'previous']);
         }
-        unset($a[$xPrefix.'string'], $a[Caster::PREFIX_DYNAMIC.'xdebug_message'], $a[Caster::PREFIX_DYNAMIC.'__destructorException']);
+        unset($a[$xPrefix.'string'], $a[Caster::PREFIX_DYNAMIC.'xdebug_message']);
 
         if (isset($a[Caster::PREFIX_PROTECTED.'message']) && str_contains($a[Caster::PREFIX_PROTECTED.'message'], "@anonymous\0")) {
-            $a[Caster::PREFIX_PROTECTED.'message'] = preg_replace_callback('/[a-zA-Z_\x7f-\xff][\\\\a-zA-Z0-9_\x7f-\xff]*+@anonymous\x00.*?\.php(?:0x?|:[0-9]++\$)[0-9a-fA-F]++/', function ($m) {
-                return class_exists($m[0], false) ? (get_parent_class($m[0]) ?: key(class_implements($m[0])) ?: 'class').'@anonymous' : $m[0];
-            }, $a[Caster::PREFIX_PROTECTED.'message']);
+            $a[Caster::PREFIX_PROTECTED.'message'] = preg_replace_callback('/[a-zA-Z_\x7f-\xff][\\\\a-zA-Z0-9_\x7f-\xff]*+@anonymous\x00.*?\.php(?:0x?|:[0-9]++\$)[0-9a-fA-F]++/', fn ($m) => class_exists($m[0], false) ? (get_parent_class($m[0]) ?: key(class_implements($m[0])) ?: 'class').'@anonymous' : $m[0], $a[Caster::PREFIX_PROTECTED.'message']);
         }
 
         if (isset($a[Caster::PREFIX_PROTECTED.'file'], $a[Caster::PREFIX_PROTECTED.'line'])) {
@@ -337,7 +370,7 @@ class ExceptionCaster
                     $stub->attr['file'] = $f;
                     $stub->attr['line'] = $caller->getStartLine();
                 }
-            } catch (\ReflectionException $e) {
+            } catch (\ReflectionException) {
                 // ignore fake class/function
             }
 
@@ -352,9 +385,7 @@ class ExceptionCaster
             $pad = null;
             for ($i = $srcContext << 1; $i >= 0; --$i) {
                 if (isset($src[$i][$ltrim]) && "\r" !== ($c = $src[$i][$ltrim]) && "\n" !== $c) {
-                    if (null === $pad) {
-                        $pad = $c;
-                    }
+                    $pad ??= $c;
                     if ((' ' !== $c && "\t" !== $c) || $pad !== $c) {
                         break;
                     }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FFICaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FFICaster.php
new file mode 100644
index 000000000..f1984eef3
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FFICaster.php
@@ -0,0 +1,161 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\VarDumper\Caster;
+
+use FFI\CData;
+use FFI\CType;
+use Symfony\Component\VarDumper\Cloner\Stub;
+
+/**
+ * Casts FFI extension classes to array representation.
+ *
+ * @author Nesmeyanov Kirill <nesk@xakep.ru>
+ */
+final class FFICaster
+{
+    /**
+     * In case of "char*" contains a string, the length of which depends on
+     * some other parameter, then during the generation of the string it is
+     * possible to go beyond the allowable memory area.
+     *
+     * This restriction serves to ensure that processing does not take
+     * up the entire allowable PHP memory limit.
+     */
+    private const MAX_STRING_LENGTH = 255;
+
+    public static function castCTypeOrCData(CData|CType $data, array $args, Stub $stub): array
+    {
+        if ($data instanceof CType) {
+            $type = $data;
+            $data = null;
+        } else {
+            $type = \FFI::typeof($data);
+        }
+
+        $stub->class = sprintf('%s<%s> size %d align %d', ($data ?? $type)::class, $type->getName(), $type->getSize(), $type->getAlignment());
+
+        return match ($type->getKind()) {
+            CType::TYPE_FLOAT,
+            CType::TYPE_DOUBLE,
+            \defined('\FFI\CType::TYPE_LONGDOUBLE') ? CType::TYPE_LONGDOUBLE : -1,
+            CType::TYPE_UINT8,
+            CType::TYPE_SINT8,
+            CType::TYPE_UINT16,
+            CType::TYPE_SINT16,
+            CType::TYPE_UINT32,
+            CType::TYPE_SINT32,
+            CType::TYPE_UINT64,
+            CType::TYPE_SINT64,
+            CType::TYPE_BOOL,
+            CType::TYPE_CHAR,
+            CType::TYPE_ENUM => null !== $data ? [Caster::PREFIX_VIRTUAL.'cdata' => $data->cdata] : [],
+            CType::TYPE_POINTER => self::castFFIPointer($stub, $type, $data),
+            CType::TYPE_STRUCT => self::castFFIStructLike($type, $data),
+            CType::TYPE_FUNC => self::castFFIFunction($stub, $type),
+            default => $args,
+        };
+    }
+
+    private static function castFFIFunction(Stub $stub, CType $type): array
+    {
+        $arguments = [];
+
+        for ($i = 0, $count = $type->getFuncParameterCount(); $i < $count; ++$i) {
+            $param = $type->getFuncParameterType($i);
+
+            $arguments[] = $param->getName();
+        }
+
+        $abi = match ($type->getFuncABI()) {
+            CType::ABI_DEFAULT,
+            CType::ABI_CDECL => '[cdecl]',
+            CType::ABI_FASTCALL => '[fastcall]',
+            CType::ABI_THISCALL => '[thiscall]',
+            CType::ABI_STDCALL => '[stdcall]',
+            CType::ABI_PASCAL => '[pascal]',
+            CType::ABI_REGISTER => '[register]',
+            CType::ABI_MS => '[ms]',
+            CType::ABI_SYSV => '[sysv]',
+            CType::ABI_VECTORCALL => '[vectorcall]',
+            default => '[unknown abi]'
+        };
+
+        $returnType = $type->getFuncReturnType();
+
+        $stub->class = $abi.' callable('.implode(', ', $arguments).'): '
+            .$returnType->getName();
+
+        return [Caster::PREFIX_VIRTUAL.'returnType' => $returnType];
+    }
+
+    private static function castFFIPointer(Stub $stub, CType $type, ?CData $data = null): array
+    {
+        $ptr = $type->getPointerType();
+
+        if (null === $data) {
+            return [Caster::PREFIX_VIRTUAL.'0' => $ptr];
+        }
+
+        return match ($ptr->getKind()) {
+            CType::TYPE_CHAR => [Caster::PREFIX_VIRTUAL.'cdata' => self::castFFIStringValue($data)],
+            CType::TYPE_FUNC => self::castFFIFunction($stub, $ptr),
+            default => [Caster::PREFIX_VIRTUAL.'cdata' => $data[0]],
+        };
+    }
+
+    private static function castFFIStringValue(CData $data): string|CutStub
+    {
+        $result = [];
+
+        for ($i = 0; $i < self::MAX_STRING_LENGTH; ++$i) {
+            $result[$i] = $data[$i];
+
+            if ("\0" === $result[$i]) {
+                return implode('', $result);
+            }
+        }
+
+        $string = implode('', $result);
+        $stub = new CutStub($string);
+        $stub->cut = -1;
+        $stub->value = $string;
+
+        return $stub;
+    }
+
+    private static function castFFIStructLike(CType $type, ?CData $data = null): array
+    {
+        $isUnion = ($type->getAttributes() & CType::ATTR_UNION) === CType::ATTR_UNION;
+
+        $result = [];
+
+        foreach ($type->getStructFieldNames() as $name) {
+            $field = $type->getStructFieldType($name);
+
+            // Retrieving the value of a field from a union containing
+            // a pointer is not a safe operation, because may contain
+            // incorrect data.
+            $isUnsafe = $isUnion && CType::TYPE_POINTER === $field->getKind();
+
+            if ($isUnsafe) {
+                $result[Caster::PREFIX_VIRTUAL.$name.'?'] = $field;
+            } elseif (null === $data) {
+                $result[Caster::PREFIX_VIRTUAL.$name] = $field;
+            } else {
+                $fieldName = $data->{$name} instanceof CData ? '' : $field->getName().' ';
+                $result[Caster::PREFIX_VIRTUAL.$fieldName.$name] = $data->{$name};
+            }
+        }
+
+        return $result;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FiberCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FiberCaster.php
index c74a9e59c..b797dbd63 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FiberCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/FiberCaster.php
@@ -20,6 +20,9 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 final class FiberCaster
 {
+    /**
+     * @return array
+     */
     public static function castFiber(\Fiber $fiber, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/IntlCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/IntlCaster.php
index 23b9d5da3..a4590f4b5 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/IntlCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/IntlCaster.php
@@ -21,6 +21,9 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class IntlCaster
 {
+    /**
+     * @return array
+     */
     public static function castMessageFormatter(\MessageFormatter $c, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -31,6 +34,9 @@ class IntlCaster
         return self::castError($c, $a);
     }
 
+    /**
+     * @return array
+     */
     public static function castNumberFormatter(\NumberFormatter $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $a += [
@@ -102,12 +108,15 @@ class IntlCaster
                     'SIGNIFICANT_DIGIT_SYMBOL' => $c->getSymbol(\NumberFormatter::SIGNIFICANT_DIGIT_SYMBOL),
                     'MONETARY_GROUPING_SEPARATOR_SYMBOL' => $c->getSymbol(\NumberFormatter::MONETARY_GROUPING_SEPARATOR_SYMBOL),
                 ]
-             ),
+            ),
         ];
 
         return self::castError($c, $a);
     }
 
+    /**
+     * @return array
+     */
     public static function castIntlTimeZone(\IntlTimeZone $c, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -125,6 +134,9 @@ class IntlCaster
         return self::castError($c, $a);
     }
 
+    /**
+     * @return array
+     */
     public static function castIntlCalendar(\IntlCalendar $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $a += [
@@ -142,6 +154,9 @@ class IntlCaster
         return self::castError($c, $a);
     }
 
+    /**
+     * @return array
+     */
     public static function castIntlDateFormatter(\IntlDateFormatter $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $a += [
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/LinkStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/LinkStub.php
index 36e0d3cb9..4930436df 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/LinkStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/LinkStub.php
@@ -23,14 +23,11 @@ class LinkStub extends ConstStub
     private static array $vendorRoots;
     private static array $composerRoots = [];
 
-    public function __construct(string $label, int $line = 0, string $href = null)
+    public function __construct(string $label, int $line = 0, ?string $href = null)
     {
         $this->value = $label;
 
-        if (null === $href) {
-            $href = $label;
-        }
-        if (!\is_string($href)) {
+        if (!\is_string($href ??= $label)) {
             return;
         }
         if (str_starts_with($href, 'file://')) {
@@ -63,7 +60,7 @@ class LinkStub extends ConstStub
         }
     }
 
-    private function getComposerRoot(string $file, bool &$inVendor)
+    private function getComposerRoot(string $file, bool &$inVendor): string|false
     {
         if (!isset(self::$vendorRoots)) {
             self::$vendorRoots = [];
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/MemcachedCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/MemcachedCaster.php
index d6baa2514..2f161e8cb 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/MemcachedCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/MemcachedCaster.php
@@ -23,6 +23,9 @@ class MemcachedCaster
     private static array $optionConstants;
     private static array $defaultOptions;
 
+    /**
+     * @return array
+     */
     public static function castMemcached(\Memcached $c, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -37,8 +40,8 @@ class MemcachedCaster
 
     private static function getNonDefaultOptions(\Memcached $c): array
     {
-        self::$defaultOptions = self::$defaultOptions ?? self::discoverDefaultOptions();
-        self::$optionConstants = self::$optionConstants ?? self::getOptionConstants();
+        self::$defaultOptions ??= self::discoverDefaultOptions();
+        self::$optionConstants ??= self::getOptionConstants();
 
         $nonDefaultOptions = [];
         foreach (self::$optionConstants as $constantKey => $value) {
@@ -56,7 +59,7 @@ class MemcachedCaster
         $defaultMemcached->addServer('127.0.0.1', 11211);
 
         $defaultOptions = [];
-        self::$optionConstants = self::$optionConstants ?? self::getOptionConstants();
+        self::$optionConstants ??= self::getOptionConstants();
 
         foreach (self::$optionConstants as $constantKey => $value) {
             $defaultOptions[$constantKey] = $defaultMemcached->getOption($value);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PdoCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PdoCaster.php
index 140473b53..d68eae216 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PdoCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PdoCaster.php
@@ -59,6 +59,9 @@ class PdoCaster
         ],
     ];
 
+    /**
+     * @return array
+     */
     public static function castPdo(\PDO $c, array $a, Stub $stub, bool $isNested)
     {
         $attr = [];
@@ -76,7 +79,7 @@ class PdoCaster
                 if ($v && isset($v[$attr[$k]])) {
                     $attr[$k] = new ConstStub($v[$attr[$k]], $attr[$k]);
                 }
-            } catch (\Exception $e) {
+            } catch (\Exception) {
             }
         }
         if (isset($attr[$k = 'STATEMENT_CLASS'][1])) {
@@ -108,6 +111,9 @@ class PdoCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castPdoStatement(\PDOStatement $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PgSqlCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PgSqlCaster.php
index d8e5b5253..0d8b3d919 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PgSqlCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/PgSqlCaster.php
@@ -69,6 +69,9 @@ class PgSqlCaster
         'function' => \PGSQL_DIAG_SOURCE_FUNCTION,
     ];
 
+    /**
+     * @return array
+     */
     public static function castLargeObject($lo, array $a, Stub $stub, bool $isNested)
     {
         $a['seek position'] = pg_lo_tell($lo);
@@ -76,6 +79,9 @@ class PgSqlCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castLink($link, array $a, Stub $stub, bool $isNested)
     {
         $a['status'] = pg_connection_status($link);
@@ -108,6 +114,9 @@ class PgSqlCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castResult($result, array $a, Stub $stub, bool $isNested)
     {
         $a['num rows'] = pg_num_rows($result);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ProxyManagerCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ProxyManagerCaster.php
index e7120191f..eb6c88db6 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ProxyManagerCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ProxyManagerCaster.php
@@ -21,6 +21,9 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class ProxyManagerCaster
 {
+    /**
+     * @return array
+     */
     public static function castProxy(ProxyInterface $c, array $a, Stub $stub, bool $isNested)
     {
         if ($parent = get_parent_class($c)) {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RdKafkaCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RdKafkaCaster.php
index 805336395..fcaa1b768 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RdKafkaCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RdKafkaCaster.php
@@ -31,13 +31,16 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class RdKafkaCaster
 {
+    /**
+     * @return array
+     */
     public static function castKafkaConsumer(KafkaConsumer $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
 
         try {
             $assignment = $c->getAssignment();
-        } catch (RdKafkaException $e) {
+        } catch (RdKafkaException) {
             $assignment = [];
         }
 
@@ -51,6 +54,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castTopic(Topic $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -62,6 +68,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castTopicPartition(TopicPartition $c, array $a)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -75,6 +84,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castMessage(Message $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -86,6 +98,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castConf(Conf $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -97,6 +112,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castTopicConf(TopicConf $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -108,6 +126,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castRdKafka(\RdKafka $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -121,6 +142,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castCollectionMetadata(CollectionMetadata $c, array $a, Stub $stub, bool $isNested)
     {
         $a += iterator_to_array($c);
@@ -128,6 +152,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castTopicMetadata(TopicMetadata $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -140,6 +167,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castPartitionMetadata(PartitionMetadata $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -153,6 +183,9 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castBrokerMetadata(BrokerMetadata $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -166,13 +199,16 @@ class RdKafkaCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     private static function extractMetadata(KafkaConsumer|\RdKafka $c)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
 
         try {
             $m = $c->getMetadata(true, null, 500);
-        } catch (RdKafkaException $e) {
+        } catch (RdKafkaException) {
             return [];
         }
 
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RedisCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RedisCaster.php
index eac25a12a..6ff046754 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RedisCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/RedisCaster.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\VarDumper\Caster;
 
+use Relay\Relay;
 use Symfony\Component\VarDumper\Cloner\Stub;
 
 /**
@@ -23,15 +24,15 @@ use Symfony\Component\VarDumper\Cloner\Stub;
 class RedisCaster
 {
     private const SERIALIZERS = [
-        \Redis::SERIALIZER_NONE => 'NONE',
-        \Redis::SERIALIZER_PHP => 'PHP',
+        0 => 'NONE', // Redis::SERIALIZER_NONE
+        1 => 'PHP', // Redis::SERIALIZER_PHP
         2 => 'IGBINARY', // Optional Redis::SERIALIZER_IGBINARY
     ];
 
     private const MODES = [
-        \Redis::ATOMIC => 'ATOMIC',
-        \Redis::MULTI => 'MULTI',
-        \Redis::PIPELINE => 'PIPELINE',
+        0 => 'ATOMIC', // Redis::ATOMIC
+        1 => 'MULTI', // Redis::MULTI
+        2 => 'PIPELINE', // Redis::PIPELINE
     ];
 
     private const COMPRESSION_MODES = [
@@ -46,7 +47,10 @@ class RedisCaster
         \RedisCluster::FAILOVER_DISTRIBUTE_SLAVES => 'DISTRIBUTE_SLAVES',
     ];
 
-    public static function castRedis(\Redis $c, array $a, Stub $stub, bool $isNested)
+    /**
+     * @return array
+     */
+    public static function castRedis(\Redis|Relay $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
 
@@ -72,6 +76,9 @@ class RedisCaster
         ];
     }
 
+    /**
+     * @return array
+     */
     public static function castRedisArray(\RedisArray $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -84,6 +91,9 @@ class RedisCaster
         ];
     }
 
+    /**
+     * @return array
+     */
     public static function castRedisCluster(\RedisCluster $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -102,9 +112,9 @@ class RedisCaster
         return $a;
     }
 
-    private static function getRedisOptions(\Redis|\RedisArray|\RedisCluster $redis, array $options = []): EnumStub
+    private static function getRedisOptions(\Redis|Relay|\RedisArray|\RedisCluster $redis, array $options = []): EnumStub
     {
-        $serializer = $redis->getOption(\Redis::OPT_SERIALIZER);
+        $serializer = $redis->getOption(\defined('Redis::OPT_SERIALIZER') ? \Redis::OPT_SERIALIZER : 1);
         if (\is_array($serializer)) {
             foreach ($serializer as &$v) {
                 if (isset(self::SERIALIZERS[$v])) {
@@ -136,11 +146,11 @@ class RedisCaster
         }
 
         $options += [
-            'TCP_KEEPALIVE' => \defined('Redis::OPT_TCP_KEEPALIVE') ? $redis->getOption(\Redis::OPT_TCP_KEEPALIVE) : 0,
-            'READ_TIMEOUT' => $redis->getOption(\Redis::OPT_READ_TIMEOUT),
+            'TCP_KEEPALIVE' => \defined('Redis::OPT_TCP_KEEPALIVE') ? $redis->getOption(\Redis::OPT_TCP_KEEPALIVE) : Relay::OPT_TCP_KEEPALIVE,
+            'READ_TIMEOUT' => $redis->getOption(\defined('Redis::OPT_READ_TIMEOUT') ? \Redis::OPT_READ_TIMEOUT : Relay::OPT_READ_TIMEOUT),
             'COMPRESSION' => $compression,
             'SERIALIZER' => $serializer,
-            'PREFIX' => $redis->getOption(\Redis::OPT_PREFIX),
+            'PREFIX' => $redis->getOption(\defined('Redis::OPT_PREFIX') ? \Redis::OPT_PREFIX : Relay::OPT_PREFIX),
             'SCAN' => $retry,
         ];
 
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ReflectionCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ReflectionCaster.php
index 86d439f2b..4adb9bc9f 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ReflectionCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ReflectionCaster.php
@@ -35,6 +35,9 @@ class ReflectionCaster
         'isVariadic' => 'isVariadic',
     ];
 
+    /**
+     * @return array
+     */
     public static function castClosure(\Closure $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -71,6 +74,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function unsetClosureFileInfo(\Closure $c, array $a)
     {
         unset($a[Caster::PREFIX_VIRTUAL.'file'], $a[Caster::PREFIX_VIRTUAL.'line']);
@@ -78,12 +84,12 @@ class ReflectionCaster
         return $a;
     }
 
-    public static function castGenerator(\Generator $c, array $a, Stub $stub, bool $isNested)
+    public static function castGenerator(\Generator $c, array $a, Stub $stub, bool $isNested): array
     {
         // Cannot create ReflectionGenerator based on a terminated Generator
         try {
             $reflectionGenerator = new \ReflectionGenerator($c);
-        } catch (\Exception $e) {
+        } catch (\Exception) {
             $a[Caster::PREFIX_VIRTUAL.'closed'] = true;
 
             return $a;
@@ -92,6 +98,9 @@ class ReflectionCaster
         return self::castReflectionGenerator($reflectionGenerator, $a, $stub, $isNested);
     }
 
+    /**
+     * @return array
+     */
     public static function castType(\ReflectionType $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -114,6 +123,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castAttribute(\ReflectionAttribute $c, array $a, Stub $stub, bool $isNested)
     {
         self::addMap($a, $c, [
@@ -124,6 +136,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castReflectionGenerator(\ReflectionGenerator $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -144,7 +159,7 @@ class ReflectionCaster
             array_unshift($trace, [
                 'function' => 'yield',
                 'file' => $function->getExecutingFile(),
-                'line' => $function->getExecutingLine() - (int) (\PHP_VERSION_ID < 80100),
+                'line' => $function->getExecutingLine(),
             ]);
             $trace[] = $frame;
             $a[$prefix.'trace'] = new TraceStub($trace, false, 0, -1, -1);
@@ -159,6 +174,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castClass(\ReflectionClass $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -190,6 +208,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castFunctionAbstract(\ReflectionFunctionAbstract $c, array $a, Stub $stub, bool $isNested, int $filter = 0)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -197,7 +218,7 @@ class ReflectionCaster
         self::addMap($a, $c, [
             'returnsReference' => 'returnsReference',
             'returnType' => 'getReturnType',
-            'class' => 'getClosureScopeClass',
+            'class' => \PHP_VERSION_ID >= 80111 ? 'getClosureCalledClass' : 'getClosureScopeClass',
             'this' => 'getClosureThis',
         ]);
 
@@ -248,6 +269,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castClassConstant(\ReflectionClassConstant $c, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'modifiers'] = implode(' ', \Reflection::getModifierNames($c->getModifiers()));
@@ -258,6 +282,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castMethod(\ReflectionMethod $c, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'modifiers'] = implode(' ', \Reflection::getModifierNames($c->getModifiers()));
@@ -265,6 +292,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castParameter(\ReflectionParameter $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -292,19 +322,22 @@ class ReflectionCaster
         if ($c->isOptional()) {
             try {
                 $a[$prefix.'default'] = $v = $c->getDefaultValue();
-                if ($c->isDefaultValueConstant()) {
+                if ($c->isDefaultValueConstant() && !\is_object($v)) {
                     $a[$prefix.'default'] = new ConstStub($c->getDefaultValueConstantName(), $v);
                 }
                 if (null === $v) {
                     unset($a[$prefix.'allowsNull']);
                 }
-            } catch (\ReflectionException $e) {
+            } catch (\ReflectionException) {
             }
         }
 
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castProperty(\ReflectionProperty $c, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'modifiers'] = implode(' ', \Reflection::getModifierNames($c->getModifiers()));
@@ -315,6 +348,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castReference(\ReflectionReference $c, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'id'] = $c->getId();
@@ -322,6 +358,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castExtension(\ReflectionExtension $c, array $a, Stub $stub, bool $isNested)
     {
         self::addMap($a, $c, [
@@ -338,6 +377,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castZendExtension(\ReflectionZendExtension $c, array $a, Stub $stub, bool $isNested)
     {
         self::addMap($a, $c, [
@@ -350,6 +392,9 @@ class ReflectionCaster
         return $a;
     }
 
+    /**
+     * @return string
+     */
     public static function getSignature(array $a)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -402,7 +447,7 @@ class ReflectionCaster
         return $signature;
     }
 
-    private static function addExtra(array &$a, \Reflector $c)
+    private static function addExtra(array &$a, \Reflector $c): void
     {
         $x = isset($a[Caster::PREFIX_VIRTUAL.'extra']) ? $a[Caster::PREFIX_VIRTUAL.'extra']->value : [];
 
@@ -418,7 +463,7 @@ class ReflectionCaster
         }
     }
 
-    private static function addMap(array &$a, object $c, array $map, string $prefix = Caster::PREFIX_VIRTUAL)
+    private static function addMap(array &$a, object $c, array $map, string $prefix = Caster::PREFIX_VIRTUAL): void
     {
         foreach ($map as $k => $m) {
             if ('isDisabled' === $k) {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ResourceCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ResourceCaster.php
index 4e597f86d..f3bbf3be4 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ResourceCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ResourceCaster.php
@@ -27,6 +27,9 @@ class ResourceCaster
         return curl_getinfo($h);
     }
 
+    /**
+     * @return array
+     */
     public static function castDba($dba, array $a, Stub $stub, bool $isNested)
     {
         $list = dba_list();
@@ -35,12 +38,15 @@ class ResourceCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castProcess($process, array $a, Stub $stub, bool $isNested)
     {
         return proc_get_status($process);
     }
 
-    public static function castStream($stream, array $a, Stub $stub, bool $isNested)
+    public static function castStream($stream, array $a, Stub $stub, bool $isNested): array
     {
         $a = stream_get_meta_data($stream) + static::castStreamContext($stream, $a, $stub, $isNested);
         if ($a['uri'] ?? false) {
@@ -50,11 +56,17 @@ class ResourceCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castStreamContext($stream, array $a, Stub $stub, bool $isNested)
     {
         return @stream_context_get_params($stream) ?: $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castGd($gd, array $a, Stub $stub, bool $isNested)
     {
         $a['size'] = imagesx($gd).'x'.imagesy($gd);
@@ -63,15 +75,9 @@ class ResourceCaster
         return $a;
     }
 
-    public static function castMysqlLink($h, array $a, Stub $stub, bool $isNested)
-    {
-        $a['host'] = mysql_get_host_info($h);
-        $a['protocol'] = mysql_get_proto_info($h);
-        $a['server'] = mysql_get_server_info($h);
-
-        return $a;
-    }
-
+    /**
+     * @return array
+     */
     public static function castOpensslX509($h, array $a, Stub $stub, bool $isNested)
     {
         $stub->cut = -1;
@@ -86,7 +92,7 @@ class ResourceCaster
         $a += [
             'subject' => new EnumStub(array_intersect_key($info['subject'], ['organizationName' => true, 'commonName' => true])),
             'issuer' => new EnumStub(array_intersect_key($info['issuer'], ['organizationName' => true, 'commonName' => true])),
-            'expiry' => new ConstStub(date(\DateTime::ISO8601, $info['validTo_time_t']), $info['validTo_time_t']),
+            'expiry' => new ConstStub(date(\DateTimeInterface::ISO8601, $info['validTo_time_t']), $info['validTo_time_t']),
             'fingerprint' => new EnumStub([
                 'md5' => new ConstStub(wordwrap(strtoupper(openssl_x509_fingerprint($h, 'md5')), 2, ':', true)),
                 'sha1' => new ConstStub(wordwrap(strtoupper(openssl_x509_fingerprint($h, 'sha1')), 2, ':', true)),
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ScalarStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ScalarStub.php
new file mode 100644
index 000000000..3bb1935b8
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/ScalarStub.php
@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\VarDumper\Caster;
+
+use Symfony\Component\VarDumper\Cloner\Stub;
+
+/**
+ * Represents any arbitrary value.
+ *
+ * @author Alexandre Daubois <alex.daubois@gmail.com>
+ */
+class ScalarStub extends Stub
+{
+    public function __construct(mixed $value)
+    {
+        $this->value = $value;
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SplCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SplCaster.php
index a51cace1d..814d824d1 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SplCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SplCaster.php
@@ -29,16 +29,25 @@ class SplCaster
         \SplFileObject::READ_CSV => 'READ_CSV',
     ];
 
+    /**
+     * @return array
+     */
     public static function castArrayObject(\ArrayObject $c, array $a, Stub $stub, bool $isNested)
     {
         return self::castSplArray($c, $a, $stub, $isNested);
     }
 
+    /**
+     * @return array
+     */
     public static function castArrayIterator(\ArrayIterator $c, array $a, Stub $stub, bool $isNested)
     {
         return self::castSplArray($c, $a, $stub, $isNested);
     }
 
+    /**
+     * @return array
+     */
     public static function castHeap(\Iterator $c, array $a, Stub $stub, bool $isNested)
     {
         $a += [
@@ -48,6 +57,9 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castDoublyLinkedList(\SplDoublyLinkedList $c, array $a, Stub $stub, bool $isNested)
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -63,6 +75,9 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castFileInfo(\SplFileInfo $c, array $a, Stub $stub, bool $isNested)
     {
         static $map = [
@@ -117,7 +132,7 @@ class SplCaster
         foreach ($map as $key => $accessor) {
             try {
                 $a[$prefix.$key] = $c->$accessor();
-            } catch (\Exception $e) {
+            } catch (\Exception) {
             }
         }
 
@@ -139,6 +154,9 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castFileObject(\SplFileObject $c, array $a, Stub $stub, bool $isNested)
     {
         static $map = [
@@ -155,7 +173,7 @@ class SplCaster
         foreach ($map as $key => $accessor) {
             try {
                 $a[$prefix.$key] = $c->$accessor();
-            } catch (\Exception $e) {
+            } catch (\Exception) {
             }
         }
 
@@ -176,6 +194,9 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castObjectStorage(\SplObjectStorage $c, array $a, Stub $stub, bool $isNested)
     {
         $storage = [];
@@ -184,10 +205,10 @@ class SplCaster
 
         $clone = clone $c;
         foreach ($clone as $obj) {
-            $storage[] = [
+            $storage[] = new EnumStub([
                 'object' => $obj,
                 'info' => $clone->getInfo(),
-             ];
+             ]);
         }
 
         $a += [
@@ -197,6 +218,9 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castOuterIterator(\OuterIterator $c, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'innerIterator'] = $c->getInnerIterator();
@@ -204,6 +228,9 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castWeakReference(\WeakReference $c, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'object'] = $c->get();
@@ -211,6 +238,27 @@ class SplCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
+    public static function castWeakMap(\WeakMap $c, array $a, Stub $stub, bool $isNested)
+    {
+        $map = [];
+
+        foreach (clone $c as $obj => $data) {
+            $map[] = new EnumStub([
+                'object' => $obj,
+                'data' => $data,
+             ]);
+        }
+
+        $a += [
+            Caster::PREFIX_VIRTUAL.'map' => $map,
+        ];
+
+        return $a;
+    }
+
     private static function castSplArray(\ArrayObject|\ArrayIterator $c, array $a, Stub $stub, bool $isNested): array
     {
         $prefix = Caster::PREFIX_VIRTUAL;
@@ -218,10 +266,14 @@ class SplCaster
 
         if (!($flags & \ArrayObject::STD_PROP_LIST)) {
             $c->setFlags(\ArrayObject::STD_PROP_LIST);
-            $a = Caster::castObject($c, \get_class($c), method_exists($c, '__debugInfo'), $stub->class);
+            $a = Caster::castObject($c, $c::class, method_exists($c, '__debugInfo'), $stub->class);
             $c->setFlags($flags);
         }
+
+        unset($a["\0ArrayObject\0storage"], $a["\0ArrayIterator\0storage"]);
+
         $a += [
+            $prefix.'storage' => $c->getArrayCopy(),
             $prefix.'flag::STD_PROP_LIST' => (bool) ($flags & \ArrayObject::STD_PROP_LIST),
             $prefix.'flag::ARRAY_AS_PROPS' => (bool) ($flags & \ArrayObject::ARRAY_AS_PROPS),
         ];
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/StubCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/StubCaster.php
index 32ead7c27..4b93ff76f 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/StubCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/StubCaster.php
@@ -22,6 +22,9 @@ use Symfony\Component\VarDumper\Cloner\Stub;
  */
 class StubCaster
 {
+    /**
+     * @return array
+     */
     public static function castStub(Stub $c, array $a, Stub $stub, bool $isNested)
     {
         if ($isNested) {
@@ -43,11 +46,17 @@ class StubCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castCutArray(CutArrayStub $c, array $a, Stub $stub, bool $isNested)
     {
         return $isNested ? $c->preservedSubset : $a;
     }
 
+    /**
+     * @return array
+     */
     public static function cutInternals($obj, array $a, Stub $stub, bool $isNested)
     {
         if ($isNested) {
@@ -59,6 +68,9 @@ class StubCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castEnum(EnumStub $c, array $a, Stub $stub, bool $isNested)
     {
         if ($isNested) {
@@ -81,4 +93,15 @@ class StubCaster
 
         return $a;
     }
+
+    /**
+     * @return array
+     */
+    public static function castScalar(ScalarStub $scalarStub, array $a, Stub $stub)
+    {
+        $stub->type = Stub::TYPE_SCALAR;
+        $stub->attr['value'] = $scalarStub->value;
+
+        return $a;
+    }
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SymfonyCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SymfonyCaster.php
index 08428b927..ebc00f90e 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SymfonyCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/SymfonyCaster.php
@@ -15,6 +15,7 @@ use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Uid\Ulid;
 use Symfony\Component\Uid\Uuid;
 use Symfony\Component\VarDumper\Cloner\Stub;
+use Symfony\Component\VarExporter\Internal\LazyObjectState;
 
 /**
  * @final
@@ -30,6 +31,9 @@ class SymfonyCaster
         'format' => 'getRequestFormat',
     ];
 
+    /**
+     * @return array
+     */
     public static function castRequest(Request $request, array $a, Stub $stub, bool $isNested)
     {
         $clone = null;
@@ -37,9 +41,7 @@ class SymfonyCaster
         foreach (self::REQUEST_GETTERS as $prop => $getter) {
             $key = Caster::PREFIX_PROTECTED.$prop;
             if (\array_key_exists($key, $a) && null === $a[$key]) {
-                if (null === $clone) {
-                    $clone = clone $request;
-                }
+                $clone ??= clone $request;
                 $a[Caster::PREFIX_VIRTUAL.$prop] = $clone->{$getter}();
             }
         }
@@ -47,9 +49,12 @@ class SymfonyCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castHttpClient($client, array $a, Stub $stub, bool $isNested)
     {
-        $multiKey = sprintf("\0%s\0multi", \get_class($client));
+        $multiKey = sprintf("\0%s\0multi", $client::class);
         if (isset($a[$multiKey])) {
             $a[$multiKey] = new CutStub($a[$multiKey]);
         }
@@ -57,6 +62,9 @@ class SymfonyCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castHttpClientResponse($response, array $a, Stub $stub, bool $isNested)
     {
         $stub->cut += \count($a);
@@ -69,6 +77,37 @@ class SymfonyCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
+    public static function castLazyObjectState($state, array $a, Stub $stub, bool $isNested)
+    {
+        if (!$isNested) {
+            return $a;
+        }
+
+        $stub->cut += \count($a) - 1;
+
+        $instance = $a['realInstance'] ?? null;
+
+        $a = ['status' => new ConstStub(match ($a['status']) {
+            LazyObjectState::STATUS_INITIALIZED_FULL => 'INITIALIZED_FULL',
+            LazyObjectState::STATUS_INITIALIZED_PARTIAL => 'INITIALIZED_PARTIAL',
+            LazyObjectState::STATUS_UNINITIALIZED_FULL => 'UNINITIALIZED_FULL',
+            LazyObjectState::STATUS_UNINITIALIZED_PARTIAL => 'UNINITIALIZED_PARTIAL',
+        }, $a['status'])];
+
+        if ($instance) {
+            $a['realInstance'] = $instance;
+            --$stub->cut;
+        }
+
+        return $a;
+    }
+
+    /**
+     * @return array
+     */
     public static function castUuid(Uuid $uuid, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'toBase58'] = $uuid->toBase58();
@@ -82,6 +121,9 @@ class SymfonyCaster
         return $a;
     }
 
+    /**
+     * @return array
+     */
     public static function castUlid(Ulid $ulid, array $a, Stub $stub, bool $isNested)
     {
         $a[Caster::PREFIX_VIRTUAL.'toBase58'] = $ulid->toBase58();
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/TraceStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/TraceStub.php
index 5eea1c876..d215d8db0 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/TraceStub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/TraceStub.php
@@ -25,7 +25,7 @@ class TraceStub extends Stub
     public $sliceLength;
     public $numberingOffset;
 
-    public function __construct(array $trace, bool $keepArgs = true, int $sliceOffset = 0, int $sliceLength = null, int $numberingOffset = 0)
+    public function __construct(array $trace, bool $keepArgs = true, int $sliceOffset = 0, ?int $sliceLength = null, int $numberingOffset = 0)
     {
         $this->value = $trace;
         $this->keepArgs = $keepArgs;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/UninitializedStub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/UninitializedStub.php
new file mode 100644
index 000000000..a9bdd9b81
--- /dev/null
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/UninitializedStub.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\VarDumper\Caster;
+
+/**
+ * Represents an uninitialized property.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+class UninitializedStub extends ConstStub
+{
+    public function __construct(\ReflectionProperty $property)
+    {
+        parent::__construct('?'.($property->hasType() ? ' '.$property->getType() : ''), 'Uninitialized property');
+    }
+}
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlReaderCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlReaderCaster.php
index 721513c5d..1cfcf4dd8 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlReaderCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlReaderCaster.php
@@ -1,4 +1,5 @@
 <?php
+
 /*
  * This file is part of the Symfony package.
  *
@@ -42,6 +43,9 @@ class XmlReaderCaster
         \XMLReader::XML_DECLARATION => 'XML_DECLARATION',
     ];
 
+    /**
+     * @return array
+     */
     public static function castXmlReader(\XMLReader $reader, array $a, Stub $stub, bool $isNested)
     {
         try {
@@ -51,7 +55,7 @@ class XmlReaderCaster
                 'VALIDATE' => @$reader->getParserProperty(\XMLReader::VALIDATE),
                 'SUBST_ENTITIES' => @$reader->getParserProperty(\XMLReader::SUBST_ENTITIES),
             ];
-        } catch (\Error $e) {
+        } catch (\Error) {
             $properties = [
                 'LOADDTD' => false,
                 'DEFAULTATTRS' => false,
@@ -81,6 +85,7 @@ class XmlReaderCaster
             $info[$props]->cut = $count;
         }
 
+        $a = Caster::filter($a, Caster::EXCLUDE_UNINITIALIZED, [], $count);
         $info = Caster::filter($info, Caster::EXCLUDE_EMPTY, [], $count);
         // +2 because hasValue and hasAttributes are always filtered
         $stub->cut += $count + 2;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlResourceCaster.php b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlResourceCaster.php
index ba55fcedd..0cf42584a 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlResourceCaster.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Caster/XmlResourceCaster.php
@@ -47,6 +47,9 @@ class XmlResourceCaster
         \XML_ERROR_EXTERNAL_ENTITY_HANDLING => 'XML_ERROR_EXTERNAL_ENTITY_HANDLING',
     ];
 
+    /**
+     * @return array
+     */
     public static function castXml($h, array $a, Stub $stub, bool $isNested)
     {
         $a['current_byte_index'] = xml_get_current_byte_index($h);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/AbstractCloner.php b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/AbstractCloner.php
index b835c0336..fc330bae2 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/AbstractCloner.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/AbstractCloner.php
@@ -28,6 +28,7 @@ abstract class AbstractCloner implements ClonerInterface
         'Symfony\Component\VarDumper\Caster\CutArrayStub' => ['Symfony\Component\VarDumper\Caster\StubCaster', 'castCutArray'],
         'Symfony\Component\VarDumper\Caster\ConstStub' => ['Symfony\Component\VarDumper\Caster\StubCaster', 'castStub'],
         'Symfony\Component\VarDumper\Caster\EnumStub' => ['Symfony\Component\VarDumper\Caster\StubCaster', 'castEnum'],
+        'Symfony\Component\VarDumper\Caster\ScalarStub' => ['Symfony\Component\VarDumper\Caster\StubCaster', 'castScalar'],
 
         'Fiber' => ['Symfony\Component\VarDumper\Caster\FiberCaster', 'castFiber'],
 
@@ -66,9 +67,6 @@ abstract class AbstractCloner implements ClonerInterface
         'DOMAttr' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castAttr'],
         'DOMElement' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castElement'],
         'DOMText' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castText'],
-        'DOMTypeinfo' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castTypeinfo'],
-        'DOMDomError' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castDomError'],
-        'DOMLocator' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castLocator'],
         'DOMDocumentType' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castDocumentType'],
         'DOMNotation' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castNotation'],
         'DOMEntity' => ['Symfony\Component\VarDumper\Caster\DOMCaster', 'castEntity'],
@@ -92,10 +90,12 @@ abstract class AbstractCloner implements ClonerInterface
         'Symfony\Component\HttpFoundation\Request' => ['Symfony\Component\VarDumper\Caster\SymfonyCaster', 'castRequest'],
         'Symfony\Component\Uid\Ulid' => ['Symfony\Component\VarDumper\Caster\SymfonyCaster', 'castUlid'],
         'Symfony\Component\Uid\Uuid' => ['Symfony\Component\VarDumper\Caster\SymfonyCaster', 'castUuid'],
+        'Symfony\Component\VarExporter\Internal\LazyObjectState' => ['Symfony\Component\VarDumper\Caster\SymfonyCaster', 'castLazyObjectState'],
         'Symfony\Component\VarDumper\Exception\ThrowingCasterException' => ['Symfony\Component\VarDumper\Caster\ExceptionCaster', 'castThrowingCasterException'],
         'Symfony\Component\VarDumper\Caster\TraceStub' => ['Symfony\Component\VarDumper\Caster\ExceptionCaster', 'castTraceStub'],
         'Symfony\Component\VarDumper\Caster\FrameStub' => ['Symfony\Component\VarDumper\Caster\ExceptionCaster', 'castFrameStub'],
         'Symfony\Component\VarDumper\Cloner\AbstractCloner' => ['Symfony\Component\VarDumper\Caster\StubCaster', 'cutInternals'],
+        'Symfony\Component\ErrorHandler\Exception\FlattenException' => ['Symfony\Component\VarDumper\Caster\ExceptionCaster', 'castFlattenException'],
         'Symfony\Component\ErrorHandler\Exception\SilencedErrorContext' => ['Symfony\Component\VarDumper\Caster\ExceptionCaster', 'castSilencedErrorContext'],
 
         'Imagine\Image\ImageInterface' => ['Symfony\Component\VarDumper\Caster\ImagineCaster', 'castImage'],
@@ -127,9 +127,11 @@ abstract class AbstractCloner implements ClonerInterface
         'SplObjectStorage' => ['Symfony\Component\VarDumper\Caster\SplCaster', 'castObjectStorage'],
         'SplPriorityQueue' => ['Symfony\Component\VarDumper\Caster\SplCaster', 'castHeap'],
         'OuterIterator' => ['Symfony\Component\VarDumper\Caster\SplCaster', 'castOuterIterator'],
+        'WeakMap' => ['Symfony\Component\VarDumper\Caster\SplCaster', 'castWeakMap'],
         'WeakReference' => ['Symfony\Component\VarDumper\Caster\SplCaster', 'castWeakReference'],
 
         'Redis' => ['Symfony\Component\VarDumper\Caster\RedisCaster', 'castRedis'],
+        'Relay\Relay' => ['Symfony\Component\VarDumper\Caster\RedisCaster', 'castRedis'],
         'RedisArray' => ['Symfony\Component\VarDumper\Caster\RedisCaster', 'castRedisArray'],
         'RedisCluster' => ['Symfony\Component\VarDumper\Caster\RedisCaster', 'castRedisCluster'],
 
@@ -163,7 +165,6 @@ abstract class AbstractCloner implements ClonerInterface
         'GdImage' => ['Symfony\Component\VarDumper\Caster\ResourceCaster', 'castGd'],
         ':gd' => ['Symfony\Component\VarDumper\Caster\ResourceCaster', 'castGd'],
 
-        ':mysql link' => ['Symfony\Component\VarDumper\Caster\ResourceCaster', 'castMysqlLink'],
         ':pgsql large object' => ['Symfony\Component\VarDumper\Caster\PgSqlCaster', 'castLargeObject'],
         ':pgsql link' => ['Symfony\Component\VarDumper\Caster\PgSqlCaster', 'castLink'],
         ':pgsql link persistent' => ['Symfony\Component\VarDumper\Caster\PgSqlCaster', 'castLink'],
@@ -191,6 +192,9 @@ abstract class AbstractCloner implements ClonerInterface
         'RdKafka\Topic' => ['Symfony\Component\VarDumper\Caster\RdKafkaCaster', 'castTopic'],
         'RdKafka\TopicPartition' => ['Symfony\Component\VarDumper\Caster\RdKafkaCaster', 'castTopicPartition'],
         'RdKafka\TopicConf' => ['Symfony\Component\VarDumper\Caster\RdKafkaCaster', 'castTopicConf'],
+
+        'FFI\CData' => ['Symfony\Component\VarDumper\Caster\FFICaster', 'castCTypeOrCData'],
+        'FFI\CType' => ['Symfony\Component\VarDumper\Caster\FFICaster', 'castCTypeOrCData'],
     ];
 
     protected $maxItems = 2500;
@@ -215,12 +219,9 @@ abstract class AbstractCloner implements ClonerInterface
      *
      * @see addCasters
      */
-    public function __construct(array $casters = null)
+    public function __construct(?array $casters = null)
     {
-        if (null === $casters) {
-            $casters = static::$defaultCasters;
-        }
-        $this->addCasters($casters);
+        $this->addCasters($casters ?? static::$defaultCasters);
     }
 
     /**
@@ -232,6 +233,8 @@ abstract class AbstractCloner implements ClonerInterface
      * see e.g. static::$defaultCasters.
      *
      * @param callable[] $casters A map of casters
+     *
+     * @return void
      */
     public function addCasters(array $casters)
     {
@@ -242,6 +245,8 @@ abstract class AbstractCloner implements ClonerInterface
 
     /**
      * Sets the maximum number of items to clone past the minimum depth in nested structures.
+     *
+     * @return void
      */
     public function setMaxItems(int $maxItems)
     {
@@ -250,6 +255,8 @@ abstract class AbstractCloner implements ClonerInterface
 
     /**
      * Sets the maximum cloned length for strings.
+     *
+     * @return void
      */
     public function setMaxString(int $maxString)
     {
@@ -259,6 +266,8 @@ abstract class AbstractCloner implements ClonerInterface
     /**
      * Sets the minimum tree depth where we are guaranteed to clone all the items.  After this
      * depth is reached, only setMaxItems items will be cloned.
+     *
+     * @return void
      */
     public function setMinDepth(int $minDepth)
     {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Data.php b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Data.php
index 6ecb883e8..16f51b0c7 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Data.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Data.php
@@ -17,7 +17,7 @@ use Symfony\Component\VarDumper\Dumper\ContextProvider\SourceContextProvider;
 /**
  * @author Nicolas Grekas <p@tchwork.com>
  */
-class Data implements \ArrayAccess, \Countable, \IteratorAggregate
+class Data implements \ArrayAccess, \Countable, \IteratorAggregate, \Stringable
 {
     private array $data;
     private int $position = 0;
@@ -121,6 +121,9 @@ class Data implements \ArrayAccess, \Countable, \IteratorAggregate
         yield from $value;
     }
 
+    /**
+     * @return mixed
+     */
     public function __get(string $key)
     {
         if (null !== $data = $this->seek($key)) {
@@ -211,6 +214,11 @@ class Data implements \ArrayAccess, \Countable, \IteratorAggregate
         return $data;
     }
 
+    public function getContext(): array
+    {
+        return $this->context;
+    }
+
     /**
      * Seeks to a specific key in nested data structures.
      */
@@ -257,21 +265,21 @@ class Data implements \ArrayAccess, \Countable, \IteratorAggregate
 
     /**
      * Dumps data with a DumperInterface dumper.
+     *
+     * @return void
      */
     public function dump(DumperInterface $dumper)
     {
         $refs = [0];
         $cursor = new Cursor();
+        $cursor->hashType = -1;
+        $cursor->attr = $this->context[SourceContextProvider::class] ?? [];
+        $label = $this->context['label'] ?? '';
 
-        if ($cursor->attr = $this->context[SourceContextProvider::class] ?? []) {
-            $cursor->attr['if_links'] = true;
-            $cursor->hashType = -1;
-            $dumper->dumpScalar($cursor, 'default', '^');
-            $cursor->attr = ['if_links' => true];
-            $dumper->dumpScalar($cursor, 'default', ' ');
-            $cursor->hashType = 0;
+        if ($cursor->attr || '' !== $label) {
+            $dumper->dumpScalar($cursor, 'label', $label);
         }
-
+        $cursor->hashType = 0;
         $this->dumpItem($dumper, $cursor, $refs, $this->data[$this->position][$this->key]);
     }
 
@@ -280,7 +288,7 @@ class Data implements \ArrayAccess, \Countable, \IteratorAggregate
      *
      * @param mixed $item A Stub object or the original value being dumped
      */
-    private function dumpItem(DumperInterface $dumper, Cursor $cursor, array &$refs, mixed $item)
+    private function dumpItem(DumperInterface $dumper, Cursor $cursor, array &$refs, mixed $item): void
     {
         $cursor->refIndex = 0;
         $cursor->softRefTo = $cursor->softRefHandle = $cursor->softRefCount = 0;
@@ -362,6 +370,10 @@ class Data implements \ArrayAccess, \Countable, \IteratorAggregate
                     $dumper->leaveHash($cursor, $item->type, $item->class, $withChildren, $cut);
                     break;
 
+                case Stub::TYPE_SCALAR:
+                    $dumper->dumpScalar($cursor, 'default', $item->attr['value']);
+                    break;
+
                 default:
                     throw new \RuntimeException(sprintf('Unexpected Stub type: "%s".', $item->type));
             }
@@ -402,7 +414,7 @@ class Data implements \ArrayAccess, \Countable, \IteratorAggregate
         return $hashCut;
     }
 
-    private function getStub(mixed $item)
+    private function getStub(mixed $item): mixed
     {
         if (!$item || !\is_array($item)) {
             return $item;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/DumperInterface.php b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/DumperInterface.php
index 61d02d240..4c5b315b6 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/DumperInterface.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/DumperInterface.php
@@ -20,6 +20,8 @@ interface DumperInterface
 {
     /**
      * Dumps a scalar value.
+     *
+     * @return void
      */
     public function dumpScalar(Cursor $cursor, string $type, string|int|float|bool|null $value);
 
@@ -29,6 +31,8 @@ interface DumperInterface
      * @param string $str The string being dumped
      * @param bool   $bin Whether $str is UTF-8 or binary encoded
      * @param int    $cut The number of characters $str has been cut by
+     *
+     * @return void
      */
     public function dumpString(Cursor $cursor, string $str, bool $bin, int $cut);
 
@@ -38,6 +42,8 @@ interface DumperInterface
      * @param int             $type     A Cursor::HASH_* const for the type of hash
      * @param string|int|null $class    The object class, resource type or array count
      * @param bool            $hasChild When the dump of the hash has child item
+     *
+     * @return void
      */
     public function enterHash(Cursor $cursor, int $type, string|int|null $class, bool $hasChild);
 
@@ -48,6 +54,8 @@ interface DumperInterface
      * @param string|int|null $class    The object class, resource type or array count
      * @param bool            $hasChild When the dump of the hash has child item
      * @param int             $cut      The number of items the hash has been cut by
+     *
+     * @return void
      */
     public function leaveHash(Cursor $cursor, int $type, string|int|null $class, bool $hasChild, int $cut);
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Stub.php b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Stub.php
index 1c5b88712..0c2a4b9d0 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Stub.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/Stub.php
@@ -23,6 +23,7 @@ class Stub
     public const TYPE_ARRAY = 3;
     public const TYPE_OBJECT = 4;
     public const TYPE_RESOURCE = 5;
+    public const TYPE_SCALAR = 6;
 
     public const STRING_BINARY = 1;
     public const STRING_UTF8 = 2;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/VarCloner.php b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/VarCloner.php
index 9afcc348a..e168d0d3b 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/VarCloner.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Cloner/VarCloner.php
@@ -16,12 +16,8 @@ namespace Symfony\Component\VarDumper\Cloner;
  */
 class VarCloner extends AbstractCloner
 {
-    private static string $gid;
     private static array $arrayCache = [];
 
-    /**
-     * {@inheritdoc}
-     */
     protected function doClone(mixed $var): array
     {
         $len = 1;                       // Length of $queue
@@ -44,7 +40,6 @@ class VarCloner extends AbstractCloner
         $stub = null;                   // Stub capturing the main properties of an original item value
                                         // or null if the original value is used directly
 
-        $gid = self::$gid ??= md5(random_bytes(6)); // Unique string used to detect the special $GLOBALS variable
         $arrayStub = new Stub();
         $arrayStub->type = Stub::TYPE_ARRAY;
         $fromObjCast = false;
@@ -121,53 +116,15 @@ class VarCloner extends AbstractCloner
                         }
                         $stub = $arrayStub;
 
-                        if (\PHP_VERSION_ID >= 80100) {
-                            $stub->class = array_is_list($v) ? Stub::ARRAY_INDEXED : Stub::ARRAY_ASSOC;
-                            $a = $v;
-                            break;
-                        }
-
-                        $stub->class = Stub::ARRAY_INDEXED;
-
-                        $j = -1;
-                        foreach ($v as $gk => $gv) {
-                            if ($gk !== ++$j) {
-                                $stub->class = Stub::ARRAY_ASSOC;
-                                $a = $v;
-                                $a[$gid] = true;
-                                break;
-                            }
-                        }
-
-                        // Copies of $GLOBALS have very strange behavior,
-                        // let's detect them with some black magic
-                        if (isset($v[$gid])) {
-                            unset($v[$gid]);
-                            $a = [];
-                            foreach ($v as $gk => &$gv) {
-                                if ($v === $gv && !isset($hardRefs[\ReflectionReference::fromArrayElement($v, $gk)->getId()])) {
-                                    unset($v);
-                                    $v = new Stub();
-                                    $v->value = [$v->cut = \count($gv), Stub::TYPE_ARRAY => 0];
-                                    $v->handle = -1;
-                                    $gv = &$a[$gk];
-                                    $hardRefs[\ReflectionReference::fromArrayElement($a, $gk)->getId()] = &$gv;
-                                    $gv = $v;
-                                }
-
-                                $a[$gk] = &$gv;
-                            }
-                            unset($gv);
-                        } else {
-                            $a = $v;
-                        }
+                        $stub->class = array_is_list($v) ? Stub::ARRAY_INDEXED : Stub::ARRAY_ASSOC;
+                        $a = $v;
                         break;
 
                     case \is_object($v):
                         if (empty($objRefs[$h = spl_object_id($v)])) {
                             $stub = new Stub();
                             $stub->type = Stub::TYPE_OBJECT;
-                            $stub->class = \get_class($v);
+                            $stub->class = $v::class;
                             $stub->value = $v;
                             $stub->handle = $h;
                             $a = $this->castObject($stub, 0 < $i);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/CliDescriptor.php b/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/CliDescriptor.php
index e3d5f1d11..4450fe986 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/CliDescriptor.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/CliDescriptor.php
@@ -26,7 +26,7 @@ use Symfony\Component\VarDumper\Dumper\CliDumper;
  */
 class CliDescriptor implements DumpDescriptorInterface
 {
-    private $dumper;
+    private CliDumper $dumper;
     private mixed $lastIdentifier = null;
 
     public function __construct(CliDumper $dumper)
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/HtmlDescriptor.php b/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/HtmlDescriptor.php
index 1c0d80a05..98f150a5e 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/HtmlDescriptor.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Command/Descriptor/HtmlDescriptor.php
@@ -24,7 +24,7 @@ use Symfony\Component\VarDumper\Dumper\HtmlDumper;
  */
 class HtmlDescriptor implements DumpDescriptorInterface
 {
-    private $dumper;
+    private HtmlDumper $dumper;
     private bool $initialized = false;
 
     public function __construct(HtmlDumper $dumper)
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Command/ServerDumpCommand.php b/data/web/inc/lib/vendor/symfony/var-dumper/Command/ServerDumpCommand.php
index 13dd475b5..b64a884b9 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Command/ServerDumpCommand.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Command/ServerDumpCommand.php
@@ -38,7 +38,7 @@ use Symfony\Component\VarDumper\Server\DumpServer;
 #[AsCommand(name: 'server:dump', description: 'Start a dump server that collects and displays dumps in a single place')]
 class ServerDumpCommand extends Command
 {
-    private $server;
+    private DumpServer $server;
 
     /** @var DumpDescriptorInterface[] */
     private array $descriptors;
@@ -54,7 +54,7 @@ class ServerDumpCommand extends Command
         parent::__construct();
     }
 
-    protected function configure()
+    protected function configure(): void
     {
         $this
             ->addOption('format', null, InputOption::VALUE_REQUIRED, sprintf('The output format (%s)', implode(', ', $this->getAvailableFormats())), 'cli')
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/AbstractDumper.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/AbstractDumper.php
index 6ac380836..53165ba64 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/AbstractDumper.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/AbstractDumper.php
@@ -26,12 +26,15 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
     public const DUMP_COMMA_SEPARATOR = 4;
     public const DUMP_TRAILING_COMMA = 8;
 
+    /** @var callable|resource|string|null */
     public static $defaultOutput = 'php://output';
 
     protected $line = '';
+    /** @var callable|null */
     protected $lineDumper;
+    /** @var resource|null */
     protected $outputStream;
-    protected $decimalPoint; // This is locale dependent
+    protected $decimalPoint = '.';
     protected $indentPad = '  ';
     protected $flags;
 
@@ -42,12 +45,10 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
      * @param string|null                   $charset The default character encoding to use for non-UTF8 strings
      * @param int                           $flags   A bit field of static::DUMP_* constants to fine tune dumps representation
      */
-    public function __construct($output = null, string $charset = null, int $flags = 0)
+    public function __construct($output = null, ?string $charset = null, int $flags = 0)
     {
         $this->flags = $flags;
-        $this->setCharset($charset ?: ini_get('php.output_encoding') ?: ini_get('default_charset') ?: 'UTF-8');
-        $this->decimalPoint = localeconv();
-        $this->decimalPoint = $this->decimalPoint['decimal_point'];
+        $this->setCharset($charset ?: \ini_get('php.output_encoding') ?: \ini_get('default_charset') ?: 'UTF-8');
         $this->setOutput($output ?: static::$defaultOutput);
         if (!$output && \is_string(static::$defaultOutput)) {
             static::$defaultOutput = $this->outputStream;
@@ -57,9 +58,9 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
     /**
      * Sets the output destination of the dumps.
      *
-     * @param callable|resource|string $output A line dumper callable, an opened stream or an output path
+     * @param callable|resource|string|null $output A line dumper callable, an opened stream or an output path
      *
-     * @return callable|resource|string The previous output destination
+     * @return callable|resource|string|null The previous output destination
      */
     public function setOutput($output)
     {
@@ -73,7 +74,7 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
                 $output = fopen($output, 'w');
             }
             $this->outputStream = $output;
-            $this->lineDumper = [$this, 'echoLine'];
+            $this->lineDumper = $this->echoLine(...);
         }
 
         return $prev;
@@ -120,9 +121,6 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
      */
     public function dump(Data $data, $output = null): ?string
     {
-        $this->decimalPoint = localeconv();
-        $this->decimalPoint = $this->decimalPoint['decimal_point'];
-
         if ($locale = $this->flags & (self::DUMP_COMMA_SEPARATOR | self::DUMP_TRAILING_COMMA) ? setlocale(\LC_NUMERIC, 0) : null) {
             setlocale(\LC_NUMERIC, 'C');
         }
@@ -160,6 +158,8 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
      *
      * @param int $depth The recursive depth in the dumped structure for the line being dumped,
      *                   or -1 to signal the end-of-dump to the line dumper callable
+     *
+     * @return void
      */
     protected function dumpLine(int $depth)
     {
@@ -169,6 +169,8 @@ abstract class AbstractDumper implements DataDumperInterface, DumperInterface
 
     /**
      * Generic line dumper callback.
+     *
+     * @return void
      */
     protected function echoLine(string $line, int $depth, string $indentPad)
     {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/CliDumper.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/CliDumper.php
index f6e290ca4..af9637072 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/CliDumper.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/CliDumper.php
@@ -22,6 +22,7 @@ use Symfony\Component\VarDumper\Cloner\Stub;
 class CliDumper extends AbstractDumper
 {
     public static $defaultColors;
+    /** @var callable|resource|string|null */
     public static $defaultOutput = 'php://stdout';
 
     protected $colors;
@@ -51,6 +52,7 @@ class CliDumper extends AbstractDumper
         "\r" => '\r',
         "\033" => '\e',
     ];
+    protected static $unicodeCharsRx = "/[\u{00A0}\u{00AD}\u{034F}\u{061C}\u{115F}\u{1160}\u{17B4}\u{17B5}\u{180E}\u{2000}-\u{200F}\u{202F}\u{205F}\u{2060}-\u{2064}\u{206A}-\u{206F}\u{3000}\u{2800}\u{3164}\u{FEFF}\u{FFA0}\u{1D159}\u{1D173}-\u{1D17A}]/u";
 
     protected $collapseNextHash = false;
     protected $expandNextHash = false;
@@ -61,10 +63,7 @@ class CliDumper extends AbstractDumper
 
     private bool $handlesHrefGracefully;
 
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct($output = null, string $charset = null, int $flags = 0)
+    public function __construct($output = null, ?string $charset = null, int $flags = 0)
     {
         parent::__construct($output, $charset, $flags);
 
@@ -83,11 +82,13 @@ class CliDumper extends AbstractDumper
             ]);
         }
 
-        $this->displayOptions['fileLinkFormat'] = ini_get('xdebug.file_link_format') ?: get_cfg_var('xdebug.file_link_format') ?: 'file://%f#L%l';
+        $this->displayOptions['fileLinkFormat'] = \ini_get('xdebug.file_link_format') ?: get_cfg_var('xdebug.file_link_format') ?: 'file://%f#L%l';
     }
 
     /**
      * Enables/disables colored output.
+     *
+     * @return void
      */
     public function setColors(bool $colors)
     {
@@ -96,6 +97,8 @@ class CliDumper extends AbstractDumper
 
     /**
      * Sets the maximum number of characters per line for dumped strings.
+     *
+     * @return void
      */
     public function setMaxStringWidth(int $maxStringWidth)
     {
@@ -106,6 +109,8 @@ class CliDumper extends AbstractDumper
      * Configures styles.
      *
      * @param array $styles A map of style names to style definitions
+     *
+     * @return void
      */
     public function setStyles(array $styles)
     {
@@ -116,6 +121,8 @@ class CliDumper extends AbstractDumper
      * Configures display options.
      *
      * @param array $displayOptions A map of display options to customize the behavior
+     *
+     * @return void
      */
     public function setDisplayOptions(array $displayOptions)
     {
@@ -123,11 +130,12 @@ class CliDumper extends AbstractDumper
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function dumpScalar(Cursor $cursor, string $type, string|int|float|bool|null $value)
     {
         $this->dumpKey($cursor);
+        $this->collapseNextHash = $this->expandNextHash = false;
 
         $style = 'const';
         $attr = $cursor->attr;
@@ -137,6 +145,11 @@ class CliDumper extends AbstractDumper
                 $style = 'default';
                 break;
 
+            case 'label':
+                $this->styles += ['label' => $this->styles['default']];
+                $style = 'label';
+                break;
+
             case 'integer':
                 $style = 'num';
 
@@ -153,17 +166,12 @@ class CliDumper extends AbstractDumper
                     $style = 'float';
                 }
 
-                switch (true) {
-                    case \INF === $value:  $value = 'INF'; break;
-                    case -\INF === $value: $value = '-INF'; break;
-                    case is_nan($value):  $value = 'NAN'; break;
-                    default:
-                        $value = (string) $value;
-                        if (!str_contains($value, $this->decimalPoint)) {
-                            $value .= $this->decimalPoint.'0';
-                        }
-                        break;
-                }
+                $value = match (true) {
+                    \INF === $value => 'INF',
+                    -\INF === $value => '-INF',
+                    is_nan($value) => 'NAN',
+                    default => !str_contains($value = (string) $value, $this->decimalPoint) ? $value .= $this->decimalPoint.'0' : $value,
+                };
                 break;
 
             case 'NULL':
@@ -186,11 +194,12 @@ class CliDumper extends AbstractDumper
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function dumpString(Cursor $cursor, string $str, bool $bin, int $cut)
     {
         $this->dumpKey($cursor);
+        $this->collapseNextHash = $this->expandNextHash = false;
         $attr = $cursor->attr;
 
         if ($bin) {
@@ -198,13 +207,16 @@ class CliDumper extends AbstractDumper
         }
         if ('' === $str) {
             $this->line .= '""';
+            if ($cut) {
+                $this->line .= '…'.$cut;
+            }
             $this->endValue($cursor);
         } else {
             $attr += [
                 'length' => 0 <= $cut ? mb_strlen($str, 'UTF-8') + $cut : 0,
                 'binary' => $bin,
             ];
-            $str = $bin && false !== strpos($str, "\0") ? [$str] : explode("\n", $str);
+            $str = $bin && str_contains($str, "\0") ? [$str] : explode("\n", $str);
             if (isset($str[1]) && !isset($str[2]) && !isset($str[1][0])) {
                 unset($str[1]);
                 $str[0] .= "\n";
@@ -274,15 +286,14 @@ class CliDumper extends AbstractDumper
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function enterHash(Cursor $cursor, int $type, string|int|null $class, bool $hasChild)
     {
-        if (null === $this->colors) {
-            $this->colors = $this->supportsColors();
-        }
+        $this->colors ??= $this->supportsColors();
 
         $this->dumpKey($cursor);
+        $this->expandNextHash = false;
         $attr = $cursor->attr;
 
         if ($this->collapseNextHash) {
@@ -315,7 +326,7 @@ class CliDumper extends AbstractDumper
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function leaveHash(Cursor $cursor, int $type, string|int|null $class, bool $hasChild, int $cut)
     {
@@ -332,6 +343,8 @@ class CliDumper extends AbstractDumper
      *
      * @param bool $hasChild When the dump of the hash has child item
      * @param int  $cut      The number of items the hash has been cut by
+     *
+     * @return void
      */
     protected function dumpEllipsis(Cursor $cursor, bool $hasChild, int $cut)
     {
@@ -348,6 +361,8 @@ class CliDumper extends AbstractDumper
 
     /**
      * Dumps a key in a hash structure.
+     *
+     * @return void
      */
     protected function dumpKey(Cursor $cursor)
     {
@@ -437,12 +452,11 @@ class CliDumper extends AbstractDumper
      */
     protected function style(string $style, string $value, array $attr = []): string
     {
-        if (null === $this->colors) {
-            $this->colors = $this->supportsColors();
-        }
+        $this->colors ??= $this->supportsColors();
 
         $this->handlesHrefGracefully ??= 'JetBrains-JediTerm' !== getenv('TERMINAL_EMULATOR')
-            && (!getenv('KONSOLE_VERSION') || (int) getenv('KONSOLE_VERSION') > 201100);
+            && (!getenv('KONSOLE_VERSION') || (int) getenv('KONSOLE_VERSION') > 201100)
+            && !isset($_SERVER['IDEA_INITIAL_DIRECTORY']);
 
         if (isset($attr['ellipsis'], $attr['ellipsis-type'])) {
             $prefix = substr($value, 0, -$attr['ellipsis']);
@@ -474,7 +488,15 @@ class CliDumper extends AbstractDumper
             return $s.$endCchr;
         }, $value, -1, $cchrCount);
 
-        if ($this->colors) {
+        if (!($attr['binary'] ?? false)) {
+            $value = preg_replace_callback(static::$unicodeCharsRx, function ($c) use (&$cchrCount, $startCchr, $endCchr) {
+                ++$cchrCount;
+
+                return $startCchr.'\u{'.strtoupper(dechex(mb_ord($c[0]))).'}'.$endCchr;
+            }, $value);
+        }
+
+        if ($this->colors && '' !== $value) {
             if ($cchrCount && "\033" === $value[0]) {
                 $value = substr($value, \strlen($startCchr));
             } else {
@@ -497,10 +519,15 @@ class CliDumper extends AbstractDumper
                 }
             }
             if (isset($attr['href'])) {
+                if ('label' === $style) {
+                    $value .= '^';
+                }
                 $value = "\033]8;;{$attr['href']}\033\\{$value}\033]8;;\033\\";
             }
-        } elseif ($attr['if_links'] ?? false) {
-            return '';
+        }
+
+        if ('label' === $style && '' !== $value) {
+            $value .= ' ';
         }
 
         return $value;
@@ -511,7 +538,7 @@ class CliDumper extends AbstractDumper
         if ($this->outputStream !== static::$defaultOutput) {
             return $this->hasColorSupport($this->outputStream);
         }
-        if (null !== static::$defaultColors) {
+        if (isset(static::$defaultColors)) {
             return static::$defaultColors;
         }
         if (isset($_SERVER['argv'][1])) {
@@ -546,16 +573,23 @@ class CliDumper extends AbstractDumper
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     protected function dumpLine(int $depth, bool $endOfValue = false)
     {
+        if (null === $this->colors) {
+            $this->colors = $this->supportsColors();
+        }
+
         if ($this->colors) {
             $this->line = sprintf("\033[%sm%s\033[m", $this->styles['default'], $this->line);
         }
         parent::dumpLine($depth);
     }
 
+    /**
+     * @return void
+     */
     protected function endValue(Cursor $cursor)
     {
         if (-1 === $cursor->hashType) {
@@ -632,7 +666,7 @@ class CliDumper extends AbstractDumper
         return $result;
     }
 
-    private function getSourceLink(string $file, int $line)
+    private function getSourceLink(string $file, int $line): string|false
     {
         if ($fmt = $this->displayOptions['fileLinkFormat']) {
             return \is_string($fmt) ? strtr($fmt, ['%f' => $file, '%l' => $line]) : ($fmt->format($file, $line) ?: 'file://'.$file.'#L'.$line);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/RequestContextProvider.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/RequestContextProvider.php
index 3684a4753..69dff067b 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/RequestContextProvider.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/RequestContextProvider.php
@@ -22,8 +22,8 @@ use Symfony\Component\VarDumper\Cloner\VarCloner;
  */
 final class RequestContextProvider implements ContextProviderInterface
 {
-    private $requestStack;
-    private $cloner;
+    private RequestStack $requestStack;
+    private VarCloner $cloner;
 
     public function __construct(RequestStack $requestStack)
     {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/SourceContextProvider.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/SourceContextProvider.php
index 8ef6e360e..cadddfac4 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/SourceContextProvider.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextProvider/SourceContextProvider.php
@@ -11,7 +11,8 @@
 
 namespace Symfony\Component\VarDumper\Dumper\ContextProvider;
 
-use Symfony\Component\HttpKernel\Debug\FileLinkFormatter;
+use Symfony\Component\ErrorHandler\ErrorRenderer\FileLinkFormatter;
+use Symfony\Component\HttpKernel\Debug\FileLinkFormatter as LegacyFileLinkFormatter;
 use Symfony\Component\VarDumper\Cloner\VarCloner;
 use Symfony\Component\VarDumper\Dumper\HtmlDumper;
 use Symfony\Component\VarDumper\VarDumper;
@@ -28,9 +29,9 @@ final class SourceContextProvider implements ContextProviderInterface
     private int $limit;
     private ?string $charset;
     private ?string $projectDir;
-    private $fileLinkFormatter;
+    private FileLinkFormatter|LegacyFileLinkFormatter|null $fileLinkFormatter;
 
-    public function __construct(string $charset = null, string $projectDir = null, FileLinkFormatter $fileLinkFormatter = null, int $limit = 9)
+    public function __construct(?string $charset = null, ?string $projectDir = null, FileLinkFormatter|LegacyFileLinkFormatter|null $fileLinkFormatter = null, int $limit = 9)
     {
         $this->charset = $charset;
         $this->projectDir = $projectDir;
@@ -44,7 +45,7 @@ final class SourceContextProvider implements ContextProviderInterface
 
         $file = $trace[1]['file'];
         $line = $trace[1]['line'];
-        $name = false;
+        $name = '-' === $file || 'Standard input code' === $file ? 'Standard input code' : false;
         $fileExcerpt = false;
 
         for ($i = 2; $i < $this->limit; ++$i) {
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextualizedDumper.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextualizedDumper.php
index 18ab56ebd..84cfb4259 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextualizedDumper.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ContextualizedDumper.php
@@ -19,7 +19,7 @@ use Symfony\Component\VarDumper\Dumper\ContextProvider\ContextProviderInterface;
  */
 class ContextualizedDumper implements DataDumperInterface
 {
-    private $wrappedDumper;
+    private DataDumperInterface $wrappedDumper;
     private array $contextProviders;
 
     /**
@@ -31,13 +31,16 @@ class ContextualizedDumper implements DataDumperInterface
         $this->contextProviders = $contextProviders;
     }
 
+    /**
+     * @return string|null
+     */
     public function dump(Data $data)
     {
-        $context = [];
+        $context = $data->getContext();
         foreach ($this->contextProviders as $contextProvider) {
-            $context[\get_class($contextProvider)] = $contextProvider->getContext();
+            $context[$contextProvider::class] = $contextProvider->getContext();
         }
 
-        $this->wrappedDumper->dump($data->withContext($context));
+        return $this->wrappedDumper->dump($data->withContext($context));
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/DataDumperInterface.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/DataDumperInterface.php
index b173bccf3..df05b6af5 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/DataDumperInterface.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/DataDumperInterface.php
@@ -20,5 +20,8 @@ use Symfony\Component\VarDumper\Cloner\Data;
  */
 interface DataDumperInterface
 {
+    /**
+     * @return string|null
+     */
     public function dump(Data $data);
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/HtmlDumper.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/HtmlDumper.php
index 40e97a534..ea09e6819 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/HtmlDumper.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/HtmlDumper.php
@@ -21,6 +21,7 @@ use Symfony\Component\VarDumper\Cloner\Data;
  */
 class HtmlDumper extends CliDumper
 {
+    /** @var callable|resource|string|null */
     public static $defaultOutput = 'php://output';
 
     protected static $themes = [
@@ -74,19 +75,16 @@ class HtmlDumper extends CliDumper
     ];
     private array $extraDisplayOptions = [];
 
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct($output = null, string $charset = null, int $flags = 0)
+    public function __construct($output = null, ?string $charset = null, int $flags = 0)
     {
         AbstractDumper::__construct($output, $charset, $flags);
         $this->dumpId = 'sf-dump-'.mt_rand();
-        $this->displayOptions['fileLinkFormat'] = ini_get('xdebug.file_link_format') ?: get_cfg_var('xdebug.file_link_format');
+        $this->displayOptions['fileLinkFormat'] = \ini_get('xdebug.file_link_format') ?: get_cfg_var('xdebug.file_link_format');
         $this->styles = static::$themes['dark'] ?? self::$themes['dark'];
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function setStyles(array $styles)
     {
@@ -94,6 +92,9 @@ class HtmlDumper extends CliDumper
         $this->styles = $styles + $this->styles;
     }
 
+    /**
+     * @return void
+     */
     public function setTheme(string $themeName)
     {
         if (!isset(static::$themes[$themeName])) {
@@ -107,6 +108,8 @@ class HtmlDumper extends CliDumper
      * Configures display options.
      *
      * @param array $displayOptions A map of display options to customize the behavior
+     *
+     * @return void
      */
     public function setDisplayOptions(array $displayOptions)
     {
@@ -116,6 +119,8 @@ class HtmlDumper extends CliDumper
 
     /**
      * Sets an HTML header that will be dumped once in the output stream.
+     *
+     * @return void
      */
     public function setDumpHeader(?string $header)
     {
@@ -124,6 +129,8 @@ class HtmlDumper extends CliDumper
 
     /**
      * Sets an HTML prefix and suffix that will encapse every single dump.
+     *
+     * @return void
      */
     public function setDumpBoundaries(string $prefix, string $suffix)
     {
@@ -131,9 +138,6 @@ class HtmlDumper extends CliDumper
         $this->dumpSuffix = $suffix;
     }
 
-    /**
-     * {@inheritdoc}
-     */
     public function dump(Data $data, $output = null, array $extraDisplayOptions = []): ?string
     {
         $this->extraDisplayOptions = $extraDisplayOptions;
@@ -145,6 +149,8 @@ class HtmlDumper extends CliDumper
 
     /**
      * Dumps the HTML header.
+     *
+     * @return string
      */
     protected function getDumpHeader()
     {
@@ -158,19 +164,15 @@ class HtmlDumper extends CliDumper
 <script>
 Sfdump = window.Sfdump || (function (doc) {
 
-var refStyle = doc.createElement('style'),
-    rxEsc = /([.*+?^${}()|\[\]\/\\])/g,
+doc.documentElement.classList.add('sf-js-enabled');
+
+var rxEsc = /([.*+?^${}()|\[\]\/\\])/g,
     idRx = /\bsf-dump-\d+-ref[012]\w+\b/,
     keyHint = 0 <= navigator.platform.toUpperCase().indexOf('MAC') ? 'Cmd' : 'Ctrl',
     addEventListener = function (e, n, cb) {
         e.addEventListener(n, cb, false);
     };
 
-refStyle.innerHTML = 'pre.sf-dump .sf-dump-compact, .sf-dump-str-collapse .sf-dump-str-collapse, .sf-dump-str-expand .sf-dump-str-expand { display: none; }';
-(doc.documentElement.firstElementChild || doc.documentElement.children[0]).appendChild(refStyle);
-refStyle = doc.createElement('style');
-(doc.documentElement.firstElementChild || doc.documentElement.children[0]).appendChild(refStyle);
-
 if (!doc.addEventListener) {
     addEventListener = function (element, eventName, callback) {
         element.attachEvent('on' + eventName, function (e) {
@@ -350,26 +352,16 @@ return function (root, x) {
     function xpathHasClass(className) {
         return "contains(concat(' ', normalize-space(@class), ' '), ' " + className +" ')";
     }
-    addEventListener(root, 'mouseover', function (e) {
-        if ('' != refStyle.innerHTML) {
-            refStyle.innerHTML = '';
-        }
-    });
     a('mouseover', function (a, e, c) {
         if (c) {
             e.target.style.cursor = "pointer";
-        } else if (a = idRx.exec(a.className)) {
-            try {
-                refStyle.innerHTML = 'pre.sf-dump .'+a[0]+'{background-color: #B729D9; color: #FFF !important; border-radius: 2px}';
-            } catch (e) {
-            }
         }
     });
     a('click', function (a, e, c) {
         if (/\bsf-dump-toggle\b/.test(a.className)) {
             e.preventDefault();
             if (!toggle(a, isCtrlKey(e))) {
-                var r = doc.getElementById(a.getAttribute('href').substr(1)),
+                var r = doc.getElementById(a.getAttribute('href').slice(1)),
                     s = r.previousSibling,
                     f = r.parentNode,
                     t = a.parentNode;
@@ -430,7 +422,8 @@ return function (root, x) {
                 x += elt.parentNode.getAttribute('data-depth')/1;
             }
         } else if (/\bsf-dump-ref\b/.test(elt.className) && (a = elt.getAttribute('href'))) {
-            a = a.substr(1);
+            a = a.slice(1);
+            elt.className += ' sf-dump-hover';
             elt.className += ' '+a;
 
             if (/[\[{]$/.test(elt.previousSibling.nodeValue)) {
@@ -647,6 +640,16 @@ return function (root, x) {
 
 })(document);
 </script><style>
+.sf-js-enabled pre.sf-dump .sf-dump-compact,
+.sf-js-enabled .sf-dump-str-collapse .sf-dump-str-collapse,
+.sf-js-enabled .sf-dump-str-expand .sf-dump-str-expand {
+    display: none;
+}
+.sf-dump-hover:hover {
+    background-color: #B729D9;
+    color: #FFF !important;
+    border-radius: 2px;
+}
 pre.sf-dump {
     display: block;
     white-space: pre;
@@ -661,7 +664,7 @@ pre.sf-dump:after {
    clear: both;
 }
 pre.sf-dump span {
-    display: inline;
+    display: inline-flex;
 }
 pre.sf-dump a {
     text-decoration: none;
@@ -783,7 +786,7 @@ EOHTML
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function dumpString(Cursor $cursor, string $str, bool $bin, int $cut)
     {
@@ -801,7 +804,7 @@ EOHTML
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function enterHash(Cursor $cursor, int $type, string|int|null $class, bool $hasChild)
     {
@@ -832,7 +835,7 @@ EOHTML
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     public function leaveHash(Cursor $cursor, int $type, string|int|null $class, bool $hasChild, int $cut)
     {
@@ -843,12 +846,9 @@ EOHTML
         parent::leaveHash($cursor, $type, $class, $hasChild, 0);
     }
 
-    /**
-     * {@inheritdoc}
-     */
     protected function style(string $style, string $value, array $attr = []): string
     {
-        if ('' === $value) {
+        if ('' === $value && ('label' !== $style || !isset($attr['file']) && !isset($attr['href']))) {
             return '';
         }
 
@@ -864,7 +864,7 @@ EOHTML
         }
 
         if ('const' === $style && isset($attr['value'])) {
-            $style .= sprintf(' title="%s"', esc(is_scalar($attr['value']) ? $attr['value'] : json_encode($attr['value'])));
+            $style .= sprintf(' title="%s"', esc(\is_scalar($attr['value']) ? $attr['value'] : json_encode($attr['value'])));
         } elseif ('public' === $style) {
             $style .= sprintf(' title="%s"', empty($attr['dynamic']) ? 'Public property' : 'Runtime added dynamic property');
         } elseif ('str' === $style && 1 < $attr['length']) {
@@ -883,7 +883,6 @@ EOHTML
         } elseif ('private' === $style) {
             $style .= sprintf(' title="Private property defined in class:&#10;`%s`"', esc($this->utf8Encode($attr['class'])));
         }
-        $map = static::$controlCharsMap;
 
         if (isset($attr['ellipsis'])) {
             $class = 'sf-dump-ellipsis';
@@ -902,6 +901,7 @@ EOHTML
             }
         }
 
+        $map = static::$controlCharsMap;
         $v = "<span class=sf-dump-{$style}>".preg_replace_callback(static::$controlCharsRx, function ($c) use ($map) {
             $s = $b = '<span class="sf-dump-default';
             $c = $c[$i = 0];
@@ -924,22 +924,34 @@ EOHTML
             return $s.'</span>';
         }, $v).'</span>';
 
+        if (!($attr['binary'] ?? false)) {
+            $v = preg_replace_callback(static::$unicodeCharsRx, function ($c) {
+                return '<span class=sf-dump-default>\u{'.strtoupper(dechex(mb_ord($c[0]))).'}</span>';
+            }, $v);
+        }
+
         if (isset($attr['file']) && $href = $this->getSourceLink($attr['file'], $attr['line'] ?? 0)) {
             $attr['href'] = $href;
         }
         if (isset($attr['href'])) {
+            if ('label' === $style) {
+                $v .= '^';
+            }
             $target = isset($attr['file']) ? '' : ' target="_blank"';
             $v = sprintf('<a href="%s"%s rel="noopener noreferrer">%s</a>', esc($this->utf8Encode($attr['href'])), $target, $v);
         }
         if (isset($attr['lang'])) {
             $v = sprintf('<code class="%s">%s</code>', esc($attr['lang']), $v);
         }
+        if ('label' === $style) {
+            $v .= ' ';
+        }
 
         return $v;
     }
 
     /**
-     * {@inheritdoc}
+     * @return void
      */
     protected function dumpLine(int $depth, bool $endOfValue = false)
     {
@@ -960,7 +972,7 @@ EOHTML
         }
         $this->lastDepth = $depth;
 
-        $this->line = mb_convert_encoding($this->line, 'HTML-ENTITIES', 'UTF-8');
+        $this->line = mb_encode_numericentity($this->line, [0x80, 0x10FFFF, 0, 0x1FFFFF], 'UTF-8');
 
         if (-1 === $depth) {
             AbstractDumper::dumpLine(0);
@@ -968,7 +980,7 @@ EOHTML
         AbstractDumper::dumpLine($depth);
     }
 
-    private function getSourceLink(string $file, int $line)
+    private function getSourceLink(string $file, int $line): string|false
     {
         $options = $this->extraDisplayOptions + $this->displayOptions;
 
@@ -980,7 +992,7 @@ EOHTML
     }
 }
 
-function esc(string $str)
+function esc(string $str): string
 {
     return htmlspecialchars($str, \ENT_QUOTES, 'UTF-8');
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ServerDumper.php b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ServerDumper.php
index 94795bf6d..60fdd7ac3 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ServerDumper.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Dumper/ServerDumper.php
@@ -22,15 +22,15 @@ use Symfony\Component\VarDumper\Server\Connection;
  */
 class ServerDumper implements DataDumperInterface
 {
-    private $connection;
-    private $wrappedDumper;
+    private Connection $connection;
+    private ?DataDumperInterface $wrappedDumper;
 
     /**
      * @param string                     $host             The server host
      * @param DataDumperInterface|null   $wrappedDumper    A wrapped instance used whenever we failed contacting the server
      * @param ContextProviderInterface[] $contextProviders Context providers indexed by context name
      */
-    public function __construct(string $host, DataDumperInterface $wrappedDumper = null, array $contextProviders = [])
+    public function __construct(string $host, ?DataDumperInterface $wrappedDumper = null, array $contextProviders = [])
     {
         $this->connection = new Connection($host, $contextProviders);
         $this->wrappedDumper = $wrappedDumper;
@@ -42,12 +42,14 @@ class ServerDumper implements DataDumperInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @return string|null
      */
     public function dump(Data $data)
     {
         if (!$this->connection->write($data) && $this->wrappedDumper) {
-            $this->wrappedDumper->dump($data);
+            return $this->wrappedDumper->dump($data);
         }
+
+        return null;
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Exception/ThrowingCasterException.php b/data/web/inc/lib/vendor/symfony/var-dumper/Exception/ThrowingCasterException.php
index 122f0d358..fd8eca9f1 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Exception/ThrowingCasterException.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Exception/ThrowingCasterException.php
@@ -21,6 +21,6 @@ class ThrowingCasterException extends \Exception
      */
     public function __construct(\Throwable $prev)
     {
-        parent::__construct('Unexpected '.\get_class($prev).' thrown from a caster: '.$prev->getMessage(), 0, $prev);
+        parent::__construct('Unexpected '.$prev::class.' thrown from a caster: '.$prev->getMessage(), 0, $prev);
     }
 }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/LICENSE b/data/web/inc/lib/vendor/symfony/var-dumper/LICENSE
index a843ec124..29f72d5e9 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/LICENSE
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2014-2022 Fabien Potencier
+Copyright (c) 2014-present Fabien Potencier
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Resources/bin/var-dump-server b/data/web/inc/lib/vendor/symfony/var-dumper/Resources/bin/var-dump-server
index 98c813a06..f398fcef7 100755
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Resources/bin/var-dump-server
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Resources/bin/var-dump-server
@@ -10,6 +10,10 @@
  * file that was distributed with this source code.
  */
 
+if ('cli' !== PHP_SAPI) {
+    throw new Exception('This script must be run from the command line.');
+}
+
 /**
  * Starts a dump server to collect and output dumps on a single place with multiple formats support.
  *
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Resources/functions/dump.php b/data/web/inc/lib/vendor/symfony/var-dumper/Resources/functions/dump.php
index 6221a4d18..f2ff74c0c 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Resources/functions/dump.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Resources/functions/dump.php
@@ -9,40 +9,52 @@
  * file that was distributed with this source code.
  */
 
+use Symfony\Component\VarDumper\Caster\ScalarStub;
 use Symfony\Component\VarDumper\VarDumper;
 
 if (!function_exists('dump')) {
     /**
      * @author Nicolas Grekas <p@tchwork.com>
+     * @author Alexandre Daubois <alex.daubois@gmail.com>
      */
-    function dump(mixed $var, mixed ...$moreVars): mixed
+    function dump(mixed ...$vars): mixed
     {
-        VarDumper::dump($var);
+        if (!$vars) {
+            VarDumper::dump(new ScalarStub('🐛'));
 
-        foreach ($moreVars as $v) {
-            VarDumper::dump($v);
+            return null;
         }
 
-        if (1 < func_num_args()) {
-            return func_get_args();
+        if (array_key_exists(0, $vars) && 1 === count($vars)) {
+            VarDumper::dump($vars[0]);
+            $k = 0;
+        } else {
+            foreach ($vars as $k => $v) {
+                VarDumper::dump($v, is_int($k) ? 1 + $k : $k);
+            }
         }
 
-        return $var;
+        if (1 < count($vars)) {
+            return $vars;
+        }
+
+        return $vars[$k];
     }
 }
 
 if (!function_exists('dd')) {
-    /**
-     * @return never
-     */
-    function dd(...$vars): void
+    function dd(mixed ...$vars): never
     {
-        if (!in_array(\PHP_SAPI, ['cli', 'phpdbg'], true) && !headers_sent()) {
+        if (!\in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true) && !headers_sent()) {
             header('HTTP/1.1 500 Internal Server Error');
         }
 
-        foreach ($vars as $v) {
-            VarDumper::dump($v);
+        if (array_key_exists(0, $vars) && 1 === count($vars)) {
+            VarDumper::dump($vars[0]);
+        } else {
+            foreach ($vars as $k => $v) {
+                VarDumper::dump($v, is_int($k) ? 1 + $k : $k);
+            }
         }
 
         exit(1);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Server/Connection.php b/data/web/inc/lib/vendor/symfony/var-dumper/Server/Connection.php
index 97b5b94f3..4383278c9 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Server/Connection.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Server/Connection.php
@@ -62,7 +62,7 @@ class Connection
         $context = array_filter($context);
         $encodedPayload = base64_encode(serialize([$data, $context]))."\n";
 
-        set_error_handler([self::class, 'nullErrorHandler']);
+        set_error_handler(static fn () => null);
         try {
             if (-1 !== stream_socket_sendto($this->socket, $encodedPayload)) {
                 return true;
@@ -82,16 +82,14 @@ class Connection
         return false;
     }
 
-    private static function nullErrorHandler(int $t, string $m)
-    {
-        // no-op
-    }
-
+    /**
+     * @return resource|null
+     */
     private function createSocket()
     {
-        set_error_handler([self::class, 'nullErrorHandler']);
+        set_error_handler(static fn () => null);
         try {
-            return stream_socket_client($this->host, $errno, $errstr, 3, \STREAM_CLIENT_CONNECT | \STREAM_CLIENT_ASYNC_CONNECT);
+            return stream_socket_client($this->host, $errno, $errstr, 3) ?: null;
         } finally {
             restore_error_handler();
         }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Server/DumpServer.php b/data/web/inc/lib/vendor/symfony/var-dumper/Server/DumpServer.php
index 6a43c1204..a9228a2ef 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Server/DumpServer.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Server/DumpServer.php
@@ -25,14 +25,14 @@ use Symfony\Component\VarDumper\Cloner\Stub;
 class DumpServer
 {
     private string $host;
-    private $logger;
+    private ?LoggerInterface $logger;
 
     /**
      * @var resource|null
      */
     private $socket;
 
-    public function __construct(string $host, LoggerInterface $logger = null)
+    public function __construct(string $host, ?LoggerInterface $logger = null)
     {
         if (!str_contains($host, '://')) {
             $host = 'tcp://'.$host;
@@ -56,25 +56,19 @@ class DumpServer
         }
 
         foreach ($this->getMessages() as $clientId => $message) {
-            if ($this->logger) {
-                $this->logger->info('Received a payload from client {clientId}', ['clientId' => $clientId]);
-            }
+            $this->logger?->info('Received a payload from client {clientId}', ['clientId' => $clientId]);
 
             $payload = @unserialize(base64_decode($message), ['allowed_classes' => [Data::class, Stub::class]]);
 
             // Impossible to decode the message, give up.
             if (false === $payload) {
-                if ($this->logger) {
-                    $this->logger->warning('Unable to decode a message from {clientId} client.', ['clientId' => $clientId]);
-                }
+                $this->logger?->warning('Unable to decode a message from {clientId} client.', ['clientId' => $clientId]);
 
                 continue;
             }
 
             if (!\is_array($payload) || \count($payload) < 2 || !$payload[0] instanceof Data || !\is_array($payload[1])) {
-                if ($this->logger) {
-                    $this->logger->warning('Invalid payload from {clientId} client. Expected an array of two elements (Data $data, array $context)', ['clientId' => $clientId]);
-                }
+                $this->logger?->warning('Invalid payload from {clientId} client. Expected an array of two elements (Data $data, array $context)', ['clientId' => $clientId]);
 
                 continue;
             }
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/Test/VarDumperTestTrait.php b/data/web/inc/lib/vendor/symfony/var-dumper/Test/VarDumperTestTrait.php
index a202185e5..4475efd12 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/Test/VarDumperTestTrait.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/Test/VarDumperTestTrait.php
@@ -27,7 +27,7 @@ trait VarDumperTestTrait
         'flags' => null,
     ];
 
-    protected function setUpVarDumper(array $casters, int $flags = null): void
+    protected function setUpVarDumper(array $casters, ?int $flags = null): void
     {
         $this->varDumperConfig['casters'] = $casters;
         $this->varDumperConfig['flags'] = $flags;
@@ -52,7 +52,7 @@ trait VarDumperTestTrait
         $this->assertStringMatchesFormat($this->prepareExpectation($expected, $filter), $this->getDump($data, null, $filter), $message);
     }
 
-    protected function getDump(mixed $data, string|int $key = null, int $filter = 0): ?string
+    protected function getDump(mixed $data, string|int|null $key = null, int $filter = 0): ?string
     {
         if (null === $flags = $this->varDumperConfig['flags']) {
             $flags = getenv('DUMP_LIGHT_ARRAY') ? CliDumper::DUMP_LIGHT_ARRAY : 0;
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/VarDumper.php b/data/web/inc/lib/vendor/symfony/var-dumper/VarDumper.php
index dfef9f410..e1400f150 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/VarDumper.php
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/VarDumper.php
@@ -11,9 +11,9 @@
 
 namespace Symfony\Component\VarDumper;
 
+use Symfony\Component\ErrorHandler\ErrorRenderer\FileLinkFormatter;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
-use Symfony\Component\HttpKernel\Debug\FileLinkFormatter;
 use Symfony\Component\VarDumper\Caster\ReflectionCaster;
 use Symfony\Component\VarDumper\Cloner\VarCloner;
 use Symfony\Component\VarDumper\Dumper\CliDumper;
@@ -37,17 +37,26 @@ class VarDumper
      */
     private static $handler;
 
-    public static function dump(mixed $var)
+    /**
+     * @param string|null $label
+     *
+     * @return mixed
+     */
+    public static function dump(mixed $var/* , string $label = null */)
     {
+        $label = 2 <= \func_num_args() ? func_get_arg(1) : null;
         if (null === self::$handler) {
             self::register();
         }
 
-        return (self::$handler)($var);
+        return (self::$handler)($var, $label);
     }
 
-    public static function setHandler(callable $callable = null): ?callable
+    public static function setHandler(?callable $callable = null): ?callable
     {
+        if (1 > \func_num_args()) {
+            trigger_deprecation('symfony/var-dumper', '6.2', 'Calling "%s()" without any arguments is deprecated, pass null explicitly instead.', __METHOD__);
+        }
         $prevHandler = self::$handler;
 
         // Prevent replacing the handler with expected format as soon as the env var was set:
@@ -76,19 +85,25 @@ class VarDumper
             case 'server' === $format:
             case $format && 'tcp' === parse_url($format, \PHP_URL_SCHEME):
                 $host = 'server' === $format ? $_SERVER['VAR_DUMPER_SERVER'] ?? '127.0.0.1:9912' : $format;
-                $dumper = \in_array(\PHP_SAPI, ['cli', 'phpdbg'], true) ? new CliDumper() : new HtmlDumper();
+                $dumper = \in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true) ? new CliDumper() : new HtmlDumper();
                 $dumper = new ServerDumper($host, $dumper, self::getDefaultContextProviders());
                 break;
             default:
-                $dumper = \in_array(\PHP_SAPI, ['cli', 'phpdbg'], true) ? new CliDumper() : new HtmlDumper();
+                $dumper = \in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true) ? new CliDumper() : new HtmlDumper();
         }
 
         if (!$dumper instanceof ServerDumper) {
             $dumper = new ContextualizedDumper($dumper, [new SourceContextProvider()]);
         }
 
-        self::$handler = function ($var) use ($cloner, $dumper) {
-            $dumper->dump($cloner->cloneVar($var));
+        self::$handler = function ($var, ?string $label = null) use ($cloner, $dumper) {
+            $var = $cloner->cloneVar($var);
+
+            if (null !== $label) {
+                $var = $var->withContext(['label' => $label]);
+            }
+
+            $dumper->dump($var);
         };
     }
 
@@ -96,7 +111,7 @@ class VarDumper
     {
         $contextProviders = [];
 
-        if (!\in_array(\PHP_SAPI, ['cli', 'phpdbg'], true) && (class_exists(Request::class))) {
+        if (!\in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true) && class_exists(Request::class)) {
             $requestStack = new RequestStack();
             $requestStack->push(Request::createFromGlobals());
             $contextProviders['request'] = new RequestContextProvider($requestStack);
diff --git a/data/web/inc/lib/vendor/symfony/var-dumper/composer.json b/data/web/inc/lib/vendor/symfony/var-dumper/composer.json
index db04f5884..e6166f86d 100644
--- a/data/web/inc/lib/vendor/symfony/var-dumper/composer.json
+++ b/data/web/inc/lib/vendor/symfony/var-dumper/composer.json
@@ -16,25 +16,22 @@
         }
     ],
     "require": {
-        "php": ">=8.0.2",
+        "php": ">=8.1",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/polyfill-mbstring": "~1.0"
     },
     "require-dev": {
         "ext-iconv": "*",
-        "symfony/console": "^5.4|^6.0",
-        "symfony/process": "^5.4|^6.0",
-        "symfony/uid": "^5.4|^6.0",
+        "symfony/console": "^5.4|^6.0|^7.0",
+        "symfony/error-handler": "^6.3|^7.0",
+        "symfony/http-kernel": "^5.4|^6.0|^7.0",
+        "symfony/process": "^5.4|^6.0|^7.0",
+        "symfony/uid": "^5.4|^6.0|^7.0",
         "twig/twig": "^2.13|^3.0.4"
     },
     "conflict": {
-        "phpunit/phpunit": "<5.4.3",
         "symfony/console": "<5.4"
     },
-    "suggest": {
-        "ext-iconv": "To convert non-UTF-8 strings to UTF-8 (or symfony/polyfill-iconv in case ext-iconv cannot be used).",
-        "ext-intl": "To show region name in time zone dump",
-        "symfony/console": "To use the ServerDumpCommand and/or the bin/var-dump-server script"
-    },
     "autoload": {
         "files": [ "Resources/functions/dump.php" ],
         "psr-4": { "Symfony\\Component\\VarDumper\\": "" },
diff --git a/data/web/inc/lib/vendor/tightenco/collect/.github/workflows/run-tests.yml b/data/web/inc/lib/vendor/tightenco/collect/.github/workflows/run-tests.yml
index c9325213f..406c40049 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/.github/workflows/run-tests.yml
+++ b/data/web/inc/lib/vendor/tightenco/collect/.github/workflows/run-tests.yml
@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [Ubuntu, macOS]
-        php: [7.3, 7.4, 8.0, 8.1]
+        php: [8.0, 8.1, 8.2]
 
         include:
           - os: Ubuntu
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v1
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
diff --git a/data/web/inc/lib/vendor/tightenco/collect/composer.json b/data/web/inc/lib/vendor/tightenco/collect/composer.json
index 88ebb77ae..949635dcd 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/composer.json
+++ b/data/web/inc/lib/vendor/tightenco/collect/composer.json
@@ -10,7 +10,7 @@
         }
     ],
     "require": {
-        "php": "^7.3|^8.0",
+        "php": "^8.0",
         "symfony/var-dumper": "^3.4 || ^4.0 || ^5.0 || ^6.0"
     },
     "require-dev": {
@@ -33,7 +33,6 @@
             "tests/files/Support/HtmlString.php",
             "tests/files/Support/HigherOrderTapProxy.php",
             "tests/files/Support/Str.php",
-            "tests/files/Support/Traits/Conditionable.php",
             "tests/files/Support/Stringable.php",
             "tests/files/Support/ItemNotFoundException.php",
             "tests/files/Support/MultipleItemsFoundException.php",
diff --git a/data/web/inc/lib/vendor/tightenco/collect/framework-.zip b/data/web/inc/lib/vendor/tightenco/collect/framework-.zip
new file mode 100644
index 000000000..e69de29bb
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Conditionable/HigherOrderWhenProxy.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Conditionable/HigherOrderWhenProxy.php
new file mode 100644
index 000000000..eaf24812b
--- /dev/null
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Conditionable/HigherOrderWhenProxy.php
@@ -0,0 +1,109 @@
+<?php
+
+namespace Tightenco\Collect\Conditionable;
+
+class HigherOrderWhenProxy
+{
+    /**
+     * The target being conditionally operated on.
+     *
+     * @var mixed
+     */
+    protected $target;
+
+    /**
+     * The condition for proxying.
+     *
+     * @var bool
+     */
+    protected $condition;
+
+    /**
+     * Indicates whether the proxy has a condition.
+     *
+     * @var bool
+     */
+    protected $hasCondition = false;
+
+    /**
+     * Determine whether the condition should be negated.
+     *
+     * @var bool
+     */
+    protected $negateConditionOnCapture;
+
+    /**
+     * Create a new proxy instance.
+     *
+     * @param  mixed  $target
+     * @return void
+     */
+    public function __construct($target)
+    {
+        $this->target = $target;
+    }
+
+    /**
+     * Set the condition on the proxy.
+     *
+     * @param  bool  $condition
+     * @return $this
+     */
+    public function condition($condition)
+    {
+        [$this->condition, $this->hasCondition] = [$condition, true];
+
+        return $this;
+    }
+
+    /**
+     * Indicate that the condition should be negated.
+     *
+     * @return $this
+     */
+    public function negateConditionOnCapture()
+    {
+        $this->negateConditionOnCapture = true;
+
+        return $this;
+    }
+
+    /**
+     * Proxy accessing an attribute onto the target.
+     *
+     * @param  string  $key
+     * @return mixed
+     */
+    public function __get($key)
+    {
+        if (! $this->hasCondition) {
+            $condition = $this->target->{$key};
+
+            return $this->condition($this->negateConditionOnCapture ? ! $condition : $condition);
+        }
+
+        return $this->condition
+            ? $this->target->{$key}
+            : $this->target;
+    }
+
+    /**
+     * Proxy a method call on the target.
+     *
+     * @param  string  $method
+     * @param  array  $parameters
+     * @return mixed
+     */
+    public function __call($method, $parameters)
+    {
+        if (! $this->hasCondition) {
+            $condition = $this->target->{$method}(...$parameters);
+
+            return $this->condition($this->negateConditionOnCapture ? ! $condition : $condition);
+        }
+
+        return $this->condition
+            ? $this->target->{$method}(...$parameters)
+            : $this->target;
+    }
+}
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Contracts/Support/Arrayable.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Contracts/Support/Arrayable.php
index a20580400..190bb9bc3 100755
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Contracts/Support/Arrayable.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Contracts/Support/Arrayable.php
@@ -2,12 +2,16 @@
 
 namespace Tightenco\Collect\Contracts\Support;
 
+/**
+ * @template TKey of array-key
+ * @template TValue
+ */
 interface Arrayable
 {
     /**
      * Get the instance as an array.
      *
-     * @return array
+     * @return array<TKey, TValue>
      */
     public function toArray();
 }
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Arr.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Arr.php
index 57350cca5..f3a4b042e 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Arr.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Arr.php
@@ -2,6 +2,7 @@
 
 namespace Tightenco\Collect\Support;
 
+use ArgumentCountError;
 use ArrayAccess;
 use Tightenco\Collect\Support\Traits\Macroable;
 use InvalidArgumentException;
@@ -25,7 +26,7 @@ class Arr
      * Add an element to an array using "dot" notation if it doesn't exist.
      *
      * @param  array  $array
-     * @param  string  $key
+     * @param  string|int|float  $key
      * @param  mixed  $value
      * @return array
      */
@@ -142,7 +143,7 @@ class Arr
      * Get all of the given array except for a specified array of keys.
      *
      * @param  array  $array
-     * @param  array|string  $keys
+     * @param  array|string|int|float  $keys
      * @return array
      */
     public static function except($array, $keys)
@@ -169,6 +170,10 @@ class Arr
             return $array->offsetExists($key);
         }
 
+        if (is_float($key)) {
+            $key = (string) $key;
+        }
+
         return array_key_exists($key, $array);
     }
 
@@ -252,7 +257,7 @@ class Arr
      * Remove one or many array items from a given array using "dot" notation.
      *
      * @param  array  $array
-     * @param  array|string  $keys
+     * @param  array|string|int|float  $keys
      * @return void
      */
     public static function forget(&$array, $keys)
@@ -281,7 +286,7 @@ class Arr
             while (count($parts) > 1) {
                 $part = array_shift($parts);
 
-                if (isset($array[$part]) && is_array($array[$part])) {
+                if (isset($array[$part]) && static::accessible($array[$part])) {
                     $array = &$array[$part];
                 } else {
                     continue 2;
@@ -314,7 +319,7 @@ class Arr
             return $array[$key];
         }
 
-        if (strpos($key, '.') === false) {
+        if (! str_contains($key, '.')) {
             return $array[$key] ?? value($default);
         }
 
@@ -423,6 +428,59 @@ class Arr
         return ! self::isAssoc($array);
     }
 
+    /**
+     * Join all items using a string. The final items can use a separate glue string.
+     *
+     * @param  array  $array
+     * @param  string  $glue
+     * @param  string  $finalGlue
+     * @return string
+     */
+    public static function join($array, $glue, $finalGlue = '')
+    {
+        if ($finalGlue === '') {
+            return implode($glue, $array);
+        }
+
+        if (count($array) === 0) {
+            return '';
+        }
+
+        if (count($array) === 1) {
+            return end($array);
+        }
+
+        $finalItem = array_pop($array);
+
+        return implode($glue, $array).$finalGlue.$finalItem;
+    }
+
+    /**
+     * Key an associative array by a field or using a callback.
+     *
+     * @param  array  $array
+     * @param  callable|array|string  $keyBy
+     * @return array
+     */
+    public static function keyBy($array, $keyBy)
+    {
+        return Collection::make($array)->keyBy($keyBy)->all();
+    }
+
+    /**
+     * Prepend the key names of an associative array.
+     *
+     * @param  array  $array
+     * @param  string  $prependWith
+     * @return array
+     */
+    public static function prependKeysWith($array, $prependWith)
+    {
+        return Collection::make($array)->mapWithKeys(function ($item, $key) use ($prependWith) {
+            return [$prependWith.$key => $item];
+        })->all();
+    }
+
     /**
      * Get a subset of the items from the given array.
      *
@@ -487,6 +545,26 @@ class Arr
         return [$value, $key];
     }
 
+    /**
+     * Run a map over each of the items in the array.
+     *
+     * @param  array  $array
+     * @param  callable  $callback
+     * @return array
+     */
+    public static function map(array $array, callable $callback)
+    {
+        $keys = array_keys($array);
+
+        try {
+            $items = array_map($callback, $array, $keys);
+        } catch (ArgumentCountError) {
+            $items = array_map($callback, $array);
+        }
+
+        return array_combine($keys, $items);
+    }
+
     /**
      * Push an item onto the beginning of an array.
      *
@@ -510,7 +588,7 @@ class Arr
      * Get a value from the array, and remove it.
      *
      * @param  array  $array
-     * @param  string  $key
+     * @param  string|int  $key
      * @param  mixed  $default
      * @return mixed
      */
@@ -539,7 +617,7 @@ class Arr
      *
      * @param  array  $array
      * @param  int|null  $number
-     * @param  bool|false  $preserveKeys
+     * @param  bool  $preserveKeys
      * @return mixed
      *
      * @throws \InvalidArgumentException
@@ -587,7 +665,7 @@ class Arr
      * If no key is given to the method, the entire array will be replaced.
      *
      * @param  array  $array
-     * @param  string|null  $key
+     * @param  string|int|null  $key
      * @param  mixed  $value
      * @return array
      */
@@ -653,6 +731,18 @@ class Arr
         return Collection::make($array)->sortBy($callback)->all();
     }
 
+    /**
+     * Sort the array in descending order using the given callback or "dot" notation.
+     *
+     * @param  array  $array
+     * @param  callable|array|string|null  $callback
+     * @return array
+     */
+    public static function sortDesc($array, $callback = null)
+    {
+        return Collection::make($array)->sortByDesc($callback)->all();
+    }
+
     /**
      * Recursively sort an array by keys and values.
      *
@@ -705,6 +795,29 @@ class Arr
         return implode(' ', $classes);
     }
 
+    /**
+     * Conditionally compile styles from an array into a style list.
+     *
+     * @param  array  $array
+     * @return string
+     */
+    public static function toCssStyles($array)
+    {
+        $styleList = static::wrap($array);
+
+        $styles = [];
+
+        foreach ($styleList as $class => $constraint) {
+            if (is_numeric($class)) {
+                $styles[] = Str::finish($constraint, ';');
+            } elseif ($constraint) {
+                $styles[] = Str::finish($class, ';');
+            }
+        }
+
+        return implode(' ', $styles);
+    }
+
     /**
      * Filter the array using the given callback.
      *
@@ -725,9 +838,7 @@ class Arr
      */
     public static function whereNotNull($array)
     {
-        return static::where($array, function ($value) {
-            return ! is_null($value);
-        });
+        return static::where($array, fn ($value) => ! is_null($value));
     }
 
     /**
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Collection.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Collection.php
index 577e35157..e705ee0d0 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Collection.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Collection.php
@@ -8,22 +8,33 @@ use Tightenco\Collect\Contracts\Support\CanBeEscapedWhenCastToString;
 use Tightenco\Collect\Support\Traits\EnumeratesValues;
 use Tightenco\Collect\Support\Traits\Macroable;
 use stdClass;
+use Traversable;
 
+/**
+ * @template TKey of array-key
+ * @template TValue
+ *
+ * @implements \ArrayAccess<TKey, TValue>
+ * @implements \Tightenco\Collect\Support\Enumerable<TKey, TValue>
+ */
 class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerable
 {
+    /**
+     * @use \Tightenco\Collect\Support\Traits\EnumeratesValues<TKey, TValue>
+     */
     use EnumeratesValues, Macroable;
 
     /**
      * The items contained in the collection.
      *
-     * @var array
+     * @var array<TKey, TValue>
      */
     protected $items = [];
 
     /**
      * Create a new collection.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>|null  $items
      * @return void
      */
     public function __construct($items = [])
@@ -36,7 +47,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      *
      * @param  int  $from
      * @param  int  $to
-     * @return static
+     * @return static<int, int>
      */
     public static function range($from, $to)
     {
@@ -46,7 +57,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get all of the items in the collection.
      *
-     * @return array
+     * @return array<TKey, TValue>
      */
     public function all()
     {
@@ -56,7 +67,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get a lazy collection for the items in this collection.
      *
-     * @return \Tightenco\Collect\Support\LazyCollection
+     * @return \Tightenco\Collect\Support\LazyCollection<TKey, TValue>
      */
     public function lazy()
     {
@@ -66,18 +77,16 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the average value of a given key.
      *
-     * @param  callable|string|null  $callback
-     * @return mixed
+     * @param  (callable(TValue): float|int)|string|null  $callback
+     * @return float|int|null
      */
     public function avg($callback = null)
     {
         $callback = $this->valueRetriever($callback);
 
-        $items = $this->map(function ($value) use ($callback) {
-            return $callback($value);
-        })->filter(function ($value) {
-            return ! is_null($value);
-        });
+        $items = $this
+            ->map(fn ($value) => $callback($value))
+            ->filter(fn ($value) => ! is_null($value));
 
         if ($count = $items->count()) {
             return $items->sum() / $count;
@@ -87,15 +96,14 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the median of a given key.
      *
-     * @param  string|array|null  $key
-     * @return mixed
+     * @param  string|array<array-key, string>|null  $key
+     * @return float|int|null
      */
     public function median($key = null)
     {
         $values = (isset($key) ? $this->pluck($key) : $this)
-            ->filter(function ($item) {
-                return ! is_null($item);
-            })->sort()->values();
+            ->filter(fn ($item) => ! is_null($item))
+            ->sort()->values();
 
         $count = $values->count();
 
@@ -117,8 +125,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the mode of a given key.
      *
-     * @param  string|array|null  $key
-     * @return array|null
+     * @param  string|array<array-key, string>|null  $key
+     * @return array<int, float|int>|null
      */
     public function mode($key = null)
     {
@@ -130,23 +138,20 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
 
         $counts = new static;
 
-        $collection->each(function ($value) use ($counts) {
-            $counts[$value] = isset($counts[$value]) ? $counts[$value] + 1 : 1;
-        });
+        $collection->each(fn ($value) => $counts[$value] = isset($counts[$value]) ? $counts[$value] + 1 : 1);
 
         $sorted = $counts->sort();
 
         $highestValue = $sorted->last();
 
-        return $sorted->filter(function ($value) use ($highestValue) {
-            return $value == $highestValue;
-        })->sort()->keys()->all();
+        return $sorted->filter(fn ($value) => $value == $highestValue)
+            ->sort()->keys()->all();
     }
 
     /**
      * Collapse the collection of items into a single array.
      *
-     * @return static
+     * @return static<int, mixed>
      */
     public function collapse()
     {
@@ -156,7 +161,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Determine if an item exists in the collection.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
@@ -176,6 +181,26 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
         return $this->contains($this->operatorForWhere(...func_get_args()));
     }
 
+    /**
+     * Determine if an item exists, using strict comparison.
+     *
+     * @param  (callable(TValue): bool)|TValue|array-key  $key
+     * @param  TValue|null  $value
+     * @return bool
+     */
+    public function containsStrict($key, $value = null)
+    {
+        if (func_num_args() === 2) {
+            return $this->contains(fn ($item) => data_get($item, $key) === $value);
+        }
+
+        if ($this->useAsCallable($key)) {
+            return ! is_null($this->first($key));
+        }
+
+        return in_array($key, $this->items, true);
+    }
+
     /**
      * Determine if an item is not contained in the collection.
      *
@@ -192,8 +217,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Cross join with the given lists, returning all possible permutations.
      *
-     * @param  mixed  ...$lists
-     * @return static
+     * @template TCrossJoinKey
+     * @template TCrossJoinValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TCrossJoinKey, TCrossJoinValue>|iterable<TCrossJoinKey, TCrossJoinValue>  ...$lists
+     * @return static<int, array<int, TValue|TCrossJoinValue>>
      */
     public function crossJoin(...$lists)
     {
@@ -205,7 +233,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items in the collection that are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
      * @return static
      */
     public function diff($items)
@@ -216,8 +244,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items in the collection that are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
      * @return static
      */
     public function diffUsing($items, callable $callback)
@@ -228,7 +256,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items in the collection whose keys and values are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function diffAssoc($items)
@@ -239,8 +267,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items in the collection whose keys and values are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function diffAssocUsing($items, callable $callback)
@@ -251,7 +279,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items in the collection whose keys are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function diffKeys($items)
@@ -262,8 +290,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items in the collection whose keys are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function diffKeysUsing($items, callable $callback)
@@ -274,7 +302,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Retrieve duplicate items from the collection.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): bool)|string|null  $callback
      * @param  bool  $strict
      * @return static
      */
@@ -302,7 +330,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Retrieve duplicate items from the collection using strict comparison.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): bool)|string|null  $callback
      * @return static
      */
     public function duplicatesStrict($callback = null)
@@ -314,25 +342,21 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Get the comparison function to detect duplicates.
      *
      * @param  bool  $strict
-     * @return \Closure
+     * @return callable(TValue, TValue): bool
      */
     protected function duplicateComparator($strict)
     {
         if ($strict) {
-            return function ($a, $b) {
-                return $a === $b;
-            };
+            return fn ($a, $b) => $a === $b;
         }
 
-        return function ($a, $b) {
-            return $a == $b;
-        };
+        return fn ($a, $b) => $a == $b;
     }
 
     /**
      * Get all items except for those with the specified keys.
      *
-     * @param  \Tightenco\Collect\Support\Collection|mixed  $keys
+     * @param  \Tightenco\Collect\Support\Enumerable<array-key, TKey>|array<array-key, TKey>  $keys
      * @return static
      */
     public function except($keys)
@@ -349,7 +373,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Run a filter over each of the items.
      *
-     * @param  callable|null  $callback
+     * @param (callable(TValue, TKey): bool)|null  $callback
      * @return static
      */
     public function filter(callable $callback = null)
@@ -364,9 +388,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the first item from the collection passing the given truth test.
      *
-     * @param  callable|null  $callback
-     * @param  mixed  $default
-     * @return mixed
+     * @template TFirstDefault
+     *
+     * @param  (callable(TValue, TKey): bool)|null  $callback
+     * @param  TFirstDefault|(\Closure(): TFirstDefault)  $default
+     * @return TValue|TFirstDefault
      */
     public function first(callable $callback = null, $default = null)
     {
@@ -377,7 +403,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Get a flattened array of the items in the collection.
      *
      * @param  int  $depth
-     * @return static
+     * @return static<int, mixed>
      */
     public function flatten($depth = INF)
     {
@@ -387,7 +413,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Flip the items in the collection.
      *
-     * @return static
+     * @return static<TValue, TKey>
      */
     public function flip()
     {
@@ -397,7 +423,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Remove an item from the collection by key.
      *
-     * @param  string|int|array  $keys
+     * @param  TKey|array<array-key, TKey>  $keys
      * @return $this
      */
     public function forget($keys)
@@ -412,9 +438,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get an item from the collection by key.
      *
-     * @param  mixed  $key
-     * @param  mixed  $default
-     * @return mixed
+     * @template TGetDefault
+     *
+     * @param  TKey  $key
+     * @param  TGetDefault|(\Closure(): TGetDefault)  $default
+     * @return TValue|TGetDefault
      */
     public function get($key, $default = null)
     {
@@ -446,9 +474,9 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Group an associative array by a field or using a callback.
      *
-     * @param  array|callable|string  $groupBy
+     * @param  (callable(TValue, TKey): array-key)|array|string  $groupBy
      * @param  bool  $preserveKeys
-     * @return static
+     * @return static<array-key, static<array-key, TValue>>
      */
     public function groupBy($groupBy, $preserveKeys = false)
     {
@@ -470,7 +498,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
             }
 
             foreach ($groupKeys as $groupKey) {
-                $groupKey = is_bool($groupKey) ? (int) $groupKey : $groupKey;
+                $groupKey = match (true) {
+                    is_bool($groupKey) => (int) $groupKey,
+                    $groupKey instanceof \Stringable => (string) $groupKey,
+                    default => $groupKey,
+                };
 
                 if (! array_key_exists($groupKey, $results)) {
                     $results[$groupKey] = new static;
@@ -492,8 +524,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Key an associative array by a field or using a callback.
      *
-     * @param  callable|string  $keyBy
-     * @return static
+     * @param  (callable(TValue, TKey): array-key)|array|string  $keyBy
+     * @return static<array-key, TValue>
      */
     public function keyBy($keyBy)
     {
@@ -517,7 +549,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Determine if an item exists in the collection by key.
      *
-     * @param  mixed  $key
+     * @param  TKey|array<array-key, TKey>  $key
      * @return bool
      */
     public function has($key)
@@ -559,12 +591,16 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Concatenate values of a given key as a string.
      *
-     * @param  string  $value
+     * @param  callable|string  $value
      * @param  string|null  $glue
      * @return string
      */
     public function implode($value, $glue = null)
     {
+        if ($this->useAsCallable($value)) {
+            return implode($glue ?? '', $this->map($value)->all());
+        }
+
         $first = $this->first();
 
         if (is_array($first) || (is_object($first) && ! $first instanceof \Illuminate\Support\Stringable)) {
@@ -577,7 +613,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Intersect the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function intersect($items)
@@ -585,10 +621,45 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
         return new static(array_intersect($this->items, $this->getArrayableItems($items)));
     }
 
+    /**
+     * Intersect the collection with the given items, using the callback.
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
+     * @return static
+     */
+    public function intersectUsing($items, callable $callback)
+    {
+        return new static(array_uintersect($this->items, $this->getArrayableItems($items), $callback));
+    }
+
+    /**
+     * Intersect the collection with the given items with additional index check.
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @return static
+     */
+    public function intersectAssoc($items)
+    {
+        return new static(array_intersect_assoc($this->items, $this->getArrayableItems($items)));
+    }
+
+    /**
+     * Intersect the collection with the given items with additional index check, using the callback.
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
+     * @return static
+     */
+    public function intersectAssocUsing($items, callable $callback)
+    {
+        return new static(array_intersect_uassoc($this->items, $this->getArrayableItems($items), $callback));
+    }
+
     /**
      * Intersect the collection with the given items by key.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function intersectByKeys($items)
@@ -651,7 +722,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the keys of the collection items.
      *
-     * @return static
+     * @return static<int, TKey>
      */
     public function keys()
     {
@@ -661,9 +732,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the last item from the collection.
      *
-     * @param  callable|null  $callback
-     * @param  mixed  $default
-     * @return mixed
+     * @template TLastDefault
+     *
+     * @param  (callable(TValue, TKey): bool)|null  $callback
+     * @param  TLastDefault|(\Closure(): TLastDefault)  $default
+     * @return TValue|TLastDefault
      */
     public function last(callable $callback = null, $default = null)
     {
@@ -673,9 +746,9 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the values of a given key.
      *
-     * @param  string|array|int|null  $value
+     * @param  string|int|array<array-key, string>  $value
      * @param  string|null  $key
-     * @return static
+     * @return static<array-key, mixed>
      */
     public function pluck($value, $key = null)
     {
@@ -685,16 +758,14 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Run a map over each of the items.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapValue
+     *
+     * @param  callable(TValue, TKey): TMapValue  $callback
+     * @return static<TKey, TMapValue>
      */
     public function map(callable $callback)
     {
-        $keys = array_keys($this->items);
-
-        $items = array_map($callback, $this->items, $keys);
-
-        return new static(array_combine($keys, $items));
+        return new static(Arr::map($this->items, $callback));
     }
 
     /**
@@ -702,8 +773,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapToDictionaryKey of array-key
+     * @template TMapToDictionaryValue
+     *
+     * @param  callable(TValue, TKey): array<TMapToDictionaryKey, TMapToDictionaryValue>  $callback
+     * @return static<TMapToDictionaryKey, array<int, TMapToDictionaryValue>>
      */
     public function mapToDictionary(callable $callback)
     {
@@ -731,8 +805,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapWithKeysKey of array-key
+     * @template TMapWithKeysValue
+     *
+     * @param  callable(TValue, TKey): array<TMapWithKeysKey, TMapWithKeysValue>  $callback
+     * @return static<TMapWithKeysKey, TMapWithKeysValue>
      */
     public function mapWithKeys(callable $callback)
     {
@@ -752,7 +829,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Merge the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function merge($items)
@@ -763,8 +840,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Recursively merge the collection with the given items.
      *
-     * @param  mixed  $items
-     * @return static
+     * @template TMergeRecursiveValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TMergeRecursiveValue>|iterable<TKey, TMergeRecursiveValue>  $items
+     * @return static<TKey, TValue|TMergeRecursiveValue>
      */
     public function mergeRecursive($items)
     {
@@ -774,8 +853,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Create a collection by using this collection for keys and another for its values.
      *
-     * @param  mixed  $values
-     * @return static
+     * @template TCombineValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TCombineValue>|iterable<array-key, TCombineValue>  $values
+     * @return static<TValue, TCombineValue>
      */
     public function combine($values)
     {
@@ -785,7 +866,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Union the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function union($items)
@@ -806,8 +887,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
 
         $position = 0;
 
-        foreach ($this->items as $item) {
-            if ($position % $step === $offset) {
+        foreach ($this->slice($offset)->items as $item) {
+            if ($position % $step === 0) {
                 $new[] = $item;
             }
 
@@ -820,7 +901,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the items with the specified keys.
      *
-     * @param  mixed  $keys
+     * @param  \Tightenco\Collect\Support\Enumerable<array-key, TKey>|array<array-key, TKey>|string|null  $keys
      * @return static
      */
     public function only($keys)
@@ -842,7 +923,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Get and remove the last N items from the collection.
      *
      * @param  int  $count
-     * @return mixed
+     * @return static<int, TValue>|TValue|null
      */
     public function pop($count = 1)
     {
@@ -868,8 +949,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Push an item onto the beginning of the collection.
      *
-     * @param  mixed  $value
-     * @param  mixed  $key
+     * @param  TValue  $value
+     * @param  TKey  $key
      * @return $this
      */
     public function prepend($value, $key = null)
@@ -882,7 +963,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Push one or more items onto the end of the collection.
      *
-     * @param  mixed  $values
+     * @param  TValue  ...$values
      * @return $this
      */
     public function push(...$values)
@@ -897,7 +978,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Push all of the given items onto the collection.
      *
-     * @param  iterable  $source
+     * @param  iterable<array-key, TValue>  $source
      * @return static
      */
     public function concat($source)
@@ -914,9 +995,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get and remove an item from the collection.
      *
-     * @param  mixed  $key
-     * @param  mixed  $default
-     * @return mixed
+     * @template TPullDefault
+     *
+     * @param  TKey  $key
+     * @param  TPullDefault|(\Closure(): TPullDefault)  $default
+     * @return TValue|TPullDefault
      */
     public function pull($key, $default = null)
     {
@@ -926,8 +1009,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Put an item in the collection by key.
      *
-     * @param  mixed  $key
-     * @param  mixed  $value
+     * @param  TKey  $key
+     * @param  TValue  $value
      * @return $this
      */
     public function put($key, $value)
@@ -940,8 +1023,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get one or a specified number of items randomly from the collection.
      *
-     * @param  int|null  $number
-     * @return static|mixed
+     * @param  (callable(self<TKey, TValue>): int)|int|null  $number
+     * @return static<int, TValue>|TValue
      *
      * @throws \InvalidArgumentException
      */
@@ -951,13 +1034,17 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
             return Arr::random($this->items);
         }
 
+        if (is_callable($number)) {
+            return new static(Arr::random($this->items, $number($this)));
+        }
+
         return new static(Arr::random($this->items, $number));
     }
 
     /**
      * Replace the collection items with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function replace($items)
@@ -968,7 +1055,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Recursively replace the collection items with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function replaceRecursive($items)
@@ -989,9 +1076,9 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Search the collection for a given value and return the corresponding key if successful.
      *
-     * @param  mixed  $value
+     * @param  TValue|(callable(TValue,TKey): bool)  $value
      * @param  bool  $strict
-     * @return mixed
+     * @return TKey|bool
      */
     public function search($value, $strict = false)
     {
@@ -1012,7 +1099,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Get and remove the first N items from the collection.
      *
      * @param  int  $count
-     * @return mixed
+     * @return static<int, TValue>|TValue|null
      */
     public function shift($count = 1)
     {
@@ -1051,7 +1138,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      *
      * @param  int  $size
      * @param  int  $step
-     * @return static
+     * @return static<int, static>
      */
     public function sliding($size = 2, $step = 1)
     {
@@ -1076,7 +1163,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Skip items in the collection until the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function skipUntil($value)
@@ -1087,7 +1174,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Skip items in the collection while the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function skipWhile($value)
@@ -1111,7 +1198,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Split a collection into a certain number of groups.
      *
      * @param  int  $numberOfGroups
-     * @return static
+     * @return static<int, static>
      */
     public function split($numberOfGroups)
     {
@@ -1148,7 +1235,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Split a collection into a certain number of groups, and fill the first groups completely.
      *
      * @param  int  $numberOfGroups
-     * @return static
+     * @return static<int, static>
      */
     public function splitIn($numberOfGroups)
     {
@@ -1158,10 +1245,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the first item in the collection, but only if exactly one item exists. Otherwise, throw an exception.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return mixed
+     * @return TValue
      *
      * @throws \Tightenco\Collect\Support\ItemNotFoundException
      * @throws \Tightenco\Collect\Support\MultipleItemsFoundException
@@ -1172,14 +1259,16 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
             ? $this->operatorForWhere(...func_get_args())
             : $key;
 
-        $items = $this->when($filter)->filter($filter);
+        $items = $this->unless($filter == null)->filter($filter);
 
-        if ($items->isEmpty()) {
+        $count = $items->count();
+
+        if ($count === 0) {
             throw new ItemNotFoundException;
         }
 
-        if ($items->count() > 1) {
-            throw new MultipleItemsFoundException;
+        if ($count > 1) {
+            throw new MultipleItemsFoundException($count);
         }
 
         return $items->first();
@@ -1188,10 +1277,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get the first item in the collection but throw an exception if no matching items exist.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return mixed
+     * @return TValue
      *
      * @throws \Tightenco\Collect\Support\ItemNotFoundException
      */
@@ -1216,7 +1305,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * Chunk the collection into chunks of the given size.
      *
      * @param  int  $size
-     * @return static
+     * @return static<int, static>
      */
     public function chunk($size)
     {
@@ -1236,8 +1325,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Chunk the collection into chunks with a callback.
      *
-     * @param  callable  $callback
-     * @return static
+     * @param  callable(TValue, TKey, static<int, TValue>): bool  $callback
+     * @return static<int, static<int, TValue>>
      */
     public function chunkWhile(callable $callback)
     {
@@ -1249,7 +1338,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Sort through each item with a callback.
      *
-     * @param  callable|int|null  $callback
+     * @param  (callable(TValue, TValue): int)|null|int  $callback
      * @return static
      */
     public function sort($callback = null)
@@ -1281,7 +1370,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Sort the collection using the given callback.
      *
-     * @param  callable|array|string  $callback
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>|(callable(TValue, TKey): mixed)|string  $callback
      * @param  int  $options
      * @param  bool  $descending
      * @return static
@@ -1319,14 +1408,14 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Sort the collection using multiple comparisons.
      *
-     * @param  array  $comparisons
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>  $comparisons
      * @return static
      */
     protected function sortByMany(array $comparisons = [])
     {
         $items = $this->items;
 
-        usort($items, function ($a, $b) use ($comparisons) {
+        uasort($items, function ($a, $b) use ($comparisons) {
             foreach ($comparisons as $comparison) {
                 $comparison = Arr::wrap($comparison);
 
@@ -1335,8 +1424,6 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
                 $ascending = Arr::get($comparison, 1, true) === true ||
                              Arr::get($comparison, 1, true) === 'asc';
 
-                $result = 0;
-
                 if (! is_string($prop) && is_callable($prop)) {
                     $result = $prop($a, $b);
                 } else {
@@ -1363,7 +1450,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Sort the collection in descending order using the given callback.
      *
-     * @param  callable|string  $callback
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>|(callable(TValue, TKey): mixed)|string  $callback
      * @param  int  $options
      * @return static
      */
@@ -1402,7 +1489,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Sort the collection keys using a callback.
      *
-     * @param  callable  $callback
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function sortKeysUsing(callable $callback)
@@ -1419,7 +1506,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      *
      * @param  int  $offset
      * @param  int|null  $length
-     * @param  mixed  $replacement
+     * @param  array<array-key, TValue>  $replacement
      * @return static
      */
     public function splice($offset, $length = null, $replacement = [])
@@ -1449,7 +1536,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Take items in the collection until the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function takeUntil($value)
@@ -1460,7 +1547,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Take items in the collection while the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function takeWhile($value)
@@ -1471,7 +1558,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Transform each item in the collection using a callback.
      *
-     * @param  callable  $callback
+     * @param  callable(TValue, TKey): TValue  $callback
      * @return $this
      */
     public function transform(callable $callback)
@@ -1494,7 +1581,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Return only unique items from the collection array.
      *
-     * @param  string|callable|null  $key
+     * @param  (callable(TValue, TKey): mixed)|string|null  $key
      * @param  bool  $strict
      * @return static
      */
@@ -1520,7 +1607,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Reset the keys on the underlying array.
      *
-     * @return static
+     * @return static<int, TValue>
      */
     public function values()
     {
@@ -1533,18 +1620,16 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      * e.g. new Collection([1, 2, 3])->zip([4, 5, 6]);
      *      => [[1, 4], [2, 5], [3, 6]]
      *
-     * @param  mixed  ...$items
-     * @return static
+     * @template TZipValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TZipValue>|iterable<array-key, TZipValue>  ...$items
+     * @return static<int, static<int, TValue|TZipValue>>
      */
     public function zip($items)
     {
-        $arrayableItems = array_map(function ($items) {
-            return $this->getArrayableItems($items);
-        }, func_get_args());
+        $arrayableItems = array_map(fn ($items) => $this->getArrayableItems($items), func_get_args());
 
-        $params = array_merge([function () {
-            return new static(func_get_args());
-        }, $this->items], $arrayableItems);
+        $params = array_merge([fn () => new static(func_get_args()), $this->items], $arrayableItems);
 
         return new static(array_map(...$params));
     }
@@ -1552,9 +1637,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Pad collection to the specified length with a value.
      *
+     * @template TPadValue
+     *
      * @param  int  $size
-     * @param  mixed  $value
-     * @return static
+     * @param  TPadValue  $value
+     * @return static<int, TValue|TPadValue>
      */
     public function pad($size, $value)
     {
@@ -1564,10 +1651,9 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get an iterator for the items.
      *
-     * @return \ArrayIterator
+     * @return \ArrayIterator<TKey, TValue>
      */
-    #[\ReturnTypeWillChange]
-    public function getIterator()
+    public function getIterator(): Traversable
     {
         return new ArrayIterator($this->items);
     }
@@ -1577,8 +1663,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
      *
      * @return int
      */
-    #[\ReturnTypeWillChange]
-    public function count()
+    public function count(): int
     {
         return count($this->items);
     }
@@ -1586,8 +1671,8 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Count the number of items in the collection by a field or using a callback.
      *
-     * @param  callable|string  $countBy
-     * @return static
+     * @param  (callable(TValue, TKey): array-key)|string|null  $countBy
+     * @return static<array-key, int>
      */
     public function countBy($countBy = null)
     {
@@ -1597,7 +1682,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Add an item to the collection.
      *
-     * @param  mixed  $item
+     * @param  TValue  $item
      * @return $this
      */
     public function add($item)
@@ -1610,7 +1695,7 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get a base Support collection instance from this collection.
      *
-     * @return \Tightenco\Collect\Support\Collection
+     * @return \Tightenco\Collect\Support\Collection<TKey, TValue>
      */
     public function toBase()
     {
@@ -1620,11 +1705,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Determine if an item exists at an offset.
      *
-     * @param  mixed  $key
+     * @param  TKey  $key
      * @return bool
      */
-    #[\ReturnTypeWillChange]
-    public function offsetExists($key)
+    public function offsetExists($key): bool
     {
         return isset($this->items[$key]);
     }
@@ -1632,11 +1716,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Get an item at a given offset.
      *
-     * @param  mixed  $key
-     * @return mixed
+     * @param  TKey  $key
+     * @return TValue
      */
-    #[\ReturnTypeWillChange]
-    public function offsetGet($key)
+    public function offsetGet($key): mixed
     {
         return $this->items[$key];
     }
@@ -1644,12 +1727,11 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Set the item at a given offset.
      *
-     * @param  mixed  $key
-     * @param  mixed  $value
+     * @param  TKey|null  $key
+     * @param  TValue  $value
      * @return void
      */
-    #[\ReturnTypeWillChange]
-    public function offsetSet($key, $value)
+    public function offsetSet($key, $value): void
     {
         if (is_null($key)) {
             $this->items[] = $value;
@@ -1661,11 +1743,10 @@ class Collection implements ArrayAccess, CanBeEscapedWhenCastToString, Enumerabl
     /**
      * Unset the item at a given offset.
      *
-     * @param  mixed  $key
+     * @param  TKey  $key
      * @return void
      */
-    #[\ReturnTypeWillChange]
-    public function offsetUnset($key)
+    public function offsetUnset($key): void
     {
         unset($this->items[$key]);
     }
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Enumerable.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Enumerable.php
index 60af386cf..1f0db03ae 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Enumerable.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Enumerable.php
@@ -2,19 +2,31 @@
 
 namespace Tightenco\Collect\Support;
 
+use CachingIterator;
 use Countable;
 use Tightenco\Collect\Contracts\Support\Arrayable;
 use Tightenco\Collect\Contracts\Support\Jsonable;
 use IteratorAggregate;
 use JsonSerializable;
+use Traversable;
 
+/**
+ * @template TKey of array-key
+ * @template TValue
+ *
+ * @extends \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>
+ * @extends \IteratorAggregate<TKey, TValue>
+ */
 interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable, JsonSerializable
 {
     /**
      * Create a new collection instance if the value isn't one already.
      *
-     * @param  mixed  $items
-     * @return static
+     * @template TMakeKey of array-key
+     * @template TMakeValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TMakeKey, TMakeValue>|iterable<TMakeKey, TMakeValue>|null  $items
+     * @return static<TMakeKey, TMakeValue>
      */
     public static function make($items = []);
 
@@ -39,16 +51,21 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Wrap the given value in a collection if applicable.
      *
-     * @param  mixed  $value
-     * @return static
+     * @template TWrapValue
+     *
+     * @param  iterable<array-key, TWrapValue>|TWrapValue  $value
+     * @return static<array-key, TWrapValue>
      */
     public static function wrap($value);
 
     /**
      * Get the underlying items from the given collection if applicable.
      *
-     * @param  array|static  $value
-     * @return array
+     * @template TUnwrapKey of array-key
+     * @template TUnwrapValue
+     *
+     * @param  array<TUnwrapKey, TUnwrapValue>|static<TUnwrapKey, TUnwrapValue>  $value
+     * @return array<TUnwrapKey, TUnwrapValue>
      */
     public static function unwrap($value);
 
@@ -69,38 +86,38 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Alias for the "avg" method.
      *
-     * @param  callable|string|null  $callback
-     * @return mixed
+     * @param  (callable(TValue): float|int)|string|null  $callback
+     * @return float|int|null
      */
     public function average($callback = null);
 
     /**
      * Get the median of a given key.
      *
-     * @param  string|array|null  $key
-     * @return mixed
+     * @param  string|array<array-key, string>|null  $key
+     * @return float|int|null
      */
     public function median($key = null);
 
     /**
      * Get the mode of a given key.
      *
-     * @param  string|array|null  $key
-     * @return array|null
+     * @param  string|array<array-key, string>|null  $key
+     * @return array<int, float|int>|null
      */
     public function mode($key = null);
 
     /**
      * Collapse the items into a single enumerable.
      *
-     * @return static
+     * @return static<int, mixed>
      */
     public function collapse();
 
     /**
      * Alias for the "contains" method.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
@@ -110,8 +127,8 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Determine if an item exists, using strict comparison.
      *
-     * @param  mixed  $key
-     * @param  mixed  $value
+     * @param  (callable(TValue): bool)|TValue|array-key  $key
+     * @param  TValue|null  $value
      * @return bool
      */
     public function containsStrict($key, $value = null);
@@ -119,26 +136,39 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the average value of a given key.
      *
-     * @param  callable|string|null  $callback
-     * @return mixed
+     * @param  (callable(TValue): float|int)|string|null  $callback
+     * @return float|int|null
      */
     public function avg($callback = null);
 
     /**
      * Determine if an item exists in the enumerable.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
      */
     public function contains($key, $operator = null, $value = null);
 
+    /**
+     * Determine if an item is not contained in the collection.
+     *
+     * @param  mixed  $key
+     * @param  mixed  $operator
+     * @param  mixed  $value
+     * @return bool
+     */
+    public function doesntContain($key, $operator = null, $value = null);
+
     /**
      * Cross join with the given lists, returning all possible permutations.
      *
-     * @param  mixed  ...$lists
-     * @return static
+     * @template TCrossJoinKey
+     * @template TCrossJoinValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TCrossJoinKey, TCrossJoinValue>|iterable<TCrossJoinKey, TCrossJoinValue>  ...$lists
+     * @return static<int, array<int, TValue|TCrossJoinValue>>
      */
     public function crossJoin(...$lists);
 
@@ -146,7 +176,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Dump the collection and end the script.
      *
      * @param  mixed  ...$args
-     * @return void
+     * @return never
      */
     public function dd(...$args);
 
@@ -160,7 +190,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items that are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
      * @return static
      */
     public function diff($items);
@@ -168,8 +198,8 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items that are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
      * @return static
      */
     public function diffUsing($items, callable $callback);
@@ -177,7 +207,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items whose keys and values are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function diffAssoc($items);
@@ -185,8 +215,8 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items whose keys and values are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function diffAssocUsing($items, callable $callback);
@@ -194,7 +224,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items whose keys are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function diffKeys($items);
@@ -202,8 +232,8 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items whose keys are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function diffKeysUsing($items, callable $callback);
@@ -211,7 +241,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Retrieve duplicate items.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): bool)|string|null  $callback
      * @param  bool  $strict
      * @return static
      */
@@ -220,7 +250,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Retrieve duplicate items using strict comparison.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): bool)|string|null  $callback
      * @return static
      */
     public function duplicatesStrict($callback = null);
@@ -228,7 +258,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Execute a callback over each item.
      *
-     * @param  callable  $callback
+     * @param  callable(TValue, TKey): mixed  $callback
      * @return $this
      */
     public function each(callable $callback);
@@ -244,7 +274,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Determine if all items pass the given truth test.
      *
-     * @param  string|callable  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
@@ -254,7 +284,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get all items except for those with the specified keys.
      *
-     * @param  mixed  $keys
+     * @param  \Tightenco\Collect\Support\Enumerable<array-key, TKey>|array<array-key, TKey>  $keys
      * @return static
      */
     public function except($keys);
@@ -262,64 +292,76 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Run a filter over each of the items.
      *
-     * @param  callable|null  $callback
+     * @param  (callable(TValue): bool)|null  $callback
      * @return static
      */
     public function filter(callable $callback = null);
 
     /**
-     * Apply the callback if the value is truthy.
+     * Apply the callback if the given "value" is (or resolves to) truthy.
+     *
+     * @template TWhenReturnType as null
      *
      * @param  bool  $value
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @param  (callable($this): TWhenReturnType)|null  $callback
+     * @param  (callable($this): TWhenReturnType)|null  $default
+     * @return $this|TWhenReturnType
      */
-    public function when($value, callable $callback, callable $default = null);
+    public function when($value, callable $callback = null, callable $default = null);
 
     /**
      * Apply the callback if the collection is empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TWhenEmptyReturnType
+     *
+     * @param  (callable($this): TWhenEmptyReturnType)  $callback
+     * @param  (callable($this): TWhenEmptyReturnType)|null  $default
+     * @return $this|TWhenEmptyReturnType
      */
     public function whenEmpty(callable $callback, callable $default = null);
 
     /**
      * Apply the callback if the collection is not empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TWhenNotEmptyReturnType
+     *
+     * @param  callable($this): TWhenNotEmptyReturnType  $callback
+     * @param  (callable($this): TWhenNotEmptyReturnType)|null  $default
+     * @return $this|TWhenNotEmptyReturnType
      */
     public function whenNotEmpty(callable $callback, callable $default = null);
 
     /**
-     * Apply the callback if the value is falsy.
+     * Apply the callback if the given "value" is (or resolves to) truthy.
+     *
+     * @template TUnlessReturnType
      *
      * @param  bool  $value
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @param  (callable($this): TUnlessReturnType)  $callback
+     * @param  (callable($this): TUnlessReturnType)|null  $default
+     * @return $this|TUnlessReturnType
      */
     public function unless($value, callable $callback, callable $default = null);
 
     /**
      * Apply the callback unless the collection is empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TUnlessEmptyReturnType
+     *
+     * @param  callable($this): TUnlessEmptyReturnType  $callback
+     * @param  (callable($this): TUnlessEmptyReturnType)|null  $default
+     * @return $this|TUnlessEmptyReturnType
      */
     public function unlessEmpty(callable $callback, callable $default = null);
 
     /**
      * Apply the callback unless the collection is not empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TUnlessNotEmptyReturnType
+     *
+     * @param  callable($this): TUnlessNotEmptyReturnType  $callback
+     * @param  (callable($this): TUnlessNotEmptyReturnType)|null  $default
+     * @return $this|TUnlessNotEmptyReturnType
      */
     public function unlessNotEmpty(callable $callback, callable $default = null);
 
@@ -362,7 +404,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Filter items by the given key value pair.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @param  bool  $strict
      * @return static
      */
@@ -372,7 +414,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Filter items by the given key value pair using strict comparison.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereInStrict($key, $values);
@@ -381,7 +423,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Filter items such that the value of the given key is between the given values.
      *
      * @param  string  $key
-     * @param  array  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereBetween($key, $values);
@@ -390,7 +432,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Filter items such that the value of the given key is not between the given values.
      *
      * @param  string  $key
-     * @param  array  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereNotBetween($key, $values);
@@ -399,7 +441,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Filter items by the given key value pair.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @param  bool  $strict
      * @return static
      */
@@ -409,7 +451,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Filter items by the given key value pair using strict comparison.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereNotInStrict($key, $values);
@@ -417,17 +459,21 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Filter the items, removing any items that don't match the given type(s).
      *
-     * @param  string|string[]  $type
-     * @return static
+     * @template TWhereInstanceOf
+     *
+     * @param  class-string<TWhereInstanceOf>|array<array-key, class-string<TWhereInstanceOf>>  $type
+     * @return static<TKey, TWhereInstanceOf>
      */
     public function whereInstanceOf($type);
 
     /**
      * Get the first item from the enumerable passing the given truth test.
      *
-     * @param  callable|null  $callback
-     * @param  mixed  $default
-     * @return mixed
+     * @template TFirstDefault
+     *
+     * @param  (callable(TValue,TKey): bool)|null  $callback
+     * @param  TFirstDefault|(\Closure(): TFirstDefault)  $default
+     * @return TValue|TFirstDefault
      */
     public function first(callable $callback = null, $default = null);
 
@@ -437,7 +483,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * @param  string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return mixed
+     * @return TValue|null
      */
     public function firstWhere($key, $operator = null, $value = null);
 
@@ -452,44 +498,54 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Flip the values with their keys.
      *
-     * @return static
+     * @return static<TValue, TKey>
      */
     public function flip();
 
     /**
      * Get an item from the collection by key.
      *
-     * @param  mixed  $key
-     * @param  mixed  $default
-     * @return mixed
+     * @template TGetDefault
+     *
+     * @param  TKey  $key
+     * @param  TGetDefault|(\Closure(): TGetDefault)  $default
+     * @return TValue|TGetDefault
      */
     public function get($key, $default = null);
 
     /**
      * Group an associative array by a field or using a callback.
      *
-     * @param  array|callable|string  $groupBy
+     * @param  (callable(TValue, TKey): array-key)|array|string  $groupBy
      * @param  bool  $preserveKeys
-     * @return static
+     * @return static<array-key, static<array-key, TValue>>
      */
     public function groupBy($groupBy, $preserveKeys = false);
 
     /**
      * Key an associative array by a field or using a callback.
      *
-     * @param  callable|string  $keyBy
-     * @return static
+     * @param  (callable(TValue, TKey): array-key)|array|string  $keyBy
+     * @return static<array-key, TValue>
      */
     public function keyBy($keyBy);
 
     /**
      * Determine if an item exists in the collection by key.
      *
-     * @param  mixed  $key
+     * @param  TKey|array<array-key, TKey>  $key
      * @return bool
      */
     public function has($key);
 
+    /**
+     * Determine if any of the keys exist in the collection.
+     *
+     * @param  mixed  $key
+     * @return bool
+     */
+    public function hasAny($key);
+
     /**
      * Concatenate values of a given key as a string.
      *
@@ -502,7 +558,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Intersect the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function intersect($items);
@@ -510,7 +566,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Intersect the collection with the given items by key.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function intersectByKeys($items);
@@ -529,6 +585,13 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      */
     public function isNotEmpty();
 
+    /**
+     * Determine if the collection contains a single item.
+     *
+     * @return bool
+     */
+    public function containsOneItem();
+
     /**
      * Join all items from the collection using a string. The final items can use a separate glue string.
      *
@@ -541,24 +604,28 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the keys of the collection items.
      *
-     * @return static
+     * @return static<int, TKey>
      */
     public function keys();
 
     /**
      * Get the last item from the collection.
      *
-     * @param  callable|null  $callback
-     * @param  mixed  $default
-     * @return mixed
+     * @template TLastDefault
+     *
+     * @param  (callable(TValue, TKey): bool)|null  $callback
+     * @param  TLastDefault|(\Closure(): TLastDefault)  $default
+     * @return TValue|TLastDefault
      */
     public function last(callable $callback = null, $default = null);
 
     /**
      * Run a map over each of the items.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapValue
+     *
+     * @param  callable(TValue, TKey): TMapValue  $callback
+     * @return static<TKey, TMapValue>
      */
     public function map(callable $callback);
 
@@ -575,8 +642,11 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapToDictionaryKey of array-key
+     * @template TMapToDictionaryValue
+     *
+     * @param  callable(TValue, TKey): array<TMapToDictionaryKey, TMapToDictionaryValue>  $callback
+     * @return static<TMapToDictionaryKey, array<int, TMapToDictionaryValue>>
      */
     public function mapToDictionary(callable $callback);
 
@@ -585,8 +655,11 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapToGroupsKey of array-key
+     * @template TMapToGroupsValue
+     *
+     * @param  callable(TValue, TKey): array<TMapToGroupsKey, TMapToGroupsValue>  $callback
+     * @return static<TMapToGroupsKey, static<int, TMapToGroupsValue>>
      */
     public function mapToGroups(callable $callback);
 
@@ -595,31 +668,39 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapWithKeysKey of array-key
+     * @template TMapWithKeysValue
+     *
+     * @param  callable(TValue, TKey): array<TMapWithKeysKey, TMapWithKeysValue>  $callback
+     * @return static<TMapWithKeysKey, TMapWithKeysValue>
      */
     public function mapWithKeys(callable $callback);
 
     /**
      * Map a collection and flatten the result by a single level.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TFlatMapKey of array-key
+     * @template TFlatMapValue
+     *
+     * @param  callable(TValue, TKey): (\Tightenco\Collect\Support\Collection<TFlatMapKey, TFlatMapValue>|array<TFlatMapKey, TFlatMapValue>)  $callback
+     * @return static<TFlatMapKey, TFlatMapValue>
      */
     public function flatMap(callable $callback);
 
     /**
      * Map the values into a new class.
      *
-     * @param  string  $class
-     * @return static
+     * @template TMapIntoValue
+     *
+     * @param  class-string<TMapIntoValue>  $class
+     * @return static<TKey, TMapIntoValue>
      */
     public function mapInto($class);
 
     /**
      * Merge the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function merge($items);
@@ -627,23 +708,27 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Recursively merge the collection with the given items.
      *
-     * @param  mixed  $items
-     * @return static
+     * @template TMergeRecursiveValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TMergeRecursiveValue>|iterable<TKey, TMergeRecursiveValue>  $items
+     * @return static<TKey, TValue|TMergeRecursiveValue>
      */
     public function mergeRecursive($items);
 
     /**
      * Create a collection by using this collection for keys and another for its values.
      *
-     * @param  mixed  $values
-     * @return static
+     * @template TCombineValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TCombineValue>|iterable<array-key, TCombineValue>  $values
+     * @return static<TValue, TCombineValue>
      */
     public function combine($values);
 
     /**
      * Union the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function union($items);
@@ -651,7 +736,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the min value of a given key.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue):mixed)|string|null  $callback
      * @return mixed
      */
     public function min($callback = null);
@@ -659,7 +744,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the max value of a given key.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue):mixed)|string|null  $callback
      * @return mixed
      */
     public function max($callback = null);
@@ -676,7 +761,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Get the items with the specified keys.
      *
-     * @param  mixed  $keys
+     * @param  \Tightenco\Collect\Support\Enumerable<array-key, TKey>|array<array-key, TKey>|string  $keys
      * @return static
      */
     public function only($keys);
@@ -693,17 +778,17 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Partition the collection into two arrays using the given callback or key.
      *
-     * @param  callable|string  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return static
+     * @return static<int<0, 1>, static<TKey, TValue>>
      */
     public function partition($key, $operator = null, $value = null);
 
     /**
      * Push all of the given items onto the collection.
      *
-     * @param  iterable  $source
+     * @param  iterable<array-key, TValue>  $source
      * @return static
      */
     public function concat($source);
@@ -712,7 +797,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Get one or a specified number of items randomly from the collection.
      *
      * @param  int|null  $number
-     * @return static|mixed
+     * @return static<int, TValue>|TValue
      *
      * @throws \InvalidArgumentException
      */
@@ -721,16 +806,30 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Reduce the collection to a single value.
      *
-     * @param  callable  $callback
-     * @param  mixed  $initial
-     * @return mixed
+     * @template TReduceInitial
+     * @template TReduceReturnType
+     *
+     * @param  callable(TReduceInitial|TReduceReturnType, TValue, TKey): TReduceReturnType  $callback
+     * @param  TReduceInitial  $initial
+     * @return TReduceReturnType
      */
     public function reduce(callable $callback, $initial = null);
 
+    /**
+     * Reduce the collection to multiple aggregate values.
+     *
+     * @param  callable  $callback
+     * @param  mixed  ...$initial
+     * @return array
+     *
+     * @throws \UnexpectedValueException
+     */
+    public function reduceSpread(callable $callback, ...$initial);
+
     /**
      * Replace the collection items with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function replace($items);
@@ -738,7 +837,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Recursively replace the collection items with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function replaceRecursive($items);
@@ -753,9 +852,9 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Search the collection for a given value and return the corresponding key if successful.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @param  bool  $strict
-     * @return mixed
+     * @return TKey|bool
      */
     public function search($value, $strict = false);
 
@@ -767,6 +866,15 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      */
     public function shuffle($seed = null);
 
+    /**
+     * Create chunks representing a "sliding window" view of the items in the collection.
+     *
+     * @param  int  $size
+     * @param  int  $step
+     * @return static<int, static>
+     */
+    public function sliding($size = 2, $step = 1);
+
     /**
      * Skip the first {$count} items.
      *
@@ -778,7 +886,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Skip items in the collection until the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function skipUntil($value);
@@ -786,7 +894,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Skip items in the collection while the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function skipWhile($value);
@@ -804,30 +912,63 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * Split a collection into a certain number of groups.
      *
      * @param  int  $numberOfGroups
-     * @return static
+     * @return static<int, static>
      */
     public function split($numberOfGroups);
 
+    /**
+     * Get the first item in the collection, but only if exactly one item exists. Otherwise, throw an exception.
+     *
+     * @param  (callable(TValue, TKey): bool)|string  $key
+     * @param  mixed  $operator
+     * @param  mixed  $value
+     * @return TValue
+     *
+     * @throws \Tightenco\Collect\Support\ItemNotFoundException
+     * @throws \Tightenco\Collect\Support\MultipleItemsFoundException
+     */
+    public function sole($key = null, $operator = null, $value = null);
+
+    /**
+     * Get the first item in the collection but throw an exception if no matching items exist.
+     *
+     * @param  (callable(TValue, TKey): bool)|string  $key
+     * @param  mixed  $operator
+     * @param  mixed  $value
+     * @return TValue
+     *
+     * @throws \Tightenco\Collect\Support\ItemNotFoundException
+     */
+    public function firstOrFail($key = null, $operator = null, $value = null);
+
     /**
      * Chunk the collection into chunks of the given size.
      *
      * @param  int  $size
-     * @return static
+     * @return static<int, static>
      */
     public function chunk($size);
 
     /**
      * Chunk the collection into chunks with a callback.
      *
-     * @param  callable  $callback
-     * @return static
+     * @param  callable(TValue, TKey, static<int, TValue>): bool  $callback
+     * @return static<int, static<int, TValue>>
      */
     public function chunkWhile(callable $callback);
 
+    /**
+     * Split a collection into a certain number of groups, and fill the first groups completely.
+     *
+     * @param  int  $numberOfGroups
+     * @return static<int, static>
+     */
+    public function splitIn($numberOfGroups);
+
     /**
      * Sort through each item with a callback.
      *
-     * @param  callable|null|int  $callback
+     * @param  (callable(TValue, TValue): int)|null|int  $callback
      * @return static
      */
     public function sort($callback = null);
@@ -843,7 +984,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Sort the collection using the given callback.
      *
-     * @param  callable|string  $callback
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>|(callable(TValue, TKey): mixed)|string  $callback
      * @param  int  $options
      * @param  bool  $descending
      * @return static
@@ -853,7 +994,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Sort the collection in descending order using the given callback.
      *
-     * @param  callable|string  $callback
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>|(callable(TValue, TKey): mixed)|string  $callback
      * @param  int  $options
      * @return static
      */
@@ -876,10 +1017,18 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      */
     public function sortKeysDesc($options = SORT_REGULAR);
 
+    /**
+     * Sort the collection keys using a callback.
+     *
+     * @param  callable(TKey, TKey): int  $callback
+     * @return static
+     */
+    public function sortKeysUsing(callable $callback);
+
     /**
      * Get the sum of the given values.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): mixed)|string|null  $callback
      * @return mixed
      */
     public function sum($callback = null);
@@ -895,7 +1044,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Take items in the collection until the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function takeUntil($value);
@@ -903,7 +1052,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Take items in the collection while the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function takeWhile($value);
@@ -911,7 +1060,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Pass the collection to the given callback and then return it.
      *
-     * @param  callable  $callback
+     * @param  callable(TValue): mixed  $callback
      * @return $this
      */
     public function tap(callable $callback);
@@ -919,32 +1068,57 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Pass the enumerable to the given callback and return the result.
      *
-     * @param  callable  $callback
-     * @return mixed
+     * @template TPipeReturnType
+     *
+     * @param  callable($this): TPipeReturnType  $callback
+     * @return TPipeReturnType
      */
     public function pipe(callable $callback);
 
+    /**
+     * Pass the collection into a new class.
+     *
+     * @param  class-string  $class
+     * @return mixed
+     */
+    public function pipeInto($class);
+
+    /**
+     * Pass the collection through a series of callable pipes and return the result.
+     *
+     * @param  array<callable>  $pipes
+     * @return mixed
+     */
+    public function pipeThrough($pipes);
+
     /**
      * Get the values of a given key.
      *
-     * @param  string|array  $value
+     * @param  string|array<array-key, string>  $value
      * @param  string|null  $key
-     * @return static
+     * @return static<int, mixed>
      */
     public function pluck($value, $key = null);
 
     /**
      * Create a collection of all elements that do not pass a given truth test.
      *
-     * @param  callable|mixed  $callback
+     * @param  (callable(TValue, TKey): bool)|bool|TValue  $callback
      * @return static
      */
     public function reject($callback = true);
 
+    /**
+     * Convert a flatten "dot" notation array into an expanded array.
+     *
+     * @return static
+     */
+    public function undot();
+
     /**
      * Return only unique items from the collection array.
      *
-     * @param  string|callable|null  $key
+     * @param  (callable(TValue, TKey): mixed)|string|null  $key
      * @param  bool  $strict
      * @return static
      */
@@ -953,7 +1127,7 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Return only unique items from the collection array using strict comparison.
      *
-     * @param  string|callable|null  $key
+     * @param  (callable(TValue, TKey): mixed)|string|null  $key
      * @return static
      */
     public function uniqueStrict($key = null);
@@ -961,26 +1135,42 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
     /**
      * Reset the keys on the underlying array.
      *
-     * @return static
+     * @return static<int, TValue>
      */
     public function values();
 
     /**
      * Pad collection to the specified length with a value.
      *
+     * @template TPadValue
+     *
      * @param  int  $size
-     * @param  mixed  $value
-     * @return static
+     * @param  TPadValue  $value
+     * @return static<int, TValue|TPadValue>
      */
     public function pad($size, $value);
 
     /**
-     * Count the number of items in the collection using a given truth test.
+     * Get the values iterator.
      *
-     * @param  callable|null  $callback
-     * @return static
+     * @return \Traversable<TKey, TValue>
      */
-    public function countBy($callback = null);
+    public function getIterator(): Traversable;
+
+    /**
+     * Count the number of items in the collection.
+     *
+     * @return int
+     */
+    public function count(): int;
+
+    /**
+     * Count the number of items in the collection by a field or using a callback.
+     *
+     * @param  (callable(TValue, TKey): array-key)|string|null  $countBy
+     * @return static<array-key, int>
+     */
+    public function countBy($countBy = null);
 
     /**
      * Zip the collection together with one or more arrays.
@@ -988,18 +1178,50 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      * e.g. new Collection([1, 2, 3])->zip([4, 5, 6]);
      *      => [[1, 4], [2, 5], [3, 6]]
      *
-     * @param  mixed  ...$items
-     * @return static
+     * @template TZipValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TZipValue>|iterable<array-key, TZipValue>  ...$items
+     * @return static<int, static<int, TValue|TZipValue>>
      */
     public function zip($items);
 
     /**
      * Collect the values into a collection.
      *
-     * @return \Tightenco\Collect\Support\Collection
+     * @return \Tightenco\Collect\Support\Collection<TKey, TValue>
      */
     public function collect();
 
+    /**
+     * Get the collection of items as a plain array.
+     *
+     * @return array<TKey, mixed>
+     */
+    public function toArray();
+
+    /**
+     * Convert the object into something JSON serializable.
+     *
+     * @return mixed
+     */
+    public function jsonSerialize(): mixed;
+
+    /**
+     * Get the collection of items as JSON.
+     *
+     * @param  int  $options
+     * @return string
+     */
+    public function toJson($options = 0);
+
+    /**
+     * Get a CachingIterator instance.
+     *
+     * @param  int  $flags
+     * @return \CachingIterator
+     */
+    public function getCachingIterator($flags = CachingIterator::CALL_TOSTRING);
+
     /**
      * Convert the collection to its string representation.
      *
@@ -1007,6 +1229,14 @@ interface Enumerable extends Arrayable, Countable, IteratorAggregate, Jsonable,
      */
     public function __toString();
 
+    /**
+     * Indicate that the model's string representation should be escaped when __toString is invoked.
+     *
+     * @param  bool  $escape
+     * @return $this
+     */
+    public function escapeWhenCastingToString($escape = true);
+
     /**
      * Add a method to the list of proxied methods.
      *
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/HigherOrderWhenProxy.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/HigherOrderWhenProxy.php
deleted file mode 100644
index ea48c7c58..000000000
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/HigherOrderWhenProxy.php
+++ /dev/null
@@ -1,63 +0,0 @@
-<?php
-
-namespace Tightenco\Collect\Support;
-
-/**
- * @mixin \Tightenco\Collect\Support\Enumerable
- */
-class HigherOrderWhenProxy
-{
-    /**
-     * The collection being operated on.
-     *
-     * @var \Tightenco\Collect\Support\Enumerable
-     */
-    protected $collection;
-
-    /**
-     * The condition for proxying.
-     *
-     * @var bool
-     */
-    protected $condition;
-
-    /**
-     * Create a new proxy instance.
-     *
-     * @param  \Tightenco\Collect\Support\Enumerable  $collection
-     * @param  bool  $condition
-     * @return void
-     */
-    public function __construct(Enumerable $collection, $condition)
-    {
-        $this->condition = $condition;
-        $this->collection = $collection;
-    }
-
-    /**
-     * Proxy accessing an attribute onto the collection.
-     *
-     * @param  string  $key
-     * @return mixed
-     */
-    public function __get($key)
-    {
-        return $this->condition
-            ? $this->collection->{$key}
-            : $this->collection;
-    }
-
-    /**
-     * Proxy a method call onto the collection.
-     *
-     * @param  string  $method
-     * @param  array  $parameters
-     * @return mixed
-     */
-    public function __call($method, $parameters)
-    {
-        return $this->condition
-            ? $this->collection->{$method}(...$parameters)
-            : $this->collection;
-    }
-}
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/LazyCollection.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/LazyCollection.php
index 464cee1b8..07327cb1c 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/LazyCollection.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/LazyCollection.php
@@ -5,27 +5,39 @@ namespace Tightenco\Collect\Support;
 use ArrayIterator;
 use Closure;
 use DateTimeInterface;
+use Generator;
 use Tightenco\Collect\Contracts\Support\CanBeEscapedWhenCastToString;
 use Tightenco\Collect\Support\Traits\EnumeratesValues;
 use Tightenco\Collect\Support\Traits\Macroable;
+use InvalidArgumentException;
 use IteratorAggregate;
 use stdClass;
+use Traversable;
 
+/**
+ * @template TKey of array-key
+ * @template TValue
+ *
+ * @implements \Tightenco\Collect\Support\Enumerable<TKey, TValue>
+ */
 class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
 {
+    /**
+     * @use \Tightenco\Collect\Support\Traits\EnumeratesValues<TKey, TValue>
+     */
     use EnumeratesValues, Macroable;
 
     /**
      * The source from which to generate items.
      *
-     * @var callable|static
+     * @var (Closure(): \Generator<TKey, TValue, mixed, void>)|static|array<TKey, TValue>
      */
     public $source;
 
     /**
      * Create a new lazy collection instance.
      *
-     * @param  mixed  $source
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>|(Closure(): \Generator<TKey, TValue, mixed, void>)|self<TKey, TValue>|array<TKey, TValue>|null  $source
      * @return void
      */
     public function __construct($source = null)
@@ -34,17 +46,35 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
             $this->source = $source;
         } elseif (is_null($source)) {
             $this->source = static::empty();
+        } elseif ($source instanceof Generator) {
+            throw new InvalidArgumentException(
+                'Generators should not be passed directly to LazyCollection. Instead, pass a generator function.'
+            );
         } else {
             $this->source = $this->getArrayableItems($source);
         }
     }
 
+    /**
+     * Create a new collection instance if the value isn't one already.
+     *
+     * @template TMakeKey of array-key
+     * @template TMakeValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TMakeKey, TMakeValue>|iterable<TMakeKey, TMakeValue>|(Closure(): \Generator<TMakeKey, TMakeValue, mixed, void>)|self<TMakeKey, TMakeValue>|array<TMakeKey, TMakeValue>|null  $items
+     * @return static<TMakeKey, TMakeValue>
+     */
+    public static function make($items = [])
+    {
+        return new static($items);
+    }
+
     /**
      * Create a collection with the given range.
      *
      * @param  int  $from
      * @param  int  $to
-     * @return static
+     * @return static<int, int>
      */
     public static function range($from, $to)
     {
@@ -64,7 +94,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get all items in the enumerable.
      *
-     * @return array
+     * @return array<TKey, TValue>
      */
     public function all()
     {
@@ -126,8 +156,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the average value of a given key.
      *
-     * @param  callable|string|null  $callback
-     * @return mixed
+     * @param  (callable(TValue): float|int)|string|null  $callback
+     * @return float|int|null
      */
     public function avg($callback = null)
     {
@@ -137,8 +167,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the median of a given key.
      *
-     * @param  string|array|null  $key
-     * @return mixed
+     * @param  string|array<array-key, string>|null  $key
+     * @return float|int|null
      */
     public function median($key = null)
     {
@@ -148,8 +178,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the mode of a given key.
      *
-     * @param  string|array|null  $key
-     * @return array|null
+     * @param  string|array<string>|null  $key
+     * @return array<int, float|int>|null
      */
     public function mode($key = null)
     {
@@ -159,7 +189,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Collapse the collection of items into a single array.
      *
-     * @return static
+     * @return static<int, mixed>
      */
     public function collapse()
     {
@@ -177,7 +207,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Determine if an item exists in the enumerable.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
@@ -187,6 +217,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
         if (func_num_args() === 1 && $this->useAsCallable($key)) {
             $placeholder = new stdClass;
 
+            /** @var callable $key */
             return $this->first($key, $placeholder) !== $placeholder;
         }
 
@@ -205,6 +236,32 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
         return $this->contains($this->operatorForWhere(...func_get_args()));
     }
 
+    /**
+     * Determine if an item exists, using strict comparison.
+     *
+     * @param  (callable(TValue): bool)|TValue|array-key  $key
+     * @param  TValue|null  $value
+     * @return bool
+     */
+    public function containsStrict($key, $value = null)
+    {
+        if (func_num_args() === 2) {
+            return $this->contains(fn ($item) => data_get($item, $key) === $value);
+        }
+
+        if ($this->useAsCallable($key)) {
+            return ! is_null($this->first($key));
+        }
+
+        foreach ($this as $item) {
+            if ($item === $key) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Determine if an item is not contained in the enumerable.
      *
@@ -221,8 +278,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Cross join the given iterables, returning all possible permutations.
      *
-     * @param  array  ...$arrays
-     * @return static
+     * @template TCrossJoinKey
+     * @template TCrossJoinValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TCrossJoinKey, TCrossJoinValue>|iterable<TCrossJoinKey, TCrossJoinValue>  ...$arrays
+     * @return static<int, array<int, TValue|TCrossJoinValue>>
      */
     public function crossJoin(...$arrays)
     {
@@ -232,8 +292,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Count the number of items in the collection by a field or using a callback.
      *
-     * @param  callable|string  $countBy
-     * @return static
+     * @param  (callable(TValue, TKey): array-key)|string|null  $countBy
+     * @return static<array-key, int>
      */
     public function countBy($countBy = null)
     {
@@ -261,7 +321,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items that are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
      * @return static
      */
     public function diff($items)
@@ -272,8 +332,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items that are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
      * @return static
      */
     public function diffUsing($items, callable $callback)
@@ -284,7 +344,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items whose keys and values are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function diffAssoc($items)
@@ -295,8 +355,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items whose keys and values are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function diffAssocUsing($items, callable $callback)
@@ -307,7 +367,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items whose keys are not present in the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function diffKeys($items)
@@ -318,8 +378,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items whose keys are not present in the given items, using the callback.
      *
-     * @param  mixed  $items
-     * @param  callable  $callback
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function diffKeysUsing($items, callable $callback)
@@ -330,7 +390,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Retrieve duplicate items.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): bool)|string|null  $callback
      * @param  bool  $strict
      * @return static
      */
@@ -342,7 +402,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Retrieve duplicate items using strict comparison.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): bool)|string|null  $callback
      * @return static
      */
     public function duplicatesStrict($callback = null)
@@ -353,7 +413,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get all items except for those with the specified keys.
      *
-     * @param  mixed  $keys
+     * @param  \Tightenco\Collect\Support\Enumerable<array-key, TKey>|array<array-key, TKey>  $keys
      * @return static
      */
     public function except($keys)
@@ -364,15 +424,13 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Run a filter over each of the items.
      *
-     * @param  callable|null  $callback
+     * @param  (callable(TValue, TKey): bool)|null  $callback
      * @return static
      */
     public function filter(callable $callback = null)
     {
         if (is_null($callback)) {
-            $callback = function ($value) {
-                return (bool) $value;
-            };
+            $callback = fn ($value) => (bool) $value;
         }
 
         return new static(function () use ($callback) {
@@ -387,9 +445,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the first item from the enumerable passing the given truth test.
      *
-     * @param  callable|null  $callback
-     * @param  mixed  $default
-     * @return mixed
+     * @template TFirstDefault
+     *
+     * @param  (callable(TValue): bool)|null  $callback
+     * @param  TFirstDefault|(\Closure(): TFirstDefault)  $default
+     * @return TValue|TFirstDefault
      */
     public function first(callable $callback = null, $default = null)
     {
@@ -416,7 +476,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * Get a flattened list of the items in the collection.
      *
      * @param  int  $depth
-     * @return static
+     * @return static<int, mixed>
      */
     public function flatten($depth = INF)
     {
@@ -438,7 +498,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Flip the items in the collection.
      *
-     * @return static
+     * @return static<TValue, TKey>
      */
     public function flip()
     {
@@ -452,9 +512,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get an item by key.
      *
-     * @param  mixed  $key
-     * @param  mixed  $default
-     * @return mixed
+     * @template TGetDefault
+     *
+     * @param  TKey|null  $key
+     * @param  TGetDefault|(\Closure(): TGetDefault)  $default
+     * @return TValue|TGetDefault
      */
     public function get($key, $default = null)
     {
@@ -474,9 +536,9 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Group an associative array by a field or using a callback.
      *
-     * @param  array|callable|string  $groupBy
+     * @param  (callable(TValue, TKey): array-key)|array|string  $groupBy
      * @param  bool  $preserveKeys
-     * @return static
+     * @return static<array-key, static<array-key, TValue>>
      */
     public function groupBy($groupBy, $preserveKeys = false)
     {
@@ -486,8 +548,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Key an associative array by a field or using a callback.
      *
-     * @param  callable|string  $keyBy
-     * @return static
+     * @param  (callable(TValue, TKey): array-key)|array|string  $keyBy
+     * @return static<array-key, TValue>
      */
     public function keyBy($keyBy)
     {
@@ -548,7 +610,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Concatenate values of a given key as a string.
      *
-     * @param  string  $value
+     * @param  callable|string  $value
      * @param  string|null  $glue
      * @return string
      */
@@ -560,7 +622,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Intersect the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function intersect($items)
@@ -568,10 +630,45 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
         return $this->passthru('intersect', func_get_args());
     }
 
+    /**
+     * Intersect the collection with the given items, using the callback.
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
+     * @return static
+     */
+    public function intersectUsing()
+    {
+        return $this->passthru('intersectUsing', func_get_args());
+    }
+
+    /**
+     * Intersect the collection with the given items with additional index check.
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
+     * @return static
+     */
+    public function intersectAssoc($items)
+    {
+        return $this->passthru('intersectAssoc', func_get_args());
+    }
+
+    /**
+     * Intersect the collection with the given items with additional index check, using the callback.
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TValue>|iterable<array-key, TValue>  $items
+     * @param  callable(TValue, TValue): int  $callback
+     * @return static
+     */
+    public function intersectAssocUsing($items, callable $callback)
+    {
+        return $this->passthru('intersectAssocUsing', func_get_args());
+    }
+
     /**
      * Intersect the collection with the given items by key.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function intersectByKeys($items)
@@ -614,7 +711,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the keys of the collection items.
      *
-     * @return static
+     * @return static<int, TKey>
      */
     public function keys()
     {
@@ -628,9 +725,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the last item from the collection.
      *
-     * @param  callable|null  $callback
-     * @param  mixed  $default
-     * @return mixed
+     * @template TLastDefault
+     *
+     * @param  (callable(TValue, TKey): bool)|null  $callback
+     * @param  TLastDefault|(\Closure(): TLastDefault)  $default
+     * @return TValue|TLastDefault
      */
     public function last(callable $callback = null, $default = null)
     {
@@ -648,9 +747,9 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the values of a given key.
      *
-     * @param  string|array  $value
+     * @param  string|array<array-key, string>  $value
      * @param  string|null  $key
-     * @return static
+     * @return static<int, mixed>
      */
     public function pluck($value, $key = null)
     {
@@ -678,8 +777,10 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Run a map over each of the items.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapValue
+     *
+     * @param  callable(TValue, TKey): TMapValue  $callback
+     * @return static<TKey, TMapValue>
      */
     public function map(callable $callback)
     {
@@ -695,8 +796,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapToDictionaryKey of array-key
+     * @template TMapToDictionaryValue
+     *
+     * @param  callable(TValue, TKey): array<TMapToDictionaryKey, TMapToDictionaryValue>  $callback
+     * @return static<TMapToDictionaryKey, array<int, TMapToDictionaryValue>>
      */
     public function mapToDictionary(callable $callback)
     {
@@ -708,8 +812,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapWithKeysKey of array-key
+     * @template TMapWithKeysValue
+     *
+     * @param  callable(TValue, TKey): array<TMapWithKeysKey, TMapWithKeysValue>  $callback
+     * @return static<TMapWithKeysKey, TMapWithKeysValue>
      */
     public function mapWithKeys(callable $callback)
     {
@@ -723,7 +830,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Merge the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function merge($items)
@@ -734,8 +841,10 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Recursively merge the collection with the given items.
      *
-     * @param  mixed  $items
-     * @return static
+     * @template TMergeRecursiveValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TMergeRecursiveValue>|iterable<TKey, TMergeRecursiveValue>  $items
+     * @return static<TKey, TValue|TMergeRecursiveValue>
      */
     public function mergeRecursive($items)
     {
@@ -745,8 +854,10 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Create a collection by using this collection for keys and another for its values.
      *
-     * @param  mixed  $values
-     * @return static
+     * @template TCombineValue
+     *
+     * @param  \IteratorAggregate<array-key, TCombineValue>|array<array-key, TCombineValue>|(callable(): \Generator<array-key, TCombineValue>)  $values
+     * @return static<TValue, TCombineValue>
      */
     public function combine($values)
     {
@@ -776,7 +887,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Union the collection with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function union($items)
@@ -796,8 +907,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
         return new static(function () use ($step, $offset) {
             $position = 0;
 
-            foreach ($this as $item) {
-                if ($position % $step === $offset) {
+            foreach ($this->slice($offset) as $item) {
+                if ($position % $step === 0) {
                     yield $item;
                 }
 
@@ -809,7 +920,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the items with the specified keys.
      *
-     * @param  mixed  $keys
+     * @param  \Tightenco\Collect\Support\Enumerable<array-key, TKey>|array<array-key, TKey>|string  $keys
      * @return static
      */
     public function only($keys)
@@ -844,7 +955,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Push all of the given items onto the collection.
      *
-     * @param  iterable  $source
+     * @param  iterable<array-key, TValue>  $source
      * @return static
      */
     public function concat($source)
@@ -859,7 +970,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * Get one or a specified number of items randomly from the collection.
      *
      * @param  int|null  $number
-     * @return static|mixed
+     * @return static<int, TValue>|TValue
      *
      * @throws \InvalidArgumentException
      */
@@ -873,7 +984,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Replace the collection items with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function replace($items)
@@ -900,7 +1011,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Recursively replace the collection items with the given items.
      *
-     * @param  mixed  $items
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TKey, TValue>|iterable<TKey, TValue>  $items
      * @return static
      */
     public function replaceRecursive($items)
@@ -921,12 +1032,13 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Search the collection for a given value and return the corresponding key if successful.
      *
-     * @param  mixed  $value
+     * @param  TValue|(callable(TValue,TKey): bool)  $value
      * @param  bool  $strict
-     * @return mixed
+     * @return TKey|bool
      */
     public function search($value, $strict = false)
     {
+        /** @var (callable(TValue,TKey): bool) $predicate */
         $predicate = $this->useAsCallable($value)
             ? $value
             : function ($item) use ($value, $strict) {
@@ -958,7 +1070,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      *
      * @param  int  $size
      * @param  int  $step
-     * @return static
+     * @return static<int, static>
      */
     public function sliding($size = 2, $step = 1)
     {
@@ -971,7 +1083,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
                 $chunk[$iterator->key()] = $iterator->current();
 
                 if (count($chunk) == $size) {
-                    yield tap(new static($chunk), function () use (&$chunk, $step) {
+                    yield (new static($chunk))->tap(function () use (&$chunk, $step) {
                         $chunk = array_slice($chunk, $step, null, true);
                     });
 
@@ -1018,7 +1130,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Skip items in the collection until the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function skipUntil($value)
@@ -1031,7 +1143,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Skip items in the collection while the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function skipWhile($value)
@@ -1075,7 +1187,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * Split a collection into a certain number of groups.
      *
      * @param  int  $numberOfGroups
-     * @return static
+     * @return static<int, static>
      */
     public function split($numberOfGroups)
     {
@@ -1085,10 +1197,10 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the first item in the collection, but only if exactly one item exists. Otherwise, throw an exception.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return mixed
+     * @return TValue
      *
      * @throws \Tightenco\Collect\Support\ItemNotFoundException
      * @throws \Tightenco\Collect\Support\MultipleItemsFoundException
@@ -1100,7 +1212,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
             : $key;
 
         return $this
-            ->when($filter)
+            ->unless($filter == null)
             ->filter($filter)
             ->take(2)
             ->collect()
@@ -1110,10 +1222,10 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the first item in the collection but throw an exception if no matching items exist.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return mixed
+     * @return TValue
      *
      * @throws \Tightenco\Collect\Support\ItemNotFoundException
      */
@@ -1124,7 +1236,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
             : $key;
 
         return $this
-            ->when($filter)
+            ->unless($filter == null)
             ->filter($filter)
             ->take(1)
             ->collect()
@@ -1135,7 +1247,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * Chunk the collection into chunks of the given size.
      *
      * @param  int  $size
-     * @return static
+     * @return static<int, static>
      */
     public function chunk($size)
     {
@@ -1174,7 +1286,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * Split a collection into a certain number of groups, and fill the first groups completely.
      *
      * @param  int  $numberOfGroups
-     * @return static
+     * @return static<int, static>
      */
     public function splitIn($numberOfGroups)
     {
@@ -1184,8 +1296,8 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Chunk the collection into chunks with a callback.
      *
-     * @param  callable  $callback
-     * @return static
+     * @param  callable(TValue, TKey, Collection<TKey, TValue>): bool  $callback
+     * @return static<int, static<int, TValue>>
      */
     public function chunkWhile(callable $callback)
     {
@@ -1221,7 +1333,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Sort through each item with a callback.
      *
-     * @param  callable|null|int  $callback
+     * @param  (callable(TValue, TValue): int)|null|int  $callback
      * @return static
      */
     public function sort($callback = null)
@@ -1243,7 +1355,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Sort the collection using the given callback.
      *
-     * @param  callable|string  $callback
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>|(callable(TValue, TKey): mixed)|string  $callback
      * @param  int  $options
      * @param  bool  $descending
      * @return static
@@ -1256,7 +1368,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Sort the collection in descending order using the given callback.
      *
-     * @param  callable|string  $callback
+     * @param  array<array-key, (callable(TValue, TValue): mixed)|(callable(TValue, TKey): mixed)|string|array{string, string}>|(callable(TValue, TKey): mixed)|string  $callback
      * @param  int  $options
      * @return static
      */
@@ -1291,7 +1403,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Sort the collection keys using a callback.
      *
-     * @param  callable  $callback
+     * @param  callable(TKey, TKey): int  $callback
      * @return static
      */
     public function sortKeysUsing(callable $callback)
@@ -1331,11 +1443,12 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Take items in the collection until the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function takeUntil($value)
     {
+        /** @var callable(TValue, TKey): bool $callback */
         $callback = $this->useAsCallable($value) ? $value : $this->equality($value);
 
         return new static(function () use ($callback) {
@@ -1359,30 +1472,39 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     {
         $timeout = $timeout->getTimestamp();
 
-        return $this->takeWhile(function () use ($timeout) {
-            return $this->now() < $timeout;
+        return new static(function () use ($timeout) {
+            if ($this->now() >= $timeout) {
+                return;
+            }
+
+            foreach ($this as $key => $value) {
+                yield $key => $value;
+
+                if ($this->now() >= $timeout) {
+                    break;
+                }
+            }
         });
     }
 
     /**
      * Take items in the collection while the given condition is met.
      *
-     * @param  mixed  $value
+     * @param  TValue|callable(TValue,TKey): bool  $value
      * @return static
      */
     public function takeWhile($value)
     {
+        /** @var callable(TValue, TKey): bool $callback */
         $callback = $this->useAsCallable($value) ? $value : $this->equality($value);
 
-        return $this->takeUntil(function ($item, $key) use ($callback) {
-            return ! $callback($item, $key);
-        });
+        return $this->takeUntil(fn ($item, $key) => ! $callback($item, $key));
     }
 
     /**
      * Pass each item in the collection to the given callback, lazily.
      *
-     * @param  callable  $callback
+     * @param  callable(TValue, TKey): mixed  $callback
      * @return static
      */
     public function tapEach(callable $callback)
@@ -1409,7 +1531,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Return only unique items from the collection array.
      *
-     * @param  string|callable|null  $key
+     * @param  (callable(TValue, TKey): mixed)|string|null  $key
      * @param  bool  $strict
      * @return static
      */
@@ -1433,7 +1555,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Reset the keys on the underlying array.
      *
-     * @return static
+     * @return static<int, TValue>
      */
     public function values()
     {
@@ -1450,8 +1572,10 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * e.g. new LazyCollection([1, 2, 3])->zip([4, 5, 6]);
      *      => [[1, 4], [2, 5], [3, 6]]
      *
-     * @param  mixed  ...$items
-     * @return static
+     * @template TZipValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<array-key, TZipValue>|iterable<array-key, TZipValue>  ...$items
+     * @return static<int, static<int, TValue|TZipValue>>
      */
     public function zip($items)
     {
@@ -1473,9 +1597,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Pad collection to the specified length with a value.
      *
+     * @template TPadValue
+     *
      * @param  int  $size
-     * @param  mixed  $value
-     * @return static
+     * @param  TPadValue  $value
+     * @return static<int, TValue|TPadValue>
      */
     public function pad($size, $value)
     {
@@ -1501,10 +1627,9 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Get the values iterator.
      *
-     * @return \Traversable
+     * @return \Traversable<TKey, TValue>
      */
-    #[\ReturnTypeWillChange]
-    public function getIterator()
+    public function getIterator(): Traversable
     {
         return $this->makeIterator($this->source);
     }
@@ -1514,8 +1639,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      *
      * @return int
      */
-    #[\ReturnTypeWillChange]
-    public function count()
+    public function count(): int
     {
         if (is_array($this->source)) {
             return count($this->source);
@@ -1527,8 +1651,11 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
     /**
      * Make an iterator from the given source.
      *
-     * @param  mixed  $source
-     * @return \Traversable
+     * @template TIteratorKey of array-key
+     * @template TIteratorValue
+     *
+     * @param  \IteratorAggregate<TIteratorKey, TIteratorValue>|array<TIteratorKey, TIteratorValue>|(callable(): \Generator<TIteratorKey, TIteratorValue>)  $source
+     * @return \Traversable<TIteratorKey, TIteratorValue>
      */
     protected function makeIterator($source)
     {
@@ -1540,15 +1667,23 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
             return new ArrayIterator($source);
         }
 
-        return $source();
+        if (is_callable($source)) {
+            $maybeTraversable = $source();
+
+            return $maybeTraversable instanceof Traversable
+                ? $maybeTraversable
+                : new ArrayIterator(Arr::wrap($maybeTraversable));
+        }
+
+        return new ArrayIterator((array) $source);
     }
 
     /**
      * Explode the "value" and "key" arguments passed to "pluck".
      *
-     * @param  string|array  $value
-     * @param  string|array|null  $key
-     * @return array
+     * @param  string|string[]  $value
+     * @param  string|string[]|null  $key
+     * @return array{string[],string[]|null}
      */
     protected function explodePluckParameters($value, $key)
     {
@@ -1563,7 +1698,7 @@ class LazyCollection implements CanBeEscapedWhenCastToString, Enumerable
      * Pass this lazy collection through a method on the collection class.
      *
      * @param  string  $method
-     * @param  array  $params
+     * @param  array<mixed>  $params
      * @return static
      */
     protected function passthru($method, array $params)
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Str.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Str.php
new file mode 100644
index 000000000..07e82545d
--- /dev/null
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Str.php
@@ -0,0 +1,1367 @@
+<?php
+
+namespace Tightenco\Collect\Support;
+
+use Closure;
+use Tightenco\Collect\Support\Traits\Macroable;
+use JsonException;
+use League\CommonMark\Environment\Environment;
+use League\CommonMark\Extension\GithubFlavoredMarkdownExtension;
+use League\CommonMark\Extension\InlinesOnly\InlinesOnlyExtension;
+use League\CommonMark\GithubFlavoredMarkdownConverter;
+use League\CommonMark\MarkdownConverter;
+use Ramsey\Uuid\Codec\TimestampFirstCombCodec;
+use Ramsey\Uuid\Generator\CombGenerator;
+use Ramsey\Uuid\Uuid;
+use Ramsey\Uuid\UuidFactory;
+use Symfony\Component\Uid\Ulid;
+use Traversable;
+use voku\helper\ASCII;
+
+class Str
+{
+    use Macroable;
+
+    /**
+     * The cache of snake-cased words.
+     *
+     * @var array
+     */
+    protected static $snakeCache = [];
+
+    /**
+     * The cache of camel-cased words.
+     *
+     * @var array
+     */
+    protected static $camelCache = [];
+
+    /**
+     * The cache of studly-cased words.
+     *
+     * @var array
+     */
+    protected static $studlyCache = [];
+
+    /**
+     * The callback that should be used to generate UUIDs.
+     *
+     * @var callable|null
+     */
+    protected static $uuidFactory;
+
+    /**
+     * The callback that should be used to generate random strings.
+     *
+     * @var callable|null
+     */
+    protected static $randomStringFactory;
+
+    /**
+     * Get a new stringable object from the given string.
+     *
+     * @param  string  $string
+     * @return \Tightenco\Collect\Support\Stringable
+     */
+    public static function of($string)
+    {
+        return new Stringable($string);
+    }
+
+    /**
+     * Return the remainder of a string after the first occurrence of a given value.
+     *
+     * @param  string  $subject
+     * @param  string  $search
+     * @return string
+     */
+    public static function after($subject, $search)
+    {
+        return $search === '' ? $subject : array_reverse(explode($search, $subject, 2))[0];
+    }
+
+    /**
+     * Return the remainder of a string after the last occurrence of a given value.
+     *
+     * @param  string  $subject
+     * @param  string  $search
+     * @return string
+     */
+    public static function afterLast($subject, $search)
+    {
+        if ($search === '') {
+            return $subject;
+        }
+
+        $position = strrpos($subject, (string) $search);
+
+        if ($position === false) {
+            return $subject;
+        }
+
+        return substr($subject, $position + strlen($search));
+    }
+
+    /**
+     * Transliterate a UTF-8 value to ASCII.
+     *
+     * @param  string  $value
+     * @param  string  $language
+     * @return string
+     */
+    public static function ascii($value, $language = 'en')
+    {
+        return ASCII::to_ascii((string) $value, $language);
+    }
+
+    /**
+     * Transliterate a string to its closest ASCII representation.
+     *
+     * @param  string  $string
+     * @param  string|null  $unknown
+     * @param  bool|null  $strict
+     * @return string
+     */
+    public static function transliterate($string, $unknown = '?', $strict = false)
+    {
+        return ASCII::to_transliterate($string, $unknown, $strict);
+    }
+
+    /**
+     * Get the portion of a string before the first occurrence of a given value.
+     *
+     * @param  string  $subject
+     * @param  string  $search
+     * @return string
+     */
+    public static function before($subject, $search)
+    {
+        if ($search === '') {
+            return $subject;
+        }
+
+        $result = strstr($subject, (string) $search, true);
+
+        return $result === false ? $subject : $result;
+    }
+
+    /**
+     * Get the portion of a string before the last occurrence of a given value.
+     *
+     * @param  string  $subject
+     * @param  string  $search
+     * @return string
+     */
+    public static function beforeLast($subject, $search)
+    {
+        if ($search === '') {
+            return $subject;
+        }
+
+        $pos = mb_strrpos($subject, $search);
+
+        if ($pos === false) {
+            return $subject;
+        }
+
+        return static::substr($subject, 0, $pos);
+    }
+
+    /**
+     * Get the portion of a string between two given values.
+     *
+     * @param  string  $subject
+     * @param  string  $from
+     * @param  string  $to
+     * @return string
+     */
+    public static function between($subject, $from, $to)
+    {
+        if ($from === '' || $to === '') {
+            return $subject;
+        }
+
+        return static::beforeLast(static::after($subject, $from), $to);
+    }
+
+    /**
+     * Get the smallest possible portion of a string between two given values.
+     *
+     * @param  string  $subject
+     * @param  string  $from
+     * @param  string  $to
+     * @return string
+     */
+    public static function betweenFirst($subject, $from, $to)
+    {
+        if ($from === '' || $to === '') {
+            return $subject;
+        }
+
+        return static::before(static::after($subject, $from), $to);
+    }
+
+    /**
+     * Convert a value to camel case.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function camel($value)
+    {
+        if (isset(static::$camelCache[$value])) {
+            return static::$camelCache[$value];
+        }
+
+        return static::$camelCache[$value] = lcfirst(static::studly($value));
+    }
+
+    /**
+     * Determine if a given string contains a given substring.
+     *
+     * @param  string  $haystack
+     * @param  string|iterable<string>  $needles
+     * @param  bool  $ignoreCase
+     * @return bool
+     */
+    public static function contains($haystack, $needles, $ignoreCase = false)
+    {
+        if ($ignoreCase) {
+            $haystack = mb_strtolower($haystack);
+        }
+
+        if (! is_iterable($needles)) {
+            $needles = (array) $needles;
+        }
+
+        foreach ($needles as $needle) {
+            if ($ignoreCase) {
+                $needle = mb_strtolower($needle);
+            }
+
+            if ($needle !== '' && str_contains($haystack, $needle)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Determine if a given string contains all array values.
+     *
+     * @param  string  $haystack
+     * @param  iterable<string>  $needles
+     * @param  bool  $ignoreCase
+     * @return bool
+     */
+    public static function containsAll($haystack, $needles, $ignoreCase = false)
+    {
+        foreach ($needles as $needle) {
+            if (! static::contains($haystack, $needle, $ignoreCase)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Determine if a given string ends with a given substring.
+     *
+     * @param  string  $haystack
+     * @param  string|iterable<string>  $needles
+     * @return bool
+     */
+    public static function endsWith($haystack, $needles)
+    {
+        if (! is_iterable($needles)) {
+            $needles = (array) $needles;
+        }
+
+        foreach ($needles as $needle) {
+            if ((string) $needle !== '' && str_ends_with($haystack, $needle)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Extracts an excerpt from text that matches the first instance of a phrase.
+     *
+     * @param  string  $text
+     * @param  string  $phrase
+     * @param  array  $options
+     * @return string|null
+     */
+    public static function excerpt($text, $phrase = '', $options = [])
+    {
+        $radius = $options['radius'] ?? 100;
+        $omission = $options['omission'] ?? '...';
+
+        preg_match('/^(.*?)('.preg_quote((string) $phrase).')(.*)$/iu', (string) $text, $matches);
+
+        if (empty($matches)) {
+            return null;
+        }
+
+        $start = ltrim($matches[1]);
+
+        $start = str(mb_substr($start, max(mb_strlen($start, 'UTF-8') - $radius, 0), $radius, 'UTF-8'))->ltrim()->unless(
+            fn ($startWithRadius) => $startWithRadius->exactly($start),
+            fn ($startWithRadius) => $startWithRadius->prepend($omission),
+        );
+
+        $end = rtrim($matches[3]);
+
+        $end = str(mb_substr($end, 0, $radius, 'UTF-8'))->rtrim()->unless(
+            fn ($endWithRadius) => $endWithRadius->exactly($end),
+            fn ($endWithRadius) => $endWithRadius->append($omission),
+        );
+
+        return $start->append($matches[2], $end)->toString();
+    }
+
+    /**
+     * Cap a string with a single instance of a given value.
+     *
+     * @param  string  $value
+     * @param  string  $cap
+     * @return string
+     */
+    public static function finish($value, $cap)
+    {
+        $quoted = preg_quote($cap, '/');
+
+        return preg_replace('/(?:'.$quoted.')+$/u', '', $value).$cap;
+    }
+
+    /**
+     * Wrap the string with the given strings.
+     *
+     * @param  string  $value
+     * @param  string  $before
+     * @param  string|null  $after
+     * @return string
+     */
+    public static function wrap($value, $before, $after = null)
+    {
+        return $before.$value.($after ??= $before);
+    }
+
+    /**
+     * Determine if a given string matches a given pattern.
+     *
+     * @param  string|iterable<string>  $pattern
+     * @param  string  $value
+     * @return bool
+     */
+    public static function is($pattern, $value)
+    {
+        $value = (string) $value;
+
+        if (! is_iterable($pattern)) {
+            $pattern = [$pattern];
+        }
+
+        foreach ($pattern as $pattern) {
+            $pattern = (string) $pattern;
+
+            // If the given value is an exact match we can of course return true right
+            // from the beginning. Otherwise, we will translate asterisks and do an
+            // actual pattern match against the two strings to see if they match.
+            if ($pattern === $value) {
+                return true;
+            }
+
+            $pattern = preg_quote($pattern, '#');
+
+            // Asterisks are translated into zero-or-more regular expression wildcards
+            // to make it convenient to check if the strings starts with the given
+            // pattern such as "library/*", making any string check convenient.
+            $pattern = str_replace('\*', '.*', $pattern);
+
+            if (preg_match('#^'.$pattern.'\z#u', $value) === 1) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Determine if a given string is 7 bit ASCII.
+     *
+     * @param  string  $value
+     * @return bool
+     */
+    public static function isAscii($value)
+    {
+        return ASCII::is_ascii((string) $value);
+    }
+
+    /**
+     * Determine if a given string is valid JSON.
+     *
+     * @param  string  $value
+     * @return bool
+     */
+    public static function isJson($value)
+    {
+        if (! is_string($value)) {
+            return false;
+        }
+
+        try {
+            json_decode($value, true, 512, JSON_THROW_ON_ERROR);
+        } catch (JsonException) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Determine if a given string is a valid UUID.
+     *
+     * @param  string  $value
+     * @return bool
+     */
+    public static function isUuid($value)
+    {
+        if (! is_string($value)) {
+            return false;
+        }
+
+        return preg_match('/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iD', $value) > 0;
+    }
+
+    /**
+     * Determine if a given string is a valid ULID.
+     *
+     * @param  string  $value
+     * @return bool
+     */
+    public static function isUlid($value)
+    {
+        if (! is_string($value)) {
+            return false;
+        }
+
+        return Ulid::isValid($value);
+    }
+
+    /**
+     * Convert a string to kebab case.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function kebab($value)
+    {
+        return static::snake($value, '-');
+    }
+
+    /**
+     * Return the length of the given string.
+     *
+     * @param  string  $value
+     * @param  string|null  $encoding
+     * @return int
+     */
+    public static function length($value, $encoding = null)
+    {
+        if ($encoding) {
+            return mb_strlen($value, $encoding);
+        }
+
+        return mb_strlen($value);
+    }
+
+    /**
+     * Limit the number of characters in a string.
+     *
+     * @param  string  $value
+     * @param  int  $limit
+     * @param  string  $end
+     * @return string
+     */
+    public static function limit($value, $limit = 100, $end = '...')
+    {
+        if (mb_strwidth($value, 'UTF-8') <= $limit) {
+            return $value;
+        }
+
+        return rtrim(mb_strimwidth($value, 0, $limit, '', 'UTF-8')).$end;
+    }
+
+    /**
+     * Convert the given string to lower-case.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function lower($value)
+    {
+        return mb_strtolower($value, 'UTF-8');
+    }
+
+    /**
+     * Limit the number of words in a string.
+     *
+     * @param  string  $value
+     * @param  int  $words
+     * @param  string  $end
+     * @return string
+     */
+    public static function words($value, $words = 100, $end = '...')
+    {
+        preg_match('/^\s*+(?:\S++\s*+){1,'.$words.'}/u', $value, $matches);
+
+        if (! isset($matches[0]) || static::length($value) === static::length($matches[0])) {
+            return $value;
+        }
+
+        return rtrim($matches[0]).$end;
+    }
+
+    /**
+     * Converts GitHub flavored Markdown into HTML.
+     *
+     * @param  string  $string
+     * @param  array  $options
+     * @return string
+     */
+    public static function markdown($string, array $options = [])
+    {
+        $converter = new GithubFlavoredMarkdownConverter($options);
+
+        return (string) $converter->convert($string);
+    }
+
+    /**
+     * Converts inline Markdown into HTML.
+     *
+     * @param  string  $string
+     * @param  array  $options
+     * @return string
+     */
+    public static function inlineMarkdown($string, array $options = [])
+    {
+        $environment = new Environment($options);
+
+        $environment->addExtension(new GithubFlavoredMarkdownExtension());
+        $environment->addExtension(new InlinesOnlyExtension());
+
+        $converter = new MarkdownConverter($environment);
+
+        return (string) $converter->convert($string);
+    }
+
+    /**
+     * Masks a portion of a string with a repeated character.
+     *
+     * @param  string  $string
+     * @param  string  $character
+     * @param  int  $index
+     * @param  int|null  $length
+     * @param  string  $encoding
+     * @return string
+     */
+    public static function mask($string, $character, $index, $length = null, $encoding = 'UTF-8')
+    {
+        if ($character === '') {
+            return $string;
+        }
+
+        $segment = mb_substr($string, $index, $length, $encoding);
+
+        if ($segment === '') {
+            return $string;
+        }
+
+        $strlen = mb_strlen($string, $encoding);
+        $startIndex = $index;
+
+        if ($index < 0) {
+            $startIndex = $index < -$strlen ? 0 : $strlen + $index;
+        }
+
+        $start = mb_substr($string, 0, $startIndex, $encoding);
+        $segmentLen = mb_strlen($segment, $encoding);
+        $end = mb_substr($string, $startIndex + $segmentLen);
+
+        return $start.str_repeat(mb_substr($character, 0, 1, $encoding), $segmentLen).$end;
+    }
+
+    /**
+     * Get the string matching the given pattern.
+     *
+     * @param  string  $pattern
+     * @param  string  $subject
+     * @return string
+     */
+    public static function match($pattern, $subject)
+    {
+        preg_match($pattern, $subject, $matches);
+
+        if (! $matches) {
+            return '';
+        }
+
+        return $matches[1] ?? $matches[0];
+    }
+
+    /**
+     * Get the string matching the given pattern.
+     *
+     * @param  string  $pattern
+     * @param  string  $subject
+     * @return \Tightenco\Collect\Support\Collection
+     */
+    public static function matchAll($pattern, $subject)
+    {
+        preg_match_all($pattern, $subject, $matches);
+
+        if (empty($matches[0])) {
+            return collect();
+        }
+
+        return collect($matches[1] ?? $matches[0]);
+    }
+
+    /**
+     * Pad both sides of a string with another.
+     *
+     * @param  string  $value
+     * @param  int  $length
+     * @param  string  $pad
+     * @return string
+     */
+    public static function padBoth($value, $length, $pad = ' ')
+    {
+        $short = max(0, $length - mb_strlen($value));
+        $shortLeft = floor($short / 2);
+        $shortRight = ceil($short / 2);
+
+        return mb_substr(str_repeat($pad, $shortLeft), 0, $shortLeft).
+               $value.
+               mb_substr(str_repeat($pad, $shortRight), 0, $shortRight);
+    }
+
+    /**
+     * Pad the left side of a string with another.
+     *
+     * @param  string  $value
+     * @param  int  $length
+     * @param  string  $pad
+     * @return string
+     */
+    public static function padLeft($value, $length, $pad = ' ')
+    {
+        $short = max(0, $length - mb_strlen($value));
+
+        return mb_substr(str_repeat($pad, $short), 0, $short).$value;
+    }
+
+    /**
+     * Pad the right side of a string with another.
+     *
+     * @param  string  $value
+     * @param  int  $length
+     * @param  string  $pad
+     * @return string
+     */
+    public static function padRight($value, $length, $pad = ' ')
+    {
+        $short = max(0, $length - mb_strlen($value));
+
+        return $value.mb_substr(str_repeat($pad, $short), 0, $short);
+    }
+
+    /**
+     * Parse a Class[@]method style callback into class and method.
+     *
+     * @param  string  $callback
+     * @param  string|null  $default
+     * @return array<int, string|null>
+     */
+    public static function parseCallback($callback, $default = null)
+    {
+        return static::contains($callback, '@') ? explode('@', $callback, 2) : [$callback, $default];
+    }
+
+    /**
+     * Get the plural form of an English word.
+     *
+     * @param  string  $value
+     * @param  int|array|\Countable  $count
+     * @return string
+     */
+    public static function plural($value, $count = 2)
+    {
+        return Pluralizer::plural($value, $count);
+    }
+
+    /**
+     * Pluralize the last word of an English, studly caps case string.
+     *
+     * @param  string  $value
+     * @param  int|array|\Countable  $count
+     * @return string
+     */
+    public static function pluralStudly($value, $count = 2)
+    {
+        $parts = preg_split('/(.)(?=[A-Z])/u', $value, -1, PREG_SPLIT_DELIM_CAPTURE);
+
+        $lastWord = array_pop($parts);
+
+        return implode('', $parts).self::plural($lastWord, $count);
+    }
+
+    /**
+     * Generate a more truly "random" alpha-numeric string.
+     *
+     * @param  int  $length
+     * @return string
+     */
+    public static function random($length = 16)
+    {
+        return (static::$randomStringFactory ?? function ($length) {
+            $string = '';
+
+            while (($len = strlen($string)) < $length) {
+                $size = $length - $len;
+
+                $bytesSize = (int) ceil($size / 3) * 3;
+
+                $bytes = random_bytes($bytesSize);
+
+                $string .= substr(str_replace(['/', '+', '='], '', base64_encode($bytes)), 0, $size);
+            }
+
+            return $string;
+        })($length);
+    }
+
+    /**
+     * Set the callable that will be used to generate random strings.
+     *
+     * @param  callable|null  $factory
+     * @return void
+     */
+    public static function createRandomStringsUsing(callable $factory = null)
+    {
+        static::$randomStringFactory = $factory;
+    }
+
+    /**
+     * Set the sequence that will be used to generate random strings.
+     *
+     * @param  array  $sequence
+     * @param  callable|null  $whenMissing
+     * @return void
+     */
+    public static function createRandomStringsUsingSequence(array $sequence, $whenMissing = null)
+    {
+        $next = 0;
+
+        $whenMissing ??= function ($length) use (&$next) {
+            $factoryCache = static::$randomStringFactory;
+
+            static::$randomStringFactory = null;
+
+            $randomString = static::random($length);
+
+            static::$randomStringFactory = $factoryCache;
+
+            $next++;
+
+            return $randomString;
+        };
+
+        static::createRandomStringsUsing(function ($length) use (&$next, $sequence, $whenMissing) {
+            if (array_key_exists($next, $sequence)) {
+                return $sequence[$next++];
+            }
+
+            return $whenMissing($length);
+        });
+    }
+
+    /**
+     * Indicate that random strings should be created normally and not using a custom factory.
+     *
+     * @return void
+     */
+    public static function createRandomStringsNormally()
+    {
+        static::$randomStringFactory = null;
+    }
+
+    /**
+     * Repeat the given string.
+     *
+     * @param  string  $string
+     * @param  int  $times
+     * @return string
+     */
+    public static function repeat(string $string, int $times)
+    {
+        return str_repeat($string, $times);
+    }
+
+    /**
+     * Replace a given value in the string sequentially with an array.
+     *
+     * @param  string  $search
+     * @param  iterable<string>  $replace
+     * @param  string  $subject
+     * @return string
+     */
+    public static function replaceArray($search, $replace, $subject)
+    {
+        if ($replace instanceof Traversable) {
+            $replace = collect($replace)->all();
+        }
+
+        $segments = explode($search, $subject);
+
+        $result = array_shift($segments);
+
+        foreach ($segments as $segment) {
+            $result .= (array_shift($replace) ?? $search).$segment;
+        }
+
+        return $result;
+    }
+
+    /**
+     * Replace the given value in the given string.
+     *
+     * @param  string|iterable<string>  $search
+     * @param  string|iterable<string>  $replace
+     * @param  string|iterable<string>  $subject
+     * @return string
+     */
+    public static function replace($search, $replace, $subject)
+    {
+        if ($search instanceof Traversable) {
+            $search = collect($search)->all();
+        }
+
+        if ($replace instanceof Traversable) {
+            $replace = collect($replace)->all();
+        }
+
+        if ($subject instanceof Traversable) {
+            $subject = collect($subject)->all();
+        }
+
+        return str_replace($search, $replace, $subject);
+    }
+
+    /**
+     * Replace the first occurrence of a given value in the string.
+     *
+     * @param  string  $search
+     * @param  string  $replace
+     * @param  string  $subject
+     * @return string
+     */
+    public static function replaceFirst($search, $replace, $subject)
+    {
+        $search = (string) $search;
+
+        if ($search === '') {
+            return $subject;
+        }
+
+        $position = strpos($subject, $search);
+
+        if ($position !== false) {
+            return substr_replace($subject, $replace, $position, strlen($search));
+        }
+
+        return $subject;
+    }
+
+    /**
+     * Replace the last occurrence of a given value in the string.
+     *
+     * @param  string  $search
+     * @param  string  $replace
+     * @param  string  $subject
+     * @return string
+     */
+    public static function replaceLast($search, $replace, $subject)
+    {
+        if ($search === '') {
+            return $subject;
+        }
+
+        $position = strrpos($subject, $search);
+
+        if ($position !== false) {
+            return substr_replace($subject, $replace, $position, strlen($search));
+        }
+
+        return $subject;
+    }
+
+    /**
+     * Remove any occurrence of the given string in the subject.
+     *
+     * @param  string|iterable<string>  $search
+     * @param  string  $subject
+     * @param  bool  $caseSensitive
+     * @return string
+     */
+    public static function remove($search, $subject, $caseSensitive = true)
+    {
+        if ($search instanceof Traversable) {
+            $search = collect($search)->all();
+        }
+
+        $subject = $caseSensitive
+                    ? str_replace($search, '', $subject)
+                    : str_ireplace($search, '', $subject);
+
+        return $subject;
+    }
+
+    /**
+     * Reverse the given string.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function reverse(string $value)
+    {
+        return implode(array_reverse(mb_str_split($value)));
+    }
+
+    /**
+     * Begin a string with a single instance of a given value.
+     *
+     * @param  string  $value
+     * @param  string  $prefix
+     * @return string
+     */
+    public static function start($value, $prefix)
+    {
+        $quoted = preg_quote($prefix, '/');
+
+        return $prefix.preg_replace('/^(?:'.$quoted.')+/u', '', $value);
+    }
+
+    /**
+     * Convert the given string to upper-case.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function upper($value)
+    {
+        return mb_strtoupper($value, 'UTF-8');
+    }
+
+    /**
+     * Convert the given string to title case.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function title($value)
+    {
+        return mb_convert_case($value, MB_CASE_TITLE, 'UTF-8');
+    }
+
+    /**
+     * Convert the given string to title case for each word.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function headline($value)
+    {
+        $parts = explode(' ', $value);
+
+        $parts = count($parts) > 1
+            ? array_map([static::class, 'title'], $parts)
+            : array_map([static::class, 'title'], static::ucsplit(implode('_', $parts)));
+
+        $collapsed = static::replace(['-', '_', ' '], '_', implode('_', $parts));
+
+        return implode(' ', array_filter(explode('_', $collapsed)));
+    }
+
+    /**
+     * Get the singular form of an English word.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function singular($value)
+    {
+        return Pluralizer::singular($value);
+    }
+
+    /**
+     * Generate a URL friendly "slug" from a given string.
+     *
+     * @param  string  $title
+     * @param  string  $separator
+     * @param  string|null  $language
+     * @param  array<string, string>  $dictionary
+     * @return string
+     */
+    public static function slug($title, $separator = '-', $language = 'en', $dictionary = ['@' => 'at'])
+    {
+        $title = $language ? static::ascii($title, $language) : $title;
+
+        // Convert all dashes/underscores into separator
+        $flip = $separator === '-' ? '_' : '-';
+
+        $title = preg_replace('!['.preg_quote($flip).']+!u', $separator, $title);
+
+        // Replace dictionary words
+        foreach ($dictionary as $key => $value) {
+            $dictionary[$key] = $separator.$value.$separator;
+        }
+
+        $title = str_replace(array_keys($dictionary), array_values($dictionary), $title);
+
+        // Remove all characters that are not the separator, letters, numbers, or whitespace
+        $title = preg_replace('![^'.preg_quote($separator).'\pL\pN\s]+!u', '', static::lower($title));
+
+        // Replace all separator characters and whitespace by a single separator
+        $title = preg_replace('!['.preg_quote($separator).'\s]+!u', $separator, $title);
+
+        return trim($title, $separator);
+    }
+
+    /**
+     * Convert a string to snake case.
+     *
+     * @param  string  $value
+     * @param  string  $delimiter
+     * @return string
+     */
+    public static function snake($value, $delimiter = '_')
+    {
+        $key = $value;
+
+        if (isset(static::$snakeCache[$key][$delimiter])) {
+            return static::$snakeCache[$key][$delimiter];
+        }
+
+        if (! ctype_lower($value)) {
+            $value = preg_replace('/\s+/u', '', ucwords($value));
+
+            $value = static::lower(preg_replace('/(.)(?=[A-Z])/u', '$1'.$delimiter, $value));
+        }
+
+        return static::$snakeCache[$key][$delimiter] = $value;
+    }
+
+    /**
+     * Remove all "extra" blank space from the given string.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function squish($value)
+    {
+        return preg_replace('~(\s|\x{3164})+~u', ' ', preg_replace('~^[\s\x{FEFF}]+|[\s\x{FEFF}]+$~u', '', $value));
+    }
+
+    /**
+     * Determine if a given string starts with a given substring.
+     *
+     * @param  string  $haystack
+     * @param  string|iterable<string>  $needles
+     * @return bool
+     */
+    public static function startsWith($haystack, $needles)
+    {
+        if (! is_iterable($needles)) {
+            $needles = [$needles];
+        }
+
+        foreach ($needles as $needle) {
+            if ((string) $needle !== '' && str_starts_with($haystack, $needle)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Convert a value to studly caps case.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public static function studly($value)
+    {
+        $key = $value;
+
+        if (isset(static::$studlyCache[$key])) {
+            return static::$studlyCache[$key];
+        }
+
+        $words = explode(' ', static::replace(['-', '_'], ' ', $value));
+
+        $studlyWords = array_map(fn ($word) => static::ucfirst($word), $words);
+
+        return static::$studlyCache[$key] = implode($studlyWords);
+    }
+
+    /**
+     * Returns the portion of the string specified by the start and length parameters.
+     *
+     * @param  string  $string
+     * @param  int  $start
+     * @param  int|null  $length
+     * @param  string  $encoding
+     * @return string
+     */
+    public static function substr($string, $start, $length = null, $encoding = 'UTF-8')
+    {
+        return mb_substr($string, $start, $length, $encoding);
+    }
+
+    /**
+     * Returns the number of substring occurrences.
+     *
+     * @param  string  $haystack
+     * @param  string  $needle
+     * @param  int  $offset
+     * @param  int|null  $length
+     * @return int
+     */
+    public static function substrCount($haystack, $needle, $offset = 0, $length = null)
+    {
+        if (! is_null($length)) {
+            return substr_count($haystack, $needle, $offset, $length);
+        }
+
+        return substr_count($haystack, $needle, $offset);
+    }
+
+    /**
+     * Replace text within a portion of a string.
+     *
+     * @param  string|string[]  $string
+     * @param  string|string[]  $replace
+     * @param  int|int[]  $offset
+     * @param  int|int[]|null  $length
+     * @return string|string[]
+     */
+    public static function substrReplace($string, $replace, $offset = 0, $length = null)
+    {
+        if ($length === null) {
+            $length = strlen($string);
+        }
+
+        return substr_replace($string, $replace, $offset, $length);
+    }
+
+    /**
+     * Swap multiple keywords in a string with other keywords.
+     *
+     * @param  array  $map
+     * @param  string  $subject
+     * @return string
+     */
+    public static function swap(array $map, $subject)
+    {
+        return strtr($subject, $map);
+    }
+
+    /**
+     * Make a string's first character lowercase.
+     *
+     * @param  string  $string
+     * @return string
+     */
+    public static function lcfirst($string)
+    {
+        return static::lower(static::substr($string, 0, 1)).static::substr($string, 1);
+    }
+
+    /**
+     * Make a string's first character uppercase.
+     *
+     * @param  string  $string
+     * @return string
+     */
+    public static function ucfirst($string)
+    {
+        return static::upper(static::substr($string, 0, 1)).static::substr($string, 1);
+    }
+
+    /**
+     * Split a string into pieces by uppercase characters.
+     *
+     * @param  string  $string
+     * @return string[]
+     */
+    public static function ucsplit($string)
+    {
+        return preg_split('/(?=\p{Lu})/u', $string, -1, PREG_SPLIT_NO_EMPTY);
+    }
+
+    /**
+     * Get the number of words a string contains.
+     *
+     * @param  string  $string
+     * @param  string|null  $characters
+     * @return int
+     */
+    public static function wordCount($string, $characters = null)
+    {
+        return str_word_count($string, 0, $characters);
+    }
+
+    /**
+     * Generate a UUID (version 4).
+     *
+     * @return \Ramsey\Uuid\UuidInterface
+     */
+    public static function uuid()
+    {
+        return static::$uuidFactory
+                    ? call_user_func(static::$uuidFactory)
+                    : Uuid::uuid4();
+    }
+
+    /**
+     * Generate a time-ordered UUID (version 4).
+     *
+     * @return \Ramsey\Uuid\UuidInterface
+     */
+    public static function orderedUuid()
+    {
+        if (static::$uuidFactory) {
+            return call_user_func(static::$uuidFactory);
+        }
+
+        $factory = new UuidFactory;
+
+        $factory->setRandomGenerator(new CombGenerator(
+            $factory->getRandomGenerator(),
+            $factory->getNumberConverter()
+        ));
+
+        $factory->setCodec(new TimestampFirstCombCodec(
+            $factory->getUuidBuilder()
+        ));
+
+        return $factory->uuid4();
+    }
+
+    /**
+     * Set the callable that will be used to generate UUIDs.
+     *
+     * @param  callable|null  $factory
+     * @return void
+     */
+    public static function createUuidsUsing(callable $factory = null)
+    {
+        static::$uuidFactory = $factory;
+    }
+
+    /**
+     * Set the sequence that will be used to generate UUIDs.
+     *
+     * @param  array  $sequence
+     * @param  callable|null  $whenMissing
+     * @return void
+     */
+    public static function createUuidsUsingSequence(array $sequence, $whenMissing = null)
+    {
+        $next = 0;
+
+        $whenMissing ??= function () use (&$next) {
+            $factoryCache = static::$uuidFactory;
+
+            static::$uuidFactory = null;
+
+            $uuid = static::uuid();
+
+            static::$uuidFactory = $factoryCache;
+
+            $next++;
+
+            return $uuid;
+        };
+
+        static::createUuidsUsing(function () use (&$next, $sequence, $whenMissing) {
+            if (array_key_exists($next, $sequence)) {
+                return $sequence[$next++];
+            }
+
+            return $whenMissing();
+        });
+    }
+
+    /**
+     * Always return the same UUID when generating new UUIDs.
+     *
+     * @param  \Closure|null  $callback
+     * @return \Ramsey\Uuid\UuidInterface
+     */
+    public static function freezeUuids(Closure $callback = null)
+    {
+        $uuid = Str::uuid();
+
+        Str::createUuidsUsing(fn () => $uuid);
+
+        if ($callback !== null) {
+            try {
+                $callback($uuid);
+            } finally {
+                Str::createUuidsNormally();
+            }
+        }
+
+        return $uuid;
+    }
+
+    /**
+     * Indicate that UUIDs should be created normally and not using a custom factory.
+     *
+     * @return void
+     */
+    public static function createUuidsNormally()
+    {
+        static::$uuidFactory = null;
+    }
+
+    /**
+     * Generate a ULID.
+     *
+     * @return \Symfony\Component\Uid\Ulid
+     */
+    public static function ulid()
+    {
+        return new Ulid();
+    }
+
+    /**
+     * Remove all strings from the casing caches.
+     *
+     * @return void
+     */
+    public static function flushCache()
+    {
+        static::$snakeCache = [];
+        static::$camelCache = [];
+        static::$studlyCache = [];
+    }
+}
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/Conditionable.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/Conditionable.php
new file mode 100644
index 000000000..f52499233
--- /dev/null
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/Conditionable.php
@@ -0,0 +1,73 @@
+<?php
+
+namespace Tightenco\Collect\Support\Traits;
+
+use Closure;
+use Tightenco\Collect\Conditionable\HigherOrderWhenProxy;
+
+trait Conditionable
+{
+    /**
+     * Apply the callback if the given "value" is (or resolves to) truthy.
+     *
+     * @template TWhenParameter
+     * @template TWhenReturnType
+     *
+     * @param  (\Closure($this): TWhenParameter)|TWhenParameter|null  $value
+     * @param  (callable($this, TWhenParameter): TWhenReturnType)|null  $callback
+     * @param  (callable($this, TWhenParameter): TWhenReturnType)|null  $default
+     * @return $this|TWhenReturnType
+     */
+    public function when($value = null, callable $callback = null, callable $default = null)
+    {
+        $value = $value instanceof Closure ? $value($this) : $value;
+
+        if (func_num_args() === 0) {
+            return new HigherOrderWhenProxy($this);
+        }
+
+        if (func_num_args() === 1) {
+            return (new HigherOrderWhenProxy($this))->condition($value);
+        }
+
+        if ($value) {
+            return $callback($this, $value) ?? $this;
+        } elseif ($default) {
+            return $default($this, $value) ?? $this;
+        }
+
+        return $this;
+    }
+
+    /**
+     * Apply the callback if the given "value" is (or resolves to) falsy.
+     *
+     * @template TUnlessParameter
+     * @template TUnlessReturnType
+     *
+     * @param  (\Closure($this): TUnlessParameter)|TUnlessParameter|null  $value
+     * @param  (callable($this, TUnlessParameter): TUnlessReturnType)|null  $callback
+     * @param  (callable($this, TUnlessParameter): TUnlessReturnType)|null  $default
+     * @return $this|TUnlessReturnType
+     */
+    public function unless($value = null, callable $callback = null, callable $default = null)
+    {
+        $value = $value instanceof Closure ? $value($this) : $value;
+
+        if (func_num_args() === 0) {
+            return (new HigherOrderWhenProxy($this))->negateConditionOnCapture();
+        }
+
+        if (func_num_args() === 1) {
+            return (new HigherOrderWhenProxy($this))->condition(! $value);
+        }
+
+        if (! $value) {
+            return $callback($this, $value) ?? $this;
+        } elseif ($default) {
+            return $default($this, $value) ?? $this;
+        }
+
+        return $this;
+    }
+}
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/EnumeratesValues.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/EnumeratesValues.php
index 2600a2238..25cde2216 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/EnumeratesValues.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/Traits/EnumeratesValues.php
@@ -11,13 +11,16 @@ use Tightenco\Collect\Support\Arr;
 use Tightenco\Collect\Support\Collection;
 use Tightenco\Collect\Support\Enumerable;
 use Tightenco\Collect\Support\HigherOrderCollectionProxy;
-use Tightenco\Collect\Support\HigherOrderWhenProxy;
 use JsonSerializable;
 use Symfony\Component\VarDumper\VarDumper;
 use Traversable;
 use UnexpectedValueException;
+use UnitEnum;
 
 /**
+ * @template TKey of array-key
+ * @template TValue
+ *
  * @property-read HigherOrderCollectionProxy $average
  * @property-read HigherOrderCollectionProxy $avg
  * @property-read HigherOrderCollectionProxy $contains
@@ -34,19 +37,23 @@ use UnexpectedValueException;
  * @property-read HigherOrderCollectionProxy $min
  * @property-read HigherOrderCollectionProxy $partition
  * @property-read HigherOrderCollectionProxy $reject
+ * @property-read HigherOrderCollectionProxy $skipUntil
+ * @property-read HigherOrderCollectionProxy $skipWhile
  * @property-read HigherOrderCollectionProxy $some
  * @property-read HigherOrderCollectionProxy $sortBy
  * @property-read HigherOrderCollectionProxy $sortByDesc
- * @property-read HigherOrderCollectionProxy $skipUntil
- * @property-read HigherOrderCollectionProxy $skipWhile
  * @property-read HigherOrderCollectionProxy $sum
  * @property-read HigherOrderCollectionProxy $takeUntil
  * @property-read HigherOrderCollectionProxy $takeWhile
  * @property-read HigherOrderCollectionProxy $unique
+ * @property-read HigherOrderCollectionProxy $unless
  * @property-read HigherOrderCollectionProxy $until
+ * @property-read HigherOrderCollectionProxy $when
  */
 trait EnumeratesValues
 {
+    use Conditionable;
+
     /**
      * Indicates that the object's string representation should be escaped when __toString is invoked.
      *
@@ -57,7 +64,7 @@ trait EnumeratesValues
     /**
      * The methods that can be proxied.
      *
-     * @var string[]
+     * @var array<int, string>
      */
     protected static $proxies = [
         'average',
@@ -85,14 +92,19 @@ trait EnumeratesValues
         'takeUntil',
         'takeWhile',
         'unique',
+        'unless',
         'until',
+        'when',
     ];
 
     /**
      * Create a new collection instance if the value isn't one already.
      *
-     * @param  mixed  $items
-     * @return static
+     * @template TMakeKey of array-key
+     * @template TMakeValue
+     *
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable<TMakeKey, TMakeValue>|iterable<TMakeKey, TMakeValue>|null  $items
+     * @return static<TMakeKey, TMakeValue>
      */
     public static function make($items = [])
     {
@@ -102,8 +114,10 @@ trait EnumeratesValues
     /**
      * Wrap the given value in a collection if applicable.
      *
-     * @param  mixed  $value
-     * @return static
+     * @template TWrapValue
+     *
+     * @param  iterable<array-key, TWrapValue>|TWrapValue  $value
+     * @return static<array-key, TWrapValue>
      */
     public static function wrap($value)
     {
@@ -115,8 +129,11 @@ trait EnumeratesValues
     /**
      * Get the underlying items from the given collection if applicable.
      *
-     * @param  array|static  $value
-     * @return array
+     * @template TUnwrapKey of array-key
+     * @template TUnwrapValue
+     *
+     * @param  array<TUnwrapKey, TUnwrapValue>|static<TUnwrapKey, TUnwrapValue>  $value
+     * @return array<TUnwrapKey, TUnwrapValue>
      */
     public static function unwrap($value)
     {
@@ -136,9 +153,11 @@ trait EnumeratesValues
     /**
      * Create a new collection by invoking the callback a given amount of times.
      *
+     * @template TTimesValue
+     *
      * @param  int  $number
-     * @param  callable|null  $callback
-     * @return static
+     * @param  (callable(int): TTimesValue)|null  $callback
+     * @return static<int, TTimesValue>
      */
     public static function times($number, callable $callback = null)
     {
@@ -147,15 +166,15 @@ trait EnumeratesValues
         }
 
         return static::range(1, $number)
-            ->when($callback)
+            ->unless($callback == null)
             ->map($callback);
     }
 
     /**
      * Alias for the "avg" method.
      *
-     * @param  callable|string|null  $callback
-     * @return mixed
+     * @param  (callable(TValue): float|int)|string|null  $callback
+     * @return float|int|null
      */
     public function average($callback = null)
     {
@@ -165,7 +184,7 @@ trait EnumeratesValues
     /**
      * Alias for the "contains" method.
      *
-     * @param  mixed  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
@@ -175,39 +194,11 @@ trait EnumeratesValues
         return $this->contains(...func_get_args());
     }
 
-    /**
-     * Determine if an item exists, using strict comparison.
-     *
-     * @param  mixed  $key
-     * @param  mixed  $value
-     * @return bool
-     */
-    public function containsStrict($key, $value = null)
-    {
-        if (func_num_args() === 2) {
-            return $this->contains(function ($item) use ($key, $value) {
-                return data_get($item, $key) === $value;
-            });
-        }
-
-        if ($this->useAsCallable($key)) {
-            return ! is_null($this->first($key));
-        }
-
-        foreach ($this as $item) {
-            if ($item === $key) {
-                return true;
-            }
-        }
-
-        return false;
-    }
-
     /**
      * Dump the items and end the script.
      *
      * @param  mixed  ...$args
-     * @return void
+     * @return never
      */
     public function dd(...$args)
     {
@@ -235,7 +226,7 @@ trait EnumeratesValues
     /**
      * Execute a callback over each item.
      *
-     * @param  callable  $callback
+     * @param  callable(TValue, TKey): mixed  $callback
      * @return $this
      */
     public function each(callable $callback)
@@ -252,7 +243,7 @@ trait EnumeratesValues
     /**
      * Execute a callback over each nested chunk of items.
      *
-     * @param  callable  $callback
+     * @param  callable(...mixed): mixed  $callback
      * @return static
      */
     public function eachSpread(callable $callback)
@@ -267,7 +258,7 @@ trait EnumeratesValues
     /**
      * Determine if all items pass the given truth test.
      *
-     * @param  string|callable  $key
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return bool
@@ -292,16 +283,32 @@ trait EnumeratesValues
     /**
      * Get the first item by the given key value pair.
      *
-     * @param  string  $key
+     * @param  callable|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
-     * @return mixed
+     * @return TValue|null
      */
     public function firstWhere($key, $operator = null, $value = null)
     {
         return $this->first($this->operatorForWhere(...func_get_args()));
     }
 
+    /**
+     * Get a single key's value from the first matching item in the collection.
+     *
+     * @param  string  $key
+     * @param  mixed  $default
+     * @return mixed
+     */
+    public function value($key, $default = null)
+    {
+        if ($value = $this->firstWhere($key)) {
+            return data_get($value, $key, $default);
+        }
+
+        return value($default);
+    }
+
     /**
      * Determine if the collection is not empty.
      *
@@ -315,8 +322,10 @@ trait EnumeratesValues
     /**
      * Run a map over each nested chunk of items.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapSpreadValue
+     *
+     * @param  callable(mixed): TMapSpreadValue  $callback
+     * @return static<TKey, TMapSpreadValue>
      */
     public function mapSpread(callable $callback)
     {
@@ -332,8 +341,11 @@ trait EnumeratesValues
      *
      * The callback should return an associative array with a single key/value pair.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TMapToGroupsKey of array-key
+     * @template TMapToGroupsValue
+     *
+     * @param  callable(TValue, TKey): array<TMapToGroupsKey, TMapToGroupsValue>  $callback
+     * @return static<TMapToGroupsKey, static<int, TMapToGroupsValue>>
      */
     public function mapToGroups(callable $callback)
     {
@@ -345,8 +357,11 @@ trait EnumeratesValues
     /**
      * Map a collection and flatten the result by a single level.
      *
-     * @param  callable  $callback
-     * @return static
+     * @template TFlatMapKey of array-key
+     * @template TFlatMapValue
+     *
+     * @param  callable(TValue, TKey): (\Tightenco\Collect\Support\Collection<TFlatMapKey, TFlatMapValue>|array<TFlatMapKey, TFlatMapValue>)  $callback
+     * @return static<TFlatMapKey, TFlatMapValue>
      */
     public function flatMap(callable $callback)
     {
@@ -356,48 +371,42 @@ trait EnumeratesValues
     /**
      * Map the values into a new class.
      *
-     * @param  string  $class
-     * @return static
+     * @template TMapIntoValue
+     *
+     * @param  class-string<TMapIntoValue>  $class
+     * @return static<TKey, TMapIntoValue>
      */
     public function mapInto($class)
     {
-        return $this->map(function ($value, $key) use ($class) {
-            return new $class($value, $key);
-        });
+        return $this->map(fn ($value, $key) => new $class($value, $key));
     }
 
     /**
      * Get the min value of a given key.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue):mixed)|string|null  $callback
      * @return mixed
      */
     public function min($callback = null)
     {
         $callback = $this->valueRetriever($callback);
 
-        return $this->map(function ($value) use ($callback) {
-            return $callback($value);
-        })->filter(function ($value) {
-            return ! is_null($value);
-        })->reduce(function ($result, $value) {
-            return is_null($result) || $value < $result ? $value : $result;
-        });
+        return $this->map(fn ($value) => $callback($value))
+            ->filter(fn ($value) => ! is_null($value))
+            ->reduce(fn ($result, $value) => is_null($result) || $value < $result ? $value : $result);
     }
 
     /**
      * Get the max value of a given key.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue):mixed)|string|null  $callback
      * @return mixed
      */
     public function max($callback = null)
     {
         $callback = $this->valueRetriever($callback);
 
-        return $this->filter(function ($value) {
-            return ! is_null($value);
-        })->reduce(function ($result, $item) use ($callback) {
+        return $this->filter(fn ($value) => ! is_null($value))->reduce(function ($result, $item) use ($callback) {
             $value = $callback($item);
 
             return is_null($result) || $value > $result ? $value : $result;
@@ -421,10 +430,10 @@ trait EnumeratesValues
     /**
      * Partition the collection into two arrays using the given callback or key.
      *
-     * @param  callable|string  $key
-     * @param  mixed  $operator
-     * @param  mixed  $value
-     * @return static
+     * @param  (callable(TValue, TKey): bool)|TValue|string  $key
+     * @param  TValue|string|null  $operator
+     * @param  TValue|null  $value
+     * @return static<int<0, 1>, static<TKey, TValue>>
      */
     public function partition($key, $operator = null, $value = null)
     {
@@ -449,7 +458,7 @@ trait EnumeratesValues
     /**
      * Get the sum of the given values.
      *
-     * @param  callable|string|null  $callback
+     * @param  (callable(TValue): mixed)|string|null  $callback
      * @return mixed
      */
     public function sum($callback = null)
@@ -458,40 +467,17 @@ trait EnumeratesValues
             ? $this->identity()
             : $this->valueRetriever($callback);
 
-        return $this->reduce(function ($result, $item) use ($callback) {
-            return $result + $callback($item);
-        }, 0);
-    }
-
-    /**
-     * Apply the callback if the value is truthy.
-     *
-     * @param  bool|mixed  $value
-     * @param  callable|null  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
-     */
-    public function when($value, callable $callback = null, callable $default = null)
-    {
-        if (! $callback) {
-            return new HigherOrderWhenProxy($this, $value);
-        }
-
-        if ($value) {
-            return $callback($this, $value);
-        } elseif ($default) {
-            return $default($this, $value);
-        }
-
-        return $this;
+        return $this->reduce(fn ($result, $item) => $result + $callback($item), 0);
     }
 
     /**
      * Apply the callback if the collection is empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TWhenEmptyReturnType
+     *
+     * @param  (callable($this): TWhenEmptyReturnType)  $callback
+     * @param  (callable($this): TWhenEmptyReturnType)|null  $default
+     * @return $this|TWhenEmptyReturnType
      */
     public function whenEmpty(callable $callback, callable $default = null)
     {
@@ -501,34 +487,25 @@ trait EnumeratesValues
     /**
      * Apply the callback if the collection is not empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TWhenNotEmptyReturnType
+     *
+     * @param  callable($this): TWhenNotEmptyReturnType  $callback
+     * @param  (callable($this): TWhenNotEmptyReturnType)|null  $default
+     * @return $this|TWhenNotEmptyReturnType
      */
     public function whenNotEmpty(callable $callback, callable $default = null)
     {
         return $this->when($this->isNotEmpty(), $callback, $default);
     }
 
-    /**
-     * Apply the callback if the value is falsy.
-     *
-     * @param  bool  $value
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
-     */
-    public function unless($value, callable $callback, callable $default = null)
-    {
-        return $this->when(! $value, $callback, $default);
-    }
-
     /**
      * Apply the callback unless the collection is empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TUnlessEmptyReturnType
+     *
+     * @param  callable($this): TUnlessEmptyReturnType  $callback
+     * @param  (callable($this): TUnlessEmptyReturnType)|null  $default
+     * @return $this|TUnlessEmptyReturnType
      */
     public function unlessEmpty(callable $callback, callable $default = null)
     {
@@ -538,9 +515,11 @@ trait EnumeratesValues
     /**
      * Apply the callback unless the collection is not empty.
      *
-     * @param  callable  $callback
-     * @param  callable|null  $default
-     * @return static|mixed
+     * @template TUnlessNotEmptyReturnType
+     *
+     * @param  callable($this): TUnlessNotEmptyReturnType  $callback
+     * @param  (callable($this): TUnlessNotEmptyReturnType)|null  $default
+     * @return $this|TUnlessNotEmptyReturnType
      */
     public function unlessNotEmpty(callable $callback, callable $default = null)
     {
@@ -550,7 +529,7 @@ trait EnumeratesValues
     /**
      * Filter items by the given key value pair.
      *
-     * @param  string  $key
+     * @param  callable|string  $key
      * @param  mixed  $operator
      * @param  mixed  $value
      * @return static
@@ -598,7 +577,7 @@ trait EnumeratesValues
      * Filter items by the given key value pair.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @param  bool  $strict
      * @return static
      */
@@ -606,16 +585,14 @@ trait EnumeratesValues
     {
         $values = $this->getArrayableItems($values);
 
-        return $this->filter(function ($item) use ($key, $values, $strict) {
-            return in_array(data_get($item, $key), $values, $strict);
-        });
+        return $this->filter(fn ($item) => in_array(data_get($item, $key), $values, $strict));
     }
 
     /**
      * Filter items by the given key value pair using strict comparison.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereInStrict($key, $values)
@@ -627,7 +604,7 @@ trait EnumeratesValues
      * Filter items such that the value of the given key is between the given values.
      *
      * @param  string  $key
-     * @param  array  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereBetween($key, $values)
@@ -639,21 +616,21 @@ trait EnumeratesValues
      * Filter items such that the value of the given key is not between the given values.
      *
      * @param  string  $key
-     * @param  array  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereNotBetween($key, $values)
     {
-        return $this->filter(function ($item) use ($key, $values) {
-            return data_get($item, $key) < reset($values) || data_get($item, $key) > end($values);
-        });
+        return $this->filter(
+            fn ($item) => data_get($item, $key) < reset($values) || data_get($item, $key) > end($values)
+        );
     }
 
     /**
      * Filter items by the given key value pair.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @param  bool  $strict
      * @return static
      */
@@ -661,16 +638,14 @@ trait EnumeratesValues
     {
         $values = $this->getArrayableItems($values);
 
-        return $this->reject(function ($item) use ($key, $values, $strict) {
-            return in_array(data_get($item, $key), $values, $strict);
-        });
+        return $this->reject(fn ($item) => in_array(data_get($item, $key), $values, $strict));
     }
 
     /**
      * Filter items by the given key value pair using strict comparison.
      *
      * @param  string  $key
-     * @param  mixed  $values
+     * @param  \Tightenco\Collect\Contracts\Support\Arrayable|iterable  $values
      * @return static
      */
     public function whereNotInStrict($key, $values)
@@ -681,8 +656,10 @@ trait EnumeratesValues
     /**
      * Filter the items, removing any items that don't match the given type(s).
      *
-     * @param  string|string[]  $type
-     * @return static
+     * @template TWhereInstanceOf
+     *
+     * @param  class-string<TWhereInstanceOf>|array<array-key, class-string<TWhereInstanceOf>>  $type
+     * @return static<TKey, TWhereInstanceOf>
      */
     public function whereInstanceOf($type)
     {
@@ -704,8 +681,10 @@ trait EnumeratesValues
     /**
      * Pass the collection to the given callback and return the result.
      *
-     * @param  callable  $callback
-     * @return mixed
+     * @template TPipeReturnType
+     *
+     * @param  callable($this): TPipeReturnType  $callback
+     * @return TPipeReturnType
      */
     public function pipe(callable $callback)
     {
@@ -715,7 +694,7 @@ trait EnumeratesValues
     /**
      * Pass the collection into a new class.
      *
-     * @param  string  $class
+     * @param  class-string  $class
      * @return mixed
      */
     public function pipeInto($class)
@@ -726,38 +705,26 @@ trait EnumeratesValues
     /**
      * Pass the collection through a series of callable pipes and return the result.
      *
-     * @param  array<callable>  $pipes
+     * @param  array<callable>  $callbacks
      * @return mixed
      */
-    public function pipeThrough($pipes)
+    public function pipeThrough($callbacks)
     {
-        return static::make($pipes)->reduce(
-            function ($carry, $pipe) {
-                return $pipe($carry);
-            },
+        return Collection::make($callbacks)->reduce(
+            fn ($carry, $callback) => $callback($carry),
             $this,
         );
     }
 
-    /**
-     * Pass the collection to the given callback and then return it.
-     *
-     * @param  callable  $callback
-     * @return $this
-     */
-    public function tap(callable $callback)
-    {
-        $callback(clone $this);
-
-        return $this;
-    }
-
     /**
      * Reduce the collection to a single value.
      *
-     * @param  callable  $callback
-     * @param  mixed  $initial
-     * @return mixed
+     * @template TReduceInitial
+     * @template TReduceReturnType
+     *
+     * @param  callable(TReduceInitial|TReduceReturnType, TValue, TKey): TReduceReturnType  $callback
+     * @param  TReduceInitial  $initial
+     * @return TReduceReturnType
      */
     public function reduce(callable $callback, $initial = null)
     {
@@ -770,22 +737,6 @@ trait EnumeratesValues
         return $result;
     }
 
-    /**
-     * Reduce the collection to multiple aggregate values.
-     *
-     * @param  callable  $callback
-     * @param  mixed  ...$initial
-     * @return array
-     *
-     * @deprecated Use "reduceSpread" instead
-     *
-     * @throws \UnexpectedValueException
-     */
-    public function reduceMany(callable $callback, ...$initial)
-    {
-        return $this->reduceSpread($callback, ...$initial);
-    }
-
     /**
      * Reduce the collection to multiple aggregate values.
      *
@@ -804,7 +755,7 @@ trait EnumeratesValues
 
             if (! is_array($result)) {
                 throw new UnexpectedValueException(sprintf(
-                    "%s::reduceMany expects reducer to return an array, but got a '%s' instead.",
+                    "%s::reduceSpread expects reducer to return an array, but got a '%s' instead.",
                     class_basename(static::class), gettype($result)
                 ));
             }
@@ -813,22 +764,10 @@ trait EnumeratesValues
         return $result;
     }
 
-    /**
-     * Reduce an associative collection to a single value.
-     *
-     * @param  callable  $callback
-     * @param  mixed  $initial
-     * @return mixed
-     */
-    public function reduceWithKeys(callable $callback, $initial = null)
-    {
-        return $this->reduce($callback, $initial);
-    }
-
     /**
      * Create a collection of all elements that do not pass a given truth test.
      *
-     * @param  callable|mixed  $callback
+     * @param  (callable(TValue, TKey): bool)|bool|TValue  $callback
      * @return static
      */
     public function reject($callback = true)
@@ -842,10 +781,45 @@ trait EnumeratesValues
         });
     }
 
+    /**
+     * Pass the collection to the given callback and then return it.
+     *
+     * @param  callable($this): mixed  $callback
+     * @return $this
+     */
+    public function tap(callable $callback)
+    {
+        $callback($this);
+
+        return $this;
+    }
+
+    /**
+     * Return only unique items from the collection array.
+     *
+     * @param  (callable(TValue, TKey): mixed)|string|null  $key
+     * @param  bool  $strict
+     * @return static
+     */
+    public function unique($key = null, $strict = false)
+    {
+        $callback = $this->valueRetriever($key);
+
+        $exists = [];
+
+        return $this->reject(function ($item, $key) use ($callback, $strict, &$exists) {
+            if (in_array($id = $callback($item, $key), $exists, $strict)) {
+                return true;
+            }
+
+            $exists[] = $id;
+        });
+    }
+
     /**
      * Return only unique items from the collection array using strict comparison.
      *
-     * @param  string|callable|null  $key
+     * @param  (callable(TValue, TKey): mixed)|string|null  $key
      * @return static
      */
     public function uniqueStrict($key = null)
@@ -856,7 +830,7 @@ trait EnumeratesValues
     /**
      * Collect the values into a collection.
      *
-     * @return \Tightenco\Collect\Support\Collection
+     * @return \Tightenco\Collect\Support\Collection<TKey, TValue>
      */
     public function collect()
     {
@@ -866,22 +840,19 @@ trait EnumeratesValues
     /**
      * Get the collection of items as a plain array.
      *
-     * @return array
+     * @return array<TKey, mixed>
      */
     public function toArray()
     {
-        return $this->map(function ($value) {
-            return $value instanceof Arrayable ? $value->toArray() : $value;
-        })->all();
+        return $this->map(fn ($value) => $value instanceof Arrayable ? $value->toArray() : $value)->all();
     }
 
     /**
      * Convert the object into something JSON serializable.
      *
-     * @return array
+     * @return array<TKey, mixed>
      */
-    #[\ReturnTypeWillChange]
-    public function jsonSerialize()
+    public function jsonSerialize(): array
     {
         return array_map(function ($value) {
             if ($value instanceof JsonSerializable) {
@@ -975,7 +946,7 @@ trait EnumeratesValues
      * Results array of items from Collection or Arrayable.
      *
      * @param  mixed  $items
-     * @return array
+     * @return array<TKey, TValue>
      */
     protected function getArrayableItems($items)
     {
@@ -985,12 +956,14 @@ trait EnumeratesValues
             return $items->all();
         } elseif ($items instanceof Arrayable) {
             return $items->toArray();
+        } elseif ($items instanceof Traversable) {
+            return iterator_to_array($items);
         } elseif ($items instanceof Jsonable) {
             return json_decode($items->toJson(), true);
         } elseif ($items instanceof JsonSerializable) {
             return (array) $items->jsonSerialize();
-        } elseif ($items instanceof Traversable) {
-            return iterator_to_array($items);
+        } elseif ($items instanceof UnitEnum) {
+            return [$items];
         }
 
         return (array) $items;
@@ -999,13 +972,17 @@ trait EnumeratesValues
     /**
      * Get an operator checker callback.
      *
-     * @param  string  $key
+     * @param  callable|string  $key
      * @param  string|null  $operator
      * @param  mixed  $value
      * @return \Closure
      */
     protected function operatorForWhere($key, $operator = null, $value = null)
     {
+        if ($this->useAsCallable($key)) {
+            return $key;
+        }
+
         if (func_num_args() === 1) {
             $value = true;
 
@@ -1041,6 +1018,7 @@ trait EnumeratesValues
                 case '>=':  return $retrieved >= $value;
                 case '===': return $retrieved === $value;
                 case '!==': return $retrieved !== $value;
+                case '<=>': return $retrieved <=> $value;
             }
         };
     }
@@ -1068,22 +1046,18 @@ trait EnumeratesValues
             return $value;
         }
 
-        return function ($item) use ($value) {
-            return data_get($item, $value);
-        };
+        return fn ($item) => data_get($item, $value);
     }
 
     /**
      * Make a function to check an item's equality.
      *
      * @param  mixed  $value
-     * @return \Closure
+     * @return \Closure(mixed): bool
      */
     protected function equality($value)
     {
-        return function ($item) use ($value) {
-            return $item === $value;
-        };
+        return fn ($item) => $item === $value;
     }
 
     /**
@@ -1094,20 +1068,16 @@ trait EnumeratesValues
      */
     protected function negate(Closure $callback)
     {
-        return function (...$params) use ($callback) {
-            return ! $callback(...$params);
-        };
+        return fn (...$params) => ! $callback(...$params);
     }
 
     /**
      * Make a function that returns what's passed to it.
      *
-     * @return \Closure
+     * @return \Closure(TValue): TValue
      */
     protected function identity()
     {
-        return function ($value) {
-            return $value;
-        };
+        return fn ($value) => $value;
     }
 }
diff --git a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/alias.php b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/alias.php
index a9c04063f..d2184d201 100644
--- a/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/alias.php
+++ b/data/web/inc/lib/vendor/tightenco/collect/src/Collect/Support/alias.php
@@ -9,7 +9,6 @@ $aliases = [
     Tightenco\Collect\Support\Collection::class => Illuminate\Support\Collection::class,
     Tightenco\Collect\Support\Enumerable::class => Illuminate\Support\Enumerable::class,
     Tightenco\Collect\Support\HigherOrderCollectionProxy::class => Illuminate\Support\HigherOrderCollectionProxy::class,
-    Tightenco\Collect\Support\HigherOrderWhenProxy::class => Illuminate\Support\HigherOrderWhenProxy::class,
     Tightenco\Collect\Support\LazyCollection::class => Illuminate\Support\LazyCollection::class,
     Tightenco\Collect\Support\Traits\EnumeratesValues::class => Illuminate\Support\Traits\EnumeratesValues::class,
 ];

From a06c78362a29eba6c5ecf1e4a2a6a65362301e1f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 10:31:14 +0100
Subject: [PATCH 102/378] [Web] add ldap idp

---
 data/conf/phpfpm/crons/keycloak-sync.php      |  17 +-
 data/conf/phpfpm/crons/ldap-sync.php          | 176 ++++++++++++
 data/conf/sogo/custom-sogo.js                 |  47 ++++
 data/web/inc/functions.auth.inc.php           | 253 ++++++++++++-----
 data/web/inc/functions.inc.php                | 262 ++++++++++++------
 data/web/inc/functions.mailbox.inc.php        |   8 +-
 data/web/inc/init_db.inc.php                  |   2 +-
 data/web/inc/sessions.inc.php                 |   2 +
 data/web/inc/triggers.inc.php                 |  58 ++--
 data/web/inc/vars.inc.php                     |   6 +-
 data/web/index.php                            |  18 +-
 data/web/js/site/admin.js                     |  33 ++-
 data/web/lang/lang.cs-cz.json                 |   8 +-
 data/web/lang/lang.de-de.json                 |   8 +-
 data/web/lang/lang.en-gb.json                 |  17 +-
 data/web/lang/lang.it-it.json                 |   8 +-
 data/web/lang/lang.pt-br.json                 |   8 +-
 data/web/lang/lang.ro-ro.json                 |   8 +-
 data/web/lang/lang.ru-ru.json                 |   7 +-
 data/web/lang/lang.sk-sk.json                 |   8 +-
 data/web/lang/lang.uk-ua.json                 |   8 +-
 data/web/lang/lang.zh-cn.json                 |   8 +-
 data/web/lang/lang.zh-tw.json                 |   8 +-
 data/web/sogo-auth.php                        |   7 +
 .../admin/tab-config-identity-provider.twig   | 138 +++++++++
 data/web/templates/edit/mailbox.twig          |   5 +
 data/web/templates/user/tab-user-auth.twig    |  16 +-
 27 files changed, 907 insertions(+), 237 deletions(-)
 create mode 100644 data/conf/phpfpm/crons/ldap-sync.php

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index da26ca5be..0525f9572 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -18,7 +18,7 @@ try {
   $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 }
 catch (PDOException $e) {
-  logMsg("danger", $e->getMessage());
+  logMsg("err", $e->getMessage());
   session_destroy();
   exit;
 }
@@ -68,11 +68,12 @@ $_SESSION['acl']['ratelimit'] = "1";
 $_SESSION['acl']['sogo_access'] = "1";
 $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
+$_SESSION['acl']['unlimited_quota'] = "1";
 
 // Init Keycloak Provider
 $iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
-if (intval($iam_settings['periodic_sync']) != 1 && $iam_settings['import_users'] != 1) {
+if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
   session_destroy();
   exit;
 }
@@ -127,18 +128,18 @@ while (true) {
   curl_close($ch);
   
   if ($code != 200){
-    logMsg("danger", "Recieved HTTP {$code}");
+    logMsg("err", "Recieved HTTP {$code}");
     session_destroy();
     exit;
   }
   try {
     $response = json_decode($response, true);
   } catch (Exception $e) {
-    logMsg("danger", $e->getMessage());
+    logMsg("err", $e->getMessage());
     break;
   }
   if (!is_array($response)){
-    logMsg("danger", "Recieved malformed response from keycloak api");
+    logMsg("err", "Recieved malformed response from keycloak api");
     break;
   }
   if (count($response) == 0) {
@@ -181,7 +182,7 @@ while (true) {
       }
     }
     if (!$mbox_template){
-      logMsg("warning", "No matching mapper found for mailbox_template");
+      logMsg("warning", "No matching attribute mapping found for user " . $user['email']);
       continue;
     }
 
@@ -191,14 +192,16 @@ while (true) {
       mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $user['email'])[1],
         'local_part' => explode('@', $user['email'])[0],
+        'name' => $user['firstName'] . " " . $user['lastName'],
         'authsource' => 'keycloak',
         'template' => $mbox_template
       ));
-    } else if ($row) {
+    } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
       // mailbox user does exist, sync attribtues...
       logMsg("info", "Syncing attributes for user " . $user['email']);
       mailbox('edit', 'mailbox_from_template', array(
         'username' => $user['email'],
+        'name' => $user['firstName'] . " " . $user['lastName'],
         'template' => $mbox_template
       ));
     } else {
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
new file mode 100644
index 000000000..5686bdacc
--- /dev/null
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -0,0 +1,176 @@
+<?php
+
+require_once(__DIR__ . '/../web/inc/vars.inc.php');
+if (file_exists(__DIR__ . '/../web/inc/vars.local.inc.php')) {
+  include_once(__DIR__ . '/../web/inc/vars.local.inc.php');
+}
+require_once __DIR__ . '/../web/inc/lib/vendor/autoload.php';
+
+// Init database
+//$dsn = $database_type . ':host=' . $database_host . ';dbname=' . $database_name;
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  logMsg("err", $e->getMessage());
+  session_destroy();
+  exit;
+}
+
+// Init Redis
+$redis = new Redis();
+try {
+  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  }
+  else {
+    $redis->connect('redis-mailcow', 6379);
+  }
+}
+catch (Exception $e) {
+  echo "Exiting: " . $e->getMessage();
+  session_destroy();
+  exit;
+}
+
+function logMsg($priority, $message, $task = "LDAP Sync") {
+  global $redis;
+
+  $finalMsg = array(
+    "time" => time(),
+    "priority" => $priority,
+    "task" => $task,
+    "message" => $message
+  );
+  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+}
+
+// Load core functions first
+require_once __DIR__ . '/../web/inc/functions.inc.php';
+require_once __DIR__ . '/../web/inc/functions.auth.inc.php';
+require_once __DIR__ . '/../web/inc/sessions.inc.php';
+require_once __DIR__ . '/../web/inc/functions.mailbox.inc.php';
+require_once __DIR__ . '/../web/inc/functions.ratelimit.inc.php';
+require_once __DIR__ . '/../web/inc/functions.acl.inc.php';
+
+$_SESSION['mailcow_cc_username'] = "admin";
+$_SESSION['mailcow_cc_role'] = "admin";
+$_SESSION['acl']['tls_policy'] = "1";
+$_SESSION['acl']['quarantine_notification'] = "1";
+$_SESSION['acl']['quarantine_category'] = "1";
+$_SESSION['acl']['ratelimit'] = "1";
+$_SESSION['acl']['sogo_access'] = "1";
+$_SESSION['acl']['protocol_access'] = "1";
+$_SESSION['acl']['mailbox_relayhost'] = "1";
+$_SESSION['acl']['unlimited_quota'] = "1";
+
+// Init Provider
+$iam_provider = identity_provider('init');
+$iam_settings = identity_provider('get');
+if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
+  session_destroy();
+  exit;
+}
+
+// Set pagination variables
+$start = 0;
+$max = 25;
+
+// lock sync if already running
+$lock_file = '/tmp/iam-sync.lock';
+if (file_exists($lock_file)) {
+  $lock_file_parts = explode("\n", file_get_contents($lock_file));
+  $pid = $lock_file_parts[0];
+  if (count($lock_file_parts) > 1){
+    $last_execution = $lock_file_parts[1];
+    $elapsed_time = (time() - $last_execution) / 60;
+    if ($elapsed_time < intval($iam_settings['sync_interval'])) {
+      logMsg("warning", "Sync not ready (".number_format((float)$elapsed_time, 2, '.', '')."min / ".$iam_settings['sync_interval']."min)");
+      session_destroy();
+      exit;
+    }
+  }
+
+  if (posix_kill($pid, 0)) {
+    logMsg("warning", "Sync is already running");
+    session_destroy();
+    exit;
+  } else {
+    unlink($lock_file);
+  }
+}
+$lock_file_handle = fopen($lock_file, 'w');
+fwrite($lock_file_handle, getmypid());
+fclose($lock_file_handle);
+
+// Get ldap users
+$response = $iam_provider->query()
+  ->where($iam_settings['username_field'], "*")
+  ->where($iam_settings['attribute_field'], "*")
+  ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname'])
+  ->paginate($max);
+
+// Process the users
+foreach ($response as $user) {
+  $mailcow_template = $user[$iam_settings['attribute_field']][0];
+
+  // try get mailbox user
+  $stmt = $pdo->prepare("SELECT `mailbox`.* FROM `mailbox`
+  INNER JOIN domain on mailbox.domain = domain.domain
+  WHERE `kind` NOT REGEXP 'location|thing|group'
+    AND `domain`.`active`='1'
+    AND `username` = :user");
+  $stmt->execute(array(':user' => $user[$iam_settings['username_field']][0]));
+  $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // check if matching attribute mapping exists
+  $mbox_template = null;
+  foreach ($iam_settings['mappers'] as $index => $mapper){
+    if ($mapper ==  $mailcow_template) {
+      $mbox_template = $iam_settings['templates'][$index];
+      break;
+    }
+  }
+  if (!$mbox_template){
+    logMsg("warning", "No matching attribute mapping found for user " . $user[$iam_settings['username_field']][0]);
+    continue;
+  }
+
+  if (!$row && intval($iam_settings['import_users']) == 1){
+    // mailbox user does not exist, create...
+    logMsg("info", "Creating user " .  $user[$iam_settings['username_field']][0]);
+    mailbox('add', 'mailbox_from_template', array(
+      'domain' => explode('@',  $user[$iam_settings['username_field']][0])[1],
+      'local_part' => explode('@',  $user[$iam_settings['username_field']][0])[0],
+      'name' => $user['displayname'][0],
+      'authsource' => 'ldap',
+      'template' => $mbox_template
+    ));
+  } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
+    // mailbox user does exist, sync attribtues...
+    logMsg("info", "Syncing attributes for user " . $user[$iam_settings['username_field']][0]);
+    mailbox('edit', 'mailbox_from_template', array(
+      'username' =>  $user[$iam_settings['username_field']][0],
+      'name' => $user['displayname'][0],
+      'template' => $mbox_template
+    ));
+  } else {
+    // skip mailbox user
+    logMsg("info", "Skipping user " .  $user[$iam_settings['username_field']][0]);
+  }
+
+  sleep(0.025);
+}
+
+logMsg("info", "DONE!");
+// add last execution time to lock file
+$lock_file_handle = fopen($lock_file, 'w');
+fwrite($lock_file_handle, getmypid() . "\n" . time());
+fclose($lock_file_handle);
+session_destroy();
diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js
index 9ee6daba1..44afa2998 100644
--- a/data/conf/sogo/custom-sogo.js
+++ b/data/conf/sogo/custom-sogo.js
@@ -1,3 +1,49 @@
+// redirect to mailcow login form
+document.addEventListener('DOMContentLoaded', function () {
+    var loginForm = document.forms.namedItem("loginForm");
+    if (loginForm) {
+        window.location.href = '/';
+    }
+
+    angularReady = false;
+    // Wait for the Angular components to be initialized
+    function waitForAngularComponents(callback) {
+        const targetNode = document.body;
+
+        const observer = new MutationObserver(function(mutations) {
+            mutations.forEach(function(mutation) {
+            if (mutation.addedNodes.length > 0) {
+                const toolbarElement = document.body.querySelector('md-toolbar');
+                if (toolbarElement) {
+                observer.disconnect();
+                callback();
+                }
+            }
+            });
+        });
+
+        const config = { childList: true, subtree: true };
+        observer.observe(targetNode, config);
+    }
+
+    // Usage
+    waitForAngularComponents(function() {
+        if (!angularReady){
+            angularReady = true;
+
+            const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
+
+            var htmlCode = '<a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
+                '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
+                '</a><a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="#" onclick="logout.submit()" aria-hidden="false" tabindex="-1">' +
+                '<md-icon class="material-icons" role="img" aria-label="settings_power">settings_power</md-icon>' +
+                '</a><form action="/" method="post" id="logout"><input type="hidden" name="logout"></form>';
+
+            toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
+        }
+    });
+});
+
 // Custom SOGo JS
 
 // Change the visible font-size in the editor, this does not change the font of a html message by default
@@ -5,3 +51,4 @@ CKEDITOR.addCss("body {font-size: 16px !important}");
 
 // Enable scayt by default
 //CKEDITOR.config.scayt_autoStartup = true;
+
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 7183cc8c1..fe6af27cb 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -4,22 +4,31 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
   global $redis;
   
   $is_internal = $extra['is_internal'];
+  $role = $extra['role'];
 
   // Try validate admin
-  $result = admin_login($user, $pass);
-  if ($result !== false) return $result;
+  if (!isset($role) || $role == "admin") {
+    $result = admin_login($user, $pass);
+    if ($result !== false) return $result;
+  }
 
   // Try validate domain admin
-  $result = domainadmin_login($user, $pass);
-  if ($result !== false) return $result;
+  if (!isset($role) || $role == "domain_admin") {
+    $result = domainadmin_login($user, $pass);
+    if ($result !== false) return $result;
+  }
 
   // Try validate user
-  $result = user_login($user, $pass);
-  if ($result !== false) return $result;
+  if (!isset($role) || $role == "user") {
+    $result = user_login($user, $pass);
+    if ($result !== false) return $result;
+  }
 
   // Try validate app password
-  $result = apppass_login($user, $pass, $app_passwd_data);
-  if ($result !== false) return $result;
+  if (!isset($role) || $role == "app") {
+    $result = apppass_login($user, $pass, $app_passwd_data);
+    if ($result !== false) return $result;
+  }
 
   // skip log and only return false if it's an internal request
   if ($is_internal == true) return false;
@@ -175,62 +184,136 @@ function user_login($user, $pass, $extra = null){
   $stmt->execute(array(':user' => $user));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
-  // user does not exist, try call keycloak login and create user if possible via rest flow
+  // user does not exist, try call idp login and create user if possible via rest flow
   if (!$row){
     $iam_settings = identity_provider('get');
     if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){
       $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
       if ($result !== false) return $result;
+    } else if ($iam_settings['authsource'] == 'ldap') {
+      $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
+      if ($result !== false) return $result;
     }
   } 
   if ($row['active'] != 1) {
     return false;
   }
 
-  if ($row['authsource'] == 'keycloak'){
-    // user authsource is keycloak, try using via rest flow
-    $iam_settings = identity_provider('get');
-    if (intval($iam_settings['mailpassword_flow']) == 1){
-      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+  switch ($row['authsource']) {
+    case 'keycloak':
+      // user authsource is keycloak, try using via rest flow
+      $iam_settings = identity_provider('get');
+      if (intval($iam_settings['mailpassword_flow']) == 1){
+        $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+        if ($result !== false) {
+          // check for tfa authenticators
+          $authenticators = get_tfa($user);
+          if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+            // authenticators found, init TFA flow
+            $_SESSION['pending_mailcow_cc_username'] = $user;
+            $_SESSION['pending_mailcow_cc_role'] = "user";
+            $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+            unset($_SESSION['ldelay']);
+            $_SESSION['return'][] =  array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $user, '*'),
+              'msg' => array('logged_in_as', $user)
+            );
+            return "pending";
+          } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+            // no authenticators found, login successfull
+            if (!$is_internal){
+              unset($_SESSION['ldelay']);
+              // Reactivate TFA if it was set to "deactivate TFA for next login"
+              $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+              $stmt->execute(array(':user' => $user));
+              $_SESSION['return'][] =  array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $user, '*'),
+                'msg' => array('logged_in_as', $user)
+              );
+            }
+            return "user";
+          }
+        }
+        return $result;
+      } else {
+        return false;
+      }
+    break;
+    case 'ldap':
+      // user authsource is ldap
+      $iam_settings = identity_provider('get');
+      $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+      if ($result !== false) {
+        // check for tfa authenticators
+        $authenticators = get_tfa($user);
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+          // authenticators found, init TFA flow
+          $_SESSION['pending_mailcow_cc_username'] = $user;
+          $_SESSION['pending_mailcow_cc_role'] = "user";
+          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+          unset($_SESSION['ldelay']);
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => array('logged_in_as', $user)
+          );
+          return "pending";
+        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          // no authenticators found, login successfull
+          if (!$is_internal){
+            unset($_SESSION['ldelay']);
+            // Reactivate TFA if it was set to "deactivate TFA for next login"
+            $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+            $stmt->execute(array(':user' => $user));
+            $_SESSION['return'][] =  array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $user, '*'),
+              'msg' => array('logged_in_as', $user)
+            );
+          }
+          return "user";
+        }
+      }
       return $result;
-    } else {
-      return false;
-    }
+    break;
+    default:
+      // verify password
+      if (verify_hash($row['password'], $pass) !== false) {
+        // check for tfa authenticators
+        $authenticators = get_tfa($user);
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
+          // authenticators found, init TFA flow
+          $_SESSION['pending_mailcow_cc_username'] = $user;
+          $_SESSION['pending_mailcow_cc_role'] = "user";
+          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+          unset($_SESSION['ldelay']);
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => array('logged_in_as', $user)
+          );
+          return "pending";
+        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          // no authenticators found, login successfull
+          if (!$is_internal){
+            unset($_SESSION['ldelay']);
+            // Reactivate TFA if it was set to "deactivate TFA for next login"
+            $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
+            $stmt->execute(array(':user' => $user));
+            $_SESSION['return'][] =  array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $user, '*'),
+              'msg' => array('logged_in_as', $user)
+            );
+          }
+          return "user";
+        }
+      }
+    break;
   }
  
-  // verify password
-  if (verify_hash($row['password'], $pass) !== false) {
-    // check for tfa authenticators
-    $authenticators = get_tfa($user);
-    if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
-      // authenticators found, init TFA flow
-      $_SESSION['pending_mailcow_cc_username'] = $user;
-      $_SESSION['pending_mailcow_cc_role'] = "user";
-      $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
-      unset($_SESSION['ldelay']);
-      $_SESSION['return'][] =  array(
-        'type' => 'success',
-        'log' => array(__FUNCTION__, $user, '*'),
-        'msg' => array('logged_in_as', $user)
-      );
-      return "pending";
-    } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
-      // no authenticators found, login successfull
-      if (!$is_internal){
-        unset($_SESSION['ldelay']);
-        // Reactivate TFA if it was set to "deactivate TFA for next login"
-        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
-        $stmt->execute(array(':user' => $user));
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $user, '*'),
-          'msg' => array('logged_in_as', $user)
-        );
-      }
-      return "user";
-    }
-  }
-
   return false;
 }
 function apppass_login($user, $pass, $app_passwd_data, $extra = null){
@@ -372,11 +455,6 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
     return false;
   } else if (!$create) {
     // login success - dont create mailbox
-    $_SESSION['return'][] =  array(
-      'type' => 'success',
-      'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => array('logged_in_as', $user)
-    );
     return 'user';
   }
 
@@ -388,16 +466,67 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
   $create_res = mailbox('add', 'mailbox_from_template', array(
     'domain' => explode('@', $user)[1],
     'local_part' => explode('@', $user)[0],
+    'name' => $user_res['firstName'] . " " . $user_res['lastName'],
     'authsource' => 'keycloak',
-    'template' => $iam_settings['mappers'][$mapper_key]
+    'template' => $iam_settings['templates'][$mapper_key]
+  ));
+  if (!$create_res) return false;
+
+  return 'user';
+}
+function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
+  global $pdo;
+  global $iam_provider;
+
+  $is_internal = $extra['is_internal'];
+  $create = $extra['create'];
+
+  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*'),
+        'msg' => 'malformed_username'
+      );
+    }
+    return false;
+  }
+
+  try {
+    $user_res = $iam_provider->query()
+      ->where($iam_settings['username_field'], '=', $user)
+      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname'])
+      ->firstOrFail();
+  } catch (Exception $e) {
+    return false;
+  }
+  if (!$iam_provider->auth()->attempt($user_res['distinguishedname'][0], $pass)) {
+    return false;
+  }
+
+  // get mapped template, if not set return false
+  // also return false if no mappers were defined
+  $user_template = $user_res[$iam_settings['attribute_field']][0];
+  if ($create && (empty($iam_settings['mappers']) || !$user_template)){
+    return false;
+  } else if (!$create) {
+    // login success - dont create mailbox
+    return 'user';
+  }
+
+  // check if matching attribute exist
+  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+  if ($mapper_key === false) return false;
+
+  // create mailbox
+  $create_res = mailbox('add', 'mailbox_from_template', array(
+    'domain' => explode('@', $user)[1],
+    'local_part' => explode('@', $user)[0],
+    'name' => $user_res['displayname'][0],
+    'authsource' => 'ldap',
+    'template' => $iam_settings['templates'][$mapper_key]
   ));
   if (!$create_res) return false;
 
-
-  $_SESSION['return'][] =  array(
-    'type' => 'success',
-    'log' => array(__FUNCTION__, $user, '*'),
-    'msg' => array('logged_in_as', $user)
-  );
   return 'user';
 }
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 215a95fdd..7e8389341 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -840,6 +840,11 @@ function update_sogo_static_view($mailbox = null) {
     }
   }
 
+  // generate random password for sogo to deny direct login
+  $random_password = base64_encode(openssl_random_pseudo_bytes(24));
+  $random_salt = base64_encode(openssl_random_pseudo_bytes(16));
+  $random_hash = '{SSHA256}' . base64_encode(hash('sha256', base64_decode($password) . $salt, true) . $salt);
+  
   $subquery = "GROUP BY mailbox.username";
   if ($mailbox_exists) {
     $subquery = "AND mailbox.username = :mailbox";
@@ -849,13 +854,7 @@ function update_sogo_static_view($mailbox = null) {
         mailbox.username,
         mailbox.domain,
         mailbox.username,
-        CASE 
-          WHEN mailbox.authsource IS NOT NULL AND mailbox.authsource <> 'mailcow' THEN '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'
-          ELSE 
-            IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0',
-              IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-              '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321')
-        END AS c_password,
+        :random_hash,
         mailbox.name,
         mailbox.username,
         IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
@@ -886,9 +885,15 @@ function update_sogo_static_view($mailbox = null) {
   
   if ($mailbox_exists) {
     $stmt = $pdo->prepare($query);
-    $stmt->execute(array(':mailbox' => $mailbox));
+    $stmt->execute(array(
+      ':random_hash' => $random_hash,
+      ':mailbox' => $mailbox
+    ));
   } else {
-    $stmt = $pdo->query($query);
+    $stmt = $pdo->prepare($query);
+    $stmt->execute(array(
+      ':random_hash' => $random_hash
+    ));
   }
   
   $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');");
@@ -2129,12 +2134,18 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $data_log),
-          'msg' => array('required_data_missing', $setting)
+          'msg' => array('required_data_missing', '')
         );
         return false;
       }
+
+      $available_authsources = array(
+        "keycloak",
+        "generic-oidc",
+        "ldap"
+      );
       $_data['authsource'] = strtolower($_data['authsource']);
-      if ($_data['authsource'] != "keycloak" && $_data['authsource'] != "generic-oidc"){
+      if (!in_array($_data['authsource'], $available_authsources)){
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $data_log),
@@ -2158,20 +2169,32 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         return false;
       }
 
-      if ($_data['authsource'] == "keycloak") {
-        $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
-        $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
-        $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
-        $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
-        $_data['sync_interval']     = isset($_data['sync_interval']) ? intval($_data['sync_interval']) : 15;
-        $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-        $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
-      } else if ($_data['authsource'] == "generic-oidc") {
-        $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
-        $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
-        $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
-        $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
-        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
+      switch ($_data['authsource']) {
+        case "keycloak":
+          $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
+          $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0;
+          $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
+          $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+          $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
+          $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
+          $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
+        break;
+        case "generic-oidc":
+          $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
+          $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
+          $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
+          $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
+          $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
+        break;
+        case "ldap":
+          $_data['port']              = (!empty($_data['port'])) ? intval($_data['port']) : 389;
+          $_data['username_field']    = (!empty($_data['username_field'])) ? $_data['username_field'] : "mail";
+          $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
+          $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+          $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
+          $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
+          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval');
+        break;
       }
       
       $pdo->beginTransaction();
@@ -2234,30 +2257,56 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         return false;
       }
 
-      if ($_data['authsource'] == 'keycloak') {
-        $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
-      } else {
-        $url = $_data['token_url'];
-      }
-      $req = http_build_query(array(
-        'grant_type'    => 'client_credentials',
-        'client_id'     => $_data['client_id'],
-        'client_secret' => $_data['client_secret']
-      ));
-      $curl = curl_init();
-      curl_setopt($curl, CURLOPT_URL, $url);
-      curl_setopt($curl, CURLOPT_TIMEOUT, 7);
-      curl_setopt($curl, CURLOPT_POST, 1);
-      curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
-      curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
-      curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
-      $res = curl_exec($curl);
-      $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-      curl_close ($curl);
-      
-      if ($code != 200) {
-        return false;
+      switch ($_data['authsource']) {
+        case 'keycloak':
+        case 'generic-oidc':
+          if ($_data['authsource'] == 'keycloak') {
+            $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
+          } else {
+            $url = $_data['token_url'];
+          }
+          $req = http_build_query(array(
+            'grant_type'    => 'client_credentials',
+            'client_id'     => $_data['client_id'],
+            'client_secret' => $_data['client_secret']
+          ));
+          $curl = curl_init();
+          curl_setopt($curl, CURLOPT_URL, $url);
+          curl_setopt($curl, CURLOPT_TIMEOUT, 7);
+          curl_setopt($curl, CURLOPT_POST, 1);
+          curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
+          curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
+          curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+          $res = curl_exec($curl);
+          $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+          curl_close ($curl);
+          
+          if ($code != 200) {
+            return false;
+          }
+        break;
+        case 'ldap':
+          if (!$_data['host'] || !$_data['port'] || !$_data['basedn'] ||
+            !$_data['binddn'] || !$_data['bindpass']){
+              return false;
+          }
+          $provider = new \LdapRecord\Connection([
+            'hosts'                     => [$_data['host']],
+            'port'                      => $_data['port'],
+            'base_dn'                   => $_data['basedn'],
+            'username'                  => $_data['binddn'],
+            'password'                  => $_data['bindpass']
+          ]);
+          try {
+            $provider->connect();
+          } catch (TypeError $e) {
+            return false;
+          } catch (\LdapRecord\Auth\BindException $e) {
+            return false;
+          }
+        break;
       }
+
       return true;
     break;
     case "delete":
@@ -2295,40 +2344,70 @@ function identity_provider($_action, $_data = null, $_extra = null) {
     case "init":
       $iam_settings = identity_provider('get');
       $provider = null;
-      if ($iam_settings['authsource'] == 'keycloak'){
-        if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] &&
+
+      switch ($iam_settings['authsource']) {
+        case "keycloak":
+          if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] &&
             $iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){
-          $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
-            'authServerUrl'         => $iam_settings['server_url'],
-            'realm'                 => $iam_settings['realm'],
-            'clientId'              => $iam_settings['client_id'],
-            'clientSecret'          => $iam_settings['client_secret'],
-            'redirectUri'           => $iam_settings['redirect_url'],
-            'version'               => $iam_settings['version'],                            
-            // 'encryptionAlgorithm'   => 'RS256',                             // optional
-            // 'encryptionKeyPath'     => '../key.pem'                         // optional
-            // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
-          ]);
-        }
-      }
-      else if ($iam_settings['authsource'] == 'generic-oidc'){
-        if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] &&
+            $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+              'authServerUrl'         => $iam_settings['server_url'],
+              'realm'                 => $iam_settings['realm'],
+              'clientId'              => $iam_settings['client_id'],
+              'clientSecret'          => $iam_settings['client_secret'],
+              'redirectUri'           => $iam_settings['redirect_url'],
+              'version'               => $iam_settings['version'],                            
+              // 'encryptionAlgorithm'   => 'RS256',                             // optional
+              // 'encryptionKeyPath'     => '../key.pem'                         // optional
+              // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+            ]);
+          }
+        break;
+        case "generic-oidc":
+          if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] &&
             $iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){
-          $provider = new \League\OAuth2\Client\Provider\GenericProvider([
-            'clientId'                => $iam_settings['client_id'],
-            'clientSecret'            => $iam_settings['client_secret'],
-            'redirectUri'             => $iam_settings['redirect_url'],
-            'urlAuthorize'            => $iam_settings['authorize_url'],
-            'urlAccessToken'          => $iam_settings['token_url'],
-            'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
-            'scopes'                  => $iam_settings['client_scopes']
-          ]);
-        }
+            $provider = new \League\OAuth2\Client\Provider\GenericProvider([
+              'clientId'                => $iam_settings['client_id'],
+              'clientSecret'            => $iam_settings['client_secret'],
+              'redirectUri'             => $iam_settings['redirect_url'],
+              'urlAuthorize'            => $iam_settings['authorize_url'],
+              'urlAccessToken'          => $iam_settings['token_url'],
+              'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
+              'scopes'                  => $iam_settings['client_scopes']
+            ]);
+          }
+        break;
+        case "ldap":
+          if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] &&
+            $iam_settings['binddn'] && $iam_settings['bindpass']){
+            $provider = new \LdapRecord\Connection([
+              'hosts'                     => [$iam_settings['host']],
+              'port'                      => $iam_settings['port'],
+              'base_dn'                   => $iam_settings['basedn'],
+              'username'                  => $iam_settings['binddn'],
+              'password'                  => $iam_settings['bindpass']
+            ]);
+            try {
+              $provider->connect();
+            } catch (TypeError $e) {
+              $provider = null;
+            }
+          }
+        break;
       }
+
       return $provider;
     break;
     case "verify-sso":
       $provider = $_data['iam_provider'];
+      $iam_settings = identity_provider('get');
+      if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__),
+          'msg' => array('login_failed', "no OIDC provider configured")
+        );
+        return false;
+      }
     
       try {
         $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
@@ -2358,8 +2437,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
       if ($row){
         // success
-        $_SESSION['mailcow_cc_username'] = $info['email'];
-        $_SESSION['mailcow_cc_role'] = "user";
+        set_user_loggedin_session($info['email']);
         $_SESSION['return'][] =  array(
           'type' => 'success',
           'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@@ -2370,9 +2448,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 
       // get mapped template, if not set return false
       // also return false if no mappers were defined
-      $provider = identity_provider('get');
       $user_template = $info['mailcow_template'];
-      if (empty($provider['mappers']) || empty($user_template)){
+      if (empty($iam_settings['mappers']) || empty($user_template)){
         clear_session();  
         $_SESSION['return'][] =  array(
           'type' => 'danger',
@@ -2383,7 +2460,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       }
 
       // check if matching attribute exist
-      $mapper_key = array_search($user_template, $provider['mappers']);
+      $mapper_key = array_search($user_template, $iam_settings['mappers']);
       if ($mapper_key === false) {
         clear_session();  
         $_SESSION['return'][] =  array(
@@ -2398,8 +2475,9 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       $create_res = mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $info['email'])[1],
         'local_part' => explode('@', $info['email'])[0],
-        'authsource' => identity_provider('get')['authsource'],
-        'template' => $provider['templates'][$mapper_key]
+        'name' => $info['firstName'] . " " . $info['lastName'],
+        'authsource' => $iam_settings['authsource'],
+        'template' => $iam_settings['templates'][$mapper_key]
       ));
       if (!$create_res){
         clear_session();  
@@ -2411,8 +2489,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         return false;
       }
     
-      $_SESSION['mailcow_cc_username'] = $info['email'];
-      $_SESSION['mailcow_cc_role'] = "user";
+      set_user_loggedin_session($info['email']);
       $_SESSION['return'][] =  array(
         'type' => 'success',
         'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@@ -2429,10 +2506,11 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
         $info = $provider->getResourceOwner($token)->toArray();
       } catch (Throwable $e) {
+        clear_session();  
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__),
-          'msg' => array('login_failed', $e->getMessage())
+          'msg' => array('refresh_login_failed', $e->getMessage())
         );
         return false;
       }
@@ -2452,6 +2530,9 @@ function identity_provider($_action, $_data = null, $_extra = null) {
       return true;
     break;
     case "get-redirect":
+      $iam_settings = identity_provider('get');
+      if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') 
+        return false;
       $provider = $_data['iam_provider'];
       $authUrl = $provider->getAuthorizationUrl();
       $_SESSION['oauth2state'] = $provider->getState();
@@ -2522,7 +2603,16 @@ function clear_session(){
   session_destroy();
   session_write_close();
 }
-
+function set_user_loggedin_session($user) {
+  $_SESSION['mailcow_cc_username'] = $user;
+  $_SESSION['mailcow_cc_role'] = 'user';
+  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+  $_SESSION['sogo-sso-user-allowed'][] = $user;
+  $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+}
 function get_logs($application, $lines = false) {
   if ($lines === false) {
     $lines = $GLOBALS['LOG_LINES'] - 1;
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 46658274e..939958d29 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1019,7 +1019,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc'))){
+          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap'))){
             $authsource = $_data['authsource'];
           }
           if (empty($name)) {
@@ -2944,7 +2944,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $tags           = (is_array($_data['tags']) ? $_data['tags'] : array());
               $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
               $authsource     = $is_now['authsource'];
-              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc'))){
+              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap'))){
                 $authsource = $_data['authsource'];
               }
             }
@@ -3285,11 +3285,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
           $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
           $is_now = mailbox('get', 'mailbox_details', $_data['username']);
-          if ($is_now['attributes']['attribute_hash'] == $attribute_hash)
+          $name = ltrim(rtrim($_data['name'], '>'), '<');
+          if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
             return true;
 
           $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
           $mbox_template_data['attribute_hash'] = $attribute_hash;
+          $mbox_template_data['name'] = $name;
           $quarantine_attributes = array('username' => $_data['username']);
           $tls_attributes = array('username' => $_data['username']);
           $ratelimit_attributes = array('object' => $_data['username']);
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 4f73911a6..afacbc724 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -362,7 +362,7 @@ function init_db_schema() {
           "custom_attributes" => "JSON NOT NULL DEFAULT ('{}')",
           "kind" => "VARCHAR(100) NOT NULL DEFAULT ''",
           "multiple_bookings" => "INT NOT NULL DEFAULT -1",
-          "authsource" => "ENUM('mailcow', 'keycloak', 'generic-oidc') DEFAULT 'mailcow'",
+          "authsource" => "ENUM('mailcow', 'keycloak', 'generic-oidc', 'ldap') DEFAULT 'mailcow'",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
           "modified" => "DATETIME ON UPDATE CURRENT_TIMESTAMP",
           "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index 1a33e7604..b73ad2816 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -94,6 +94,8 @@ if (isset($_POST["logout"])) {
   if (isset($_SESSION["dual-login"])) {
     $_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
     $_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
+    unset($_SESSION['sogo-sso-user-allowed']);
+    unset($_SESSION['sogo-sso-pass']);
     unset($_SESSION["dual-login"]);
     header("Location: /mailbox");
     exit();
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index c8333f979..cd81f4c21 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -4,6 +4,7 @@ if ($iam_provider){
   if (isset($_GET['iam_sso'])){
     // redirect for sso
     $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
+    $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
     header('Location: ' . $redirect_uri);
     die();
   }
@@ -12,9 +13,9 @@ if ($iam_provider){
     $isRefreshed = identity_provider('refresh-token', array('iam_provider' => $iam_provider));
 
     if (!$isRefreshed){
-      // Session could not be refreshed, clear and redirect to provider
-      clear_session();
+      // Session could not be refreshed, redirect to provider
       $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
+      $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
       header('Location: ' . $redirect_uri);
       die();
     }
@@ -39,13 +40,16 @@ if (!empty($_GET['sso_token'])) {
 
 if (isset($_POST["verify_tfa_login"])) {
   if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
-    $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
-    $_SESSION['mailcow_cc_role'] = $_SESSION['pending_mailcow_cc_role'];
-    unset($_SESSION['pending_mailcow_cc_username']);
-    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
-
-    header("Location: /user");
+    set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
+    $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
+    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+      header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
+      die();
+    } else {
+      header("Location: /user");
+      die();
+    }
   } else {
     unset($_SESSION['pending_mailcow_cc_username']);
     unset($_SESSION['pending_mailcow_cc_role']);
@@ -70,10 +74,10 @@ if (isset($_POST["quick_delete"])) {
 }
 
 if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
-	$login_user = strtolower(trim($_POST["login_user"]));
-	$as = check_login($login_user, $_POST["pass_user"]);
+  $login_user = strtolower(trim($_POST["login_user"]));
+  $as = check_login($login_user, $_POST["pass_user"]);
 
-	if ($as == "admin") {
+  if ($as == "admin") {
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
 		header("Location: /admin");
@@ -84,19 +88,27 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 		header("Location: /mailbox");
 	}
 	elseif ($as == "user") {
-		$_SESSION['mailcow_cc_username'] = $login_user;
-		$_SESSION['mailcow_cc_role'] = "user";
-        $http_parameters = explode('&', $_SESSION['index_query_string']);
-        unset($_SESSION['index_query_string']);
-        if (in_array('mobileconfig', $http_parameters)) {
-            if (in_array('only_email', $http_parameters)) {
-                header("Location: /mobileconfig.php?only_email");
-                die();
-            }
-            header("Location: /mobileconfig.php");
+    set_user_loggedin_session($login_user);
+    $http_parameters = explode('&', $_SESSION['index_query_string']);
+    unset($_SESSION['index_query_string']);
+    if (in_array('mobileconfig', $http_parameters)) {
+        if (in_array('only_email', $http_parameters)) {
+            header("Location: /mobileconfig.php?only_email");
             die();
         }
-		header("Location: /user");
+        header("Location: /mobileconfig.php");
+        die();
+    }
+
+    $user_details = mailbox("get", "mailbox_details", $login_user);
+    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+      header("Location: /SOGo/so/{$login_user}");
+      die();
+    } else {
+      header("Location: /user");
+      die();
+    }
 	}
 	elseif ($as != "pending") {
     unset($_SESSION['pending_mailcow_cc_username']);
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 18bc63285..726640772 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -122,8 +122,8 @@ $SHOW_DKIM_PRIV_KEYS = false;
 $MAILCOW_APPS = array(
   array(
     'name' => 'Webmail',
-    'link' => '/SOGo/so/',
-    'user_link' => '/sogo-auth.php?login=%u',
+    'link' => '/SOGo/so',
+    'user_link' => '/SOGo/so',
     'hide' => true
   )
 );
@@ -179,7 +179,7 @@ $MAILBOX_DEFAULT_ATTRIBUTES['tls_enforce_out'] = false;
 // Force password change on next login (only allows login to mailcow UI)
 $MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update'] = false;
 
-// Enable SOGo access (set to false to disable access by default)
+// Enable SOGo access - Users will be redirected to SOGo after login (set to false to disable redirect by default)
 $MAILBOX_DEFAULT_ATTRIBUTES['sogo_access'] = true;
 
 // Send notification when quarantine is not empty (never, hourly, daily, weekly)
diff --git a/data/web/index.php b/data/web/index.php
index c44696b6d..08857006f 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -15,8 +15,14 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   header('Location: /mailbox');
   exit();
 }
-elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
-  header('Location: /user');
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {    
+  $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
+  $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+  if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+    header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
+  } else {
+    header("Location: /user");
+  }
   exit();
 }
 
@@ -24,12 +30,18 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
 $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
 $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
 
+$has_iam_sso = false;
+if ($iam_provider){
+  $has_iam_sso = identity_provider("get-redirect", array('iam_provider' => $iam_provider)) ? true : false; 
+}
+
+
 $template = 'index.twig';
 $template_data = [
   'oauth2_request' => @$_SESSION['oauth2_request'],
   'is_mobileconfig' => str_contains($_SESSION['index_query_string'], 'mobileconfig'),
   'login_delay' => @$_SESSION['ldelay'],
-  'has_iam_sso' => ($iam_provider) ? true : false
+  'has_iam_sso' => $has_iam_sso
 ];
 
 $js_minifier->add('/web/js/site/index.js');
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 3397a1a59..c6839fa47 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -808,6 +808,26 @@ jQuery(function($){
         $(this).parent().parent().parent().remove();
     });
   });
+  $('.iam_rolemap_add_ldap').click(async function(e){
+    e.preventDefault();
+
+    var parent = $('#iam_ldap_mapping_list')
+    $(parent).children().last().clone().appendTo(parent);
+    var newChild = $(parent).children().last();
+    $(newChild).find('input').val('');
+    $(newChild).find('.dropdown-toggle').remove();
+    $(newChild).find('.dropdown-menu').remove();
+    $(newChild).find('.bs-title-option').remove();
+    $(newChild).find('select').selectpicker('destroy');
+    $(newChild).find('select').selectpicker();
+
+    $('.iam_ldap_rolemap_del').off('click');
+    $('.iam_ldap_rolemap_del').click(async function(e){
+      e.preventDefault();
+      if ($(this).parent().parent().parent().parent().children().length > 1)
+        $(this).parent().parent().parent().remove();
+    });
+  });
   $('.iam_keycloak_rolemap_del').click(async function(e){
     e.preventDefault();
     if ($(this).parent().parent().parent().parent().children().length > 1)
@@ -818,15 +838,26 @@ jQuery(function($){
     if ($(this).parent().parent().parent().parent().children().length > 1)
       $(this).parent().parent().parent().remove();
   });
+  $('.iam_ldap_rolemap_del').click(async function(e){
+    e.preventDefault();
+    if ($(this).parent().parent().parent().parent().children().length > 1)
+      $(this).parent().parent().parent().remove();
+  });
   // selecting identity provider
   $('#iam_provider').on('change', function(){
     // toggle password fields
     if (this.value === 'keycloak'){
       $('#keycloak_settings').removeClass('d-none');
       $('#generic_oidc_settings').addClass('d-none');
+      $('#ldap_settings').addClass('d-none');
     } else if (this.value === 'generic-oidc') {
-      $('#keycloak_settings').addClass('d-none');
       $('#generic_oidc_settings').removeClass('d-none');
+      $('#keycloak_settings').addClass('d-none');
+      $('#ldap_settings').addClass('d-none');
+    } else if (this.value === 'ldap') {
+      $('#ldap_settings').removeClass('d-none');
+      $('#generic_oidc_settings').addClass('d-none');
+      $('#keycloak_settings').addClass('d-none');
     }
   });
 });
diff --git a/data/web/lang/lang.cs-cz.json b/data/web/lang/lang.cs-cz.json
index 2d0b1014e..8190315fa 100644
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -648,8 +648,8 @@
         "sieve_desc": "Krátký popis",
         "sieve_type": "Typ filtru",
         "skipcrossduplicates": "Přeskočit duplicitní zprávy (\"první přijde, první mele\")",
-        "sogo_access": "Udělit přímý přihlašovací přístup do služby SOGo",
-        "sogo_access_info": "Jednotné přihlášení (SSO) z mail UI zůstává funkční. Toto nastavení neovlivňuje přístup ke všem ostatním službám ani neodstraňuje či nemění stávající profil uživatele SOGo.",
+        "sogo_access": "Přímé předání na SOGo",
+        "sogo_access_info": "Po přihlášení je uživatel automaticky přesměrován do služby SOGo.",
         "sogo_visible": "Alias dostupný v SOGo",
         "sogo_visible_info": "Tato volba určuje objekty, jež lze zobrazit v SOGo (sdílené nebo nesdílené aliasy, jež ukazuje alespoň na jednu schránku).",
         "spam_alias": "Vytvořit nebo změnit dočasné aliasy",
@@ -1143,7 +1143,7 @@
         "delete_ays": "Potvrďte odstranění.",
         "direct_aliases": "Přímé aliasy",
         "direct_aliases_desc": "Na přímé aliasy se uplatňuje filtr spamu a nastavení pravidel TLS",
-        "direct_protocol_access": "Tento uživatel mailové schránky má <b>přímý externí přístup</b> k následujícím protokolům a aplikacím. Toto nastavení je řízeno správcem. Pro udělení přístupu k jednotlivým protokolům a aplikacím lze vytvořit hesla aplikací.<br>Tlačítko \" Přihlaste se do webmailu\" zajišťuje jednotné přihlášení k SOGo a je vždy k dispozici.",
+        "direct_protocol_access": "Tento uživatel mailové schránky má <b>přímý externí přístup</b> k následujícím protokolům a aplikacím. Toto nastavení je řízeno správcem. Pro udělení přístupu k jednotlivým protokolům a aplikacím lze vytvořit hesla aplikací.<br>Tlačítko \"Webmailu\" zajišťuje jednotné přihlášení k SOGo a je vždy k dispozici.",
         "eas_reset": "Smazat mezipaměť zařízení ActiveSync",
         "eas_reset_help": "Obnovení mezipaměti zařízení pomůže zpravidla obnovit poškozený profil služby ActiveSync.<br><b>Upozornění:</b> Všechna data budou opětovně stažena!",
         "eas_reset_now": "Smazat",
@@ -1184,7 +1184,7 @@
         "no_last_login": "Žádný záznam o přihlášení",
         "no_record": "Žádný záznam",
         "open_logs": "Otevřít záznam",
-        "open_webmail_sso": "Přihlaste se do webmailu",
+        "open_webmail_sso": "Webmailu",
         "password": "Heslo",
         "password_now": "Současné heslo (pro potvrzení změny)",
         "password_repeat": "Heslo (znovu)",
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index fd3442132..0f758d0d2 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -675,8 +675,8 @@
         "sieve_desc": "Kurze Beschreibung",
         "sieve_type": "Filtertyp",
         "skipcrossduplicates": "Duplikate auch über Ordner hinweg überspringen (\"first come, first serve\")",
-        "sogo_access": "Direktes Einloggen an SOGo erlauben",
-        "sogo_access_info": "Single-Sign-On Zugriff über die UI wird hierdurch NICHT deaktiviert. Diese Einstellung hat weder Einfluss auf den Zugang sonstiger Dienste noch entfernt sie ein vorhandenes SOGo-Benutzerprofil.",
+        "sogo_access": "Direktes weiterleiten an SOGo",
+        "sogo_access_info": "Nach dem Einloggen wird der Benutzer automatisch an SOGo weitergeleitet.",
         "sogo_visible": "Alias in SOGo sichtbar",
         "sogo_visible_info": "Diese Option hat lediglich Einfluss auf Objekte, die in SOGo darstellbar sind (geteilte oder nicht-geteilte Alias-Adressen mit dem Ziel mindestens einer lokalen Mailbox).",
         "spam_alias": "Anpassen temporärer Alias-Adressen",
@@ -1161,7 +1161,7 @@
         "delete_ays": "Soll der Löschvorgang wirklich ausgeführt werden?",
         "direct_aliases": "Direkte Alias-Adressen",
         "direct_aliases_desc": "Nur direkte Alias-Adressen werden für benutzerdefinierte Einstellungen berücksichtigt.",
-        "direct_protocol_access": "Der Hauptbenutzer hat <b>direkten, externen Zugriff</b> auf folgende Protokolle und Anwendungen. Diese Einstellung wird vom Administrator gesteuert. App-Passwörter können verwendet werden, um individuelle Zugänge für Protokolle und Anwendungen zu erstellen.<br>Der Button \"In Webmail einloggen\" kann unabhängig der Einstellung immer verwendet werden.",
+        "direct_protocol_access": "Der Hauptbenutzer hat <b>direkten, externen Zugriff</b> auf folgende Protokolle und Anwendungen. Diese Einstellung wird vom Administrator gesteuert. App-Passwörter können verwendet werden, um individuelle Zugänge für Protokolle und Anwendungen zu erstellen.<br>Der Button \"Webmail\" kann unabhängig der Einstellung immer verwendet werden.",
         "eas_reset": "ActiveSync-Geräte-Cache zurücksetzen",
         "eas_reset_help": "In vielen Fällen kann ein ActiveSync-Profil durch das Zurücksetzen des Caches repariert werden.<br><b>Vorsicht:</b> Alle Elemente werden erneut heruntergeladen!",
         "eas_reset_now": "Jetzt zurücksetzen",
@@ -1201,7 +1201,7 @@
         "no_active_filter": "Kein aktiver Filter vorhanden",
         "no_last_login": "Keine letzte UI-Anmeldung gespeichert",
         "no_record": "Kein Eintrag",
-        "open_webmail_sso": "In Webmail einloggen",
+        "open_webmail_sso": "Webmail",
         "overview": "Übersicht",
         "password": "Passwort",
         "password_now": "Aktuelles Passwort (Änderungen bestätigen)",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 869e69d16..e41a5f51a 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -212,17 +212,22 @@
         "host": "Host",
         "html": "HTML",
         "iam": "Identity Provider",
+        "iam_attribute_field": "Attribute Field",
         "iam_authorize_url": "Authorization endpoint",
         "iam_auth_flow": "Authentication Flow",
         "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak.",
+        "iam_basedn": "Base DN",
         "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
         "iam_client_scopes": "Client Scopes",
-        "iam_description": "Configure an external OIDC Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
+        "iam_description": "Configure an external Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
         "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
+        "iam_host": "Host",
         "iam_import_users": "Import Users",
         "iam_mapping": "Attribute Mapping",
+        "iam_bindpass": "Bind Password",
         "iam_periodic_full_sync": "Periodic Full Sync",
+        "iam_port": "Port",
         "iam_realm": "Realm",
         "iam_redirect_url": "Redirect Url",
         "iam_rest_flow": "Mailpassword Flow",
@@ -232,6 +237,8 @@
         "iam_test_connection": "Test Connection",
         "iam_token_url": "Token endpoint",
         "iam_userinfo_url": "User info endpoint",
+        "iam_username_field": "Username Field",
+        "iam_binddn": "Bind DN",
         "iam_version": "Version",
         "import": "Import",
         "import_private_key": "Import private key",
@@ -702,8 +709,8 @@
         "sieve_desc": "Short description",
         "sieve_type": "Filter type",
         "skipcrossduplicates": "Skip duplicate messages across folders (first come, first serve)",
-        "sogo_access": "Grant direct login access to SOGo",
-        "sogo_access_info": "Single-sign-on from within the mail UI remains working. This setting does neither affect access to all other services nor does it delete or change a user's existing SOGo profile.",
+        "sogo_access": "Direct forwarding to SOGo",
+        "sogo_access_info": "After logging in, the user is automatically redirected to SOGo.",
         "sogo_visible": "Alias is visible in SOGo",
         "sogo_visible_info": "This option only affects objects, that can be displayed in SOGo (shared or non-shared alias addresses pointing to at least one local mailbox). If hidden, an alias will not appear as selectable sender in SOGo.",
         "spam_alias": "Create or change time limited alias addresses",
@@ -1196,7 +1203,7 @@
         "delete_ays": "Please confirm the deletion process.",
         "direct_aliases": "Direct alias addresses",
         "direct_aliases_desc": "Direct alias addresses are affected by spam filter and TLS policy settings.",
-        "direct_protocol_access": "This mailbox user has <b>direct, external access</b> to the following protocols and applications. This setting is controlled by your administrator. App passwords can be created to grant access to individual protocols and applications.<br>The \"Login to webmail\" button provides single-sign-on to SOGo and is always available.",
+        "direct_protocol_access": "This mailbox user has <b>direct, external access</b> to the following protocols and applications. This setting is controlled by your administrator. App passwords can be created to grant access to individual protocols and applications.<br>The \"Webmail\" button provides single-sign-on to SOGo and is always available.",
         "eas_reset": "Reset ActiveSync device cache",
         "eas_reset_help": "In many cases a device cache reset will help to recover a broken ActiveSync profile.<br><b>Attention:</b> All elements will be redownloaded!",
         "eas_reset_now": "Reset now",
@@ -1237,7 +1244,7 @@
         "no_last_login": "No last UI login information",
         "no_record": "No record",
         "open_logs": "Open logs",
-        "open_webmail_sso": "Login to webmail",
+        "open_webmail_sso": "Webmail",
         "overview": "Overview",
         "password": "Password",
         "password_now": "Current password (confirm changes)",
diff --git a/data/web/lang/lang.it-it.json b/data/web/lang/lang.it-it.json
index 6783dfed8..65bb36942 100644
--- a/data/web/lang/lang.it-it.json
+++ b/data/web/lang/lang.it-it.json
@@ -620,9 +620,9 @@
         "username": "Nome utente",
         "validate_save": "Convalida e salva",
         "pushover": "Pushover",
-        "sogo_access_info": "Il single-sign-on dall'interno dell'interfaccia di posta rimane funzionante. Questa impostazione non influisce sull'accesso a tutti gli altri servizi né cancella o modifica il profilo SOGo esistente dell'utente.",
         "none_inherit": "Nessuno / Eredita",
-        "sogo_access": "Concedere l'accesso diretto a SOGo",
+        "sogo_access": "Inoltro diretto a SOGo",
+        "sogo_access_info": "Dopo aver effettuato il login, l'utente viene automaticamente reindirizzato a SOGo.",
         "acl": "ACL (autorizzazione)",
         "app_passwd_protocols": "Protocolli consentiti per la password dell'app",
         "last_modified": "Ultima modifica",
@@ -1121,7 +1121,7 @@
         "no_active_filter": "No active filter available",
         "no_last_login": "No last UI login information",
         "no_record": "Nessun elemento",
-        "open_webmail_sso": "Accedi alla webmail",
+        "open_webmail_sso": "Webmail",
         "password": "Password",
         "password_now": "Password attuale (conferma modifiche)",
         "password_repeat": "Conferma password (riscrivi)",
@@ -1209,7 +1209,7 @@
         "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Impossibile connettersi al server remoto",
         "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nome utente o password errati",
         "with_app_password": "con password dell'app",
-        "direct_protocol_access": "Questo utente della mailbox ha <b>accesso diretto ed esterno</b> ai seguenti protocolli e applicazioni. Questa impostazione è controllata dal tuo amministratore. Le password delle applicazioni possono essere create per garantire l'accesso ai singoli protocolli e applicazioni.<br>Il pulsante \"Accedi alla webmail\" fornisce un singolo accesso a SOGo ed è sempre disponibile.",
+        "direct_protocol_access": "Questo utente della mailbox ha <b>accesso diretto ed esterno</b> ai seguenti protocolli e applicazioni. Questa impostazione è controllata dal tuo amministratore. Le password delle applicazioni possono essere create per garantire l'accesso ai singoli protocolli e applicazioni.<br>Il pulsante \"Webmail\" fornisce un singolo accesso a SOGo ed è sempre disponibile.",
         "pushover_sound": "Suono"
     },
     "warning": {
diff --git a/data/web/lang/lang.pt-br.json b/data/web/lang/lang.pt-br.json
index 9acaf87c7..e254a6e2d 100644
--- a/data/web/lang/lang.pt-br.json
+++ b/data/web/lang/lang.pt-br.json
@@ -669,8 +669,8 @@
         "sieve_desc": "Breve descrição",
         "sieve_type": "Tipo de filtro",
         "skipcrossduplicates": "Ignore mensagens duplicadas entre pastas (primeiro a chegar, primeiro a ser servido)",
-        "sogo_access": "Conceder acesso de login direto ao SoGo",
-        "sogo_access_info": "O login único de dentro da interface do usuário de e-mail continua funcionando. Essa configuração não afeta o acesso a todos os outros serviços nem exclui ou altera o perfil SoGo existente de um usuário.",
+        "sogo_access": "Encaminhamento direto para o SOGoo",
+        "sogo_access_info": "Depois de fazer login, o usuário é automaticamente redirecionado para o SOGo.",
         "sogo_visible": "O alias é visível no SoGo",
         "sogo_visible_info": "Essa opção afeta somente objetos, que podem ser exibidos no SoGo (endereços de alias compartilhados ou não compartilhados apontando para pelo menos uma caixa de correio local). Se estiver oculto, um alias não aparecerá como remetente selecionável no SoGo.",
         "spam_alias": "Crie ou altere endereços de alias com limite de tempo",
@@ -1160,7 +1160,7 @@
         "delete_ays": "Confirme o processo de exclusão.",
         "direct_aliases": "Endereços de alias diretos",
         "direct_aliases_desc": "Os endereços de alias diretos são afetados pelo filtro de spam e pelas configurações da política TLS.",
-        "direct_protocol_access": "Esse usuário da caixa de correio tem <b>acesso externo direto</b> aos seguintes protocolos e aplicativos. Essa configuração é controlada pelo administrador. As senhas de aplicativos podem ser criadas para conceder acesso a protocolos e aplicativos individuais. <br>O botão “Login no webmail” fornece login único no SoGo e está sempre disponível.",
+        "direct_protocol_access": "Esse usuário da caixa de correio tem <b>acesso externo direto</b> aos seguintes protocolos e aplicativos. Essa configuração é controlada pelo administrador. As senhas de aplicativos podem ser criadas para conceder acesso a protocolos e aplicativos individuais. <br>O botão “Webmail” fornece login único no SoGo e está sempre disponível.",
         "eas_reset": "Redefinir o cache do dispositivo ActiveSync",
         "eas_reset_help": "Em muitos casos, uma redefinição do cache do dispositivo ajudará a recuperar um perfil quebrado do ActiveSync. <br><b>Atenção:</b> Todos os elementos serão baixados novamente!",
         "eas_reset_now": "Reinicie agora",
@@ -1201,7 +1201,7 @@
         "no_last_login": "Nenhuma informação de login da última interface",
         "no_record": "Sem registro",
         "open_logs": "Registros abertos",
-        "open_webmail_sso": "Faça login no webmail",
+        "open_webmail_sso": "Webmail",
         "password": "Senha",
         "password_now": "Senha atual (confirme as alterações)",
         "password_repeat": "Senha (repetição)",
diff --git a/data/web/lang/lang.ro-ro.json b/data/web/lang/lang.ro-ro.json
index 5c7b29b0e..2191b479a 100644
--- a/data/web/lang/lang.ro-ro.json
+++ b/data/web/lang/lang.ro-ro.json
@@ -607,8 +607,8 @@
         "sieve_desc": "Descriere scurtă",
         "sieve_type": "Tip filtru",
         "skipcrossduplicates": "Sari peste mesajele duplicate din toate folderele (primul venit, primul servit)",
-        "sogo_access": "Acordați acces direct de conectare la SOGo",
-        "sogo_access_info": "Conectarea unică din interfața de administrare a e-mailului continuă să funcționeze. Această setare nu afectează accesul la toate celelalte servicii și nici nu șterge sau modifică profilul SOGo existent al unui utilizator.",
+        "sogo_access": "Redirecționare directă către SOGo",
+        "sogo_access_info": "După logare, utilizatorul este redirecționat automat către SOGo.",
         "sogo_visible": "Aliasul este vizibil în SOGo",
         "sogo_visible_info": "Această opțiune afectează doar obiecte, care pot fi afișate în SOGo (adrese alias partajate sau ne-partajate cu cel puțin o căsuță poștală locală). Dacă este ascuns, un alias nu va apărea ca expeditor selectabil în SOGo.",
         "spam_alias": "Crează sau modifică adrese alias limitate în funcție de timp",
@@ -1067,7 +1067,7 @@
         "delete_ays": "Vă rugăm să confirmați stergerea.",
         "direct_aliases": "Adrese alias directe",
         "direct_aliases_desc": "Adresele alias directe sunt afectate de setările filtrului de spam și ale politicii TLS.",
-        "direct_protocol_access": "Acest utilizator are <b>acces direct, extern</b> la următoarele protocoale și aplicații. Această setare este controlată de administratorul dvs. Parolele pentru aplicații pot fi create pentru a acorda acces la protocoale și aplicații individuale.<br>Butonul \"Conectați-vă la webmail\" oferă conectare unică la SOGo și este întotdeauna disponibil.",
+        "direct_protocol_access": "Acest utilizator are <b>acces direct, extern</b> la următoarele protocoale și aplicații. Această setare este controlată de administratorul dvs. Parolele pentru aplicații pot fi create pentru a acorda acces la protocoale și aplicații individuale.<br>Butonul \"Webmail\" oferă conectare unică la SOGo și este întotdeauna disponibil.",
         "eas_reset": "Resetează memoria cache a dispozitivului ActiveSync",
         "eas_reset_help": "În multe cazuri, resetarea cache-ului dispozitivului va ajuta la recuperarea unui profil ActiveSync defect.<br><b>Atenţie:</b> Toate elementele vor fi descărcate din nou!",
         "eas_reset_now": "Resetează acum",
@@ -1108,7 +1108,7 @@
         "no_last_login": "Nu există informații despre ultima autentificare în interfață",
         "no_record": "Nici o înregistrare",
         "open_logs": "Deschide jurnalele",
-        "open_webmail_sso": "Autentificare în webmail",
+        "open_webmail_sso": "Webmail",
         "password": "Parolă",
         "password_now": "Parola curentă (confirmă modificările)",
         "password_repeat": "Parolă (repetă)",
diff --git a/data/web/lang/lang.ru-ru.json b/data/web/lang/lang.ru-ru.json
index 2a959ab3c..b40568053 100644
--- a/data/web/lang/lang.ru-ru.json
+++ b/data/web/lang/lang.ru-ru.json
@@ -621,7 +621,8 @@
         "unchanged_if_empty": "Если без изменений - оставьте пустым",
         "username": "Имя пользователя",
         "validate_save": "Подтвердить и сохранить",
-        "sogo_access_info": "Единый вход из интерфейса почты продолжает работать. Эта настройка не влияет на доступ ко всем другим службам, а также не удаляет или изменяет существующий профиль пользователя SOGo.",
+        "sogo_access": "Прямая переадресация в SOGo",
+        "sogo_access_info": "После входа в систему пользователь автоматически перенаправляется в SOGo.",
         "app_passwd_protocols": "Разрешенные протоколы для пароля приложения",
         "domain_footer_info": "Нижние колонтитулы на уровне домена добавляются ко всем исходящим электронным письмам, связанным с адресом в этом домене. <br> Для нижнего колонтитула можно использовать следующие переменные:",
         "domain_footer_info_vars": {
@@ -1119,7 +1120,7 @@
         "no_last_login": "Информация о последнем входе в пользовательский интерфейс отсутствует",
         "no_record": "Записи отсутствуют",
         "open_logs": "Показать журнал",
-        "open_webmail_sso": "Вход в веб-почту",
+        "open_webmail_sso": "веб-почту",
         "password": "Пароль",
         "password_now": "Текущий пароль (подтверждение изменения)",
         "password_repeat": "Подтверждение пароля (повтор)",
@@ -1204,7 +1205,7 @@
         "years": "лет",
         "allowed_protocols": "Разрешенные протоколы",
         "apple_connection_profile_with_app_password": "Новый пароль приложения генерируется и добавляется в профиль, поэтому при настройке устройства не требуется вводить пароль. Не предоставляйте доступ к файлу, поскольку он предоставляет полный доступ к вашему почтовому ящику.",
-        "direct_protocol_access": "Этот пользователь почтового ящика имеет <b>прямой, внешний доступ</b> к следующим протоколам и приложениям. Эта настройка контролируется вашим администратором. Для предоставления доступа к отдельным протоколам и приложениям могут быть созданы пароли приложений.<br> Кнопка \"Вход в веб-почту\" обеспечивает единый вход в SOGo и всегда доступна.",
+        "direct_protocol_access": "Этот пользователь почтового ящика имеет <b>прямой, внешний доступ</b> к следующим протоколам и приложениям. Эта настройка контролируется вашим администратором. Для предоставления доступа к отдельным протоколам и приложениям могут быть созданы пароли приложений.<br> Кнопка \"веб-почту\" обеспечивает единый вход в SOGo и всегда доступна.",
         "with_app_password": "с паролем приложения",
         "change_password_hint_app_passwords": "В вашей учетной записи есть {{number_of_app_passwords}} паролей приложений, которые не будут изменены. Чтобы управлять ими, перейдите на вкладку \"Пароли приложений\".",
         "attribute": "Атрибут",
diff --git a/data/web/lang/lang.sk-sk.json b/data/web/lang/lang.sk-sk.json
index d656a2cd1..465231860 100644
--- a/data/web/lang/lang.sk-sk.json
+++ b/data/web/lang/lang.sk-sk.json
@@ -625,8 +625,8 @@
         "sieve_desc": "Krátky popis",
         "sieve_type": "Typ filtru",
         "skipcrossduplicates": "Preskočiť duplikované správy naprieč priečinkami (akceptuje sa prvý nález)",
-        "sogo_access": "Prideliť priame prihlásenie do SOGo",
-        "sogo_access_info": "Jednotné prihlásenie z používateľského mail rozhrania zostáva funkčné. Toto nastavenie nemá vplyv na prístup k ostatným službám, ani neodstraňuje alebo nemení existujúci profil používateľa SOGo.",
+        "sogo_access": "Priame presmerovanie na SOGo",
+        "sogo_access_info": "Po prihlásení je používateľ automaticky presmerovaný na službu SOGo.",
         "sogo_visible": "Alias je viditeľný v SOGo",
         "sogo_visible_info": "Táto voľba ovplyvňuje len objekty, ktoré dokážu byť zobrazené v SOGo (zdieľané alebo nezdieľané alias adresy ukazujúc na minimálne jednu lokálnu mailovú schránku). Ak je skrytý, alias nebude prezentovaný ako voliteľný odosielateľ v SOGo.",
         "spam_alias": "Vytvoriť alebo zmeniť časovo limitované alias adresy",
@@ -1119,7 +1119,7 @@
         "delete_ays": "Potvrďte zmazanie.",
         "direct_aliases": "Priame alias adresy",
         "direct_aliases_desc": "Priame aliasy sú ovplyvnené spam filtrom a nastavením TLS pravidiel.",
-        "direct_protocol_access": "Tento používateľ mailovej schránky má <b>priamy, externý prístup</b> k nasledujúcim protokolom a aplikáciám. Toto nastavenie kontroluje administrátor. Na udelenie prístupu k jednotlivým protokolom a aplikáciám je možné vytvoriť heslá aplikácií.<br>Tlačidlo \"Prihlásenie do webmailu\" poskytuje jednotné prihlásenie do systému SOGo a je vždy k dispozícii.",
+        "direct_protocol_access": "Tento používateľ mailovej schránky má <b>priamy, externý prístup</b> k nasledujúcim protokolom a aplikáciám. Toto nastavenie kontroluje administrátor. Na udelenie prístupu k jednotlivým protokolom a aplikáciám je možné vytvoriť heslá aplikácií.<br>Tlačidlo \"Webmailu\" poskytuje jednotné prihlásenie do systému SOGo a je vždy k dispozícii.",
         "eas_reset": "Resetovať medzipamäť u ActiveSync zariadení",
         "eas_reset_help": "Vo väčšine prípadov, reset medzipamäte ActiveSync pomôže opravit nefunkčný profil.<br><b>Pozor:</b> Všetky potrebné dáta budú opäť stiahnuté!",
         "eas_reset_now": "Reset ActiveSync",
@@ -1160,7 +1160,7 @@
         "no_last_login": "Žiadny záznam o prihlásení cez web",
         "no_record": "Žiaden záznam",
         "open_logs": "Otvoriť záznam",
-        "open_webmail_sso": "Prihláste sa do webmailu",
+        "open_webmail_sso": "Webmailu",
         "password": "Heslo",
         "password_now": "Aktuálne heslo (potvrdiť zmeny)",
         "password_repeat": "Heslo (opakovať)",
diff --git a/data/web/lang/lang.uk-ua.json b/data/web/lang/lang.uk-ua.json
index e778f1569..316fcb23c 100644
--- a/data/web/lang/lang.uk-ua.json
+++ b/data/web/lang/lang.uk-ua.json
@@ -607,8 +607,8 @@
         "sieve_desc": "Короткий опис",
         "sieve_type": "Тип фільтра",
         "skipcrossduplicates": "Пропускати в папках повідомлення, що повторюються",
-        "sogo_access": "Надати прямий доступ до SOGo",
-        "sogo_access_info": "Єдиний вхід із інтерфейсу пошти продовжує працювати. Це налаштування не впливає на доступ до всіх інших служб, а також не видаляє чи змінює наявний профіль користувача SOGo.",
+        "sogo_access": "Пряме перенаправлення до SOGo",
+        "sogo_access_info": "Після входу користувач автоматично перенаправляється на SOGo.",
         "sogo_visible": "Відображати псевдонім у SOGo",
         "spam_alias": "Створити або змінити тимчасові (спам) псевдоніми",
         "spam_filter": "Спам фільтр",
@@ -1230,13 +1230,13 @@
         "client_configuration": "Показати посібники з налаштування поштових клієнтів та смартфонів",
         "direct_aliases": "Особисті псевдоніми",
         "direct_aliases_desc": "На особисті псевдоніми розповсюджуються фільтри небажаної пошти та параметри політики TLS.",
-        "direct_protocol_access": "Цей користувач поштової скриньки має <b>прямий, зовнішній доступ</b> до наведених нижче протоколів і програм. Цими параметрами керує ваш адміністратор. Паролі додатків можна створювати для надання доступу до окремих протоколів і програм.<br>Кнопка \"Увійти до веб-пошти\" забезпечує єдиний вхід в SOGo і завжди доступна.",
+        "direct_protocol_access": "Цей користувач поштової скриньки має <b>прямий, зовнішній доступ</b> до наведених нижче протоколів і програм. Цими параметрами керує ваш адміністратор. Паролі додатків можна створювати для надання доступу до окремих протоколів і програм.<br>Кнопка \"веб-пошти\" забезпечує єдиний вхід в SOGo і завжди доступна.",
         "force_pw_update": "Ви <b>повинні</b> встановити новий пароль для доступу до сервісів, що належать до цього облікового запису.",
         "is_catch_all": "Catch-all для домена/ів",
         "last_ui_login": "Останній вхід до особистого кабінету",
         "months": "місяців",
         "new_password_repeat": "Підтвердження пароля (повтор)",
-        "open_webmail_sso": "Вхід до веб-пошти",
+        "open_webmail_sso": "веб-пошти",
         "pushover_evaluate_x_prio": "Встановити високий пріоритет повідомлень для листів із високим пріоритетом [<code>X-Priority: 1</code>]",
         "pushover_info": "Налаштування Push-повідомлень будуть застосовуватися до всієї пошти <b>%s</b> (за винятком спаму), включаючи псевдоніми (особисті, загальні та теговані).",
         "pushover_title": "Заголовок сповіщення",
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index b1aacf5c8..5ee376174 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -594,8 +594,8 @@
         "sieve_desc": "简短描述",
         "sieve_type": "过滤器类型",
         "skipcrossduplicates": "跳过其他文件夹中已存在的邮件(保留已经存在的邮件)",
-        "sogo_access": "允许直接登录 SOGo",
-        "sogo_access_info": "在邮箱的用户界面内的单点登录仍然有效。这一设置既不影响对所有其他服务的访问，也不删除或改变用户现有的 SOGo 的配置文件。",
+        "sogo_access": "直接转发给 SOGo",
+        "sogo_access_info": "登录后，用户会自动跳转到 SOGo。",
         "sogo_visible": "SOGo 显示的别名",
         "sogo_visible_info": "此设置只影响 SOGo 上可显示的对象 (指向本地邮箱的共享或非共享别名地址)。如果设置为隐藏，则别名地址不会作为可选发件人的下拉项显示。",
         "spam_alias": "添加或更改临时别名地址",
@@ -1053,7 +1053,7 @@
         "delete_ays": "请确认删除。",
         "direct_aliases": "直接别名",
         "direct_aliases_desc": "垃圾邮件过滤和 TLS 策略会作用于直接别名。",
-        "direct_protocol_access": "该邮箱用户可以<b>直接</b>从<b>外部</b>访问以下的协议和应用程序。该选项由你的管理员进行设置。并可以创建应用密码，以授予对个别协议和应用的访问权限。<br>\"登录到 Webmail\" 按钮提供到 SOGo 的单点登录方式，并且始终可用。",
+        "direct_protocol_access": "该邮箱用户可以<b>直接</b>从<b>外部</b>访问以下的协议和应用程序。该选项由你的管理员进行设置。并可以创建应用密码，以授予对个别协议和应用的访问权限。<br>\"Webmail\" 按钮提供到 SOGo 的单点登录方式，并且始终可用。",
         "eas_reset": "重置 ActiveSync 设备缓存",
         "eas_reset_help": "在许多情况下，重置设备缓存可以帮助恢复错误的 ActiveSync 资料。<br><b>注意:</b> 所有元素将会被重新下载！",
         "eas_reset_now": "立即重置",
@@ -1094,7 +1094,7 @@
         "no_last_login": "没有最后一次 UI 登录信息",
         "no_record": "没有记录",
         "open_logs": "打开日志",
-        "open_webmail_sso": "登录到 Webmail",
+        "open_webmail_sso": "Webmail",
         "password": "密码",
         "password_now": "当前密码 (确认更改)",
         "password_repeat": "确认密码 (重复)",
diff --git a/data/web/lang/lang.zh-tw.json b/data/web/lang/lang.zh-tw.json
index 4d84b2116..f3a2431a8 100644
--- a/data/web/lang/lang.zh-tw.json
+++ b/data/web/lang/lang.zh-tw.json
@@ -628,8 +628,8 @@
         "sieve_desc": "簡短描述",
         "sieve_type": "過濾器類型",
         "skipcrossduplicates": "跳過在其他資料夾中重複的郵件 (優先使用先找到的郵件)",
-        "sogo_access": "授權 SOGo 的直接存取權",
-        "sogo_access_info": "mail UI 內的 SSO 仍可以運作。此設定既不會影響到存取其他服務的權限，也不會刪除或更改使用者既有的個人檔案。",
+        "sogo_access": "直接轉寄至SOGo",
+        "sogo_access_info": "登入後，使用者會自動重新導向至SOGo。",
         "sogo_visible": "別名會在 SOGo 中顯示",
         "sogo_visible_info": "此選項只會影響可以顯示於 SOGo 上物件 (指向至少一個本地信箱的共享或非共享別名地址)。如果設為隱藏，別名地址將不會顯示於寄件人下拉選項中。",
         "spam_alias": "新增或更改臨時別名地址",
@@ -1105,7 +1105,7 @@
         "delete_ays": "請確認刪除。",
         "direct_aliases": "直接別名",
         "direct_aliases_desc": "直接別名會受到垃圾郵件過濾器和 TLS 規則限制。",
-        "direct_protocol_access": "此信箱使用者有 <b>直接、外部存取</b> 至下列協定及應用程式。此設定是由管理者設定。應用程式密碼則可以用於授權單獨的協定及應用程式存取權限。<br>\"登入至網頁信箱\" 使用 SSO (single-sign-on) 來登入至 SOGO 且不受前面的限制。",
+        "direct_protocol_access": "此信箱使用者有 <b>直接、外部存取</b> 至下列協定及應用程式。此設定是由管理者設定。應用程式密碼則可以用於授權單獨的協定及應用程式存取權限。<br>\"网络邮件\" 使用 SSO (single-sign-on) 來登入至 SOGO 且不受前面的限制。",
         "eas_reset": "重設 ActiveSync 裝置快取",
         "eas_reset_help": "在許多情況下，重設裝置快取可以幫助恢復錯誤的 ActiveSync 資料。<br><b>注意:</b> 所有元素都會被重新下載！",
         "eas_reset_now": "立即重設",
@@ -1146,7 +1146,7 @@
         "no_last_login": "沒有最後 UI 登入訊息",
         "no_record": "沒有紀錄",
         "open_logs": "開啟日誌",
-        "open_webmail_sso": "登入至網頁信箱",
+        "open_webmail_sso": "网络邮件",
         "password": "密碼",
         "password_now": "目前密碼 (確認更改)",
         "password_repeat": "密碼 (再次輸入)",
diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index c34a60def..d93c12543 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -52,6 +52,13 @@ elseif (isset($_GET['login'])) {
         // register username and password in session
         $_SESSION[$session_var_user_allowed][] = $login;
         $_SESSION[$session_var_pass] = $sogo_sso_pass;
+        // set dual login
+        if ($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0 && $is_dual === false && $_SESSION['mailcow_cc_role'] != "user"){      
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $login;
+          $_SESSION['mailcow_cc_role']        = "user";
+        }
         // update sasl logs
         $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
         $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES ('SSO', 0, :username, :remote_addr)");
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 32c20feab..78e76cbc6 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -18,6 +18,7 @@
             name="iam_provider" id="iam_provider" class="full-width-select form-control" required>
               <option value="keycloak" {% if not iam_settings.authsource or iam_settings.authsource == 'keycloak' %}selected{% endif %}>Keycloak</option>
               <option value="generic-oidc" {% if iam_settings.authsource == 'generic-oidc' %}selected{% endif %}>Generic-OIDC</option>
+              <option value="ldap" {% if iam_settings.authsource == 'ldap' %}selected{% endif %}>LDAP</option>
           </select>
         </div>
       </div>
@@ -286,6 +287,143 @@
           </div>
         </form>
       </div>
+      <div id="ldap_settings" class="{% if not iam_settings.authsource or iam_settings.authsource != 'ldap' %}d-none{% endif %}">
+        <form class="form-horizontal" autocapitalize="none" data-id="iam_ldap" autocorrect="off" role="form" method="post">
+          <input type="hidden" name="authsource" value="ldap">
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_host">{{ lang.admin.iam_host }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_port">{{ lang.admin.iam_port }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="number" class="form-control" id="iam_ldap_port" name="port" value="{{ iam_settings.port }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_basedn">{{ lang.admin.iam_basedn }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" class="form-control" id="iam_ldap_basedn" name="basedn" value="{{ iam_settings.basedn }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_username_field">{{ lang.admin.iam_username_field }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" class="form-control" placeholder="mail" id="iam_ldap_username_field" name="username_field" value="{{ iam_settings.username_field }}">
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_attribute_field">{{ lang.admin.iam_attribute_field }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" class="form-control" id="iam_ldap_attribute_field" name="attribute_field" value="{{ iam_settings.attribute_field }}" required>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_binddn">{{ lang.admin.iam_binddn }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" class="form-control" id="iam_ldap_binddn" name="binddn" value="{{ iam_settings.binddn }}" required>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_bindpass">{{ lang.admin.iam_bindpass }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <div class="reveal-password-input input-group">
+                <input type="password" class="password-field form-control" id="iam_ldap_bindpass" name="bindpass" value="{{ iam_settings.bindpass }}" required>
+                <button class="toggle-password btn btn-secondary" type="button"><i class="bi bi-eye"></i></button>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <div class="row px-2 align-items-center">
+                <span class="col-5 p-0 pe-2">Attribute</span>
+                <span class="col-5 p-0 pe-2">{{ lang.mailbox.template }}</span>
+                <div class="col-2 p-0 d-flex">
+                  <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_rolemap_add_ldap"><i class="bi bi-plus-lg"></i></button>
+                </div>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2" id="iam_ldap_mapping_list">
+            {% for key, role in iam_settings.mappers %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
+                </div>
+                <div class="col-5 p-0 pe-2">
+                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  {% for mbox_template in mbox_templates %}
+                    <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_ldap_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
+            </div>
+            {% endfor %}
+            {% if not iam_settings.mappers %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="mappers" value="" required>
+                </div>
+                <div class="col-5 p-0 pe-2">
+                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  {% for mbox_template in mbox_templates %}
+                    <option>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_ldap_rolemap_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
+            </div>
+            {% endif %}
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_periodic_full_sync }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="periodic_sync"  value="1" {% if iam_settings.periodic_sync == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_import_users }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="import_users"  value="1" {% if iam_settings.import_users == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_sync_interval }}</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input class="form-control" type="number" min="1" name="sync_interval" style="width: 80px;"  {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
+            </div>
+          </div>
+          <div class="row mt-4 mb-2">
+            <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
+              <div class="btn-group mb-2">   
+                <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection iam_test_connection" data-id="iam_ldap"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
+                <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_ldap" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+              </div>
+              <button class="btn btn-sm d-block d-sm-inline btn-danger ms-auto mb-2" data-item="identity-provider" data-action="delete_selected" data-id="iam_ldap" data-api-url='delete/identity-provider'><i class="bi bi-trash"></i> {{ lang.mailbox.remove }}</button>
+            </div>
+          </div>
+        </form>
+      </div>
     </div>
   </div>
 </div>
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index b3ac8223b..fb52b278a 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -38,6 +38,9 @@
                           {% if iam_settings.authsource == 'generic-oidc' %}
                           <option value="generic-oidc" {% if result.authsource == "generic-oidc" %}selected{% endif %}>Generic-OIDC</option>
                           {% endif %}
+                          {% if iam_settings.authsource == 'ldap' %}
+                          <option value="ldap" {% if result.authsource == "ldap" %}selected{% endif %}>LDAP</option>
+                          {% endif %}
                       </select>
                     </div>
                   </div>
@@ -207,6 +210,7 @@
                       </div>
                     </div>
                   </div>
+                  {% if not result.authsource or result.authsource == 'mailcow' %}
                   <div class="row">
                     <label class="control-label col-sm-2" for="password">{{ lang.edit.password }} (<a href="#" class="generate_password">{{ lang.edit.generate }}</a>)</label>
                     <div class="col-sm-10">
@@ -231,6 +235,7 @@
                       {% endif %}
                     </div>
                   </div>
+                  {% endif %}
                   <div class="row">
                     <label class="control-label col-sm-2" for="protocol_access">{{ lang.edit.allowed_protocols }}</label>
                     <div class="col-sm-10">
diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index f4d364d7b..424d5e94f 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -19,8 +19,12 @@
                 <button disabled class="btn btn-secondary btn-block btn-xs-lg w-100">
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </button>
+              {% elseif dual_login %}
+                <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username  }}" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
+                  {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
+                </a>
               {% else %}
-                <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username }}" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
+                <a target="_blank" href="/SOGo/so" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </a>
               {% endif %}
@@ -51,7 +55,6 @@
               {% if mailboxdata.attributes.smtp_access == 1 %}<div class="badge fs-6 bg-success m-2">SMTP <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">SMTP <i class="bi bi-x-lg"></i></div>{% endif %}
               {% if mailboxdata.attributes.sieve_access == 1 %}<div class="badge fs-6 bg-success m-2">Sieve <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">Sieve <i class="bi bi-x-lg"></i></div>{% endif %}
               {% if mailboxdata.attributes.pop3_access == 1 %}<div class="badge fs-6 bg-success m-2">POP3 <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">POP3 <i class="bi bi-x-lg"></i></div>{% endif %}
-              {% if not skip_sogo %}{% if mailboxdata.attributes.sogo_access == 1 %}<div class="badge fs-6 bg-success m-2">SOGo <i class="bi bi-check-lg"></i></div>{% else %}<div class="badge fs-6 bg-danger m-2">SOGo <i class="bi bi-x-lg"></i></div>{% endif %}{% endif %}       
               </div>
             </div>
           </div>
@@ -96,16 +99,19 @@
             </div>
           </div>
 
-          {# TFA #}
-          {% if mailboxdata.authsource == "mailcow" %}
           <legend class="mt-4">{{ lang.user.authentication }}</legend>
           <hr>
+          {# Password Change #}
+          {% if mailboxdata.authsource == "mailcow" %}
           <div class="row">
             <div class="col-12 col-md-3 d-flex"></div>
             <div class="col-12 col-md-9 d-flex flex-wrap justify-content-center justify-content-sm-start">
               <a class="btn btn-secondary" href="#pwChangeModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a>
             </div>
           </div>
+          {% endif %}
+          {# TFA #}
+          {% if mailboxdata.authsource == "mailcow" or mailboxdata.authsource == "ldap" %}
           <div class="row mt-4">
             <div class="col-12 col-md-3 d-flex">
               <span class="mt-2 w-100 text-md-end">{{ lang.tfa.tfa }}:</span>
@@ -129,7 +135,9 @@
               </select>
             </div>
           </div>
+          {% endif %}
           {# FIDO2 #}
+          {% if mailboxdata.authsource == "mailcow" %}
           <div class="row mt-4">
             <div class="col-sm-3 col-12 text-sm-end text-start">
               <p><i class="bi bi-shield-fill-check"></i> {{ lang.fido2.fido2_auth }}</p>

From 78e726636844b9b63fca48f68aeeaeb1f16d0b02 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 10:46:23 +0100
Subject: [PATCH 103/378] [Web] add LDAP query filter

---
 data/web/inc/functions.auth.inc.php                        | 1 +
 data/web/inc/functions.inc.php                             | 3 ++-
 data/web/lang/lang.en-gb.json                              | 1 +
 data/web/templates/admin/tab-config-identity-provider.twig | 6 ++++++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index fe6af27cb..d325c0723 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -495,6 +495,7 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   try {
     $user_res = $iam_provider->query()
       ->where($iam_settings['username_field'], '=', $user)
+      ->whereRaw($iam_settings['filter'])
       ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname'])
       ->firstOrFail();
   } catch (Exception $e) {
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 7e8389341..f63d50463 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2189,11 +2189,12 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         case "ldap":
           $_data['port']              = (!empty($_data['port'])) ? intval($_data['port']) : 389;
           $_data['username_field']    = (!empty($_data['username_field'])) ? $_data['username_field'] : "mail";
+          $_data['filter']            = (!empty($_data['filter'])) ? $_data['filter'] : "";
           $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval');
+          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval');
         break;
       }
       
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index e41a5f51a..0a0622739 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -199,6 +199,7 @@
         "f2b_regex_info": "Logs taken into consideration: SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Retry window (s) for max. attempts",
         "f2b_whitelist": "Whitelisted networks/hosts",
+        "filter": "Filter",
         "filter_table": "Filter table",
         "forwarding_hosts": "Forwarding Hosts",
         "forwarding_hosts_add_hint": "You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 78e76cbc6..5f002c056 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -314,6 +314,12 @@
               <input type="text" class="form-control" placeholder="mail" id="iam_ldap_username_field" name="username_field" value="{{ iam_settings.username_field }}">
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_filter">{{ lang.admin.filter }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" class="form-control" placeholder="" id="iam_ldap_filter" name="filter" value="{{ iam_settings.filter }}">
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end" for="iam_ldap_attribute_field">{{ lang.admin.iam_attribute_field }}:</label>
             <div class="col-12 col-md-9 col-lg-4">

From d22cafacc86ab9ebe4a3e9f20924fc1a27c84332 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 11:21:25 +0100
Subject: [PATCH 104/378] [Web] fix ldap filter if empty

---
 data/web/inc/functions.auth.inc.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index d325c0723..6075ab764 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -493,11 +493,14 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   }
 
   try {
-    $user_res = $iam_provider->query()
+    $ldap_query = $iam_provider->query()
       ->where($iam_settings['username_field'], '=', $user)
-      ->whereRaw($iam_settings['filter'])
-      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname'])
-      ->firstOrFail();
+      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname']);
+    if (!empty($iam_settings['filter'])) {
+      $ldap_query = $ldap_query->whereRaw($iam_settings['filter']);
+    }
+
+    $user_res = $ldap_query->firstOrFail();
   } catch (Exception $e) {
     return false;
   }

From 3a1dcb3aaf238ba741f08d40047f60e776aa41f2 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 11:34:01 +0100
Subject: [PATCH 105/378] [Web] fix set_tfa for ldap users

---
 data/web/inc/functions.inc.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index f63d50463..1e9f35072 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1065,13 +1065,19 @@ function set_tfa($_data) {
 
   // check mailbox confirm password
   if ($access_denied === null) {
-    $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
+    $stmt = $pdo->prepare("SELECT `password`, `authsource` FROM `mailbox`
         WHERE `username` = :username");
     $stmt->execute(array(':username' => $username));
     $row = $stmt->fetch(PDO::FETCH_ASSOC);
     if ($row) {
-      if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;
-      else $access_denied = false;
+      if ($row['authsource'] == 'ldap'){
+        $iam_settings = identity_provider('get');
+        if (!ldap_mbox_login($username, $row['password'], $iam_settings)) $access_denied = true;
+        else $access_denied = false;
+      } else {
+        if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;
+        else $access_denied = false;
+      }
     }
   }
 

From a3bb889def63294f8fd475ea9e4216186dc149f4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 11:41:02 +0100
Subject: [PATCH 106/378] [Web] fix set_tfa for ldap users

---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 1e9f35072..94d81e9ea 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1072,7 +1072,7 @@ function set_tfa($_data) {
     if ($row) {
       if ($row['authsource'] == 'ldap'){
         $iam_settings = identity_provider('get');
-        if (!ldap_mbox_login($username, $row['password'], $iam_settings)) $access_denied = true;
+        if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true;
         else $access_denied = false;
       } else {
         if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;

From b3e26e14ef81e3e9a6589a4d1dde5d5cd1ddf3fa Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 12:01:08 +0100
Subject: [PATCH 107/378] [Ofelia] add ldap sync cronjob

---
 docker-compose.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index a62ea1212..ee180bc61 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -181,6 +181,9 @@ services:
         ofelia.job-exec.phpfpm_keycloak_sync.schedule: "@every 1m"
         ofelia.job-exec.phpfpm_keycloak_sync.no-overlap: "true"
         ofelia.job-exec.phpfpm_keycloak_sync.command: "/bin/bash -c \"php /crons/keycloak-sync.php || exit 0\""
+        ofelia.job-exec.phpfpm_ldap_sync.schedule: "@every 1m"
+        ofelia.job-exec.phpfpm_ldap_sync.no-overlap: "true"
+        ofelia.job-exec.phpfpm_ldap_sync.command: "/bin/bash -c \"php /crons/ldap-sync.php || exit 0\""
       networks:
         mailcow-network:
           aliases:

From 132e37bfec5fa51765a01c02154f9940c213c938 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 12:42:37 +0100
Subject: [PATCH 108/378] [SOGo] use bash script for ldap plist template

---
 .gitignore                                   |  1 +
 data/Dockerfiles/sogo/bootstrap-sogo.sh      |  2 +-
 data/conf/sogo/{plist_ldap => plist_ldap.sh} | 62 +++++++++++---------
 docker-compose.yml                           |  2 +-
 4 files changed, 37 insertions(+), 30 deletions(-)
 rename data/conf/sogo/{plist_ldap => plist_ldap.sh} (85%)
 mode change 100644 => 100755

diff --git a/.gitignore b/.gitignore
index e1e8e8882..43bc74e0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@ data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
 data/conf/sogo/custom-theme.js
 data/conf/sogo/plist_ldap
+data/conf/sogo/plist_ldap.sh
 data/conf/sogo/sieve.creds
 data/conf/sogo/sogo-full.svg
 data/gitea/
diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index 3eb591186..8913fd2c8 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -107,7 +107,7 @@ while read -r line gal
                 </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
   # Generate alternative LDAP authentication dict, when SQL authentication fails
   # This will nevertheless read attributes from LDAP
-  line=${line} envsubst < /etc/sogo/plist_ldap >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
+  /etc/sogo/plist_ldap.sh ${line} ${gal} >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
   echo "            </array>
         </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
 done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
diff --git a/data/conf/sogo/plist_ldap b/data/conf/sogo/plist_ldap.sh
old mode 100644
new mode 100755
similarity index 85%
rename from data/conf/sogo/plist_ldap
rename to data/conf/sogo/plist_ldap.sh
index d585a494f..c35949c65
--- a/data/conf/sogo/plist_ldap
+++ b/data/conf/sogo/plist_ldap.sh
@@ -1,28 +1,34 @@
-                <!--
-                <example>
-                    <key>canAuthenticate</key>
-                    <string>YES</string>
-                    <key>id</key>
-                    <string>${line}_ldap</string>
-                    <key>isAddressBook</key>
-                    <string>NO</string>
-                    <key>IDFieldName</key>
-                    <string>mail</string>
-                    <key>UIDFieldName</key>
-                    <string>uid</string>
-                    <key>bindFields</key>
-                    <array>
-                        <string>mail</string>
-                    </array>
-                    <key>type</key>
-                    <string>ldap</string>
-                    <key>bindDN</key>
-                    <string>cn=admin,dc=example,dc=local</string>
-                    <key>bindPassword</key>
-                    <string>password</string>
-                    <key>baseDN</key>
-                    <string>ou=People,dc=example,dc=local</string>
-                    <key>hostname</key>
-                    <string>ldap://1.2.3.4:389</string>
-                </example>
-                -->
+#!/bin/bash
+
+domain="$1"
+gal_status="$2"
+
+echo '
+                <!--
+                <example>
+                    <key>canAuthenticate</key>
+                    <string>YES</string>
+                    <key>id</key>
+                    <string>'"${domain}_ldap"'</string>
+                    <key>isAddressBook</key>
+                    <string>'"${gal_status}"'</string>
+                    <key>IDFieldName</key>
+                    <string>mail</string>
+                    <key>UIDFieldName</key>
+                    <string>uid</string>
+                    <key>bindFields</key>
+                    <array>
+                        <string>mail</string>
+                    </array>
+                    <key>type</key>
+                    <string>ldap</string>
+                    <key>bindDN</key>
+                    <string>cn=admin,dc=example,dc=local</string>
+                    <key>bindPassword</key>
+                    <string>password</string>
+                    <key>baseDN</key>
+                    <string>ou=People,dc=example,dc=local</string>
+                    <key>hostname</key>
+                    <string>ldap://1.2.3.4:389</string>
+                </example>
+                -->'
diff --git a/docker-compose.yml b/docker-compose.yml
index ee180bc61..ea8f7feb7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -190,7 +190,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:nightly-20240208
+      image: mailcow/sogo:nightly-20240220
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From 45811bc2dc8300098ab3ee173fc92834333287eb Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 20 Feb 2024 15:00:06 +0100
Subject: [PATCH 109/378] [Web] fix mailbox datatable search

---
 data/web/json_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index 07820d75d..079e79ce8 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1082,7 +1082,7 @@ if (isset($_GET['query'])) {
                   ['db' => 'last_mail_login', 'dt' => 4, 'dummy' => true, 'order_subquery' => "SELECT MAX(`datetime`) FROM `sasl_log` WHERE `service` != 'SSO' AND `username` = `m`.`username`"],
                   ['db' => 'last_pw_change', 'dt' => 5, 'dummy' => true, 'order_subquery' => "JSON_EXTRACT(attributes, '$.passwd_update')"],
                   ['db' => 'in_use', 'dt' => 6, 'dummy' => true, 'order_subquery' => "(SELECT SUM(bytes) FROM `quota2` WHERE `quota2`.`username` = `m`.`username`) / `m`.`quota`"],
-                  ['db' => 'messages', 'dt' => 17, 'dummy' => true, 'order_subquery' => "SELECT SUM(messages) FROM `quota2` WHERE `quota2`.`username` = `m`.`username`"],
+                  ['db' => 'messages', 'dt' => 18, 'dummy' => true, 'order_subquery' => "SELECT SUM(messages) FROM `quota2` WHERE `quota2`.`username` = `m`.`username`"],
                   ['db' => 'tags', 'dt' => 20, 'dummy' => true, 'search' => ['join' => 'LEFT JOIN `tags_mailbox` AS `tm` ON `tm`.`username` = `m`.`username`', 'where_column' => '`tm`.`tag_name`']],
                   ['db' => 'active', 'dt' => 21]
                 ];

From 916d0fd46aa47b3a72800bf040db5309a13ed87a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 23 Feb 2024 08:12:06 +0100
Subject: [PATCH 110/378] [Web] catch all exceptions on ldap connect

---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 94d81e9ea..88aa811e6 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2395,7 +2395,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
             ]);
             try {
               $provider->connect();
-            } catch (TypeError $e) {
+            } catch (Throwable $e) {
               $provider = null;
             }
           }

From 766c270b1fa5a634c10391d23830191fa71a2967 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 23 Feb 2024 09:12:17 +0100
Subject: [PATCH 111/378] [SOGo] fix custom html elements and wrong redirection

---
 data/conf/sogo/custom-sogo.js | 60 +++++++++++++++++++----------------
 data/web/sogo-auth.php        |  2 +-
 2 files changed, 34 insertions(+), 28 deletions(-)

diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js
index 44afa2998..0f1d5d342 100644
--- a/data/conf/sogo/custom-sogo.js
+++ b/data/conf/sogo/custom-sogo.js
@@ -6,42 +6,48 @@ document.addEventListener('DOMContentLoaded', function () {
     }
 
     angularReady = false;
-    // Wait for the Angular components to be initialized
-    function waitForAngularComponents(callback) {
-        const targetNode = document.body;
+    function observe() {
+        angularReady = toolbarExists();
+        if (angularReady && !mcElementsExists()) addMCElements();
 
         const observer = new MutationObserver(function(mutations) {
-            mutations.forEach(function(mutation) {
-            if (mutation.addedNodes.length > 0) {
-                const toolbarElement = document.body.querySelector('md-toolbar');
-                if (toolbarElement) {
-                observer.disconnect();
-                callback();
-                }
+            if (!angularReady) {
+                mutations.forEach(function(mutation) {
+                    if (mutation.addedNodes.length > 0) angularReady = toolbarExists();
+                });
+            } else if (angularReady && !mcElementsExists()) {
+                addMCElements();
             }
-            });
         });
 
+        const targetNode = document.body;
         const config = { childList: true, subtree: true };
         observer.observe(targetNode, config);
     }
+    function toolbarExists() {
+        const toolbarElement = document.body.querySelector('md-toolbar');
+        if (toolbarElement)
+            return true;
+        else
+            return false;
+    }
+    function mcElementsExists() {
+        if (document.getElementById("mc_logout"))
+            return true;
+        else 
+            return false;
+    }
+    function addMCElements() {
+        const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
+        var htmlCode = '<a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
+            '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
+            '</a><a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="#" onclick="mc_logout.submit()" aria-hidden="false" tabindex="-1">' +
+            '<md-icon class="material-icons" role="img" aria-label="settings_power">settings_power</md-icon>' +
+            '</a><form action="/" method="post" id="mc_logout"><input type="hidden" name="logout"></form>';
+        toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
+    }
 
-    // Usage
-    waitForAngularComponents(function() {
-        if (!angularReady){
-            angularReady = true;
-
-            const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
-
-            var htmlCode = '<a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
-                '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
-                '</a><a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="#" onclick="logout.submit()" aria-hidden="false" tabindex="-1">' +
-                '<md-icon class="material-icons" role="img" aria-label="settings_power">settings_power</md-icon>' +
-                '</a><form action="/" method="post" id="logout"><input type="hidden" name="logout"></form>';
-
-            toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
-        }
-    });
+    observe();
 });
 
 // Custom SOGo JS
diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index d93c12543..640a8e00c 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -72,7 +72,7 @@ elseif (isset($_GET['login'])) {
       }
     }
   }
-  header("Location: /SOGo/");
+  header("Location: /");
   exit;
 }
 // only check for admin-login on sogo GUI requests

From 010d898786b78327240bb2f2608e973a65c5f859 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 23 Feb 2024 10:01:56 +0100
Subject: [PATCH 112/378] [Web] apply LDAP filter

---
 data/conf/phpfpm/crons/ldap-sync.php | 7 +++++--
 data/web/inc/functions.auth.inc.php  | 8 ++++----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 5686bdacc..20cf7f290 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -110,8 +110,11 @@ fwrite($lock_file_handle, getmypid());
 fclose($lock_file_handle);
 
 // Get ldap users
-$response = $iam_provider->query()
-  ->where($iam_settings['username_field'], "*")
+$ldap_query = $iam_provider->query();
+if (!empty($iam_settings['filter'])) {
+  $ldap_query = $ldap_query->rawFilter($iam_settings['filter']);
+}
+$response = $ldap_query->where($iam_settings['username_field'], "*")
   ->where($iam_settings['attribute_field'], "*")
   ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname'])
   ->paginate($max);
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 6075ab764..b7b8dbc6a 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -493,12 +493,12 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   }
 
   try {
-    $ldap_query = $iam_provider->query()
-      ->where($iam_settings['username_field'], '=', $user)
-      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname']);
+    $ldap_query = $iam_provider->query();
     if (!empty($iam_settings['filter'])) {
-      $ldap_query = $ldap_query->whereRaw($iam_settings['filter']);
+      $ldap_query = $ldap_query->rawFilter($iam_settings['filter']);
     }
+    $ldap_query = $ldap_query->where($iam_settings['username_field'], '=', $user)
+      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname']);
 
     $user_res = $ldap_query->firstOrFail();
   } catch (Exception $e) {

From 6928eb632efbb0862d890005f54e314f272f3c81 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 26 Feb 2024 13:10:08 +0100
Subject: [PATCH 113/378] [Dovecot] move sogo sso to mailcowauth.php

---
 data/Dockerfiles/dovecot/docker-entrypoint.sh |  7 -------
 data/conf/dovecot/auth/mailcowauth.php        | 20 ++++++++++++++-----
 data/conf/dovecot/dovecot.conf                |  1 -
 docker-compose.yml                            |  2 +-
 4 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index fef099cc6..1f6a7dc22 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -200,13 +200,6 @@ EOF
 # Create random master Password for SOGo SSO
 RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
-cat <<EOF > /etc/dovecot/sogo-sso.conf
-# Autogenerated by mailcow
-passdb {
-  driver = static
-  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
-}
-EOF
 
 if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
   # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index d2da46598..2c3c01b30 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -45,20 +45,30 @@ require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
 require_once 'functions.mailbox.inc.php';
 
-// Init provider
-$iam_provider = identity_provider('init');
-
 
+$isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
+$result = false;
 $protocol = $post['protocol'];
-if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') {
+if ($isSOGoRequest) {
   $protocol = null;
+  // This is a SOGo Auth request. First check for SSO password.
+  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+  if ($sogo_sso_pass === $post['password']){
+    error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
+    $result = true;
+  }
+  
 }
-$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
 if ($result === false){
   $result = apppass_login($post['username'], $post['password'], $protocol, array(
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
   ));
+  if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+}
+if ($result === false){
+  $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+  if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 }
 
 if ($result) {
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index c61d9a1b6..e14c445fd 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -303,7 +303,6 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX
 !include_try /etc/dovecot/sni.conf
 !include_try /etc/dovecot/sogo_trusted_ip.conf
 !include_try /etc/dovecot/extra.conf
-!include_try /etc/dovecot/sogo-sso.conf
 !include_try /etc/dovecot/shared_namespace.conf
 # </Includes>
 default_client_limit = 10400
diff --git a/docker-compose.yml b/docker-compose.yml
index ea8f7feb7..f882d94a2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -237,7 +237,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:nightly-20240208
+      image: mailcow/dovecot:nightly-20240226
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From d237157c0b743434ce213d895a130e02a0b06b3e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 26 Feb 2024 13:12:44 +0100
Subject: [PATCH 114/378] init identity_provider only after all conditions are
 met

---
 data/conf/phpfpm/crons/keycloak-sync.php | 5 +++--
 data/conf/phpfpm/crons/ldap-sync.php     | 5 +++--
 data/web/inc/functions.auth.inc.php      | 4 ++--
 data/web/inc/functions.inc.php           | 8 ++++++++
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index 0525f9572..3a7b1da7b 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
 $_SESSION['acl']['unlimited_quota'] = "1";
 
-// Init Keycloak Provider
-$iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
 if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
   session_destroy();
@@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w');
 fwrite($lock_file_handle, getmypid());
 fclose($lock_file_handle);
 
+// Init Keycloak Provider
+$iam_provider = identity_provider('init');
+
 // Loop until all users have been retrieved
 while (true) {
   // Get admin access token
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 20cf7f290..1a53884c3 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1";
 $_SESSION['acl']['mailbox_relayhost'] = "1";
 $_SESSION['acl']['unlimited_quota'] = "1";
 
-// Init Provider
-$iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
 if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
   session_destroy();
@@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w');
 fwrite($lock_file_handle, getmypid());
 fclose($lock_file_handle);
 
+// Init Provider
+$iam_provider = identity_provider('init');
+
 // Get ldap users
 $ldap_query = $iam_provider->query();
 if (!empty($iam_settings['filter'])) {
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index b7b8dbc6a..78aca3c67 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -476,8 +476,8 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
 }
 function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   global $pdo;
-  global $iam_provider;
-
+  
+  $iam_provider = identity_provider();
   $is_internal = $extra['is_internal'];
   $create = $extra['create'];
 
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 88aa811e6..bba46935b 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2099,12 +2099,20 @@ function uuid4() {
 }
 function identity_provider($_action, $_data = null, $_extra = null) {
   global $pdo;
+  global $iam_provider;
 
   $data_log = $_data;
   if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
   if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
 
   switch ($_action) {
+    case NULL:
+      if ($iam_provider) {
+        return $iam_provider;
+      } else {
+        $iam_provider = identity_provider("init");
+      }
+    break;
     case 'get':
       $settings = array();
       $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");

From 881c2d6e022a69f41fd6b773f24413f7fa5a181b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 26 Feb 2024 13:13:50 +0100
Subject: [PATCH 115/378] [SOGo] remove custom logout from toolbar

---
 data/conf/sogo/custom-sogo.js | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js
index 0f1d5d342..e794372f0 100644
--- a/data/conf/sogo/custom-sogo.js
+++ b/data/conf/sogo/custom-sogo.js
@@ -32,18 +32,16 @@ document.addEventListener('DOMContentLoaded', function () {
             return false;
     }
     function mcElementsExists() {
-        if (document.getElementById("mc_logout"))
+        if (document.getElementById("mc_backlink"))
             return true;
         else 
             return false;
     }
     function addMCElements() {
         const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
-        var htmlCode = '<a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
+        var htmlCode = '<a id="mc_backlink" class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
             '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
-            '</a><a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="#" onclick="mc_logout.submit()" aria-hidden="false" tabindex="-1">' +
-            '<md-icon class="material-icons" role="img" aria-label="settings_power">settings_power</md-icon>' +
-            '</a><form action="/" method="post" id="mc_logout"><input type="hidden" name="logout"></form>';
+            '</a>';
         toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
     }
 

From 39a4b115ed11028a96afc191a089993a77372d30 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 26 Feb 2024 13:14:08 +0100
Subject: [PATCH 116/378] [SOGo] fix plist_ldap.sh example

---
 data/conf/sogo/plist_ldap.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/conf/sogo/plist_ldap.sh b/data/conf/sogo/plist_ldap.sh
index c35949c65..1911cd18c 100755
--- a/data/conf/sogo/plist_ldap.sh
+++ b/data/conf/sogo/plist_ldap.sh
@@ -3,15 +3,15 @@
 domain="$1"
 gal_status="$2"
 
-echo '
+echo "
                 <!--
                 <example>
                     <key>canAuthenticate</key>
                     <string>YES</string>
                     <key>id</key>
-                    <string>'"${domain}_ldap"'</string>
+                    <string>"${domain}"_ldap</string>
                     <key>isAddressBook</key>
-                    <string>'"${gal_status}"'</string>
+                    <string>"${gal_status}"</string>
                     <key>IDFieldName</key>
                     <string>mail</string>
                     <key>UIDFieldName</key>
@@ -31,4 +31,4 @@ echo '
                     <key>hostname</key>
                     <string>ldap://1.2.3.4:389</string>
                 </example>
-                -->'
+                -->"

From ffbf1758e0a8e49d3b030b6edba67ac4d3eb8a61 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 26 Feb 2024 13:40:34 +0100
Subject: [PATCH 117/378] [Web] fix identity_provider ArgumentCountError

---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index bba46935b..19293d190 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2097,7 +2097,7 @@ function uuid4() {
 
   return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
 }
-function identity_provider($_action, $_data = null, $_extra = null) {
+function identity_provider($_action = null, $_data = null, $_extra = null) {
   global $pdo;
   global $iam_provider;
 

From e1c3ad9fe8eaa6580ebc60b5217efee87a6e8b04 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 8 Mar 2024 13:15:35 +0100
Subject: [PATCH 118/378] [Web] return idp instance after init

---
 data/web/inc/functions.inc.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 19293d190..6571e0179 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2111,6 +2111,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return $iam_provider;
       } else {
         $iam_provider = identity_provider("init");
+        return $iam_provider;
       }
     break;
     case 'get':

From 2ba64e93f9f7a152cc32e3e9fb79eaee88bb8d9d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 8 Mar 2024 13:50:20 +0100
Subject: [PATCH 119/378] [Web] allow SSL / TLS connections for LDAP

---
 data/web/inc/functions.inc.php                | 43 ++++++++++++++++---
 data/web/lang/lang.en-gb.json                 |  3 ++
 .../admin/tab-config-identity-provider.twig   | 24 +++++++++++
 3 files changed, 63 insertions(+), 7 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 6571e0179..274589972 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2120,10 +2120,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       $stmt->execute();
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       foreach($rows as $row){
-        if ($row["key"] == 'mappers' || $row["key"] == 'templates'){
-          $settings[$row["key"]] = json_decode($row["value"]);
-        } else {
-          $settings[$row["key"]] = $row["value"];
+        switch ($row["key"]) {
+          case "mappers":
+          case "templates":
+            $settings[$row["key"]] = json_decode($row["value"]);
+          break;
+          case "use_ssl":
+          case "use_tls":
+          case "ignore_ssl_errors":
+            $settings[$row["key"]] = boolval($row["value"]);
+          break;
+          default:
+            $settings[$row["key"]] = $row["value"];
+          break;
         }
       }
       // return default client_scopes for generic-oidc if none is set
@@ -2207,9 +2216,12 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['filter']            = (!empty($_data['filter'])) ? $_data['filter'] : "";
           $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+          $_data['use_ssl']           = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
+          $_data['use_tls']           = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
+          $_data['ignore_ssl_error']  = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval');
+          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
         break;
       }
       
@@ -2306,12 +2318,22 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
             !$_data['binddn'] || !$_data['bindpass']){
               return false;
           }
+          $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
+          $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
+          $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
+          $options = array();
+          if ($_data['ignore_ssl_error']) {
+            $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";
+          }
           $provider = new \LdapRecord\Connection([
             'hosts'                     => [$_data['host']],
             'port'                      => $_data['port'],
             'base_dn'                   => $_data['basedn'],
             'username'                  => $_data['binddn'],
-            'password'                  => $_data['bindpass']
+            'password'                  => $_data['bindpass'],
+            'use_ssl'                   => $_data['use_ssl'],
+            'use_tls'                   => $_data['use_tls'],
+            'options'                   => $options
           ]);
           try {
             $provider->connect();
@@ -2395,12 +2417,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         case "ldap":
           if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] &&
             $iam_settings['binddn'] && $iam_settings['bindpass']){
+            $options = array();
+            if ($iam_settings['ignore_ssl_error']) {
+              $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";
+            }
             $provider = new \LdapRecord\Connection([
               'hosts'                     => [$iam_settings['host']],
               'port'                      => $iam_settings['port'],
               'base_dn'                   => $iam_settings['basedn'],
               'username'                  => $iam_settings['binddn'],
-              'password'                  => $iam_settings['bindpass']
+              'password'                  => $iam_settings['bindpass'],
+              'use_ssl'                   => $iam_settings['use_ssl'],
+              'use_tls'                   => $iam_settings['use_tls'],
+              'options'                   => $options
             ]);
             try {
               $provider->connect();
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 0a0622739..705908028 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -240,7 +240,10 @@
         "iam_userinfo_url": "User info endpoint",
         "iam_username_field": "Username Field",
         "iam_binddn": "Bind DN",
+        "iam_use_ssl": "Use SSL",
+        "iam_use_tls": "Use TLS",
         "iam_version": "Version",
+        "ignore_ssl_error": "Ignore SSL Errors",
         "import": "Import",
         "import_private_key": "Import private key",
         "in_use_by": "In use by",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 5f002c056..e5103d970 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -302,6 +302,30 @@
               <input type="number" class="form-control" id="iam_ldap_port" name="port" value="{{ iam_settings.port }}" required>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_use_ssl }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="use_ssl" value="1" {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_use_tls }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="use_tls" value="1" {% if iam_settings.use_tls == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.ignore_ssl_error }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end" for="iam_ldap_basedn">{{ lang.admin.iam_basedn }}:</label>
             <div class="col-12 col-md-9 col-lg-4">

From e0bda6ca6a2c78e94d01772a12f397628552b5e4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 8 Mar 2024 14:05:37 +0100
Subject: [PATCH 120/378] [Web] prevent multiple dual-logins

---
 data/web/inc/triggers.inc.php | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index cd81f4c21..0e29011de 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -121,23 +121,26 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 
 if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) {
 	if (isset($_GET["duallogin"])) {
-    $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
-    if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
-      if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
-        $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
-        $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
-        $_SESSION['mailcow_cc_username']    = $duallogin;
-        $_SESSION['mailcow_cc_role']        = "user";
-        header("Location: /user");
+    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+    if (!$is_dual) {
+      $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
+      if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
+        if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $duallogin;
+          $_SESSION['mailcow_cc_role']        = "user";
+          header("Location: /user");
+        }
       }
-    }
-    else {
-      if (!empty(domain_admin('details', $duallogin))) {
-        $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
-        $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
-        $_SESSION['mailcow_cc_username']    = $duallogin;
-        $_SESSION['mailcow_cc_role']        = "domainadmin";
-        header("Location: /user");
+      else {
+        if (!empty(domain_admin('details', $duallogin))) {
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $duallogin;
+          $_SESSION['mailcow_cc_role']        = "domainadmin";
+          header("Location: /user");
+        }
       }
     }
   }

From 0807c122f659f074b8376313d9ab9c4bed6fba06 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 8 Mar 2024 15:11:49 +0100
Subject: [PATCH 121/378] [Web] set default LDAP options on get

---
 data/web/inc/functions.inc.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 274589972..864c07f4a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2143,6 +2143,12 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         $settings['client_secret'] = '';
         $settings['access_token'] = '';
       }
+      // return default ldap options
+      if ($settings["authsource"] == "ldap"){
+        $settings['use_ssl'] = !isset($settings['use_ssl']) ? false : $settings['use_ssl'];
+        $settings['use_tls'] = !isset($settings['use_tls']) ? false : $settings['use_tls'];
+        $settings['ignore_ssl_errors'] = !isset($settings['ignore_ssl_errors']) ? false : $settings['ignore_ssl_errors'];
+      }
       return $settings;
     break;
     case 'edit':

From c68a436a222e10c9c9a21d58d13c9b48c03d8eb3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 4 Apr 2024 09:30:30 +0200
Subject: [PATCH 122/378] [Web] fix invalid rspamd map check

---
 data/web/inc/functions.rspamd.inc.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/functions.rspamd.inc.php b/data/web/inc/functions.rspamd.inc.php
index fd1c5bd6c..ec86919c3 100644
--- a/data/web/inc/functions.rspamd.inc.php
+++ b/data/web/inc/functions.rspamd.inc.php
@@ -143,6 +143,7 @@ function rspamd_maps($_action, $_data = null) {
         return false;
       }
       $maps = (array)$_data['map'];
+      $valid_maps = array();
       foreach ($maps as $map) {
         foreach ($RSPAMD_MAPS as $rspamd_map_type) {
           if (!in_array($map, $rspamd_map_type)) {
@@ -151,9 +152,12 @@ function rspamd_maps($_action, $_data = null) {
               'log' => array(__FUNCTION__, $_action, '-'),
               'msg' => array('global_map_invalid', $map)
             );
-            continue;
+          } else {
+            array_push($valid_maps, $map);
           }
         }
+      }
+      foreach ($valid_maps as $map) {
         try {
           if (file_exists('/rspamd_custom_maps/' . $map)) {
             $map_content = trim($_data['rspamd_map_data']);

From cd24057f1ad410c2f6117b481af137e8b27b25d3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 4 Apr 2024 09:31:03 +0200
Subject: [PATCH 123/378] [Web] use SEC_FETCH_DEST header to block api requests

---
 data/web/json_api.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index 079e79ce8..2458e6624 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -47,6 +47,12 @@ function api_log($_data) {
   }
 }
 
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+  header('HTTP/1.1 403 Forbidden');
+  exit;
+}
+
 if (isset($_GET['query'])) {
 
   $query = explode('/', $_GET['query']);

From cf2fda66e2f359e50e2ac255f731509c35ff48fe Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 4 Apr 2024 09:31:20 +0200
Subject: [PATCH 124/378] [Web] escape html of alert messages

---
 data/web/inc/footer.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 8c50c9c15..ac1bff033 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -12,7 +12,8 @@ $alertbox_log_parser = alertbox_log_parser($_SESSION);
 $alerts = [];
 if (is_array($alertbox_log_parser)) {
   foreach ($alertbox_log_parser as $log) {
-    $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '<br>']);
+    $message = htmlspecialchars($log['msg'], ENT_QUOTES);
+    $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '<br>']);
     $alerts[trim($log['type'], '"')][] = trim($message, '"');
   }
   $alert = array_filter(array_unique($alerts));

From eadf70d809f87147faeece7c7a386f34fa049f23 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 18 Apr 2024 14:23:35 +0200
Subject: [PATCH 125/378] [Web] include prerequisites in autodiscover

---
 data/web/autodiscover.php | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index cff10b4c6..28819f567 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -1,27 +1,7 @@
 <?php
-require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
-require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
-require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
-$default_autodiscover_config = $autodiscover_config;
-if(file_exists('inc/vars.local.inc.php')) {
-  include_once 'inc/vars.local.inc.php';
-}
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
 
-// Redis
-$redis = new Redis();
-try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
-  }
-  else {
-    $redis->connect('redis-mailcow', 6379);
-  }
-}
-catch (Exception $e) {
-  exit;
-}
-
 error_reporting(0);
 
 $data = trim(file_get_contents("php://input"));

From 95d6eeb37aaa02252d83da869b127a24575b850d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 19 Apr 2024 20:32:44 +0200
Subject: [PATCH 126/378] [Web] revert include prerequisites in autodiscover -
 include autoload

---
 data/web/autodiscover.php | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 28819f567..323f89e78 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -1,7 +1,29 @@
 <?php
-require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/lib/vendor/autoload.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
+if(file_exists('inc/vars.local.inc.php')) {
+  include_once 'inc/vars.local.inc.php';
+}
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
+$default_autodiscover_config = $autodiscover_config;
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
 
+// Redis
+$redis = new Redis();
+try {
+  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  }
+  else {
+    $redis->connect('redis-mailcow', 6379);
+  }
+}
+catch (Exception $e) {
+  exit;
+}
+
 error_reporting(0);
 
 $data = trim(file_get_contents("php://input"));
@@ -30,6 +52,10 @@ $opt = [
   PDO::ATTR_EMULATE_PREPARES   => false,
 ];
 $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+
+// Init Identity Provider
+$iam_provider = identity_provider('init');
+
 $login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
 $login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));
 

From 3080a702874f70f79061cd42f2cc6537fbec1a87 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 3 Jun 2024 09:20:54 +0200
Subject: [PATCH 127/378] [Nightly][SOGo] Update to 5.10.0

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index f882d94a2..2fc444b5b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -190,7 +190,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:nightly-20240220
+      image: mailcow/sogo:nightly-20240603
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From f7ae2a6162958907bbfdd2df5237f343564080c8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 6 Jun 2024 12:12:30 +0200
Subject: [PATCH 128/378] [Nightly][SOGo] Update 5.10.0

---
 data/Dockerfiles/sogo/bootstrap-sogo.sh |  2 ++
 data/web/inc/init_db.inc.php            | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index 8913fd2c8..134d3853f 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -46,6 +46,8 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
     <string>YES</string>
     <key>SOGoEncryptionKey</key>
     <string>${RAND_PASS}</string>
+    <key>OCSAdminURL</key>
+    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
     <key>OCSCacheFolderURL</key>
     <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
     <key>OCSEMailAlarmsFolderURL</key>
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index afacbc724..b4ca9c9df 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "08012024_1442";
+    $db_version = "06062024_1210";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -993,6 +993,18 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "sogo_admin" => array(
+        "cols" => array(
+          "c_key" => "VARCHAR(255) NOT NULL DEFAULT ''",
+          "c_content"  => "mediumtext NOT NULL",
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("c_key")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "pushover" => array(
         "cols" => array(
           "username" => "VARCHAR(255) NOT NULL",

From b39b7c24a5db7a5809b0a951b1f06f6460313706 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 8 Aug 2024 17:04:56 +0200
Subject: [PATCH 129/378] [Web] fix incorrect user role assignment after TFA
 verification

---
 data/web/inc/triggers.inc.php | 48 +++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 13 deletions(-)

diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 0e29011de..30198778a 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -40,21 +40,43 @@ if (!empty($_GET['sso_token'])) {
 
 if (isset($_POST["verify_tfa_login"])) {
   if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
-    set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
-    $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
-    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
-      header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
-      die();
-    } else {
-      header("Location: /user");
+    if ($_SESSION['pending_mailcow_cc_role'] == "admin") {
+      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
+      $_SESSION['mailcow_cc_role'] = "admin";
+      unset($_SESSION['pending_mailcow_cc_username']);
+      unset($_SESSION['pending_mailcow_cc_role']);
+      unset($_SESSION['pending_tfa_methods']);
+      
+		  header("Location: /debug");
       die();
     }
-  } else {
-    unset($_SESSION['pending_mailcow_cc_username']);
-    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+    elseif ($_SESSION['pending_mailcow_cc_role'] == "domainadmin") {
+      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
+      $_SESSION['mailcow_cc_role'] = "domainadmin";
+      unset($_SESSION['pending_mailcow_cc_username']);
+      unset($_SESSION['pending_mailcow_cc_role']);
+      unset($_SESSION['pending_tfa_methods']);
+      
+		  header("Location: /mailbox");
+      die();
+    }
+    elseif ($_SESSION['pending_mailcow_cc_role'] == "user") {
+      set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
+      $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
+      $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+      if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+        header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
+        die();
+      } else {
+        header("Location: /user");
+        die();
+      }
+    }
   }
+
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
 }
 
 if (isset($_GET["cancel_tfa_login"])) {
@@ -80,7 +102,7 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
   if ($as == "admin") {
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
-		header("Location: /admin");
+		header("Location: /debug");
 	}
 	elseif ($as == "domainadmin") {
 		$_SESSION['mailcow_cc_username'] = $login_user;

From c034f4bd27738c22d48075260c3e73e0f040dbe8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 12 Aug 2024 10:10:33 +0200
Subject: [PATCH 130/378] [Web] fix wrong log type on PDOException

---
 data/web/inc/functions.mailbox.inc.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index af11a47d5..c6e789d81 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1328,9 +1328,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
        
           try {
             update_sogo_static_view($username);
-          }catch (PDOException $e) {
+          } catch (PDOException $e) {
             $_SESSION['return'][] = array(
-              'type' => 'success',
+              'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => $e->getMessage()
             );
@@ -3257,9 +3257,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
             try {
               update_sogo_static_view($username);
-            }catch (PDOException $e) {
+            } catch (PDOException $e) {
               $_SESSION['return'][] = array(
-                'type' => 'success',
+                'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
                 'msg' => $e->getMessage()
               );

From 092d3cd80b64e1f4a4ff46508b4deac8f0eea9c9 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 12 Aug 2024 10:14:53 +0200
Subject: [PATCH 131/378] [Web] extend ldap auth logging

---
 data/web/inc/functions.auth.inc.php | 30 ++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 78aca3c67..e9a1e4a6d 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -502,9 +502,31 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
 
     $user_res = $ldap_query->firstOrFail();
   } catch (Exception $e) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => $e->getMessage()
+    );
+    clear_session();
     return false;
   }
-  if (!$iam_provider->auth()->attempt($user_res['distinguishedname'][0], $pass)) {
+  try {
+    if (!$iam_provider->auth()->attempt($user_res['distinguishedname'][0], $pass)) {
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*', $user_res),
+        'msg' => 'failed_ldap_auth'
+      );
+      clear_session();
+      return false;
+    }
+  } catch (Exception $e) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', $user_res),
+      'msg' => $e->getMessage()
+    );
+    clear_session();
     return false;
   }
 
@@ -512,6 +534,12 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   // also return false if no mappers were defined
   $user_template = $user_res[$iam_settings['attribute_field']][0];
   if ($create && (empty($iam_settings['mappers']) || !$user_template)){
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', $user_res),
+      'msg' => 'no_matching_template'
+    );
+    clear_session();
     return false;
   } else if (!$create) {
     // login success - dont create mailbox

From 519d95cb8b4b5437a63f3a69f27ffbba2c7fd5b2 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 13 Aug 2024 09:30:54 +0200
Subject: [PATCH 132/378] [Web] extend ldap auth logging

---
 data/web/inc/functions.auth.inc.php | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index e9a1e4a6d..9ab54e4bb 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -502,12 +502,13 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
 
     $user_res = $ldap_query->firstOrFail();
   } catch (Exception $e) {
+    // clear $_SESSION['return'] to not leak data
+    $_SESSION['return'] = array();
     $_SESSION['return'][] =  array(
       'type' => 'danger',
       'log' => array(__FUNCTION__, $user, '*'),
-      'msg' => $e->getMessage()
+      'msg' => 'ldap_error'
     );
-    clear_session();
     return false;
   }
   try {
@@ -515,18 +516,18 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
       $_SESSION['return'][] =  array(
         'type' => 'danger',
         'log' => array(__FUNCTION__, $user, '*', $user_res),
-        'msg' => 'failed_ldap_auth'
+        'msg' => 'ldap_auth_failed'
       );
-      clear_session();
       return false;
     }
   } catch (Exception $e) {
+    // clear $_SESSION['return'] to not leak data
+    $_SESSION['return'] = array();
     $_SESSION['return'][] =  array(
       'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*', $user_res),
-      'msg' => $e->getMessage()
+      'log' => array(__FUNCTION__, $user, '*'),
+      'msg' => 'ldap_error'
     );
-    clear_session();
     return false;
   }
 
@@ -534,12 +535,6 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   // also return false if no mappers were defined
   $user_template = $user_res[$iam_settings['attribute_field']][0];
   if ($create && (empty($iam_settings['mappers']) || !$user_template)){
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*', $user_res),
-      'msg' => 'no_matching_template'
-    );
-    clear_session();
     return false;
   } else if (!$create) {
     // login success - dont create mailbox

From 58a5a4578ce452b5e946ad753d0e39dd0f4a8963 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 13 Aug 2024 12:14:05 +0200
Subject: [PATCH 133/378] [Web] use cn as fallback ldap login

---
 data/web/inc/functions.auth.inc.php | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 9ab54e4bb..f93eb54cf 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -498,7 +498,7 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
       $ldap_query = $ldap_query->rawFilter($iam_settings['filter']);
     }
     $ldap_query = $ldap_query->where($iam_settings['username_field'], '=', $user)
-      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname']);
+      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname', 'cn']);
 
     $user_res = $ldap_query->firstOrFail();
   } catch (Exception $e) {
@@ -513,12 +513,15 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   }
   try {
     if (!$iam_provider->auth()->attempt($user_res['distinguishedname'][0], $pass)) {
-      $_SESSION['return'][] =  array(
-        'type' => 'danger',
-        'log' => array(__FUNCTION__, $user, '*', $user_res),
-        'msg' => 'ldap_auth_failed'
-      );
-      return false;
+      // fallback to cn
+      if (!$iam_provider->auth()->attempt($user_res['cn'][0], $pass)) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $user, '*', $user_res),
+          'msg' => 'ldap_auth_failed'
+        );
+        return false;
+      }
     }
   } catch (Exception $e) {
     // clear $_SESSION['return'] to not leak data

From 1fc964d72e9ddfee505b4039e45049bdf52cf365 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 14 Aug 2024 10:12:10 +0200
Subject: [PATCH 134/378] compose: bump dovecot image to newest nightly
 (20240814)

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 7e0cf46b9..3913067bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -238,7 +238,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:nightly-20240807
+      image: mailcow/dovecot:nightly-20240814
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From fa3c453d6eed90acc6e86d1600802494f9e5dd87 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 15 Aug 2024 12:49:57 +0200
Subject: [PATCH 135/378] Use DN instead of DistinguishedName for LDAP login

---
 data/web/inc/functions.auth.inc.php | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index f93eb54cf..943bb1647 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -498,7 +498,7 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
       $ldap_query = $ldap_query->rawFilter($iam_settings['filter']);
     }
     $ldap_query = $ldap_query->where($iam_settings['username_field'], '=', $user)
-      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname', 'cn']);
+      ->select([$iam_settings['username_field'], $iam_settings['attribute_field'], 'displayname', 'distinguishedname', 'dn']);
 
     $user_res = $ldap_query->firstOrFail();
   } catch (Exception $e) {
@@ -506,29 +506,26 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
     $_SESSION['return'] = array();
     $_SESSION['return'][] =  array(
       'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
+      'log' => array(__FUNCTION__, $user, '*', $e->getMessage()),
       'msg' => 'ldap_error'
     );
     return false;
   }
   try {
-    if (!$iam_provider->auth()->attempt($user_res['distinguishedname'][0], $pass)) {
-      // fallback to cn
-      if (!$iam_provider->auth()->attempt($user_res['cn'][0], $pass)) {
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $user, '*', $user_res),
-          'msg' => 'ldap_auth_failed'
-        );
-        return false;
-      }
+    if (!$iam_provider->auth()->attempt($user_res['dn'], $pass)) {
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*', $user_res),
+        'msg' => 'ldap_auth_failed'
+      );
+      return false;
     }
   } catch (Exception $e) {
     // clear $_SESSION['return'] to not leak data
     $_SESSION['return'] = array();
     $_SESSION['return'][] =  array(
       'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*'),
+      'log' => array(__FUNCTION__, $user, '*', $e->getMessage()),
       'msg' => 'ldap_error'
     );
     return false;

From aeeac63e1fb832ee6f997a806558e042b9c2bd3f Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 20 Aug 2024 14:22:51 +0200
Subject: [PATCH 136/378] Fix: Escape a `'` character in `update.sh` (#6034)
 (#6035)

Co-authored-by: Hassan A Hashim <h3ssan@protonmail.com>
---
 update.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/update.sh b/update.sh
index 1f61ba995..dcc2020eb 100755
--- a/update.sh
+++ b/update.sh
@@ -404,7 +404,7 @@ while (($#)); do
   --nightly            -   Switch your mailcow updates to the unstable (nightly) branch. FOR TESTING PURPOSES ONLY!!!!
   --prefetch           -   Only prefetch new images and exit (useful to prepare updates)
   --skip-start         -   Do not start mailcow after update
-  --skip-ping-check    -   Skip ICMP Check to public DNS resolvers (Use it only if you've blocked any ICMP Connections to your mailcow machine)
+  --skip-ping-check    -   Skip ICMP Check to public DNS resolvers (Use it only if you'\''ve blocked any ICMP Connections to your mailcow machine)
   --stable             -   Switch your mailcow updates to the stable (master) branch. Default unless you changed it with --nightly.
   -f|--force           -   Force update, do not ask questions
   -d|--dev             -   Enables Developer Mode (No Checkout of update.sh for tests)

From dbf87e99fc11970721763a1abe92fc9a20857254 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 21 Aug 2024 10:48:04 +0200
Subject: [PATCH 137/378] [Web] Convert LDAP username_field and attribute_field
 to lowercase

---
 data/web/inc/functions.inc.php | 85 +++++++++++++++++-----------------
 1 file changed, 43 insertions(+), 42 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 97f97a421..15c3b0b9e 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -834,7 +834,7 @@ function update_sogo_static_view($mailbox = null) {
     // Check if the mailbox exists
     $stmt = $pdo->prepare("SELECT username FROM mailbox WHERE username = :mailbox AND active = '1'");
     $stmt->execute(array(':mailbox' => $mailbox));
-    $row = $stmt->fetch(PDO::FETCH_ASSOC);  
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
     if ($row){
       $mailbox_exists = true;
     }
@@ -844,7 +844,7 @@ function update_sogo_static_view($mailbox = null) {
   $random_password = base64_encode(openssl_random_pseudo_bytes(24));
   $random_salt = base64_encode(openssl_random_pseudo_bytes(16));
   $random_hash = '{SSHA256}' . base64_encode(hash('sha256', base64_decode($password) . $salt, true) . $salt);
-  
+
   $subquery = "GROUP BY mailbox.username";
   if ($mailbox_exists) {
     $subquery = "AND mailbox.username = :mailbox";
@@ -882,7 +882,7 @@ function update_sogo_static_view($mailbox = null) {
         `kind` = VALUES(`kind`),
         `multiple_bookings` = VALUES(`multiple_bookings`)";
 
-  
+
   if ($mailbox_exists) {
     $stmt = $pdo->prepare($query);
     $stmt->execute(array(
@@ -895,9 +895,9 @@ function update_sogo_static_view($mailbox = null) {
       ':random_hash' => $random_hash
     ));
   }
-  
+
   $stmt = $pdo->query("DELETE FROM _sogo_static_view WHERE `c_uid` NOT IN (SELECT `username` FROM `mailbox` WHERE `active` = '1');");
-  
+
   flush_memcached();
 }
 function edit_user_account($_data) {
@@ -930,7 +930,7 @@ function edit_user_account($_data) {
           AND `username` = :user AND authsource = 'mailcow'");
     $stmt->execute(array(':user' => $username));
     $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  
+
     if (!verify_hash($row['password'], $password_old)) {
       $_SESSION['return'][] =  array(
         'type' => 'danger',
@@ -939,7 +939,7 @@ function edit_user_account($_data) {
       );
       return false;
     }
-  
+
     $password_new = $_data['user_new_pass'];
     $password_new2  = $_data['user_new_pass2'];
     if (password_check($password_new, $password_new2) !== true) {
@@ -954,7 +954,7 @@ function edit_user_account($_data) {
       ':password_hashed' => $password_hashed,
       ':username' => $username
     ));
-  
+
     update_sogo_static_view();
   }
   // edit password recovery email
@@ -1210,7 +1210,7 @@ function set_tfa($_data) {
             $_data['registration']->certificate,
             0
         ));
-    
+
         $_SESSION['return'][] =  array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_data_log),
@@ -1380,7 +1380,7 @@ function unset_tfa_key($_data) {
 
   try {
     if (!is_numeric($id)) $access_denied = true;
-    
+
     // set access_denied error
     if ($access_denied){
       $_SESSION['return'][] = array(
@@ -1389,7 +1389,7 @@ function unset_tfa_key($_data) {
         'msg' => 'access_denied'
       );
       return false;
-    } 
+    }
 
     // check if it's last key
     $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa`
@@ -1438,7 +1438,7 @@ function get_tfa($username = null, $id = null) {
         WHERE `username` = :username AND `active` = '1'");
     $stmt->execute(array(':username' => $username));
     $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
- 
+
     // no tfa methods found
     if (count($results) == 0) {
         $data['name'] = 'none';
@@ -1646,8 +1646,8 @@ function verify_tfa_login($username, $_data) {
                   'msg' => array('webauthn_authenticator_failed')
               );
               return false;
-            } 
-            
+            }
+
             if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) {
                 $_SESSION['return'][] =  array(
                     'type' => 'danger',
@@ -2009,7 +2009,7 @@ function cors($action, $data = null) {
           'msg' => 'access_denied'
         );
         return false;
-      }    
+      }
 
       $allowed_origins = isset($data['allowed_origins']) ? $data['allowed_origins'] : array($_SERVER['SERVER_NAME']);
       $allowed_origins = !is_array($allowed_origins) ? array_filter(array_map('trim', explode("\n", $allowed_origins))) : $allowed_origins;
@@ -2042,7 +2042,7 @@ function cors($action, $data = null) {
         $redis->hMSet('CORS_SETTINGS', array(
           'allowed_origins' => implode(', ', $allowed_origins),
           'allowed_methods' => implode(', ', $allowed_methods)
-        ));   
+        ));
       } catch (RedisException $e) {
         $_SESSION['return'][] = array(
           'type' => 'danger',
@@ -2094,10 +2094,10 @@ function cors($action, $data = null) {
       header('Access-Control-Allow-Headers: Accept, Content-Type, X-Api-Key, Origin');
 
       // Access-Control settings requested, this is just a preflight request
-      if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' && 
+      if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS' &&
         isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) &&
         isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
-  
+
         $allowed_methods = explode(', ', $cors_settings["allowed_methods"]);
         if (in_array($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'], $allowed_methods, true))
           // method allowed send 200 OK
@@ -2216,7 +2216,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       $stmt = $pdo->prepare("SELECT * FROM `mailbox`
           WHERE `authsource` != 'mailcow'
           AND `authsource` IS NOT NULL
-          AND `authsource` != :authsource");  
+          AND `authsource` != :authsource");
       $stmt->execute(array(':authsource' => $_data['authsource']));
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       if ($rows) {
@@ -2247,7 +2247,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         break;
         case "ldap":
           $_data['port']              = (!empty($_data['port'])) ? intval($_data['port']) : 389;
-          $_data['username_field']    = (!empty($_data['username_field'])) ? $_data['username_field'] : "mail";
+          $_data['username_field']    = (!empty($_data['username_field'])) ? strtolower($_data['username_field']) : "mail";
+          $_data['attribute_field']   = (!empty($_data['attribute_field'])) ? strtolower($_data['attribute_field']) : "";
           $_data['filter']            = (!empty($_data['filter'])) ? $_data['filter'] : "";
           $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
@@ -2259,7 +2260,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
         break;
       }
-      
+
       $pdo->beginTransaction();
       $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
       // add connection settings
@@ -2343,7 +2344,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $res = curl_exec($curl);
           $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
           curl_close ($curl);
-          
+
           if ($code != 200) {
             return false;
           }
@@ -2391,7 +2392,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         );
         return false;
       }
-      
+
       $stmt = $pdo->query("SELECT * FROM `mailbox`
           WHERE `authsource` != 'mailcow'
           AND `authsource` IS NOT NULL");
@@ -2428,7 +2429,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
               'clientId'              => $iam_settings['client_id'],
               'clientSecret'          => $iam_settings['client_secret'],
               'redirectUri'           => $iam_settings['redirect_url'],
-              'version'               => $iam_settings['version'],                            
+              'version'               => $iam_settings['version'],
               // 'encryptionAlgorithm'   => 'RS256',                             // optional
               // 'encryptionKeyPath'     => '../key.pem'                         // optional
               // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
@@ -2488,7 +2489,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         );
         return false;
       }
-    
+
       try {
         $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
         $_SESSION['iam_token'] = $token->getToken();
@@ -2504,7 +2505,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
       // check if email address is given
       if (empty($info['email'])) return false;
-    
+
       // token valid, get mailbox
       $stmt = $pdo->prepare("SELECT * FROM `mailbox`
         INNER JOIN domain on mailbox.domain = domain.domain
@@ -2530,7 +2531,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       // also return false if no mappers were defined
       $user_template = $info['mailcow_template'];
       if (empty($iam_settings['mappers']) || empty($user_template)){
-        clear_session();  
+        clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $info['email']),
@@ -2542,7 +2543,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       // check if matching attribute exist
       $mapper_key = array_search($user_template, $iam_settings['mappers']);
       if ($mapper_key === false) {
-        clear_session();  
+        clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $info['email']),
@@ -2560,7 +2561,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         'template' => $iam_settings['templates'][$mapper_key]
       ));
       if (!$create_res){
-        clear_session();  
+        clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $info['email']),
@@ -2568,7 +2569,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         );
         return false;
       }
-    
+
       set_user_loggedin_session($info['email']);
       $_SESSION['return'][] =  array(
         'type' => 'success',
@@ -2586,7 +2587,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
         $info = $provider->getResourceOwner($token)->toArray();
       } catch (Throwable $e) {
-        clear_session();  
+        clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__),
@@ -2596,7 +2597,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
 
       if (empty($info['email'])){
-        clear_session();  
+        clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@@ -2604,14 +2605,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         );
         return false;
       }
-    
+
       $_SESSION['mailcow_cc_username'] = $info['email'];
       $_SESSION['mailcow_cc_role'] = "user";
       return true;
     break;
     case "get-redirect":
       $iam_settings = identity_provider('get');
-      if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') 
+      if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc')
         return false;
       $provider = $_data['iam_provider'];
       $authUrl = $provider->getAuthorizationUrl();
@@ -2667,7 +2668,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       if ($code != 200) {
         return false;
       }
-      
+
       $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES (:key, :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
       $stmt->execute(array(
         ':key' => 'access_token',
@@ -2702,7 +2703,7 @@ function reset_password($action, $data = null) {
     break;
     case 'issue':
       $username = $data;
-      
+
       // perform cleanup
       $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE created < DATE_SUB(NOW(), INTERVAL :lifetime MINUTE);");
       $stmt->execute(array(':lifetime' => $PW_RESET_TOKEN_LIFETIME));
@@ -2784,8 +2785,8 @@ function reset_password($action, $data = null) {
       $request_date = new DateTime();
       $locale_date = locale_get_default();
       $date_formatter = new IntlDateFormatter(
-        $locale_date, 
-        IntlDateFormatter::FULL, 
+        $locale_date,
+        IntlDateFormatter::FULL,
         IntlDateFormatter::FULL
       );
       $formatted_request_date = $date_formatter->format($request_date);
@@ -2901,7 +2902,7 @@ function reset_password($action, $data = null) {
       $stmt->execute(array(
         ':username' => $username
       ));
-   
+
       $_SESSION['return'][] = array(
         'type' => 'success',
         'log' => array(__FUNCTION__, $action, $_data_log),
@@ -2944,7 +2945,7 @@ function reset_password($action, $data = null) {
       $text = $data['text'];
       $html = $data['html'];
       $subject = $data['subject'];
-    
+
       if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
         $_SESSION['return'][] =  array(
           'type' => 'danger',
@@ -2977,7 +2978,7 @@ function reset_password($action, $data = null) {
         );
         return false;
       }
-    
+
       ini_set('max_execution_time', 0);
       ini_set('max_input_time', 0);
       $mail = new PHPMailer;
@@ -3009,7 +3010,7 @@ function reset_password($action, $data = null) {
         return false;
       }
       $mail->ClearAllRecipients();
-    
+
       return true;
     break;
   }

From ef238e533214c8a3e9e6e4b4d9dfdd564bfd57e6 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 28 Aug 2024 11:28:37 +0200
Subject: [PATCH 138/378] [LDAP] skip sync user if username_field in LDAP is
 empty

---
 data/conf/phpfpm/crons/ldap-sync.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 1a53884c3..93b22b941 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -146,6 +146,11 @@ foreach ($response as $user) {
     continue;
   }
 
+  if (empty($user[$iam_settings['username_field']][0])){
+    logMsg("warning", "Skipping user " . $user['displayname'][0] . " due to empty LDAP ". $iam_settings['username_field'] . "property.'");
+    continue;
+  }
+
   if (!$row && intval($iam_settings['import_users']) == 1){
     // mailbox user does not exist, create...
     logMsg("info", "Creating user " .  $user[$iam_settings['username_field']][0]);

From b307e0a0d55474825d54f83b12339ee75c9b1a72 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Sep 2024 09:57:33 +0200
Subject: [PATCH 139/378] [PHP-FPM] Add missing space in log message

---
 data/conf/phpfpm/crons/ldap-sync.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 93b22b941..75eddc7a1 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -147,7 +147,7 @@ foreach ($response as $user) {
   }
 
   if (empty($user[$iam_settings['username_field']][0])){
-    logMsg("warning", "Skipping user " . $user['displayname'][0] . " due to empty LDAP ". $iam_settings['username_field'] . "property.'");
+    logMsg("warning", "Skipping user " . $user['displayname'][0] . " due to empty LDAP ". $iam_settings['username_field'] . " property.");
     continue;
   }
 

From 320bd31d372770b8abf444223b5d74376ff4c5b1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Sep 2024 10:02:10 +0200
Subject: [PATCH 140/378] [Web] fix LDAP "ignore ssl errors" option

---
 data/web/inc/functions.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 15c3b0b9e..3588d36ed 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2359,7 +2359,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
           $options = array();
           if ($_data['ignore_ssl_error']) {
-            $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";
+            $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
           }
           $provider = new \LdapRecord\Connection([
             'hosts'                     => [$_data['host']],
@@ -2455,7 +2455,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
             $iam_settings['binddn'] && $iam_settings['bindpass']){
             $options = array();
             if ($iam_settings['ignore_ssl_error']) {
-              $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";
+              $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
             }
             $provider = new \LdapRecord\Connection([
               'hosts'                     => [$iam_settings['host']],

From 82fcddb177639ae1a1884094ce3d7fbb8dbbafda Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Sep 2024 10:12:51 +0200
Subject: [PATCH 141/378] [Web] Fix catch block in LDAP connection test

---
 data/web/inc/functions.inc.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 3588d36ed..fc703c353 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2373,9 +2373,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           ]);
           try {
             $provider->connect();
-          } catch (TypeError $e) {
-            return false;
-          } catch (\LdapRecord\Auth\BindException $e) {
+          } catch (Throwable $e) {
             return false;
           }
         break;

From 0b9b8c906061857addaed0f10603b3ffc49f9c14 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 6 Sep 2024 10:05:00 +0200
Subject: [PATCH 142/378] [Web] Ensure correct SOGo SSO password is used after
 Dovecot restart

---
 data/web/sogo-auth.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index 640a8e00c..dbc54d7c2 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -47,13 +47,10 @@ elseif (isset($_GET['login'])) {
     (($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0) || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
     if (filter_var($login, FILTER_VALIDATE_EMAIL)) {
       if (user_get_alias_details($login) !== false) {
-        // load master password
-        $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
-        // register username and password in session
+        // register username in session
         $_SESSION[$session_var_user_allowed][] = $login;
-        $_SESSION[$session_var_pass] = $sogo_sso_pass;
         // set dual login
-        if ($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0 && $is_dual === false && $_SESSION['mailcow_cc_role'] != "user"){      
+        if ($_SESSION['acl']['login_as'] == "1" && $ALLOW_ADMIN_EMAIL_LOGIN !== 0 && $is_dual === false && $_SESSION['mailcow_cc_role'] != "user"){
           $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
           $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
           $_SESSION['mailcow_cc_username']    = $login;
@@ -95,7 +92,7 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
         in_array($email, $_SESSION[$session_var_user_allowed])
     ) {
       $username = $email;
-      $password = $_SESSION[$session_var_pass];
+      $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
       header("X-User: $username");
       header("X-Auth: Basic ".base64_encode("$username:$password"));
       header("X-Auth-Type: Basic");

From f9304dcd9befcbcae3c1ffdbd4c9cfecad722f2b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 9 Oct 2024 12:34:39 +0200
Subject: [PATCH 143/378] [Web] check if $iam_provider is null on
 ldap_mbox_login

---
 data/web/inc/functions.auth.inc.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 943bb1647..a0424f3ed 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -2,7 +2,7 @@
 function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
   global $pdo;
   global $redis;
-  
+
   $is_internal = $extra['is_internal'];
   $role = $extra['role'];
 
@@ -194,7 +194,7 @@ function user_login($user, $pass, $extra = null){
       $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
       if ($result !== false) return $result;
     }
-  } 
+  }
   if ($row['active'] != 1) {
     return false;
   }
@@ -313,7 +313,7 @@ function user_login($user, $pass, $extra = null){
       }
     break;
   }
- 
+
   return false;
 }
 function apppass_login($user, $pass, $app_passwd_data, $extra = null){
@@ -364,7 +364,7 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){
     ':user' => $user,
   ));
   $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-  
+
   foreach ($rows as $row) {
     if ($protocol && $row[$protocol . '_access'] != '1'){
       continue;
@@ -476,7 +476,7 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
 }
 function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
   global $pdo;
-  
+
   $iam_provider = identity_provider();
   $is_internal = $extra['is_internal'];
   $create = $extra['create'];
@@ -491,6 +491,9 @@ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
     }
     return false;
   }
+  if (!$iam_provider) {
+    return false;
+  }
 
   try {
     $ldap_query = $iam_provider->query();

From 52f3f93aeef939dcf831ba26e82d1c9e34aa54b8 Mon Sep 17 00:00:00 2001
From: Niklas Meyer <niklas.meyer@servercow.de>
Date: Mon, 11 Nov 2024 16:50:14 +0100
Subject: [PATCH 144/378] update.sh: precaution ask for deletion of
 dns_blocklists.cf if old format (#6154)

---
 update.sh | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/update.sh b/update.sh
index fe8aee72f..cf94eb71c 100755
--- a/update.sh
+++ b/update.sh
@@ -275,6 +275,34 @@ detect_bad_asn() {
   fi
 }
 
+fix_broken_dnslist_conf() {
+
+# Fixing issue: #6143. To be removed in a later patch
+
+  local file="${SCRIPT_DIR}/data/conf/postfix/dns_blocklists.cf"
+    # Check if the file exists
+  if [[ ! -f "$file" ]]; then
+      return 1
+  fi
+
+  # Check if the file contains the autogenerated comment
+  if grep -q "# Autogenerated by mailcow" "$file"; then
+      # Ask the user if custom changes were made
+      echo -e "\e[91mWARNING!!! \e[31mAn old version of dns_blocklists.cnf has been detected which may cause a broken postfix upon startup (see: https://github.com/mailcow/mailcow-dockerized/issues/6143)...\e[0m"
+      echo -e "\e[31mIf you have any custom settings in there you might copy it away and adapt the changes after the file is regenerated...\e[0m"
+      read -p "Do you want to delete the file now and let mailcow regenerate it properly? " response
+      if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+        rm "$file"
+        echo -e "\e[32mdns_blocklists.cf has been deleted and will be properly regenerated"
+        return 0
+      else
+        echo -e "\e[35mOk, not deleting it! Please make sure you take a look at postfix upon start then..."
+        return 2
+      fi
+  fi  
+
+}
+
 ############## End Function Section ##############
 
 # Check permissions
@@ -437,6 +465,8 @@ source mailcow.conf
 
 detect_docker_compose_command
 
+fix_broken_dnslist_conf
+
 DOTS=${MAILCOW_HOSTNAME//[^.]};
 if [ ${#DOTS} -lt 1 ]; then
   echo -e "\e[31mMAILCOW_HOSTNAME (${MAILCOW_HOSTNAME}) is not a FQDN!\e[0m"

From dc5a28111d1d77915234d1e4d9f2853fb9e4b59a Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Mon, 11 Nov 2024 21:39:15 +0100
Subject: [PATCH 145/378] [Web] Updated lang.zh-cn.json (#6151)

[Web] Updated lang.zh-cn.json

Co-authored-by: Easton Man <me@eastonman.com>
---
 data/web/lang/lang.zh-cn.json | 145 ++++++++++++++++++++++++++++------
 1 file changed, 123 insertions(+), 22 deletions(-)

diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index bac42e5d7..ca6c9aaf2 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -63,7 +63,7 @@
         "exclude": "拒绝对象 (Regex)",
         "full_name": "全称",
         "gal": "全球地址簿",
-        "gal_info": "<b>全球地址簿</b>包含了域名下的所有对象，并且此行为不能被用户更改。如果关闭，用户的 \"空闲/繁忙\" 的状态将无法在 SOGo 中显示。 <b>重启 SOGo 服务以应用更改。</b>",
+        "gal_info": "全球地址簿包含了域名下的所有对象，并且此行为不能被用户更改。如果关闭，用户的 \"空闲/繁忙\" 的状态将无法在 SOGo 中显示。 <b>重启 SOGo 服务以应用更改。</b>",
         "generate": "生成",
         "goto_ham": "学习为<span class=\"text-success\"><b>非垃圾邮件</b></span>",
         "goto_null": "静默丢弃邮件",
@@ -146,7 +146,7 @@
         "arrival_time": "到达时间 (服务器时间)",
         "authed_user": "已认证用户",
         "ays": "确定继续操作?",
-        "ban_list_info": "以下为被封禁的 IP 列表: <b>网络 (剩余封禁时间) - [操作]</b>。<br />被取消封禁的 IP 将会在几秒之内从封禁列表中移除<br />红色标签表示因黑名单而导致的永久封禁",
+        "ban_list_info": "以下为被封禁的 IP 列表: <b>网络 (剩余封禁时间) - [操作]</b>。<br />被取消封禁的 IP 将会在几秒之内从封禁列表中移除<br />红色标签表示因黑名单而导致的永久封禁。",
         "change_logo": "更改 Logo",
         "configuration": "配置",
         "convert_html_to_text": "将 HTML 转换为纯文本内容",
@@ -292,7 +292,7 @@
         "rsettings_preset_2": "允许管理员接收垃圾邮件",
         "rsettings_preset_3": "只允许指定的发件人发信 (例如只允许内部邮箱发送)",
         "rsettings_preset_4": "禁用域名的 Rspamd 服务",
-        "rspamd_com_settings": "设置名称将会自动生成，请看参考下方的示例预设。查看<a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd 文档</a>以了解更多的细节。",
+        "rspamd_com_settings": "设置名称将会自动生成，请看参考下方的示例预设。查看<a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd 文档</a>以了解更多的细节",
         "rspamd_global_filters": "全局过滤规则",
         "rspamd_global_filters_agree": "我会小心谨慎的!",
         "rspamd_global_filters_info": "全局过滤规则包含了不同类型的全局黑名单和白名单。",
@@ -353,7 +353,7 @@
         "password_reset_tmpl_html": "HTML 模版",
         "password_reset_tmpl_text": "文字模版",
         "password_settings": "密码设定",
-        "restore_template": "留空以恢复预设模版",
+        "restore_template": "留空以恢复预设模版。",
         "ip_check": "IP 检查",
         "ip_check_disabled": "IP 检查已禁用。你可透过以下路径启用<br> <strong>系统 > 配置 > 选项 > 页面自定义</strong>",
         "queue_unban": "解除封禁",
@@ -481,7 +481,21 @@
         "template_exists": "模板 %s 已存在",
         "template_name_invalid": "模板名称无效",
         "cors_invalid_method": "制定的允许模式无效",
-        "cors_invalid_origin": "指定的允许原无效"
+        "cors_invalid_origin": "指定的允许原无效",
+        "reset_token_limit_exceeded": "Reset token 数量已达上限。请稍后再尝试。",
+        "extended_sender_acl_denied": "缺少设置外部发送者地址的 ACL",
+        "img_dimensions_exceeded": "图片超出最大图片大小",
+        "img_size_exceeded": "图片超过最大文件大小",
+        "invalid_reset_token": "不合法的 reset token",
+        "password_reset_invalid_user": "未找到此信箱或未设置恢复邮箱",
+        "password_reset_na": "密码恢复目前无法使用。请联系您的管理员。",
+        "recovery_email_failed": "无法发送恢复邮件。请联系您的管理员。",
+        "template_id_invalid": "Template ID %s 无效",
+        "to_invalid": "收件人不能为空",
+        "webauthn_authenticator_failed": "找不到所选的 authenticator",
+        "webauthn_publickey_failed": "没有为选定的身份验证器保存公钥",
+        "webauthn_username_failed": "所选的 authenticator 属于另一个账户",
+        "demo_mode_enabled": "演示模式已开启"
     },
     "debug": {
         "chart_this_server": "图表 (此服务器)",
@@ -516,7 +530,13 @@
         "error_show_ip": "无法解析公网IP地址",
         "show_ip": "显示公网IP",
         "update_available": "有可用更新",
-        "update_failed": "无法检查更新"
+        "update_failed": "无法检查更新",
+        "architecture": "结构",
+        "container_stopped": "已停止",
+        "current_time": "系统时间",
+        "timezone": "时区",
+        "no_update_available": "系统已经是最新版本",
+        "wip": "正在施工中"
     },
     "diagnostics": {
         "cname_from_a": "来自 A/AAAA 记录的值。但只要记录指向正确的资源即可。",
@@ -640,7 +660,31 @@
         "title": "编辑对象",
         "unchanged_if_empty": "如果不更改则留空",
         "username": "用户名",
-        "validate_save": "验证并保存"
+        "validate_save": "验证并保存",
+        "domain_footer_info_vars": {
+            "from_name": "{= from_name =}   - 信件中的 From name 字段，例如对于 \"Mailcow &lt;moo@mailcow.tld&gt;\" 来说它是 \"Mailcow\"",
+            "auth_user": "{= auth_user =}   - MTA 指定的经过认证的用户名",
+            "from_user": "{= from_user =}   - 信件中的 From user 字段，例如对于 \"moo@mailcow.tld\" 来说它是 \"moo\"",
+            "from_addr": "{= from_addr =}   - 信件中的 From address 字段",
+            "from_domain": "{= from_domain =} - 信件中的 From domain 字段",
+            "custom": "{= foo =}         - 如果信箱有一个自定义属性 \"foo\" 的值为 \"bar\"， 它将返回 \"bar\""
+        },
+        "created_on": "创建于",
+        "custom_attributes": "自定义属性",
+        "mailbox_rename": "重命名信箱",
+        "mailbox_rename_agree": "我已经创建了一个备份。",
+        "mailbox_rename_warning": "重要！ 重命名信箱之前请先创建备份。",
+        "mailbox_rename_alias": "自动创建别名",
+        "mailbox_rename_title": "新本地信箱的名字",
+        "password_recovery_email": "密码重置邮箱",
+        "domain_footer": "域页脚",
+        "domain_footer_html": "HTML footer",
+        "domain_footer_info": "Domain-wide footers 会被加入到该 domain 下的地址发出的所有邮件中。 <br> 下列变量可以在 footer 中使用：",
+        "domain_footer_plain": "纯文字 footer",
+        "domain_footer_skip_replies": "在回信中忽略 footer",
+        "footer_exclude": "从 footer 中排除",
+        "last_modified": "上次修改时间",
+        "pushover_sound": "声音"
     },
     "fido2": {
         "confirm": "确认",
@@ -675,13 +719,14 @@
     "header": {
         "administration": "配置和管理",
         "apps": "应用",
-        "debug": "系统信息",
+        "debug": "信息",
         "email": "E-Mail",
         "mailcow_config": "配置",
         "quarantine": "隔离",
         "restart_netfilter": "重启 netfilter",
         "restart_sogo": "重启 SOGo",
-        "user_settings": "用户设置"
+        "user_settings": "用户设置",
+        "mailcow_system": "系统"
     },
     "info": {
         "awaiting_tfa_confirmation": "等待 TFA 确认",
@@ -695,7 +740,14 @@
         "mobileconfig_info": "请使用邮箱用户登录以下载 Apple 连接描述文件。",
         "other_logins": "Key 登录",
         "password": "密码",
-        "username": "用户名"
+        "username": "用户名",
+        "forgot_password": "> 忘记密码？",
+        "back_to_mailcow": "返回到 mailcow",
+        "new_password": "新密码",
+        "new_password_confirm": "确认新密码",
+        "reset_password": "重置密码",
+        "request_reset_password": "请求重置密码",
+        "invalid_pass_reset_token": "密码重置 token 无效或已过期。<br> 请重新获取新的密码重置链接。"
     },
     "mailbox": {
         "action": "操作",
@@ -799,9 +851,9 @@
         "recipient_map": "收件人映射",
         "recipient_map_info": "收件人映射用于在邮件被发送前替换收件人的地址。",
         "recipient_map_new": "新收件人",
-        "recipient_map_new_info": "新收件人必须为合法的邮箱地址",
+        "recipient_map_new_info": "新收件人必须为合法的邮箱地址。",
         "recipient_map_old": "原收件人",
-        "recipient_map_old_info": "原收件人必须为合法的邮箱地址",
+        "recipient_map_old_info": "原收件人必须为合法的邮箱地址。",
         "recipient_maps": "收件人映射",
         "relay_all": "中继所有收件人",
         "remove": "删除",
@@ -818,7 +870,7 @@
         "sieve_preset_5": "自动回复 (休假)",
         "sieve_preset_6": "拒绝接收邮件并通知",
         "sieve_preset_7": "重定向邮件并保留或删除",
-        "sieve_preset_8": "删除发件人发送给自己别名地址的邮件",
+        "sieve_preset_8": "重定向来自特定发件人的邮件，标记为已读并放入子文件夹中",
         "sieve_preset_header": "请看下方的示例预设。 查看 <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Sieve Wikipedia 页面 (英文)</a>以了解更多细节。",
         "sogo_visible": "SOGo 别名显示",
         "sogo_visible_n": "在 SOGo 中隐藏别名",
@@ -860,10 +912,20 @@
         "mailbox_templates": "邮箱模板",
         "gal": "全局地址列表",
         "max_aliases": "最大别名数",
-        "max_mailboxes": "最大可能的邮箱数"
+        "max_mailboxes": "最大可能的邮箱数",
+        "created_on": "建立于",
+        "force_pw_update": "强制在下一次登陆时更新密码",
+        "add_template": "新增模板",
+        "goto_ham": "学习为 <b> 非垃圾邮件 </b>",
+        "goto_spam": "学习为 <b> 垃圾邮件 </b>",
+        "last_modified": "上次修改时间",
+        "max_quota": "每个信箱的最大容量配额",
+        "relay_unknown": "转发未知信箱",
+        "templates": "模板",
+        "template": "模板"
     },
     "oauth2": {
-        "access_denied": "请作为邮箱所有者登录以使用 OAuth2 授权",
+        "access_denied": "请作为邮箱所有者登录以使用 OAuth2 授权。",
         "authorize_app": "授权应用",
         "deny": "拒绝",
         "permit": "授权应用",
@@ -926,7 +988,19 @@
     },
     "queue": {
         "queue_manager": "队列管理器",
-        "delete": "全部删除"
+        "delete": "全部删除",
+        "info": "邮件队列包含所有等待投递的邮件。如果邮件长时间停留在邮件队列中，系统会自动将其删除。<br>对应的邮件错误信息会提供有关邮件无法送达的原因。",
+        "flush": "刷新队列",
+        "legend": "邮件队列操作功能：",
+        "ays": "请确认您要删除当前队列中的所有项目。",
+        "deliver_mail": "投递",
+        "deliver_mail_legend": "尝试重新投递选中的邮件。",
+        "hold_mail": "保留",
+        "hold_mail_legend": "保持选中的邮件。（不继续投递）",
+        "show_message": "显示内容",
+        "unban": "队列解除限制",
+        "unhold_mail": "取消保持",
+        "unhold_mail_legend": "允许选中的邮件继续投递。（需要在保持状态）"
     },
     "ratelimit": {
         "disabled": "禁用",
@@ -994,7 +1068,7 @@
         "nginx_reloaded": "Nginx 已重新启动",
         "object_modified": "已保存对象 %s 更改",
         "password_policy_saved": "已成功保存密码规则",
-        "pushover_settings_edited": "已成功设置 Pushover，请重新校验凭证",
+        "pushover_settings_edited": "Pushover 设置已保存，请重新校验凭证。",
         "qlearn_spam": "消息 ID %s 已被学习为垃圾邮件并被删除",
         "queue_command_success": "成功执行配额命令",
         "recipient_map_entry_deleted": "已删除接收人映射 ID %s",
@@ -1018,7 +1092,17 @@
         "verified_fido2_login": "FIDO2 登录验证成功",
         "verified_totp_login": "TOTP 登录验证成功",
         "verified_webauthn_login": "WebAuthn 登录验证成功",
-        "verified_yotp_login": "Yubico OTP 登录验证成功"
+        "verified_yotp_login": "Yubico OTP 登录验证成功",
+        "domain_footer_modified": "对域 footer %s 的修改已保存",
+        "cors_headers_edited": "CORS 设置已保存",
+        "ip_check_opt_in_modified": "IP 检查已保存",
+        "f2b_banlist_refreshed": "黑名单 ID 已成功刷新。",
+        "mailbox_renamed": "信箱 %s 已被重命名为 %s",
+        "password_changed_success": "密码重置成功",
+        "recovery_email_sent": "重置邮件已发送至 %s",
+        "template_added": "新增了模板 %s",
+        "template_modified": "模板 %s 的修改已保存",
+        "template_removed": "模板 ID %s 已删除"
     },
     "tfa": {
         "api_register": "%s 使用了 Yubico Cloud API，请<a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">在此</a>为你的密钥获取 API 密钥",
@@ -1045,7 +1129,8 @@
         "webauthn": "WebAuthn 认证",
         "waiting_usb_auth": "<i>等待 USB 设备中...</i><br><br>现在请触碰你的 WebAuthn USB 设备上的按钮。",
         "waiting_usb_register": "<i>等待 USB 设备中...</i><br><br>请在上方输入你的密码并请触碰你的 WebAuthn USB 设备上的按钮以确认注册该 WebAuthn 设备。",
-        "yubi_otp": "Yubico OTP 认证"
+        "yubi_otp": "Yubico OTP 认证",
+        "authenticators": "验证器（Authenticators）"
     },
     "user": {
         "action": "操作",
@@ -1062,7 +1147,7 @@
         "alias_valid_until": "有效至",
         "aliases_also_send_as": "同时允许发送为",
         "aliases_send_as_all": "已关闭发件人可访性检查的域名和域名别名",
-        "app_hint": "应用密码是你登录 <b>IMAP 和 SMTP</b> 时的可选替代密码，用户名仍然保持不变。<br>应用密码不适用于 SOGo (包括 ActiveSync) ",
+        "app_hint": "应用密码是你登录 <b>IMAP 和 SMTP</b> 时的可选替代密码，用户名仍然保持不变。<br>应用密码不适用于 SOGo (包括 ActiveSync)。",
         "allowed_protocols": "允许使用的协议",
         "app_name": "应用名称",
         "app_passwds": "应用密码",
@@ -1206,7 +1291,12 @@
         "weeks": "周",
         "with_app_password": "包含应用密码",
         "year": "年",
-        "years": "年"
+        "years": "年",
+        "pw_recovery_email": "密码重置邮箱",
+        "password_reset_info": "如果不提供密码重置邮箱，此功能将无法使用。",
+        "pushover_sound": "声音",
+        "value": "值",
+        "attribute": "属性"
     },
     "warning": {
         "cannot_delete_self": "不能删除已登录的用户",
@@ -1233,6 +1323,17 @@
             "last": "最后一页",
             "previous": "上一页",
             "next": "下一页"
-        }
+        },
+        "aria": {
+            "sortDescending": ": 激活以降序对列进行排序",
+            "sortAscending": ": 激活以升序对列进行排序"
+        },
+        "decimal": ".",
+        "emptyTable": "表中没有可用的数据",
+        "infoFiltered": "（从 _MAX_ 个总条目中过滤）",
+        "thousands": ",",
+        "lengthMenu": "显示 _MENU_ 条目",
+        "loadingRecords": "加载中...",
+        "zeroRecords": "未找到符合条件的记录"
     }
 }

From afe0ba74d28665c64dbbfebfea8654ea144ec959 Mon Sep 17 00:00:00 2001
From: Niklas Meyer <niklas.meyer@servercow.de>
Date: Tue, 12 Nov 2024 11:11:34 +0100
Subject: [PATCH 146/378] compose: bump sogo version to include 5.11.2 (#6156)

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index c462ba88c..56e6d4bfb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -177,7 +177,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.127
+      image: mailcow/sogo:1.127.1
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From b90375b6e5f76d8653002eb13f52901b28e2adc5 Mon Sep 17 00:00:00 2001
From: Niklas Meyer <niklas.meyer@servercow.de>
Date: Tue, 12 Nov 2024 15:56:23 +0100
Subject: [PATCH 147/378] php: use correct php image + workaround of #6149
 (#6159)

* compose: bump php-fpm container to correctly use patched c-ares

* [Web] check $containers_info contains required fields

---------

Co-authored-by: FreddleSpl0it <patschul@posteo.de>
---
 data/web/debug.php | 22 +++++++++++++---------
 docker-compose.yml |  2 +-
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/data/web/debug.php b/data/web/debug.php
index 9c338009c..4a099cb6e 100644
--- a/data/web/debug.php
+++ b/data/web/debug.php
@@ -23,11 +23,15 @@ $exec_fields = array('cmd' => 'system', 'task' => 'df', 'dir' => '/var/vmail');
 $vmail_df = explode(',', (string)json_decode(docker('post', 'dovecot-mailcow', 'exec', $exec_fields), true));
 
 // containers
-$containers = (array) docker('info');
-if ($clamd_status === false) unset($containers['clamd-mailcow']);
-if ($solr_status === false) unset($containers['solr-mailcow']);
-ksort($containers);
-foreach ($containers as $container => $container_info) {
+$containers_info = (array) docker('info');
+if ($clamd_status === false) unset($containers_info['clamd-mailcow']);
+if ($solr_status === false) unset($containers_info['solr-mailcow']);
+ksort($containers_info);
+$containers = array();
+foreach ($containers_info as $container => $container_info) {
+  if (!isset($container_info['State']) || !is_array($container_info['State']) || !isset($container_info['State']['StartedAt'])){
+    continue;
+  }
   date_default_timezone_set('UTC');
   $StartedAt = date_parse($container_info['State']['StartedAt']);
   if ($StartedAt['hour'] !== false) {
@@ -42,15 +46,15 @@ foreach ($containers as $container => $container_info) {
     try {
       $user_tz = new DateTimeZone(getenv('TZ'));
       $date->setTimezone($user_tz);
-      $started = $date->format('r');
+      $container_info['State']['StartedAtHR'] = $date->format('r');
     } catch(Exception $e) {
-      $started = '?';
+      $container_info['State']['StartedAtHR'] = '?';
     }
   }
   else {
-    $started = '?';
+    $container_info['State']['StartedAtHR'] = '?';
   }
-  $containers[$container]['State']['StartedAtHR'] = $started;
+  $containers[$container] = $container_info;
 }
 
 // get mailcow data
diff --git a/docker-compose.yml b/docker-compose.yml
index 56e6d4bfb..b0324521a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -112,7 +112,7 @@ services:
             - rspamd
 
     php-fpm-mailcow:
-      image: mailcow/phpfpm:1.91
+      image: mailcow/phpfpm:1.91.1
       command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
       depends_on:
         - redis-mailcow

From 05e4bd7602e2d7fecdab638e8e3a8aa2562c5f53 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 29 Nov 2024 15:50:35 +0100
Subject: [PATCH 148/378] [Web] use global vars for iam_provider and
 iam_settings

---
 data/web/admin.php                  |  2 -
 data/web/autodiscover.php           |  1 +
 data/web/edit.php                   |  1 -
 data/web/inc/functions.auth.inc.php | 22 +++----
 data/web/inc/functions.inc.php      | 89 ++++++++++++-----------------
 data/web/inc/prerequisites.inc.php  |  3 +-
 data/web/inc/triggers.inc.php       |  8 +--
 data/web/index.php                  |  4 +-
 data/web/json_api.php               |  2 +-
 9 files changed, 60 insertions(+), 72 deletions(-)

diff --git a/data/web/admin.php b/data/web/admin.php
index 9af7b6449..2081f34a6 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -86,8 +86,6 @@ $cors_settings['allowed_origins'] = str_replace(", ", "\n", $cors_settings['allo
 $cors_settings['allowed_methods'] = explode(", ", $cors_settings['allowed_methods']);
 
 $f2b_data = fail2ban('get');
-// identity provider
-$iam_settings = identity_provider('get');
 // mbox templates
 $mbox_templates = mailbox('get', 'mailbox_templates');
 
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 323f89e78..0b03eb3ce 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -55,6 +55,7 @@ $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
 
 // Init Identity Provider
 $iam_provider = identity_provider('init');
+$iam_settings = identity_provider('get');
 
 $login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
 $login_pass = trim(htmlspecialchars_decode($_SERVER['PHP_AUTH_PW']));
diff --git a/data/web/edit.php b/data/web/edit.php
index fb7051b4c..b6359d172 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -119,7 +119,6 @@ if (isset($_SESSION['mailcow_cc_role'])) {
         $quarantine_category = mailbox('get', 'quarantine_category', $mailbox);
         $get_tls_policy = mailbox('get', 'tls_policy', $mailbox);
         $rlyhosts = relayhost('get');
-        $iam_settings = identity_provider('get');
         $template = 'edit/mailbox.twig';
         $template_data = [
           'acl' => $_SESSION['acl'],
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index a0424f3ed..74cd6d956 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -162,6 +162,8 @@ function domainadmin_login($user, $pass){
 }
 function user_login($user, $pass, $extra = null){
   global $pdo;
+  global $iam_provider;
+  global $iam_settings;
 
   $is_internal = $extra['is_internal'];
 
@@ -186,12 +188,11 @@ function user_login($user, $pass, $extra = null){
 
   // user does not exist, try call idp login and create user if possible via rest flow
   if (!$row){
-    $iam_settings = identity_provider('get');
     if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){
-      $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
+      $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal, 'create' => true));
       if ($result !== false) return $result;
     } else if ($iam_settings['authsource'] == 'ldap') {
-      $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal, 'create' => true));
+      $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal, 'create' => true));
       if ($result !== false) return $result;
     }
   }
@@ -202,9 +203,8 @@ function user_login($user, $pass, $extra = null){
   switch ($row['authsource']) {
     case 'keycloak':
       // user authsource is keycloak, try using via rest flow
-      $iam_settings = identity_provider('get');
       if (intval($iam_settings['mailpassword_flow']) == 1){
-        $result = keycloak_mbox_login_rest($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+        $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal));
         if ($result !== false) {
           // check for tfa authenticators
           $authenticators = get_tfa($user);
@@ -243,8 +243,7 @@ function user_login($user, $pass, $extra = null){
     break;
     case 'ldap':
       // user authsource is ldap
-      $iam_settings = identity_provider('get');
-      $result = ldap_mbox_login($user, $pass, $iam_settings, array('is_internal' => $is_internal));
+      $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal));
       if ($result !== false) {
         // check for tfa authenticators
         $authenticators = get_tfa($user);
@@ -397,8 +396,10 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){
 // Keycloak REST Api Flow - auth user by mailcow_password attribute
 // This password will be used for direct UI, IMAP and SMTP Auth
 // To use direct user credentials, only Authorization Code Flow is valid
-function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
+function keycloak_mbox_login_rest($user, $pass, $extra = null){
   global $pdo;
+  global $iam_provider;
+  global $iam_settings;
 
   $is_internal = $extra['is_internal'];
   $create = $extra['create'];
@@ -474,10 +475,11 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
 
   return 'user';
 }
-function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
+function ldap_mbox_login($user, $pass, $extra = null){
   global $pdo;
+  global $iam_provider;
+  global $iam_settings;
 
-  $iam_provider = identity_provider();
   $is_internal = $extra['is_internal'];
   $create = $extra['create'];
 
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index fc703c353..c7cab469d 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1072,6 +1072,8 @@ function set_tfa($_data) {
   global $pdo;
   global $yubi;
   global $tfa;
+  global $iam_settings;
+
   $_data_log = $_data;
   $access_denied = null;
   !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
@@ -1100,7 +1102,6 @@ function set_tfa($_data) {
     $row = $stmt->fetch(PDO::FETCH_ASSOC);
     if ($row) {
       if ($row['authsource'] == 'ldap'){
-        $iam_settings = identity_provider('get');
         if (!ldap_mbox_login($username, $_data["confirm_password"], $iam_settings)) $access_denied = true;
         else $access_denied = false;
       } else {
@@ -2129,20 +2130,13 @@ function uuid4() {
 function identity_provider($_action = null, $_data = null, $_extra = null) {
   global $pdo;
   global $iam_provider;
+  global $iam_settings;
 
   $data_log = $_data;
   if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
   if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
 
   switch ($_action) {
-    case NULL:
-      if ($iam_provider) {
-        return $iam_provider;
-      } else {
-        $iam_provider = identity_provider("init");
-        return $iam_provider;
-      }
-    break;
     case 'get':
       $settings = array();
       $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");
@@ -2414,20 +2408,20 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       return true;
     break;
     case "init":
-      $iam_settings = identity_provider('get');
+      $settings = identity_provider('get');
       $provider = null;
 
-      switch ($iam_settings['authsource']) {
+      switch ($settings['authsource']) {
         case "keycloak":
-          if ($iam_settings['server_url'] && $iam_settings['realm'] && $iam_settings['client_id'] &&
-            $iam_settings['client_secret'] && $iam_settings['redirect_url'] && $iam_settings['version']){
+          if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] &&
+            $settings['client_secret'] && $settings['redirect_url'] && $settings['version']){
             $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
-              'authServerUrl'         => $iam_settings['server_url'],
-              'realm'                 => $iam_settings['realm'],
-              'clientId'              => $iam_settings['client_id'],
-              'clientSecret'          => $iam_settings['client_secret'],
-              'redirectUri'           => $iam_settings['redirect_url'],
-              'version'               => $iam_settings['version'],
+              'authServerUrl'         => $settings['server_url'],
+              'realm'                 => $settings['realm'],
+              'clientId'              => $settings['client_id'],
+              'clientSecret'          => $settings['client_secret'],
+              'redirectUri'           => $settings['redirect_url'],
+              'version'               => $settings['version'],
               // 'encryptionAlgorithm'   => 'RS256',                             // optional
               // 'encryptionKeyPath'     => '../key.pem'                         // optional
               // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
@@ -2435,34 +2429,34 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           }
         break;
         case "generic-oidc":
-          if ($iam_settings['client_id'] && $iam_settings['client_secret'] && $iam_settings['redirect_url'] &&
-            $iam_settings['authorize_url'] && $iam_settings['token_url'] && $iam_settings['userinfo_url']){
+          if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] &&
+            $settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){
             $provider = new \League\OAuth2\Client\Provider\GenericProvider([
-              'clientId'                => $iam_settings['client_id'],
-              'clientSecret'            => $iam_settings['client_secret'],
-              'redirectUri'             => $iam_settings['redirect_url'],
-              'urlAuthorize'            => $iam_settings['authorize_url'],
-              'urlAccessToken'          => $iam_settings['token_url'],
-              'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
-              'scopes'                  => $iam_settings['client_scopes']
+              'clientId'                => $settings['client_id'],
+              'clientSecret'            => $settings['client_secret'],
+              'redirectUri'             => $settings['redirect_url'],
+              'urlAuthorize'            => $settings['authorize_url'],
+              'urlAccessToken'          => $settings['token_url'],
+              'urlResourceOwnerDetails' => $settings['userinfo_url'],
+              'scopes'                  => $settings['client_scopes']
             ]);
           }
         break;
         case "ldap":
-          if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] &&
-            $iam_settings['binddn'] && $iam_settings['bindpass']){
+          if ($settings['host'] && $settings['port'] && $settings['basedn'] &&
+            $settings['binddn'] && $settings['bindpass']){
             $options = array();
-            if ($iam_settings['ignore_ssl_error']) {
+            if ($settings['ignore_ssl_error']) {
               $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
             }
             $provider = new \LdapRecord\Connection([
-              'hosts'                     => [$iam_settings['host']],
-              'port'                      => $iam_settings['port'],
-              'base_dn'                   => $iam_settings['basedn'],
-              'username'                  => $iam_settings['binddn'],
-              'password'                  => $iam_settings['bindpass'],
-              'use_ssl'                   => $iam_settings['use_ssl'],
-              'use_tls'                   => $iam_settings['use_tls'],
+              'hosts'                     => [$settings['host']],
+              'port'                      => $settings['port'],
+              'base_dn'                   => $settings['basedn'],
+              'username'                  => $settings['binddn'],
+              'password'                  => $settings['bindpass'],
+              'use_ssl'                   => $settings['use_ssl'],
+              'use_tls'                   => $settings['use_tls'],
               'options'                   => $options
             ]);
             try {
@@ -2477,8 +2471,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       return $provider;
     break;
     case "verify-sso":
-      $provider = $_data['iam_provider'];
-      $iam_settings = identity_provider('get');
       if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){
         $_SESSION['return'][] =  array(
           'type' => 'danger',
@@ -2489,10 +2481,10 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
 
       try {
-        $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
+        $token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
         $_SESSION['iam_token'] = $token->getToken();
         $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
-        $info = $provider->getResourceOwner($token)->toArray();
+        $info = $iam_provider->getResourceOwner($token)->toArray();
       } catch (Throwable $e) {
         $_SESSION['return'][] =  array(
           'type' => 'danger',
@@ -2577,13 +2569,11 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       return true;
     break;
     case "refresh-token":
-      $provider = $_data['iam_provider'];
-
       try {
-        $token = $provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
+        $token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
         $_SESSION['iam_token'] = $token->getToken();
         $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
-        $info = $provider->getResourceOwner($token)->toArray();
+        $info = $iam_provider->getResourceOwner($token)->toArray();
       } catch (Throwable $e) {
         clear_session();
         $_SESSION['return'][] =  array(
@@ -2609,17 +2599,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       return true;
     break;
     case "get-redirect":
-      $iam_settings = identity_provider('get');
       if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc')
         return false;
-      $provider = $_data['iam_provider'];
-      $authUrl = $provider->getAuthorizationUrl();
-      $_SESSION['oauth2state'] = $provider->getState();
+      $authUrl = $iam_provider->getAuthorizationUrl();
+      $_SESSION['oauth2state'] = $iam_provider->getState();
       return $authUrl;
     break;
     case "get-keycloak-admin-token":
       // get access_token for service account of mailcow client
-      $iam_settings = identity_provider('get');
       if ($iam_settings['authsource'] !== 'keycloak') return false;
       if (isset($iam_settings['access_token'])) {
         // check if access_token is valid
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index fb30956f4..e67271412 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -180,6 +180,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 
 // Init Identity Provider
 $iam_provider = identity_provider('init');
+$iam_settings = identity_provider('get');
 
 // IMAP lib
 // use Ddeboer\Imap\Server;
@@ -323,7 +324,7 @@ $UI_TEXTS = customize('get', 'ui_texts');
 if (file_exists('/web/css/themes/'.$UI_THEME.'-bootstrap.css'))
   $css_minifier->add('/web/css/themes/'.$UI_THEME.'-bootstrap.css');
 else
-  $css_minifier->add('/web/css/themes/lumen-bootstrap.css'); 
+  $css_minifier->add('/web/css/themes/lumen-bootstrap.css');
 // minify css build files
 foreach ($css_dir as $css_file) {
   $css_minifier->add('/web/css/build/' . $css_file);
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 7f330ba1c..b0c2237d6 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -3,18 +3,18 @@
 if ($iam_provider){
   if (isset($_GET['iam_sso'])){
     // redirect for sso
-    $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
+    $redirect_uri = identity_provider('get-redirect');
     $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
     header('Location: ' . $redirect_uri);
     die();
   }
   if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
     // Session found, try to refresh
-    $isRefreshed = identity_provider('refresh-token', array('iam_provider' => $iam_provider));
+    $isRefreshed = identity_provider('refresh-token');
 
     if (!$isRefreshed){
       // Session could not be refreshed, redirect to provider
-      $redirect_uri = identity_provider('get-redirect', array('iam_provider' => $iam_provider));
+      $redirect_uri = identity_provider('get-redirect');
       $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
       header('Location: ' . $redirect_uri);
       die();
@@ -23,7 +23,7 @@ if ($iam_provider){
     // Check given state against previously stored one to mitigate CSRF attack
     // Recieved access token in $_GET['code']
     // extract info and verify user
-    identity_provider('verify-sso', array('iam_provider' => $iam_provider));
+    identity_provider('verify-sso');
   }
 }
 
diff --git a/data/web/index.php b/data/web/index.php
index 08857006f..0282e4835 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -15,7 +15,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   header('Location: /mailbox');
   exit();
 }
-elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {    
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
   $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
   $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
   if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
@@ -32,7 +32,7 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
 
 $has_iam_sso = false;
 if ($iam_provider){
-  $has_iam_sso = identity_provider("get-redirect", array('iam_provider' => $iam_provider)) ? true : false; 
+  $has_iam_sso = identity_provider("get-redirect") ? true : false;
 }
 
 
diff --git a/data/web/json_api.php b/data/web/json_api.php
index a3103ffa1..4e9d2a0ed 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1708,7 +1708,7 @@ if (isset($_GET['query'])) {
               $score = array("score" => preg_replace("/\s+/", "", $score));
             process_get_return($score);
           case "identity_provider":
-            process_get_return(identity_provider('get'));
+            process_get_return($iam_settings);
           break;
         break;
         // return no route found if no case is matched

From b2db8e6b314d586a062b248b9553f533f4ed67a5 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 29 Nov 2024 16:52:34 +0100
Subject: [PATCH 149/378] [Dovecot] init identity provider before user login

---
 data/conf/dovecot/auth/mailcowauth.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 2c3c01b30..6d7660577 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -12,7 +12,7 @@ $return = array("success" => false);
 if(!isset($post['username']) || !isset($post['password']) || !isset($post['real_rip'])){
   error_log("MAILCOWAUTH: Bad Request");
   http_response_code(400); // Bad Request
-  echo json_encode($return); 
+  echo json_encode($return);
   exit();
 }
 
@@ -35,7 +35,7 @@ try {
 catch (PDOException $e) {
   error_log("MAILCOWAUTH: " . $e . PHP_EOL);
   http_response_code(500); // Internal Server Error
-  echo json_encode($return); 
+  echo json_encode($return);
   exit;
 }
 
@@ -57,7 +57,6 @@ if ($isSOGoRequest) {
     error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
     $result = true;
   }
-  
 }
 if ($result === false){
   $result = apppass_login($post['username'], $post['password'], $protocol, array(
@@ -67,6 +66,10 @@ if ($result === false){
   if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
 }
 if ($result === false){
+  // Init Identity Provider
+  $iam_provider = identity_provider('init');
+  $iam_settings = identity_provider('get');
+  error_log('MAILCOWAUTH Try: User auth for user ' . $post['username']);
   $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
   if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 }
@@ -80,6 +83,6 @@ if ($result) {
 }
 
 
-echo json_encode($return); 
+echo json_encode($return);
 session_destroy();
 exit;

From ec4b9b088c875f967fdc160a21481361a101127b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 29 Nov 2024 18:59:07 +0100
Subject: [PATCH 150/378] [Web] support multiple ldap hosts separated by comma

---
 data/web/inc/functions.inc.php                |   5 +-
 data/web/lang/lang.en-gb.json                 |   1 +
 .../admin/tab-config-identity-provider.twig   | 153 +++++++++++++-----
 3 files changed, 116 insertions(+), 43 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index c7cab469d..6ae49e7bc 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2240,6 +2240,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
         break;
         case "ldap":
+          $_data['host']              = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : "";
           $_data['port']              = (!empty($_data['port'])) ? intval($_data['port']) : 389;
           $_data['username_field']    = (!empty($_data['username_field'])) ? strtolower($_data['username_field']) : "mail";
           $_data['attribute_field']   = (!empty($_data['attribute_field'])) ? strtolower($_data['attribute_field']) : "";
@@ -2356,7 +2357,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
             $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
           }
           $provider = new \LdapRecord\Connection([
-            'hosts'                     => [$_data['host']],
+            'hosts'                     => explode(",", $_data['host']),
             'port'                      => $_data['port'],
             'base_dn'                   => $_data['basedn'],
             'username'                  => $_data['binddn'],
@@ -2450,7 +2451,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
               $options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;
             }
             $provider = new \LdapRecord\Connection([
-              'hosts'                     => [$settings['host']],
+              'hosts'                     => explode(",", $settings['host']),
               'port'                      => $settings['port'],
               'base_dn'                   => $settings['basedn'],
               'username'                  => $settings['binddn'],
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 5c9c1b21b..c9a7f9dfa 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -225,6 +225,7 @@
         "iam_description": "Configure an external Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
         "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
         "iam_host": "Host",
+        "iam_host_info": "Enter one or more LDAP hosts, separated by commas.",
         "iam_import_users": "Import Users",
         "iam_mapping": "Attribute Mapping",
         "iam_bindpass": "Bind Password",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index e5103d970..e2cc56838 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -9,7 +9,9 @@
     <div id="collapse-tab-config-identity-provider" class="card-body collapse" data-bs-parent="#admin-content">
       <p class="offset-sm-3 mb-4">{{ lang.admin.iam_description|raw }}</p>
       <div class="row mb-4">
-        <label class="control-label col-md-3 text-sm-end" for="iam_realm">{{ lang.admin.iam }}:</label>
+        <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+          <label class="control-label" for="iam_realm">{{ lang.admin.iam }}:</label>
+        </div>
         <div class="col-12 col-md-9 col-lg-4">
           <select
             data-style="btn btn-secondary"
@@ -26,25 +28,33 @@
         <form class="form-horizontal" autocapitalize="none" data-id="iam_keycloak" autocorrect="off" role="form" method="post">
           <input type="hidden" name="authsource" value="keycloak">
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_url">{{ lang.admin.iam_server_url }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+                <label class="control-label" for="iam_keycloak_url">{{ lang.admin.iam_server_url }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_url" name="server_url" value="{{ iam_settings.server_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_realm">{{ lang.admin.iam_realm }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_keycloak_realm">{{ lang.admin.iam_realm }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_realm" name="realm" value="{{ iam_settings.realm }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_clientid">{{ lang.admin.iam_client_id }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_keycloak_clientid">{{ lang.admin.iam_client_id }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_clientid" name="client_id" value="{{ iam_settings.client_id }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_clientsecret">{{ lang.admin.iam_client_secret }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_keycloak_clientsecret">{{ lang.admin.iam_client_secret }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="reveal-password-input input-group">
                 <input type="password" class="password-field form-control" id="iam_keycloak_clientsecret" name="client_secret" value="{{ iam_settings.client_secret }}" required>
@@ -53,19 +63,25 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_redirecturl">{{ lang.admin.iam_redirect_url }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_keycloak_redirecturl">{{ lang.admin.iam_redirect_url }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_keycloak_redirecturl" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
             </div>
           </div>
           <div class="row mb-4">
-            <label class="control-label col-md-3 text-sm-end" for="iam_keycloak_version">{{ lang.admin.iam_version }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_keycloak_version">{{ lang.admin.iam_version }}:</label>
+            </div>
             <div class="col-sm-4">
               <input type="text" class="form-control" id="iam_keycloak_version" name="version" value="{{ iam_settings.version }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_mapping }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="row px-2 align-items-center">
                 <span class="col-5 p-0 pe-2">Attribute</span>
@@ -121,13 +137,15 @@
             {% endif %}
           </div>
           <div class="row mb-2 mt-4">
-            <label class="control-label col-md-3 text-sm-end"></label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end"></div>
             <div class="col-12 col-md-9">
               <span>{{ lang.admin.iam_extra_permission|raw }}</span>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_rest_flow }}</label>
+            <div class="col-md-3 d-flex align-items-start justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_rest_flow }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="mailpassword_flow" value="1" {% if iam_settings.mailpassword_flow == 1 %}checked{% endif %}>
@@ -140,7 +158,9 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_periodic_full_sync }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_periodic_full_sync }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="periodic_sync"  value="1" {% if iam_settings.periodic_sync == 1 %}checked{% endif %}>
@@ -148,7 +168,9 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_import_users }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_import_users }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="import_users"  value="1" {% if iam_settings.import_users == 1 %}checked{% endif %}>
@@ -156,14 +178,16 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_sync_interval }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_sync_interval }}</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input class="form-control" type="number" min="1" name="sync_interval" style="width: 80px;"  {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
             </div>
           </div>
           <div class="row mt-4 mb-2">
             <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
-              <div class="btn-group mb-2">   
+              <div class="btn-group mb-2">
                 <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection iam_test_connection" data-id="iam_keycloak"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
                 <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_keycloak" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
               </div>
@@ -176,31 +200,41 @@
         <form class="form-horizontal" autocapitalize="none" data-id="iam_generic" autocorrect="off" role="form" method="post">
           <input type="hidden" name="authsource" value="generic-oidc">
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_authorize_url">{{ lang.admin.iam_authorize_url }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_authorize_url">{{ lang.admin.iam_authorize_url }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_authorize_url" name="authorize_url" value="{{ iam_settings.authorize_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_token_url">{{ lang.admin.iam_token_url }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_token_url">{{ lang.admin.iam_token_url }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_token_url" name="token_url" value="{{ iam_settings.token_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_userinfo_url">{{ lang.admin.iam_userinfo_url }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_userinfo_url">{{ lang.admin.iam_userinfo_url }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_userinfo_url" name="userinfo_url" value="{{ iam_settings.userinfo_url }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_client_id">{{ lang.admin.iam_client_id }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_client_id" name="client_id" value="{{ iam_settings.client_id }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_client_secret">{{ lang.admin.iam_client_secret }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="reveal-password-input input-group">
                 <input type="password" class="password-field form-control" id="iam_client_secret" name="client_secret" value="{{ iam_settings.client_secret }}" required>
@@ -209,19 +243,25 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
             </div>
           </div>
           <div class="row mb-4">
-            <label class="control-label col-md-3 text-sm-end" for="iam_client_scopes">{{ lang.admin.iam_client_scopes }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_client_scopes">{{ lang.admin.iam_client_scopes }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" placeholder="openid profile email" class="form-control" id="iam_client_scopes" name="client_scopes" value="{{ iam_settings.client_scopes }}">
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_mapping }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="row px-2 align-items-center">
                 <span class="col-5 p-0 pe-2">Attribute</span>
@@ -278,7 +318,7 @@
           </div>
           <div class="row mt-4 mb-2">
             <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
-              <div class="btn-group mb-2">   
+              <div class="btn-group mb-2">
                 <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection" data-id="iam_generic"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
                 <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_generic" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
               </div>
@@ -291,19 +331,26 @@
         <form class="form-horizontal" autocapitalize="none" data-id="iam_ldap" autocorrect="off" role="form" method="post">
           <input type="hidden" name="authsource" value="ldap">
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_host">{{ lang.admin.iam_host }}:</label>
-            <div class="col-12 col-md-9 col-lg-4">
-              <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_host_info }}"></i>
+              <label class="control-label" for="iam_ldap_host">{{ lang.admin.iam_host }}:</label>
+            </div>
+            <div class="col-12 col-md-9 col-lg-4 d-flex">
+            <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_port">{{ lang.admin.iam_port }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_port">{{ lang.admin.iam_port }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="number" class="form-control" id="iam_ldap_port" name="port" value="{{ iam_settings.port }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_use_ssl }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_use_ssl }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="use_ssl" value="1" {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
@@ -311,7 +358,9 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_use_tls }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_use_tls }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="use_tls" value="1" {% if iam_settings.use_tls == 1 %}checked{% endif %}>
@@ -319,7 +368,9 @@
             </div>
           </div>
           <div class="row mb-4">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.ignore_ssl_error }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.ignore_ssl_error }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
@@ -327,37 +378,49 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_basedn">{{ lang.admin.iam_basedn }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_basedn">{{ lang.admin.iam_basedn }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_ldap_basedn" name="basedn" value="{{ iam_settings.basedn }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_username_field">{{ lang.admin.iam_username_field }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_username_field">{{ lang.admin.iam_username_field }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" placeholder="mail" id="iam_ldap_username_field" name="username_field" value="{{ iam_settings.username_field }}">
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_filter">{{ lang.admin.filter }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_filter">{{ lang.admin.filter }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" placeholder="" id="iam_ldap_filter" name="filter" value="{{ iam_settings.filter }}">
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_attribute_field">{{ lang.admin.iam_attribute_field }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_attribute_field">{{ lang.admin.iam_attribute_field }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_ldap_attribute_field" name="attribute_field" value="{{ iam_settings.attribute_field }}" required>
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_binddn">{{ lang.admin.iam_binddn }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_binddn">{{ lang.admin.iam_binddn }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_ldap_binddn" name="binddn" value="{{ iam_settings.binddn }}" required>
             </div>
           </div>
           <div class="row mb-4">
-            <label class="control-label col-md-3 text-sm-end" for="iam_ldap_bindpass">{{ lang.admin.iam_bindpass }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label" for="iam_ldap_bindpass">{{ lang.admin.iam_bindpass }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="reveal-password-input input-group">
                 <input type="password" class="password-field form-control" id="iam_ldap_bindpass" name="bindpass" value="{{ iam_settings.bindpass }}" required>
@@ -366,7 +429,9 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_mapping }}:</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="row px-2 align-items-center">
                 <span class="col-5 p-0 pe-2">Attribute</span>
@@ -422,7 +487,9 @@
             {% endif %}
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_periodic_full_sync }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_periodic_full_sync }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="periodic_sync"  value="1" {% if iam_settings.periodic_sync == 1 %}checked{% endif %}>
@@ -430,7 +497,9 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_import_users }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_import_users }}</label>
+            </div>
             <div class="col-12 col-md-9">
               <div class="form-check form-switch">
                 <input class="form-check-input" type="checkbox" role="switch" name="import_users"  value="1" {% if iam_settings.import_users == 1 %}checked{% endif %}>
@@ -438,14 +507,16 @@
             </div>
           </div>
           <div class="row mb-2">
-            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_sync_interval }}</label>
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_sync_interval }}</label>
+            </div>
             <div class="col-12 col-md-9 col-lg-4">
               <input class="form-control" type="number" min="1" name="sync_interval" style="width: 80px;"  {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
             </div>
           </div>
           <div class="row mt-4 mb-2">
             <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
-              <div class="btn-group mb-2">   
+              <div class="btn-group mb-2">
                 <button class="btn btn-sm d-block d-sm-inline btn-secondary iam_test_connection iam_test_connection" data-id="iam_ldap"><i class="bi bi-play"></i> {{ lang.admin.iam_test_connection }}</button>
                 <button class="btn btn-sm d-block d-sm-inline btn-success" data-item="identity-provider" data-action="edit_selected" data-id="iam_ldap" data-api-url='edit/identity-provider' data-api-attr='{}'><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
               </div>

From c8c4cfd939a5c4fd91cbe0c892a9cc9614314f0e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sat, 30 Nov 2024 14:37:07 +0100
Subject: [PATCH 151/378] [Web] add ignore ssl option for keycloak and
 generic-oidc provider

---
 data/web/inc/functions.inc.php                | 23 +++++++++++++++----
 .../admin/tab-config-identity-provider.twig   | 20 ++++++++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 6ae49e7bc..dfe3a15ad 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2222,6 +2222,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return false;
       }
 
+      $_data['ignore_ssl_error']  = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
       switch ($_data['authsource']) {
         case "keycloak":
           $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
@@ -2230,14 +2231,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-          $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval');
+          $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error');
         break;
         case "generic-oidc":
           $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
           $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
           $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
           $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
-          $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
+          $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error');
         break;
         case "ldap":
           $_data['host']              = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : "";
@@ -2249,7 +2250,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
           $_data['use_ssl']           = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
           $_data['use_tls']           = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
-          $_data['ignore_ssl_error']  = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
           $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
@@ -2416,6 +2416,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         case "keycloak":
           if ($settings['server_url'] && $settings['realm'] && $settings['client_id'] &&
             $settings['client_secret'] && $settings['redirect_url'] && $settings['version']){
+            $guzzyClient = new GuzzleHttp\Client([
+              'defaults' => [
+                \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
+                \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true],
+                \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],
+              ]
+            );
             $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
               'authServerUrl'         => $settings['server_url'],
               'realm'                 => $settings['realm'],
@@ -2427,11 +2434,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
               // 'encryptionKeyPath'     => '../key.pem'                         // optional
               // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
             ]);
+            $provider->setHttpClient($guzzyClient);
           }
         break;
         case "generic-oidc":
           if ($settings['client_id'] && $settings['client_secret'] && $settings['redirect_url'] &&
             $settings['authorize_url'] && $settings['token_url'] && $settings['userinfo_url']){
+            $guzzyClient = new GuzzleHttp\Client([
+              'defaults' => [
+                \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
+                \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true],
+                \GuzzleHttp\RequestOptions::VERIFY => !$settings['ignore_ssl_error'],
+              ]
+            );
             $provider = new \League\OAuth2\Client\Provider\GenericProvider([
               'clientId'                => $settings['client_id'],
               'clientSecret'            => $settings['client_secret'],
@@ -2441,6 +2456,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
               'urlResourceOwnerDetails' => $settings['userinfo_url'],
               'scopes'                  => $settings['client_scopes']
             ]);
+            $provider->setHttpClient($guzzyClient);
           }
         break;
         case "ldap":
@@ -2468,7 +2484,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           }
         break;
       }
-
       return $provider;
     break;
     case "verify-sso":
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index e2cc56838..e2cea7fa2 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -157,6 +157,16 @@
               </p>
             </div>
           </div>
+          <div class="row mb-2">
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.ignore_ssl_error }}</label>
+            </div>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
               <label class="control-label">{{ lang.admin.iam_periodic_full_sync }}</label>
@@ -316,6 +326,16 @@
             </div>
             {% endif %}
           </div>
+          <div class="row mb-4">
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.ignore_ssl_error }}</label>
+            </div>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mt-4 mb-2">
             <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
               <div class="btn-group mb-2">

From d61a08c2a9bc108cd085f8320bc1c3b09db17ede Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sat, 30 Nov 2024 14:39:05 +0100
Subject: [PATCH 152/378] [Web] hide auth heading for external managed users

---
 data/web/templates/user/tab-user-auth.twig | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index 0f30d333c..5c90bedf5 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -43,7 +43,7 @@
               {{ mailboxdata.percent_in_use }}%
             </div>
           </div>
-          
+
           <div class="row">
             <div class="col-12 col-md-3 d-flex">
               <span class="mt-2 w-100 text-md-end">{{ lang.user.protocols }}:</span>
@@ -64,12 +64,12 @@
             </div>
             <div class="col-12 col-md-8">
               <div class="d-flex">
-                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_mailonly }}"></i> 
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_mailonly }}"></i>
                 <a href="/mobileconfig.php?only_email">{{ lang.user.email }} <small>[IMAP, SMTP]</small></a>
-              </div> 
+              </div>
               {% if not skip_sogo %}
               <div class="d-flex">
-                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_complete }}"></i>  
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_complete }}"></i>
                 <a href="/mobileconfig.php">{{ lang.user.email_and_dav }} <small>[IMAP, SMTP, Cal/CardDAV]</small></a>
               </div>
               {% endif %}
@@ -81,12 +81,12 @@
             </div>
             <div class="col-12 col-md-9">
               <div class="d-flex">
-                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_mailonly }} {{ lang.user.apple_connection_profile_with_app_password }}"></i> 
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_mailonly }} {{ lang.user.apple_connection_profile_with_app_password }}"></i>
                 <a href="/mobileconfig.php?only_email&amp;app_password">{{ lang.user.email }} <small>[IMAP, SMTP]</small></a>
               </div>
               {% if not skip_sogo %}
               <div class="d-flex">
-                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_complete }} {{ lang.user.apple_connection_profile_with_app_password }}"></i> 
+                <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill me-2" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.user.apple_connection_profile_complete }} {{ lang.user.apple_connection_profile_with_app_password }}"></i>
                 <a href="/mobileconfig.php?app_password">{{ lang.user.email_and_dav }} <small>[IMAP, SMTP, Cal/CardDAV]</small></a>
               </div>
               {% endif %}
@@ -99,10 +99,10 @@
             </div>
           </div>
 
+          {% if mailboxdata.authsource == "mailcow" %}
           <legend class="mt-4">{{ lang.user.authentication }}</legend>
           <hr>
           {# Password Change #}
-          {% if mailboxdata.authsource == "mailcow" %}
           <div class="row">
             <div class="col-12 col-md-3 d-flex"></div>
             <div class="col-12 col-md-9 d-flex flex-wrap">

From 45c13c687b7c294d24708cd44eb05062d0862d33 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sun, 1 Dec 2024 16:36:16 +0100
Subject: [PATCH 153/378] [Web] update user based on template after login

---
 data/conf/phpfpm/crons/keycloak-sync.php | 16 +++---
 data/conf/phpfpm/crons/ldap-sync.php     |  6 ++-
 data/web/inc/functions.acl.inc.php       | 10 ++--
 data/web/inc/functions.auth.inc.php      |  2 +-
 data/web/inc/functions.inc.php           | 55 ++++++++++++---------
 data/web/inc/functions.mailbox.inc.php   | 62 ++++++++++++------------
 data/web/inc/functions.ratelimit.inc.php |  4 +-
 7 files changed, 85 insertions(+), 70 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index 3a7b1da7b..a7e46c4fd 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -114,7 +114,7 @@ $iam_provider = identity_provider('init');
 while (true) {
   // Get admin access token
   $admin_token = identity_provider("get-keycloak-admin-token");
-  
+
   // Make the API request to retrieve the users
   $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users?first=$start&max=$max";
   $ch = curl_init();
@@ -127,7 +127,7 @@ while (true) {
   $response = curl_exec($ch);
   $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
   curl_close($ch);
-  
+
   if ($code != 200){
     logMsg("err", "Recieved HTTP {$code}");
     session_destroy();
@@ -157,8 +157,8 @@ while (true) {
       logMsg("warning", "No attributes in keycloak found for user " . $user['email']);
       continue;
     }
-    if (!isset($user['attributes']['mailcow_template']) || 
-        !is_array($user['attributes']['mailcow_template']) || 
+    if (!isset($user['attributes']['mailcow_template']) ||
+        !is_array($user['attributes']['mailcow_template']) ||
         count($user['attributes']['mailcow_template']) == 0) {
       logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']);
       continue;
@@ -195,7 +195,8 @@ while (true) {
         'local_part' => explode('@', $user['email'])[0],
         'name' => $user['firstName'] . " " . $user['lastName'],
         'authsource' => 'keycloak',
-        'template' => $mbox_template
+        'template' => $mbox_template,
+        'hasAccess' => true
       ));
     } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
       // mailbox user does exist, sync attribtues...
@@ -203,7 +204,8 @@ while (true) {
       mailbox('edit', 'mailbox_from_template', array(
         'username' => $user['email'],
         'name' => $user['firstName'] . " " . $user['lastName'],
-        'template' => $mbox_template
+        'template' => $mbox_template,
+        'hasAccess' => true
       ));
     } else {
       // skip mailbox user
@@ -212,7 +214,7 @@ while (true) {
 
     sleep(0.025);
   }
-  
+
   // Update the pagination variables for the next batch
   $start += $max;
   sleep(1);
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 75eddc7a1..da5533b39 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -159,7 +159,8 @@ foreach ($response as $user) {
       'local_part' => explode('@',  $user[$iam_settings['username_field']][0])[0],
       'name' => $user['displayname'][0],
       'authsource' => 'ldap',
-      'template' => $mbox_template
+      'template' => $mbox_template,
+      'hasAccess' => true
     ));
   } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
     // mailbox user does exist, sync attribtues...
@@ -167,7 +168,8 @@ foreach ($response as $user) {
     mailbox('edit', 'mailbox_from_template', array(
       'username' =>  $user[$iam_settings['username_field']][0],
       'name' => $user['displayname'][0],
-      'template' => $mbox_template
+      'template' => $mbox_template,
+      'hasAccess' => true
     ));
   } else {
     // skip mailbox user
diff --git a/data/web/inc/functions.acl.inc.php b/data/web/inc/functions.acl.inc.php
index ffce9f44c..ffc7408fe 100644
--- a/data/web/inc/functions.acl.inc.php
+++ b/data/web/inc/functions.acl.inc.php
@@ -1,5 +1,5 @@
 <?php
-function acl($_action, $_scope = null, $_data = null) {
+function acl($_action, $_scope = null, $_data = null, $_extra = null) {
   global $pdo;
   global $lang;
   $_data_log = $_data;
@@ -23,8 +23,8 @@ function acl($_action, $_scope = null, $_data = null) {
               $acl_post[$acl_val] = 1;
             }
             // Users cannot change their own ACL
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
-              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
+            if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
+              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -34,7 +34,7 @@ function acl($_action, $_scope = null, $_data = null) {
             }
             // Read all available acl options by calling acl(get)
             // Set all available acl options we cannot find in the post data to 0, else 1
-            $is_now = acl('get', 'user', $username);
+            $is_now = acl('get', 'user', $username, $_extra);
             if (!empty($is_now)) {
               foreach ($is_now as $acl_now_name => $acl_now_val) {
                 $set_acls[$acl_now_name] = (isset($acl_post[$acl_now_name])) ? 1 : 0;
@@ -130,7 +130,7 @@ function acl($_action, $_scope = null, $_data = null) {
     case 'get':
       switch ($_scope) {
         case 'user':
-          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           $stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 74cd6d956..83c0a32eb 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -467,7 +467,7 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
   $create_res = mailbox('add', 'mailbox_from_template', array(
     'domain' => explode('@', $user)[1],
     'local_part' => explode('@', $user)[0],
-    'name' => $user_res['firstName'] . " " . $user_res['lastName'],
+    'name' => $user_res['name'],
     'authsource' => 'keycloak',
     'template' => $iam_settings['templates'][$mapper_key]
   ));
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index dfe3a15ad..943d53e97 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2512,27 +2512,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       // check if email address is given
       if (empty($info['email'])) return false;
 
-      // token valid, get mailbox
-      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
-        INNER JOIN domain on mailbox.domain = domain.domain
-        WHERE `kind` NOT REGEXP 'location|thing|group'
-          AND `mailbox`.`active`='1'
-          AND `domain`.`active`='1'
-          AND `username` = :user
-          AND (`authsource`='keycloak' OR `authsource`='generic-oidc')");
-      $stmt->execute(array(':user' => $info['email']));
-      $row = $stmt->fetch(PDO::FETCH_ASSOC);
-      if ($row){
-        // success
-        set_user_loggedin_session($info['email']);
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
-          'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
-        );
-        return true;
-      }
-
       // get mapped template, if not set return false
       // also return false if no mappers were defined
       $user_template = $info['mailcow_template'];
@@ -2558,13 +2537,43 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return false;
       }
 
+
+      // token valid, get mailbox
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+        INNER JOIN domain on mailbox.domain = domain.domain
+        WHERE `kind` NOT REGEXP 'location|thing|group'
+          AND `mailbox`.`active`='1'
+          AND `domain`.`active`='1'
+          AND `username` = :user
+          AND (`authsource`='keycloak' OR `authsource`='generic-oidc')");
+      $stmt->execute(array(':user' => $info['email']));
+      $row = $stmt->fetch(PDO::FETCH_ASSOC);
+      if ($row){
+        // success
+        // update user
+        mailbox('edit', 'mailbox_from_template', array(
+          'username' => $info['email'],
+          'name' => $info['name'],
+          'template' => $iam_settings['templates'][$mapper_key],
+          'hasAccess' => true
+        ));
+        set_user_loggedin_session($info['email']);
+        $_SESSION['return'][] =  array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
+          'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
+        );
+        return true;
+      }
+
       // create mailbox
       $create_res = mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $info['email'])[1],
         'local_part' => explode('@', $info['email'])[0],
-        'name' => $info['firstName'] . " " . $info['lastName'],
+        'name' => $info['name'],
         'authsource' => $iam_settings['authsource'],
-        'template' => $iam_settings['templates'][$mapper_key]
+        'template' => $iam_settings['templates'][$mapper_key],
+        'hasAccess' => true
       ));
       if (!$create_res){
         clear_session();
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 1b5b577f8..5c8d50d41 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1045,7 +1045,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $password2 = '';
             $password_hashed = '';
           }
-          if (!$_extra['iam_create_login'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
+          if (!$_extra['hasAccess'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1101,7 +1101,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['iam_create_login']) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['hasAccess']) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1364,6 +1364,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
           $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
           $mbox_template_data['domain'] = $_data['domain'];
+          $mbox_template_data['name'] = $_data['name'];
           $mbox_template_data['local_part'] = $_data['local_part'];
           $mbox_template_data['authsource'] = $_data['authsource'];
           $mbox_template_data['attribute_hash'] = $attribute_hash;
@@ -1381,7 +1382,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             }
           }
 
-          return mailbox('add', 'mailbox', $mailbox_attributes, array('iam_create_login' => true));
+          return mailbox('add', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
         break;
         case 'resource':
           $domain             = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
@@ -1749,7 +1750,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $usernames = $_data['username'];
           }
-          if (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1" ) {
+          if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1")) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1758,7 +1759,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
-            if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
+            if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1766,7 +1767,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            $is_now = mailbox('get', 'tls_policy', $username);
+            $is_now = mailbox('get', 'tls_policy', $username, $_extra);
             if (!empty($is_now)) {
               $tls_enforce_in = (isset($_data['tls_enforce_in'])) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in'];
               $tls_enforce_out = (isset($_data['tls_enforce_out'])) ? intval($_data['tls_enforce_out']) : $is_now['tls_enforce_out'];
@@ -1803,7 +1804,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $usernames = $_data['username'];
           }
-          if (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1" ) {
+          if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1")) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1812,7 +1813,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
-            if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
+            if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1820,7 +1821,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            $is_now = mailbox('get', 'quarantine_notification', $username);
+            $is_now = mailbox('get', 'quarantine_notification', $username, $_extra);
             if (!empty($is_now)) {
               $quarantine_notification = (isset($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
             }
@@ -1862,7 +1863,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $usernames = $_data['username'];
           }
-          if (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1" ) {
+          if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1")) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1871,7 +1872,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
-            if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
+            if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1879,7 +1880,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            $is_now = mailbox('get', 'quarantine_category', $username);
+            $is_now = mailbox('get', 'quarantine_category', $username, $_extra);
             if (!empty($is_now)) {
               $quarantine_category = (isset($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category'];
             }
@@ -2923,7 +2924,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            $is_now = mailbox('get', 'mailbox_details', $username);
+            $is_now = mailbox('get', 'mailbox_details', $username, $_extra);
             if (isset($_data['protocol_access'])) {
               $_data['protocol_access'] = (array)$_data['protocol_access'];
               $_data['imap_access'] = (in_array('imap', $_data['protocol_access'])) ? 1 : 0;
@@ -2963,7 +2964,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               continue;
             }
             // if already 0 == ok
-            if ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) {
+            if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -2971,7 +2972,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               return false;
             }
-            if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+            if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -2998,7 +2999,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             }
             $extra_acls = array();
             if (isset($_data['extended_sender_acl'])) {
-              if (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1" ) {
+              if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1")) {
                 $_SESSION['return'][] = array(
                   'type' => 'danger',
                   'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -3493,7 +3494,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
-          $is_now = mailbox('get', 'mailbox_details', $_data['username']);
+          $is_now = mailbox('get', 'mailbox_details', $_data['username'], array('hasAccess' => $_data['hasAccess']));
           $name = ltrim(rtrim($_data['name'], '>'), '<');
           if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
             return true;
@@ -3529,19 +3530,20 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           $mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
-          $result = mailbox('edit', 'mailbox', $mailbox_attributes);
+          $result = mailbox('edit', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
           if ($result === false) return $result;
-          $result = mailbox('edit', 'tls_policy', $tls_attributes);
+          $result = mailbox('edit', 'tls_policy', $tls_attributes, array('hasAccess' => $_data['hasAccess']));
           if ($result === false) return $result;
-          $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes);
+          $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
           if ($result === false) return $result;
-          $result = mailbox('edit', 'quarantine_category', $quarantine_attributes);
+          $result = mailbox('edit', 'quarantine_category', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
           if ($result === false) return $result;
-          $result = ratelimit('edit', 'mailbox', $ratelimit_attributes);
+          $result = ratelimit('edit', 'mailbox', $ratelimit_attributes, array('hasAccess' => $_data['hasAccess']));
           if ($result === false) return $result;
-          $result = acl('edit', 'user', $acl_attributes);
+          $result = acl('edit', 'user', $acl_attributes, array('hasAccess' => $_data['hasAccess']));
           if ($result === false) return $result;
 
+          $_SESSION['return'] = array();
           return true;
         break;
         case 'mailbox_templates':
@@ -4077,7 +4079,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'tls_policy':
           $attrs = array();
           if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+            if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
               return false;
             }
           }
@@ -4096,7 +4098,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'quarantine_notification':
           $attrs = array();
           if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+            if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
               return false;
             }
           }
@@ -4112,7 +4114,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'quarantine_category':
           $attrs = array();
           if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+            if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data))) {
               return false;
             }
           }
@@ -4793,7 +4795,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
         break;
         case 'mailbox_details':
-          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           $mailboxdata = array();
@@ -4891,7 +4893,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             else if ($SaslLogs['service'] == 'pop3') {
               $last_pop3_login = strtotime($SaslLogs['datetime']);
             }
-			else if ($SaslLogs['service'] == 'SSO') {
+			      else if ($SaslLogs['service'] == 'SSO') {
               $last_sso_login = strtotime($SaslLogs['datetime']);
             }
           }
@@ -4904,7 +4906,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           if (!isset($last_pop3_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) {
             $last_pop3_login = 0;
           }
-		  if (!isset($last_sso_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) {
+		      if (!isset($last_sso_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) {
             $last_sso_login = 0;
           }
           $mailboxdata['last_imap_login'] = $last_imap_login;
@@ -4956,7 +4958,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           return $mailboxdata;
         break;
         case 'mailbox_templates':
-          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['iam_create_login']) {
+          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['hasAccess']) {
             return false;
           }
           $_data = (isset($_data)) ? intval($_data) : null;
diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index bc05cd362..c59accb54 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
   $_data_log = $_data;
   switch ($_action) {
     case 'edit':
-      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['iam_create_login']) {
+      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['hasAccess']) {
         $_SESSION['return'][] = array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -93,7 +93,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
               continue;
             }
             if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
-                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['iam_create_login']) {
+                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['hasAccess']) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),

From ccc8595665ea28ba92c3e6d66bd40b2d65890eca Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Sun, 1 Dec 2024 16:51:56 +0100
Subject: [PATCH 154/378] [SOGo] redirect to /user if unauthenticated

---
 data/conf/sogo/custom-sogo.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js
index e794372f0..1070efa40 100644
--- a/data/conf/sogo/custom-sogo.js
+++ b/data/conf/sogo/custom-sogo.js
@@ -2,7 +2,7 @@
 document.addEventListener('DOMContentLoaded', function () {
     var loginForm = document.forms.namedItem("loginForm");
     if (loginForm) {
-        window.location.href = '/';
+        window.location.href = '/user';
     }
 
     angularReady = false;
@@ -34,7 +34,7 @@ document.addEventListener('DOMContentLoaded', function () {
     function mcElementsExists() {
         if (document.getElementById("mc_backlink"))
             return true;
-        else 
+        else
             return false;
     }
     function addMCElements() {

From 6fa1c9f63df04b95a3e634f6b0fe417278c53ff3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Dec 2024 10:24:15 +0100
Subject: [PATCH 155/378] [Web] protect /get/identity-provider

---
 data/web/json_api.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index 4e9d2a0ed..36b39b0e6 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1707,8 +1707,13 @@ if (isset($_GET['query'])) {
             if ($score)
               $score = array("score" => preg_replace("/\s+/", "", $score));
             process_get_return($score);
-          case "identity_provider":
-            process_get_return($iam_settings);
+          break;
+          case "identity-provider":
+            if($_SESSION['mailcow_cc_role'] === 'admin') {
+              process_get_return($iam_settings);
+            } else {
+              process_get_return(null);
+            }
           break;
         break;
         // return no route found if no case is matched
@@ -2086,7 +2091,6 @@ if (isset($_GET['query'])) {
         break;
         case "cors":
           process_edit_return(cors('edit', $attr));
-        case "identity_provider":
         case "identity-provider":
           process_edit_return(identity_provider('edit', $attr));
         break;

From f36184df64eb6481c23a9fc11fd06569c62d118c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Dec 2024 10:35:45 +0100
Subject: [PATCH 156/378] [Web] update mailbox on idp login

---
 data/web/inc/functions.auth.inc.php | 50 ++++++++++++++++--------
 data/web/inc/functions.inc.php      | 59 ++++++++++++++---------------
 2 files changed, 63 insertions(+), 46 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 83c0a32eb..9bea24995 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -449,18 +449,26 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     return false;
   }
 
-  // get mapped template, if not set return false
-  // also return false if no mappers were defined
+  // get mapped template
   $user_template = $user_res['attributes']['mailcow_template'][0];
-  if ($create && (empty($iam_settings['mappers']) || !$user_template)){
-    return false;
-  } else if (!$create) {
-    // login success - dont create mailbox
+  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+
+  if (!$create) {
+    // login success
+    if ($mapper_key !== false) {
+      // update user
+      mailbox('edit', 'mailbox_from_template', array(
+        'username' => $user,
+        'name' => $user_res['name'],
+        'template' => $iam_settings['templates'][$mapper_key],
+        'hasAccess' => true
+      ));
+    }
     return 'user';
   }
 
   // check if matching attribute exist
-  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+  if (empty($iam_settings['mappers']) || !$user_template) return false;
   if ($mapper_key === false) return false;
 
   // create mailbox
@@ -469,7 +477,8 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     'local_part' => explode('@', $user)[0],
     'name' => $user_res['name'],
     'authsource' => 'keycloak',
-    'template' => $iam_settings['templates'][$mapper_key]
+    'template' => $iam_settings['templates'][$mapper_key],
+    'hasAccess' => true
   ));
   if (!$create_res) return false;
 
@@ -536,18 +545,26 @@ function ldap_mbox_login($user, $pass, $extra = null){
     return false;
   }
 
-  // get mapped template, if not set return false
-  // also return false if no mappers were defined
+  // get mapped template
   $user_template = $user_res[$iam_settings['attribute_field']][0];
-  if ($create && (empty($iam_settings['mappers']) || !$user_template)){
-    return false;
-  } else if (!$create) {
-    // login success - dont create mailbox
+  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+
+  if (!$create) {
+    // login success
+    if ($mapper_key !== false) {
+      // update user
+      mailbox('edit', 'mailbox_from_template', array(
+        'username' => $user,
+        'name' => $user_res['displayname'][0],
+        'template' => $iam_settings['templates'][$mapper_key],
+        'hasAccess' => true
+      ));
+    }
     return 'user';
   }
 
   // check if matching attribute exist
-  $mapper_key = array_search($user_template, $iam_settings['mappers']);
+  if (empty($iam_settings['mappers']) || !$user_template) return false;
   if ($mapper_key === false) return false;
 
   // create mailbox
@@ -556,7 +573,8 @@ function ldap_mbox_login($user, $pass, $extra = null){
     'local_part' => explode('@', $user)[0],
     'name' => $user_res['displayname'][0],
     'authsource' => 'ldap',
-    'template' => $iam_settings['templates'][$mapper_key]
+    'template' => $iam_settings['templates'][$mapper_key],
+    'hasAccess' => true
   ));
   if (!$create_res) return false;
 
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 943d53e97..dece39eef 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2512,31 +2512,9 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       // check if email address is given
       if (empty($info['email'])) return false;
 
-      // get mapped template, if not set return false
-      // also return false if no mappers were defined
+      // get mapped template
       $user_template = $info['mailcow_template'];
-      if (empty($iam_settings['mappers']) || empty($user_template)){
-        clear_session();
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $info['email']),
-          'msg' => array('login_failed', 'empty attribute mapping or missing template attribute')
-        );
-        return false;
-      }
-
-      // check if matching attribute exist
       $mapper_key = array_search($user_template, $iam_settings['mappers']);
-      if ($mapper_key === false) {
-        clear_session();
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $info['email']),
-          'msg' => array('login_failed', 'specified template not found')
-        );
-        return false;
-      }
-
 
       // token valid, get mailbox
       $stmt = $pdo->prepare("SELECT * FROM `mailbox`
@@ -2550,13 +2528,15 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
       if ($row){
         // success
-        // update user
-        mailbox('edit', 'mailbox_from_template', array(
-          'username' => $info['email'],
-          'name' => $info['name'],
-          'template' => $iam_settings['templates'][$mapper_key],
-          'hasAccess' => true
-        ));
+        if ($mapper_key !== false) {
+          // update user
+          mailbox('edit', 'mailbox_from_template', array(
+            'username' => $info['email'],
+            'name' => $info['name'],
+            'template' => $iam_settings['templates'][$mapper_key],
+            'hasAccess' => true
+          ));
+        }
         set_user_loggedin_session($info['email']);
         $_SESSION['return'][] =  array(
           'type' => 'success',
@@ -2566,6 +2546,25 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return true;
       }
 
+      if (empty($iam_settings['mappers']) || empty($user_template)){
+        clear_session();
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $info['email']),
+          'msg' => array('login_failed', 'empty attribute mapping or missing template attribute')
+        );
+        return false;
+      }
+      if ($mapper_key === false) {
+        clear_session();
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $info['email']),
+          'msg' => array('login_failed', 'specified template not found')
+        );
+        return false;
+      }
+
       // create mailbox
       $create_res = mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $info['email'])[1],

From 83e53eb524c816b9b99209bb1a5000ea8821b9e1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Dec 2024 11:55:17 +0100
Subject: [PATCH 157/378] [Web] fix incomplete session on broken logins

---
 data/web/inc/functions.inc.php | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index dece39eef..711bd5787 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2498,8 +2498,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
 
       try {
         $token = $iam_provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
-        $_SESSION['iam_token'] = $token->getToken();
-        $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
+        $plain_token = $token->getToken();
+        $plain_refreshtoken = $token->getRefreshToken();
         $info = $iam_provider->getResourceOwner($token)->toArray();
       } catch (Throwable $e) {
         $_SESSION['return'][] =  array(
@@ -2538,6 +2538,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           ));
         }
         set_user_loggedin_session($info['email']);
+        $_SESSION['iam_token'] = $plain_token;
+        $_SESSION['iam_refresh_token'] = $plain_refreshtoken;
         $_SESSION['return'][] =  array(
           'type' => 'success',
           'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@@ -2585,6 +2587,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
 
       set_user_loggedin_session($info['email']);
+      $_SESSION['iam_token'] = $plain_token;
+      $_SESSION['iam_refresh_token'] = $plain_refreshtoken;
       $_SESSION['return'][] =  array(
         'type' => 'success',
         'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@@ -2595,8 +2599,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
     case "refresh-token":
       try {
         $token = $iam_provider->getAccessToken('refresh_token', ['refresh_token' => $_SESSION['iam_refresh_token']]);
-        $_SESSION['iam_token'] = $token->getToken();
-        $_SESSION['iam_refresh_token'] = $token->getRefreshToken();
+        $plain_token = $token->getToken();
+        $plain_refreshtoken = $token->getRefreshToken();
         $info = $iam_provider->getResourceOwner($token)->toArray();
       } catch (Throwable $e) {
         clear_session();
@@ -2618,8 +2622,9 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return false;
       }
 
-      $_SESSION['mailcow_cc_username'] = $info['email'];
-      $_SESSION['mailcow_cc_role'] = "user";
+      set_user_loggedin_session($info['email']);
+      $_SESSION['iam_token'] = $plain_token;
+      $_SESSION['iam_refresh_token'] = $plain_refreshtoken;
       return true;
     break;
     case "get-redirect":

From 896a9638d6b55c15081a8ca0ee172797988640e5 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 2 Dec 2024 14:16:43 +0100
Subject: [PATCH 158/378] Fix mailcowauth

---
 data/conf/dovecot/auth/mailcowauth.php   | 23 +++++++++++++++++++++--
 data/web/inc/functions.ratelimit.inc.php |  8 ++++----
 docker-compose.yml                       |  1 +
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 6d7660577..4f10ed535 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -22,6 +22,24 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 }
 require_once '../../../web/inc/lib/vendor/autoload.php';
 
+
+// Init Redis
+$redis = new Redis();
+try {
+  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  }
+  else {
+    $redis->connect('redis-mailcow', 6379);
+  }
+}
+catch (Exception $e) {
+  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+  http_response_code(500); // Internal Server Error
+  echo json_encode($return);
+  exit;
+}
+
 // Init database
 $dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
 $opt = [
@@ -44,6 +62,8 @@ require_once 'functions.inc.php';
 require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
 require_once 'functions.mailbox.inc.php';
+require_once 'functions.ratelimit.inc.php';
+require_once 'functions.acl.inc.php';
 
 
 $isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
@@ -69,8 +89,7 @@ if ($result === false){
   // Init Identity Provider
   $iam_provider = identity_provider('init');
   $iam_settings = identity_provider('get');
-  error_log('MAILCOWAUTH Try: User auth for user ' . $post['username']);
-  $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+  $result = user_login($post['username'], $post['password'], array('is_internal' => true));
   if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 }
 
diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index c59accb54..5779ad77c 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
               );
               continue;
             }
-            if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
-                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['hasAccess']) {
+            if (((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
+                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) && !$_extra['hasAccess']) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -139,7 +139,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
     case 'get':
       switch ($_scope) {
         case 'domain':
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) && !$_extra['hasAccess']) {
             return false;
           }
           try {
@@ -164,7 +164,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
           return false;
         break;
         case 'mailbox':
-          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)
+          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data && !$_extra['hasAccess'])
             || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
             return false;
           }
diff --git a/docker-compose.yml b/docker-compose.yml
index a55f0c02c..85395b645 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -127,6 +127,7 @@ services:
         - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
         - ./data/web/inc/functions.mailbox.inc.php:/mailcowauth/functions.mailbox.inc.php:z
         - ./data/web/inc/functions.ratelimit.inc.php:/mailcowauth/functions.ratelimit.inc.php:z
+        - ./data/web/inc/functions.acl.inc.php:/mailcowauth/functions.acl.inc.php:z
         - rspamd-vol-1:/var/lib/rspamd
         - mysql-socket-vol-1:/var/run/mysqld/
         - ./data/conf/sogo/:/etc/sogo/:z

From 1d6513ffbabdde974bca853d15f4ecd889111c09 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 4 Dec 2024 14:49:31 +0100
Subject: [PATCH 159/378] [Web] fix idp login alerts and updates

---
 data/web/inc/functions.auth.inc.php    | 10 ++++++++--
 data/web/inc/functions.mailbox.inc.php | 22 ++++++++++++++--------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 9bea24995..f9d82f1ad 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -480,7 +480,10 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     'template' => $iam_settings['templates'][$mapper_key],
     'hasAccess' => true
   ));
-  if (!$create_res) return false;
+  if (!$create_res){
+    clear_session();
+    return false;
+  }
 
   return 'user';
 }
@@ -576,7 +579,10 @@ function ldap_mbox_login($user, $pass, $extra = null){
     'template' => $iam_settings['templates'][$mapper_key],
     'hasAccess' => true
   ));
-  if (!$create_res) return false;
+  if (!$create_res){
+    clear_session();
+    return false;
+  }
 
   return 'user';
 }
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 5c8d50d41..cd62d5d7c 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1075,6 +1075,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $quarantine_category = (isset($_data['quarantine_category'])) ? strval($_data['quarantine_category']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
           $quota_b    = ($quota_m * 1048576);
           $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
+          if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
+            $force_pw_update = 0;
+          }
           $mailbox_attrs = json_encode(
             array(
               'force_pw_update' => strval($force_pw_update),
@@ -2935,12 +2938,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             if (!empty($is_now)) {
               $active               = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
               (int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
-              (int)$sogo_access     = (isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
-              (int)$imap_access     = (isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
-              (int)$pop3_access     = (isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
-              (int)$smtp_access     = (isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
-              (int)$sieve_access    = (isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
-              (int)$relayhost       = (isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
+              (int)$sogo_access     = ((isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
+              (int)$imap_access     = ((isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
+              (int)$pop3_access     = ((isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
+              (int)$smtp_access     = ((isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
+              (int)$sieve_access    = ((isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
+              (int)$relayhost       = ((isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") || $_extra['hasAccess']) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
               (int)$quota_m         = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
               $name                 = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
               $domain               = $is_now['domain'];
@@ -2953,6 +2956,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap'))){
                 $authsource = $_data['authsource'];
               }
+              if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
+                $force_pw_update = 0;
+              }
               $pw_recovery_email    = (isset($_data['pw_recovery_email']) && $authsource == 'mailcow') ? $_data['pw_recovery_email'] : $is_now['attributes']['recovery_email'];
             }
             else {
@@ -2980,7 +2986,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            $DomainData = mailbox('get', 'domain_details', $domain);
+            $DomainData = mailbox('get', 'domain_details', $domain, $_extra);
             if ($quota_m > ($is_now['max_new_quota'] / 1048576)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
@@ -4629,7 +4635,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'domain_details':
           $domaindata = array();
           $_data = idn_to_ascii(strtolower(trim($_data)), 0, INTL_IDNA_VARIANT_UTS46);
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` =  :domain");

From bbddfc3eabf3696b0a5e4fe6bf4dedf0d6b9d48b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 5 Dec 2024 15:21:07 +0100
Subject: [PATCH 160/378] [Web] rearrange login buttons

---
 data/web/css/build/014-mailcow.css | 56 +++++++++++++++++++++---------
 data/web/lang/lang.cs-cz.json      |  2 +-
 data/web/lang/lang.da-dk.json      |  2 +-
 data/web/lang/lang.de-de.json      |  2 +-
 data/web/lang/lang.en-gb.json      |  4 +--
 data/web/lang/lang.fr-fr.json      |  2 +-
 data/web/lang/lang.it-it.json      |  2 +-
 data/web/lang/lang.lt-lt.json      |  2 +-
 data/web/lang/lang.lv-lv.json      |  2 +-
 data/web/lang/lang.nl-nl.json      |  2 +-
 data/web/lang/lang.pt-br.json      |  2 +-
 data/web/lang/lang.ro-ro.json      |  2 +-
 data/web/lang/lang.ru-ru.json      |  2 +-
 data/web/lang/lang.sk-sk.json      |  2 +-
 data/web/lang/lang.sv-se.json      |  2 +-
 data/web/lang/lang.tr-tr.json      |  2 +-
 data/web/lang/lang.uk-ua.json      |  2 +-
 data/web/lang/lang.zh-cn.json      |  2 +-
 data/web/lang/lang.zh-tw.json      |  2 +-
 data/web/templates/index.twig      | 20 +++++------
 20 files changed, 67 insertions(+), 47 deletions(-)

diff --git a/data/web/css/build/014-mailcow.css b/data/web/css/build/014-mailcow.css
index d1d6ac45d..3e1ace79d 100644
--- a/data/web/css/build/014-mailcow.css
+++ b/data/web/css/build/014-mailcow.css
@@ -81,7 +81,7 @@ body {
   align-items: center;
   padding: 0 10px !important;
 }
-.navbar-fixed-bottom .navbar-collapse, 
+.navbar-fixed-bottom .navbar-collapse,
 .navbar-fixed-top .navbar-collapse {
   max-height: 1000px
 }
@@ -143,18 +143,18 @@ body {
   }
 }
 @keyframes blink {
-  50% { 
-    color: transparent 
+  50% {
+    color: transparent
   }
 }
-.loader-dot { 
-  animation: 1s blink infinite 
+.loader-dot {
+  animation: 1s blink infinite
 }
-.loader-dot:nth-child(2) { 
-  animation-delay: 250ms 
+.loader-dot:nth-child(2) {
+  animation-delay: 250ms
 }
-.loader-dot:nth-child(3) { 
-  animation-delay: 500ms 
+.loader-dot:nth-child(3) {
+  animation-delay: 500ms
 }
 
 pre{white-space:pre-wrap;white-space:-moz-pre-wrap;white-space:-o-pre-wrap;word-wrap:break-word;}
@@ -220,13 +220,13 @@ legend {
 }
 .haveibeenpwned {
   cursor: pointer;
-  -webkit-user-select: none;  
-  -moz-user-select: none;    
-  -ms-user-select: none;      
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
   user-select: none;
 }
 .full-width-select {
-  width: 100%!important;  
+  width: 100%!important;
 }
 .tooltip {
   font-family: inherit;
@@ -350,7 +350,7 @@ code {
 .caret {
   transform: rotate(0deg);
 }
-a[aria-expanded='true'] > .caret, 
+a[aria-expanded='true'] > .caret,
 button[aria-expanded='true'] > .caret {
   transform: rotate(-180deg);
 }
@@ -360,7 +360,7 @@ button[aria-expanded='true'] > .caret {
 }
 .list-group-header {
   background: #f7f7f7;
-} 
+}
 
 
 .bg-primary, .alert-primary, .btn-primary {
@@ -387,12 +387,12 @@ button[aria-expanded='true'] > .caret {
 }
 .btn.btn-outline-secondary {
   color: #000000 !important;
-  border-color: #cfcfcf !important;  
+  border-color: #cfcfcf !important;
 }
 .btn-check:checked+.btn-outline-secondary, .btn-check:active+.btn-outline-secondary, .btn-outline-secondary:active, .btn-outline-secondary.active, .btn-outline-secondary.dropdown-toggle.show {
     background-color: #f0f0f0 !important;
 }
-.btn-check:checked+.btn-light, .btn-check:active+.btn-light, .btn-light:active, .btn-light.active, .show>.btn-light.dropdown-toggle {    
+.btn-check:checked+.btn-light, .btn-check:active+.btn-light, .btn-light:active, .btn-light.active, .show>.btn-light.dropdown-toggle {
     color: #fff;
     background-color: #555;
     background-image: none;
@@ -410,4 +410,26 @@ button[aria-expanded='true'] > .caret {
 .badge.bg-danger > a {
     color: #fff !important;
     text-decoration: none;
+}
+
+.hr-title {
+  display: flex;
+  align-items: center;
+  text-align: center;
+  margin: 20px 0;
+}
+
+.hr-title::before,
+.hr-title::after {
+  content: "";
+  flex: 1;
+  border-bottom: 1px solid #ccc;
+}
+
+.hr-title:not(:empty)::before {
+  margin-right: 10px;
+}
+
+.hr-title:not(:empty)::after {
+  margin-left: 10px;
 }
\ No newline at end of file
diff --git a/data/web/lang/lang.cs-cz.json b/data/web/lang/lang.cs-cz.json
index d28132721..7a337eff0 100644
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -747,7 +747,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Přihlásit",
         "mobileconfig_info": "Ke stažení profilového souboru se přihlaste jako uživatel schránky.",
-        "other_logins": "Přihlášení klíčem",
+        "other_logins": "nebo přihlásit s",
         "password": "Heslo",
         "username": "Uživatelské jméno",
         "back_to_mailcow": "Zpět do mailcow",
diff --git a/data/web/lang/lang.da-dk.json b/data/web/lang/lang.da-dk.json
index 95db916ef..c5605f758 100644
--- a/data/web/lang/lang.da-dk.json
+++ b/data/web/lang/lang.da-dk.json
@@ -604,7 +604,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Login",
         "mobileconfig_info": "Log ind som postkassebruger for at downloade den anmodede Apple-forbindelsesprofil.",
-        "other_logins": "Nøgle login",
+        "other_logins": "eller log ind med",
         "password": "Adgangskode",
         "username": "Brugernavn"
     },
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index dac01d4e2..17eb800d8 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -772,7 +772,7 @@
         "mobileconfig_info": "Bitte als Mailbox-Benutzer einloggen, um das Verbindungsprofil herunterzuladen.",
         "new_password": "Neues Passwort",
         "new_password_confirm": "Neues Passwort bestätigen",
-        "other_logins": "Key Login",
+        "other_logins": "oder anmelden mit",
         "password": "Passwort",
         "reset_password": "Passwort zurücksetzen",
         "request_reset_password": "Passwortänderung anfordern",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index c9a7f9dfa..6ef6193bb 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -235,7 +235,7 @@
         "iam_redirect_url": "Redirect Url",
         "iam_rest_flow": "Mailpassword Flow",
         "iam_server_url": "Server Url",
-        "iam_sso": "SSO",
+        "iam_sso": "Single Sign-On",
         "iam_sync_interval": "Sync / Import interval (min)",
         "iam_test_connection": "Test Connection",
         "iam_token_url": "Token endpoint",
@@ -810,7 +810,7 @@
         "mobileconfig_info": "Please login as mailbox user to download the requested Apple connection profile.",
         "new_password": "New Password",
         "new_password_confirm": "Confirm new password",
-        "other_logins": "Key login",
+        "other_logins": "or login with",
         "password": "Password",
         "reset_password": "Reset Password",
         "request_reset_password": "Request password change",
diff --git a/data/web/lang/lang.fr-fr.json b/data/web/lang/lang.fr-fr.json
index 386a4dfc6..0fdb86fa5 100644
--- a/data/web/lang/lang.fr-fr.json
+++ b/data/web/lang/lang.fr-fr.json
@@ -695,7 +695,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Connexion",
         "mobileconfig_info": "Veuillez vous connecter en tant qu’utilisateur de la boîte de réception pour télécharger le profil de connexion Apple demandé.",
-        "other_logins": "Clé d'authentification",
+        "other_logins": "ou se connecter avec",
         "password": "Mot de passe",
         "username": "Nom d'utilisateur",
         "back_to_mailcow": "Revenir sur mailcow",
diff --git a/data/web/lang/lang.it-it.json b/data/web/lang/lang.it-it.json
index 45fabc8eb..845dea5db 100644
--- a/data/web/lang/lang.it-it.json
+++ b/data/web/lang/lang.it-it.json
@@ -712,7 +712,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Login",
         "mobileconfig_info": "Please login as mailbox user to download the requested Apple connection profile.",
-        "other_logins": "Key login",
+        "other_logins": "o accedi con",
         "password": "Password",
         "username": "Nome utente",
         "request_reset_password": "Richiesta di modifica della password",
diff --git a/data/web/lang/lang.lt-lt.json b/data/web/lang/lang.lt-lt.json
index f5413b1a9..78e48ea13 100644
--- a/data/web/lang/lang.lt-lt.json
+++ b/data/web/lang/lang.lt-lt.json
@@ -251,7 +251,7 @@
     "login": {
         "fido2_webauthn": "FIDO2/WebAuthn Prisijungimas",
         "login": "Prisijungti",
-        "other_logins": "Prisijungimas raktu",
+        "other_logins": "ar prisijungti su",
         "password": "Slaptažodis",
         "username": "Naudotojo vardas",
         "mobileconfig_info": "Prašome prisijungti kaip pašto dėžutės vartotojui, kad galėtumėte atsisiųsti pageidaujamą „Apple“ ryšio profilį."
diff --git a/data/web/lang/lang.lv-lv.json b/data/web/lang/lang.lv-lv.json
index 98cb04ae8..7d41e325e 100644
--- a/data/web/lang/lang.lv-lv.json
+++ b/data/web/lang/lang.lv-lv.json
@@ -333,7 +333,7 @@
         "username": "Lietotājvārds",
         "fido2_webauthn": "FIDO/WebAuthn pieteikšanās",
         "mobileconfig_info": "Lūgums pieteikties kā pastkastes lietotājam, lai lejupielādētu pieprasīto Apple savienojuma profilu.",
-        "other_logins": "Pieteikšanās ar atslēgu"
+        "other_logins": "vai pieslēgties ar"
     },
     "mailbox": {
         "action": "Rīcība",
diff --git a/data/web/lang/lang.nl-nl.json b/data/web/lang/lang.nl-nl.json
index fdfc91c70..6775f4b3d 100644
--- a/data/web/lang/lang.nl-nl.json
+++ b/data/web/lang/lang.nl-nl.json
@@ -663,7 +663,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Aanmelden",
         "mobileconfig_info": "Log in als mailboxgebruiker om het Apple-verbindingsprofiel te downloaden.",
-        "other_logins": "Meld aan met key",
+        "other_logins": "of aanmelden met",
         "password": "Wachtwoord",
         "username": "Gebruikersnaam"
     },
diff --git a/data/web/lang/lang.pt-br.json b/data/web/lang/lang.pt-br.json
index 2fbd43535..8bdf25345 100644
--- a/data/web/lang/lang.pt-br.json
+++ b/data/web/lang/lang.pt-br.json
@@ -765,7 +765,7 @@
         "mobileconfig_info": "Faça login como usuário da mailbox para baixar o perfil de conexão Apple solicitado.",
         "new_password": "Nova senha",
         "new_password_confirm": "Confirmar nova senha",
-        "other_logins": "Login com chave",
+        "other_logins": "ou faça login com",
         "password": "Senha",
         "reset_password": "Recuperar a senha",
         "request_reset_password": "Solicitar troca de senha",
diff --git a/data/web/lang/lang.ro-ro.json b/data/web/lang/lang.ro-ro.json
index a33356f78..a3779c052 100644
--- a/data/web/lang/lang.ro-ro.json
+++ b/data/web/lang/lang.ro-ro.json
@@ -677,7 +677,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Autentificare",
         "mobileconfig_info": "Autentificați-vă cu adresa de email pentru a descărca profilul de conexiune Apple.",
-        "other_logins": "Autentificare cu cheie",
+        "other_logins": "sau autentificare cu",
         "password": "Parolă",
         "username": "Nume de utilizator"
     },
diff --git a/data/web/lang/lang.ru-ru.json b/data/web/lang/lang.ru-ru.json
index f64664aa7..63f65e23f 100644
--- a/data/web/lang/lang.ru-ru.json
+++ b/data/web/lang/lang.ru-ru.json
@@ -770,7 +770,7 @@
         "mobileconfig_info": "Пожалуйста, войдите в систему как пользователь почтового аккаунта для загрузки профиля подключения Apple.",
         "new_password": "Новый пароль",
         "new_password_confirm": "Повторите новый пароль",
-        "other_logins": "Вход с помощью ключа",
+        "other_logins": "или войти с",
         "password": "Пароль",
         "request_reset_password": "Запросить восстановление пароля",
         "reset_password": "Восстановление пароля",
diff --git a/data/web/lang/lang.sk-sk.json b/data/web/lang/lang.sk-sk.json
index 2950026b3..078dac8ff 100644
--- a/data/web/lang/lang.sk-sk.json
+++ b/data/web/lang/lang.sk-sk.json
@@ -707,7 +707,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Prihlásenie",
         "mobileconfig_info": "Prosím, prihláste sa ako mailový používateľ pre stiahnutie požadovaného Apple profilu.",
-        "other_logins": "Prihlásenie kľúčom",
+        "other_logins": "alebo prihlásiť sa s",
         "password": "Heslo",
         "username": "Používateľské meno alebo email"
     },
diff --git a/data/web/lang/lang.sv-se.json b/data/web/lang/lang.sv-se.json
index bbf0d9586..79a5192ca 100644
--- a/data/web/lang/lang.sv-se.json
+++ b/data/web/lang/lang.sv-se.json
@@ -621,7 +621,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Logga in",
         "mobileconfig_info": "Logga in som en användare av brevlåda för att ladda ner den begärda Apple-anslutningsprofilen.",
-        "other_logins": "Loggain med nyckel",
+        "other_logins": "eller logga in med",
         "password": "Lösenord",
         "username": "Användarnamn"
     },
diff --git a/data/web/lang/lang.tr-tr.json b/data/web/lang/lang.tr-tr.json
index 7049046c2..269e95ea1 100644
--- a/data/web/lang/lang.tr-tr.json
+++ b/data/web/lang/lang.tr-tr.json
@@ -895,7 +895,7 @@
         "login": "Giriş",
         "password": "Şifre",
         "username": "Kullanıcı Adı",
-        "other_logins": "Anahtar girişi"
+        "other_logins": "veya ile giriş yap"
     },
     "success": {
         "bcc_saved": "BCC harita girişi kaydedildi",
diff --git a/data/web/lang/lang.uk-ua.json b/data/web/lang/lang.uk-ua.json
index e800b0fd5..8688c823f 100644
--- a/data/web/lang/lang.uk-ua.json
+++ b/data/web/lang/lang.uk-ua.json
@@ -722,7 +722,7 @@
     "login": {
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Увійти",
-        "other_logins": "Вхід за допомогою ключа",
+        "other_logins": "або увійти з",
         "password": "Пароль",
         "username": "Ім'я користувача",
         "delayed": "Вхід був затриманий на %s секунд.",
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 368056f5d..28b1ca26d 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -738,7 +738,7 @@
         "fido2_webauthn": "使用 FIDO2/WebAuthn Login 登录",
         "login": "登录",
         "mobileconfig_info": "请使用邮箱用户登录以下载 Apple 连接描述文件。",
-        "other_logins": "Key 登录",
+        "other_logins": "或通过以下方式登录",
         "password": "密码",
         "username": "用户名",
         "forgot_password": "> 忘记密码？",
diff --git a/data/web/lang/lang.zh-tw.json b/data/web/lang/lang.zh-tw.json
index abb75a868..25e3d8fb0 100644
--- a/data/web/lang/lang.zh-tw.json
+++ b/data/web/lang/lang.zh-tw.json
@@ -731,7 +731,7 @@
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "登入",
         "mobileconfig_info": "請使用信箱使用者登入以下載 Apple 連接描述檔案。",
-        "other_logins": "金鑰登入",
+        "other_logins": "或透過以下方式登入",
         "password": "密碼",
         "username": "使用者名稱",
         "back_to_mailcow": "返回至mailcow",
diff --git a/data/web/templates/index.twig b/data/web/templates/index.twig
index b4175a0f2..07274e6bd 100644
--- a/data/web/templates/index.twig
+++ b/data/web/templates/index.twig
@@ -41,16 +41,7 @@
             </div>
           </div>
           <div class="d-flex justify-content-between mt-4" style="position: relative">
-            <div class="btn-group">
-              <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
-              <button type="button" class="btn btn-xs-lg btn-success dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"></button>
-              <ul class="dropdown-menu">
-                <li><a class="dropdown-item" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a></li>
-                {% if has_iam_sso %}
-                <li><a class="dropdown-item" href="/?iam_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a></li>
-                {% endif %}
-              </ul>
-            </div>
+            <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
             {% if not oauth2_request %}
             <div class="d-grid d-sm-block">
             <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="btn btn-secondary ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
@@ -69,9 +60,16 @@
             {% endif %}
           </div>
         </form>
-        <div class="mt-3 mb-4">
+        <div class="mt-3">
           <a href="/reset-password">{{ lang.login.forgot_password }}</a>
         </div>
+        <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
+        <div class="d-flex flex-column align-items-center">
+          <a class="btn btn-xs-lg btn-secondary w-100" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
+          {% if has_iam_sso %}
+          <a class="btn btn-xs-lg btn-secondary w-100 mt-2" style="max-width: 400px;" href="/?iam_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a>
+          {% endif %}
+        </div>
         {% if login_delay %}
         <p><div class="my-4 alert alert-info">{{ lang.login.delayed|format(login_delay) }}</b></div></p>
         {% endif %}

From c9dd102741da085f057b7f4bfcd9e308e591bc7a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 6 Dec 2024 12:55:44 +0100
Subject: [PATCH 161/378] [Dovecot] use auth_cache

---
 data/conf/dovecot/dovecot.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index b6f7318c9..e6744ee40 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -53,7 +53,7 @@ mail_shared_explicit_inbox = yes
 mail_prefetch_count = 30
 passdb {
   driver = lua
-  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%u:%w
   result_success = return-ok
   result_failure = continue
   result_internalfail = continue
@@ -125,6 +125,7 @@ service managesieve-login {
 }
 service imap-login {
   service_count = 1
+  process_min_avail = 2
   process_limit = 10000
   vsz_limit = 1G
   user = dovenull
@@ -140,6 +141,7 @@ service imap-login {
 }
 service pop3-login {
   service_count = 1
+  process_min_avail = 1
   vsz_limit = 1G
   inet_listener pop3_haproxy {
     port = 10110
@@ -274,10 +276,10 @@ service stats {
   }
 }
 imap_max_line_length = 2 M
-#auth_cache_verify_password_with_worker = yes
-#auth_cache_negative_ttl = 0
-#auth_cache_ttl = 30 s
-#auth_cache_size = 2 M
+auth_cache_verify_password_with_worker = yes
+auth_cache_negative_ttl = 60s
+auth_cache_ttl = 300s
+auth_cache_size = 10M
 service replicator {
   process_min_avail = 1
 }

From 69b03791a2987ee8a18c16aaf5d5bfb79c09a49f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 9 Dec 2024 13:54:44 +0100
Subject: [PATCH 162/378] Add missing Redis authentication

---
 data/conf/dovecot/auth/mailcowauth.php   | 1 +
 data/conf/phpfpm/crons/keycloak-sync.php | 1 +
 data/conf/phpfpm/crons/ldap-sync.php     | 1 +
 3 files changed, 3 insertions(+)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 4f10ed535..fc17df724 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -32,6 +32,7 @@ try {
   else {
     $redis->connect('redis-mailcow', 6379);
   }
+  $redis->auth(getenv("REDISPASS"));
 }
 catch (Exception $e) {
   error_log("MAILCOWAUTH: " . $e . PHP_EOL);
diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index a7e46c4fd..f6d92266f 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -32,6 +32,7 @@ try {
   else {
     $redis->connect('redis-mailcow', 6379);
   }
+  $redis->auth(getenv("REDISPASS"));
 }
 catch (Exception $e) {
   echo "Exiting: " . $e->getMessage();
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index da5533b39..87f2dddb9 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -32,6 +32,7 @@ try {
   else {
     $redis->connect('redis-mailcow', 6379);
   }
+  $redis->auth(getenv("REDISPASS"));
 }
 catch (Exception $e) {
   echo "Exiting: " . $e->getMessage();

From 8048e0a53c793ed587cba0b5ee5eadb80efed88e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 15 Jan 2025 12:48:10 +0100
Subject: [PATCH 163/378] [Web] Fix permission exception in IdP actions

---
 data/conf/phpfpm/crons/keycloak-sync.php |  8 +--
 data/conf/phpfpm/crons/ldap-sync.php     |  8 +--
 data/web/inc/functions.acl.inc.php       |  6 +--
 data/web/inc/functions.auth.inc.php      | 20 +++++---
 data/web/inc/functions.inc.php           | 33 ++++++++++---
 data/web/inc/functions.mailbox.inc.php   | 62 ++++++++++++------------
 data/web/inc/functions.ratelimit.inc.php | 10 ++--
 data/web/inc/sessions.inc.php            |  2 +
 8 files changed, 88 insertions(+), 61 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index f6d92266f..98010648b 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -188,6 +188,7 @@ while (true) {
       continue;
     }
 
+    $_SESSION['access_all_exception'] = '1';
     if (!$row && intval($iam_settings['import_users']) == 1){
       // mailbox user does not exist, create...
       logMsg("info", "Creating user " . $user['email']);
@@ -196,8 +197,7 @@ while (true) {
         'local_part' => explode('@', $user['email'])[0],
         'name' => $user['firstName'] . " " . $user['lastName'],
         'authsource' => 'keycloak',
-        'template' => $mbox_template,
-        'hasAccess' => true
+        'template' => $mbox_template
       ));
     } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
       // mailbox user does exist, sync attribtues...
@@ -205,13 +205,13 @@ while (true) {
       mailbox('edit', 'mailbox_from_template', array(
         'username' => $user['email'],
         'name' => $user['firstName'] . " " . $user['lastName'],
-        'template' => $mbox_template,
-        'hasAccess' => true
+        'template' => $mbox_template
       ));
     } else {
       // skip mailbox user
       logMsg("info", "Skipping user " . $user['email']);
     }
+    $_SESSION['access_all_exception'] = '0';
 
     sleep(0.025);
   }
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 87f2dddb9..8f7a08bf5 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -152,6 +152,7 @@ foreach ($response as $user) {
     continue;
   }
 
+  $_SESSION['access_all_exception'] = '1';
   if (!$row && intval($iam_settings['import_users']) == 1){
     // mailbox user does not exist, create...
     logMsg("info", "Creating user " .  $user[$iam_settings['username_field']][0]);
@@ -160,8 +161,7 @@ foreach ($response as $user) {
       'local_part' => explode('@',  $user[$iam_settings['username_field']][0])[0],
       'name' => $user['displayname'][0],
       'authsource' => 'ldap',
-      'template' => $mbox_template,
-      'hasAccess' => true
+      'template' => $mbox_template
     ));
   } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
     // mailbox user does exist, sync attribtues...
@@ -169,13 +169,13 @@ foreach ($response as $user) {
     mailbox('edit', 'mailbox_from_template', array(
       'username' =>  $user[$iam_settings['username_field']][0],
       'name' => $user['displayname'][0],
-      'template' => $mbox_template,
-      'hasAccess' => true
+      'template' => $mbox_template
     ));
   } else {
     // skip mailbox user
     logMsg("info", "Skipping user " .  $user[$iam_settings['username_field']][0]);
   }
+  $_SESSION['access_all_exception'] = '0';
 
   sleep(0.025);
 }
diff --git a/data/web/inc/functions.acl.inc.php b/data/web/inc/functions.acl.inc.php
index ffc7408fe..dde9b1236 100644
--- a/data/web/inc/functions.acl.inc.php
+++ b/data/web/inc/functions.acl.inc.php
@@ -23,8 +23,8 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
               $acl_post[$acl_val] = 1;
             }
             // Users cannot change their own ACL
-            if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
-              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
+              || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -130,7 +130,7 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
     case 'get':
       switch ($_scope) {
         case 'user':
-          if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           $stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index f9d82f1ad..62329e305 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -457,12 +457,13 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     // login success
     if ($mapper_key !== false) {
       // update user
+      $_SESSION['access_all_exception'] = '1';
       mailbox('edit', 'mailbox_from_template', array(
         'username' => $user,
         'name' => $user_res['name'],
-        'template' => $iam_settings['templates'][$mapper_key],
-        'hasAccess' => true
+        'template' => $iam_settings['templates'][$mapper_key]
       ));
+      $_SESSION['access_all_exception'] = '0';
     }
     return 'user';
   }
@@ -472,14 +473,15 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
   if ($mapper_key === false) return false;
 
   // create mailbox
+  $_SESSION['access_all_exception'] = '1';
   $create_res = mailbox('add', 'mailbox_from_template', array(
     'domain' => explode('@', $user)[1],
     'local_part' => explode('@', $user)[0],
     'name' => $user_res['name'],
     'authsource' => 'keycloak',
-    'template' => $iam_settings['templates'][$mapper_key],
-    'hasAccess' => true
+    'template' => $iam_settings['templates'][$mapper_key]
   ));
+  $_SESSION['access_all_exception'] = '0';
   if (!$create_res){
     clear_session();
     return false;
@@ -556,12 +558,13 @@ function ldap_mbox_login($user, $pass, $extra = null){
     // login success
     if ($mapper_key !== false) {
       // update user
+      $_SESSION['access_all_exception'] = '1';
       mailbox('edit', 'mailbox_from_template', array(
         'username' => $user,
         'name' => $user_res['displayname'][0],
-        'template' => $iam_settings['templates'][$mapper_key],
-        'hasAccess' => true
+        'template' => $iam_settings['templates'][$mapper_key]
       ));
+      $_SESSION['access_all_exception'] = '0';
     }
     return 'user';
   }
@@ -571,14 +574,15 @@ function ldap_mbox_login($user, $pass, $extra = null){
   if ($mapper_key === false) return false;
 
   // create mailbox
+  $_SESSION['access_all_exception'] = '1';
   $create_res = mailbox('add', 'mailbox_from_template', array(
     'domain' => explode('@', $user)[1],
     'local_part' => explode('@', $user)[0],
     'name' => $user_res['displayname'][0],
     'authsource' => 'ldap',
-    'template' => $iam_settings['templates'][$mapper_key],
-    'hasAccess' => true
+    'template' => $iam_settings['templates'][$mapper_key]
   ));
+  $_SESSION['access_all_exception'] = '0';
   if (!$create_res){
     clear_session();
     return false;
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index d351eccf4..ed41379f4 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -538,10 +538,13 @@ function logger($_data = false) {
 }
 function hasDomainAccess($username, $role, $domain) {
   global $pdo;
-  if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
+  if (empty($domain) || !is_valid_domain_name($domain)) {
     return false;
   }
-  if (empty($domain) || !is_valid_domain_name($domain)) {
+  if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
+    return true;
+  }
+  if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
     return false;
   }
   if ($role != 'admin' && $role != 'domainadmin') {
@@ -577,6 +580,9 @@ function hasDomainAccess($username, $role, $domain) {
 }
 function hasMailboxObjectAccess($username, $role, $object) {
   global $pdo;
+  if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
+    return true;
+  }
   if (empty($username) || empty($role) || empty($object)) {
     return false;
   }
@@ -600,6 +606,9 @@ function hasMailboxObjectAccess($username, $role, $object) {
 // does also verify mailboxes as a mailbox is a alias == goto
 function hasAliasObjectAccess($username, $role, $object) {
   global $pdo;
+  if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
+    return true;
+  }
   if (empty($username) || empty($role) || empty($object)) {
     return false;
   }
@@ -617,6 +626,16 @@ function hasAliasObjectAccess($username, $role, $object) {
   }
   return false;
 }
+function hasACLAccess($type) {
+  if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
+    return true;
+  }
+  if (isset($_SESSION['acl'][$type]) && $_SESSION['acl'][$type] == "1") {
+    return true;
+  }
+
+  return false;
+}
 function pem_to_der($pem_key) {
   // Need to remove BEGIN/END PUBLIC KEY
   $lines = explode("\n", trim($pem_key));
@@ -2530,12 +2549,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         // success
         if ($mapper_key !== false) {
           // update user
+          $_SESSION['access_all_exception'] = '1';
           mailbox('edit', 'mailbox_from_template', array(
             'username' => $info['email'],
             'name' => $info['name'],
-            'template' => $iam_settings['templates'][$mapper_key],
-            'hasAccess' => true
+            'template' => $iam_settings['templates'][$mapper_key]
           ));
+          $_SESSION['access_all_exception'] = '0';
         }
         set_user_loggedin_session($info['email']);
         $_SESSION['iam_token'] = $plain_token;
@@ -2568,14 +2588,15 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
 
       // create mailbox
+      $_SESSION['access_all_exception'] = '1';
       $create_res = mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $info['email'])[1],
         'local_part' => explode('@', $info['email'])[0],
         'name' => $info['name'],
         'authsource' => $iam_settings['authsource'],
-        'template' => $iam_settings['templates'][$mapper_key],
-        'hasAccess' => true
+        'template' => $iam_settings['templates'][$mapper_key]
       ));
+      $_SESSION['access_all_exception'] = '0';
       if (!$create_res){
         clear_session();
         $_SESSION['return'][] =  array(
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index c63a0d37b..84bc3f169 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1045,7 +1045,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $password2 = '';
             $password_hashed = '';
           }
-          if (!$_extra['hasAccess'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
+          if (!hasACLAccess("unlimited_quota") && $quota_m === 0) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1104,7 +1104,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['hasAccess']) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1385,7 +1385,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             }
           }
 
-          return mailbox('add', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
+          return mailbox('add', 'mailbox', $mailbox_attributes);
         break;
         case 'resource':
           $domain             = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
@@ -1753,7 +1753,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $usernames = $_data['username'];
           }
-          if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1")) {
+          if (!hasACLAccess("tls_policy")) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1762,7 +1762,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
-            if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1807,7 +1807,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $usernames = $_data['username'];
           }
-          if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1")) {
+          if (!hasACLAccess("quarantine_notification")) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1816,7 +1816,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
-            if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1866,7 +1866,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           else {
             $usernames = $_data['username'];
           }
-          if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1")) {
+          if (!hasACLAccess("quarantine_category")) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1875,7 +1875,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
-            if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -2938,12 +2938,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             if (!empty($is_now)) {
               $active               = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
               (int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
-              (int)$sogo_access     = ((isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
-              (int)$imap_access     = ((isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
-              (int)$pop3_access     = ((isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
-              (int)$smtp_access     = ((isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
-              (int)$sieve_access    = ((isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
-              (int)$relayhost       = ((isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") || $_extra['hasAccess']) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
+              (int)$sogo_access     = (isset($_data['sogo_access']) && hasACLAccess("sogo_access")) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
+              (int)$imap_access     = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
+              (int)$pop3_access     = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
+              (int)$smtp_access     = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
+              (int)$sieve_access    = (isset($_data['sieve_access']) && hasACLAccess("protocol_access")) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
+              (int)$relayhost       = (isset($_data['relayhost']) && hasACLAccess("mailbox_relayhost")) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
               (int)$quota_m         = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
               $name                 = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
               $domain               = $is_now['domain'];
@@ -2970,7 +2970,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               continue;
             }
             // if already 0 == ok
-            if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) {
+            if (!hasACLAccess("unlimited_quota") && ($quota_m == 0 && $is_now['quota'] != 0)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -2978,7 +2978,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               return false;
             }
-            if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+            if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -3005,7 +3005,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             }
             $extra_acls = array();
             if (isset($_data['extended_sender_acl'])) {
-              if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1")) {
+              if (!hasACLAccess("extend_sender_acl")) {
                 $_SESSION['return'][] = array(
                   'type' => 'danger',
                   'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -3505,7 +3505,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
-          $is_now = mailbox('get', 'mailbox_details', $_data['username'], array('hasAccess' => $_data['hasAccess']));
+          $is_now = mailbox('get', 'mailbox_details', $_data['username']);
           $name = ltrim(rtrim($_data['name'], '>'), '<');
           if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
             return true;
@@ -3541,17 +3541,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           $mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
-          $result = mailbox('edit', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
+          $result = mailbox('edit', 'mailbox', $mailbox_attributes);
           if ($result === false) return $result;
-          $result = mailbox('edit', 'tls_policy', $tls_attributes, array('hasAccess' => $_data['hasAccess']));
+          $result = mailbox('edit', 'tls_policy', $tls_attributes);
           if ($result === false) return $result;
-          $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
+          $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes);
           if ($result === false) return $result;
-          $result = mailbox('edit', 'quarantine_category', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
+          $result = mailbox('edit', 'quarantine_category', $quarantine_attributes);
           if ($result === false) return $result;
-          $result = ratelimit('edit', 'mailbox', $ratelimit_attributes, array('hasAccess' => $_data['hasAccess']));
+          $result = ratelimit('edit', 'mailbox', $ratelimit_attributes);
           if ($result === false) return $result;
-          $result = acl('edit', 'user', $acl_attributes, array('hasAccess' => $_data['hasAccess']));
+          $result = acl('edit', 'user', $acl_attributes);
           if ($result === false) return $result;
 
           $_SESSION['return'] = array();
@@ -4090,7 +4090,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'tls_policy':
           $attrs = array();
           if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
-            if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
               return false;
             }
           }
@@ -4109,7 +4109,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'quarantine_notification':
           $attrs = array();
           if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
-            if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
               return false;
             }
           }
@@ -4125,7 +4125,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'quarantine_category':
           $attrs = array();
           if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
-            if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data))) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
               return false;
             }
           }
@@ -4640,7 +4640,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
         case 'domain_details':
           $domaindata = array();
           $_data = idn_to_ascii(strtolower(trim($_data)), 0, INTL_IDNA_VARIANT_UTS46);
-          if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` =  :domain");
@@ -4806,7 +4806,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
         break;
         case 'mailbox_details':
-          if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           $mailboxdata = array();
@@ -4969,7 +4969,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           return $mailboxdata;
         break;
         case 'mailbox_templates':
-          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['hasAccess']) {
+          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && $_SESSION['access_all_exception'] != "1") {
             return false;
           }
           $_data = (isset($_data)) ? intval($_data) : null;
diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index 5779ad77c..91ac999e2 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
   $_data_log = $_data;
   switch ($_action) {
     case 'edit':
-      if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['hasAccess']) {
+      if (!hasACLAccess("ratelimit")) {
         $_SESSION['return'][] = array(
           'type' => 'danger',
           'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
               );
               continue;
             }
-            if (((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
-                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) && !$_extra['hasAccess']) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
+                || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -139,7 +139,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
     case 'get':
       switch ($_scope) {
         case 'domain':
-          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) && !$_extra['hasAccess']) {
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
             return false;
           }
           try {
@@ -164,7 +164,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
           return false;
         break;
         case 'mailbox':
-          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data && !$_extra['hasAccess'])
+          if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)
             || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
             return false;
           }
diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index b73ad2816..67bdd35b3 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -5,6 +5,8 @@ if (session_status() !== PHP_SESSION_ACTIVE) {
   ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
 }
 
+$_SESSION['access_all_exception'] = '0';
+
 if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
   strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
   if (session_status() !== PHP_SESSION_ACTIVE) {

From 1e70a2018858b24047ebeb5e4c08a8f4689d2520 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 15 Jan 2025 16:15:25 +0100
Subject: [PATCH 164/378] [SOGo] Add mailcow Buttons to SOGo navbar

---
 data/Dockerfiles/sogo/Dockerfile          |  1 +
 data/Dockerfiles/sogo/bootstrap-sogo.sh   |  4 +++
 data/Dockerfiles/sogo/navMailcowBtns.diff | 20 +++++++++++
 data/conf/sogo/custom-sogo.js             | 42 -----------------------
 docker-compose.yml                        |  2 +-
 5 files changed, 26 insertions(+), 43 deletions(-)
 create mode 100644 data/Dockerfiles/sogo/navMailcowBtns.diff

diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile
index 78da39bec..4eb36638a 100644
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -48,6 +48,7 @@ COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY acl.diff /acl.diff
+COPY navMailcowBtns.diff /navMailcowBtns.diff
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /
 
diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index 11b077cfd..566d812fc 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -136,6 +136,10 @@ chmod 600 /var/lib/sogo/GNUstep/Defaults/sogod.plist
 #  fi
 #fi
 
+if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff > /dev/null; then
+  patch -R /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff;
+fi
+
 # Copy logo, if any
 [[ -f /etc/sogo/sogo-full.svg ]] && cp /etc/sogo/sogo-full.svg /usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg
 
diff --git a/data/Dockerfiles/sogo/navMailcowBtns.diff b/data/Dockerfiles/sogo/navMailcowBtns.diff
new file mode 100644
index 000000000..1b469aa60
--- /dev/null
+++ b/data/Dockerfiles/sogo/navMailcowBtns.diff
@@ -0,0 +1,20 @@
+59,65d58
+<                ng-show="::!activeUser.isSuperUser"
+<                var:ng-click="navButtonClick"
+<                ng-href="/user">
+<       <md-icon>build</md-icon>
+<       <md-tooltip><var:string label:value="mailcow"/></md-tooltip>
+<     </md-button>
+<     <md-button class="md-icon-button"
+83c76
+<                onclick="document.getElementById('mc_logout').setAttribute('action', '/'); document.getElementById('mc_logout').submit();"
+---
+>                ng-show="::activeUser.path.logoff.length"
+85c78
+<                ng-href="#">
+---
+>                ng-href="{{::activeUser.path.logoff}}">
+89,91d81
+<     <form method="POST" id="mc_logout" action="user">
+<       <input type="hidden" name="logout" value="1">
+<     </form>
diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js
index 1070efa40..e1f27e8ff 100644
--- a/data/conf/sogo/custom-sogo.js
+++ b/data/conf/sogo/custom-sogo.js
@@ -4,48 +4,6 @@ document.addEventListener('DOMContentLoaded', function () {
     if (loginForm) {
         window.location.href = '/user';
     }
-
-    angularReady = false;
-    function observe() {
-        angularReady = toolbarExists();
-        if (angularReady && !mcElementsExists()) addMCElements();
-
-        const observer = new MutationObserver(function(mutations) {
-            if (!angularReady) {
-                mutations.forEach(function(mutation) {
-                    if (mutation.addedNodes.length > 0) angularReady = toolbarExists();
-                });
-            } else if (angularReady && !mcElementsExists()) {
-                addMCElements();
-            }
-        });
-
-        const targetNode = document.body;
-        const config = { childList: true, subtree: true };
-        observer.observe(targetNode, config);
-    }
-    function toolbarExists() {
-        const toolbarElement = document.body.querySelector('md-toolbar');
-        if (toolbarElement)
-            return true;
-        else
-            return false;
-    }
-    function mcElementsExists() {
-        if (document.getElementById("mc_backlink"))
-            return true;
-        else
-            return false;
-    }
-    function addMCElements() {
-        const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
-        var htmlCode = '<a id="mc_backlink" class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
-            '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
-            '</a>';
-        toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
-    }
-
-    observe();
 });
 
 // Custom SOGo JS
diff --git a/docker-compose.yml b/docker-compose.yml
index 9218b3960..aaa8a3a03 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -198,7 +198,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:nightly-20241205
+      image: mailcow/sogo:nightly-20250115
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From 5f45f8ae34cf5fde56be4627a159e2c853fe346b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 23 Jan 2025 09:18:45 +0100
Subject: [PATCH 165/378] [Web] Fix mailbox datatable search

---
 data/web/json_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index 92644ffc5..14e7c47d3 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1079,7 +1079,7 @@ if (isset($_GET['query'])) {
                   ['db' => 'last_pw_change', 'dt' => 5, 'dummy' => true, 'order_subquery' => "JSON_EXTRACT(attributes, '$.passwd_update')"],
                   ['db' => 'in_use', 'dt' => 6, 'dummy' => true, 'order_subquery' => "(SELECT SUM(bytes) FROM `quota2` WHERE `quota2`.`username` = `m`.`username`) / `m`.`quota`"],
                   ['db' => 'name', 'dt' => 7],
-                  ['db' => 'messages', 'dt' => 17, 'dummy' => true, 'order_subquery' => "SELECT SUM(messages) FROM `quota2` WHERE `quota2`.`username` = `m`.`username`"],
+                  ['db' => 'messages', 'dt' => 18, 'dummy' => true, 'order_subquery' => "SELECT SUM(messages) FROM `quota2` WHERE `quota2`.`username` = `m`.`username`"],
                   ['db' => 'tags', 'dt' => 20, 'dummy' => true, 'search' => ['join' => 'LEFT JOIN `tags_mailbox` AS `tm` ON `tm`.`username` = `m`.`username`', 'where_column' => '`tm`.`tag_name`']],
                   ['db' => 'active', 'dt' => 21],
                 ];

From de6bd222fcce86b9cd27c3364543c3983be71696 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 24 Jan 2025 09:25:19 +0100
Subject: [PATCH 166/378] [Web] increase db_version

---
 data/web/inc/init_db.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index b1459136d..3c6721090 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "20112024_1105";
+    $db_version = "24012025_0923";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));

From aca01c8aa2607777205226a86be29df338eb51d9 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 27 Jan 2025 15:59:50 +0100
Subject: [PATCH 167/378] [Web] Separate Login pages

---
 data/web/{debug.php => admin/dashboard.php}   |  17 +-
 data/web/admin/index.php                      |  29 ++
 data/web/{ => admin}/mailbox.php              |  16 +-
 data/web/{ => admin}/queue.php                |  15 +-
 data/web/{admin.php => admin/system.php}      |  13 +-
 data/web/css/site/admin.css                   |   3 -
 data/web/domainadmin/index.php                |  28 ++
 data/web/domainadmin/mailbox.php              |  58 ++++
 data/web/domainadmin/user.php                 |  44 +++
 data/web/inc/functions.inc.php                |   1 +
 data/web/inc/init_db.inc.php                  |   2 +-
 data/web/inc/prerequisites.inc.php            |   2 +-
 data/web/inc/sessions.inc.php                 |  19 +-
 data/web/inc/triggers.admin.inc.php           |  93 +++++++
 data/web/inc/triggers.domainadmin.inc.php     |  62 +++++
 data/web/inc/triggers.global.inc.php          |  48 ++++
 data/web/inc/triggers.inc.php                 | 263 ------------------
 data/web/inc/triggers.user.inc.php            | 132 +++++++++
 data/web/index.php                            |  19 +-
 data/web/js/site/{debug.js => dashboard.js}   |   0
 data/web/js/site/mailbox.js                   |   2 +-
 data/web/reset-password.php                   |   4 +-
 data/web/templates/admin_index.twig           |  91 ++++++
 data/web/templates/base.twig                  |  43 +--
 .../templates/{debug.twig => dashboard.twig}  |   4 +-
 data/web/templates/domainadmin_index.twig     |  91 ++++++
 data/web/templates/user/tab-user-auth.twig    |   4 +-
 .../templates/{index.twig => user_index.twig} |   0
 data/web/user.php                             |  33 +--
 29 files changed, 798 insertions(+), 338 deletions(-)
 rename data/web/{debug.php => admin/dashboard.php} (83%)
 create mode 100644 data/web/admin/index.php
 rename data/web/{ => admin}/mailbox.php (73%)
 rename data/web/{ => admin}/queue.php (55%)
 rename data/web/{admin.php => admin/system.php} (90%)
 create mode 100644 data/web/domainadmin/index.php
 create mode 100644 data/web/domainadmin/mailbox.php
 create mode 100644 data/web/domainadmin/user.php
 create mode 100644 data/web/inc/triggers.admin.inc.php
 create mode 100644 data/web/inc/triggers.domainadmin.inc.php
 create mode 100644 data/web/inc/triggers.global.inc.php
 delete mode 100644 data/web/inc/triggers.inc.php
 create mode 100644 data/web/inc/triggers.user.inc.php
 rename data/web/js/site/{debug.js => dashboard.js} (100%)
 create mode 100644 data/web/templates/admin_index.twig
 rename data/web/templates/{debug.twig => dashboard.twig} (99%)
 create mode 100644 data/web/templates/domainadmin_index.twig
 rename data/web/templates/{index.twig => user_index.twig} (100%)

diff --git a/data/web/debug.php b/data/web/admin/dashboard.php
similarity index 83%
rename from data/web/debug.php
rename to data/web/admin/dashboard.php
index 4a099cb6e..894b1c645 100644
--- a/data/web/debug.php
+++ b/data/web/admin/dashboard.php
@@ -1,8 +1,17 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.admin.inc.php';
 
-if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
-  header('Location: /');
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+elseif (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
+  header('Location: /admin');
   exit();
 }
 
@@ -16,7 +25,7 @@ if (!isset($_SESSION['gal']) && $license_cache = $redis->Get('LICENSE_STATUS_CAC
   $_SESSION['gal'] = json_decode($license_cache, true);
 }
 
-$js_minifier->add('/web/js/site/debug.js');
+$js_minifier->add('/web/js/site/dashboard.js');
 
 // vmail df
 $exec_fields = array('cmd' => 'system', 'task' => 'df', 'dir' => '/var/vmail');
@@ -61,7 +70,7 @@ foreach ($containers_info as $container => $container_info) {
 $hostname = getenv('MAILCOW_HOSTNAME');
 $timezone = getenv('TZ');
 
-$template = 'debug.twig';
+$template = 'dashboard.twig';
 $template_data = [
   'log_lines' => getenv('LOG_LINES'),
   'vmail_df' => $vmail_df,
diff --git a/data/web/admin/index.php b/data/web/admin/index.php
new file mode 100644
index 000000000..05ba70337
--- /dev/null
+++ b/data/web/admin/index.php
@@ -0,0 +1,29 @@
+<?php
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.admin.inc.php';
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
+  header('Location: /admin/dashboard');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
+$_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
+$_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
+
+
+$template = 'admin_index.twig';
+$template_data = [
+  'login_delay' => @$_SESSION['ldelay']
+];
+
+$js_minifier->add('/web/js/site/index.js');
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/footer.inc.php';
diff --git a/data/web/mailbox.php b/data/web/admin/mailbox.php
similarity index 73%
rename from data/web/mailbox.php
rename to data/web/admin/mailbox.php
index a84e32c47..d0073bbd6 100644
--- a/data/web/mailbox.php
+++ b/data/web/admin/mailbox.php
@@ -1,10 +1,20 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.admin.inc.php';
 
-if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
-  header('Location: /');
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
   exit();
 }
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+elseif (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
+  header('Location: /admin');
+  exit();
+}
+
 require_once $_SERVER['DOCUMENT_ROOT'] .  '/inc/header.inc.php';
 $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
 
@@ -14,7 +24,7 @@ $js_minifier->add('/web/js/site/mailbox.js');
 $js_minifier->add('/web/js/presets/sieveMailbox.js');
 $js_minifier->add('/web/js/site/pwgen.js');
 
-$role = ($_SESSION['mailcow_cc_role'] == "admin") ? 'admin' : 'domainadmin';
+$role = "admin";
 $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? 'true' : 'false';
 $allow_admin_email_login = (preg_match("/^([yY][eE][sS]|[yY])+$/", $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"])) ? 'true' : 'false';
 
diff --git a/data/web/queue.php b/data/web/admin/queue.php
similarity index 55%
rename from data/web/queue.php
rename to data/web/admin/queue.php
index ffce8d8b0..85ec59401 100644
--- a/data/web/queue.php
+++ b/data/web/admin/queue.php
@@ -1,8 +1,17 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.admin.inc.php';
 
-if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
-  header('Location: /');
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+elseif (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
+  header('Location: /admin');
   exit();
 }
 
@@ -11,7 +20,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
 $js_minifier->add('/web/js/site/queue.js');
 $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
 
-$role = ($_SESSION['mailcow_cc_role'] == "admin") ? 'admin' : 'domainadmin';
+$role = "admin";
 
 $template = 'queue.twig';
 $template_data = [
diff --git a/data/web/admin.php b/data/web/admin/system.php
similarity index 90%
rename from data/web/admin.php
rename to data/web/admin/system.php
index 5a8895dee..c21d43f0d 100644
--- a/data/web/admin.php
+++ b/data/web/admin/system.php
@@ -1,8 +1,17 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.admin.inc.php';
 
-if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
-  header('Location: /');
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+elseif (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "admin") {
+  header('Location: /admin');
   exit();
 }
 
diff --git a/data/web/css/site/admin.css b/data/web/css/site/admin.css
index e49046b00..b54148026 100644
--- a/data/web/css/site/admin.css
+++ b/data/web/css/site/admin.css
@@ -59,9 +59,6 @@ body.modal-open {
 .table-condensed > thead > tr > th, .table-condensed > tbody > tr > th, .table-condensed > tfoot > tr > th, .table-condensed > thead > tr > td, .table-condensed > tbody > tr > td, .table-condensed > tfoot > tr > td {
   padding: 3px;
 }
-table tbody tr {
-  cursor: pointer;
-}
 table tbody tr td input[type="checkbox"] {
   cursor: pointer;
 }
diff --git a/data/web/domainadmin/index.php b/data/web/domainadmin/index.php
new file mode 100644
index 000000000..2d909f97f
--- /dev/null
+++ b/data/web/domainadmin/index.php
@@ -0,0 +1,28 @@
+<?php
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.domainadmin.inc.php';
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
+  header('Location: /admin/dashboard');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
+$_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
+$_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
+
+$template = 'domainadmin_index.twig';
+$template_data = [
+  'login_delay' => @$_SESSION['ldelay'],
+];
+
+$js_minifier->add('/web/js/site/index.js');
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/footer.inc.php';
diff --git a/data/web/domainadmin/mailbox.php b/data/web/domainadmin/mailbox.php
new file mode 100644
index 000000000..bb2ef16f3
--- /dev/null
+++ b/data/web/domainadmin/mailbox.php
@@ -0,0 +1,58 @@
+<?php
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.domainadmin.inc.php';
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
+  header('Location: /admin/dashboard');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+elseif (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != "domainadmin") {
+  header('Location: /domainadmin');
+  exit();
+}
+
+require_once $_SERVER['DOCUMENT_ROOT'] .  '/inc/header.inc.php';
+$_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
+
+
+
+$js_minifier->add('/web/js/site/mailbox.js');
+$js_minifier->add('/web/js/presets/sieveMailbox.js');
+$js_minifier->add('/web/js/site/pwgen.js');
+
+$role = "domainadmin";
+$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? 'true' : 'false';
+$allow_admin_email_login = (preg_match("/^([yY][eE][sS]|[yY])+$/", $_ENV["ALLOW_ADMIN_EMAIL_LOGIN"])) ? 'true' : 'false';
+
+// domains
+$domains = mailbox('get', 'domains');
+
+// mailboxes
+$mailboxes = [];
+foreach ($domains as $domain) {
+  foreach (mailbox('get', 'mailboxes', $domain) as $mailbox) {
+    $mailboxes[] = $mailbox;
+  }
+}
+
+$template = 'mailbox.twig';
+$template_data = [
+  'acl' => $_SESSION['acl'],
+  'acl_json' => json_encode($_SESSION['acl']),
+  'role' => $role,
+  'is_dual' => $is_dual,
+  'allow_admin_email_login' => $allow_admin_email_login,
+  'global_filters' => mailbox('get', 'global_filter_details'),
+  'domains' => $domains,
+  'mailboxes' => $mailboxes,
+  'lang_mailbox' => json_encode($lang['mailbox']),
+  'lang_rl' => json_encode($lang['ratelimit']),
+  'lang_edit' => json_encode($lang['edit']),
+  'lang_datatables' => json_encode($lang['datatables']),
+];
+
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/footer.inc.php';
\ No newline at end of file
diff --git a/data/web/domainadmin/user.php b/data/web/domainadmin/user.php
new file mode 100644
index 000000000..7f1b392e0
--- /dev/null
+++ b/data/web/domainadmin/user.php
@@ -0,0 +1,44 @@
+<?php
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.domainadmin.inc.php';
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+
+  /*
+  / DOMAIN ADMIN
+  */
+
+  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
+  $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
+  $tfa_data = get_tfa();
+  $fido2_data = fido2(array("action" => "get_friendly_names"));
+  $username = $_SESSION['mailcow_cc_username'];
+
+  $template = 'domainadmin.twig';
+  $template_data = [
+    'acl' => $_SESSION['acl'],
+    'acl_json' => json_encode($_SESSION['acl']),
+    'user_spam_score' => mailbox('get', 'spam_score', $username),
+    'tfa_data' => $tfa_data,
+    'fido2_data' => $fido2_data,
+    'lang_user' => json_encode($lang['user']),
+    'lang_datatables' => json_encode($lang['datatables']),
+  ];
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
+  header('Location: /admin/dashboard');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+  header('Location: /user');
+  exit();
+}
+else {
+  header('Location: /domainadmin');
+  exit();
+}
+
+$js_minifier->add('/web/js/site/user.js');
+$js_minifier->add('/web/js/site/pwgen.js');
+
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/footer.inc.php';
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index ed41379f4..233624278 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -3101,6 +3101,7 @@ function clear_session(){
   session_write_close();
 }
 function set_user_loggedin_session($user) {
+  session_regenerate_id(true);
   $_SESSION['mailcow_cc_username'] = $user;
   $_SESSION['mailcow_cc_role'] = 'user';
   $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 7fb619d44..156856c24 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "20112024_1105";
+    $db_version = "27012025_1555";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 5738e7c0a..deb5da8fa 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -297,7 +297,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.rspamd.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.tls_policy_maps.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.transports.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/init_db.inc.php';
-require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.global.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/twig.inc.php';
 init_db_schema();
 if (isset($_SESSION['mailcow_cc_role'])) {
diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index 67bdd35b3..bbc08cf13 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -99,15 +99,30 @@ if (isset($_POST["logout"])) {
     unset($_SESSION['sogo-sso-user-allowed']);
     unset($_SESSION['sogo-sso-pass']);
     unset($_SESSION["dual-login"]);
-    header("Location: /mailbox");
+    if ($_SESSION["mailcow_cc_role"] == "admin"){
+      header("Location: /admin/mailbox");
+    } elseif ($_SESSION["mailcow_cc_role"] == "domainadmin") {
+      header("Location: /domainadmin/mailbox");
+    } else {
+      header("Location: /");
+    }
     exit();
   }
   else {
+    $role = $_SESSION["mailcow_cc_role"];
     session_regenerate_id(true);
     session_unset();
     session_destroy();
     session_write_close();
-    header("Location: /");
+    if ($role == "admin") {
+      header("Location: /admin");
+    }
+    elseif ($role == "domainadmin") {
+      header("Location: /domainadmin");
+    }
+    else {
+      header("Location: /");
+    }
   }
 }
 
diff --git a/data/web/inc/triggers.admin.inc.php b/data/web/inc/triggers.admin.inc.php
new file mode 100644
index 000000000..5b1061f7e
--- /dev/null
+++ b/data/web/inc/triggers.admin.inc.php
@@ -0,0 +1,93 @@
+<?php
+
+if (isset($_POST["verify_tfa_login"])) {
+  if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
+    if ($_SESSION['pending_mailcow_cc_role'] == "admin") {
+      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
+      $_SESSION['mailcow_cc_role'] = "admin";
+      unset($_SESSION['pending_mailcow_cc_username']);
+      unset($_SESSION['pending_mailcow_cc_role']);
+      unset($_SESSION['pending_tfa_methods']);
+
+		  header("Location: /admin/dashboard");
+      die();
+    }
+  }
+
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+}
+
+if (isset($_GET["cancel_tfa_login"])) {
+  unset($_SESSION['pending_pw_reset_token']);
+  unset($_SESSION['pending_pw_new_password']);
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+
+  header("Location: /admin");
+}
+
+if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
+  $login_user = strtolower(trim($_POST["login_user"]));
+  $as = check_login($login_user, $_POST["pass_user"], false, array("role" => "admin"));
+
+  if ($as == "admin") {
+    session_regenerate_id(true);
+		$_SESSION['mailcow_cc_username'] = $login_user;
+		$_SESSION['mailcow_cc_role'] = "admin";
+		header("Location: /admin/dashboard");
+    die();
+	}
+	elseif ($as != "pending") {
+    unset($_SESSION['pending_mailcow_cc_username']);
+    unset($_SESSION['pending_mailcow_cc_role']);
+    unset($_SESSION['pending_tfa_methods']);
+		unset($_SESSION['mailcow_cc_username']);
+		unset($_SESSION['mailcow_cc_role']);
+	}
+}
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
+  // TODO: Move file upload to API?
+	if (isset($_POST["submit_main_logo"])) {
+    if ($_FILES['main_logo']['error'] == 0) {
+      customize('add', 'main_logo', $_FILES);
+    }
+    if ($_FILES['main_logo_dark']['error'] == 0) {
+      customize('add', 'main_logo_dark', $_FILES);
+    }
+	}
+	if (isset($_POST["reset_main_logo"])) {
+    customize('delete', 'main_logo');
+    customize('delete', 'main_logo_dark');
+	}
+  // Some actions will not be available via API
+	if (isset($_POST["license_validate_now"])) {
+		license('verify');
+	}
+  if (isset($_POST["admin_api"])) {
+    if (isset($_POST["admin_api"]["ro"])) {
+      admin_api('ro', 'edit', $_POST);
+    }
+    elseif (isset($_POST["admin_api"]["rw"])) {
+      admin_api('rw', 'edit', $_POST);
+    }
+	}
+  if (isset($_POST["admin_api_regen_key"])) {
+    if (isset($_POST["admin_api_regen_key"]["ro"])) {
+      admin_api('ro', 'regen_key', $_POST);
+    }
+    elseif (isset($_POST["admin_api_regen_key"]["rw"])) {
+      admin_api('rw', 'regen_key', $_POST);
+    }
+	}
+	if (isset($_POST["rspamd_ui"])) {
+		rspamd_ui('edit', $_POST);
+	}
+	if (isset($_POST["mass_send"])) {
+		sys_mail($_POST);
+	}
+}
+?>
diff --git a/data/web/inc/triggers.domainadmin.inc.php b/data/web/inc/triggers.domainadmin.inc.php
new file mode 100644
index 000000000..9ee53d67a
--- /dev/null
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -0,0 +1,62 @@
+<?php
+// SSO Domain Admin
+if (!empty($_GET['sso_token'])) {
+  $username = domain_admin_sso('check', $_GET['sso_token']);
+
+  if ($username !== false) {
+    session_regenerate_id(true);
+    $_SESSION['mailcow_cc_username'] = $username;
+    $_SESSION['mailcow_cc_role'] = 'domainadmin';
+    header('Location: /domainadmin/mailbox');
+  }
+}
+
+if (isset($_POST["verify_tfa_login"])) {
+  if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
+    if ($_SESSION['pending_mailcow_cc_role'] == "domainadmin") {
+      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
+      $_SESSION['mailcow_cc_role'] = "domainadmin";
+      unset($_SESSION['pending_mailcow_cc_username']);
+      unset($_SESSION['pending_mailcow_cc_role']);
+      unset($_SESSION['pending_tfa_methods']);
+
+		  header("Location: /domainadmin/mailbox");
+      die();
+    }
+  }
+
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+}
+
+if (isset($_GET["cancel_tfa_login"])) {
+  unset($_SESSION['pending_pw_reset_token']);
+  unset($_SESSION['pending_pw_new_password']);
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+
+  header("Location: /domainadmin");
+}
+
+if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
+  $login_user = strtolower(trim($_POST["login_user"]));
+  $as = check_login($login_user, $_POST["pass_user"], false, array("role" => "domain_admin"));
+
+  if ($as == "domainadmin") {
+    session_regenerate_id(true);
+		$_SESSION['mailcow_cc_username'] = $login_user;
+		$_SESSION['mailcow_cc_role'] = "domainadmin";
+		header("Location: /domainadmin/mailbox");
+    die();
+	}
+	elseif ($as != "pending") {
+    unset($_SESSION['pending_mailcow_cc_username']);
+    unset($_SESSION['pending_mailcow_cc_role']);
+    unset($_SESSION['pending_tfa_methods']);
+		unset($_SESSION['mailcow_cc_username']);
+		unset($_SESSION['mailcow_cc_role']);
+	}
+}
+?>
diff --git a/data/web/inc/triggers.global.inc.php b/data/web/inc/triggers.global.inc.php
new file mode 100644
index 000000000..dd88fad56
--- /dev/null
+++ b/data/web/inc/triggers.global.inc.php
@@ -0,0 +1,48 @@
+<?php
+if (isset($_POST["quick_release"])) {
+	quarantine('quick_release', $_POST["quick_release"]);
+}
+
+if (isset($_POST["quick_delete"])) {
+	quarantine('quick_delete', $_POST["quick_delete"]);
+}
+
+if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) {
+	if (isset($_GET["duallogin"])) {
+    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+    if (!$is_dual) {
+      $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
+      if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
+        if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $duallogin;
+          $_SESSION['mailcow_cc_role']        = "user";
+          header("Location: /user");
+        }
+      }
+      else {
+        if (!empty(domain_admin('details', $duallogin))) {
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $duallogin;
+          $_SESSION['mailcow_cc_role']        = "domainadmin";
+          header("Location: /user");
+        }
+      }
+    }
+  }
+}
+
+if (isset($_SESSION['mailcow_cc_role'])) {
+	if (isset($_POST["set_tfa"])) {
+		set_tfa($_POST);
+	}
+	if (isset($_POST["unset_tfa_key"])) {
+		unset_tfa_key($_POST);
+	}
+	if (isset($_POST["unset_fido2_key"])) {
+		fido2(array("action" => "unset_fido2_key", "post_data" => $_POST));
+	}
+}
+?>
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
deleted file mode 100644
index b0c2237d6..000000000
--- a/data/web/inc/triggers.inc.php
+++ /dev/null
@@ -1,263 +0,0 @@
-<?php
-// handle iam authentication
-if ($iam_provider){
-  if (isset($_GET['iam_sso'])){
-    // redirect for sso
-    $redirect_uri = identity_provider('get-redirect');
-    $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
-    header('Location: ' . $redirect_uri);
-    die();
-  }
-  if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
-    // Session found, try to refresh
-    $isRefreshed = identity_provider('refresh-token');
-
-    if (!$isRefreshed){
-      // Session could not be refreshed, redirect to provider
-      $redirect_uri = identity_provider('get-redirect');
-      $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
-      header('Location: ' . $redirect_uri);
-      die();
-    }
-  } elseif ($_GET['code'] && $_GET['state'] === $_SESSION['oauth2state']) {
-    // Check given state against previously stored one to mitigate CSRF attack
-    // Recieved access token in $_GET['code']
-    // extract info and verify user
-    identity_provider('verify-sso');
-  }
-}
-
-// SSO Domain Admin
-if (!empty($_GET['sso_token'])) {
-  $username = domain_admin_sso('check', $_GET['sso_token']);
-
-  if ($username !== false) {
-    $_SESSION['mailcow_cc_username'] = $username;
-    $_SESSION['mailcow_cc_role'] = 'domainadmin';
-    header('Location: /mailbox');
-  }
-}
-
-if (isset($_POST["pw_reset_request"]) && !empty($_POST['username'])) {
-  reset_password("issue", $_POST['username']);
-  header("Location: /");
-  exit;
-}
-if (isset($_POST["pw_reset"])) {
-  $username = reset_password("check", $_POST['token']);
-  $reset_result = reset_password("reset", array(
-    'new_password' => $_POST['new_password'],
-    'new_password2' => $_POST['new_password2'],
-    'token' => $_POST['token'],
-    'username' => $username,
-    'check_tfa' => True
-  ));
-
-  if ($reset_result){
-    header("Location: /");
-    exit;
-  }
-}
-if (isset($_POST["verify_tfa_login"])) {
-  if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
-    if ($_SESSION['pending_mailcow_cc_role'] == "admin") {
-      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
-      $_SESSION['mailcow_cc_role'] = "admin";
-      unset($_SESSION['pending_mailcow_cc_username']);
-      unset($_SESSION['pending_mailcow_cc_role']);
-      unset($_SESSION['pending_tfa_methods']);
-
-		  header("Location: /debug");
-      die();
-    }
-    elseif ($_SESSION['pending_mailcow_cc_role'] == "domainadmin") {
-      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
-      $_SESSION['mailcow_cc_role'] = "domainadmin";
-      unset($_SESSION['pending_mailcow_cc_username']);
-      unset($_SESSION['pending_mailcow_cc_role']);
-      unset($_SESSION['pending_tfa_methods']);
-
-		  header("Location: /mailbox");
-      die();
-    }
-    elseif ($_SESSION['pending_mailcow_cc_role'] == "user") {
-      if (isset($_SESSION['pending_pw_reset_token']) && isset($_SESSION['pending_pw_new_password'])) {
-        reset_password("reset", array(
-          'new_password' => $_SESSION['pending_pw_new_password'],
-          'new_password2' => $_SESSION['pending_pw_new_password'],
-          'token' => $_SESSION['pending_pw_reset_token'],
-          'username' => $_SESSION['pending_mailcow_cc_username']
-        ));
-        unset($_SESSION['pending_pw_reset_token']);
-        unset($_SESSION['pending_pw_new_password']);
-        unset($_SESSION['pending_mailcow_cc_username']);
-        unset($_SESSION['pending_tfa_methods']);
-
-        header("Location: /");
-        die();
-      } else {
-        set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
-        $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
-        $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
-          header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
-          die();
-        } else {
-          header("Location: /user");
-          die();
-        }
-      }
-    }
-  }
-
-  unset($_SESSION['pending_mailcow_cc_username']);
-  unset($_SESSION['pending_mailcow_cc_role']);
-  unset($_SESSION['pending_tfa_methods']);
-}
-
-if (isset($_GET["cancel_tfa_login"])) {
-  unset($_SESSION['pending_pw_reset_token']);
-  unset($_SESSION['pending_pw_new_password']);
-  unset($_SESSION['pending_mailcow_cc_username']);
-  unset($_SESSION['pending_mailcow_cc_role']);
-  unset($_SESSION['pending_tfa_methods']);
-
-  header("Location: /");
-}
-
-if (isset($_POST["quick_release"])) {
-	quarantine('quick_release', $_POST["quick_release"]);
-}
-
-if (isset($_POST["quick_delete"])) {
-	quarantine('quick_delete', $_POST["quick_delete"]);
-}
-
-if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
-  $login_user = strtolower(trim($_POST["login_user"]));
-  $as = check_login($login_user, $_POST["pass_user"]);
-
-  if ($as == "admin") {
-		$_SESSION['mailcow_cc_username'] = $login_user;
-		$_SESSION['mailcow_cc_role'] = "admin";
-		header("Location: /debug");
-    die();
-	}
-	elseif ($as == "domainadmin") {
-		$_SESSION['mailcow_cc_username'] = $login_user;
-		$_SESSION['mailcow_cc_role'] = "domainadmin";
-		header("Location: /mailbox");
-    die();
-	}
-	elseif ($as == "user") {
-    set_user_loggedin_session($login_user);
-    $http_parameters = explode('&', $_SESSION['index_query_string']);
-    unset($_SESSION['index_query_string']);
-    if (in_array('mobileconfig', $http_parameters)) {
-        if (in_array('only_email', $http_parameters)) {
-            header("Location: /mobileconfig.php?only_email");
-            die();
-        }
-        header("Location: /mobileconfig.php");
-        die();
-    }
-
-    $user_details = mailbox("get", "mailbox_details", $login_user);
-    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
-      header("Location: /SOGo/so/{$login_user}");
-      die();
-    } else {
-      header("Location: /user");
-      die();
-    }
-	}
-	elseif ($as != "pending") {
-    unset($_SESSION['pending_mailcow_cc_username']);
-    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
-		unset($_SESSION['mailcow_cc_username']);
-		unset($_SESSION['mailcow_cc_role']);
-	}
-}
-
-if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) {
-	if (isset($_GET["duallogin"])) {
-    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (!$is_dual) {
-      $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
-      if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
-        if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
-          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
-          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
-          $_SESSION['mailcow_cc_username']    = $duallogin;
-          $_SESSION['mailcow_cc_role']        = "user";
-          header("Location: /user");
-        }
-      }
-      else {
-        if (!empty(domain_admin('details', $duallogin))) {
-          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
-          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
-          $_SESSION['mailcow_cc_username']    = $duallogin;
-          $_SESSION['mailcow_cc_role']        = "domainadmin";
-          header("Location: /user");
-        }
-      }
-    }
-  }
-}
-
-if (isset($_SESSION['mailcow_cc_role'])) {
-	if (isset($_POST["set_tfa"])) {
-		set_tfa($_POST);
-	}
-	if (isset($_POST["unset_tfa_key"])) {
-		unset_tfa_key($_POST);
-	}
-	if (isset($_POST["unset_fido2_key"])) {
-		fido2(array("action" => "unset_fido2_key", "post_data" => $_POST));
-	}
-}
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
-  // TODO: Move file upload to API?
-	if (isset($_POST["submit_main_logo"])) {
-    if ($_FILES['main_logo']['error'] == 0) {
-      customize('add', 'main_logo', $_FILES);
-    }
-    if ($_FILES['main_logo_dark']['error'] == 0) {
-      customize('add', 'main_logo_dark', $_FILES);
-    }
-	}
-	if (isset($_POST["reset_main_logo"])) {
-    customize('delete', 'main_logo');
-    customize('delete', 'main_logo_dark');
-	}
-  // Some actions will not be available via API
-	if (isset($_POST["license_validate_now"])) {
-		license('verify');
-	}
-  if (isset($_POST["admin_api"])) {
-    if (isset($_POST["admin_api"]["ro"])) {
-      admin_api('ro', 'edit', $_POST);
-    }
-    elseif (isset($_POST["admin_api"]["rw"])) {
-      admin_api('rw', 'edit', $_POST);
-    }
-	}
-  if (isset($_POST["admin_api_regen_key"])) {
-    if (isset($_POST["admin_api_regen_key"]["ro"])) {
-      admin_api('ro', 'regen_key', $_POST);
-    }
-    elseif (isset($_POST["admin_api_regen_key"]["rw"])) {
-      admin_api('rw', 'regen_key', $_POST);
-    }
-	}
-	if (isset($_POST["rspamd_ui"])) {
-		rspamd_ui('edit', $_POST);
-	}
-	if (isset($_POST["mass_send"])) {
-		sys_mail($_POST);
-	}
-}
-?>
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
new file mode 100644
index 000000000..c16edc10e
--- /dev/null
+++ b/data/web/inc/triggers.user.inc.php
@@ -0,0 +1,132 @@
+<?php
+// handle iam authentication
+if ($iam_provider){
+  if (isset($_GET['iam_sso'])){
+    // redirect for sso
+    $redirect_uri = identity_provider('get-redirect');
+    $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
+    header('Location: ' . $redirect_uri);
+    die();
+  }
+  if ($_SESSION['iam_token'] && $_SESSION['iam_refresh_token']) {
+    // Session found, try to refresh
+    $isRefreshed = identity_provider('refresh-token');
+
+    if (!$isRefreshed){
+      // Session could not be refreshed, redirect to provider
+      $redirect_uri = identity_provider('get-redirect');
+      $redirect_uri = !empty($redirect_uri) ? $redirect_uri : '/';
+      header('Location: ' . $redirect_uri);
+      die();
+    }
+  } elseif ($_GET['code'] && $_GET['state'] === $_SESSION['oauth2state']) {
+    // Check given state against previously stored one to mitigate CSRF attack
+    // Recieved access token in $_GET['code']
+    // extract info and verify user
+    identity_provider('verify-sso');
+  }
+}
+
+if (isset($_POST["pw_reset_request"]) && !empty($_POST['username'])) {
+  reset_password("issue", $_POST['username']);
+  header("Location: /");
+  exit;
+}
+if (isset($_POST["pw_reset"])) {
+  $username = reset_password("check", $_POST['token']);
+  $reset_result = reset_password("reset", array(
+    'new_password' => $_POST['new_password'],
+    'new_password2' => $_POST['new_password2'],
+    'token' => $_POST['token'],
+    'username' => $username,
+    'check_tfa' => True
+  ));
+
+  if ($reset_result){
+    header("Location: /");
+    exit;
+  }
+}
+if (isset($_POST["verify_tfa_login"])) {
+  if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
+    if ($_SESSION['pending_mailcow_cc_role'] == "user") {
+      if (isset($_SESSION['pending_pw_reset_token']) && isset($_SESSION['pending_pw_new_password'])) {
+        reset_password("reset", array(
+          'new_password' => $_SESSION['pending_pw_new_password'],
+          'new_password2' => $_SESSION['pending_pw_new_password'],
+          'token' => $_SESSION['pending_pw_reset_token'],
+          'username' => $_SESSION['pending_mailcow_cc_username']
+        ));
+        unset($_SESSION['pending_pw_reset_token']);
+        unset($_SESSION['pending_pw_new_password']);
+        unset($_SESSION['pending_mailcow_cc_username']);
+        unset($_SESSION['pending_tfa_methods']);
+
+        header("Location: /");
+        die();
+      } else {
+        set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
+        $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
+        $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+          header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
+          die();
+        } else {
+          header("Location: /user");
+          die();
+        }
+      }
+    }
+  }
+
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+}
+
+if (isset($_GET["cancel_tfa_login"])) {
+  unset($_SESSION['pending_pw_reset_token']);
+  unset($_SESSION['pending_pw_new_password']);
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
+
+  header("Location: /");
+}
+
+if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
+  $login_user = strtolower(trim($_POST["login_user"]));
+  $as = check_login($login_user, $_POST["pass_user"], false, array("role" => "user"));
+
+  if ($as == "user") {
+    set_user_loggedin_session($login_user);
+    $http_parameters = explode('&', $_SESSION['index_query_string']);
+    unset($_SESSION['index_query_string']);
+    if (in_array('mobileconfig', $http_parameters)) {
+        if (in_array('only_email', $http_parameters)) {
+            header("Location: /mobileconfig.php?only_email");
+            die();
+        }
+        header("Location: /mobileconfig.php");
+        die();
+    }
+
+    $user_details = mailbox("get", "mailbox_details", $login_user);
+    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+      header("Location: /SOGo/so/{$login_user}");
+      die();
+    } else {
+      header("Location: /user");
+      die();
+    }
+	}
+	elseif ($as != "pending") {
+    unset($_SESSION['pending_mailcow_cc_username']);
+    unset($_SESSION['pending_mailcow_cc_role']);
+    unset($_SESSION['pending_tfa_methods']);
+		unset($_SESSION['mailcow_cc_username']);
+		unset($_SESSION['mailcow_cc_role']);
+	}
+}
+?>
diff --git a/data/web/index.php b/data/web/index.php
index 0282e4835..1e91cb785 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -1,5 +1,6 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.user.inc.php';
 
 if (isset($_SESSION['mailcow_cc_role']) && isset($_SESSION['oauth2_request'])) {
   $oauth2_request = $_SESSION['oauth2_request'];
@@ -7,14 +8,6 @@ if (isset($_SESSION['mailcow_cc_role']) && isset($_SESSION['oauth2_request'])) {
   header('Location: ' . $oauth2_request);
   exit();
 }
-elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
-  header('Location: /debug');
-  exit();
-}
-elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
-  header('Location: /mailbox');
-  exit();
-}
 elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
   $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
   $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
@@ -25,6 +18,14 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   }
   exit();
 }
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
+  header('Location: /admin/dashboard');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
 
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
 $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
@@ -36,7 +37,7 @@ if ($iam_provider){
 }
 
 
-$template = 'index.twig';
+$template = 'user_index.twig';
 $template_data = [
   'oauth2_request' => @$_SESSION['oauth2_request'],
   'is_mobileconfig' => str_contains($_SESSION['index_query_string'], 'mobileconfig'),
diff --git a/data/web/js/site/debug.js b/data/web/js/site/dashboard.js
similarity index 100%
rename from data/web/js/site/debug.js
rename to data/web/js/site/dashboard.js
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index 0c9ffb3d4..3c21c18b0 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -939,7 +939,7 @@ jQuery(function($){
               '<a href="#" data-action="delete_selected" data-id="single-mailbox" data-api-url="delete/mailbox" data-item="' + encodeURIComponent(item.username) + '" class="btn btn-sm btn-xs-lg btn-xs-half btn-danger"><i class="bi bi-trash"></i> ' + lang.remove + '</a>' +
               '<a href="/index.php?duallogin=' + encodeURIComponent(item.username) + '" class="login_as btn btn-sm btn-xs-lg btn-xs-half btn-success"><i class="bi bi-person-fill"></i> Login</a>';
               if (ALLOW_ADMIN_EMAIL_LOGIN) {
-                item.action += '<a href="/sogo-auth.php?login=' + encodeURIComponent(item.username) + '" class="login_as btn btn-sm btn-xs-lg btn-xs-half btn-primary" target="_blank"><i class="bi bi-envelope-fill"></i> SOGo</a>';
+                item.action += '<a href="/sogo-auth.php?login=' + encodeURIComponent(item.username) + '" class="login_as btn btn-sm btn-xs-lg btn-xs-half btn-primary"><i class="bi bi-envelope-fill"></i> SOGo</a>';
               }
               item.action += '</div>';
             }
diff --git a/data/web/reset-password.php b/data/web/reset-password.php
index a0225dc6a..7544d40c3 100644
--- a/data/web/reset-password.php
+++ b/data/web/reset-password.php
@@ -2,11 +2,11 @@
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
 
 if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
-  header('Location: /debug');
+  header('Location: /admin/dashboard');
   exit();
 }
 elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
-  header('Location: /mailbox');
+  header('Location: /domainadmin/mailbox');
   exit();
 }
 elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
diff --git a/data/web/templates/admin_index.twig b/data/web/templates/admin_index.twig
new file mode 100644
index 000000000..4127a6a21
--- /dev/null
+++ b/data/web/templates/admin_index.twig
@@ -0,0 +1,91 @@
+{% extends 'base.twig' %}
+
+{% block navbar %}{% endblock %}
+
+{% block content %}
+<div class="row mb-4" style="margin-top: 60px">
+  <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
+    <div class="card">
+      <div class="card-header d-flex align-items-center">
+        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login }}
+        <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
+          <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
+          <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
+        </div>
+      </div>
+      <div class="card-body">
+        <div class="text-center mailcow-logo mb-4">
+          <img class="main-logo" src="{{ logo|default('/img/cow_mailcow.svg') }}" alt="mailcow">
+          <img class="main-logo-dark" src="{{ logo_dark|default('/img/cow_mailcow.svg') }}" alt="mailcow-logo-dark">
+        </div>
+        {% if ui_texts.ui_announcement_text and ui_texts.ui_announcement_active %}
+        <div class="my-4 alert alert-{{ ui_texts.ui_announcement_type }} rot-enc ui-announcement-alert">{{ ui_texts.ui_announcement_text|rot13 }}</div>
+        {% endif %}
+        <form method="post" autofill="off">
+          <div class="d-flex mt-3">
+            <label class="visually-hidden" for="login_user">{{ lang.login.username }}</label>
+            <div class="input-group">
+              <div class="input-group-text"><i class="bi bi-person-fill"></i></div>
+              <input name="login_user" autocorrect="off" autocapitalize="none" type="text" id="login_user" class="form-control" placeholder="{{ lang.login.username }}" required="" autofocus="" autocomplete="username">
+            </div>
+          </div>
+          <div class="d-flex mt-3">
+            <label class="visually-hidden" for="pass_user">{{ lang.login.password }}</label>
+            <div class="input-group">
+              <div class="input-group-text"><i class="bi bi-lock-fill"></i></div>
+              <input name="pass_user" type="password" id="pass_user" class="form-control" placeholder="{{ lang.login.password }}" required="" autocomplete="current-password">
+            </div>
+          </div>
+          <div class="d-flex justify-content-between mt-4" style="position: relative">
+            <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>            <div class="d-grid d-sm-block">
+            <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="btn btn-secondary ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+              <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
+            </button>
+            <ul class="dropdown-menu ms-auto login">
+              {% for key, val in available_languages %}
+                <li>
+                  <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
+                    <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
+                  </a>
+                </li>
+              {% endfor %}
+            </ul>
+            </div>
+          </div>
+        </form>
+        <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
+        <div class="d-flex flex-column align-items-center">
+          <a class="btn btn-xs-lg btn-secondary w-100" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
+        </div>
+        {% if login_delay %}
+        <p><div class="my-4 alert alert-info">{{ lang.login.delayed|format(login_delay) }}</b></div></p>
+        {% endif %}
+        <div class="my-4" id="fido2-alerts"></div>
+        {% if (mailcow_apps or app_links) and not hide_mailcow_apps %}
+        <legend><i class="bi bi-link-45deg"></i> {{ ui_texts.apps_name|raw }}</legend><hr />
+        <div class="my-2 d-grid gap-2 d-sm-block apps">
+          {% for app in mailcow_apps %}
+            {% if not app.hide %}
+              {% if not skip_sogo or not is_uri('SOGo', app.link) %}
+              <div class="m-2">
+                <a href="{{ app.link }}" role="button" {% if app.description %}title="{{ app.description }}"{% endif %} class="btn btn-primary btn-block">{{ app.name }}</a>
+              </div>
+            {% endif %}
+          {% endif %}
+          {% endfor %}
+          {% for row in app_links %}
+            {% for key, val in row %}
+            {% if not val.hide %}
+              <div class="m-2">
+                <a href="{{ val.link }}" role="button" class="btn btn-primary btn-block">{{ key }}</a>
+              </div>
+            {% endif %}
+            {% endfor %}
+          {% endfor %}
+        </div>
+        {% endif %}
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock %}
diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 2634574d8..4d0a30251 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -66,27 +66,36 @@
         <li class="nav-item dropdown">
           <a href="#" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false">{{ lang.header.mailcow_system }}</a>
           <ul class="dropdown-menu">
-            <li><a href="/debug" class="dropdown-item {% if is_uri('debug') %}active{% endif %}">{{ lang.header.debug }}</a></li>
-            <li><a href="/admin" class="dropdown-item {% if is_uri('admin') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
+            <li><a href="/admin/dashboard" class="dropdown-item {% if is_uri('dashboard') %}active{% endif %}">{{ lang.header.debug }}</a></li>
+            <li><a href="/admin/system" class="dropdown-item {% if is_uri('system') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
+          </ul>
+        </li>
+        <li class="nav-item dropdown">
+          <a href="#" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false">{{ lang.header.email }}</a>
+          <ul class="dropdown-menu">
+            <li><a href="/admin/mailbox" class="dropdown-item {% if is_uri('mailbox') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
+            <li><a href="/quarantine" class="dropdown-item {% if is_uri('quarantine') %}active{% endif %}">{{ lang.header.quarantine }}</a></li>
+            <li><a href="/admin/queue" class="dropdown-item {% if is_uri('queue') %}active{% endif %}">{{ lang.queue.queue_manager }}</a></li>
+            <li><a href="#" class="dropdown-item" data-bs-toggle="modal" data-container="sogo-mailcow" data-bs-target="#RestartContainer">{{ lang.header.restart_sogo }}</a></li>
           </ul>
         </li>
         {% endif %}
-        {% if mailcow_cc_role != 'admin' %}
+        {% if mailcow_cc_role == 'domainadmin' %}
+        <li class="nav-item dropdown">
+          <a href="/domainadmin/user" class="nav-link" role="button" aria-expanded="false">{{ lang.header.user_settings }}</a>
+        </li>
+        {% elseif mailcow_cc_role == 'user' %}
         <li class="nav-item dropdown">
           <a href="/user" class="nav-link" role="button" aria-expanded="false">{{ lang.header.user_settings }}</a>
         </li>
         {% endif %}
 
-        {% if mailcow_cc_role == 'admin' or mailcow_cc_role == 'domainadmin' %}
+        {% if mailcow_cc_role == 'domainadmin' %}
         <li class="nav-item dropdown">
           <a href="#" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false">{{ lang.header.email }}</a>
           <ul class="dropdown-menu">
-            <li><a href="/mailbox" class="dropdown-item {% if is_uri('mailbox') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
+            <li><a href="/domainadmin/mailbox" class="dropdown-item {% if is_uri('mailbox') %}active{% endif %}">{{ lang.header.mailcow_config }}</a></li>
             <li><a href="/quarantine" class="dropdown-item {% if is_uri('quarantine') %}active{% endif %}">{{ lang.header.quarantine }}</a></li>
-            {% if mailcow_cc_role == 'admin' %}
-            <li><a href="/queue" class="dropdown-item {% if is_uri('queue') %}active{% endif %}">{{ lang.queue.queue_manager }}</a></li>
-            <li><a href="#" class="dropdown-item" data-bs-toggle="modal" data-container="sogo-mailcow" data-bs-target="#RestartContainer">{{ lang.header.restart_sogo }}</a></li>
-            {% endif %}
           </ul>
         </li>
         {% endif %}
@@ -246,7 +255,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
     $(".totp-authenticator-selection").click(function(){
       $(".totp-authenticator-selection").removeClass("active");
       $(this).addClass("active");
-      
+
       var id = $(this).children('input').first().val();
       $("#totp_selected_id").val(id);
 
@@ -255,7 +264,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
     if ($('.totp-authenticator-selection').length == 1 &&
         $('#pending_tfa_tab_yubi_otp').length == 0 &&
         $('.webauthn-authenticator-selection').length == 0){
-      
+
       // select default if only one authenticator exists
       $('.totp-authenticator-selection').addClass("active");
 
@@ -268,7 +277,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
     $('#pending_tfa_tab_totp').on('shown.bs.tab', function() {
       // autofocus
       setTimeout(function() { $("#collapseTotpTFA").find('input[name="token"]').focus(); }, 200);
-    });    
+    });
     // validate Yubi OTP tfa
     if ($('.webauthn-authenticator-selection').length == 0){
       // autofocus
@@ -287,10 +296,10 @@ function recursiveBase64StrToArrayBuffer(obj) {
     $(".webauthn-authenticator-selection").click(function(){
       $(".webauthn-authenticator-selection").removeClass("active");
       $(this).addClass("active");
-      
+
       var id = $(this).children('input').first().val();
       $("#webauthn_selected_id").val(id);
-      
+
       var webauthn_status_auth = document.getElementById('webauthn_status_auth');
       webauthn_status_auth.style.setProperty('display', 'flex', 'important');
       var webauthn_return_code = document.getElementById('webauthn_return_code');
@@ -313,7 +322,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
           console.log(json);
           if (json.success === false) throw new Error();
           if (json.type === "error") throw new Error(json.msg);
-      
+
           recursiveBase64StrToArrayBuffer(json);
           return json;
         }).then(getCredentialArgs => {
@@ -340,7 +349,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
           webauthn_return_code.style.setProperty('display', 'block', 'important');
           webauthn_return_code.innerHTML = lang_tfa.error_code + ': ' + err + ' ' + lang_tfa.reload_retry;
         });
-      } 
+      }
     });
     $('#ConfirmTFAModal').on('hidden.bs.modal', function(){
       // cancel pending login
@@ -551,7 +560,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
         Version: <a href="{{ mailcow_info.git_project_url }}/releases/tag/{{ mailcow_info.version_tag }}" target="_blank">{{ mailcow_info.version_tag }}
     </a>
   </span>
-  {% endif %}  
+  {% endif %}
   {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "nightly" and mailcow_info.version_tag|default %}
   <span class="version">
     🛠️🐮 + 🐋 = 💕
diff --git a/data/web/templates/debug.twig b/data/web/templates/dashboard.twig
similarity index 99%
rename from data/web/templates/debug.twig
rename to data/web/templates/dashboard.twig
index c148856cb..8f8c2d99f 100644
--- a/data/web/templates/debug.twig
+++ b/data/web/templates/dashboard.twig
@@ -42,8 +42,8 @@
                 <img class="main-logo-dark img-responsive my-auto m-auto" alt="mailcow-logo-dark" style="max-width: 85%; max-height: 85%;" src="{{ logo_dark|default('/img/cow_mailcow.svg') }}">
               </div>
               <div class="col-sm-12 col-md-8">
-                <div class="table-responsive" style="margin-top: 10px;">
-                  <table class="table table-striped table-condensed w-100">
+                <div style="margin-top: 10px;">
+                  <table class="table table-striped w-100">
                     <tbody>
                       <tr>
                         <td>Hostname</td>
diff --git a/data/web/templates/domainadmin_index.twig b/data/web/templates/domainadmin_index.twig
new file mode 100644
index 000000000..4127a6a21
--- /dev/null
+++ b/data/web/templates/domainadmin_index.twig
@@ -0,0 +1,91 @@
+{% extends 'base.twig' %}
+
+{% block navbar %}{% endblock %}
+
+{% block content %}
+<div class="row mb-4" style="margin-top: 60px">
+  <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
+    <div class="card">
+      <div class="card-header d-flex align-items-center">
+        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login }}
+        <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
+          <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
+          <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
+        </div>
+      </div>
+      <div class="card-body">
+        <div class="text-center mailcow-logo mb-4">
+          <img class="main-logo" src="{{ logo|default('/img/cow_mailcow.svg') }}" alt="mailcow">
+          <img class="main-logo-dark" src="{{ logo_dark|default('/img/cow_mailcow.svg') }}" alt="mailcow-logo-dark">
+        </div>
+        {% if ui_texts.ui_announcement_text and ui_texts.ui_announcement_active %}
+        <div class="my-4 alert alert-{{ ui_texts.ui_announcement_type }} rot-enc ui-announcement-alert">{{ ui_texts.ui_announcement_text|rot13 }}</div>
+        {% endif %}
+        <form method="post" autofill="off">
+          <div class="d-flex mt-3">
+            <label class="visually-hidden" for="login_user">{{ lang.login.username }}</label>
+            <div class="input-group">
+              <div class="input-group-text"><i class="bi bi-person-fill"></i></div>
+              <input name="login_user" autocorrect="off" autocapitalize="none" type="text" id="login_user" class="form-control" placeholder="{{ lang.login.username }}" required="" autofocus="" autocomplete="username">
+            </div>
+          </div>
+          <div class="d-flex mt-3">
+            <label class="visually-hidden" for="pass_user">{{ lang.login.password }}</label>
+            <div class="input-group">
+              <div class="input-group-text"><i class="bi bi-lock-fill"></i></div>
+              <input name="pass_user" type="password" id="pass_user" class="form-control" placeholder="{{ lang.login.password }}" required="" autocomplete="current-password">
+            </div>
+          </div>
+          <div class="d-flex justify-content-between mt-4" style="position: relative">
+            <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>            <div class="d-grid d-sm-block">
+            <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="btn btn-secondary ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+              <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
+            </button>
+            <ul class="dropdown-menu ms-auto login">
+              {% for key, val in available_languages %}
+                <li>
+                  <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
+                    <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
+                  </a>
+                </li>
+              {% endfor %}
+            </ul>
+            </div>
+          </div>
+        </form>
+        <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
+        <div class="d-flex flex-column align-items-center">
+          <a class="btn btn-xs-lg btn-secondary w-100" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
+        </div>
+        {% if login_delay %}
+        <p><div class="my-4 alert alert-info">{{ lang.login.delayed|format(login_delay) }}</b></div></p>
+        {% endif %}
+        <div class="my-4" id="fido2-alerts"></div>
+        {% if (mailcow_apps or app_links) and not hide_mailcow_apps %}
+        <legend><i class="bi bi-link-45deg"></i> {{ ui_texts.apps_name|raw }}</legend><hr />
+        <div class="my-2 d-grid gap-2 d-sm-block apps">
+          {% for app in mailcow_apps %}
+            {% if not app.hide %}
+              {% if not skip_sogo or not is_uri('SOGo', app.link) %}
+              <div class="m-2">
+                <a href="{{ app.link }}" role="button" {% if app.description %}title="{{ app.description }}"{% endif %} class="btn btn-primary btn-block">{{ app.name }}</a>
+              </div>
+            {% endif %}
+          {% endif %}
+          {% endfor %}
+          {% for row in app_links %}
+            {% for key, val in row %}
+            {% if not val.hide %}
+              <div class="m-2">
+                <a href="{{ val.link }}" role="button" class="btn btn-primary btn-block">{{ key }}</a>
+              </div>
+            {% endif %}
+            {% endfor %}
+          {% endfor %}
+        </div>
+        {% endif %}
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock %}
diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index 5c90bedf5..a7e025431 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -20,11 +20,11 @@
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </button>
               {% elseif dual_login %}
-                <a target="_blank" href="/sogo-auth.php?login={{ mailcow_cc_username  }}" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
+                <a href="/sogo-auth.php?login={{ mailcow_cc_username  }}" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </a>
               {% else %}
-                <a target="_blank" href="/SOGo/so" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
+                <a href="/SOGo/so" role="button" class="btn btn-primary btn-lg btn-block btn-xs-lg w-100">
                   {{ lang.user.open_webmail_sso }} <i class="bi bi-arrow-right"></i>
                 </a>
               {% endif %}
diff --git a/data/web/templates/index.twig b/data/web/templates/user_index.twig
similarity index 100%
rename from data/web/templates/index.twig
rename to data/web/templates/user_index.twig
diff --git a/data/web/user.php b/data/web/user.php
index 19aafdddc..7c34ba953 100644
--- a/data/web/user.php
+++ b/data/web/user.php
@@ -1,29 +1,8 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.user.inc.php';
 
-  /*
-  / DOMAIN ADMIN
-  */
-
-  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
-  $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
-  $tfa_data = get_tfa();
-  $fido2_data = fido2(array("action" => "get_friendly_names"));
-  $username = $_SESSION['mailcow_cc_username'];
-
-  $template = 'domainadmin.twig';
-  $template_data = [
-    'acl' => $_SESSION['acl'],
-    'acl_json' => json_encode($_SESSION['acl']),
-    'user_spam_score' => mailbox('get', 'spam_score', $username),
-    'tfa_data' => $tfa_data,
-    'fido2_data' => $fido2_data,
-    'lang_user' => json_encode($lang['user']),
-    'lang_datatables' => json_encode($lang['datatables']),
-  ];
-}
-elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
 
   /*
   / USER
@@ -95,6 +74,14 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
     'lang_datatables' => json_encode($lang['datatables']),
   ];
 }
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
+  header('Location: /admin/dashboard');
+  exit();
+}
+elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'domainadmin') {
+  header('Location: /domainadmin/mailbox');
+  exit();
+}
 else {
   header('Location: /');
   exit();

From f0016eeecdaa74ad28d3e63914895d05f43c8196 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Feb 2025 14:19:20 +0100
Subject: [PATCH 168/378] [Web] Add german translation for idp settings

---
 data/web/lang/lang.de-de.json                 | 37 +++++++++++++++++++
 data/web/lang/lang.en-gb.json                 |  3 ++
 .../admin/tab-config-identity-provider.twig   |  8 ++--
 data/web/templates/admin_index.twig           |  2 +-
 data/web/templates/domainadmin_index.twig     |  2 +-
 data/web/templates/user_index.twig            |  2 +-
 6 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 782e4e689..8e164b444 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -206,6 +206,39 @@
         "help_text": "Hilfstext unter Login-Maske (HTML ist zulässig)",
         "host": "Host",
         "html": "HTML",
+        "iam": "Identity Provider",
+        "iam_attribute_field": "Attribut Feld",
+        "iam_authorize_url": "Authorization Endpunkt",
+        "iam_auth_flow": "Authentication Flow",
+        "iam_auth_flow_info": "Zusätzlich zum Authorization Code Flow (dem Standard-Flow in Keycloak), der für Single-Sign-On-Logins verwendet wird, unterstützt mailcow auch den Authentication Flow mit direkten Anmeldeinformationen. Der Mailpassword Flow versucht, die Anmeldedaten des Benutzers über die Keycloak Admin REST API zu validieren. Dabei ruft mailcow das gehashte Passwort aus dem <code>mailcow_password</code> Attribut ab, das in Keycloak zugewiesen ist.",
+        "iam_basedn": "Base DN",
+        "iam_client_id": "Client ID",
+        "iam_client_secret": "Client Secret",
+        "iam_client_scopes": "Client Scopes",
+        "iam_description": "Konfiguriere einen externen Identity Provider für die Authentifizierung<br>Die Mailboxen der Benutzer werden bei ihrer ersten Anmeldung automatisch erstellt, vorausgesetzt, dass ein Attribut Mapping festgelegt wurde.",
+        "iam_extra_permission": "Damit die folgenden Einstellungen funktionieren, benötigt der mailcow Client in Keycloak ein <code>Service-Konto</code> und die Berechtigung <code>view-users</code>.",
+        "iam_host": "Host",
+        "iam_host_info": "Gib einen oder mehrere LDAP-Hosts ein, getrennt durch Kommas.",
+        "iam_import_users": "Import Users",
+        "iam_mapping": "Attribut Mapping",
+        "iam_bindpass": "Bind Passwort",
+        "iam_periodic_full_sync": "Periodic Full Sync",
+        "iam_port": "Port",
+        "iam_realm": "Realm",
+        "iam_redirect_url": "Redirect Url",
+        "iam_rest_flow": "Mailpassword Flow",
+        "iam_server_url": "Server Url",
+        "iam_sso": "Single Sign-On",
+        "iam_sync_interval": "Sync / Import interval (min)",
+        "iam_test_connection": "Verbindung Testen",
+        "iam_token_url": "Token Endpunkt",
+        "iam_userinfo_url": "User info Endpunkt",
+        "iam_username_field": "Username Feld",
+        "iam_binddn": "Bind DN",
+        "iam_use_ssl": "Benutze SSL",
+        "iam_use_tls": "Benutze TLS",
+        "iam_version": "Version",
+        "ignore_ssl_error": "Ignoriere SSL Errors",
         "import": "Importieren",
         "import_private_key": "Private Key importieren",
         "in_use_by": "Verwendet von",
@@ -403,6 +436,7 @@
         "goto_empty": "Eine Alias-Adresse muss auf mindestens eine gültige Ziel-Adresse zeigen",
         "goto_invalid": "Ziel-Adresse %s ist ungültig",
         "ham_learn_error": "Ham Lernfehler: %s",
+        "iam_test_connection": "Verbindung fehlgeschlagen",
         "imagick_exception": "Fataler Bildverarbeitungsfehler",
         "img_dimensions_exceeded": "Grafik überschreitet die maximale Bildgröße",
         "img_invalid": "Grafik konnte nicht validiert werden",
@@ -766,6 +800,9 @@
         "forgot_password": "> Passwort vergessen?",
         "invalid_pass_reset_token": "Der Rücksetz-Token für das Passwort ist ungültig oder abgelaufen.<br>Bitte fordern Sie einen neuen Link zur Passwortwiederherstellung an.",
         "login": "Anmelden",
+        "login_user": "Benutzer Anmelden",
+        "login_dadmin": "Domain-Administrator Anmelden",
+        "login_admin": "Administrator Anmelden",
         "mobileconfig_info": "Bitte als Mailbox-Benutzer einloggen, um das Verbindungsprofil herunterzuladen.",
         "new_password": "Neues Passwort",
         "new_password_confirm": "Neues Passwort bestätigen",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 6d3580e16..362262bff 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -804,6 +804,9 @@
         "forgot_password": "> Forgot Password?",
         "invalid_pass_reset_token": "The reset password token is invalid or has expired.<br>Please request a new password reset link.",
         "login": "Login",
+        "login_user": "User Login",
+        "login_dadmin": "Domain-Administrator Login",
+        "login_admin": "Administrator Login",
         "mobileconfig_info": "Please login as mailbox user to download the requested Apple connection profile.",
         "new_password": "New Password",
         "new_password_confirm": "Confirm new password",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index e2cea7fa2..3381fe4d6 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -84,7 +84,7 @@
             </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="row px-2 align-items-center">
-                <span class="col-5 p-0 pe-2">Attribute</span>
+                <span class="col-5 p-0 pe-2">{{ lang.user.attribute }}</span>
                 <span class="col-5 p-0 pe-2">{{ lang.mailbox.template }}</span>
                 <div class="col-2 p-0 d-flex">
                   <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_rolemap_add_keycloak"><i class="bi bi-plus-lg"></i></button>
@@ -274,8 +274,8 @@
             </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="row px-2 align-items-center">
-                <span class="col-5 p-0 pe-2">Attribute</span>
-                <span class="col-5 p-0 pe-2">Template</span>
+                <span class="col-5 p-0 pe-2">{{ lang.user.attribute }}</span>
+                <span class="col-5 p-0 pe-2">{{ lang.mailbox.template }}</span>
                 <div class="col-2 p-0 d-flex">
                   <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_rolemap_add_generic"><i class="bi bi-plus-lg"></i></button>
                 </div>
@@ -454,7 +454,7 @@
             </div>
             <div class="col-12 col-md-9 col-lg-4">
               <div class="row px-2 align-items-center">
-                <span class="col-5 p-0 pe-2">Attribute</span>
+                <span class="col-5 p-0 pe-2">{{ lang.user.attribute }}</span>
                 <span class="col-5 p-0 pe-2">{{ lang.mailbox.template }}</span>
                 <div class="col-2 p-0 d-flex">
                   <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_rolemap_add_ldap"><i class="bi bi-plus-lg"></i></button>
diff --git a/data/web/templates/admin_index.twig b/data/web/templates/admin_index.twig
index 4127a6a21..93a892842 100644
--- a/data/web/templates/admin_index.twig
+++ b/data/web/templates/admin_index.twig
@@ -7,7 +7,7 @@
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
     <div class="card">
       <div class="card-header d-flex align-items-center">
-        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login }}
+        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login_admin }}
         <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
           <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
           <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
diff --git a/data/web/templates/domainadmin_index.twig b/data/web/templates/domainadmin_index.twig
index 4127a6a21..41a9f2597 100644
--- a/data/web/templates/domainadmin_index.twig
+++ b/data/web/templates/domainadmin_index.twig
@@ -7,7 +7,7 @@
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
     <div class="card">
       <div class="card-header d-flex align-items-center">
-        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login }}
+        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login_dadmin }}
         <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
           <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
           <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
diff --git a/data/web/templates/user_index.twig b/data/web/templates/user_index.twig
index 07274e6bd..950482c9a 100644
--- a/data/web/templates/user_index.twig
+++ b/data/web/templates/user_index.twig
@@ -7,7 +7,7 @@
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
     <div class="card">
       <div class="card-header d-flex align-items-center">
-        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login }}
+        <i class="bi bi-person-fill me-2"></i> {{ lang.login.login_user }}
         <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
           <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
           <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">

From 55dcae4a01998b3d9ed861a3f833b6b4df2567e0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Feb 2025 15:05:43 +0100
Subject: [PATCH 169/378] [Web] Fix Generic-OIDC connection test

---
 data/web/inc/functions.inc.php | 30 ++++++++++++++++++++++++------
 data/web/lang/lang.de-de.json  |  1 +
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index a434582c5..7969c6bb4 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2337,12 +2337,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
 
       switch ($_data['authsource']) {
         case 'keycloak':
-        case 'generic-oidc':
-          if ($_data['authsource'] == 'keycloak') {
-            $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
-          } else {
-            $url = $_data['token_url'];
-          }
+          $url = "{$_data['server_url']}/realms/{$_data['realm']}/protocol/openid-connect/token";
           $req = http_build_query(array(
             'grant_type'    => 'client_credentials',
             'client_id'     => $_data['client_id'],
@@ -2355,6 +2350,29 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
           curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
           curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+          if ($_data['ignore_ssl_error'] == "1"){
+            curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+            curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
+          }
+          $res = curl_exec($curl);
+          $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+          curl_close ($curl);
+
+          if ($code != 200) {
+            return false;
+          }
+        break;
+        case 'generic-oidc':
+          $url = $_data['token_url'];
+          $curl = curl_init();
+          curl_setopt($curl, CURLOPT_URL, $url);
+          curl_setopt($curl, CURLOPT_TIMEOUT, 7);
+          curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+          curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "OPTIONS");
+          if ($_data['ignore_ssl_error'] == "1"){
+            curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+            curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
+          }
           $res = curl_exec($curl);
           $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
           curl_close ($curl);
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 8e164b444..9c54d3fc8 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -1114,6 +1114,7 @@
         "forwarding_host_removed": "Weiterleitungs-Host %s wurde entfernt",
         "global_filter_written": "Filterdatei wurde erfolgreich geschrieben",
         "hash_deleted": "Hash wurde gelöscht",
+        "iam_test_connection": "Verbindung erfolgreich",
         "ip_check_opt_in_modified": "IP Check wurde erfolgreich gespeichert",
         "item_deleted": "Objekt %s wurde entfernt",
         "item_released": "Objekt %s freigegeben",

From 54728bf7809dbeb334d526421857647fe092bff9 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 11 Feb 2025 14:40:38 +0100
Subject: [PATCH 170/378] [Dovecot] Fix create sogo-sso.conf

---
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 7 +++++++
 docker-compose.yml                            | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index 8ab57d20b..85a0bab06 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -206,6 +206,13 @@ RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
 # Creating additional creds file for SOGo notify crons (calendars, etc)
 echo -n ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/cron.creds
+cat <<EOF > /etc/dovecot/sogo-sso.conf
+# Autogenerated by mailcow
+passdb {
+  driver = static
+  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
+}
+EOF
 
 if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
   # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
diff --git a/docker-compose.yml b/docker-compose.yml
index e87dce8f5..a37c6982f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -246,7 +246,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:nightly-20250123
+      image: mailcow/dovecot:nightly-20250211
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From b77ff2f51ce3491beb5aee30434619ddc79aba73 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Feb 2025 09:47:59 +0100
Subject: [PATCH 171/378] Add switch to legacy version

---
 data/web/templates/base.twig |  8 ++++++++
 generate_config.sh           |  8 ++++++++
 update.sh                    | 37 ++++++++++++++++++++++++++++++++++--
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 4d0a30251..87bdddab5 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -569,6 +569,14 @@ function recursiveBase64StrToArrayBuffer(obj) {
     <span style="text-align:right;display:block;">Build: {{ mailcow_info.git_commit_date }}</span>
   </span>
   {% endif %}
+  {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "legacy" and mailcow_info.version_tag|default %}
+  <span class="version">
+    🛠️🐮 + 🐋 = 💕
+        Legacy: <a href="{{ mailcow_info.git_project_url }}/commit/{{ mailcow_info.git_commit }}" target="_blank">{{ mailcow_info.version_tag }}
+    </a><br>
+    <span style="text-align:right;display:block;">Build: {{ mailcow_info.git_commit_date }}</span>
+  </span>
+  {% endif %}
 </div>
 </body>
 </html>
diff --git a/generate_config.sh b/generate_config.sh
index 052764a6b..e9a82ff5a 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -181,11 +181,15 @@ if [[ ${SKIP_BRANCH} != y ]]; then
   echo "Available Branches:"
   echo "- master branch (stable updates) | default, recommended [1]"
   echo "- nightly branch (unstable updates, testing) | not-production ready [2]"
+  echo "- legacy branch (supported until February 2026) | deprecated, security updates only [3]"
   sleep 1
 
   while [ -z "${MAILCOW_BRANCH}" ]; do
     read -r -p  "Choose the Branch with it's number [1/2] " branch
     case $branch in
+      [3])
+        MAILCOW_BRANCH="legacy"
+        ;;
       [2])
         MAILCOW_BRANCH="nightly"
         ;;
@@ -534,6 +538,10 @@ case ${git_branch} in
     mailcow_git_version=$(git rev-parse --short $(git rev-parse @{upstream}))
     mailcow_last_git_version=""
     ;;
+  legacy)
+    mailcow_git_version=$(git rev-parse --short $(git rev-parse @{upstream}))
+    mailcow_last_git_version=""
+    ;;
   *)
     mailcow_git_version=$(git rev-parse --short HEAD)
     mailcow_last_git_version=""
diff --git a/update.sh b/update.sh
index c11179c5e..985d2cd1c 100755
--- a/update.sh
+++ b/update.sh
@@ -845,8 +845,12 @@ while (($#)); do
       echo -e "\e[32mRunning in Developer mode...\e[0m"
       DEV=y
     ;;
+    --legacy)
+      CURRENT_BRANCH="$(cd "${SCRIPT_DIR}"; git rev-parse --abbrev-ref HEAD)"
+      NEW_BRANCH="legacy"
+    ;;
     --help|-h)
-    echo './update.sh [-c|--check, --check-tags, --ours, --gc, --nightly, --prefetch, --skip-start, --skip-ping-check, --stable, -f|--force, -d|--dev, -h|--help]
+    echo './update.sh [-c|--check, --check-tags, --ours, --gc, --nightly, --prefetch, --skip-start, --skip-ping-check, --stable, --legacy, -f|--force, -d|--dev, -h|--help]
 
   -c|--check           -   Check for updates and exit (exit codes => 0: update available, 3: no updates)
   --check-tags         -   Check for newer tags and exit (exit codes => 0: newer tag available, 3: no newer tag)
@@ -856,7 +860,8 @@ while (($#)); do
   --prefetch           -   Only prefetch new images and exit (useful to prepare updates)
   --skip-start         -   Do not start mailcow after update
   --skip-ping-check    -   Skip ICMP Check to public DNS resolvers (Use it only if you'\''ve blocked any ICMP Connections to your mailcow machine)
-  --stable             -   Switch your mailcow updates to the stable (master) branch. Default unless you changed it with --nightly.
+  --stable             -   Switch your mailcow updates to the stable (master) branch. Default unless you changed it with --nightly or --legacy.
+  --legacy             -   Switch your mailcow updates to the legacy branch. The legacy branch will only recieve security updates until February 2026.
   -f|--force           -   Force update, do not ask questions
   -d|--dev             -   Enables Developer Mode (No Checkout of update.sh for tests)
 '
@@ -1262,6 +1267,11 @@ if ! [ "$NEW_BRANCH" ]; then
     sleep 1
     echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m"
 
+  elif [ "${BRANCH}" == "legcy" ]; then
+    echo -e "\e[31mYou are receiving legacy updates. The legacy branch will only recieve security updates until February 2026.\e[0m"
+    sleep 1
+    echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m"
+
   else
     echo -e "\e[33mYou are receiving updates from an unsupported branch.\e[0m"
     sleep 1
@@ -1324,6 +1334,29 @@ elif [ "$NEW_BRANCH" == "nightly" ] && [ "$CURRENT_BRANCH" != "nightly" ]; then
   fi
   git fetch origin
   git checkout -f "${BRANCH}"
+elif [ "$NEW_BRANCH" == "legacy" ] && [ "$CURRENT_BRANCH" != "legacy" ]; then
+  echo -e "\e[33mYou are about to switch your mailcow Updates to the legacy branch.\e[0m"
+  sleep 1
+  echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m"
+  sleep 1
+  echo -e "\e[31mWARNING: A switch to stable or nightly is possible any time.\e[0m"
+  read -r -p "Are you sure you that want to continue upgrading to the legacy branch? [y/N] " response
+  if [[ ! "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    echo "OK. If you prepared yourself for that please run the update.sh Script with the --legacy parameter again to trigger this process here."
+    exit 0
+  fi
+  BRANCH=$NEW_BRANCH
+  DIFF_DIRECTORY=update_diffs
+  DIFF_FILE=${DIFF_DIRECTORY}/diff_before_upgrade_to_legacy_$(date +"%Y-%m-%d-%H-%M-%S")
+  mv diff_before_upgrade* ${DIFF_DIRECTORY}/ 2> /dev/null
+  if ! git diff-index --quiet HEAD; then
+    echo -e "\e[32mSaving diff to ${DIFF_FILE}...\e[0m"
+    mkdir -p ${DIFF_DIRECTORY}
+    git diff "${BRANCH}" --stat > "${DIFF_FILE}"
+    git diff "${BRANCH}" >> "${DIFF_FILE}"
+  fi
+  git fetch origin
+  git checkout -f "${BRANCH}"
 fi
 
 if [ ! "$DEV" ]; then

From 8d0c03b2fcaea088e1ece18faccde9a2d404a13d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Feb 2025 10:39:41 +0100
Subject: [PATCH 172/378] small adjustment for legacy version

---
 data/web/templates/base.twig | 2 +-
 generate_config.sh           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 87bdddab5..eb8d3711a 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -571,7 +571,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
   {% endif %}
   {% if mailcow_cc_username and mailcow_info.mailcow_branch|lower == "legacy" and mailcow_info.version_tag|default %}
   <span class="version">
-    🛠️🐮 + 🐋 = 💕
+    ⚰️🐮 + 🐋 = 💕
         Legacy: <a href="{{ mailcow_info.git_project_url }}/commit/{{ mailcow_info.git_commit }}" target="_blank">{{ mailcow_info.version_tag }}
     </a><br>
     <span style="text-align:right;display:block;">Build: {{ mailcow_info.git_commit_date }}</span>
diff --git a/generate_config.sh b/generate_config.sh
index e9a82ff5a..c7a7cb64f 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -185,7 +185,7 @@ if [[ ${SKIP_BRANCH} != y ]]; then
   sleep 1
 
   while [ -z "${MAILCOW_BRANCH}" ]; do
-    read -r -p  "Choose the Branch with it's number [1/2] " branch
+    read -r -p  "Choose the Branch with it's number [1/2/3] " branch
     case $branch in
       [3])
         MAILCOW_BRANCH="legacy"

From 3c9d0c9d577a3ac8a159a34c7851b14cd6d4ecb1 Mon Sep 17 00:00:00 2001
From: Peter <magic@kthx.at>
Date: Thu, 27 Feb 2025 10:58:23 +0100
Subject: [PATCH 173/378] use ghcr.io for backupimage (#6333)

* use ghcr.io for backup image

* backup script: use renamed script + improved build of image

---------

Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 .github/workflows/rebuild_backup_image.yml | 14 +++++++++-----
 data/Dockerfiles/backup/Dockerfile         |  2 +-
 helper-scripts/backup_and_restore.sh       |  2 +-
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/rebuild_backup_image.yml b/.github/workflows/rebuild_backup_image.yml
index bf5caddf0..111b055de 100644
--- a/.github/workflows/rebuild_backup_image.yml
+++ b/.github/workflows/rebuild_backup_image.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   docker_image_build:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -19,17 +21,19 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker Hub
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_USERNAME }}
-          password: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64,linux/arm64
           file: data/Dockerfiles/backup/Dockerfile
           push: true
-          tags: mailcow/backup:latest
+          tags: ghcr.io/mailcow/backup:latest
\ No newline at end of file
diff --git a/data/Dockerfiles/backup/Dockerfile b/data/Dockerfiles/backup/Dockerfile
index 61c8bbe58..6234e725b 100644
--- a/data/Dockerfiles/backup/Dockerfile
+++ b/data/Dockerfiles/backup/Dockerfile
@@ -1,3 +1,3 @@
 FROM debian:bookworm-slim
 
-RUN apt update && apt install pigz
\ No newline at end of file
+RUN apt update && apt install pigz -y --no-install-recommends
\ No newline at end of file
diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh
index 581a84091..0cb37fce3 100755
--- a/helper-scripts/backup_and_restore.sh
+++ b/helper-scripts/backup_and_restore.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-DEBIAN_DOCKER_IMAGE="mailcow/backup:latest"
+DEBIAN_DOCKER_IMAGE="ghcr.io/mailcow/backup:latest"
 
 if [[ ! -z ${MAILCOW_BACKUP_LOCATION} ]]; then
   BACKUP_LOCATION="${MAILCOW_BACKUP_LOCATION}"

From a4c2cf4c67fa4a73ca4d933e675a8c58c00618ba Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 27 Feb 2025 11:44:52 +0100
Subject: [PATCH 174/378] scripts: adapted new docker image names to
 docker_garbage function + removed dup

---
 helper-scripts/_cold-standby.sh | 40 ---------------------------------
 update.sh                       | 16 ++++++++++---
 2 files changed, 13 insertions(+), 43 deletions(-)

diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh
index e2e5f1556..9e7362ec6 100755
--- a/helper-scripts/_cold-standby.sh
+++ b/helper-scripts/_cold-standby.sh
@@ -10,46 +10,6 @@ echo "If this script is run automatically by cron or a timer AND you are using b
 echo "The snapshots of your backup destination should run AFTER the cold standby script finished to ensure consistent snapshots."
 echo
 
-function docker_garbage() {
-  IMGS_TO_DELETE=()
-
-  for container in $(grep -oP "image: \Kmailcow.+" docker-compose.yml); do
-
-    REPOSITORY=${container/:*}
-    TAG=${container/*:}
-    V_MAIN=${container/*.}
-    V_SUB=${container/*.}
-    EXISTING_TAGS=$(docker images | grep ${REPOSITORY} | awk '{ print $2 }')
-
-    for existing_tag in ${EXISTING_TAGS[@]}; do
-
-      V_MAIN_EXISTING=${existing_tag/*.}
-      V_SUB_EXISTING=${existing_tag/*.}
-
-      # Not an integer
-      [[ ! ${V_MAIN_EXISTING} =~ ^[0-9]+$ ]] && continue
-      [[ ! ${V_SUB_EXISTING} =~ ^[0-9]+$ ]] && continue
-
-      if [[ ${V_MAIN_EXISTING} == "latest" ]]; then
-        echo "Found deprecated label \"latest\" for repository ${REPOSITORY}, it should be deleted."
-        IMGS_TO_DELETE+=(${REPOSITORY}:${existing_tag})
-      elif [[ ${V_MAIN_EXISTING} -lt ${V_MAIN} ]]; then
-        echo "Found tag ${existing_tag} for ${REPOSITORY}, which is older than the current tag ${TAG} and should be deleted."
-        IMGS_TO_DELETE+=(${REPOSITORY}:${existing_tag})
-      elif [[ ${V_SUB_EXISTING} -lt ${V_SUB} ]]; then
-        echo "Found tag ${existing_tag} for ${REPOSITORY}, which is older than the current tag ${TAG} and should be deleted."
-        IMGS_TO_DELETE+=(${REPOSITORY}:${existing_tag})
-      fi
-
-    done
-
-  done
-
-  if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then
-    docker rmi ${IMGS_TO_DELETE[*]}
-  fi
-}
-
 function preflight_local_checks() {
   if [[ -z "${REMOTE_SSH_KEY}" ]]; then
     >&2 echo -e "\e[31mREMOTE_SSH_KEY is not set\e[0m"
diff --git a/update.sh b/update.sh
index 9cfb02fd1..27972e82a 100755
--- a/update.sh
+++ b/update.sh
@@ -36,13 +36,23 @@ docker_garbage() {
   IMGS_TO_DELETE=()
 
   declare -A IMAGES_INFO
-  COMPOSE_IMAGES=($(grep -oP "image: \Kmailcow.+" "${SCRIPT_DIR}/docker-compose.yml"))
+  # Erfasse alle in docker-compose verwendeten Images (sowohl mailcow/... als auch ghcr.io/mailcow/...)
+  COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml"))
 
-  for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep 'mailcow/'); do
+  # Durchlaufe alle vorhandenen Images, die mailcow/ oder ghcr.io/mailcow/ beinhalten
+  for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do
       ID=$(echo "$existing_image" | cut -d ':' -f 1)
       REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2)
       TAG=$(echo "$existing_image" | cut -d ':' -f 3)
 
+      # Für das Image mailcow/backup: nur löschen, wenn es untagged ist (TAG gleich "<none>")
+      if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then
+          if [[ "$TAG" != "<none>" ]]; then
+              continue
+          fi
+      fi
+
+      # Überspringe Images, die in der docker-compose.yml verwendet werden
       if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then
           continue
       else
@@ -57,7 +67,7 @@ docker_garbage() {
           echo "    ${IMAGES_INFO[$id]} ($id)"
       done
 
-      if [ ! $FORCE ]; then
+      if [ -z "$FORCE" ]; then
           read -r -p "Do you want to delete them to free up some space? [y/N] " response
           if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
               docker rmi ${IMGS_TO_DELETE[*]}

From 5296085189fd6ca6938734a0a112b53d41b9adc0 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 27 Feb 2025 11:47:08 +0100
Subject: [PATCH 175/378] update.sh: corrected typos inside update.sh

---
 update.sh | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/update.sh b/update.sh
index 27972e82a..838899f8b 100755
--- a/update.sh
+++ b/update.sh
@@ -36,23 +36,19 @@ docker_garbage() {
   IMGS_TO_DELETE=()
 
   declare -A IMAGES_INFO
-  # Erfasse alle in docker-compose verwendeten Images (sowohl mailcow/... als auch ghcr.io/mailcow/...)
   COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml"))
 
-  # Durchlaufe alle vorhandenen Images, die mailcow/ oder ghcr.io/mailcow/ beinhalten
   for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do
       ID=$(echo "$existing_image" | cut -d ':' -f 1)
       REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2)
       TAG=$(echo "$existing_image" | cut -d ':' -f 3)
 
-      # Für das Image mailcow/backup: nur löschen, wenn es untagged ist (TAG gleich "<none>")
       if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then
           if [[ "$TAG" != "<none>" ]]; then
               continue
           fi
       fi
 
-      # Überspringe Images, die in der docker-compose.yml verwendet werden
       if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then
           continue
       else

From 70190e52301197eb05b4a58f220db66457d27710 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Fri, 28 Feb 2025 15:38:05 +0100
Subject: [PATCH 176/378] rspamd: remove .info from fishy tlds (default)

---
 data/conf/rspamd/custom/fishy_tlds.map | 1 -
 1 file changed, 1 deletion(-)

diff --git a/data/conf/rspamd/custom/fishy_tlds.map b/data/conf/rspamd/custom/fishy_tlds.map
index 1b8b2b0d7..f19f70da5 100644
--- a/data/conf/rspamd/custom/fishy_tlds.map
+++ b/data/conf/rspamd/custom/fishy_tlds.map
@@ -24,7 +24,6 @@
 /.+\.guru$/i
 /.+\.icu$/i
 /.+\.id$/i
-/.+\.info$/i
 /.+\.in.net$/i
 /.+\.ir$/i
 /.+\.jetzt$/i

From 4bd267515ac9c08ae967c0a20315b32b5cf595b6 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sat, 1 Mar 2025 13:32:21 +0100
Subject: [PATCH 177/378] update postscreen_access.cidr (#6345)

---
 data/conf/postfix/postscreen_access.cidr | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 69be54247..c6ed2be93 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Sat Feb  1 00:18:03 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Sat Mar  1 00:19:29 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 1984 total rules
+# 2000 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -8,6 +8,13 @@
 2a01:111:f403::/49	permit
 2a01:111:f403:c000::/51	permit
 2a01:111:f403:f000::/52	permit
+2a01:b747:3000:200::/56	permit
+2a01:b747:3001:200::/56	permit
+2a01:b747:3002:200::/56	permit
+2a01:b747:3003:200::/56	permit
+2a01:b747:3004:200::/56	permit
+2a01:b747:3005:200::/56	permit
+2a01:b747:3006:200::/56	permit
 2a02:a60:0:5::/64	permit
 2c0f:fb50:4000::/36	permit
 2.207.151.53	permit
@@ -19,7 +26,6 @@
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
-10.162.0.0/16	permit
 12.130.86.238	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
@@ -35,7 +41,9 @@
 17.57.156.0/24	permit
 17.58.0.0/16	permit
 17.142.0.0/15	permit
-17.143.234.140/30	permit
+18.97.0.8/30	permit
+18.97.1.184/29	permit
+18.97.2.64/26	permit
 18.156.89.250	permit
 18.157.243.190	permit
 18.194.95.56	permit
@@ -283,6 +291,9 @@
 64.207.219.13	permit
 64.207.219.14	permit
 64.207.219.15	permit
+64.207.219.24	permit
+64.207.219.25	permit
+64.207.219.26	permit
 64.207.219.71	permit
 64.207.219.72	permit
 64.207.219.73	permit
@@ -292,6 +303,9 @@
 64.207.219.77	permit
 64.207.219.78	permit
 64.207.219.79	permit
+64.207.219.88	permit
+64.207.219.89	permit
+64.207.219.90	permit
 64.207.219.135	permit
 64.207.219.136	permit
 64.207.219.137	permit
@@ -1464,6 +1478,8 @@
 159.135.224.0/20	permit
 159.135.228.10	permit
 159.183.0.0/16	permit
+159.183.68.71	permit
+159.183.79.38	permit
 160.1.62.192	permit
 161.38.192.0/20	permit
 161.38.204.0/22	permit

From 81803836f073b355f7d86f703e2265c3c365ff0a Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Mon, 3 Mar 2025 22:49:23 +0100
Subject: [PATCH 178/378] [Web] Updated lang.ko-kr.json (#6350)

Co-authored-by: dongsu8142 <dongsu8142@naver.com>
---
 data/web/lang/lang.ko-kr.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/web/lang/lang.ko-kr.json b/data/web/lang/lang.ko-kr.json
index 27b028cd4..4bc14ab69 100644
--- a/data/web/lang/lang.ko-kr.json
+++ b/data/web/lang/lang.ko-kr.json
@@ -25,7 +25,10 @@
         "syncjobs": "동기화 작업",
         "tls_policy": "TLS 정책",
         "unlimited_quota": "메일에 무제한 할당",
-        "domain_desc": "도메인 설명 변경"
+        "domain_desc": "도메인 설명 변경",
+        "pw_reset": "mailcow 사용자 비밀번호 재설정 허용",
+        "domain_relayhost": "도메인의 릴레이 호스트 변경",
+        "mailbox_relayhost": "메일함의 릴레이 호스트 변경"
     },
     "add": {
         "activate_filter_warn": "활성화가 체크되어 있으면 모든 다른 필터들은 비활성화됩니다.",

From 79f4cf40211afc9c5010acb3c888a96bfff44a17 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 5 Mar 2025 16:35:46 +0100
Subject: [PATCH 179/378] chore(deps): update docker/build-push-action action
 to v6 (#6334)

---
 .github/workflows/rebuild_backup_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/rebuild_backup_image.yml b/.github/workflows/rebuild_backup_image.yml
index 111b055de..adf69eb35 100644
--- a/.github/workflows/rebuild_backup_image.yml
+++ b/.github/workflows/rebuild_backup_image.yml
@@ -30,7 +30,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64

From 0435766c171f6ede78c6b57e15ac543bb42a5a64 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Wed, 5 Mar 2025 17:43:37 +0100
Subject: [PATCH 180/378] [Web] Updated lang.ko-kr.json (#6353)

Co-authored-by: dongsu8142 <dongsu8142@naver.com>
---
 data/web/lang/lang.ko-kr.json | 88 ++++++++++++++++++++++++++++++++---
 1 file changed, 81 insertions(+), 7 deletions(-)

diff --git a/data/web/lang/lang.ko-kr.json b/data/web/lang/lang.ko-kr.json
index 4bc14ab69..546ccdfcc 100644
--- a/data/web/lang/lang.ko-kr.json
+++ b/data/web/lang/lang.ko-kr.json
@@ -28,7 +28,8 @@
         "domain_desc": "도메인 설명 변경",
         "pw_reset": "mailcow 사용자 비밀번호 재설정 허용",
         "domain_relayhost": "도메인의 릴레이 호스트 변경",
-        "mailbox_relayhost": "메일함의 릴레이 호스트 변경"
+        "mailbox_relayhost": "메일함의 릴레이 호스트 변경",
+        "quarantine_category": "검역소 알림 카테고리 변경"
     },
     "add": {
         "activate_filter_warn": "활성화가 체크되어 있으면 모든 다른 필터들은 비활성화됩니다.",
@@ -104,7 +105,9 @@
         "timeout2": "로컬 호스트 연결 시간 초과",
         "username": "사용자명",
         "validate": "확인하기",
-        "validation_success": "성공적으로 확인됨"
+        "validation_success": "성공적으로 확인됨",
+        "tags": "태그",
+        "app_passwd_protocols": "앱 비밀번호에 대해 허용되는 프로토콜"
     },
     "admin": {
         "access": "접근",
@@ -304,7 +307,50 @@
         "username": "사용자 이름",
         "validate_license_now": "라이선스 서버와 GUID 확인",
         "verify": "확인",
-        "yes": "&#10003;"
+        "yes": "&#10003;",
+        "domain_admin": "도메인 관리자",
+        "f2b_filter": "정규식 필터",
+        "f2b_manage_external": "외부에서 Fail2Ban 관리",
+        "f2b_max_ban_time": "최대 차단 시간(초)",
+        "f2b_regex_info": "고려되는 로그: SOGo, Postfix, Dovecot, PHP-FPM.",
+        "html": "HTML",
+        "oauth2_apps": "OAuth2 앱",
+        "oauth2_add_client": "OAuth2 클라이언트 추가",
+        "optional": "선택 사항",
+        "options": "옵션",
+        "password_length": "비밀번호 길이",
+        "password_policy_chars": "하나 이상의 알파벳 문자를 포함해야 합니다.",
+        "password_policy_length": "최소 암호 길이가 %d입니다.",
+        "password_policy_numbers": "숫자 하나 이상을 포함해야 합니다.",
+        "password_policy_special_chars": "특수 문자를 포함해야 합니다.",
+        "password_reset_info": "복구 이메일이 제공되지 않으면 이 기능을 사용할 수 없습니다.",
+        "password_reset_settings": "비밀번호 복구 설정",
+        "password_reset_tmpl_html": "HTML 템플릿",
+        "password_reset_tmpl_text": "Text 템플릿",
+        "password_settings": "비밀번호 설정",
+        "queue_unban": "차단 해제",
+        "restore_template": "기본 템플릿을 복원하려면 비워둡니다.",
+        "service": "서비스",
+        "success": "성공",
+        "dkim_overwrite_key": "기존 DKIM 키 덮어쓰기",
+        "f2b_ban_time_increment": "차단 시간은 차단될 때마다 증가합니다.",
+        "password_policy": "비밀번호 정책",
+        "quarantine_max_score": "메일의 스팸 점수가 이 값보다 높으면 알림을 삭제합니다:<br><small>기본값: 9999.0</small>",
+        "f2b_manage_external_info": "Fail2ban은 차단 목록을 유지하지만 트래픽을 차단하는 규칙을 능동적으로 설정하지는 않습니다. 트래픽을 외부에서 차단하려면 아래 생성된 차단 목록을 사용하세요.",
+        "password_policy_lowerupper": "소문자 및 대문자를 포함해야 합니다.",
+        "transport_test_rcpt_info": "&#8226; null@hosted.mailcow.de 을 사용하여 해외 목적지로 릴레이를 테스트하세요.",
+        "ip_check_disabled": "IP 확인이 비활성화됩니다. 아래에서 활성화할 수 있습니다<br> <strong>시스템 > 구성 > 옵션 > 사용자 정의</strong>",
+        "logo_normal_label": "일반",
+        "logo_dark_label": "다크 모드의 경우 반전",
+        "convert_html_to_text": "HTML을 일반 텍스트로 변환",
+        "copy_to_clipboard": "클립보드에 텍스트가 복사되었습니다!",
+        "cors_settings": "CORS 설정",
+        "rsettings_preset_4": "도메인에 대해 Rspamd 비활성화",
+        "ip_check": "IP 확인",
+        "admins": "관리자",
+        "admins_ldap": "LDAP 관리자",
+        "api_read_only": "읽기 전용 액세스",
+        "api_read_write": "읽기-쓰기 액세스"
     },
     "danger": {
         "access_denied": "접근이 거부되거나 잘못된 데이터 양식",
@@ -418,7 +464,28 @@
         "username_invalid": "%s는 사용지 이름으로 사용할 수 없습니다.",
         "validity_missing": "유효 기간을 지정해주세요.",
         "value_missing": "모든 값을 입력해주세요.",
-        "yotp_verification_failed": "Yubico OTP 검증 실패: %s"
+        "yotp_verification_failed": "Yubico OTP 검증 실패: %s",
+        "dkim_domain_or_sel_exists": "“%s\"에 대한 DKIM 키가 존재하며 덮어쓰지 않습니다.",
+        "img_size_exceeded": "이미지가 최대 파일 크기를 초과합니다.",
+        "invalid_reset_token": "잘못된 리셋 토큰",
+        "nginx_reload_failed": "Nginx 리로드 실패: %s",
+        "password_reset_na": "현재 비밀번호 복구를 사용할 수 없습니다. 관리자에게 문의하세요.",
+        "reset_f2b_regex": "정규식 필터를 제때 재설정하지 못했습니다. 다시 시도하거나 몇 초 더 기다렸다가 웹사이트를 다시 로드하세요.",
+        "template_exists": "템플릿 %s이(가) 이미 존재합니다.",
+        "template_id_invalid": "템플릿 ID %s가 잘못되었습니다.",
+        "template_name_invalid": "템플릿 이름이 잘못되었습니다.",
+        "tfa_token_invalid": "TFA 토큰이 유효하지 않습니다.",
+        "to_invalid": "수신자가 비어 있지 않아야 합니다.",
+        "webauthn_authenticator_failed": "선택한 인증기를 찾을 수 없습니다.",
+        "webauthn_username_failed": "선택한 인증기가 다른 계정에 속해 있습니다.",
+        "demo_mode_enabled": "데모 모드가 활성화됨",
+        "recovery_email_failed": "복구 이메일을 보낼 수 없습니다. 관리자에게 문의하세요.",
+        "password_reset_invalid_user": "사서함을 찾을 수 없거나 복구 이메일이 설정되어 있지 않습니다.",
+        "webauthn_publickey_failed": "선택한 인증기에 대한 공개 키가 저장되지 않았습니다.",
+        "fido2_verification_failed": "FIDO2 인증 실패: %s",
+        "extended_sender_acl_denied": "외부 발신자 주소를 설정하는 ACL 누락",
+        "img_dimensions_exceeded": "이미지가 최대 이미지 크기를 초과합니다.",
+        "reset_token_limit_exceeded": "토큰 재설정 한도를 초과했습니다. 나중에 다시 시도해 주세요."
     },
     "debug": {
         "chart_this_server": "Chart (this server)",
@@ -437,7 +504,9 @@
         "uptime": "Uptime",
         "started_on": "Started on",
         "static_logs": "Static logs",
-        "system_containers": "System & Containers"
+        "system_containers": "System & Containers",
+        "current_time": "시스템 시간",
+        "no_update_available": "시스템이 최신 버전입니다."
     },
     "diagnostics": {
         "cname_from_a": "Value derived from A/AAAA record. This is supported as long as the record points to the correct resource.",
@@ -563,13 +632,14 @@
     "header": {
         "administration": "Configuration & Details",
         "apps": "Apps",
-        "debug": "System Information",
+        "debug": "정보",
         "email": "E-Mail",
         "mailcow_config": "Configuration",
         "quarantine": "Quarantine",
         "restart_netfilter": "Restart netfilter",
         "restart_sogo": "Restart SOGo",
-        "user_settings": "User Settings"
+        "user_settings": "User Settings",
+        "mailcow_system": "시스템"
     },
     "info": {
         "awaiting_tfa_confirmation": "Awaiting TFA confirmation",
@@ -1020,5 +1090,9 @@
         "quota_exceeded_scope": "Domain quota exceeded: Only unlimited mailboxes can be created in this domain scope.",
         "session_token": "Form token invalid: Token mismatch",
         "session_ua": "Form token invalid: User-Agent validation error"
+    },
+    "datatables": {
+        "collapse_all": "모두 접기",
+        "decimal": "."
     }
 }

From 8761d8fc47bc43b1a97fd7e08670586145f2c259 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Mar 2025 09:54:35 +0100
Subject: [PATCH 181/378] [Web] Fix app layout issue

---
 data/web/css/build/015-responsive.css     | 32 ++++-------------------
 data/web/templates/admin_index.twig       |  2 +-
 data/web/templates/domainadmin_index.twig |  2 +-
 data/web/templates/user_index.twig        |  4 +--
 4 files changed, 9 insertions(+), 31 deletions(-)

diff --git a/data/web/css/build/015-responsive.css b/data/web/css/build/015-responsive.css
index 57ce80233..82be71069 100644
--- a/data/web/css/build/015-responsive.css
+++ b/data/web/css/build/015-responsive.css
@@ -6,15 +6,9 @@
   max-width: 350px;
 }
 
-.card-login .apps .btn {
-  width: auto;
-  float: left;
-  margin-right: 10px;
-  margin-top: auto;
-}
-.card-login .apps .btn:hover {
-  margin-top: 1px !important;
-  border-bottom-width: 3px;
+.card .apps {
+  display: flex;
+  flex-wrap: wrap;
 }
 
 .responsive-tabs .nav-tabs {
@@ -43,16 +37,6 @@
       opacity: 1;
   }
 
-  .card-login .apps .btn {
-    width: 100%;
-    float: none;
-    margin-bottom: 10px;
-  }
-
-  .card-login .apps .btn {
-    border-bottom-width: 4px;
-  }
-
   .xs-show {
     display: block !important;
   }
@@ -113,9 +97,6 @@
   .btn-group.nowrap .dropdown-menu {
     width: 100%;
   }
-  .card-login .btn-group {
-    display: block;
-  }
   .mass-actions-user .btn-group {
     float: none;
   }
@@ -191,9 +172,6 @@
   .btn-group .btn i {
     margin-right: 5px;
   }
-  .card-login .btn-group .btn {
-    display: block !important;
-  }
 
   .dt-sm-head-hidden .dtr-title {
     display: none !important;
@@ -206,7 +184,7 @@
   .senders-mw220 {
     max-width: 100% !important;
   }
-  
+
   table.dataTable.dtr-inline.collapsed>tbody>tr>td.dtr-control:before,
   table.dataTable.dtr-inline.collapsed>tbody>tr>th.dtr-control:before,
   table.dataTable td.dt-control:before {
@@ -215,7 +193,7 @@
       line-height: 2rem;
       margin-top: -15px;
   }
-  
+
   li .dtr-data {
       padding: 0;
   }
diff --git a/data/web/templates/admin_index.twig b/data/web/templates/admin_index.twig
index 93a892842..6f223889e 100644
--- a/data/web/templates/admin_index.twig
+++ b/data/web/templates/admin_index.twig
@@ -63,7 +63,7 @@
         <div class="my-4" id="fido2-alerts"></div>
         {% if (mailcow_apps or app_links) and not hide_mailcow_apps %}
         <legend><i class="bi bi-link-45deg"></i> {{ ui_texts.apps_name|raw }}</legend><hr />
-        <div class="my-2 d-grid gap-2 d-sm-block apps">
+        <div class="my-2 apps">
           {% for app in mailcow_apps %}
             {% if not app.hide %}
               {% if not skip_sogo or not is_uri('SOGo', app.link) %}
diff --git a/data/web/templates/domainadmin_index.twig b/data/web/templates/domainadmin_index.twig
index 41a9f2597..003fdba1f 100644
--- a/data/web/templates/domainadmin_index.twig
+++ b/data/web/templates/domainadmin_index.twig
@@ -63,7 +63,7 @@
         <div class="my-4" id="fido2-alerts"></div>
         {% if (mailcow_apps or app_links) and not hide_mailcow_apps %}
         <legend><i class="bi bi-link-45deg"></i> {{ ui_texts.apps_name|raw }}</legend><hr />
-        <div class="my-2 d-grid gap-2 d-sm-block apps">
+        <div class="my-2 apps">
           {% for app in mailcow_apps %}
             {% if not app.hide %}
               {% if not skip_sogo or not is_uri('SOGo', app.link) %}
diff --git a/data/web/templates/user_index.twig b/data/web/templates/user_index.twig
index 950482c9a..ee54c0e93 100644
--- a/data/web/templates/user_index.twig
+++ b/data/web/templates/user_index.twig
@@ -65,10 +65,10 @@
         </div>
         <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
         <div class="d-flex flex-column align-items-center">
-          <a class="btn btn-xs-lg btn-secondary w-100" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
           {% if has_iam_sso %}
           <a class="btn btn-xs-lg btn-secondary w-100 mt-2" style="max-width: 400px;" href="/?iam_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a>
           {% endif %}
+          <a class="btn btn-xs-lg btn-secondary w-100 mt-2" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
         </div>
         {% if login_delay %}
         <p><div class="my-4 alert alert-info">{{ lang.login.delayed|format(login_delay) }}</b></div></p>
@@ -76,7 +76,7 @@
         <div class="my-4" id="fido2-alerts"></div>
         {% if not oauth2_request and (mailcow_apps or app_links) and not hide_mailcow_apps %}
         <legend><i class="bi bi-link-45deg"></i> {{ ui_texts.apps_name|raw }}</legend><hr />
-        <div class="my-2 d-grid gap-2 d-sm-block apps">
+        <div class="my-2 apps">
           {% for app in mailcow_apps %}
             {% if not app.hide %}
               {% if not skip_sogo or not is_uri('SOGo', app.link) %}

From 6f9c8deab76a652f23d2db18df7c1b43019765c3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Mar 2025 09:56:20 +0100
Subject: [PATCH 182/378] [Web] Support old style app links

---
 data/web/inc/functions.customize.inc.php | 15 ++++++++-------
 data/web/inc/header.inc.php              | 12 ++++++++++--
 data/web/templates/base.twig             |  2 +-
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index 5aef7d720..8c0feb69f 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -3,7 +3,7 @@ function customize($_action, $_item, $_data = null) {
 	global $redis;
 	global $lang;
   global $LOGO_LIMITS;
-  
+
   switch ($_action) {
     case 'add':
       // disable functionality when demo mode is enabled
@@ -267,12 +267,13 @@ function customize($_action, $_item, $_data = null) {
             return false;
           }
 
-          foreach($app_links as $key => $value){
-            foreach($value as $app => $details){
-              if (empty($details['user_link']) || empty($_SESSION['mailcow_cc_username'])){
-                $app_links[$key][$app]['user_link'] = $app_links[$key][$app]['link'];
-              } else {
-                $app_links[$key][$app]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links[$key][$app]['user_link']);
+          // convert from old style
+          foreach($app_links as $i => $entry){
+            foreach($entry as $app => $link){
+              if (empty($link['link']) && empty($link['user_link'])){
+                $app_links[$i][$app] = array();
+                $app_links[$i][$app]['link'] = $link;
+                $app_links[$i][$app]['user_link'] = $link;
               }
             }
           }
diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index b93787b02..9ab2ad174 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -39,7 +39,11 @@ for ($i = 0; $i < count($mailcow_apps_processed); $i++) {
     $hide_mailcow_apps = false;
   }
   if (!empty($_SESSION['mailcow_cc_username'])){
-    $mailcow_apps_processed[$i]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $mailcow_apps_processed[$i]['user_link']);
+    if ($app_links_processed[$i]['user_link']) {
+      $mailcow_apps_processed[$i]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $mailcow_apps_processed[$i]['user_link']);
+    } else {
+      $mailcow_apps_processed[$i]['user_link'] = $mailcow_apps_processed[$i]['link'];
+    }
   }
 }
 if ($app_links_processed){
@@ -49,7 +53,11 @@ if ($app_links_processed){
       $hide_mailcow_apps = false;
     }
     if (!empty($_SESSION['mailcow_cc_username'])){
-      $app_links_processed[$i][$key]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links_processed[$i][$key]['user_link']);
+      if ($app_links_processed[$i][$key]['user_link']) {
+        $app_links_processed[$i][$key]['user_link'] = str_replace('%u', $_SESSION['mailcow_cc_username'], $app_links_processed[$i][$key]['user_link']);
+      } else {
+        $app_links_processed[$i][$key]['user_link'] = $app_links_processed[$i][$key]['link'];
+      }
     }
   }
 }
diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 4d0a30251..0ef5f668e 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -118,7 +118,7 @@
               </li>
               {% endif %}
             {% endfor %}
-            {% for row in app_links %}
+            {% for row in app_links_processed %}
               {% for key, val in row %}
               <li><a href="{{ val.user_link }}" class="dropdown-item">{{ key }}</a></li>
               {% endfor %}

From bc21e7fe503dcb0271a4cefaa53f6591d7792637 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Mar 2025 13:12:48 +0100
Subject: [PATCH 183/378] [Web] Separate FIDO2 logins

---
 data/web/inc/functions.inc.php            | 76 +++++++++++++++++++++++
 data/web/inc/triggers.admin.inc.php       |  8 +++
 data/web/inc/triggers.domainadmin.inc.php |  8 +++
 data/web/inc/triggers.user.inc.php        |  8 +++
 data/web/json_api.php                     | 75 ----------------------
 data/web/templates/base.twig              | 16 +++--
 6 files changed, 107 insertions(+), 84 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 8358f1bed..2a6968fe2 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1250,6 +1250,7 @@ function set_tfa($_data) {
 }
 function fido2($_data) {
   global $pdo;
+  global $WebAuthn;
   $_data_log = $_data;
   // Not logging registration data, only actions
   // Silent errors for "get" requests
@@ -1383,6 +1384,81 @@ function fido2($_data) {
         'msg' => array('object_modified', htmlspecialchars($username))
       );
     break;
+    case "verify":
+      $tokenData = json_decode($_data['token']);
+      $clientDataJSON = base64_decode($tokenData->clientDataJSON);
+      $authenticatorData = base64_decode($tokenData->authenticatorData);
+      $signature = base64_decode($tokenData->signature);
+      $id = base64_decode($tokenData->id);
+      $challenge = $_SESSION['challenge'];
+      $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $tokenData->id));
+      if ($process_fido2['pub_key'] === false) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+          'msg' => "login_failed"
+        );
+        return false;
+      }
+      try {
+        $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
+      }
+      catch (Throwable $ex) {
+        unset($process_fido2);
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username'], $ex->getMessage()),
+          'msg' => "login_failed"
+        );
+        return false;
+      }
+      $return = new stdClass();
+      $return->success = true;
+      $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
+      $stmt->execute(array(':username' => $process_fido2['username']));
+      $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
+      if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) {
+        $_SESSION["mailcow_cc_role"] = "admin";
+      }
+      elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) {
+        $_SESSION["mailcow_cc_role"] = "domainadmin";
+      }
+      elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) {
+        $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
+        $stmt->execute(array(':username' => $process_fido2['username']));
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if ($row['username'] == $process_fido2['username']) {
+          $_SESSION["mailcow_cc_role"] = "user";
+        }
+      }
+      else {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+      if (empty($_SESSION["mailcow_cc_role"])) {
+        session_unset();
+        session_destroy();
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+      $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
+      $_SESSION["fido2_cid"] = $process_fido2['cid'];
+      unset($_SESSION["challenge"]);
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+        'msg' => array('logged_in_as', $process_fido2['username'])
+      );
+      return true;
+    break;
   }
 }
 function unset_tfa_key($_data) {
diff --git a/data/web/inc/triggers.admin.inc.php b/data/web/inc/triggers.admin.inc.php
index 5b1061f7e..883d9fd5c 100644
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -18,6 +18,14 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_mailcow_cc_role']);
   unset($_SESSION['pending_tfa_methods']);
 }
+if (isset($_POST["verify_fido2_login"])) {
+  fido2(array(
+    "action" => "verify",
+    "token" => $_POST["token"],
+    "user" => "admin"
+  ));
+  exit;
+}
 
 if (isset($_GET["cancel_tfa_login"])) {
   unset($_SESSION['pending_pw_reset_token']);
diff --git a/data/web/inc/triggers.domainadmin.inc.php b/data/web/inc/triggers.domainadmin.inc.php
index 9ee53d67a..dd1c653bd 100644
--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -29,6 +29,14 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_mailcow_cc_role']);
   unset($_SESSION['pending_tfa_methods']);
 }
+if (isset($_POST["verify_fido2_login"])) {
+  fido2(array(
+    "action" => "verify",
+    "token" => $_POST["token"],
+    "user" => "domainadmin"
+  ));
+  exit;
+}
 
 if (isset($_GET["cancel_tfa_login"])) {
   unset($_SESSION['pending_pw_reset_token']);
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index c16edc10e..64282b075 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -83,6 +83,14 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_mailcow_cc_role']);
   unset($_SESSION['pending_tfa_methods']);
 }
+if (isset($_POST["verify_fido2_login"])) {
+  fido2(array(
+    "action" => "verify",
+    "token" => $_POST["token"],
+    "user" => "user"
+  ));
+  exit;
+}
 
 if (isset($_GET["cancel_tfa_login"])) {
   unset($_SESSION['pending_pw_reset_token']);
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 14e7c47d3..f2a222b85 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -334,81 +334,6 @@ if (isset($_GET['query'])) {
           exit();
       }
     break;
-    case "process":
-      // only allow POST requests to process API endpoints
-      if ($_SERVER['REQUEST_METHOD'] != 'POST') {
-        http_response_code(405);
-        echo json_encode(array(
-            'type' => 'error',
-            'msg' => 'only POST method is allowed'
-        ));
-        exit();
-      }
-      switch ($category) {
-        case "fido2-args":
-          header('Content-Type: application/json');
-          $post = trim(file_get_contents('php://input'));
-          if ($post) {
-            $post = json_decode($post);
-          }
-          $clientDataJSON = base64_decode($post->clientDataJSON);
-          $authenticatorData = base64_decode($post->authenticatorData);
-          $signature = base64_decode($post->signature);
-          $id = base64_decode($post->id);
-          $challenge = $_SESSION['challenge'];
-          $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $post->id));
-          if ($process_fido2['pub_key'] === false) {
-            $return = new stdClass();
-            $return->success = false;
-            echo json_encode($return);
-            exit;
-          }
-          try {
-            $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
-          }
-          catch (Throwable $ex) {
-            unset($process_fido2);
-            $return = new stdClass();
-            $return->success = false;
-            echo json_encode($return);
-            exit;
-          }
-          $return = new stdClass();
-          $return->success = true;
-          $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
-          $stmt->execute(array(':username' => $process_fido2['username']));
-          $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
-          if ($obj_props['superadmin'] === 1) {
-            $_SESSION["mailcow_cc_role"] = "admin";
-          }
-          elseif ($obj_props['superadmin'] === 0) {
-            $_SESSION["mailcow_cc_role"] = "domainadmin";
-          }
-          else {
-            $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
-            $stmt->execute(array(':username' => $process_fido2['username']));
-            $row = $stmt->fetch(PDO::FETCH_ASSOC);
-            if ($row['username'] == $process_fido2['username']) {
-              $_SESSION["mailcow_cc_role"] = "user";
-            }
-          }
-          if (empty($_SESSION["mailcow_cc_role"])) {
-            session_unset();
-            session_destroy();
-            exit;
-          }
-          $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
-          $_SESSION["fido2_cid"] = $process_fido2['cid'];
-          unset($_SESSION["challenge"]);
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array("fido2_login"),
-            'msg' => array('logged_in_as', $process_fido2['username'])
-          );
-          echo json_encode($return);
-        break;
-      }
-    break;
     case "get":
       function process_get_return($data, $object = true) {
         if ($object === true) {
diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 0ef5f668e..8ec8e4159 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -391,16 +391,14 @@ function recursiveBase64StrToArrayBuffer(obj) {
         signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null
       };
     }).then(JSON.stringify).then(function(AuthenticatorAttestationResponse) {
-      return window.fetch("/api/v1/process/fido2-args", {method:'POST', body: AuthenticatorAttestationResponse, cache:'no-cache'});
+      var formData = new FormData();
+      formData.append("token", AuthenticatorAttestationResponse);
+      formData.append("verify_fido2_login", "true");
+
+      return window.fetch(window.location.href, {method:'POST', body: formData, cache:'no-cache'});
     }).then(function(response) {
-      return response.json();
-    }).then(function(json) {
-      if (json.success) {
-        window.location = window.location.href.split("#")[0];
-  } else {
-    throw new Error();
-  }
-  }).catch(function(err) {
+      window.location = window.location.href.split("#")[0];
+    }).catch(function(err) {
     if (typeof err.message === 'undefined') {
       mailcow_alert_box(lang_fido2.fido2_validation_failed, "danger");
     } else {

From 82eb3c64cd6c1eea94f450b22bf0de3e29f7eaa1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Mar 2025 13:15:27 +0100
Subject: [PATCH 184/378] [Web] Use SQL password only when authsource is
 mailcow

---
 data/web/inc/functions.auth.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 62329e305..8e695c359 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -277,7 +277,7 @@ function user_login($user, $pass, $extra = null){
       }
       return $result;
     break;
-    default:
+    case 'mailcow':
       // verify password
       if (verify_hash($row['password'], $pass) !== false) {
         // check for tfa authenticators

From 25d34b5acfcd881e1ffd41b20dcc73f42b4618ef Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Mar 2025 14:52:08 +0100
Subject: [PATCH 185/378] [Web] Remove default ui help text

---
 data/web/lang/lang.ca-es.json      |  4 +---
 data/web/lang/lang.cs-cz.json      |  4 +---
 data/web/lang/lang.da-dk.json      |  4 +---
 data/web/lang/lang.de-de.json      |  4 +---
 data/web/lang/lang.en-gb.json      |  4 +---
 data/web/lang/lang.es-es.json      |  4 +---
 data/web/lang/lang.fi-fi.json      |  4 +---
 data/web/lang/lang.fr-fr.json      |  4 +---
 data/web/lang/lang.hu-hu.json      |  4 +---
 data/web/lang/lang.it-it.json      |  4 +---
 data/web/lang/lang.ja-jp.json      |  4 +---
 data/web/lang/lang.ko-kr.json      |  4 +---
 data/web/lang/lang.lv-lv.json      |  4 +---
 data/web/lang/lang.nl-nl.json      |  4 +---
 data/web/lang/lang.pl-pl.json      |  4 +---
 data/web/lang/lang.pt-br.json      |  4 +---
 data/web/lang/lang.pt-pt.json      |  4 +---
 data/web/lang/lang.ro-ro.json      |  4 +---
 data/web/lang/lang.ru-ru.json      |  4 +---
 data/web/lang/lang.sk-sk.json      |  4 +---
 data/web/lang/lang.sv-se.json      |  4 +---
 data/web/lang/lang.tr-tr.json      |  2 --
 data/web/lang/lang.uk-ua.json      |  4 +---
 data/web/lang/lang.zh-cn.json      |  4 +---
 data/web/lang/lang.zh-tw.json      |  4 +---
 data/web/templates/user_index.twig | 11 ++---------
 26 files changed, 26 insertions(+), 83 deletions(-)

diff --git a/data/web/lang/lang.ca-es.json b/data/web/lang/lang.ca-es.json
index 43079339d..af7cbd5fb 100644
--- a/data/web/lang/lang.ca-es.json
+++ b/data/web/lang/lang.ca-es.json
@@ -414,9 +414,7 @@
         "queue_manager": "Queue Manager"
     },
     "start": {
-        "help": "Mostrar/Ocultar panell d'ajuda",
-        "mailcow_apps_detail": "Tria una aplicació (de moment només SOGo) per a accedir als teus correus, calendari, contactes i més.",
-        "mailcow_panel_detail": "Els <b>administradors del domini</b> poden crear, modificar o esborrar bústies i àlies, configurar i obtenir informació detallada sobre els seus dominis<br>\r\n\tEls <b>usuaris d'e-mail</b> poden crear àlies temporals (spam àlies), canviar la seva contrasenya i la configuració del seu filtre anti-spam."
+        "help": "Mostrar/Ocultar panell d'ajuda"
     },
     "success": {
         "admin_modified": "Els canvis fets a l'administrador s'han desat",
diff --git a/data/web/lang/lang.cs-cz.json b/data/web/lang/lang.cs-cz.json
index c087c84fb..67eb52baa 100644
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -1016,9 +1016,7 @@
     },
     "start": {
         "help": "Zobrazit/skrýt panel nápovědy",
-        "imap_smtp_server_auth_info": "Použijte celou e-mailovou adresu a zvolte způsob ověření PLAIN.<br>\r\nPřihlašovací údaje budou zašifrovány na straně serveru.",
-        "mailcow_apps_detail": "Použijte aplikace pro přístup k e-mailům, kalendáři, kontaktům atd.",
-        "mailcow_panel_detail": "<b>Správci domén</b> mohou vytvářet, upravovat nebo mazat schránky a aliasy, upravovat parametry domén a zobrazovat další informace o svých přidělených doménách.<br>\r\n<b>Uživatelé</b> mohou vytvářet dočasné aliasy (spam aliases), měnit svá hesla a nastavovat filtr spamu."
+        "imap_smtp_server_auth_info": "Použijte celou e-mailovou adresu a zvolte způsob ověření PLAIN.<br>\r\nPřihlašovací údaje budou zašifrovány na straně serveru."
     },
     "success": {
         "acl_saved": "ACL pro objekt %s uloženo",
diff --git a/data/web/lang/lang.da-dk.json b/data/web/lang/lang.da-dk.json
index 69dacffc9..f71fcfec2 100644
--- a/data/web/lang/lang.da-dk.json
+++ b/data/web/lang/lang.da-dk.json
@@ -822,9 +822,7 @@
     },
     "start": {
         "help": "Vis / skjul hjælpepanel",
-        "imap_smtp_server_auth_info": "Brug din fulde e-mail-adresse og PLAIN-godkendelsesmekanismen.<br>\r\nDine login-data bliver krypteret af den obligatoriske kryptering på serversiden.",
-        "mailcow_apps_detail": "Brug en mailcow-app til at få adgang til dine mails, kalender, kontakter og mere.",
-        "mailcow_panel_detail": "<b>Domæneadministratorer</b> oprette, ændre eller slette postkasser og aliasser, ændre domæner og læse yderligere information om deres tildelte domæner.<br>\r\n<b>Mailbox-brugere</b>er i stand til at oprette tidsbegrænsede aliaser (spamaliaser), ændre deres adgangskode og spamfilterindstillinger."
+        "imap_smtp_server_auth_info": "Brug din fulde e-mail-adresse og PLAIN-godkendelsesmekanismen.<br>\r\nDine login-data bliver krypteret af den obligatoriske kryptering på serversiden."
     },
     "success": {
         "acl_saved": "ACL til objekt %s gemt",
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index b8c7c3ac2..85a713c67 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -1067,9 +1067,7 @@
     },
     "start": {
         "help": "Hilfe ein-/ausblenden",
-        "imap_smtp_server_auth_info": "Bitte verwenden Sie Ihre vollständige E-Mail-Adresse sowie das PLAIN-Authentifizierungsverfahren.<br>\r\nIhre Anmeldedaten werden durch die obligatorische Verschlüsselung entgegen des Begriffes \"PLAIN\" nicht unverschlüsselt übertragen.",
-        "mailcow_apps_detail": "Verwenden Sie mailcow-Apps, um E-Mails abzurufen, Kalender und Kontakte zu verwalten und vieles mehr.",
-        "mailcow_panel_detail": "<b>Domain-Administratoren</b> erstellen, verändern oder löschen Mailboxen, verwalten die Domäne und sehen sonstige Einstellungen ein.<br>\r\n\tAls <b>Mailbox-Benutzer</b> erstellen Sie hier zeitlich limitierte Aliasse, ändern das Verhalten des Spamfilters, setzen ein neues Passwort und vieles mehr."
+        "imap_smtp_server_auth_info": "Bitte verwenden Sie Ihre vollständige E-Mail-Adresse sowie das PLAIN-Authentifizierungsverfahren.<br>\r\nIhre Anmeldedaten werden durch die obligatorische Verschlüsselung entgegen des Begriffes \"PLAIN\" nicht unverschlüsselt übertragen."
     },
     "success": {
         "acl_saved": "ACL für Objekt %s wurde gesetzt",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 7d87b4358..5f8e78a9b 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -1079,9 +1079,7 @@
     },
     "start": {
         "help": "Show/Hide help panel",
-        "imap_smtp_server_auth_info": "Please use your full email address and the PLAIN authentication mechanism.<br>\r\nYour login data will be encrypted by the server-side mandatory encryption.",
-        "mailcow_apps_detail": "Use a mailcow app to access your mails, calendar, contacts and more.",
-        "mailcow_panel_detail": "<b>Domain administrators</b> create, modify or delete mailboxes and aliases, change domains and read further information about their assigned domains.<br>\r\n<b>Mailbox users</b> are able to create time-limited aliases (spam aliases), change their password and spam filter settings."
+        "imap_smtp_server_auth_info": "Please use your full email address and the PLAIN authentication mechanism.<br>\r\nYour login data will be encrypted by the server-side mandatory encryption."
     },
     "success": {
         "acl_saved": "ACL for object %s saved",
diff --git a/data/web/lang/lang.es-es.json b/data/web/lang/lang.es-es.json
index 0bb1312b1..814142cc6 100644
--- a/data/web/lang/lang.es-es.json
+++ b/data/web/lang/lang.es-es.json
@@ -621,9 +621,7 @@
     },
     "start": {
         "help": "Mostrar/Ocultar panel de ayuda",
-        "imap_smtp_server_auth_info": "Por favor utiliza tu dirección de correo completa y el mecanismo de autenticación PLAIN.<br>\r\nTus datos para iniciar sesión serán cifrados por el cifrado obligatorio del servidor",
-        "mailcow_apps_detail": "Utiliza una aplicación de mailcow para acceder a tus correos, calendario, contactos y más.",
-        "mailcow_panel_detail": "<b>Administradores por dominio</b> pueden crear, modificar o eliminar buzones y alias, modificar los dominios asignados y ver información más detallada sobre los dominios asignados<br>\r\n\t<b>Usuarios de buzón</b> son capaces de crear alias de tiempo limitado (spam alias), cambiar su contraseña y la configuración del filtro de spam del buzón."
+        "imap_smtp_server_auth_info": "Por favor utiliza tu dirección de correo completa y el mecanismo de autenticación PLAIN.<br>\r\nTus datos para iniciar sesión serán cifrados por el cifrado obligatorio del servidor"
     },
     "success": {
         "acl_saved": "ACL para el objeto %s guardado",
diff --git a/data/web/lang/lang.fi-fi.json b/data/web/lang/lang.fi-fi.json
index 9cb71cf38..5dd6a9b2d 100644
--- a/data/web/lang/lang.fi-fi.json
+++ b/data/web/lang/lang.fi-fi.json
@@ -691,9 +691,7 @@
     },
     "start": {
         "help": "Näytä/Piilota help paneeli",
-        "imap_smtp_server_auth_info": "Käytä täydellistä sähkö posti osoitetta ja tavallista todennus mekanismia.<br>\r\nPalvelin puolen pakollinen salaus salaa kirjautumistietosi.",
-        "mailcow_apps_detail": "Käytä mailcow-sovellusta, kun haluat käyttää sähköposteja, kalenteria, yhteys tietoja ja paljon muuta",
-        "mailcow_panel_detail": "<b>Verkkotunnus alueen järjestelmänvalvojat</b> Luo, muokkaa tai poistaa posti laatikoita ja aliaksia, muita verkko tunnuksia ja lue lisä tietoja niiden määritetyista verkko tunnuksista.<br>\r\n<b>Posti laatikon käyttäjät</b> pystyvät luomaan rajoitetun ajan aliaksia (roska posti asetuksia), muuttamaan salasanaa ja roska posti suodattimen asetuksia."
+        "imap_smtp_server_auth_info": "Käytä täydellistä sähkö posti osoitetta ja tavallista todennus mekanismia.<br>\r\nPalvelin puolen pakollinen salaus salaa kirjautumistietosi."
     },
     "success": {
         "acl_saved": "Objektin ACL %s tallenettu",
diff --git a/data/web/lang/lang.fr-fr.json b/data/web/lang/lang.fr-fr.json
index e79abc3f7..e9bff05d5 100644
--- a/data/web/lang/lang.fr-fr.json
+++ b/data/web/lang/lang.fr-fr.json
@@ -987,9 +987,7 @@
     },
     "start": {
         "help": "Afficher/masquer le panneau d’aide",
-        "imap_smtp_server_auth_info": "Veuillez utiliser votre adresse courriel complète et le mécanisme d’authentification PLAIN.<br>\nVos données de connexion seront cryptées par le cryptage obligatoire côté serveur.",
-        "mailcow_apps_detail": "Utiliser une application mailcow pour accéder à vos messages, vos calendriers, vos contacts et plus.",
-        "mailcow_panel_detail": "<b>Les administrateurs de domaines</b> peuvent créer, modifier, ou supprimer des boîtes de réception et alias, changer de domaines et lire de plus amples renseignements sur les domaines qui leur sont attribués.<br>\n<b>Les utilisateurs de boîtes de réception</b> sont en mesure de créer des alias limités dans le temps (alias spam), de modifier leurs mots de passe et les paramètres du filtre anti-spam."
+        "imap_smtp_server_auth_info": "Veuillez utiliser votre adresse courriel complète et le mécanisme d’authentification PLAIN.<br>\nVos données de connexion seront cryptées par le cryptage obligatoire côté serveur."
     },
     "success": {
         "acl_saved": "ACL (Access Control List) pour l'objet %s enregistré",
diff --git a/data/web/lang/lang.hu-hu.json b/data/web/lang/lang.hu-hu.json
index 5737794fd..97f575a69 100644
--- a/data/web/lang/lang.hu-hu.json
+++ b/data/web/lang/lang.hu-hu.json
@@ -331,9 +331,7 @@
     },
     "start": {
         "help": "Súgó panel megjelenítése/elrejtése",
-        "imap_smtp_server_auth_info": "Kérjük használja a teljes email címét és a PLAIN hitelesítési mechanizmust.<br>\r\nAdatai el lesznek kódolva szerver-oldali kötelező titkosítással.",
-        "mailcow_apps_detail": "Használja a webmail appokat levelei, naptára és címjegyzéke eléréséhez.",
-        "mailcow_panel_detail": "<b>Domain adminisztrátorok</b> létre tudnak hozni, tudnak módosítani vagy törölni postafiókokat és aliasokat, módosíthatnak domaineket és hozzáférnek további információhoz a domainükről.<br>\r\n<b>Postafiók-felhasználók</b> létre tudnak hozni időkorlátos alias-okat (spam alias-okat), le tudják cserélni jelszavakat, valamint spam szűrőket állíthatnak be."
+        "imap_smtp_server_auth_info": "Kérjük használja a teljes email címét és a PLAIN hitelesítési mechanizmust.<br>\r\nAdatai el lesznek kódolva szerver-oldali kötelező titkosítással."
     },
     "success": {
         "admin_added": "Adminisztrátor %s hozzáadva",
diff --git a/data/web/lang/lang.it-it.json b/data/web/lang/lang.it-it.json
index ade6bc980..fdfa78161 100644
--- a/data/web/lang/lang.it-it.json
+++ b/data/web/lang/lang.it-it.json
@@ -974,9 +974,7 @@
     },
     "start": {
         "help": "Mostra/Nascondi pannello di aiuto",
-        "imap_smtp_server_auth_info": "Please use your full email address and the PLAIN authentication mechanism.<br />\r\nYour login data will be encrypted by the server-side mandatory encryption.",
-        "mailcow_apps_detail": "Usa l'app mailcow per accedere alla posta, calendari, contatti ed altro.",
-        "mailcow_panel_detail": "<b>Amministratori di dominio</b> crea, modifica od elimina caselle ed alias, cambia i domini e informazioni relative ai domini associati.<br />\r\n\t<b>Utenti di caselle</b> possono creare degli alias temporanei (spam aliases), cambiare la loro password e le impostazioni relative ai filtri spam."
+        "imap_smtp_server_auth_info": "Please use your full email address and the PLAIN authentication mechanism.<br />\r\nYour login data will be encrypted by the server-side mandatory encryption."
     },
     "success": {
         "acl_saved": "ACL for object %s saved",
diff --git a/data/web/lang/lang.ja-jp.json b/data/web/lang/lang.ja-jp.json
index 683cae373..ffd0a5bd3 100644
--- a/data/web/lang/lang.ja-jp.json
+++ b/data/web/lang/lang.ja-jp.json
@@ -1035,9 +1035,7 @@
     },
     "start": {
         "help": "ヘルプパネルを表示/非表示",
-        "imap_smtp_server_auth_info": "メールアドレス全体を使用し、PLAIN認証メカニズムを使用してください。<br>\r\nログインデータはサーバー側の強制暗号化により保護されます。",
-        "mailcow_apps_detail": "mailcowアプリを使用して、メール、カレンダー、連絡先などにアクセスできます。",
-        "mailcow_panel_detail": "<b>ドメイン管理者</b>は、メールボックスやエイリアスを作成、変更、削除したり、ドメインを変更したり、割り当てられたドメインに関する情報を確認できます。<br>\r\n<b>メールボックスユーザー</b>は、期間限定のエイリアス（スパムエイリアス）を作成したり、パスワードやスパムフィルターの設定を変更したりできます。"
+        "imap_smtp_server_auth_info": "メールアドレス全体を使用し、PLAIN認証メカニズムを使用してください。<br>\r\nログインデータはサーバー側の強制暗号化により保護されます。"
     },
     "success": {
         "acl_saved": "オブジェクト %s のACLを保存しました",
diff --git a/data/web/lang/lang.ko-kr.json b/data/web/lang/lang.ko-kr.json
index 27b028cd4..33afe448c 100644
--- a/data/web/lang/lang.ko-kr.json
+++ b/data/web/lang/lang.ko-kr.json
@@ -778,9 +778,7 @@
     },
     "start": {
         "help": "Show/Hide help panel",
-        "imap_smtp_server_auth_info": "Please use your full email address and the PLAIN authentication mechanism.<br>\r\nYour login data will be encrypted by the server-side mandatory encryption.",
-        "mailcow_apps_detail": "Use a mailcow app to access your mails, calendar, contacts and more.",
-        "mailcow_panel_detail": "<b>Domain administrators</b> create, modify or delete mailboxes and aliases, change domains and read further information about their assigned domains.<br>\r\n<b>Mailbox users</b> are able to create time-limited aliases (spam aliases), change their password and spam filter settings."
+        "imap_smtp_server_auth_info": "Please use your full email address and the PLAIN authentication mechanism.<br>\r\nYour login data will be encrypted by the server-side mandatory encryption."
     },
     "success": {
         "acl_saved": "ACL for object %s saved",
diff --git a/data/web/lang/lang.lv-lv.json b/data/web/lang/lang.lv-lv.json
index 6a3e179de..545bbe475 100644
--- a/data/web/lang/lang.lv-lv.json
+++ b/data/web/lang/lang.lv-lv.json
@@ -467,9 +467,7 @@
     },
     "start": {
         "help": "Rādīt/Paslēpt palīdzības paneli",
-        "imap_smtp_server_auth_info": "Lūgums izmantot pilnu e-pasta adresi un PLAIN autentificēšanās mehānismu.<br>\nPieteikšanās dati tiks šifrēti ar servera puses obligātu šifrēšanu.",
-        "mailcow_apps_detail": "Izmantojiet lietotni mailcow, lai piekļūtu savam pastam, kalendāram, kontaktiem un citām lietām.",
-        "mailcow_panel_detail": "<b>Domēna pārvaldītāji</b> izveido, maina vai izdzēš pastkastes un aizstājvārdus, maina domēnus un lasa papildu informāciju par piešķirtajiem domēniem.<br>\n<b>Pastkastes lietotāji</b> var izveidot laikā ierobežotus aizstājvārdus (surogātpasta aizstājvārdus), mainīt savu paroli un surogātpasta atlasīšanas iestatījumus."
+        "imap_smtp_server_auth_info": "Lūgums izmantot pilnu e-pasta adresi un PLAIN autentificēšanās mehānismu.<br>\nPieteikšanās dati tiks šifrēti ar servera puses obligātu šifrēšanu."
     },
     "success": {
         "admin_modified": "Izmaiņas administrātoram ir saglabātas",
diff --git a/data/web/lang/lang.nl-nl.json b/data/web/lang/lang.nl-nl.json
index 907a46d60..71ec97209 100644
--- a/data/web/lang/lang.nl-nl.json
+++ b/data/web/lang/lang.nl-nl.json
@@ -878,9 +878,7 @@
     },
     "start": {
         "help": "Toon/verberg hulppaneel",
-        "imap_smtp_server_auth_info": "Gebruik je volledige mailadres en het bijbehorende (onversleutelde) verificatiemechanisme.<br>De aanmeldgegevens worden versleuteld verzonden.",
-        "mailcow_apps_detail": "Gebruik een Mailcow-app om je mails, agenda, contacten en meer te bekijken.",
-        "mailcow_panel_detail": "<b>Domeinadministrators</b> kunnen mailboxen en aliassen aanmaken, wijzigen en verwijderen. Ook kunnen ze domeinen weergeven en aanpassen.<br><b>Gebruikers</b> kunnen tijdelijke aliassen aanmaken, hun wachtwoord aanpassen en de spamfilterinstellingen wijzigen."
+        "imap_smtp_server_auth_info": "Gebruik je volledige mailadres en het bijbehorende (onversleutelde) verificatiemechanisme.<br>De aanmeldgegevens worden versleuteld verzonden."
     },
     "success": {
         "acl_saved": "Toegangscontrole voor object %s is opgeslagen",
diff --git a/data/web/lang/lang.pl-pl.json b/data/web/lang/lang.pl-pl.json
index cba7372a0..521c17779 100644
--- a/data/web/lang/lang.pl-pl.json
+++ b/data/web/lang/lang.pl-pl.json
@@ -290,9 +290,7 @@
     },
     "start": {
         "help": "Pokaż/Ukryj panel pomocy",
-        "imap_smtp_server_auth_info": "Proszę korzystać z pełnego adresu email i mechanizmu uwierzytelniania PLAIN.<br>\r\nTwoje dane logowania zostaną zaszyfrowane przez obowiązkowe szyfrowanie po stronie serwera.",
-        "mailcow_apps_detail": "Użyj aplikacji mailcow, aby mieć dostęp do wiadomości, kalendarza, kontaktów i innych.",
-        "mailcow_panel_detail": "<b>Administratorzy domeny</b> tworzą, modyfikują lub usuwają skrzynki i aliasy, zmieniają domeny i czytają dalsze informacje o przypisanych im domenach.<br>\r\n\t<b>Użytkownicy skrzynek</b> mogą tworzyć ograniczone czasowo aliasy (aliasy spam), zmieniać swoje hasła i ustawienia filtru spam."
+        "imap_smtp_server_auth_info": "Proszę korzystać z pełnego adresu email i mechanizmu uwierzytelniania PLAIN.<br>\r\nTwoje dane logowania zostaną zaszyfrowane przez obowiązkowe szyfrowanie po stronie serwera."
     },
     "success": {
         "admin_modified": "Zapisano zmiany w administratorze",
diff --git a/data/web/lang/lang.pt-br.json b/data/web/lang/lang.pt-br.json
index a0448c188..57e79ede8 100644
--- a/data/web/lang/lang.pt-br.json
+++ b/data/web/lang/lang.pt-br.json
@@ -1030,9 +1030,7 @@
     },
     "start": {
         "help": "Mostrar/ocultar painel de ajuda",
-        "imap_smtp_server_auth_info": "Use seu endereço de e-mail completo e o mecanismo de autenticação PLAIN. <br>\r\nSeus dados de login serão criptografados pela criptografia obrigatória do lado do servidor.",
-        "mailcow_apps_detail": "Use um aplicativo mailcow para acessar seus e-mails, calendário, contatos e muito mais.",
-        "mailcow_panel_detail": "<b>Os administradores de domínio</b> criam, modificam ou excluem mailboxes e aliases, alteram domínios e leem mais informações sobre seus domínios atribuídos. <br>\n<b>Os usuários de mailbox </b> podem criar aliases com limite de tempo (aliases de spam), alterar suas configurações de senha e filtro de spam."
+        "imap_smtp_server_auth_info": "Use seu endereço de e-mail completo e o mecanismo de autenticação PLAIN. <br>\r\nSeus dados de login serão criptografados pela criptografia obrigatória do lado do servidor."
     },
     "success": {
         "acl_saved": "ACL para o objeto %s salvo",
diff --git a/data/web/lang/lang.pt-pt.json b/data/web/lang/lang.pt-pt.json
index 2279c2cec..baa90f797 100644
--- a/data/web/lang/lang.pt-pt.json
+++ b/data/web/lang/lang.pt-pt.json
@@ -197,9 +197,7 @@
     },
     "start": {
         "help": "Mostrar/Ocultar painel de ajuda",
-        "imap_smtp_server_auth_info": "Utilize o endereço de email completo com o método de autentucação PLAIN.<br>\r\nOs dados de login serão encryptados pelo servidor.",
-        "mailcow_apps_detail": "Use um mailcow app para acessar seus emails, calendário, contatos e outras informações.",
-        "mailcow_panel_detail": "<b>Administradores:</b> podem criar, alterar ou apagar contas e apelidos , alterar domínios e outras informações de seus domínios atribuídos.<br>\r\n\t<b>utilizadors:</b> podem criar apelidos por tempo determinado , alterar senha e configuração do nível do filtro de spam."
+        "imap_smtp_server_auth_info": "Utilize o endereço de email completo com o método de autentucação PLAIN.<br>\r\nOs dados de login serão encryptados pelo servidor."
     },
     "success": {
         "admin_modified": "Administrador alterado com sucesso",
diff --git a/data/web/lang/lang.ro-ro.json b/data/web/lang/lang.ro-ro.json
index 6a552a1b1..8b002fdf5 100644
--- a/data/web/lang/lang.ro-ro.json
+++ b/data/web/lang/lang.ro-ro.json
@@ -921,9 +921,7 @@
     },
     "start": {
         "help": "Afișează/Ascunde panoul de ajutor",
-        "imap_smtp_server_auth_info": "Utilizează adresa completă de email și mecanismul de autentificare SIMPLU.<br>\nDatele tale de conectare vor fi criptate prin criptarea obligatorie de la server.",
-        "mailcow_apps_detail": "Utilizează o aplicație mailcow pentru a accesa mailurile, agenda, contactele și altele.",
-        "mailcow_panel_detail": "<b>Administratorii de domeniu</b> creează, modifică sau șterg căsuțe poștale și aliasuri, modifică domenii și citesc informații suplimentare despre domeniile lor atribuite.<br>\n<b>Utilizatorii cu cutii poștale</b> pot să creeze aliasuri limitate în timp (aliasuri spam), să își schimbe parola și setările pentru filtrul de spam."
+        "imap_smtp_server_auth_info": "Utilizează adresa completă de email și mecanismul de autentificare SIMPLU.<br>\nDatele tale de conectare vor fi criptate prin criptarea obligatorie de la server."
     },
     "success": {
         "acl_saved": "ACL pentru obiectul %s a fost salvat",
diff --git a/data/web/lang/lang.ru-ru.json b/data/web/lang/lang.ru-ru.json
index c3a17f432..e9d856924 100644
--- a/data/web/lang/lang.ru-ru.json
+++ b/data/web/lang/lang.ru-ru.json
@@ -1035,9 +1035,7 @@
     },
     "start": {
         "help": "Справка",
-        "imap_smtp_server_auth_info": "Пожалуйста, используйте свой полный адрес электронной почты в формате <code>user@example.com</code> и PLAIN механизм авторизации.<br>\r\nВаши данные авторизации будут зашифрованы на уровне шифрования канала подключения к серверу, поэтому убедитесь, что вы используете надежное TLS подключение.",
-        "mailcow_apps_detail": "Используйте приложения для доступа к вашей почте, календарю, контактам, и прочим функциям.",
-        "mailcow_panel_detail": "<b>Администраторы домена</b> могут создавать, изменять или удалять почтовые ящики и псевдонимы, измененять домены и смотреть информацию о своих назначенных доменах. <br><b>Пользователи почтовых ящиков</b> имеют возможность создавать временные псевдонимы (спам псевдонимы), менять свой пароль и настройки фильтра спама."
+        "imap_smtp_server_auth_info": "Пожалуйста, используйте свой полный адрес электронной почты в формате <code>user@example.com</code> и PLAIN механизм авторизации.<br>\r\nВаши данные авторизации будут зашифрованы на уровне шифрования канала подключения к серверу, поэтому убедитесь, что вы используете надежное TLS подключение."
     },
     "success": {
         "acl_saved": "ACL для %s сохранено",
diff --git a/data/web/lang/lang.sk-sk.json b/data/web/lang/lang.sk-sk.json
index f84d83eae..cf480cc70 100644
--- a/data/web/lang/lang.sk-sk.json
+++ b/data/web/lang/lang.sk-sk.json
@@ -968,9 +968,7 @@
     },
     "start": {
         "help": "Zobraziť/Skryť panel nápoveď",
-        "imap_smtp_server_auth_info": "Prosím použite celú vašu emailovú adresu a metódu overenia PLAIN.<br>\r\n Vaše prihlasovacie údaje budú zašifrované na strane servera.",
-        "mailcow_apps_detail": "Použite mailcow aplikácie pre prístup k vašej mailovej schránke, kalendáru, kontaktom a viac.",
-        "mailcow_panel_detail": "<b>Administrátori domény</b> môžu vytvárať, modifikovať alebo mazať schránky a aliasy, meniť domény a zobraziť informácie o priradených doménach.<br>\r\n<b>Bežný používatelia</b> majú možnosť vytvoriť časovo obmedzené aliasy (spam aliasy), meniť heslá a nastavenia spam filtra."
+        "imap_smtp_server_auth_info": "Prosím použite celú vašu emailovú adresu a metódu overenia PLAIN.<br>\r\n Vaše prihlasovacie údaje budú zašifrované na strane servera."
     },
     "success": {
         "acl_saved": "ACL pre objekt %s uložený",
diff --git a/data/web/lang/lang.sv-se.json b/data/web/lang/lang.sv-se.json
index c889a57cb..56618938a 100644
--- a/data/web/lang/lang.sv-se.json
+++ b/data/web/lang/lang.sv-se.json
@@ -841,9 +841,7 @@
     },
     "start": {
         "help": "Visa/dölj hjälppanel",
-        "imap_smtp_server_auth_info": "Använd din fullständiga e-postadress och PLAIN-autentiseringsmekanism.<br>\r\nInloggningsuppgifterna överförs krypterat eftersom obligatorisk kryptering sker till servern.",
-        "mailcow_apps_detail": "Använd Mailcow-applikationen för att läsa e-postmeddelanden, kalender, kontakter och mer.",
-        "mailcow_panel_detail": "<b>Domänadministratörer</b> skapar, ändrar eller kan ta bort postlådor eller aliasadresser. Dom administrerar och felsöker sina tilldelade domäner.<br>\r\n<b>Användare av påstlådor</b> kan skapa tidsbegränsade aliasadresser (skräppostalias), ändra sitt lösenord och hantera spamfilterinställningar."
+        "imap_smtp_server_auth_info": "Använd din fullständiga e-postadress och PLAIN-autentiseringsmekanism.<br>\r\nInloggningsuppgifterna överförs krypterat eftersom obligatorisk kryptering sker till servern."
     },
     "success": {
         "acl_saved": "Åtkomstlistan för objektet %s har sparats",
diff --git a/data/web/lang/lang.tr-tr.json b/data/web/lang/lang.tr-tr.json
index 22dd902f1..73513e3c0 100644
--- a/data/web/lang/lang.tr-tr.json
+++ b/data/web/lang/lang.tr-tr.json
@@ -1062,9 +1062,7 @@
         "tfa": "Çift faktörlü doğrulama"
     },
     "start": {
-        "mailcow_panel_detail": "<b>Etki alanı yöneticileri</b> posta kutuları ve takma adlar oluşturur, değiştirir veya siler, alan adlarını değiştirir ve atanan alan adları hakkında daha fazla bilgi okur.<br>\\r\\n<b>Posta kutusu kullanıcıları</b> zaman oluşturabilir -sınırlı takma adlar (spam takma adları), şifrelerini ve spam filtresi ayarlarını değiştirin.",
         "imap_smtp_server_auth_info": "Lütfen tam e-posta adresinizi ve PLAIN kimlik doğrulama mekanizmasını kullanın.<br>\\r\\nGiriş verileriniz, sunucu tarafı zorunlu şifreleme ile şifrelenecektir.",
-        "mailcow_apps_detail": "Postalarınıza, takviminize, kişilerinize ve daha fazlasına erişmek için bir mailcow uygulaması kullanın.",
         "help": "Yardım panelini göster/gizle"
     },
     "queue": {
diff --git a/data/web/lang/lang.uk-ua.json b/data/web/lang/lang.uk-ua.json
index 2ca81e478..c6ded247b 100644
--- a/data/web/lang/lang.uk-ua.json
+++ b/data/web/lang/lang.uk-ua.json
@@ -987,9 +987,7 @@
     },
     "start": {
         "help": "Довідка",
-        "mailcow_apps_detail": "Використовуйте mailcow, щоб отримати доступ до своєї пошти, календаря, контактів тощо.",
-        "imap_smtp_server_auth_info": "Будь ласка, використовуйте повну адресу електронної пошти у форматі <code>user@example.com</code> та PLAIN механізм авторизації.<br>\nВаші дані авторизації будуть зашифровані на рівні шифрування каналу підключення до сервера, тому переконайтеся, що ви використовуєте надійне підключення TLS.",
-        "mailcow_panel_detail": "<b>Адміністратори домену</b> можуть створювати, змінювати або видаляти поштові скриньки та псевдоніми, змінювати домени та дивитися інформацію про свої призначені домени. <br><b>Користувачі поштових скриньок</b> мають можливість створювати тимчасові псевдоніми (спам псевдоніми), змінювати свій пароль та налаштування фільтра спаму."
+        "imap_smtp_server_auth_info": "Будь ласка, використовуйте повну адресу електронної пошти у форматі <code>user@example.com</code> та PLAIN механізм авторизації.<br>\nВаші дані авторизації будуть зашифровані на рівні шифрування каналу підключення до сервера, тому переконайтеся, що ви використовуєте надійне підключення TLS."
     },
     "success": {
         "acl_saved": "ACL для %s збережено",
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 9a1927391..0740253a1 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -1008,9 +1008,7 @@
     },
     "start": {
         "help": "显示/隐藏 帮助面板",
-        "imap_smtp_server_auth_info": "请使用你的完整邮箱地址并使用 PLAIN (明文) 认证方法。<br>\r\n你的登录数据会被服务端强制加密。",
-        "mailcow_apps_detail": "使用 Mailcow 应用访问你的邮件、日历、联系人以及更多内容。",
-        "mailcow_panel_detail": "<b>域名管理员</b>可以创建、修改或删除邮箱的别名，更改分配给用户的域名并读取更多域名相关信息。<br>\r\n<b>邮箱用户</b>可以创建临时别名 (垃圾邮件别名)，更改密码以及设置垃圾邮件过滤器。"
+        "imap_smtp_server_auth_info": "请使用你的完整邮箱地址并使用 PLAIN (明文) 认证方法。<br>\r\n你的登录数据会被服务端强制加密。"
     },
     "success": {
         "acl_saved": "已保存对象 %s 的 ACL 设置",
diff --git a/data/web/lang/lang.zh-tw.json b/data/web/lang/lang.zh-tw.json
index 600664891..63ac5df04 100644
--- a/data/web/lang/lang.zh-tw.json
+++ b/data/web/lang/lang.zh-tw.json
@@ -985,9 +985,7 @@
     },
     "start": {
         "help": "顯示/隱藏 幫助面板",
-        "imap_smtp_server_auth_info": "請使用完整的信箱地址及明文認證 (PLAIN) 來登入。<br>\r\n你的登入資訊會在伺服器端被加密。",
-        "mailcow_apps_detail": "使用 mailcow 應用程式來存取你的郵件、行事曆、聯絡資訊及其他更多功能。",
-        "mailcow_panel_detail": "<b>域名管理員</b> 可以創建、修改、刪除信箱別名，以及讀取並修改被指定他們名下的域名。<br>\r\n<b>信箱使用者</b> 可以創建臨時別名 (垃圾郵件別名)，更改密碼和垃圾郵件過濾器設定。"
+        "imap_smtp_server_auth_info": "請使用完整的信箱地址及明文認證 (PLAIN) 來登入。<br>\r\n你的登入資訊會在伺服器端被加密。"
     },
     "success": {
         "acl_saved": "%s 的存取權限表已儲存",
diff --git a/data/web/templates/user_index.twig b/data/web/templates/user_index.twig
index ee54c0e93..4ed942143 100644
--- a/data/web/templates/user_index.twig
+++ b/data/web/templates/user_index.twig
@@ -101,7 +101,7 @@
     </div>
   </div>
 </div>
-{% if not oauth2_request %}
+{% if not oauth2_request and ui_texts.help_text %}
 <div class="row">
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
     <div class="card">
@@ -110,18 +110,11 @@
       </div>
       <div id="collapse1" class="card-collapse collapse">
         <div class="card-body">
-          {% if ui_texts.help_text %}
           <p>{{ ui_texts.help_text|raw }}</p>
-          {% else %}
-          <p><span style="border-bottom: 1px dotted #999;">{{ ui_texts.main_name|raw }}</span></p>
-          <p>{{ lang.start.mailcow_panel_detail|raw }}</p>
-          <p><span style="border-bottom: 1px dotted #999;">{{ ui_texts.apps_name|raw }}</span></p>
-          <p>{{ lang.start.mailcow_apps_detail|raw }}</p>
-          {% endif %}
         </div>
       </div>
     </div>
   </div>
-  {% endif %}
 </div>
+{% endif %}
 {% endblock %}

From 5f15475b55b91485781cb6a46f1ec43fb92719e7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 7 Mar 2025 15:18:42 +0100
Subject: [PATCH 186/378] [Rspamd] Remove redis.conf from tracking

---
 data/conf/rspamd/local.d/redis.conf | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 data/conf/rspamd/local.d/redis.conf

diff --git a/data/conf/rspamd/local.d/redis.conf b/data/conf/rspamd/local.d/redis.conf
deleted file mode 100644
index 5ee0ac196..000000000
--- a/data/conf/rspamd/local.d/redis.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-servers = "redis:6379";
-timeout = 10;

From 03565df48dd5dd818899e8794cbef4ac1e6029c4 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Fri, 7 Mar 2025 21:37:31 +0100
Subject: [PATCH 187/378] [Web] Updated lang.ko-kr.json (#6356)

Co-authored-by: dongsu8142 <dongsu8142@naver.com>
---
 data/web/lang/lang.ko-kr.json | 54 +++++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/data/web/lang/lang.ko-kr.json b/data/web/lang/lang.ko-kr.json
index 546ccdfcc..9e281584b 100644
--- a/data/web/lang/lang.ko-kr.json
+++ b/data/web/lang/lang.ko-kr.json
@@ -201,7 +201,7 @@
         "link": "Link",
         "loading": "잠시만 기다려주세요...",
         "logo_info": "이미지 크기는 상단 탐색 막대의 경우 40px, 시작 페이지의 경우 최대 너비 250px로 조정됩니다. 확장 가능한 그래픽을 권장합니다.",
-        "lookup_mx": "MX와 목적지 일치 (.outlook.com이 홉을 통해서 MX *.outlook.com을 대상으로 하는 모든 메일을 라우트한다.)",
+        "lookup_mx": "목적지가 MX 이름과 일치하는 정규 표현식입니다. (<code>.*\\.google\\.com</code>를 사용하여 이 홉을 통해 google.com으로 끝나는 모든 메일을 대상으로 하는 MX로 라우팅합니다.)",
         "main_name": "\"mailcow UI\" 이름",
         "merged_vars_hint": "회색으로 표시된 행은 <code>vars.(local.)php</code> 에서 병합되었고 이는 수정할 수 없습니다.",
         "message": "메세지",
@@ -350,7 +350,10 @@
         "admins": "관리자",
         "admins_ldap": "LDAP 관리자",
         "api_read_only": "읽기 전용 액세스",
-        "api_read_write": "읽기-쓰기 액세스"
+        "api_read_write": "읽기-쓰기 액세스",
+        "is_mx_based": "MX 기반",
+        "login_time": "로그인 시간",
+        "ip_check_opt_in": "외부 IP 주소 확인을 위해 타사 서비스 <strong>ipv4.mailcow.email</strong> 및 <strong>ipv6.mailcow.email</strong>을 사용하도록 설정합니다."
     },
     "danger": {
         "access_denied": "접근이 거부되거나 잘못된 데이터 양식",
@@ -485,7 +488,9 @@
         "fido2_verification_failed": "FIDO2 인증 실패: %s",
         "extended_sender_acl_denied": "외부 발신자 주소를 설정하는 ACL 누락",
         "img_dimensions_exceeded": "이미지가 최대 이미지 크기를 초과합니다.",
-        "reset_token_limit_exceeded": "토큰 재설정 한도를 초과했습니다. 나중에 다시 시도해 주세요."
+        "reset_token_limit_exceeded": "토큰 재설정 한도를 초과했습니다. 나중에 다시 시도해 주세요.",
+        "cors_invalid_method": "잘못된 허용 메서드를 지정했습니다.",
+        "cors_invalid_origin": "잘못된 허용 원본을 지정했습니다."
     },
     "debug": {
         "chart_this_server": "Chart (this server)",
@@ -506,7 +511,22 @@
         "static_logs": "Static logs",
         "system_containers": "System & Containers",
         "current_time": "시스템 시간",
-        "no_update_available": "시스템이 최신 버전입니다."
+        "no_update_available": "시스템이 최신 버전입니다.",
+        "architecture": "아키텍처",
+        "container_running": "실행 중",
+        "container_disabled": "컨테이너 중지 또는 비활성화",
+        "container_stopped": "중지됨",
+        "online_users": "온라인 사용자",
+        "service": "서비스",
+        "success": "성공",
+        "show_ip": "공인 IP 표시",
+        "timezone": "시간대",
+        "update_available": "사용 가능한 업데이트가 있습니다.",
+        "update_failed": "업데이트를 확인할 수 없습니다",
+        "username": "사용자 이름",
+        "memory": "메모리",
+        "error_show_ip": "공인 IP 주소를 확인할 수 없습니다",
+        "login_time": "시간"
     },
     "diagnostics": {
         "cname_from_a": "Value derived from A/AAAA record. This is supported as long as the record points to the correct resource.",
@@ -614,7 +634,13 @@
         "title": "Edit object",
         "unchanged_if_empty": "If unchanged leave blank",
         "username": "Username",
-        "validate_save": "Validate and save"
+        "validate_save": "Validate and save",
+        "allow_from_smtp": "다음 IP만 <b>SMTP</b>를 사용하도록 허용합니다.",
+        "allow_from_smtp_info": "모든 발신자를 허용하려면 비워둡니다.<br>IPv4/IPv6 주소 및 네트워크.",
+        "allowed_protocols": "허용된 프로토콜",
+        "app_passwd_protocols": "앱 비밀번호에 대해 허용되는 프로토콜",
+        "acl": "ACL (권한)",
+        "admin": "관리자 수정"
     },
     "footer": {
         "cancel": "Cancel",
@@ -1093,6 +1119,22 @@
     },
     "datatables": {
         "collapse_all": "모두 접기",
-        "decimal": "."
+        "decimal": ".",
+        "emptyTable": "테이블에 사용 가능한 데이터가 없습니다.",
+        "expand_all": "모두 펼치기",
+        "infoEmpty": "0개 항목 중 0개부터 0개까지 표시",
+        "infoFiltered": "(_MAX_ 총 항목에서 필터링됨)",
+        "thousands": ",",
+        "lengthMenu": "_MENU_ 항목 표시",
+        "loadingRecords": "로딩 중...",
+        "processing": "잠시만 기다려 주세요...",
+        "search": "검색:",
+        "zeroRecords": "일치하는 레코드가 없습니다.",
+        "paginate": {
+            "first": "처음",
+            "last": "마지막",
+            "next": "다음",
+            "previous": "이전"
+        }
     }
 }

From aac0a900cea3e57dafc80a0593c3ea6cc5d95645 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 10 Mar 2025 10:49:27 +0100
Subject: [PATCH 188/378] [Web] Fix JSON parsing issue for api requests

---
 data/web/js/build/011-api.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/data/web/js/build/011-api.js b/data/web/js/build/011-api.js
index c657c1344..1fe595c69 100644
--- a/data/web/js/build/011-api.js
+++ b/data/web/js/build/011-api.js
@@ -158,9 +158,11 @@ $(document).ready(function() {
         var attr_to_merge = $(this).closest("form").serializeObject();
         // parse possible JSON Strings
         for (var [key, value] of Object.entries(attr_to_merge)) {
-          try {
-            attr_to_merge[key] = JSON.parse(attr_to_merge[key]);
-          } catch {}
+          if (typeof value === "string" && /^[\[\{"].*[\}\]"]$/.test(value.trim())) {
+            try {
+              attr_to_merge[key] = JSON.parse(attr_to_merge[key]);
+            } catch {}
+          }
         }
         var api_attr = $.extend(api_attr, attr_to_merge)
       } else {
@@ -271,9 +273,11 @@ $(document).ready(function() {
         var attr_to_merge = $(this).closest("form").serializeObject();
         // parse possible JSON Strings
         for (var [key, value] of Object.entries(attr_to_merge)) {
-          try {
-            attr_to_merge[key] = JSON.parse(attr_to_merge[key]);
-          } catch {}
+          if (typeof value === "string" && /^[\[\{"].*[\}\]"]$/.test(value.trim())) {
+            try {
+              attr_to_merge[key] = JSON.parse(attr_to_merge[key]);
+            } catch {}
+          }
         }
         var api_attr = $.extend(api_attr, attr_to_merge)
       } else {
@@ -312,7 +316,7 @@ $(document).ready(function() {
                 var key = localStorage.key(i);
                 if(/formcache/.test(key)) {
                   localStorage.removeItem(key);
-                }  
+                }
               }
             }
           }

From 86df78255d8bc558ddcf23bfae0d2ef8313072ed Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 10 Mar 2025 11:39:19 +0100
Subject: [PATCH 189/378] chore(deps): update dependency composer/composer to
 v2.8.6 (#5719)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 data/Dockerfiles/phpfpm/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index 038c586a8..f5ae3fbd7 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -13,7 +13,7 @@ ARG MEMCACHED_PECL_VERSION=3.2.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG REDIS_PECL_VERSION=6.1.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG COMPOSER_VERSION=2.6.6
+ARG COMPOSER_VERSION=2.8.6
 
 RUN apk add -U --no-cache autoconf \
   aspell-dev \

From 0860a7503e29cf268a58e1a593367ea8f9f9816d Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Mon, 10 Mar 2025 11:56:12 +0100
Subject: [PATCH 190/378] os: updated alpine containers to 3.21

---
 data/Dockerfiles/acme/Dockerfile      |  4 ++--
 data/Dockerfiles/dockerapi/Dockerfile |  2 +-
 data/Dockerfiles/dovecot/Dockerfile   |  4 ++--
 data/Dockerfiles/netfilter/Dockerfile |  2 +-
 data/Dockerfiles/olefy/Dockerfile     |  2 +-
 data/Dockerfiles/phpfpm/Dockerfile    |  2 +-
 data/Dockerfiles/unbound/Dockerfile   |  2 +-
 data/Dockerfiles/watchdog/Dockerfile  |  2 +-
 docker-compose.yml                    | 16 ++++++++--------
 9 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/data/Dockerfiles/acme/Dockerfile b/data/Dockerfiles/acme/Dockerfile
index 8aa16ad58..5b7378c7b 100644
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
@@ -15,7 +15,7 @@ RUN apk upgrade --no-cache \
   tini \
   tzdata \
   python3 \
-  acme-tiny --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community/
+  acme-tiny
 
 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh
diff --git a/data/Dockerfiles/dockerapi/Dockerfile b/data/Dockerfiles/dockerapi/Dockerfile
index bbd4542e6..872764317 100644
--- a/data/Dockerfiles/dockerapi/Dockerfile
+++ b/data/Dockerfiles/dockerapi/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index 1c35639e9..6b846cec8 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
@@ -65,7 +65,7 @@ RUN addgroup -g 5000 vmail \
   perl-par-packer \
   perl-parse-recdescent \
   perl-lockfile-simple \
-  libproc \
+  libproc2 \
   perl-readonly \
   perl-regexp-common \
   perl-sys-meminfo \
diff --git a/data/Dockerfiles/netfilter/Dockerfile b/data/Dockerfiles/netfilter/Dockerfile
index 86f9e3f69..57dbd6e94 100644
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
diff --git a/data/Dockerfiles/olefy/Dockerfile b/data/Dockerfiles/olefy/Dockerfile
index 3b2729134..845b125f6 100644
--- a/data/Dockerfiles/olefy/Dockerfile
+++ b/data/Dockerfiles/olefy/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index f5ae3fbd7..4ba8349f9 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:8.2-fpm-alpine3.20
+FROM php:8.2-fpm-alpine3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
diff --git a/data/Dockerfiles/unbound/Dockerfile b/data/Dockerfiles/unbound/Dockerfile
index 7e4f18dec..4903750ed 100644
--- a/data/Dockerfiles/unbound/Dockerfile
+++ b/data/Dockerfiles/unbound/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
index f8aa262bb..a55a97a4c 100644
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 4c470f5bd..7ddbd1240 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
 
     unbound-mailcow:
-      image: ghcr.io/mailcow/unbound:1.23
+      image: ghcr.io/mailcow/unbound:1.24
       environment:
         - TZ=${TZ}
         - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n}
@@ -117,7 +117,7 @@ services:
             - rspamd
 
     php-fpm-mailcow:
-      image: ghcr.io/mailcow/phpfpm:1.92
+      image: ghcr.io/mailcow/phpfpm:1.93
       command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
       depends_on:
         - redis-mailcow
@@ -234,7 +234,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: ghcr.io/mailcow/dovecot:2.31
+      image: ghcr.io/mailcow/dovecot:2.32
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow
@@ -419,7 +419,7 @@ services:
           condition: service_started
         unbound-mailcow:
           condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.91
+      image: ghcr.io/mailcow/acme:1.92
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
@@ -457,7 +457,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: ghcr.io/mailcow/netfilter:1.61
+      image: ghcr.io/mailcow/netfilter:1.62
       stop_grace_period: 30s
       restart: always
       privileged: true
@@ -477,7 +477,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: ghcr.io/mailcow/watchdog:2.06
+      image: ghcr.io/mailcow/watchdog:2.07
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       tmpfs:
@@ -549,7 +549,7 @@ services:
             - watchdog
 
     dockerapi-mailcow:
-      image: ghcr.io/mailcow/dockerapi:2.10
+      image: ghcr.io/mailcow/dockerapi:2.11
       security_opt:
         - label=disable
       restart: always
@@ -569,7 +569,7 @@ services:
             - dockerapi
 
     olefy-mailcow:
-      image: ghcr.io/mailcow/olefy:1.13
+      image: ghcr.io/mailcow/olefy:1.14
       restart: always
       environment:
         - TZ=${TZ}

From 2f93f1d0c5b9642190c1358a03038be4c3f4bb43 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Mon, 10 Mar 2025 16:45:57 +0100
Subject: [PATCH 191/378] os: fixes for newer mariadb-client versions
 (especially on alpine 3.21)

---
 data/Dockerfiles/acme/Dockerfile              |  1 -
 data/Dockerfiles/acme/acme.sh                 |  4 +--
 data/Dockerfiles/dovecot/clean_q_aged.sh      |  4 +--
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 10 +++----
 data/Dockerfiles/phpfpm/docker-entrypoint.sh  | 12 ++++----
 data/Dockerfiles/sogo/bootstrap-sogo.sh       | 28 +++++++++----------
 .../watchdog/check_mysql_slavestatus.sh       |  4 +--
 data/Dockerfiles/watchdog/watchdog.sh         |  2 +-
 8 files changed, 32 insertions(+), 33 deletions(-)

diff --git a/data/Dockerfiles/acme/Dockerfile b/data/Dockerfiles/acme/Dockerfile
index 5b7378c7b..f6e990e57 100644
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@@ -2,7 +2,6 @@ FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
-
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \
   bash \
diff --git a/data/Dockerfiles/acme/acme.sh b/data/Dockerfiles/acme/acme.sh
index 64a4d1765..a6766efd0 100755
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -138,7 +138,7 @@ log_f "Resolver OK"
 log_f "Waiting for domain table..."
 while [[ -z ${DOMAIN_TABLE} ]]; do
   curl --silent http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network/ >/dev/null 2>&1
-  DOMAIN_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+  DOMAIN_TABLE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
   [[ -z ${DOMAIN_TABLE} ]] && sleep 10
 done
 log_f "OK" no_date
@@ -231,7 +231,7 @@ while true; do
 
   #########################################
   # IP and webroot challenge verification #
-  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
+  SQL_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
   if [[ ! $? -eq 0 ]]; then
     log_f "Failed to read SQL domains, retrying in 1 minute..."
     sleep 1m
diff --git a/data/Dockerfiles/dovecot/clean_q_aged.sh b/data/Dockerfiles/dovecot/clean_q_aged.sh
index 3fa8a7ddb..ebedc8999 100755
--- a/data/Dockerfiles/dovecot/clean_q_aged.sh
+++ b/data/Dockerfiles/dovecot/clean_q_aged.sh
@@ -15,6 +15,6 @@ if ! [[ ${MAX_AGE} =~ ${NUM_REGEXP} ]] ; then
   exit 1
 fi
 
-TO_DELETE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
-mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
+TO_DELETE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
+mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
 echo "Deleted ${TO_DELETE} items from quarantine table (max age is ${MAX_AGE//[!0-9]/} days)"
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index af67579f1..9a4e2f252 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -414,15 +414,15 @@ printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
 
 # Clean stopped imapsync jobs
 rm -f /tmp/imapsync_busy.lock
-IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
-[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
+IMAPSYNC_TABLE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
+[[ ! -z ${IMAPSYNC_TABLE} ]] && mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
 
 # Envsubst maildir_gc
 echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
 
 # GUID generation
 while [[ ${VERSIONS_OK} != 'OK' ]]; do
-  if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
+  if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
     VERSIONS_OK=OK
   else
     echo "Waiting for versions table to be created..."
@@ -433,11 +433,11 @@ PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key
 if [ -f ${PUBKEY_MCRYPT} ]; then
   GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
   if [ ${#GUID} -eq 64 ]; then
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+    mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
 EOF
   else
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+    mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
 EOF
   fi
diff --git a/data/Dockerfiles/phpfpm/docker-entrypoint.sh b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
index e6510de7a..0d09ac5fc 100755
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -81,7 +81,7 @@ if [ ${SQL_CHANGED} -eq 1 ]; then
 fi
 
 # Check mysql tz import (master and slave)
-TZ_CHECK=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
+TZ_CHECK=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
 if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
   SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
   echo "MySQL mysql_tzinfo_to_sql - debug output:"
@@ -120,11 +120,11 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   while read line
   do
     DOMAIN_ARR+=("$line")
-  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
+  done < <(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
   while read line
   do
     DOMAIN_ARR+=("$line")
-  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
+  done < <(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
 
   if [[ ! -z ${DOMAIN_ARR} ]]; then
   for domain in "${DOMAIN_ARR[@]}"; do
@@ -146,13 +146,13 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
     VALIDATED_IPS=$(array_by_comma ${VALIDATED_API_ALLOW_FROM_ARR[*]})
     if [[ ! -z ${VALIDATED_IPS} ]]; then
       if [[ ${API_KEY} != "invalid" ]] && [[ ! -z ${API_KEY} ]]; then
-        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+        mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DELETE FROM api WHERE access = 'rw';
 INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY}", "1", "${VALIDATED_IPS}", "rw");
 EOF
       fi
       if [[ ${API_KEY_READ_ONLY} != "invalid" ]] && [[ ! -z ${API_KEY_READ_ONLY} ]]; then
-        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+        mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DELETE FROM api WHERE access = 'ro';
 INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY_READ_ONLY}", "1", "${VALIDATED_IPS}", "ro");
 EOF
@@ -161,7 +161,7 @@ EOF
   fi
 
   # Create events (master only, STATUS for event on slave will be SLAVESIDE_DISABLED)
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DROP EVENT IF EXISTS clean_spamalias;
 DELIMITER //
 CREATE EVENT clean_spamalias
diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index 9cf36a805..dcf91b499 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -14,11 +14,11 @@ do
 done
 
 # Wait for updated schema
-DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
+DBV_NOW=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
 DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
 while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
   echo "Waiting for schema update..."
-  DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
+  DBV_NOW=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
   DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
   sleep 5
 done
@@ -27,9 +27,9 @@ echo "DB schema is ${DBV_NOW}"
 # Recreate view
 if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   echo "We are master, preparing sogo_view..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP VIEW IF EXISTS sogo_view"
+  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP VIEW IF EXISTS sogo_view"
   while [[ ${VIEW_OK} != 'OK' ]]; do
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+    mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 CREATE VIEW sogo_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) AS
 SELECT
    mailbox.username,
@@ -59,7 +59,7 @@ WHERE
 GROUP BY
    mailbox.username;
 EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
+    if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
       VIEW_OK=OK
     else
       echo "Will retry to setup SOGo view in 3s..."
@@ -68,7 +68,7 @@ EOF
   done
 else
   while [[ ${VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
+    if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
       VIEW_OK=OK
     else
       echo "Waiting for SOGo view to be created by master..."
@@ -81,12 +81,12 @@ fi
 if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   echo "We are master, preparing _sogo_static_view..."
   while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
+    if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
       STATIC_VIEW_OK=OK
       echo "Updating _sogo_static_view content..."
       # If changed, also update init_db.inc.php
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "REPLACE INTO _sogo_static_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) SELECT c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings from sogo_view;"
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "DELETE FROM _sogo_static_view WHERE c_uid NOT IN (SELECT username FROM mailbox WHERE active = '1')"
+      mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "REPLACE INTO _sogo_static_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) SELECT c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings from sogo_view;"
+      mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "DELETE FROM _sogo_static_view WHERE c_uid NOT IN (SELECT username FROM mailbox WHERE active = '1')"
     else
       echo "Waiting for database initialization..."
       sleep 3
@@ -94,7 +94,7 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   done
 else
   while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
+    if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
       STATIC_VIEW_OK=OK
     else
       echo "Waiting for database initialization by master..."
@@ -107,9 +107,9 @@ fi
 # Recreate password update trigger
 if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   echo "We are master, preparing update trigger..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
+  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
   while [[ ${TRIGGER_OK} != 'OK' ]]; do
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DELIMITER -
 CREATE TRIGGER sogo_update_password AFTER UPDATE ON _sogo_static_view
 FOR EACH ROW
@@ -119,7 +119,7 @@ END;
 -
 DELIMITER ;
 EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME = 'sogo_update_password'") ]]; then
+    if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME = 'sogo_update_password'") ]]; then
       TRIGGER_OK=OK
     else
       echo "Will retry to setup SOGo password update trigger in 3s"
@@ -216,7 +216,7 @@ while read -r line gal
   line=${line} envsubst < /etc/sogo/plist_ldap >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
   echo "            </array>
         </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
+done < <(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
 
 # Generate footer
 echo '    </dict>
diff --git a/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh b/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
index ed4f0db4d..4788b9b70 100755
--- a/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
+++ b/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
@@ -132,9 +132,9 @@ fi
 
 # Connect to the DB server and store output in vars
 if [[ -n $socket ]]; then 
-  ConnectionResult=$(mysql ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
+  ConnectionResult=$(mariadb --skip-ssl ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
 else
-  ConnectionResult=$(mysql ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
+  ConnectionResult=$(mariadb --skip-ssl ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
 fi
 
 if [ -z "`echo "${ConnectionResult}" |grep Slave_IO_State`" ]; then
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index dac0335fb..9d6f6609f 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -234,7 +234,7 @@ external_checks() {
   diff_c=0
   THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD}
   # Reduce error count by 2 after restarting an unhealthy container
-  GUID=$(mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
+  GUID=$(mariadb --skip-ssl -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}

From 18acbc7a4c68e7b31a6d5aa94ffb7d4ee2d9f577 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Tue, 11 Mar 2025 12:35:13 +0100
Subject: [PATCH 192/378] cold-standby: changed texts + removed --no-parallel
 for pull

---
 helper-scripts/_cold-standby.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh
index 9e7362ec6..bfda3ba94 100755
--- a/helper-scripts/_cold-standby.sh
+++ b/helper-scripts/_cold-standby.sh
@@ -99,11 +99,11 @@ EOF
 
 if [ $? = 0 ]; then
   COMPOSE_COMMAND="docker compose"
-  echo "DEBUG: Using native docker compose on remote"
+  echo "INFO: Using native docker compose on remote"
 
 elif [ $? = 1 ]; then
   COMPOSE_COMMAND="docker-compose"
-  echo "DEBUG: Using standalone docker compose on remote"
+  echo "INFO: Using standalone docker compose on remote"
 
 else
   echo -e "\e[31mCannot find any Docker Compose on remote, exiting...\e[0m"
@@ -284,7 +284,7 @@ echo "OK"
     -i "${REMOTE_SSH_KEY}" \
     ${REMOTE_SSH_HOST} \
     -p ${REMOTE_SSH_PORT} \
-    ${COMPOSE_COMMAND} -f "${SCRIPT_DIR}/../docker-compose.yml" pull --no-parallel --quiet 2>&1 ; then
+    ${COMPOSE_COMMAND} -f "${SCRIPT_DIR}/../docker-compose.yml" pull --quiet 2>&1 ; then
       >&2 echo -e "\e[31m[ERR]\e[0m - Could not pull images on remote"
   fi
 

From 062539b7d7ba3dcb883816ceb888c4f082a18364 Mon Sep 17 00:00:00 2001
From: "Marvin A. Ruder" <github@mruder.dev>
Date: Tue, 11 Mar 2025 15:30:46 +0100
Subject: [PATCH 193/378] dkim: Add support for 3072 and 4096 bit RSA keys
 (#6365)

* dkim: Add support for 3072 and 4096 bit RSA keys

Signed-off-by: Marvin A. Ruder <signed@mruder.dev>

* php: added missing ; in dkim function

* php: make 4096 DKIM default

* db: update schema to set dkim 4096 as default

* Revert "db: update schema to set dkim 4096 as default"

This reverts commit 790b40a69563722513cda540ba34e3ae30874e05.

* Revert "php: make 4096 DKIM default"

This reverts commit 7e643376c7e11d23b0dae95ae59a2a5cc195e057.

---------

Signed-off-by: Marvin A. Ruder <signed@mruder.dev>
Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 data/web/api/openapi.yaml                     | 2 +-
 data/web/inc/functions.dkim.inc.php           | 5 ++++-
 data/web/templates/admin/tab-config-dkim.twig | 2 ++
 data/web/templates/edit/domain-templates.twig | 2 ++
 data/web/templates/modals/mailbox.twig        | 6 ++++++
 5 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml
index 969aa7707..7fb4af308 100644
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -409,7 +409,7 @@ paths:
                   description: a list of domains for which a dkim key should be generated
                   type: string
                 key_size:
-                  description: the key size (1024 or 2048)
+                  description: the key size (1024, 2048, 3072 or 4096)
                   type: number
               type: object
       summary: Generate DKIM Key
diff --git a/data/web/inc/functions.dkim.inc.php b/data/web/inc/functions.dkim.inc.php
index 8b1766a20..e7e411730 100644
--- a/data/web/inc/functions.dkim.inc.php
+++ b/data/web/inc/functions.dkim.inc.php
@@ -240,9 +240,12 @@ function dkim($_action, $_data = null, $privkey = false) {
         if (strlen($dkimdata['pubkey']) < 391) {
           $dkimdata['length'] = "1024";
         }
-        elseif (strlen($dkimdata['pubkey']) < 736) {
+        elseif (strlen($dkimdata['pubkey']) < 564) {
           $dkimdata['length'] = "2048";
         }
+        elseif (strlen($dkimdata['pubkey']) < 736) {
+          $dkimdata['length'] = "3072";
+        }
         elseif (strlen($dkimdata['pubkey']) < 1416) {
           $dkimdata['length'] = "4096";
         }
diff --git a/data/web/templates/admin/tab-config-dkim.twig b/data/web/templates/admin/tab-config-dkim.twig
index 85c6dc6ae..ec77139ed 100644
--- a/data/web/templates/admin/tab-config-dkim.twig
+++ b/data/web/templates/admin/tab-config-dkim.twig
@@ -117,6 +117,8 @@
             <select data-style="btn btn-light btn-sm" class="form-control" id="key_size" name="key_size" title="{{ lang.admin.dkim_key_length }}" required>
               <option data-subtext="bits">1024</option>
               <option data-subtext="bits">2048</option>
+              <option data-subtext="bits">3072</option>
+              <option data-subtext="bits">4096</option>
             </select>
           </div>
         </div>
diff --git a/data/web/templates/edit/domain-templates.twig b/data/web/templates/edit/domain-templates.twig
index 825e6674d..d4612a198 100644
--- a/data/web/templates/edit/domain-templates.twig
+++ b/data/web/templates/edit/domain-templates.twig
@@ -103,6 +103,8 @@
         <select data-style="btn btn-light" class="form-control" id="key_size" name="key_size">
           <option value="1024" data-subtext="bits" {% if template.attributes.key_size == 1024 %} selected{% endif %}>1024</option>
           <option value="2048" data-subtext="bits" {% if template.attributes.key_size == 2048 %} selected{% endif %}>2048</option>
+          <option value="3072" data-subtext="bits" {% if template.attributes.key_size == 3072 %} selected{% endif %}>3072</option>
+          <option value="4096" data-subtext="bits" {% if template.attributes.key_size == 4096 %} selected{% endif %}>4096</option>
         </select>
       </div>
     </div>
diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig
index 0f1b23a7e..76f54ec31 100644
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -490,6 +490,8 @@
               <select data-style="btn btn-light" class="form-control" id="key_size" name="key_size">
                 <option data-subtext="bits" value="1024">1024</option>
                 <option data-subtext="bits" value="2048" selected>2048</option>
+                <option data-subtext="bits" value="3072">3072</option>
+                <option data-subtext="bits" value="4096">4096</option>
               </select>
             </div>
           </div>
@@ -628,6 +630,8 @@
               <select data-style="btn btn-light" class="form-control" id="key_size" name="key_size">
                 <option data-subtext="bits">1024</option>
                 <option data-subtext="bits" selected>2048</option>
+                <option data-subtext="bits">3072</option>
+                <option data-subtext="bits">4096</option>
               </select>
             </div>
           </div>
@@ -843,6 +847,8 @@
               <select data-style="btn btn-light" class="form-control" id="key_size2" name="key_size">
                 <option data-subtext="bits">1024</option>
                 <option data-subtext="bits" selected>2048</option>
+                <option data-subtext="bits">3072</option>
+                <option data-subtext="bits">4096</option>
               </select>
             </div>
           </div>

From 2596b9d3860ed5804f25ae77c1d5f1e3af50c24f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 12 Mar 2025 11:42:14 +0100
Subject: [PATCH 194/378] [Web] Improve auth logging and language strings

---
 data/web/inc/functions.auth.inc.php           | 66 ++++++++++++++-----
 data/web/inc/functions.inc.php                | 40 ++++++-----
 data/web/lang/lang.de-de.json                 |  8 ++-
 data/web/lang/lang.en-gb.json                 |  1 +
 .../admin/tab-config-identity-provider.twig   |  2 +-
 5 files changed, 75 insertions(+), 42 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 8e695c359..e047b83ba 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -216,7 +216,7 @@ function user_login($user, $pass, $extra = null){
             unset($_SESSION['ldelay']);
             $_SESSION['return'][] =  array(
               'type' => 'success',
-              'log' => array(__FUNCTION__, $user, '*'),
+              'log' => array(__FUNCTION__, $user, '*', 'Provider: Keycloak'),
               'msg' => array('logged_in_as', $user)
             );
             return "pending";
@@ -229,7 +229,7 @@ function user_login($user, $pass, $extra = null){
               $stmt->execute(array(':user' => $user));
               $_SESSION['return'][] =  array(
                 'type' => 'success',
-                'log' => array(__FUNCTION__, $user, '*'),
+                'log' => array(__FUNCTION__, $user, '*', 'Provider: Keycloak'),
                 'msg' => array('logged_in_as', $user)
               );
             }
@@ -255,7 +255,7 @@ function user_login($user, $pass, $extra = null){
           unset($_SESSION['ldelay']);
           $_SESSION['return'][] =  array(
             'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
+            'log' => array(__FUNCTION__, $user, '*', 'Provider: LDAP'),
             'msg' => array('logged_in_as', $user)
           );
           return "pending";
@@ -268,7 +268,7 @@ function user_login($user, $pass, $extra = null){
             $stmt->execute(array(':user' => $user));
             $_SESSION['return'][] =  array(
               'type' => 'success',
-              'log' => array(__FUNCTION__, $user, '*'),
+              'log' => array(__FUNCTION__, $user, '*', 'Provider: LDAP'),
               'msg' => array('logged_in_as', $user)
             );
           }
@@ -290,7 +290,7 @@ function user_login($user, $pass, $extra = null){
           unset($_SESSION['ldelay']);
           $_SESSION['return'][] =  array(
             'type' => 'success',
-            'log' => array(__FUNCTION__, $user, '*'),
+            'log' => array(__FUNCTION__, $user, '*', 'Provider: mailcow'),
             'msg' => array('logged_in_as', $user)
           );
           return "pending";
@@ -303,7 +303,7 @@ function user_login($user, $pass, $extra = null){
             $stmt->execute(array(':user' => $user));
             $_SESSION['return'][] =  array(
               'type' => 'success',
-              'log' => array(__FUNCTION__, $user, '*'),
+              'log' => array(__FUNCTION__, $user, '*', 'Provider: mailcow'),
               'msg' => array('logged_in_as', $user)
             );
           }
@@ -434,12 +434,27 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
   $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
   curl_close($curl);
   if ($code != 200) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', 'Identity Provider returned HTTP ' . $code),
+      'msg' => 'generic_server_error'
+    );
     return false;
   }
   if (!isset($user_res['attributes']['mailcow_password']) || !is_array($user_res['attributes']['mailcow_password'])){
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', 'User has no mailcow_password attribute'),
+      'msg' => 'generic_server_error'
+    );
     return false;
   }
   if (empty($user_res['attributes']['mailcow_password'][0])){
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', "User's mailcow_password attribute is empty"),
+      'msg' => 'generic_server_error'
+    );
     return false;
   }
 
@@ -469,8 +484,14 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
   }
 
   // check if matching attribute exist
-  if (empty($iam_settings['mappers']) || !$user_template) return false;
-  if ($mapper_key === false) return false;
+  if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', 'No matching attribute mapping was found'),
+      'msg' => 'generic_server_error'
+    );
+    return false;
+  }
 
   // create mailbox
   $_SESSION['access_all_exception'] = '1';
@@ -484,6 +505,11 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
   $_SESSION['access_all_exception'] = '0';
   if (!$create_res){
     clear_session();
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', 'Could not create mailbox on login'),
+      'msg' => 'generic_server_error'
+    );
     return false;
   }
 
@@ -526,17 +552,12 @@ function ldap_mbox_login($user, $pass, $extra = null){
     $_SESSION['return'][] =  array(
       'type' => 'danger',
       'log' => array(__FUNCTION__, $user, '*', $e->getMessage()),
-      'msg' => 'ldap_error'
+      'msg' => 'generic_server_error'
     );
     return false;
   }
   try {
     if (!$iam_provider->auth()->attempt($user_res['dn'], $pass)) {
-      $_SESSION['return'][] =  array(
-        'type' => 'danger',
-        'log' => array(__FUNCTION__, $user, '*', $user_res),
-        'msg' => 'ldap_auth_failed'
-      );
       return false;
     }
   } catch (Exception $e) {
@@ -545,7 +566,7 @@ function ldap_mbox_login($user, $pass, $extra = null){
     $_SESSION['return'][] =  array(
       'type' => 'danger',
       'log' => array(__FUNCTION__, $user, '*', $e->getMessage()),
-      'msg' => 'ldap_error'
+      'msg' => 'generic_server_error'
     );
     return false;
   }
@@ -570,8 +591,14 @@ function ldap_mbox_login($user, $pass, $extra = null){
   }
 
   // check if matching attribute exist
-  if (empty($iam_settings['mappers']) || !$user_template) return false;
-  if ($mapper_key === false) return false;
+  if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', 'No matching attribute mapping was found'),
+      'msg' => 'generic_server_error'
+    );
+    return false;
+  }
 
   // create mailbox
   $_SESSION['access_all_exception'] = '1';
@@ -585,6 +612,11 @@ function ldap_mbox_login($user, $pass, $extra = null){
   $_SESSION['access_all_exception'] = '0';
   if (!$create_res){
     clear_session();
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $user, '*', 'Could not create mailbox on login'),
+      'msg' => 'generic_server_error'
+    );
     return false;
   }
 
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 2a6968fe2..187036b47 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2271,7 +2271,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
       // return default client_scopes for generic-oidc if none is set
       if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
-        $settings["client_scopes"] = "openid profile email";
+        $settings["client_scopes"] = "openid profile email mailcow_template";
       }
       if ($_extra['hide_sensitive']){
         $settings['client_secret'] = '';
@@ -2348,7 +2348,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
           $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
           $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
-          $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
+          $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email mailcow_template";
           $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error');
         break;
         case "ldap":
@@ -2619,8 +2619,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc'){
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__),
-          'msg' => array('login_failed', "no OIDC provider configured")
+          'log' => array(__FUNCTION__, "no OIDC provider configured"),
+          'msg' => 'login_failed'
         );
         return false;
       }
@@ -2633,13 +2633,20 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       } catch (Throwable $e) {
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__),
-          'msg' => array('login_failed', $e->getMessage())
+          'log' => array(__FUNCTION__, $e->getMessage()),
+          'msg' => 'login_failed'
         );
         return false;
       }
       // check if email address is given
-      if (empty($info['email'])) return false;
+      if (empty($info['email'])) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, 'No email address found for user'),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
 
       // get mapped template
       $user_template = $info['mailcow_template'];
@@ -2678,21 +2685,12 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return true;
       }
 
-      if (empty($iam_settings['mappers']) || empty($user_template)){
+      if (empty($iam_settings['mappers']) || empty($user_template) || $mapper_key === false){
         clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__, $info['email']),
-          'msg' => array('login_failed', 'empty attribute mapping or missing template attribute')
-        );
-        return false;
-      }
-      if ($mapper_key === false) {
-        clear_session();
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $info['email']),
-          'msg' => array('login_failed', 'specified template not found')
+          'log' => array(__FUNCTION__, $info['email'], 'No matching attribute mapping was found'),
+          'msg' => 'login_failed'
         );
         return false;
       }
@@ -2711,8 +2709,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         clear_session();
         $_SESSION['return'][] =  array(
           'type' => 'danger',
-          'log' => array(__FUNCTION__, $info['email']),
-          'msg' => array('login_failed', 'mailbox creation failed')
+          'log' => array(__FUNCTION__, $info['email'], 'Could not create mailbox on login'),
+          'msg' => 'login_failed'
         );
         return false;
       }
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 85a713c67..0857bc5f7 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -219,10 +219,10 @@
         "iam_extra_permission": "Damit die folgenden Einstellungen funktionieren, benötigt der mailcow Client in Keycloak ein <code>Service-Konto</code> und die Berechtigung <code>view-users</code>.",
         "iam_host": "Host",
         "iam_host_info": "Gib einen oder mehrere LDAP-Hosts ein, getrennt durch Kommas.",
-        "iam_import_users": "Import Users",
+        "iam_import_users": "Importiere Benutzer",
         "iam_mapping": "Attribut Mapping",
         "iam_bindpass": "Bind Passwort",
-        "iam_periodic_full_sync": "Periodic Full Sync",
+        "iam_periodic_full_sync": "Vollsynchronisation",
         "iam_port": "Port",
         "iam_realm": "Realm",
         "iam_redirect_url": "Redirect Url",
@@ -238,7 +238,7 @@
         "iam_use_ssl": "Benutze SSL",
         "iam_use_tls": "Benutze TLS",
         "iam_version": "Version",
-        "ignore_ssl_error": "Ignoriere SSL Errors",
+        "ignore_ssl_error": "Ignoriere SSL Fehler",
         "import": "Importieren",
         "import_private_key": "Private Key importieren",
         "in_use_by": "Verwendet von",
@@ -406,6 +406,7 @@
         "aliases_in_use": "Maximale Anzahl an Aliassen muss größer oder gleich %d sein",
         "app_name_empty": "App-Name darf nicht leer sein",
         "app_passwd_id_invalid": "App-Passwort ID %s ist ungültig",
+        "authsource_in_use": "Der Identity Provider kann nicht geändert oder gelöscht werden, da er derzeit von einem oder mehreren Benutzern verwendet wird.",
         "bcc_empty": "BCC-Ziel darf nicht leer sein",
         "bcc_exists": "Ein BCC-Map-Eintrag %s existiert bereits als Typ %s",
         "bcc_must_be_email": "BCC-Ziel %s ist keine gültige E-Mail-Adresse",
@@ -430,6 +431,7 @@
         "file_open_error": "Datei kann nicht zum Schreiben geöffnet werden",
         "filter_type": "Falscher Filtertyp",
         "from_invalid": "Die Absenderadresse muss eine gültige E-Mail-Adresse sein",
+        "generic_server_error": "Ein unerwarteter Serverfehler ist aufgetreten. Bitte kontaktieren Sie Ihren Administrator.",
         "global_filter_write_error": "Kann Filterdatei nicht schreiben: %s",
         "global_map_invalid": "Rspamd-Map %s ist ungültig",
         "global_map_write_error": "Kann globale Map ID %s nicht schreiben: %s",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 5f8e78a9b..64baade92 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -433,6 +433,7 @@
         "file_open_error": "File cannot be opened for writing",
         "filter_type": "Wrong filter type",
         "from_invalid": "Sender must not be empty",
+        "generic_server_error": "An unexpected server error occurred. Please contact your administrator.",
         "global_filter_write_error": "Could not write filter file: %s",
         "global_map_invalid": "Global map ID %s invalid",
         "global_map_write_error": "Could not write global map ID %s: %s",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 3381fe4d6..4a85b42fc 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -265,7 +265,7 @@
               <label class="control-label" for="iam_client_scopes">{{ lang.admin.iam_client_scopes }}:</label>
             </div>
             <div class="col-12 col-md-9 col-lg-4">
-              <input type="text" placeholder="openid profile email" class="form-control" id="iam_client_scopes" name="client_scopes" value="{{ iam_settings.client_scopes }}">
+              <input type="text" placeholder="openid profile email mailcow_template" class="form-control" id="iam_client_scopes" name="client_scopes" value="{{ iam_settings.client_scopes }}">
             </div>
           </div>
           <div class="row mb-2">

From cb08132a74db2ccfacbacd558066be602b447cfa Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 13 Mar 2025 14:39:03 +0100
Subject: [PATCH 195/378] [Web] Fix authentication when mailbox or domain is
 deactivated

---
 data/web/inc/functions.auth.inc.php | 56 ++++++++++++++++++++++++---
 data/web/inc/functions.inc.php      | 59 ++++++++++++++++++++++++++---
 2 files changed, 103 insertions(+), 12 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index e047b83ba..7fd535be1 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -178,25 +178,40 @@ function user_login($user, $pass, $extra = null){
     return false;
   }
 
-  $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+  $stmt = $pdo->prepare("SELECT
+      mailbox.*,
+      domain.active AS d_active
+      FROM `mailbox`
       INNER JOIN domain on mailbox.domain = domain.domain
       WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `domain`.`active`='1'
         AND `username` = :user");
   $stmt->execute(array(':user' => $user));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
   // user does not exist, try call idp login and create user if possible via rest flow
   if (!$row){
+    $result = false;
     if ($iam_settings['authsource'] == 'keycloak' && intval($iam_settings['mailpassword_flow']) == 1){
       $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal, 'create' => true));
-      if ($result !== false) return $result;
     } else if ($iam_settings['authsource'] == 'ldap') {
       $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal, 'create' => true));
-      if ($result !== false) return $result;
     }
-  }
-  if ($row['active'] != 1) {
+    if ($result !== false){
+      // double check if mailbox is active
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active`='1'
+        AND `domain`.`active`='1'
+        AND `username` = :user");
+      $stmt->execute(array(':user' => $user));
+      $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+      if (!empty($row)) {
+        return true;
+      }
+    }
+    clear_session();
     return false;
   }
 
@@ -206,6 +221,19 @@ function user_login($user, $pass, $extra = null){
       if (intval($iam_settings['mailpassword_flow']) == 1){
         $result = keycloak_mbox_login_rest($user, $pass, array('is_internal' => $is_internal));
         if ($result !== false) {
+          // double check if mailbox and domain is active
+          $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+          INNER JOIN domain on mailbox.domain = domain.domain
+          WHERE `kind` NOT REGEXP 'location|thing|group'
+            AND `mailbox`.`active`='1'
+            AND `domain`.`active`='1'
+            AND `username` = :user");
+          $stmt->execute(array(':user' => $user));
+          $row = $stmt->fetch(PDO::FETCH_ASSOC);
+          if (empty($row)) {
+            return false;
+          }
+
           // check for tfa authenticators
           $authenticators = get_tfa($user);
           if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -245,6 +273,19 @@ function user_login($user, $pass, $extra = null){
       // user authsource is ldap
       $result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal));
       if ($result !== false) {
+        // double check if mailbox and domain is active
+        $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+        INNER JOIN domain on mailbox.domain = domain.domain
+        WHERE `kind` NOT REGEXP 'location|thing|group'
+          AND `mailbox`.`active`='1'
+          AND `domain`.`active`='1'
+          AND `username` = :user");
+        $stmt->execute(array(':user' => $user));
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if (empty($row)) {
+          return false;
+        }
+
         // check for tfa authenticators
         $authenticators = get_tfa($user);
         if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -278,6 +319,9 @@ function user_login($user, $pass, $extra = null){
       return $result;
     break;
     case 'mailcow':
+      if ($row['active'] != 1 || $row['d_active'] != 1) {
+        return false;
+      }
       // verify password
       if (verify_hash($row['password'], $pass) !== false) {
         // check for tfa authenticators
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 187036b47..5b67dd1e4 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2653,17 +2653,25 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       $mapper_key = array_search($user_template, $iam_settings['mappers']);
 
       // token valid, get mailbox
-      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      $stmt = $pdo->prepare("SELECT
+        mailbox.*,
+        domain.active AS d_active
+        FROM `mailbox`
         INNER JOIN domain on mailbox.domain = domain.domain
         WHERE `kind` NOT REGEXP 'location|thing|group'
-          AND `mailbox`.`active`='1'
-          AND `domain`.`active`='1'
-          AND `username` = :user
-          AND (`authsource`='keycloak' OR `authsource`='generic-oidc')");
+          AND `username` = :user");
       $stmt->execute(array(':user' => $info['email']));
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
       if ($row){
-        // success
+        if (!in_array($row['authsource'], array("keycloak", "generic-oidc"))) {
+          clear_session();
+          $_SESSION['return'][] =  array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $info['email'], "The user's authentication source is not of type OIDC"),
+            'msg' => 'login_failed'
+          );
+          return false;
+        }
         if ($mapper_key !== false) {
           // update user
           $_SESSION['access_all_exception'] = '1';
@@ -2673,6 +2681,26 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
             'template' => $iam_settings['templates'][$mapper_key]
           ));
           $_SESSION['access_all_exception'] = '0';
+
+          // get updated row
+          $stmt = $pdo->prepare("SELECT
+            mailbox.*,
+            domain.active AS d_active
+            FROM `mailbox`
+            INNER JOIN domain on mailbox.domain = domain.domain
+            WHERE `kind` NOT REGEXP 'location|thing|group'
+              AND `username` = :user");
+          $stmt->execute(array(':user' => $info['email']));
+          $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        }
+        if ($row['active'] != 1 || $row['d_active'] != 1) {
+          clear_session();
+          $_SESSION['return'][] =  array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $info['email'], 'Domain or mailbox is inactive'),
+            'msg' => 'login_failed'
+          );
+          return false;
         }
         set_user_loggedin_session($info['email']);
         $_SESSION['iam_token'] = $plain_token;
@@ -2715,6 +2743,25 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return false;
       }
 
+      // double check if mailbox and domain is active
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `mailbox`.`active`='1'
+        AND `domain`.`active`='1'
+        AND `username` = :user");
+      $stmt->execute(array(':user' => $info['email']));
+      $row = $stmt->fetch(PDO::FETCH_ASSOC);
+      if (empty($row)) {
+        clear_session();
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $info['email'], 'Domain or mailbox is inactive'),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+
       set_user_loggedin_session($info['email']);
       $_SESSION['iam_token'] = $plain_token;
       $_SESSION['iam_refresh_token'] = $plain_refreshtoken;

From c3aa4f7418c66f991e4a957fb741b9433ac9adc9 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 14 Mar 2025 09:17:51 +0100
Subject: [PATCH 196/378] [Web] Add authsource property to mailbox API
 Documentation

---
 data/web/api/openapi.yaml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml
index 969aa7707..198257bec 100644
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -1112,6 +1112,7 @@ paths:
                 domain: domain.tld
                 local_part: info
                 name: Full name
+                authsource: mailcow
                 password: atedismonsin
                 password2: atedismonsin
                 quota: "3072"
@@ -1132,11 +1133,16 @@ paths:
                 name:
                   description: Full name of the mailbox user
                   type: string
+                authsource:
+                  description: Specifies the authentication source for the mailbox.
+                  type: string
+                  enum: [mailcow, ldap, keycloak, generic-oidc]
+                  default: mailcow
                 password2:
                   description: mailbox password for confirmation
                   type: string
                 password:
-                  description: mailbox password
+                  description: mailbox password when using `mailcow` as the authentication source.
                   type: string
                 quota:
                   description: mailbox quota
@@ -3374,6 +3380,7 @@ paths:
                   active: "1"
                   force_pw_update: "0"
                   name: Full name
+                  authsource: mailcow
                   password: ""
                   password2: ""
                   quota: "3072"
@@ -3398,11 +3405,15 @@ paths:
                     name:
                       description: Full name of the mailbox user
                       type: string
+                    authsource:
+                      description: Specifies the authentication source for the mailbox.
+                      type: string
+                      enum: [mailcow, ldap, keycloak, generic-oidc]
                     password2:
                       description: new mailbox password for confirmation
                       type: string
                     password:
-                      description: new mailbox password
+                      description: new mailbox password when using `mailcow` as the authentication source.
                       type: string
                     quota:
                       description: mailbox quota
@@ -5755,8 +5766,8 @@ paths:
       tags:
         - Cross-Origin Resource Sharing (CORS)
       description: >-
-        This endpoint allows you to manage Cross-Origin Resource Sharing (CORS) settings for the API. 
-        CORS is a security feature implemented by web browsers to prevent unauthorized cross-origin requests. 
+        This endpoint allows you to manage Cross-Origin Resource Sharing (CORS) settings for the API.
+        CORS is a security feature implemented by web browsers to prevent unauthorized cross-origin requests.
         By editing the CORS settings, you can specify which domains and which methods are permitted to access the API resources from outside the mailcow domain.
       operationId: Edit Cross-Origin Resource Sharing (CORS) settings
       requestBody:

From 43c15970510ad305e2f67d7067b78967b32e0b7e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 14 Mar 2025 09:19:39 +0100
Subject: [PATCH 197/378] [Web] Check if authsource is configured before adding
 or updating a mailbox

---
 data/web/inc/functions.mailbox.inc.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 6222e4aa9..54387f812 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -4,6 +4,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
   global $redis;
   global $lang;
   global $MAILBOX_DEFAULT_ATTRIBUTES;
+  global $iam_settings;
+
   $_data_log = $_data;
   !isset($_data_log['password']) ?: $_data_log['password'] = '*';
   !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
@@ -1022,7 +1024,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap'))){
+          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap')) &&
+              $iam_settings['authsource'] == $_data['authsource']){
             $authsource = $_data['authsource'];
           }
           if (empty($name)) {
@@ -2955,7 +2958,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $tags                 = (is_array($_data['tags']) ? $_data['tags'] : array());
               $attribute_hash       = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
               $authsource           = $is_now['authsource'];
-              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap'))){
+              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap')) &&
+                  $iam_settings['authsource'] == $_data['authsource']){
                 $authsource = $_data['authsource'];
               }
               if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){

From c93106f9d6ae8b0c0a5282b9c62b3ca1b5fb5aa9 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 14 Mar 2025 09:29:02 +0100
Subject: [PATCH 198/378] [Web] Fix redirect after renaming mailbox

---
 data/web/templates/edit/mailbox.twig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index 2f93e6e5d..32a3706c1 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -25,7 +25,7 @@
                   <input type="hidden" value="default" name="sender_acl">
                   <input type="hidden" value="0" name="force_pw_update">
                   <input type="hidden" value="0" name="sogo_access">
-                  <input type="hidden" value="0" name="protocol_access">      
+                  <input type="hidden" value="0" name="protocol_access">
                   <div class="row mb-2">
                     <label class="control-label col-sm-2">{{ lang.admin.iam }}</label>
                     <div class="col-sm-10">
@@ -542,7 +542,7 @@
                     </div>
                     <div class="row mb-2">
                       <div class="col-sm-12 offset-md-2 col-md-10 col-xl-8">
-                        <button class="btn btn-xs-lg d-block d-sm-inline btn-secondary" data-action="edit_selected" data-id="mboxrename" data-item="{{ mailbox }}" data-api-url='edit/rename-mbox' data-api-attr='{}' data-api-reload-location="/mailbox" href="#">{{ lang.edit.save }}</button>
+                        <button class="btn btn-xs-lg d-block d-sm-inline btn-secondary" data-action="edit_selected" data-id="mboxrename" data-item="{{ mailbox }}" data-api-url='edit/rename-mbox' data-api-attr='{}' data-api-reload-location="/{{mailcow_cc_role}}/mailbox" href="#">{{ lang.edit.save }}</button>
                       </div>
                     </div>
                   </form>

From 5a7275843ad35a383e14c4d05cceffbec5d6db2d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 14 Mar 2025 09:30:33 +0100
Subject: [PATCH 199/378] Add error message when mailbox creation fails

---
 data/conf/phpfpm/crons/keycloak-sync.php | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index 98010648b..cdc5a6e99 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -79,7 +79,7 @@ if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic
 
 // Set pagination variables
 $start = 0;
-$max = 25;
+$max = 100;
 
 // lock sync if already running
 $lock_file = '/tmp/iam-sync.lock';
@@ -167,11 +167,13 @@ while (true) {
     $mailcow_template = $user['attributes']['mailcow_template'];
 
     // try get mailbox user
-    $stmt = $pdo->prepare("SELECT `mailbox`.* FROM `mailbox`
-    INNER JOIN domain on mailbox.domain = domain.domain
-    WHERE `kind` NOT REGEXP 'location|thing|group'
-      AND `domain`.`active`='1'
-      AND `username` = :user");
+    $stmt = $pdo->prepare("SELECT
+      mailbox.*,
+      domain.active AS d_active
+      FROM `mailbox`
+      INNER JOIN domain on mailbox.domain = domain.domain
+      WHERE `kind` NOT REGEXP 'location|thing|group'
+        AND `username` = :user");
     $stmt->execute(array(':user' => $user['email']));
     $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
@@ -192,13 +194,17 @@ while (true) {
     if (!$row && intval($iam_settings['import_users']) == 1){
       // mailbox user does not exist, create...
       logMsg("info", "Creating user " . $user['email']);
-      mailbox('add', 'mailbox_from_template', array(
+      $create_res = mailbox('add', 'mailbox_from_template', array(
         'domain' => explode('@', $user['email'])[1],
         'local_part' => explode('@', $user['email'])[0],
         'name' => $user['firstName'] . " " . $user['lastName'],
         'authsource' => 'keycloak',
         'template' => $mbox_template
       ));
+      if (!$create_res){
+        logMsg("err", "Could not create user " . $user['email']);
+        continue;
+      }
     } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
       // mailbox user does exist, sync attribtues...
       logMsg("info", "Syncing attributes for user " . $user['email']);

From e21696ff27c8793ce41f836d02d284ea958555de Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 14 Mar 2025 09:36:40 +0100
Subject: [PATCH 200/378] Add error message when mailbox creation fails

---
 data/conf/phpfpm/crons/ldap-sync.php | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 8f7a08bf5..17000997c 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -79,7 +79,7 @@ if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_syn
 
 // Set pagination variables
 $start = 0;
-$max = 25;
+$max = 100;
 
 // lock sync if already running
 $lock_file = '/tmp/iam-sync.lock';
@@ -126,11 +126,13 @@ foreach ($response as $user) {
   $mailcow_template = $user[$iam_settings['attribute_field']][0];
 
   // try get mailbox user
-  $stmt = $pdo->prepare("SELECT `mailbox`.* FROM `mailbox`
-  INNER JOIN domain on mailbox.domain = domain.domain
-  WHERE `kind` NOT REGEXP 'location|thing|group'
-    AND `domain`.`active`='1'
-    AND `username` = :user");
+  $stmt = $pdo->prepare("SELECT
+    mailbox.*,
+    domain.active AS d_active
+    FROM `mailbox`
+    INNER JOIN domain on mailbox.domain = domain.domain
+    WHERE `kind` NOT REGEXP 'location|thing|group'
+      AND `username` = :user");
   $stmt->execute(array(':user' => $user[$iam_settings['username_field']][0]));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
@@ -156,13 +158,17 @@ foreach ($response as $user) {
   if (!$row && intval($iam_settings['import_users']) == 1){
     // mailbox user does not exist, create...
     logMsg("info", "Creating user " .  $user[$iam_settings['username_field']][0]);
-    mailbox('add', 'mailbox_from_template', array(
+    $create_res = mailbox('add', 'mailbox_from_template', array(
       'domain' => explode('@',  $user[$iam_settings['username_field']][0])[1],
       'local_part' => explode('@',  $user[$iam_settings['username_field']][0])[0],
       'name' => $user['displayname'][0],
       'authsource' => 'ldap',
       'template' => $mbox_template
     ));
+    if (!$create_res){
+      logMsg("err", "Could not create user " . $user[$iam_settings['username_field']][0]);
+      continue;
+    }
   } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
     // mailbox user does exist, sync attribtues...
     logMsg("info", "Syncing attributes for user " . $user[$iam_settings['username_field']][0]);

From 2a15914324655af826255762722b5368ad623b2d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 14 Mar 2025 11:22:57 +0100
Subject: [PATCH 201/378] Fix major update prompt

---
 update.sh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/update.sh b/update.sh
index 838899f8b..b99dffe71 100755
--- a/update.sh
+++ b/update.sh
@@ -724,7 +724,13 @@ detect_major_update() {
       "2025-02"
     )
 
-    current_version=$(git describe --tags $(git rev-list --tags --max-count=1))
+    current_version=""
+    if [[ -f "${SCRIPT_DIR}/data/web/inc/app_info.inc.php" ]]; then
+      current_version=$(grep 'MAILCOW_GIT_VERSION' ${SCRIPT_DIR}/data/web/inc/app_info.inc.php | sed -E 's/.*MAILCOW_GIT_VERSION="([^"]+)".*/\1/')
+    fi
+    if [[ -z "$current_version" ]]; then
+      return 1
+    fi
     release_url="https://github.com/mailcow/mailcow-dockerized/releases/tag"
 
     updates_to_apply=()
@@ -741,8 +747,7 @@ detect_major_update() {
         echo "$update - $release_url/$update"
       done
 
-      echo -e "\n⚠️  Please read the release notes before proceeding.\n"
-
+      echo -e "\nPlease read the release notes before proceeding."
       read -p "Do you want to proceed with the update? [y/n] " response
       if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
         echo "Proceeding with the update..."

From 463e3ab78c8c43095239dea4853467a7899df8f3 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Fri, 14 Mar 2025 12:18:59 +0100
Subject: [PATCH 202/378] rspamd: update rspamd to 3.11.1 (#6374)

---
 data/Dockerfiles/rspamd/Dockerfile | 2 +-
 docker-compose.yml                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile
index 248312094..ac5c0f2a0 100644
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:bookworm-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG RSPAMD_VER=rspamd_3.11.0-2~90a175b45
+ARG RSPAMD_VER=rspamd_3.11.1-1~ab0b44951
 ARG CODENAME=bookworm
 ENV LC_ALL=C
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 4c470f5bd..5a42c4101 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -84,7 +84,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: ghcr.io/mailcow/rspamd:2.0
+      image: ghcr.io/mailcow/rspamd:2.1
       stop_grace_period: 30s
       depends_on:
         - dovecot-mailcow

From 8910135f02e54beb1ee4ab0698a9cbdd79c45111 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 17 Mar 2025 13:21:28 +0100
Subject: [PATCH 203/378] [Web] Add edit/identity-provider Api Documentation

---
 data/web/api/openapi.yaml | 213 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 212 insertions(+), 1 deletion(-)

diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml
index 198257bec..9eba76904 100644
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -5698,7 +5698,7 @@ paths:
         - description: name of domain
           in: path
           name: domain
-          required: false
+          required: true
           schema:
             type: string
         - description: e.g. api-key-string
@@ -5825,6 +5825,215 @@ paths:
         Using this endpoint you can get the global spam filter score or the spam filter score of a certain mailbox.
       operationId: Get mailbox or global spam filter score
       summary: Get mailbox or global spam filter score
+  /api/v1/edit/identity-provider:
+    post:
+      responses:
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "200":
+          content:
+            application/json:
+              examples:
+                response:
+                  value:
+                    - type: "success"
+                      log:
+                        - "identity_provider"
+                        - "edit"
+                        - authsource: "keycloak"
+                          server_url: "https://auth.mailcow.tld"
+                          realm: "mailcow"
+                          client_id: "mailcow_client"
+                          client_secret: "*"
+                          redirect_url: "https://mail.mailcow.tld"
+                          version: "26.1.3"
+                          mappers:
+                            - "Default"
+                            - "small_mbox"
+                            - "medium_mbox"
+                          templates:
+                            - "Default"
+                            - "small"
+                            - "medium"
+                          ignore_ssl_error: true
+                          mailpassword_flow: true
+                          periodic_sync: true
+                          import_users: true
+                          sync_interval: 30
+                      msg:
+                        - "object_modified"
+                        - ""
+          description: OK
+          headers: { }
+      tags:
+        - Identity Provider
+      description: >-
+        Configure an external Identity Provider to use as user authentication
+      operationId: Edit external Identity Provider settings
+      requestBody:
+        content:
+          application/json:
+            schema:
+              properties:
+                items:
+                  type: array
+                  default: ["identity-provider"]
+                attr:
+                  type: object
+                  properties:
+                    authsource:
+                      description: Specifies the type of the Identity Provider
+                      type: string
+                      enum: [ldap, keycloak, generic-oidc]
+                    server_url:
+                      description: The base URL of your Keycloak server. Required if `authsource` is keycloak.
+                      type: string
+                    realm:
+                      description: The Keycloak realm where the mailcow client is configured. Required if `authsource` is keycloak.
+                      type: string
+                    client_id:
+                      description: The Client ID assigned to mailcow Client in OIDC Provider. Required if `authsource` is keycloak or generic-oidc.
+                      type: string
+                    client_secret:
+                      description: The Client Secret assigned to mailcow Client in OIDC Provider. Required if `authsource` is keycloak or generic-oidc.
+                      type: string
+                    redirect_url:
+                      description: The redirect URL that OIDC Provider will use after authentication. Required if `authsource` is keycloak or generic-oidc.
+                      type: string
+                    version:
+                      description: Specifies the Keycloak version. Required if `authsource` is keycloak.
+                      type: string
+                    mappers:
+                      description: Attribute values used to match a mailbox template. Each element corresponds to the respective index in the templates array (i.e., the first element matches the first element of templates, the second matches the second, and so on).
+                      type: array
+                    templates:
+                      description: Defines the mailbox templates to be assigned. Each element corresponds to the respective index in the `mappers` array.
+                      type: array
+                    ignore_ssl_error:
+                      description: If enabled, SSL certificate validation is bypassed
+                      type: boolean
+                      default: false
+                    mailpassword_flow:
+                      description: If enabled, mailcow will attempt to validate user credentials using the Keycloak Admin REST API instead of relying solely on the Authorization Code Flow.
+                      type: boolean
+                      default: false
+                    periodic_sync:
+                      description: If enabled, mailcow periodically performs a full sync of all users from Keycloak or LDAP.
+                      type: boolean
+                      default: false
+                    import_users:
+                      description: If enabled, new users are automatically imported from Keycloak or LDAP into mailcow.
+                      type: boolean
+                      default: false
+                    sync_interval:
+                      description: Defines the time interval (in minutes) for periodic synchronization and user imports.
+                      type: number
+                      default: 15
+                    host:
+                      description: The address of your LDAP server. You can provide a single hostname or a comma-separated list of hosts for fallback in case the primary server is unreachable. Required if `authsource` is ldap.
+                      type: string
+                    port:
+                      description: The port used to connect to the LDAP server. Required if `authsource` is ldap.
+                      type: string
+                    use_ssl:
+                      description: enable LDAPS connection. If Port is set to 389 it will be overriden to 636.
+                      type: boolean
+                      default: false
+                    use_tls:
+                      description: enable TLS connection. TLS is recommended over SSL. SSL Ports cannot be used.
+                      type: boolean
+                      default: false
+                    basedn:
+                      description: The Distinguished Name (DN) from which searches will be performed. Required if `authsource` is ldap.
+                      type: string
+                    username_field:
+                      description: The LDAP attribute used to identify users during authentication. Required if `authsource` is ldap.
+                      type: string
+                      default: mail
+                    filter:
+                      description: An optional LDAP search filter to refine which users can authenticate.
+                      type: string
+                    attribute_field:
+                      description: Specifies an LDAP attribute that holds a specific value which can be mapped to a mailbox template using the Attribute Mapping section. Required if `authsource` is ldap.
+                      type: string
+                    binddn:
+                      description: The Distinguished Name (DN) of the LDAP user that will be used to authenticate and perform LDAP searches. This account should have sufficient permissions to read the required attributes. Required if `authsource` is ldap.
+                      type: string
+                    bindpass:
+                      description: The password for the Bind DN user. It is required for authentication when connecting to the LDAP server. Required if `authsource` is ldap.
+                      type: string
+                    authorize_url:
+                      description: The OIDC provider's authorization server URL. Required if `authsource` is generic-oidc.
+                      type: string
+                    token_url:
+                      description: The OIDC provider's token server URL. Required if `authsource` is generic-oidc.
+                      type: string
+                    userinfo_url:
+                      description: The OIDC provider's user info server URL. Required if `authsource` is generic-oidc.
+                      type: string
+                    client_scopes:
+                      description: Specifies the OIDC scopes requested during authentication.
+                      type: string
+                      default: "openid profile email mailcow_template"
+            examples:
+              keycloak:
+                value:
+                  items:
+                    - "identity-provider"
+                  attr:
+                    authsource: "keycloak"
+                    server_url: "https://auth.mailcow.tld"
+                    realm: "mailcow"
+                    client_id: "mailcow_client"
+                    client_secret: "Xy7GdPqvJ9m3R8sT2LkVZ5W1oNbCaYQf"
+                    redirect_url: "https://mail.mailcow.tld"
+                    version: "26.1.3"
+                    mappers: ["Default", "small_mbox", "medium_mbox"]
+                    templates: ["Default", "small", "medium"]
+                    ignore_ssl_error: true
+                    mailpassword_flow: true
+                    periodic_sync: true
+                    import_users: true
+                    sync_interval: 30
+              ldap:
+                value:
+                  items:
+                    - "identity-provider"
+                  attr:
+                    authsource: "ldap"
+                    host: "127.0.0.1"
+                    port: "389"
+                    use_ssl: false
+                    use_tls: false
+                    ignore_ssl_error: false
+                    basedn: "DC=mailcow,DC=local"
+                    username_field: "mail"
+                    filter: "(memberOf:1.2.840.113556.1.4.1941:=DC=mailcow,DC=local)"
+                    attribute_field: "othermailbox"
+                    binddn: "CN=LDAP Read Only,CN=Users,DC=mailcow,DC=local"
+                    bindpass: "moohoo"
+                    mappers: ["Default", "small_mbox", "medium_mbox"]
+                    templates: ["Default", "small", "medium"]
+                    periodic_sync: true
+                    import_users: true
+                    sync_interval: 30
+              generic-oidc:
+                value:
+                  items:
+                    - "identity-provider"
+                  attr:
+                    authsource: "generic-oidc"
+                    authorize_url: "https://auth.mailcow.tld/application/o/authorize/"
+                    token_url: "https://auth.mailcow.tld/application/o/token/"
+                    userinfo_url: "https://auth.mailcow.tld/application/o/userinfo/"
+                    client_id: "mailcow_client"
+                    client_secret: "Xy7GdPqvJ9m3R8sT2LkVZ5W1oNbCaYQf"
+                    redirect_url: "https://mail.mailcow.tld"
+                    client_scopes: "openid profile email mailcow_template"
+                    mappers: ["Default", "small_mbox", "medium_mbox"]
+                    templates: ["Default", "small", "medium"]
+                    ignore_ssl_error: true
+      summary: Edit external Identity Provider
 
 tags:
   - name: Domains
@@ -5871,3 +6080,5 @@ tags:
     description: Edit domain ratelimits
   - name: Cross-Origin Resource Sharing (CORS)
     description: Manage Cross-Origin Resource Sharing (CORS) settings
+  - name: Identity Provider
+    description: Manage external Identity Provider settings

From ceebc56e62b8845241325e6d29b585cdbd0c1bbd Mon Sep 17 00:00:00 2001
From: Nick Bouwhuis <2922075+NickBouwhuis@users.noreply.github.com>
Date: Tue, 18 Mar 2025 10:08:08 +0000
Subject: [PATCH 204/378] feat/replace bgp.he.net with bgp.tools

---
 data/web/js/site/user.js                     | 2 +-
 data/web/templates/admin/tab-config-f2b.twig | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js
index 2a5eccdf8..497bdc7de 100644
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -103,7 +103,7 @@ jQuery(function($){
               var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
               var service = '<div class="badge fs-6 bg-secondary">' + item.service.toUpperCase() + '</div>';
               var app_password = item.app_password ? ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-app-indicator"></i> ' + escapeHtml(item.app_password_name || "App") + '</a>' : '';
-              var real_rip = item.real_rip.startsWith("Web") ? item.real_rip : '<a href="https://bgp.he.net/ip/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
+              var real_rip = item.real_rip.startsWith("Web") ? item.real_rip : '<a href="https://bgp.tools/prefix/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
               var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : '';
               var ip_data = real_rip + ip_location + app_password;
               $(".last-login").append('<li class="list-group-item">' + local_datetime + " " + service + " " + lang.from + " " + ip_data + "</li>");
diff --git a/data/web/templates/admin/tab-config-f2b.twig b/data/web/templates/admin/tab-config-f2b.twig
index 75c626641..d33c242a8 100644
--- a/data/web/templates/admin/tab-config-f2b.twig
+++ b/data/web/templates/admin/tab-config-f2b.twig
@@ -110,7 +110,7 @@
         <p>
           <span class="badge fs-7 bg-info d-block d-sm-inline-block">
             <i class="bi bi-funnel-fill"></i>
-            <a href="https://bgp.he.net/ip/{{ active_ban.ip }}" target="_blank">
+            <a href="https://bgp.tools/prefix/{{ active_ban.ip }}" target="_blank">
               {{ active_ban.network }}
             </a>
             ({{ active_ban.banned_until }})
@@ -130,7 +130,7 @@
         <p>
           <span class="badge fs-7 bg-danger d-block d-sm-inline-block">
             <i class="bi bi-funnel-fill"></i>
-            <a href="https://bgp.he.net/ip/{{ perm_ban.ip }}" target="_blank">
+            <a href="https://bgp.tools/prefix/{{ perm_ban.ip }}" target="_blank">
               {{ perm_ban.network }}
             </a>
           </span>

From 887b7114a8bdd74a81f9ce7a6c5e006e28e135c0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 19 Mar 2025 14:35:32 +0100
Subject: [PATCH 205/378] Add default template for IdP attribute mapping

---
 data/conf/phpfpm/crons/keycloak-sync.php      |  40 +++----
 data/conf/phpfpm/crons/ldap-sync.php          |  28 +++--
 data/web/inc/functions.auth.inc.php           |  40 ++++---
 data/web/inc/functions.inc.php                |  32 ++++--
 data/web/js/site/admin.js                     | 106 +++++++-----------
 data/web/lang/lang.de-de.json                 |   2 +
 data/web/lang/lang.en-gb.json                 |   2 +
 .../admin/tab-config-identity-provider.twig   |  90 ++++++++++++---
 8 files changed, 201 insertions(+), 139 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index cdc5a6e99..8c2e66584 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -154,17 +154,6 @@ while (true) {
       logMsg("warning", "No email address in keycloak found for user " . $user['name']);
       continue;
     }
-    if (!isset($user['attributes'])){
-      logMsg("warning", "No attributes in keycloak found for user " . $user['email']);
-      continue;
-    }
-    if (!isset($user['attributes']['mailcow_template']) ||
-        !is_array($user['attributes']['mailcow_template']) ||
-        count($user['attributes']['mailcow_template']) == 0) {
-      logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']);
-      continue;
-    }
-    $mailcow_template = $user['attributes']['mailcow_template'];
 
     // try get mailbox user
     $stmt = $pdo->prepare("SELECT
@@ -178,20 +167,22 @@ while (true) {
     $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
     // check if matching attribute mapping exists
-    $mbox_template = null;
-    foreach ($iam_settings['mappers'] as $index => $mapper){
-      if (in_array($mapper, $user['attributes']['mailcow_template'])) {
-        $mbox_template = $mapper;
-        break;
-      }
-    }
-    if (!$mbox_template){
-      logMsg("warning", "No matching attribute mapping found for user " . $user['email']);
-      continue;
-    }
+    $user_template = $user['attributes']['mailcow_template'][0];
+    $mapper_key = array_search($user_template, $iam_settings['mappers']);
 
     $_SESSION['access_all_exception'] = '1';
     if (!$row && intval($iam_settings['import_users']) == 1){
+      if ($mapper_key === false){
+        if (!empty($iam_settings['default_template'])) {
+          $mbox_template = $iam_settings['default_template'];
+          logMsg("warning", "Using default template for user " . $user['email']);
+        } else {
+          logMsg("warning", "No matching attribute mapping found for user " . $user['email']);
+          continue;
+        }
+      } else {
+        $mbox_template = $iam_settings['templates'][$mapper_key];
+      }
       // mailbox user does not exist, create...
       logMsg("info", "Creating user " . $user['email']);
       $create_res = mailbox('add', 'mailbox_from_template', array(
@@ -206,6 +197,11 @@ while (true) {
         continue;
       }
     } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
+      if ($mapper_key === false){
+        logMsg("warning", "No matching attribute mapping found for user " . $user['email']);
+        continue;
+      }
+      $mbox_template = $iam_settings['templates'][$mapper_key];
       // mailbox user does exist, sync attribtues...
       logMsg("info", "Syncing attributes for user " . $user['email']);
       mailbox('edit', 'mailbox_from_template', array(
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 17000997c..648f46c95 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -137,17 +137,8 @@ foreach ($response as $user) {
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
   // check if matching attribute mapping exists
-  $mbox_template = null;
-  foreach ($iam_settings['mappers'] as $index => $mapper){
-    if ($mapper ==  $mailcow_template) {
-      $mbox_template = $iam_settings['templates'][$index];
-      break;
-    }
-  }
-  if (!$mbox_template){
-    logMsg("warning", "No matching attribute mapping found for user " . $user[$iam_settings['username_field']][0]);
-    continue;
-  }
+  $user_template = $user_res[$iam_settings['attribute_field']][0];
+  $mapper_key = array_search($user_template, $iam_settings['mappers']);
 
   if (empty($user[$iam_settings['username_field']][0])){
     logMsg("warning", "Skipping user " . $user['displayname'][0] . " due to empty LDAP ". $iam_settings['username_field'] . " property.");
@@ -156,6 +147,16 @@ foreach ($response as $user) {
 
   $_SESSION['access_all_exception'] = '1';
   if (!$row && intval($iam_settings['import_users']) == 1){
+    if ($mapper_key === false){
+      if (!empty($iam_settings['default_template'])) {
+        $mbox_template = $iam_settings['default_template'];
+      } else {
+        logMsg("warning", "No matching attribute mapping found for user " . $user[$iam_settings['username_field']][0]);
+        continue;
+      }
+    } else {
+      $mbox_template = $iam_settings['templates'][$mapper_key];
+    }
     // mailbox user does not exist, create...
     logMsg("info", "Creating user " .  $user[$iam_settings['username_field']][0]);
     $create_res = mailbox('add', 'mailbox_from_template', array(
@@ -170,6 +171,11 @@ foreach ($response as $user) {
       continue;
     }
   } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
+    if ($mapper_key === false){
+      logMsg("warning", "No matching attribute mapping found for user " . $user[$iam_settings['username_field']][0]);
+      continue;
+    }
+    $mbox_template = $iam_settings['templates'][$mapper_key];
     // mailbox user does exist, sync attribtues...
     logMsg("info", "Syncing attributes for user " . $user[$iam_settings['username_field']][0]);
     mailbox('edit', 'mailbox_from_template', array(
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 7fd535be1..f432c3834 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -529,12 +529,18 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
 
   // check if matching attribute exist
   if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*', 'No matching attribute mapping was found'),
-      'msg' => 'generic_server_error'
-    );
-    return false;
+    if (!empty($iam_settings['default_template'])) {
+      $mbox_template = $iam_settings['default_template'];
+    } else {
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*', 'No matching attribute mapping was found'),
+        'msg' => 'generic_server_error'
+      );
+      return false;
+    }
+  } else {
+    $mbox_template = $iam_settings['templates'][$mapper_key];
   }
 
   // create mailbox
@@ -544,7 +550,7 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     'local_part' => explode('@', $user)[0],
     'name' => $user_res['name'],
     'authsource' => 'keycloak',
-    'template' => $iam_settings['templates'][$mapper_key]
+    'template' => $mbox_template
   ));
   $_SESSION['access_all_exception'] = '0';
   if (!$create_res){
@@ -636,12 +642,18 @@ function ldap_mbox_login($user, $pass, $extra = null){
 
   // check if matching attribute exist
   if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $user, '*', 'No matching attribute mapping was found'),
-      'msg' => 'generic_server_error'
-    );
-    return false;
+    if (!empty($iam_settings['default_tempalte'])) {
+      $mbox_template = $iam_settings['default_tempalte'];
+    } else {
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $user, '*', 'No matching attribute mapping was found'),
+        'msg' => 'generic_server_error'
+      );
+      return false;
+    }
+  } else {
+    $mbox_template = $iam_settings['templates'][$mapper_key];
   }
 
   // create mailbox
@@ -651,7 +663,7 @@ function ldap_mbox_login($user, $pass, $extra = null){
     'local_part' => explode('@', $user)[0],
     'name' => $user_res['displayname'][0],
     'authsource' => 'ldap',
-    'template' => $iam_settings['templates'][$mapper_key]
+    'template' => $mbox_template
   ));
   $_SESSION['access_all_exception'] = '0';
   if (!$create_res){
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 5b67dd1e4..3593ff2c4 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2387,8 +2387,16 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
       $pdo->commit();
 
+      // add default template
+      if (isset($_data['default_template'])) {
+        $_data['default_template'] = (empty($_data['default_template'])) ? "" : $_data['default_template'];
+        $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('default_template', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+        $stmt->bindParam(':value', $_data['default_template']);
+        $stmt->execute();
+      }
+
       // add mappers
-      if ($_data['mappers'] && $_data['templates']){
+      if (isset($_data['mappers']) && isset($_data['templates'])){
         $_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers'];
         $_data['templates'] = (!is_array($_data['templates'])) ? array($_data['templates']) : $_data['templates'];
 
@@ -2714,13 +2722,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
 
       if (empty($iam_settings['mappers']) || empty($user_template) || $mapper_key === false){
-        clear_session();
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $info['email'], 'No matching attribute mapping was found'),
-          'msg' => 'login_failed'
-        );
-        return false;
+        if (!empty($iam_settings['default_template'])) {
+          $mbox_template = $iam_settings['default_template'];
+        } else {
+          clear_session();
+          $_SESSION['return'][] =  array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $info['email'], 'No matching attribute mapping was found'),
+            'msg' => 'login_failed'
+          );
+          return false;
+        }
+      } else {
+        $mbox_template = $iam_settings['templates'][$mapper_key];
       }
 
       // create mailbox
@@ -2730,7 +2744,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         'local_part' => explode('@', $info['email'])[0],
         'name' => $info['name'],
         'authsource' => $iam_settings['authsource'],
-        'template' => $iam_settings['templates'][$mapper_key]
+        'template' => $mbox_template
       ));
       $_SESSION['access_all_exception'] = '0';
       if (!$create_res){
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 5a5f37955..90c00002a 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -711,7 +711,7 @@ jQuery(function($){
   // App links
   // setup eventlistener
   setAppHideEvent();
-  function setAppHideEvent(){ 
+  function setAppHideEvent(){
     $('.app_hide').off('change');
     $('.app_hide').on('change', function (e) {
       var value = $(this).is(':checked') ? '1' : '0';
@@ -756,13 +756,13 @@ jQuery(function($){
   $('.iam_test_connection').click(async function(e){
     e.preventDefault();
     var data = { attr: $('form[data-id="' + $(this).data('id') + '"]').serializeObject() };
-    var res = await fetch("/api/v1/edit/identity-provider-test", { 
+    var res = await fetch("/api/v1/edit/identity-provider-test", {
       headers: {
         "Content-Type": "application/json",
       },
-      method:'POST', 
-      cache:'no-cache', 
-      body: JSON.stringify(data) 
+      method:'POST',
+      cache:'no-cache',
+      body: JSON.stringify(data)
     });
     res = await res.json();
     if (res.type === 'success'){
@@ -772,79 +772,22 @@ jQuery(function($){
   });
 
   $('.iam_rolemap_add_keycloak').click(async function(e){
-    e.preventDefault();
-
-    var parent = $('#iam_keycloak_mapping_list')
-    $(parent).children().last().clone().appendTo(parent);
-    var newChild = $(parent).children().last();
-    $(newChild).find('input').val('');
-    $(newChild).find('.dropdown-toggle').remove();
-    $(newChild).find('.dropdown-menu').remove();
-    $(newChild).find('.bs-title-option').remove();
-    $(newChild).find('select').selectpicker('destroy');
-    $(newChild).find('select').selectpicker();
-
-    $('.iam_keycloak_rolemap_del').off('click');
-    $('.iam_keycloak_rolemap_del').click(async function(e){
-      e.preventDefault();
-      if ($(this).parent().parent().parent().parent().children().length > 1)
-        $(this).parent().parent().parent().remove();
-    });
+    addAttributeMappingRow('#iam_keycloak_mapping_list', '.iam_keycloak_rolemap_del', e);
   });
   $('.iam_rolemap_add_generic').click(async function(e){
-    e.preventDefault();
-
-    var parent = $('#iam_generic_mapping_list')
-    $(parent).children().last().clone().appendTo(parent);
-    var newChild = $(parent).children().last();
-    $(newChild).find('input').val('');
-    $(newChild).find('.dropdown-toggle').remove();
-    $(newChild).find('.dropdown-menu').remove();
-    $(newChild).find('.bs-title-option').remove();
-    $(newChild).find('select').selectpicker('destroy');
-    $(newChild).find('select').selectpicker();
-
-    $('.iam_generic_rolemap_del').off('click');
-    $('.iam_generic_rolemap_del').click(async function(e){
-      e.preventDefault();
-      if ($(this).parent().parent().parent().parent().children().length > 1)
-        $(this).parent().parent().parent().remove();
-    });
+    addAttributeMappingRow('#iam_generic_mapping_list', '.iam_generic_rolemap_del', e);
   });
   $('.iam_rolemap_add_ldap').click(async function(e){
-    e.preventDefault();
-
-    var parent = $('#iam_ldap_mapping_list')
-    $(parent).children().last().clone().appendTo(parent);
-    var newChild = $(parent).children().last();
-    $(newChild).find('input').val('');
-    $(newChild).find('.dropdown-toggle').remove();
-    $(newChild).find('.dropdown-menu').remove();
-    $(newChild).find('.bs-title-option').remove();
-    $(newChild).find('select').selectpicker('destroy');
-    $(newChild).find('select').selectpicker();
-
-    $('.iam_ldap_rolemap_del').off('click');
-    $('.iam_ldap_rolemap_del').click(async function(e){
-      e.preventDefault();
-      if ($(this).parent().parent().parent().parent().children().length > 1)
-        $(this).parent().parent().parent().remove();
-    });
+    addAttributeMappingRow('#iam_ldap_mapping_list', '.iam_ldap_rolemap_del', e);
   });
   $('.iam_keycloak_rolemap_del').click(async function(e){
-    e.preventDefault();
-    if ($(this).parent().parent().parent().parent().children().length > 1)
-      $(this).parent().parent().parent().remove();
+    deleteAttributeMappingRow(this, e);
   });
   $('.iam_generic_rolemap_del').click(async function(e){
-    e.preventDefault();
-    if ($(this).parent().parent().parent().parent().children().length > 1)
-      $(this).parent().parent().parent().remove();
+    deleteAttributeMappingRow(this, e);
   });
   $('.iam_ldap_rolemap_del').click(async function(e){
-    e.preventDefault();
-    if ($(this).parent().parent().parent().parent().children().length > 1)
-      $(this).parent().parent().parent().remove();
+    deleteAttributeMappingRow(this, e);
   });
   // selecting identity provider
   $('#iam_provider').on('change', function(){
@@ -863,4 +806,31 @@ jQuery(function($){
       $('#keycloak_settings').addClass('d-none');
     }
   });
+  function addAttributeMappingRow(list_id, del_class, e) {
+    e.preventDefault();
+
+    var parent = $(list_id)
+    $(parent).children().last().clone().appendTo(parent);
+    var newChild = $(parent).children().last();
+    $(newChild).find('input').val('');
+    $(newChild).find('input').val('').prop('required', true);
+    $(newChild).find('.dropdown-toggle').remove();
+    $(newChild).find('.dropdown-menu').remove();
+    $(newChild).find('.bs-title-option').remove();
+    $(newChild).find('select').selectpicker('destroy');
+    $(newChild).find('select').selectpicker();
+    $(newChild).find('select').selectpicker().prop('required', true);
+
+    $(del_class).off('click');
+    $(del_class).click(async function(e){
+      deleteAttributeMappingRow(this, e);
+    });
+  }
+  function deleteAttributeMappingRow(elem, e) {
+    e.preventDefault();
+    if(!$(elem).parent().parent().parent().find('select').prop('required'))
+      return true;
+    if ($(elem).parent().parent().parent().parent().children().length > 1)
+      $(elem).parent().parent().parent().remove();
+  }
 });
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 0857bc5f7..45c6e9f50 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -215,6 +215,8 @@
         "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
         "iam_client_scopes": "Client Scopes",
+        "iam_default_template": "Standardvorlage",
+        "iam_default_template_description": "Falls für einen Benutzer kein Template hinterlegt ist, wird die Standardvorlage zum Erstellen der Mailbox verwendet, jedoch nicht zum Aktualisieren der Mailbox.",
         "iam_description": "Konfiguriere einen externen Identity Provider für die Authentifizierung<br>Die Mailboxen der Benutzer werden bei ihrer ersten Anmeldung automatisch erstellt, vorausgesetzt, dass ein Attribut Mapping festgelegt wurde.",
         "iam_extra_permission": "Damit die folgenden Einstellungen funktionieren, benötigt der mailcow Client in Keycloak ein <code>Service-Konto</code> und die Berechtigung <code>view-users</code>.",
         "iam_host": "Host",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 64baade92..1876836de 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -222,6 +222,8 @@
         "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
         "iam_client_scopes": "Client Scopes",
+        "iam_default_template": "Default Template",
+        "iam_default_template_description": "If no template is assigned to a user, the default template will be used for creating the mailbox, but not for updating the mailbox.",
         "iam_description": "Configure an external Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
         "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
         "iam_host": "Host",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 4a85b42fc..9d4dcd286 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -93,6 +93,27 @@
             </div>
           </div>
           <div class="row mb-2" id="iam_keycloak_mapping_list">
+            <input type="hidden" name="mappers" value="">
+            <input type="hidden" name="templates" value="">
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_default_template_description }}"></i>
+                  <span>{{ lang.admin.iam_default_template}}</span>
+                </div>
+                <div class="col-5 p-0 pe-2 align-content-end">
+                  <select data-live-search="true" name="default_template" class="form-control" title="-- {{ lang.mailbox.template }} --">
+                  <option value="" {% if not iam_settings.default_template %}selected{% endif %}>-- {{ lang.mailbox.template }} --</option>
+                  {% for mbox_template in mbox_templates %}
+                    <option {% if mbox_template.template == iam_settings.default_template %}selected{% endif %}>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex"></div>
+              </div>
+            </div>
             {% for key, role in iam_settings.mappers %}
             <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
@@ -100,7 +121,7 @@
                   <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
                 </div>
                 <div class="col-5 p-0 pe-2">
-                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  <select data-live-search="true" name="templates" class="form-control" title="-- {{ lang.mailbox.template }} --" required>
                   {% for mbox_template in mbox_templates %}
                     <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
                       {{ mbox_template.template }}
@@ -114,14 +135,14 @@
               </div>
             </div>
             {% endfor %}
-            {% if not iam_settings.mappers %}
             <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
                 <div class="col-5 p-0 pe-2">
-                  <input type="text" class="form-control me-2" name="mappers" value="" required>
+                  <input type="text" class="form-control me-2" name="mappers" value="">
                 </div>
                 <div class="col-5 p-0 pe-2">
-                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  <select data-live-search="true" name="templates" class="form-control" title="-- {{ lang.mailbox.template }} --">
+                  <option value="" selected>-- {{ lang.mailbox.template }} --</option>
                   {% for mbox_template in mbox_templates %}
                     <option>
                       {{ mbox_template.template }}
@@ -134,7 +155,6 @@
                 </div>
               </div>
             </div>
-            {% endif %}
           </div>
           <div class="row mb-2 mt-4">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end"></div>
@@ -283,6 +303,27 @@
             </div>
           </div>
           <div class="row mb-2" id="iam_generic_mapping_list">
+            <input type="hidden" name="mappers" value="">
+            <input type="hidden" name="templates" value="">
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_default_template_description }}"></i>
+                  <span>{{ lang.admin.iam_default_template}}</span>
+                </div>
+                <div class="col-5 p-0 pe-2 align-content-end">
+                  <select data-live-search="true" name="default_template" class="form-control" title="-- {{ lang.mailbox.template }} --">
+                  <option value="" {% if not iam_settings.default_template %}selected{% endif %}>-- {{ lang.mailbox.template }} --</option>
+                  {% for mbox_template in mbox_templates %}
+                    <option {% if mbox_template.template == iam_settings.default_template %}selected{% endif %}>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex"></div>
+              </div>
+            </div>
             {% for key, role in iam_settings.mappers %}
             <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
@@ -290,7 +331,7 @@
                   <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
                 </div>
                 <div class="col-5 p-0 pe-2">
-                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  <select data-live-search="true" name="templates" class="form-control" title="-- {{ lang.mailbox.template }} --" required>
                   {% for mbox_template in mbox_templates %}
                     <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
                       {{ mbox_template.template }}
@@ -304,14 +345,14 @@
               </div>
             </div>
             {% endfor %}
-            {% if not iam_settings.mappers %}
             <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
                 <div class="col-5 p-0 pe-2">
-                  <input type="text" class="form-control me-2" name="mappers" value="" required>
+                  <input type="text" class="form-control me-2" name="mappers" value="">
                 </div>
                 <div class="col-5 p-0 pe-2">
-                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  <select data-live-search="true" name="templates" class="form-control" title="-- {{ lang.mailbox.template }} --">
+                  <option value="" selected>-- {{ lang.mailbox.template }} --</option>
                   {% for mbox_template in mbox_templates %}
                     <option>
                       {{ mbox_template.template }}
@@ -324,7 +365,6 @@
                 </div>
               </div>
             </div>
-            {% endif %}
           </div>
           <div class="row mb-4">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
@@ -463,6 +503,27 @@
             </div>
           </div>
           <div class="row mb-2" id="iam_ldap_mapping_list">
+            <input type="hidden" name="mappers" value="">
+            <input type="hidden" name="templates" value="">
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-5 p-0 pe-2">
+                  <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_default_template_description }}"></i>
+                  <span>{{ lang.admin.iam_default_template }}</span>
+                </div>
+                <div class="col-5 p-0 pe-2 align-content-end">
+                  <select data-live-search="true" name="default_template" class="form-control" title="-- {{ lang.mailbox.template }} --">
+                  <option value="" {% if not iam_settings.default_template %}selected{% endif %}>-- {{ lang.mailbox.template }} --</option>
+                  {% for mbox_template in mbox_templates %}
+                    <option {% if mbox_template.template == iam_settings.default_template %}selected{% endif %}>
+                      {{ mbox_template.template }}
+                    </option>
+                  {% endfor %}
+                  </select>
+                </div>
+                <div class="col-2 p-0 d-flex"></div>
+              </div>
+            </div>
             {% for key, role in iam_settings.mappers %}
             <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
@@ -470,7 +531,7 @@
                   <input type="text" class="form-control me-2" name="mappers" value="{{ iam_settings.mappers[key] }}" required>
                 </div>
                 <div class="col-5 p-0 pe-2">
-                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  <select data-live-search="true" name="templates" class="form-control" title="-- {{ lang.mailbox.template }} --" required>
                   {% for mbox_template in mbox_templates %}
                     <option{% if mbox_template.template == iam_settings.templates[key] %} selected{% endif %}>
                       {{ mbox_template.template }}
@@ -484,14 +545,14 @@
               </div>
             </div>
             {% endfor %}
-            {% if not iam_settings.mappers %}
             <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
               <div class="row px-2">
                 <div class="col-5 p-0 pe-2">
-                  <input type="text" class="form-control me-2" name="mappers" value="" required>
+                  <input type="text" class="form-control me-2" name="mappers" value="">
                 </div>
                 <div class="col-5 p-0 pe-2">
-                  <select data-live-search="true" name="templates" class="form-control" title="{{ lang.mailbox.template }}" required>
+                  <select data-live-search="true" name="templates" class="form-control" title="-- {{ lang.mailbox.template }} --">
+                  <option value="" selected>-- {{ lang.mailbox.template }} --</option>
                   {% for mbox_template in mbox_templates %}
                     <option>
                       {{ mbox_template.template }}
@@ -504,7 +565,6 @@
                 </div>
               </div>
             </div>
-            {% endif %}
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">

From 72ced70e338b35ae1a099c1a8f390ec17d0035e7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 20 Mar 2025 13:08:42 +0100
Subject: [PATCH 206/378] [Web] Fix mailbox authsource selection

---
 data/web/inc/functions.mailbox.inc.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 54387f812..bb9b23045 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1024,8 +1024,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             );
             return false;
           }
-          if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap')) &&
-              $iam_settings['authsource'] == $_data['authsource']){
+          if ($_data['authsource'] == "mailcow" ||
+              in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource']){
             $authsource = $_data['authsource'];
           }
           if (empty($name)) {
@@ -2958,8 +2958,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $tags                 = (is_array($_data['tags']) ? $_data['tags'] : array());
               $attribute_hash       = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
               $authsource           = $is_now['authsource'];
-              if (in_array($_data['authsource'], array('mailcow', 'keycloak', 'generic-oidc', 'ldap')) &&
-                  $iam_settings['authsource'] == $_data['authsource']){
+              if ($_data['authsource'] == "mailcow" ||
+                  in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource']){
                 $authsource = $_data['authsource'];
               }
               if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){

From 94d4817ecb8d0cb21ff8cc393499dc5538dc8d3f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 20 Mar 2025 13:38:27 +0100
Subject: [PATCH 207/378] [Web] Add default_template parameter to
 edit/identity-provider documentation

---
 data/web/api/openapi.yaml | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml
index 9eba76904..40887c11f 100644
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -5847,12 +5847,11 @@ paths:
                           client_secret: "*"
                           redirect_url: "https://mail.mailcow.tld"
                           version: "26.1.3"
+                          default_template: "Default"
                           mappers:
-                            - "Default"
                             - "small_mbox"
                             - "medium_mbox"
                           templates:
-                            - "Default"
                             - "small"
                             - "medium"
                           ignore_ssl_error: true
@@ -5903,11 +5902,14 @@ paths:
                     version:
                       description: Specifies the Keycloak version. Required if `authsource` is keycloak.
                       type: string
+                    default_template:
+                      description: (Optional) If no matching Attribute Mapping exists for a User, the default template will be used for creating the mailbox, but not for updating the mailbox.
+                      type: string
                     mappers:
-                      description: Attribute values used to match a mailbox template. Each element corresponds to the respective index in the templates array (i.e., the first element matches the first element of templates, the second matches the second, and so on).
+                      description: (Optional) Attribute values used to match a mailbox template. Each element corresponds to the respective index in the templates array (i.e., the first element matches the first element of templates, the second matches the second, and so on).
                       type: array
                     templates:
-                      description: Defines the mailbox templates to be assigned. Each element corresponds to the respective index in the `mappers` array.
+                      description: (Optional) Defines the mailbox templates to be assigned. Each element corresponds to the respective index in the `mappers` array.
                       type: array
                     ignore_ssl_error:
                       description: If enabled, SSL certificate validation is bypassed
@@ -5988,8 +5990,9 @@ paths:
                     client_secret: "Xy7GdPqvJ9m3R8sT2LkVZ5W1oNbCaYQf"
                     redirect_url: "https://mail.mailcow.tld"
                     version: "26.1.3"
-                    mappers: ["Default", "small_mbox", "medium_mbox"]
-                    templates: ["Default", "small", "medium"]
+                    default_template: "Default"
+                    mappers: ["small_mbox", "medium_mbox"]
+                    templates: ["small", "medium"]
                     ignore_ssl_error: true
                     mailpassword_flow: true
                     periodic_sync: true
@@ -6012,8 +6015,9 @@ paths:
                     attribute_field: "othermailbox"
                     binddn: "CN=LDAP Read Only,CN=Users,DC=mailcow,DC=local"
                     bindpass: "moohoo"
-                    mappers: ["Default", "small_mbox", "medium_mbox"]
-                    templates: ["Default", "small", "medium"]
+                    default_template: "Default"
+                    mappers: ["small_mbox", "medium_mbox"]
+                    templates: ["small", "medium"]
                     periodic_sync: true
                     import_users: true
                     sync_interval: 30
@@ -6030,8 +6034,9 @@ paths:
                     client_secret: "Xy7GdPqvJ9m3R8sT2LkVZ5W1oNbCaYQf"
                     redirect_url: "https://mail.mailcow.tld"
                     client_scopes: "openid profile email mailcow_template"
-                    mappers: ["Default", "small_mbox", "medium_mbox"]
-                    templates: ["Default", "small", "medium"]
+                    default_template: "Default"
+                    mappers: ["small_mbox", "medium_mbox"]
+                    templates: ["small", "medium"]
                     ignore_ssl_error: true
       summary: Edit external Identity Provider
 

From 70ba3615837f4039941f51ad4b150255c480f5ad Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 20 Mar 2025 14:15:15 +0100
Subject: [PATCH 208/378] update.sh: Fix text in legacy update prompt

---
 update.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/update.sh b/update.sh
index 985d2cd1c..3a43dc288 100755
--- a/update.sh
+++ b/update.sh
@@ -1340,7 +1340,7 @@ elif [ "$NEW_BRANCH" == "legacy" ] && [ "$CURRENT_BRANCH" != "legacy" ]; then
   echo -e "\e[33mBefore you do: Please take a backup of all components to ensure that no Data is lost...\e[0m"
   sleep 1
   echo -e "\e[31mWARNING: A switch to stable or nightly is possible any time.\e[0m"
-  read -r -p "Are you sure you that want to continue upgrading to the legacy branch? [y/N] " response
+  read -r -p "Are you sure you want to continue upgrading to the legacy branch? [y/N] " response
   if [[ ! "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
     echo "OK. If you prepared yourself for that please run the update.sh Script with the --legacy parameter again to trigger this process here."
     exit 0

From 684256b66ea073b6efc22edeb754fee87d55e7a8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 20 Mar 2025 14:23:28 +0100
Subject: [PATCH 209/378] update.sh: Fix legacy typo

---
 update.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/update.sh b/update.sh
index 3a43dc288..cac1450c1 100755
--- a/update.sh
+++ b/update.sh
@@ -1267,7 +1267,7 @@ if ! [ "$NEW_BRANCH" ]; then
     sleep 1
     echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m"
 
-  elif [ "${BRANCH}" == "legcy" ]; then
+  elif [ "${BRANCH}" == "legacy" ]; then
     echo -e "\e[31mYou are receiving legacy updates. The legacy branch will only recieve security updates until February 2026.\e[0m"
     sleep 1
     echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m"

From ad5f07f0778c4fa586865c5fa5810e34a6670f88 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 24 Mar 2025 11:47:27 +0100
Subject: [PATCH 210/378] update.sh: add 2025-03 as major version

---
 update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/update.sh b/update.sh
index b99dffe71..681a825d0 100755
--- a/update.sh
+++ b/update.sh
@@ -722,6 +722,7 @@ detect_major_update() {
     # Add major versions here
     MAJOR_VERSIONS=(
       "2025-02"
+      "2025-03"
     )
 
     current_version=""

From 986b0afbfadeeddd220a95c1d7dba50b87ce9512 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 24 Mar 2025 15:33:42 +0100
Subject: [PATCH 211/378] ldap-sync: Fix template selection

---
 data/conf/phpfpm/crons/ldap-sync.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 648f46c95..66b76e64a 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -123,8 +123,6 @@ $response = $ldap_query->where($iam_settings['username_field'], "*")
 
 // Process the users
 foreach ($response as $user) {
-  $mailcow_template = $user[$iam_settings['attribute_field']][0];
-
   // try get mailbox user
   $stmt = $pdo->prepare("SELECT
     mailbox.*,
@@ -137,7 +135,7 @@ foreach ($response as $user) {
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
   // check if matching attribute mapping exists
-  $user_template = $user_res[$iam_settings['attribute_field']][0];
+  $user_template = $user[$iam_settings['attribute_field']][0];
   $mapper_key = array_search($user_template, $iam_settings['mappers']);
 
   if (empty($user[$iam_settings['username_field']][0])){

From cd3b1ab828bdaacacbffebfd755c0fa919610f1c Mon Sep 17 00:00:00 2001
From: "Marvin A. Ruder" <signed@mruder.dev>
Date: Tue, 25 Mar 2025 20:24:33 +0100
Subject: [PATCH 212/378] Allow disabling Olefy

* Fixes #6389

Signed-off-by: Marvin A. Ruder <signed@mruder.dev>
---
 data/Dockerfiles/olefy/olefy.py       | 9 ++++++++-
 data/Dockerfiles/watchdog/watchdog.sh | 2 ++
 data/web/admin/dashboard.php          | 3 +++
 docker-compose.yml                    | 3 +++
 generate_config.sh                    | 4 ++++
 update.sh                             | 2 ++
 6 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/olefy/olefy.py b/data/Dockerfiles/olefy/olefy.py
index 776e78648..7c6880929 100644
--- a/data/Dockerfiles/olefy/olefy.py
+++ b/data/Dockerfiles/olefy/olefy.py
@@ -32,6 +32,13 @@ import time
 import magic
 import re
 
+skip_olefy = os.getenv('SKIP_OLEFY', '')
+
+if skip_olefy.lower() in ['yes', 'y']:
+    print("SKIP_OLEFY=y, skipping Olefy...")
+    time.sleep(365 * 24 * 60 * 60)
+    sys.exit(0)
+
 # merge variables from /etc/olefy.conf and the defaults
 olefy_listen_addr_string = os.getenv('OLEFY_BINDADDRESS', '127.0.0.1,::1')
 olefy_listen_port = int(os.getenv('OLEFY_BINDPORT', '10050'))
@@ -113,7 +120,7 @@ def oletools( stream, tmp_file_name, lid ):
         out = bytes(out.decode('utf-8', 'ignore').replace('  ', ' ').replace('\t', '').replace('\n', '').replace('XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)', ''), encoding="utf-8")
         failed = False
         if out.__len__() < 30:
-            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode, 
+            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode,
                 out.decode('utf-8', 'ignore'), err.decode('utf-8', 'ignore')))
             out = b'[ { "error": "Unhandled error - too short olevba response" } ]'
             failed = True
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 9d6f6609f..d1c659ce8 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -994,6 +994,7 @@ PID=$!
 echo "Spawned cert_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 
+if [[ "${SKIP_OLEFY}" =~ ^([nN][oO]|[nN])+$ ]]; then
 (
 while true; do
   if ! olefy_checks; then
@@ -1005,6 +1006,7 @@ done
 PID=$!
 echo "Spawned olefy_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
+fi
 
 (
 while true; do
diff --git a/data/web/admin/dashboard.php b/data/web/admin/dashboard.php
index 473f28de2..443c2ea2a 100644
--- a/data/web/admin/dashboard.php
+++ b/data/web/admin/dashboard.php
@@ -18,6 +18,7 @@ elseif (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] !=
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/header.inc.php';
 $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
 $clamd_status = (preg_match("/^([yY][eE][sS]|[yY])+$/", $_ENV["SKIP_CLAMD"])) ? false : true;
+$olefy_status = (preg_match("/^([yY][eE][sS]|[yY])+$/", $_ENV["SKIP_OLEFY"])) ? false : true;
 
 
 if (!isset($_SESSION['gal']) && $license_cache = $redis->Get('LICENSE_STATUS_CACHE')) {
@@ -33,6 +34,7 @@ $vmail_df = explode(',', (string)json_decode(docker('post', 'dovecot-mailcow', '
 // containers
 $containers_info = (array) docker('info');
 if ($clamd_status === false) unset($containers_info['clamd-mailcow']);
+if ($olefy_status === false) unset($containers_info['olefy-mailcow']);
 ksort($containers_info);
 $containers = array();
 foreach ($containers_info as $container => $container_info) {
@@ -77,6 +79,7 @@ $template_data = [
   'gal' => @$_SESSION['gal'],
   'license_guid' => license('guid'),
   'clamd_status' => $clamd_status,
+  'olefy_status' => $olefy_status,
   'containers' => $containers,
   'ip_check' => customize('get', 'ip_check'),
   'lang_admin' => json_encode($lang['admin']),
diff --git a/docker-compose.yml b/docker-compose.yml
index 2d68b80ce..76739a09c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -176,6 +176,7 @@ services:
         - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
         - SKIP_FTS=${SKIP_FTS:-y}
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
+        - SKIP_OLEFY=${SKIP_OLEFY:-n}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - MASTER=${MASTER:-y}
@@ -538,6 +539,7 @@ services:
         - IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0}
         - CHECK_UNBOUND=${CHECK_UNBOUND:-1}
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
+        - SKIP_OLEFY=${SKIP_OLEFY:-n}
         - SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - HTTPS_PORT=${HTTPS_PORT:-443}
@@ -601,6 +603,7 @@ services:
         - OLEFY_LOGLVL=20
         - OLEFY_MINLENGTH=500
         - OLEFY_DEL_TMP=1
+        - SKIP_OLEFY=${SKIP_OLEFY:-n}
       networks:
         mailcow-network:
           aliases:
diff --git a/generate_config.sh b/generate_config.sh
index c7a7cb64f..c4396a9ce 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -382,6 +382,10 @@ SKIP_UNBOUND_HEALTHCHECK=n
 
 SKIP_CLAMD=${SKIP_CLAMD}
 
+# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n
+
+SKIP_OLEFY=n
+
 # Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
 
 SKIP_SOGO=n
diff --git a/update.sh b/update.sh
index 5a258b529..bf5229653 100755
--- a/update.sh
+++ b/update.sh
@@ -323,6 +323,7 @@ adapt_new_options() {
   "WATCHDOG_EXTERNAL_CHECKS"
   "WATCHDOG_SUBJECT"
   "SKIP_CLAMD"
+  "SKIP_OLEFY"
   "SKIP_IP_CHECK"
   "ADDITIONAL_SAN"
   "DOVEADM_PORT"
@@ -967,6 +968,7 @@ CONFIG_ARRAY=(
   "WATCHDOG_EXTERNAL_CHECKS"
   "WATCHDOG_SUBJECT"
   "SKIP_CLAMD"
+  "SKIP_OLEFY"
   "SKIP_IP_CHECK"
   "ADDITIONAL_SAN"
   "AUTODISCOVER_SAN"

From 05fc4f7aba5bfb9e2db596d11d6beab00ae70320 Mon Sep 17 00:00:00 2001
From: "Marvin A. Ruder" <signed@mruder.dev>
Date: Tue, 25 Mar 2025 21:24:22 +0100
Subject: [PATCH 213/378] fix(ui): Swap translations for oversized dropdown

* Fix other typos
* Fixes #6400

Signed-off-by: Marvin A. Ruder <signed@mruder.dev>
---
 data/Dockerfiles/dockerapi/main.py            |  4 ++--
 .../watchdog/check_mysql_slavestatus.sh       | 22 +++++++++----------
 data/conf/phpfpm/crons/keycloak-sync.php      |  4 ++--
 data/web/inc/triggers.user.inc.php            |  2 +-
 data/web/lang/lang.en-gb.json                 |  4 ++--
 data/web/lang/lang.ja-jp.json                 |  4 ++--
 data/web/lang/lang.pt-br.json                 |  4 ++--
 data/web/lang/lang.tr-tr.json                 |  4 ++--
 data/web/lang/lang.zh-cn.json                 |  4 ++--
 data/web/lang/lang.zh-tw.json                 |  4 ++--
 update.sh                                     |  4 ++--
 11 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/data/Dockerfiles/dockerapi/main.py b/data/Dockerfiles/dockerapi/main.py
index 00c2ad5e3..57e262864 100644
--- a/data/Dockerfiles/dockerapi/main.py
+++ b/data/Dockerfiles/dockerapi/main.py
@@ -241,9 +241,9 @@ async def handle_pubsub_messages(channel: aioredis.client.PubSub):
               else:
                 dockerapi.logger.error("api call: missing container_name, post_action or request")
             else:
-              dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
+              dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
           else:
-            dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
+            dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
 
         await asyncio.sleep(0.0)
     except asyncio.TimeoutError:
diff --git a/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh b/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
index 4788b9b70..42eec59bb 100755
--- a/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
+++ b/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
@@ -49,7 +49,7 @@
 # 2013101601 Optical clean up                                           #
 # 2013101602 Rewrite help output                                        #
 # 2013101700 Handle Slave IO in 'Connecting' state                      #
-# 2013101701 Minor changes in output, handling UNKWNON situations now   #
+# 2013101701 Minor changes in output, handling UNKNOWN situations now   #
 # 2013101702 Exit CRITICAL when Slave IO in Connecting state            #
 # 2013123000 Slave_SQL_Running also matched Slave_SQL_Running_State     #
 # 2015011600 Added 'moving' check to catch possible connection issues   #
@@ -131,7 +131,7 @@ elif [[ -n "${socket}" && (-z "${user}" || -z "${password}") ]]; then
 fi
 
 # Connect to the DB server and store output in vars
-if [[ -n $socket ]]; then 
+if [[ -n $socket ]]; then
   ConnectionResult=$(mariadb --skip-ssl ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
 else
   ConnectionResult=$(mariadb --skip-ssl ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
@@ -178,33 +178,33 @@ if [ ${check} = ${ok} ] && [ ${checkio} = ${ok} ]; then
   then echo "CRITICAL: Slave is ${delayinfo} seconds behind Master | delay=${delayinfo}s"; exit ${STATE_CRITICAL}
   elif [[ ${delayinfo} -ge ${warn_delay} ]]
   then echo "WARNING: Slave is ${delayinfo} seconds behind Master | delay=${delayinfo}s"; exit ${STATE_WARNING}
-  else 
+  else
     # Everything looks OK here but now let us check if the replication is moving
     if [[ -n ${moving} ]] && [[ -n ${tmpfile} ]] && [[ $readpos -eq $execpos ]]
-    then  
-      #echo "Debug: Read pos is $readpos - Exec pos is $execpos" 
+    then
+      #echo "Debug: Read pos is $readpos - Exec pos is $execpos"
       # Check if tmp file exists
       curtime=`date +%s`
-      if [[ -w $tmpfile ]] 
-      then 
+      if [[ -w $tmpfile ]]
+      then
         tmpfiletime=`date +%s -r $tmpfile`
         if [[ `expr $curtime - $tmpfiletime` -gt ${moving} ]]
         then
           exectmp=`cat $tmpfile`
           #echo "Debug: Exec pos in tmpfile is $exectmp"
           if [[ $exectmp -eq $execpos ]]
-          then 
+          then
             # The value read from the tmp file and from db are the same. Replication hasnt moved!
             echo "WARNING: Slave replication has not moved in ${moving} seconds. Manual check required."; exit ${STATE_WARNING}
-          else 
+          else
             # Replication has moved since the tmp file was written. Delete tmp file and output OK.
             rm $tmpfile
             echo "OK: Slave SQL running: ${check} Slave IO running: ${checkio} / master: ${masterinfo} / slave is ${delayinfo} seconds behind master | delay=${delayinfo}s"; exit ${STATE_OK};
           fi
-        else 
+        else
           echo "OK: Slave SQL running: ${check} Slave IO running: ${checkio} / master: ${masterinfo} / slave is ${delayinfo} seconds behind master | delay=${delayinfo}s"; exit ${STATE_OK};
         fi
-      else 
+      else
         echo "$execpos" > $tmpfile
         echo "OK: Slave SQL running: ${check} Slave IO running: ${checkio} / master: ${masterinfo} / slave is ${delayinfo} seconds behind master | delay=${delayinfo}s"; exit ${STATE_OK};
       fi
diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index 8c2e66584..c9655a8ec 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -130,7 +130,7 @@ while (true) {
   curl_close($ch);
 
   if ($code != 200){
-    logMsg("err", "Recieved HTTP {$code}");
+    logMsg("err", "Received HTTP {$code}");
     session_destroy();
     exit;
   }
@@ -141,7 +141,7 @@ while (true) {
     break;
   }
   if (!is_array($response)){
-    logMsg("err", "Recieved malformed response from keycloak api");
+    logMsg("err", "Received malformed response from keycloak api");
     break;
   }
   if (count($response) == 0) {
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 64282b075..5c66e8b92 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -21,7 +21,7 @@ if ($iam_provider){
     }
   } elseif ($_GET['code'] && $_GET['state'] === $_SESSION['oauth2state']) {
     // Check given state against previously stored one to mitigate CSRF attack
-    // Recieved access token in $_GET['code']
+    // Received access token in $_GET['code']
     // extract info and verify user
     identity_provider('verify-sso');
   }
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 1876836de..5d6911e91 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -624,7 +624,7 @@
         "alias": "Edit alias",
         "allow_from_smtp": "Only allow these IPs to use <b>SMTP</b>",
         "allow_from_smtp_info": "Leave empty to allow all senders.<br>IPv4/IPv6 addresses and networks.",
-        "allowed_protocols": "Allowed protocols",
+        "allowed_protocols": "Allowed protocols for direct user access (does not affect app password protocols)",
         "app_name": "App name",
         "app_passwd": "App password",
         "app_passwd_protocols": "Allowed protocols for app password",
@@ -844,7 +844,7 @@
         "all_domains": "All Domains",
         "allow_from_smtp": "Only allow these IPs to use <b>SMTP</b>",
         "allow_from_smtp_info": "Leave empty to allow all senders.<br>IPv4/IPv6 addresses and networks.",
-        "allowed_protocols": "Allowed protocols for direct user access (does not affect app password protocols)",
+        "allowed_protocols": "Allowed protocols",
         "backup_mx": "Relay domain",
         "bcc": "BCC",
         "bcc_destination": "BCC destination",
diff --git a/data/web/lang/lang.ja-jp.json b/data/web/lang/lang.ja-jp.json
index ffd0a5bd3..74c04248c 100644
--- a/data/web/lang/lang.ja-jp.json
+++ b/data/web/lang/lang.ja-jp.json
@@ -581,7 +581,7 @@
         "alias": "エイリアスを編集",
         "allow_from_smtp": "<b>SMTP</b>を使用するこれらのIPのみを許可",
         "allow_from_smtp_info": "すべての送信者を許可するには空欄にしてください。<br>IPv4/IPv6アドレスおよびネットワークを指定できます。",
-        "allowed_protocols": "許可されたプロトコル",
+        "allowed_protocols": "直接ユーザーアクセスで許可されるプロトコル（アプリパスワードプロトコルには影響しません）",
         "app_name": "アプリ名",
         "app_passwd": "アプリパスワード",
         "app_passwd_protocols": "アプリパスワードで許可されるプロトコル",
@@ -798,7 +798,7 @@
         "all_domains": "すべてのドメイン",
         "allow_from_smtp": "<b>SMTP</b>を使用するこれらのIPのみを許可",
         "allow_from_smtp_info": "すべての送信者を許可するには空欄にしてください。<br>IPv4/IPv6アドレスおよびネットワークを指定可能。",
-        "allowed_protocols": "直接ユーザーアクセスで許可されるプロトコル（アプリパスワードプロトコルには影響しません）",
+        "allowed_protocols": "許可されたプロトコル",
         "backup_mx": "リレードメイン",
         "bcc": "BCC",
         "bcc_destination": "BCC送信先",
diff --git a/data/web/lang/lang.pt-br.json b/data/web/lang/lang.pt-br.json
index 57e79ede8..57a4abd3d 100644
--- a/data/web/lang/lang.pt-br.json
+++ b/data/web/lang/lang.pt-br.json
@@ -581,7 +581,7 @@
         "alias": "Editar alias",
         "allow_from_smtp": "<b>Permita que esses IPs usem apenas SMTP</b>",
         "allow_from_smtp_info": "Deixe em branco para permitir todos os remetentes. Endereços e <br>redes IPv4/IPv6.",
-        "allowed_protocols": "Protocolos permitidos",
+        "allowed_protocols": "Protocolos permitidos para acesso direto do usuário (não afeta os protocolos de senha do aplicativo)",
         "app_name": "Nome do aplicativo",
         "app_passwd": "Senha do aplicativo",
         "app_passwd_protocols": "Protocolos permitidos para a senha do aplicativo",
@@ -793,7 +793,7 @@
         "all_domains": "Todos os domínios",
         "allow_from_smtp": "<b>Permita que esses IPs usem apenas SMTP</b>",
         "allow_from_smtp_info": "Deixe em branco para permitir todos os remetentes. Endereços e <br>redes IPv4/IPv6.",
-        "allowed_protocols": "Protocolos permitidos para acesso direto do usuário (não afeta os protocolos de senha do aplicativo)",
+        "allowed_protocols": "Protocolos permitidos",
         "backup_mx": "Domínio de retransmissão",
         "bcc": "BCC",
         "bcc_destination": "Destino BCC",
diff --git a/data/web/lang/lang.tr-tr.json b/data/web/lang/lang.tr-tr.json
index 73513e3c0..aa1b90df1 100644
--- a/data/web/lang/lang.tr-tr.json
+++ b/data/web/lang/lang.tr-tr.json
@@ -482,7 +482,7 @@
         "sender_acl_disabled": "<span class=\\\"label label-danger\\\">Gönderen denetimi devre dışı</span>",
         "allow_from_smtp": "Yalnızca bu IP'lerin <b>SMTP</b> kullanmasına izin verin",
         "allow_from_smtp_info": "Tüm gönderenlere izin vermek için boş bırakın.<br>IPv4/IPv6 adresleri ve ağları.",
-        "allowed_protocols": "İzin verilen protokoller",
+        "allowed_protocols": "Doğrudan kullanıcı erişimi için izin verilen protokoller (uygulama parola protokollerini etkilemez)",
         "app_name": "Uygulama adı",
         "app_passwd": "Uygulama şifresi",
         "app_passwd_protocols": "Uygulama şifresi için izin verilen protokoller",
@@ -782,7 +782,7 @@
         "aliases": "Takma Adlar",
         "all_domains": "Tüm Alan Adları",
         "allow_from_smtp": "Yalnızca bu IP'lerin <b>SMTP</b> kullanmasına izin verin",
-        "allowed_protocols": "Doğrudan kullanıcı erişimi için izin verilen protokoller (uygulama parola protokollerini etkilemez)",
+        "allowed_protocols": "İzin verilen protokoller",
         "backup_mx": "Geçiş alanı",
         "bcc": "BCC",
         "bcc_destination": "Gizli hedef",
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 0740253a1..70a48a91a 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -554,7 +554,7 @@
         "alias": "编辑别名",
         "allow_from_smtp": "只允许这些 IP 使用 <b>SMTP</b>",
         "allow_from_smtp_info": "留空以允许所有发送者。<br>IPv4/IPv6 地址和网络。",
-        "allowed_protocols": "允许的协议",
+        "allowed_protocols": "允许用户直接访问的协议 (不会影响应用的密码协议)",
         "app_name": "应用名称",
         "app_passwd": "应用密码",
         "app_passwd_protocols": "应用密码允许的协议",
@@ -770,7 +770,7 @@
         "all_domains": "全部域名",
         "allow_from_smtp": "只允许这些 IP 使用 <b>SMTP</b>",
         "allow_from_smtp_info": "留空以允许所有发送者。<br>IPv4/IPv6 地址或网络。",
-        "allowed_protocols": "允许用户直接访问的协议 (不会影响应用的密码协议)",
+        "allowed_protocols": "允许的协议",
         "backup_mx": "中继域名",
         "bcc": "BCC",
         "bcc_destination": "BCC 目标地址",
diff --git a/data/web/lang/lang.zh-tw.json b/data/web/lang/lang.zh-tw.json
index 63ac5df04..aaa6d756f 100644
--- a/data/web/lang/lang.zh-tw.json
+++ b/data/web/lang/lang.zh-tw.json
@@ -553,7 +553,7 @@
         "alias": "編輯別名",
         "allow_from_smtp": "只允許這些 IP 使用 <b>SMTP</b>",
         "allow_from_smtp_info": "留空將允許所有寄件人<br>IPv4/IPv6 地址或網路",
-        "allowed_protocols": "允許的協定",
+        "allowed_protocols": "使用者直接存取時允許的協定 (不影響應用程式密碼所能使用的協定)",
         "app_name": "應用程式名稱",
         "app_passwd": "應用程式密碼",
         "app_passwd_protocols": "應用程式密碼允許的協定",
@@ -763,7 +763,7 @@
         "all_domains": "所有域名",
         "allow_from_smtp": "只允許這些 IP 使用<b>SMTP</b>",
         "allow_from_smtp_info": "留空以允許所有發送者<br>IPv4/IPv6 地址或網路",
-        "allowed_protocols": "使用者直接存取時允許的協定 (不影響應用程式密碼所能使用的協定)",
+        "allowed_protocols": "允許的協定",
         "backup_mx": "中繼域名",
         "bcc": "密件副本",
         "bcc_destination": "密件副本目標地址",
diff --git a/update.sh b/update.sh
index 5a258b529..ea2fcf17f 100755
--- a/update.sh
+++ b/update.sh
@@ -911,7 +911,7 @@ while (($#)); do
   --skip-start         -   Do not start mailcow after update
   --skip-ping-check    -   Skip ICMP Check to public DNS resolvers (Use it only if you'\''ve blocked any ICMP Connections to your mailcow machine)
   --stable             -   Switch your mailcow updates to the stable (master) branch. Default unless you changed it with --nightly or --legacy.
-  --legacy             -   Switch your mailcow updates to the legacy branch. The legacy branch will only recieve security updates until February 2026.
+  --legacy             -   Switch your mailcow updates to the legacy branch. The legacy branch will only receive security updates until February 2026.
   -f|--force           -   Force update, do not ask questions
   -d|--dev             -   Enables Developer Mode (No Checkout of update.sh for tests)
 '
@@ -1318,7 +1318,7 @@ if ! [ "$NEW_BRANCH" ]; then
     echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m"
 
   elif [ "${BRANCH}" == "legacy" ]; then
-    echo -e "\e[31mYou are receiving legacy updates. The legacy branch will only recieve security updates until February 2026.\e[0m"
+    echo -e "\e[31mYou are receiving legacy updates. The legacy branch will only receive security updates until February 2026.\e[0m"
     sleep 1
     echo -e "\e[33mTo change that run the update.sh Script one time with the --stable parameter to switch to stable builds.\e[0m"
 

From fcb1b29c890ca2cd5e6718b7cec9c078d3a5251a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Mar 2025 08:32:34 +0100
Subject: [PATCH 214/378] [Web] Fix SOGo access after Passwordless auth

---
 data/web/inc/functions.inc.php            | 17 ++++++++++-------
 data/web/inc/triggers.admin.inc.php       |  7 ++++++-
 data/web/inc/triggers.domainadmin.inc.php |  7 ++++++-
 data/web/inc/triggers.user.inc.php        |  6 +++++-
 4 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 3593ff2c4..6a70eb6e3 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1385,6 +1385,7 @@ function fido2($_data) {
       );
     break;
     case "verify":
+      $role = "";
       $tokenData = json_decode($_data['token']);
       $clientDataJSON = base64_decode($tokenData->clientDataJSON);
       $authenticatorData = base64_decode($tokenData->authenticatorData);
@@ -1418,17 +1419,17 @@ function fido2($_data) {
       $stmt->execute(array(':username' => $process_fido2['username']));
       $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
       if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) {
-        $_SESSION["mailcow_cc_role"] = "admin";
+        $role = "admin";
       }
       elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) {
-        $_SESSION["mailcow_cc_role"] = "domainadmin";
+        $role = "domainadmin";
       }
       elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) {
         $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
         $stmt->execute(array(':username' => $process_fido2['username']));
         $row = $stmt->fetch(PDO::FETCH_ASSOC);
         if ($row['username'] == $process_fido2['username']) {
-          $_SESSION["mailcow_cc_role"] = "user";
+          $role = "user";
         }
       }
       else {
@@ -1439,7 +1440,7 @@ function fido2($_data) {
         );
         return false;
       }
-      if (empty($_SESSION["mailcow_cc_role"])) {
+      if (empty($role)) {
         session_unset();
         session_destroy();
         $_SESSION['return'][] =  array(
@@ -1449,15 +1450,17 @@ function fido2($_data) {
         );
         return false;
       }
-      $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
-      $_SESSION["fido2_cid"] = $process_fido2['cid'];
       unset($_SESSION["challenge"]);
       $_SESSION['return'][] =  array(
         'type' => 'success',
         'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
         'msg' => array('logged_in_as', $process_fido2['username'])
       );
-      return true;
+      return array(
+        "role" => $role,
+        "username" => $process_fido2['username'],
+        "cid" => $process_fido2['cid']
+      );
     break;
   }
 }
diff --git a/data/web/inc/triggers.admin.inc.php b/data/web/inc/triggers.admin.inc.php
index 883d9fd5c..df46a459c 100644
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -19,11 +19,16 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
     "action" => "verify",
     "token" => $_POST["token"],
     "user" => "admin"
   ));
+  if (is_array($res) && $res['role'] == "admin" && !empty($res['username'])){
+    $_SESSION["mailcow_cc_username"] = $res['username'];
+    $_SESSION["mailcow_cc_role"] = $res['role'];
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
   exit;
 }
 
diff --git a/data/web/inc/triggers.domainadmin.inc.php b/data/web/inc/triggers.domainadmin.inc.php
index dd1c653bd..a9f913688 100644
--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -30,11 +30,16 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
     "action" => "verify",
     "token" => $_POST["token"],
     "user" => "domainadmin"
   ));
+  if (is_array($res) && $res['role'] == "domainadmin" && !empty($res['username'])){
+    $_SESSION["mailcow_cc_username"] = $res['username'];
+    $_SESSION["mailcow_cc_role"] = $res['role'];
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
   exit;
 }
 
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 64282b075..842fad14a 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -84,11 +84,15 @@ if (isset($_POST["verify_tfa_login"])) {
   unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
-  fido2(array(
+  $res = fido2(array(
     "action" => "verify",
     "token" => $_POST["token"],
     "user" => "user"
   ));
+  if (is_array($res) && $res['role'] == "user" && !empty($res['username'])){
+    set_user_loggedin_session($res['username']);
+    $_SESSION["fido2_cid"] = $res['cid'];
+  }
   exit;
 }
 

From 348107dae84119f824b1e100073d8d30edcb2a05 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Mar 2025 09:13:05 +0100
Subject: [PATCH 215/378] [Web] Fix oauth2 redirect after user login

---
 data/web/inc/triggers.user.inc.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 64282b075..c6835037f 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -66,6 +66,14 @@ if (isset($_POST["verify_tfa_login"])) {
         die();
       } else {
         set_user_loggedin_session($_SESSION['pending_mailcow_cc_username']);
+
+        if (isset($_SESSION['oauth2_request'])) {
+          $oauth2_request = $_SESSION['oauth2_request'];
+          unset($_SESSION['oauth2_request']);
+          header('Location: ' . $oauth2_request);
+          die();
+        }
+
         $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
         $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
         if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
@@ -118,6 +126,12 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
         header("Location: /mobileconfig.php");
         die();
     }
+    if (isset($_SESSION['oauth2_request'])) {
+      $oauth2_request = $_SESSION['oauth2_request'];
+      unset($_SESSION['oauth2_request']);
+      header('Location: ' . $oauth2_request);
+      die();
+    }
 
     $user_details = mailbox("get", "mailbox_details", $login_user);
     $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;

From 21b11ed99923a0c26b32f26b6663d2dbbab7ce81 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Mar 2025 09:24:03 +0100
Subject: [PATCH 216/378] [Swagger] Fix type property for /api/v1/add/bcc
 endpoint

---
 data/web/api/openapi.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml
index f1ad31eb3..afab5fb0c 100644
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -346,7 +346,8 @@ paths:
                   description: the domain which emails should be forwarded
                   type: string
                 type:
-                  description: the type of bcc map can be `sender` or `recipient`
+                  description: the type of bcc map can be `sender` or `rcpt`
+                  enum: [sender, rcpt]
                   type: string
               type: object
       summary: Create BCC Map

From 95aa35e133d4c23498ce21d977478c038f7b1f8d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Mar 2025 10:10:22 +0100
Subject: [PATCH 217/378] [Web] Check if mailbox is active before renaming

---
 data/web/inc/functions.mailbox.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index bb9b23045..d5daeddcd 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -3324,7 +3324,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           $is_now = mailbox('get', 'mailbox_details', $old_username);
-          if (empty($is_now)) {
+          if (empty($is_now) || ($is_now['active'] != '1' && $is_now['active'] != '2')) {
             $_SESSION['return'][] = array(
               'type' => 'danger',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),

From a5ca3353dae37b338778b7faf6f9d471f5081701 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Mar 2025 10:59:56 +0100
Subject: [PATCH 218/378] [Web] Use absolute paths for flag SVGs

---
 data/web/css/build/007-languages.min.css | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/css/build/007-languages.min.css b/data/web/css/build/007-languages.min.css
index 864e338df..9d8cb205d 100644
--- a/data/web/css/build/007-languages.min.css
+++ b/data/web/css/build/007-languages.min.css
@@ -1 +1 @@
-.flag-icon-background{background-size:contain;background-position:50%;background-repeat:no-repeat}.flag-icon{background-size:contain;background-position:50%;background-repeat:no-repeat;position:relative;display:inline-block;width:1.33333333em;line-height:1em}.flag-icon:before{content:'\00a0'}.flag-icon.flag-icon-squared{width:1em}.flag-icon-ad{background-image:url(../flags/4x3/ad.svg)}.flag-icon-ad.flag-icon-squared{background-image:url(../flags/1x1/ad.svg)}.flag-icon-ae{background-image:url(../flags/4x3/ae.svg)}.flag-icon-ae.flag-icon-squared{background-image:url(../flags/1x1/ae.svg)}.flag-icon-af{background-image:url(../flags/4x3/af.svg)}.flag-icon-af.flag-icon-squared{background-image:url(../flags/1x1/af.svg)}.flag-icon-ag{background-image:url(../flags/4x3/ag.svg)}.flag-icon-ag.flag-icon-squared{background-image:url(../flags/1x1/ag.svg)}.flag-icon-ai{background-image:url(../flags/4x3/ai.svg)}.flag-icon-ai.flag-icon-squared{background-image:url(../flags/1x1/ai.svg)}.flag-icon-al{background-image:url(../flags/4x3/al.svg)}.flag-icon-al.flag-icon-squared{background-image:url(../flags/1x1/al.svg)}.flag-icon-am{background-image:url(../flags/4x3/am.svg)}.flag-icon-am.flag-icon-squared{background-image:url(../flags/1x1/am.svg)}.flag-icon-ao{background-image:url(../flags/4x3/ao.svg)}.flag-icon-ao.flag-icon-squared{background-image:url(../flags/1x1/ao.svg)}.flag-icon-aq{background-image:url(../flags/4x3/aq.svg)}.flag-icon-aq.flag-icon-squared{background-image:url(../flags/1x1/aq.svg)}.flag-icon-ar{background-image:url(../flags/4x3/ar.svg)}.flag-icon-ar.flag-icon-squared{background-image:url(../flags/1x1/ar.svg)}.flag-icon-as{background-image:url(../flags/4x3/as.svg)}.flag-icon-as.flag-icon-squared{background-image:url(../flags/1x1/as.svg)}.flag-icon-at{background-image:url(../flags/4x3/at.svg)}.flag-icon-at.flag-icon-squared{background-image:url(../flags/1x1/at.svg)}.flag-icon-au{background-image:url(../flags/4x3/au.svg)}.flag-icon-au.flag-icon-squared{background-image:url(../flags/1x1/au.svg)}.flag-icon-aw{background-image:url(../flags/4x3/aw.svg)}.flag-icon-aw.flag-icon-squared{background-image:url(../flags/1x1/aw.svg)}.flag-icon-ax{background-image:url(../flags/4x3/ax.svg)}.flag-icon-ax.flag-icon-squared{background-image:url(../flags/1x1/ax.svg)}.flag-icon-az{background-image:url(../flags/4x3/az.svg)}.flag-icon-az.flag-icon-squared{background-image:url(../flags/1x1/az.svg)}.flag-icon-ba{background-image:url(../flags/4x3/ba.svg)}.flag-icon-ba.flag-icon-squared{background-image:url(../flags/1x1/ba.svg)}.flag-icon-bb{background-image:url(../flags/4x3/bb.svg)}.flag-icon-bb.flag-icon-squared{background-image:url(../flags/1x1/bb.svg)}.flag-icon-bd{background-image:url(../flags/4x3/bd.svg)}.flag-icon-bd.flag-icon-squared{background-image:url(../flags/1x1/bd.svg)}.flag-icon-be{background-image:url(../flags/4x3/be.svg)}.flag-icon-be.flag-icon-squared{background-image:url(../flags/1x1/be.svg)}.flag-icon-bf{background-image:url(../flags/4x3/bf.svg)}.flag-icon-bf.flag-icon-squared{background-image:url(../flags/1x1/bf.svg)}.flag-icon-bg{background-image:url(../flags/4x3/bg.svg)}.flag-icon-bg.flag-icon-squared{background-image:url(../flags/1x1/bg.svg)}.flag-icon-bh{background-image:url(../flags/4x3/bh.svg)}.flag-icon-bh.flag-icon-squared{background-image:url(../flags/1x1/bh.svg)}.flag-icon-bi{background-image:url(../flags/4x3/bi.svg)}.flag-icon-bi.flag-icon-squared{background-image:url(../flags/1x1/bi.svg)}.flag-icon-bj{background-image:url(../flags/4x3/bj.svg)}.flag-icon-bj.flag-icon-squared{background-image:url(../flags/1x1/bj.svg)}.flag-icon-bl{background-image:url(../flags/4x3/bl.svg)}.flag-icon-bl.flag-icon-squared{background-image:url(../flags/1x1/bl.svg)}.flag-icon-bm{background-image:url(../flags/4x3/bm.svg)}.flag-icon-bm.flag-icon-squared{background-image:url(../flags/1x1/bm.svg)}.flag-icon-bn{background-image:url(../flags/4x3/bn.svg)}.flag-icon-bn.flag-icon-squared{background-image:url(../flags/1x1/bn.svg)}.flag-icon-bo{background-image:url(../flags/4x3/bo.svg)}.flag-icon-bo.flag-icon-squared{background-image:url(../flags/1x1/bo.svg)}.flag-icon-bq{background-image:url(../flags/4x3/bq.svg)}.flag-icon-bq.flag-icon-squared{background-image:url(../flags/1x1/bq.svg)}.flag-icon-br{background-image:url(../flags/4x3/br.svg)}.flag-icon-br.flag-icon-squared{background-image:url(../flags/1x1/br.svg)}.flag-icon-bs{background-image:url(../flags/4x3/bs.svg)}.flag-icon-bs.flag-icon-squared{background-image:url(../flags/1x1/bs.svg)}.flag-icon-bt{background-image:url(../flags/4x3/bt.svg)}.flag-icon-bt.flag-icon-squared{background-image:url(../flags/1x1/bt.svg)}.flag-icon-bv{background-image:url(../flags/4x3/bv.svg)}.flag-icon-bv.flag-icon-squared{background-image:url(../flags/1x1/bv.svg)}.flag-icon-bw{background-image:url(../flags/4x3/bw.svg)}.flag-icon-bw.flag-icon-squared{background-image:url(../flags/1x1/bw.svg)}.flag-icon-by{background-image:url(../flags/4x3/by.svg)}.flag-icon-by.flag-icon-squared{background-image:url(../flags/1x1/by.svg)}.flag-icon-bz{background-image:url(../flags/4x3/bz.svg)}.flag-icon-bz.flag-icon-squared{background-image:url(../flags/1x1/bz.svg)}.flag-icon-ca{background-image:url(../flags/4x3/ca.svg)}.flag-icon-ca.flag-icon-squared{background-image:url(../flags/1x1/ca.svg)}.flag-icon-cc{background-image:url(../flags/4x3/cc.svg)}.flag-icon-cc.flag-icon-squared{background-image:url(../flags/1x1/cc.svg)}.flag-icon-cd{background-image:url(../flags/4x3/cd.svg)}.flag-icon-cd.flag-icon-squared{background-image:url(../flags/1x1/cd.svg)}.flag-icon-cf{background-image:url(../flags/4x3/cf.svg)}.flag-icon-cf.flag-icon-squared{background-image:url(../flags/1x1/cf.svg)}.flag-icon-cg{background-image:url(../flags/4x3/cg.svg)}.flag-icon-cg.flag-icon-squared{background-image:url(../flags/1x1/cg.svg)}.flag-icon-ch{background-image:url(../flags/4x3/ch.svg)}.flag-icon-ch.flag-icon-squared{background-image:url(../flags/1x1/ch.svg)}.flag-icon-ci{background-image:url(../flags/4x3/ci.svg)}.flag-icon-ci.flag-icon-squared{background-image:url(../flags/1x1/ci.svg)}.flag-icon-ck{background-image:url(../flags/4x3/ck.svg)}.flag-icon-ck.flag-icon-squared{background-image:url(../flags/1x1/ck.svg)}.flag-icon-cl{background-image:url(../flags/4x3/cl.svg)}.flag-icon-cl.flag-icon-squared{background-image:url(../flags/1x1/cl.svg)}.flag-icon-cm{background-image:url(../flags/4x3/cm.svg)}.flag-icon-cm.flag-icon-squared{background-image:url(../flags/1x1/cm.svg)}.flag-icon-zh{background-image:url(../flags/4x3/zh.svg)}.flag-iconzh.flag-icon-squared{background-image:url(../flags/1x1/zh.svg)}.flag-icon-cn{background-image:url(../flags/4x3/cn.svg)}.flag-icon-cn.flag-icon-squared{background-image:url(../flags/1x1/cn.svg)}.flag-icon-co{background-image:url(../flags/4x3/co.svg)}.flag-icon-co.flag-icon-squared{background-image:url(../flags/1x1/co.svg)}.flag-icon-cr{background-image:url(../flags/4x3/cr.svg)}.flag-icon-cr.flag-icon-squared{background-image:url(../flags/1x1/cr.svg)}.flag-icon-cu{background-image:url(../flags/4x3/cu.svg)}.flag-icon-cu.flag-icon-squared{background-image:url(../flags/1x1/cu.svg)}.flag-icon-cv{background-image:url(../flags/4x3/cv.svg)}.flag-icon-cv.flag-icon-squared{background-image:url(../flags/1x1/cv.svg)}.flag-icon-cw{background-image:url(../flags/4x3/cw.svg)}.flag-icon-cw.flag-icon-squared{background-image:url(../flags/1x1/cw.svg)}.flag-icon-cx{background-image:url(../flags/4x3/cx.svg)}.flag-icon-cx.flag-icon-squared{background-image:url(../flags/1x1/cx.svg)}.flag-icon-cy{background-image:url(../flags/4x3/cy.svg)}.flag-icon-cy.flag-icon-squared{background-image:url(../flags/1x1/cy.svg)}.flag-icon-cz{background-image:url(../flags/4x3/cz.svg)}.flag-icon-cz.flag-icon-squared{background-image:url(../flags/1x1/cz.svg)}.flag-icon-cs{background-image:url(../flags/4x3/cs.svg)}.flag-icon-cs.flag-icon-squared{background-image:url(../flags/1x1/cs.svg)}.flag-icon-de{background-image:url(../flags/4x3/de.svg)}.flag-icon-de.flag-icon-squared{background-image:url(../flags/1x1/de.svg)}.flag-icon-dj{background-image:url(../flags/4x3/dj.svg)}.flag-icon-dj.flag-icon-squared{background-image:url(../flags/1x1/dj.svg)}.flag-icon-da{background-image:url(../flags/4x3/da.svg)}.flag-icon-da.flag-icon-squared{background-image:url(../flags/1x1/d.svg)}.flag-icon-dk{background-image:url(../flags/4x3/dk.svg)}.flag-icon-dk.flag-icon-squared{background-image:url(../flags/1x1/dk.svg)}.flag-icon-dm{background-image:url(../flags/4x3/dm.svg)}.flag-icon-dm.flag-icon-squared{background-image:url(../flags/1x1/dm.svg)}.flag-icon-do{background-image:url(../flags/4x3/do.svg)}.flag-icon-do.flag-icon-squared{background-image:url(../flags/1x1/do.svg)}.flag-icon-dz{background-image:url(../flags/4x3/dz.svg)}.flag-icon-dz.flag-icon-squared{background-image:url(../flags/1x1/dz.svg)}.flag-icon-ec{background-image:url(../flags/4x3/ec.svg)}.flag-icon-ec.flag-icon-squared{background-image:url(../flags/1x1/ec.svg)}.flag-icon-ee{background-image:url(../flags/4x3/ee.svg)}.flag-icon-ee.flag-icon-squared{background-image:url(../flags/1x1/ee.svg)}.flag-icon-eg{background-image:url(../flags/4x3/eg.svg)}.flag-icon-eg.flag-icon-squared{background-image:url(../flags/1x1/eg.svg)}.flag-icon-eh{background-image:url(../flags/4x3/eh.svg)}.flag-icon-eh.flag-icon-squared{background-image:url(../flags/1x1/eh.svg)}.flag-icon-er{background-image:url(../flags/4x3/er.svg)}.flag-icon-er.flag-icon-squared{background-image:url(../flags/1x1/er.svg)}.flag-icon-es{background-image:url(../flags/4x3/es.svg)}.flag-icon-es.flag-icon-squared{background-image:url(../flags/1x1/es.svg)}.flag-icon-et{background-image:url(../flags/4x3/et.svg)}.flag-icon-et.flag-icon-squared{background-image:url(../flags/1x1/et.svg)}.flag-icon-fi{background-image:url(../flags/4x3/fi.svg)}.flag-icon-fi.flag-icon-squared{background-image:url(../flags/1x1/fi.svg)}.flag-icon-fj{background-image:url(../flags/4x3/fj.svg)}.flag-icon-fj.flag-icon-squared{background-image:url(../flags/1x1/fj.svg)}.flag-icon-fk{background-image:url(../flags/4x3/fk.svg)}.flag-icon-fk.flag-icon-squared{background-image:url(../flags/1x1/fk.svg)}.flag-icon-fm{background-image:url(../flags/4x3/fm.svg)}.flag-icon-fm.flag-icon-squared{background-image:url(../flags/1x1/fm.svg)}.flag-icon-fo{background-image:url(../flags/4x3/fo.svg)}.flag-icon-fo.flag-icon-squared{background-image:url(../flags/1x1/fo.svg)}.flag-icon-fr{background-image:url(../flags/4x3/fr.svg)}.flag-icon-fr.flag-icon-squared{background-image:url(../flags/1x1/fr.svg)}.flag-icon-ga{background-image:url(../flags/4x3/ga.svg)}.flag-icon-ga.flag-icon-squared{background-image:url(../flags/1x1/ga.svg)}.flag-icon-gb{background-image:url(../flags/4x3/en.svg)}.flag-icon-gb.flag-icon-squared{background-image:url(../flags/1x1/en.svg)}.flag-icon-gd{background-image:url(../flags/4x3/gd.svg)}.flag-icon-gd.flag-icon-squared{background-image:url(../flags/1x1/gd.svg)}.flag-icon-ge{background-image:url(../flags/4x3/ge.svg)}.flag-icon-ge.flag-icon-squared{background-image:url(../flags/1x1/ge.svg)}.flag-icon-gf{background-image:url(../flags/4x3/gf.svg)}.flag-icon-gf.flag-icon-squared{background-image:url(../flags/1x1/gf.svg)}.flag-icon-gg{background-image:url(../flags/4x3/gg.svg)}.flag-icon-gg.flag-icon-squared{background-image:url(../flags/1x1/gg.svg)}.flag-icon-gh{background-image:url(../flags/4x3/gh.svg)}.flag-icon-gh.flag-icon-squared{background-image:url(../flags/1x1/gh.svg)}.flag-icon-gi{background-image:url(../flags/4x3/gi.svg)}.flag-icon-gi.flag-icon-squared{background-image:url(../flags/1x1/gi.svg)}.flag-icon-gl{background-image:url(../flags/4x3/gl.svg)}.flag-icon-gl.flag-icon-squared{background-image:url(../flags/1x1/gl.svg)}.flag-icon-gm{background-image:url(../flags/4x3/gm.svg)}.flag-icon-gm.flag-icon-squared{background-image:url(../flags/1x1/gm.svg)}.flag-icon-gn{background-image:url(../flags/4x3/gn.svg)}.flag-icon-gn.flag-icon-squared{background-image:url(../flags/1x1/gn.svg)}.flag-icon-gp{background-image:url(../flags/4x3/gp.svg)}.flag-icon-gp.flag-icon-squared{background-image:url(../flags/1x1/gp.svg)}.flag-icon-gq{background-image:url(../flags/4x3/gq.svg)}.flag-icon-gq.flag-icon-squared{background-image:url(../flags/1x1/gq.svg)}.flag-icon-gr{background-image:url(../flags/4x3/gr.svg)}.flag-icon-gr.flag-icon-squared{background-image:url(../flags/1x1/gr.svg)}.flag-icon-gs{background-image:url(../flags/4x3/gs.svg)}.flag-icon-gs.flag-icon-squared{background-image:url(../flags/1x1/gs.svg)}.flag-icon-gt{background-image:url(../flags/4x3/gt.svg)}.flag-icon-gt.flag-icon-squared{background-image:url(../flags/1x1/gt.svg)}.flag-icon-gu{background-image:url(../flags/4x3/gu.svg)}.flag-icon-gu.flag-icon-squared{background-image:url(../flags/1x1/gu.svg)}.flag-icon-gw{background-image:url(../flags/4x3/gw.svg)}.flag-icon-gw.flag-icon-squared{background-image:url(../flags/1x1/gw.svg)}.flag-icon-gy{background-image:url(../flags/4x3/gy.svg)}.flag-icon-gy.flag-icon-squared{background-image:url(../flags/1x1/gy.svg)}.flag-icon-hk{background-image:url(../flags/4x3/hk.svg)}.flag-icon-hk.flag-icon-squared{background-image:url(../flags/1x1/hk.svg)}.flag-icon-hm{background-image:url(../flags/4x3/hm.svg)}.flag-icon-hm.flag-icon-squared{background-image:url(../flags/1x1/hm.svg)}.flag-icon-hn{background-image:url(../flags/4x3/hn.svg)}.flag-icon-hn.flag-icon-squared{background-image:url(../flags/1x1/hn.svg)}.flag-icon-hr{background-image:url(../flags/4x3/hr.svg)}.flag-icon-hr.flag-icon-squared{background-image:url(../flags/1x1/hr.svg)}.flag-icon-ht{background-image:url(../flags/4x3/ht.svg)}.flag-icon-ht.flag-icon-squared{background-image:url(../flags/1x1/ht.svg)}.flag-icon-hu{background-image:url(../flags/4x3/hu.svg)}.flag-icon-hu.flag-icon-squared{background-image:url(../flags/1x1/hu.svg)}.flag-icon-id{background-image:url(../flags/4x3/id.svg)}.flag-icon-id.flag-icon-squared{background-image:url(../flags/1x1/id.svg)}.flag-icon-ie{background-image:url(../flags/4x3/ie.svg)}.flag-icon-ie.flag-icon-squared{background-image:url(../flags/1x1/ie.svg)}.flag-icon-il{background-image:url(../flags/4x3/il.svg)}.flag-icon-il.flag-icon-squared{background-image:url(../flags/1x1/il.svg)}.flag-icon-im{background-image:url(../flags/4x3/im.svg)}.flag-icon-im.flag-icon-squared{background-image:url(../flags/1x1/im.svg)}.flag-icon-in{background-image:url(../flags/4x3/in.svg)}.flag-icon-in.flag-icon-squared{background-image:url(../flags/1x1/in.svg)}.flag-icon-io{background-image:url(../flags/4x3/io.svg)}.flag-icon-io.flag-icon-squared{background-image:url(../flags/1x1/io.svg)}.flag-icon-iq{background-image:url(../flags/4x3/iq.svg)}.flag-icon-iq.flag-icon-squared{background-image:url(../flags/1x1/iq.svg)}.flag-icon-ir{background-image:url(../flags/4x3/ir.svg)}.flag-icon-ir.flag-icon-squared{background-image:url(../flags/1x1/ir.svg)}.flag-icon-is{background-image:url(../flags/4x3/is.svg)}.flag-icon-is.flag-icon-squared{background-image:url(../flags/1x1/is.svg)}.flag-icon-it{background-image:url(../flags/4x3/it.svg)}.flag-icon-it.flag-icon-squared{background-image:url(../flags/1x1/it.svg)}.flag-icon-je{background-image:url(../flags/4x3/je.svg)}.flag-icon-je.flag-icon-squared{background-image:url(../flags/1x1/je.svg)}.flag-icon-jm{background-image:url(../flags/4x3/jm.svg)}.flag-icon-jm.flag-icon-squared{background-image:url(../flags/1x1/jm.svg)}.flag-icon-jo{background-image:url(../flags/4x3/jo.svg)}.flag-icon-jo.flag-icon-squared{background-image:url(../flags/1x1/jo.svg)}.flag-icon-jp{background-image:url(../flags/4x3/jp.svg)}.flag-icon-jp.flag-icon-squared{background-image:url(../flags/1x1/jp.svg)}.flag-icon-ke{background-image:url(../flags/4x3/ke.svg)}.flag-icon-ke.flag-icon-squared{background-image:url(../flags/1x1/ke.svg)}.flag-icon-kg{background-image:url(../flags/4x3/kg.svg)}.flag-icon-kg.flag-icon-squared{background-image:url(../flags/1x1/kg.svg)}.flag-icon-kh{background-image:url(../flags/4x3/kh.svg)}.flag-icon-kh.flag-icon-squared{background-image:url(../flags/1x1/kh.svg)}.flag-icon-ki{background-image:url(../flags/4x3/ki.svg)}.flag-icon-ki.flag-icon-squared{background-image:url(../flags/1x1/ki.svg)}.flag-icon-km{background-image:url(../flags/4x3/km.svg)}.flag-icon-km.flag-icon-squared{background-image:url(../flags/1x1/km.svg)}.flag-icon-kn{background-image:url(../flags/4x3/kn.svg)}.flag-icon-kn.flag-icon-squared{background-image:url(../flags/1x1/kn.svg)}.flag-icon-kp{background-image:url(../flags/4x3/kp.svg)}.flag-icon-kp.flag-icon-squared{background-image:url(../flags/1x1/kp.svg)}.flag-icon-ko{background-image:url(../flags/4x3/ko.svg)}.flag-icon-ko.flag-icon-squared{background-image:url(../flags/1x1/ko.svg)}.flag-icon-kr{background-image:url(../flags/4x3/kr.svg)}.flag-icon-kr.flag-icon-squared{background-image:url(../flags/1x1/kr.svg)}.flag-icon-kw{background-image:url(../flags/4x3/kw.svg)}.flag-icon-kw.flag-icon-squared{background-image:url(../flags/1x1/kw.svg)}.flag-icon-ky{background-image:url(../flags/4x3/ky.svg)}.flag-icon-ky.flag-icon-squared{background-image:url(../flags/1x1/ky.svg)}.flag-icon-kz{background-image:url(../flags/4x3/kz.svg)}.flag-icon-kz.flag-icon-squared{background-image:url(../flags/1x1/kz.svg)}.flag-icon-la{background-image:url(../flags/4x3/la.svg)}.flag-icon-la.flag-icon-squared{background-image:url(../flags/1x1/la.svg)}.flag-icon-lb{background-image:url(../flags/4x3/lb.svg)}.flag-icon-lb.flag-icon-squared{background-image:url(../flags/1x1/lb.svg)}.flag-icon-lc{background-image:url(../flags/4x3/lc.svg)}.flag-icon-lc.flag-icon-squared{background-image:url(../flags/1x1/lc.svg)}.flag-icon-li{background-image:url(../flags/4x3/li.svg)}.flag-icon-li.flag-icon-squared{background-image:url(../flags/1x1/li.svg)}.flag-icon-lk{background-image:url(../flags/4x3/lk.svg)}.flag-icon-lk.flag-icon-squared{background-image:url(../flags/1x1/lk.svg)}.flag-icon-lr{background-image:url(../flags/4x3/lr.svg)}.flag-icon-lr.flag-icon-squared{background-image:url(../flags/1x1/lr.svg)}.flag-icon-ls{background-image:url(../flags/4x3/ls.svg)}.flag-icon-ls.flag-icon-squared{background-image:url(../flags/1x1/ls.svg)}.flag-icon-lt{background-image:url(../flags/4x3/lt.svg)}.flag-icon-lt.flag-icon-squared{background-image:url(../flags/1x1/lt.svg)}.flag-icon-lu{background-image:url(../flags/4x3/lu.svg)}.flag-icon-lu.flag-icon-squared{background-image:url(../flags/1x1/lu.svg)}.flag-icon-lv{background-image:url(../flags/4x3/lv.svg)}.flag-icon-lv.flag-icon-squared{background-image:url(../flags/1x1/lv.svg)}.flag-icon-ly{background-image:url(../flags/4x3/ly.svg)}.flag-icon-ly.flag-icon-squared{background-image:url(../flags/1x1/ly.svg)}.flag-icon-ma{background-image:url(../flags/4x3/ma.svg)}.flag-icon-ma.flag-icon-squared{background-image:url(../flags/1x1/ma.svg)}.flag-icon-mc{background-image:url(../flags/4x3/mc.svg)}.flag-icon-mc.flag-icon-squared{background-image:url(../flags/1x1/mc.svg)}.flag-icon-md{background-image:url(../flags/4x3/md.svg)}.flag-icon-md.flag-icon-squared{background-image:url(../flags/1x1/md.svg)}.flag-icon-me{background-image:url(../flags/4x3/me.svg)}.flag-icon-me.flag-icon-squared{background-image:url(../flags/1x1/me.svg)}.flag-icon-mf{background-image:url(../flags/4x3/mf.svg)}.flag-icon-mf.flag-icon-squared{background-image:url(../flags/1x1/mf.svg)}.flag-icon-mg{background-image:url(../flags/4x3/mg.svg)}.flag-icon-mg.flag-icon-squared{background-image:url(../flags/1x1/mg.svg)}.flag-icon-mh{background-image:url(../flags/4x3/mh.svg)}.flag-icon-mh.flag-icon-squared{background-image:url(../flags/1x1/mh.svg)}.flag-icon-mk{background-image:url(../flags/4x3/mk.svg)}.flag-icon-mk.flag-icon-squared{background-image:url(../flags/1x1/mk.svg)}.flag-icon-ml{background-image:url(../flags/4x3/ml.svg)}.flag-icon-ml.flag-icon-squared{background-image:url(../flags/1x1/ml.svg)}.flag-icon-mm{background-image:url(../flags/4x3/mm.svg)}.flag-icon-mm.flag-icon-squared{background-image:url(../flags/1x1/mm.svg)}.flag-icon-mn{background-image:url(../flags/4x3/mn.svg)}.flag-icon-mn.flag-icon-squared{background-image:url(../flags/1x1/mn.svg)}.flag-icon-mo{background-image:url(../flags/4x3/mo.svg)}.flag-icon-mo.flag-icon-squared{background-image:url(../flags/1x1/mo.svg)}.flag-icon-mp{background-image:url(../flags/4x3/mp.svg)}.flag-icon-mp.flag-icon-squared{background-image:url(../flags/1x1/mp.svg)}.flag-icon-mq{background-image:url(../flags/4x3/mq.svg)}.flag-icon-mq.flag-icon-squared{background-image:url(../flags/1x1/mq.svg)}.flag-icon-mr{background-image:url(../flags/4x3/mr.svg)}.flag-icon-mr.flag-icon-squared{background-image:url(../flags/1x1/mr.svg)}.flag-icon-ms{background-image:url(../flags/4x3/ms.svg)}.flag-icon-ms.flag-icon-squared{background-image:url(../flags/1x1/ms.svg)}.flag-icon-mt{background-image:url(../flags/4x3/mt.svg)}.flag-icon-mt.flag-icon-squared{background-image:url(../flags/1x1/mt.svg)}.flag-icon-mu{background-image:url(../flags/4x3/mu.svg)}.flag-icon-mu.flag-icon-squared{background-image:url(../flags/1x1/mu.svg)}.flag-icon-mv{background-image:url(../flags/4x3/mv.svg)}.flag-icon-mv.flag-icon-squared{background-image:url(../flags/1x1/mv.svg)}.flag-icon-mw{background-image:url(../flags/4x3/mw.svg)}.flag-icon-mw.flag-icon-squared{background-image:url(../flags/1x1/mw.svg)}.flag-icon-mx{background-image:url(../flags/4x3/mx.svg)}.flag-icon-mx.flag-icon-squared{background-image:url(../flags/1x1/mx.svg)}.flag-icon-my{background-image:url(../flags/4x3/my.svg)}.flag-icon-my.flag-icon-squared{background-image:url(../flags/1x1/my.svg)}.flag-icon-mz{background-image:url(../flags/4x3/mz.svg)}.flag-icon-mz.flag-icon-squared{background-image:url(../flags/1x1/mz.svg)}.flag-icon-na{background-image:url(../flags/4x3/na.svg)}.flag-icon-na.flag-icon-squared{background-image:url(../flags/1x1/na.svg)}.flag-icon-nc{background-image:url(../flags/4x3/nc.svg)}.flag-icon-nc.flag-icon-squared{background-image:url(../flags/1x1/nc.svg)}.flag-icon-ne{background-image:url(../flags/4x3/ne.svg)}.flag-icon-ne.flag-icon-squared{background-image:url(../flags/1x1/ne.svg)}.flag-icon-nf{background-image:url(../flags/4x3/nf.svg)}.flag-icon-nf.flag-icon-squared{background-image:url(../flags/1x1/nf.svg)}.flag-icon-ng{background-image:url(../flags/4x3/ng.svg)}.flag-icon-ng.flag-icon-squared{background-image:url(../flags/1x1/ng.svg)}.flag-icon-ni{background-image:url(../flags/4x3/ni.svg)}.flag-icon-ni.flag-icon-squared{background-image:url(../flags/1x1/ni.svg)}.flag-icon-nl{background-image:url(../flags/4x3/nl.svg)}.flag-icon-nl.flag-icon-squared{background-image:url(../flags/1x1/nl.svg)}.flag-icon-no{background-image:url(../flags/4x3/no.svg)}.flag-icon-no.flag-icon-squared{background-image:url(../flags/1x1/no.svg)}.flag-icon-np{background-image:url(../flags/4x3/np.svg)}.flag-icon-np.flag-icon-squared{background-image:url(../flags/1x1/np.svg)}.flag-icon-nr{background-image:url(../flags/4x3/nr.svg)}.flag-icon-nr.flag-icon-squared{background-image:url(../flags/1x1/nr.svg)}.flag-icon-nu{background-image:url(../flags/4x3/nu.svg)}.flag-icon-nu.flag-icon-squared{background-image:url(../flags/1x1/nu.svg)}.flag-icon-nz{background-image:url(../flags/4x3/nz.svg)}.flag-icon-nz.flag-icon-squared{background-image:url(../flags/1x1/nz.svg)}.flag-icon-om{background-image:url(../flags/4x3/om.svg)}.flag-icon-om.flag-icon-squared{background-image:url(../flags/1x1/om.svg)}.flag-icon-pa{background-image:url(../flags/4x3/pa.svg)}.flag-icon-pa.flag-icon-squared{background-image:url(../flags/1x1/pa.svg)}.flag-icon-pe{background-image:url(../flags/4x3/pe.svg)}.flag-icon-pe.flag-icon-squared{background-image:url(../flags/1x1/pe.svg)}.flag-icon-pf{background-image:url(../flags/4x3/pf.svg)}.flag-icon-pf.flag-icon-squared{background-image:url(../flags/1x1/pf.svg)}.flag-icon-pg{background-image:url(../flags/4x3/pg.svg)}.flag-icon-pg.flag-icon-squared{background-image:url(../flags/1x1/pg.svg)}.flag-icon-ph{background-image:url(../flags/4x3/ph.svg)}.flag-icon-ph.flag-icon-squared{background-image:url(../flags/1x1/ph.svg)}.flag-icon-pk{background-image:url(../flags/4x3/pk.svg)}.flag-icon-pk.flag-icon-squared{background-image:url(../flags/1x1/pk.svg)}.flag-icon-pl{background-image:url(../flags/4x3/pl.svg)}.flag-icon-pl.flag-icon-squared{background-image:url(../flags/1x1/pl.svg)}.flag-icon-pm{background-image:url(../flags/4x3/pm.svg)}.flag-icon-pm.flag-icon-squared{background-image:url(../flags/1x1/pm.svg)}.flag-icon-pn{background-image:url(../flags/4x3/pn.svg)}.flag-icon-pn.flag-icon-squared{background-image:url(../flags/1x1/pn.svg)}.flag-icon-pr{background-image:url(../flags/4x3/pr.svg)}.flag-icon-pr.flag-icon-squared{background-image:url(../flags/1x1/pr.svg)}.flag-icon-ps{background-image:url(../flags/4x3/ps.svg)}.flag-icon-ps.flag-icon-squared{background-image:url(../flags/1x1/ps.svg)}.flag-icon-pt{background-image:url(../flags/4x3/pt.svg)}.flag-icon-pt.flag-icon-squared{background-image:url(../flags/1x1/pt.svg)}.flag-icon-pw{background-image:url(../flags/4x3/pw.svg)}.flag-icon-pw.flag-icon-squared{background-image:url(../flags/1x1/pw.svg)}.flag-icon-py{background-image:url(../flags/4x3/py.svg)}.flag-icon-py.flag-icon-squared{background-image:url(../flags/1x1/py.svg)}.flag-icon-qa{background-image:url(../flags/4x3/qa.svg)}.flag-icon-qa.flag-icon-squared{background-image:url(../flags/1x1/qa.svg)}.flag-icon-re{background-image:url(../flags/4x3/re.svg)}.flag-icon-re.flag-icon-squared{background-image:url(../flags/1x1/re.svg)}.flag-icon-ro{background-image:url(../flags/4x3/ro.svg)}.flag-icon-ro.flag-icon-squared{background-image:url(../flags/1x1/ro.svg)}.flag-icon-rs{background-image:url(../flags/4x3/rs.svg)}.flag-icon-rs.flag-icon-squared{background-image:url(../flags/1x1/rs.svg)}.flag-icon-ru{background-image:url(../flags/4x3/ru.svg)}.flag-icon-ru.flag-icon-squared{background-image:url(../flags/1x1/ru.svg)}.flag-icon-rw{background-image:url(../flags/4x3/rw.svg)}.flag-icon-rw.flag-icon-squared{background-image:url(../flags/1x1/rw.svg)}.flag-icon-sa{background-image:url(../flags/4x3/sa.svg)}.flag-icon-sa.flag-icon-squared{background-image:url(../flags/1x1/sa.svg)}.flag-icon-sb{background-image:url(../flags/4x3/sb.svg)}.flag-icon-sb.flag-icon-squared{background-image:url(../flags/1x1/sb.svg)}.flag-icon-sc{background-image:url(../flags/4x3/sc.svg)}.flag-icon-sc.flag-icon-squared{background-image:url(../flags/1x1/sc.svg)}.flag-icon-sd{background-image:url(../flags/4x3/sd.svg)}.flag-icon-sd.flag-icon-squared{background-image:url(../flags/1x1/sd.svg)}.flag-icon-se{background-image:url(../flags/4x3/se.svg)}.flag-icon-se.flag-icon-squared{background-image:url(../flags/1x1/se.svg)}.flag-icon-sg{background-image:url(../flags/4x3/sg.svg)}.flag-icon-sg.flag-icon-squared{background-image:url(../flags/1x1/sg.svg)}.flag-icon-sh{background-image:url(../flags/4x3/sh.svg)}.flag-icon-sh.flag-icon-squared{background-image:url(../flags/1x1/sh.svg)}.flag-icon-si{background-image:url(../flags/4x3/si.svg)}.flag-icon-si.flag-icon-squared{background-image:url(../flags/1x1/si.svg)}.flag-icon-sj{background-image:url(../flags/4x3/sj.svg)}.flag-icon-sj.flag-icon-squared{background-image:url(../flags/1x1/sj.svg)}.flag-icon-sk{background-image:url(../flags/4x3/sk.svg)}.flag-icon-sk.flag-icon-squared{background-image:url(../flags/1x1/sk.svg)}.flag-icon-sl{background-image:url(../flags/4x3/sl.svg)}.flag-icon-sl.flag-icon-squared{background-image:url(../flags/1x1/sl.svg)}.flag-icon-sm{background-image:url(../flags/4x3/sm.svg)}.flag-icon-sm.flag-icon-squared{background-image:url(../flags/1x1/sm.svg)}.flag-icon-sn{background-image:url(../flags/4x3/sn.svg)}.flag-icon-sn.flag-icon-squared{background-image:url(../flags/1x1/sn.svg)}.flag-icon-so{background-image:url(../flags/4x3/so.svg)}.flag-icon-so.flag-icon-squared{background-image:url(../flags/1x1/so.svg)}.flag-icon-sr{background-image:url(../flags/4x3/sr.svg)}.flag-icon-sr.flag-icon-squared{background-image:url(../flags/1x1/sr.svg)}.flag-icon-ss{background-image:url(../flags/4x3/ss.svg)}.flag-icon-ss.flag-icon-squared{background-image:url(../flags/1x1/ss.svg)}.flag-icon-st{background-image:url(../flags/4x3/st.svg)}.flag-icon-st.flag-icon-squared{background-image:url(../flags/1x1/st.svg)}.flag-icon-sv{background-image:url(../flags/4x3/sv.svg)}.flag-icon-sv.flag-icon-squared{background-image:url(../flags/1x1/sv.svg)}.flag-icon-sx{background-image:url(../flags/4x3/sx.svg)}.flag-icon-sx.flag-icon-squared{background-image:url(../flags/1x1/sx.svg)}.flag-icon-sy{background-image:url(../flags/4x3/sy.svg)}.flag-icon-sy.flag-icon-squared{background-image:url(../flags/1x1/sy.svg)}.flag-icon-sz{background-image:url(../flags/4x3/sz.svg)}.flag-icon-sz.flag-icon-squared{background-image:url(../flags/1x1/sz.svg)}.flag-icon-tc{background-image:url(../flags/4x3/tc.svg)}.flag-icon-tc.flag-icon-squared{background-image:url(../flags/1x1/tc.svg)}.flag-icon-td{background-image:url(../flags/4x3/td.svg)}.flag-icon-td.flag-icon-squared{background-image:url(../flags/1x1/td.svg)}.flag-icon-tf{background-image:url(../flags/4x3/tf.svg)}.flag-icon-tf.flag-icon-squared{background-image:url(../flags/1x1/tf.svg)}.flag-icon-tg{background-image:url(../flags/4x3/tg.svg)}.flag-icon-tg.flag-icon-squared{background-image:url(../flags/1x1/tg.svg)}.flag-icon-th{background-image:url(../flags/4x3/th.svg)}.flag-icon-th.flag-icon-squared{background-image:url(../flags/1x1/th.svg)}.flag-icon-tj{background-image:url(../flags/4x3/tj.svg)}.flag-icon-tj.flag-icon-squared{background-image:url(../flags/1x1/tj.svg)}.flag-icon-tk{background-image:url(../flags/4x3/tk.svg)}.flag-icon-tk.flag-icon-squared{background-image:url(../flags/1x1/tk.svg)}.flag-icon-tl{background-image:url(../flags/4x3/tl.svg)}.flag-icon-tl.flag-icon-squared{background-image:url(../flags/1x1/tl.svg)}.flag-icon-tm{background-image:url(../flags/4x3/tm.svg)}.flag-icon-tm.flag-icon-squared{background-image:url(../flags/1x1/tm.svg)}.flag-icon-tn{background-image:url(../flags/4x3/tn.svg)}.flag-icon-tn.flag-icon-squared{background-image:url(../flags/1x1/tn.svg)}.flag-icon-to{background-image:url(../flags/4x3/to.svg)}.flag-icon-to.flag-icon-squared{background-image:url(../flags/1x1/to.svg)}.flag-icon-tr{background-image:url(../flags/4x3/tr.svg)}.flag-icon-tr.flag-icon-squared{background-image:url(../flags/1x1/tr.svg)}.flag-icon-tt{background-image:url(../flags/4x3/tt.svg)}.flag-icon-tt.flag-icon-squared{background-image:url(../flags/1x1/tt.svg)}.flag-icon-tv{background-image:url(../flags/4x3/tv.svg)}.flag-icon-tv.flag-icon-squared{background-image:url(../flags/1x1/tv.svg)}.flag-icon-tw{background-image:url(../flags/4x3/tw.svg)}.flag-icon-tw.flag-icon-squared{background-image:url(../flags/1x1/tw.svg)}.flag-icon-tz{background-image:url(../flags/4x3/tz.svg)}.flag-icon-tz.flag-icon-squared{background-image:url(../flags/1x1/tz.svg)}.flag-icon-ua{background-image:url(../flags/4x3/ua.svg)}.flag-icon-ua.flag-icon-squared{background-image:url(../flags/1x1/ua.svg)}.flag-icon-ug{background-image:url(../flags/4x3/ug.svg)}.flag-icon-ug.flag-icon-squared{background-image:url(../flags/1x1/ug.svg)}.flag-icon-um{background-image:url(../flags/4x3/um.svg)}.flag-icon-um.flag-icon-squared{background-image:url(../flags/1x1/um.svg)}.flag-icon-us{background-image:url(../flags/4x3/us.svg)}.flag-icon-us.flag-icon-squared{background-image:url(../flags/1x1/us.svg)}.flag-icon-uy{background-image:url(../flags/4x3/uy.svg)}.flag-icon-uy.flag-icon-squared{background-image:url(../flags/1x1/uy.svg)}.flag-icon-uz{background-image:url(../flags/4x3/uz.svg)}.flag-icon-uz.flag-icon-squared{background-image:url(../flags/1x1/uz.svg)}.flag-icon-va{background-image:url(../flags/4x3/va.svg)}.flag-icon-va.flag-icon-squared{background-image:url(../flags/1x1/va.svg)}.flag-icon-vc{background-image:url(../flags/4x3/vc.svg)}.flag-icon-vc.flag-icon-squared{background-image:url(../flags/1x1/vc.svg)}.flag-icon-ve{background-image:url(../flags/4x3/ve.svg)}.flag-icon-ve.flag-icon-squared{background-image:url(../flags/1x1/ve.svg)}.flag-icon-vg{background-image:url(../flags/4x3/vg.svg)}.flag-icon-vg.flag-icon-squared{background-image:url(../flags/1x1/vg.svg)}.flag-icon-vi{background-image:url(../flags/4x3/vi.svg)}.flag-icon-vi.flag-icon-squared{background-image:url(../flags/1x1/vi.svg)}.flag-icon-vn{background-image:url(../flags/4x3/vn.svg)}.flag-icon-vn.flag-icon-squared{background-image:url(../flags/1x1/vn.svg)}.flag-icon-vu{background-image:url(../flags/4x3/vu.svg)}.flag-icon-vu.flag-icon-squared{background-image:url(../flags/1x1/vu.svg)}.flag-icon-wf{background-image:url(../flags/4x3/wf.svg)}.flag-icon-wf.flag-icon-squared{background-image:url(../flags/1x1/wf.svg)}.flag-icon-ws{background-image:url(../flags/4x3/ws.svg)}.flag-icon-ws.flag-icon-squared{background-image:url(../flags/1x1/ws.svg)}.flag-icon-ye{background-image:url(../flags/4x3/ye.svg)}.flag-icon-ye.flag-icon-squared{background-image:url(../flags/1x1/ye.svg)}.flag-icon-yt{background-image:url(../flags/4x3/yt.svg)}.flag-icon-yt.flag-icon-squared{background-image:url(../flags/1x1/yt.svg)}.flag-icon-za{background-image:url(../flags/4x3/za.svg)}.flag-icon-za.flag-icon-squared{background-image:url(../flags/1x1/za.svg)}.flag-icon-zm{background-image:url(../flags/4x3/zm.svg)}.flag-icon-zm.flag-icon-squared{background-image:url(../flags/1x1/zm.svg)}.flag-icon-zw{background-image:url(../flags/4x3/zw.svg)}.flag-icon-zw.flag-icon-squared{background-image:url(../flags/1x1/zw.svg)}.flag-icon-es-ct{background-image:url(../flags/4x3/es-ct.svg)}.flag-icon-es-ct.flag-icon-squared{background-image:url(../flags/1x1/es-ct.svg)}.flag-icon-es-ga{background-image:url(../flags/4x3/es-ga.svg)}.flag-icon-es-ga.flag-icon-squared{background-image:url(../flags/1x1/es-ga.svg)}.flag-icon-eu{background-image:url(../flags/4x3/eu.svg)}.flag-icon-eu.flag-icon-squared{background-image:url(../flags/1x1/eu.svg)}.flag-icon-gb-eng{background-image:url(../flags/4x3/gb-eng.svg)}.flag-icon-gb-eng.flag-icon-squared{background-image:url(../flags/1x1/gb-eng.svg)}.flag-icon-gb-nir{background-image:url(../flags/4x3/gb-nir.svg)}.flag-icon-gb-nir.flag-icon-squared{background-image:url(../flags/1x1/gb-nir.svg)}.flag-icon-gb-sct{background-image:url(../flags/4x3/gb-sct.svg)}.flag-icon-gb-sct.flag-icon-squared{background-image:url(../flags/1x1/gb-sct.svg)}.flag-icon-gb-wls{background-image:url(../flags/4x3/gb-wls.svg)}.flag-icon-gb-wls.flag-icon-squared{background-image:url(../flags/1x1/gb-wls.svg)}.flag-icon-un{background-image:url(../flags/4x3/un.svg)}.flag-icon-un.flag-icon-squared{background-image:url(../flags/1x1/un.svg)}.flag-icon-xk{background-image:url(../flags/4x3/xk.svg)}.flag-icon-xk.flag-icon-squared{background-image:url(../flags/1x1/xk.svg)}
+.flag-icon-background{background-size:contain;background-position:50%;background-repeat:no-repeat}.flag-icon{background-size:contain;background-position:50%;background-repeat:no-repeat;position:relative;display:inline-block;width:1.33333333em;line-height:1em}.flag-icon:before{content:'\00a0'}.flag-icon.flag-icon-squared{width:1em}.flag-icon-ad{background-image:url(/css/flags/4x3/ad.svg)}.flag-icon-ad.flag-icon-squared{background-image:url(/css/flags/1x1/ad.svg)}.flag-icon-ae{background-image:url(/css/flags/4x3/ae.svg)}.flag-icon-ae.flag-icon-squared{background-image:url(/css/flags/1x1/ae.svg)}.flag-icon-af{background-image:url(/css/flags/4x3/af.svg)}.flag-icon-af.flag-icon-squared{background-image:url(/css/flags/1x1/af.svg)}.flag-icon-ag{background-image:url(/css/flags/4x3/ag.svg)}.flag-icon-ag.flag-icon-squared{background-image:url(/css/flags/1x1/ag.svg)}.flag-icon-ai{background-image:url(/css/flags/4x3/ai.svg)}.flag-icon-ai.flag-icon-squared{background-image:url(/css/flags/1x1/ai.svg)}.flag-icon-al{background-image:url(/css/flags/4x3/al.svg)}.flag-icon-al.flag-icon-squared{background-image:url(/css/flags/1x1/al.svg)}.flag-icon-am{background-image:url(/css/flags/4x3/am.svg)}.flag-icon-am.flag-icon-squared{background-image:url(/css/flags/1x1/am.svg)}.flag-icon-ao{background-image:url(/css/flags/4x3/ao.svg)}.flag-icon-ao.flag-icon-squared{background-image:url(/css/flags/1x1/ao.svg)}.flag-icon-aq{background-image:url(/css/flags/4x3/aq.svg)}.flag-icon-aq.flag-icon-squared{background-image:url(/css/flags/1x1/aq.svg)}.flag-icon-ar{background-image:url(/css/flags/4x3/ar.svg)}.flag-icon-ar.flag-icon-squared{background-image:url(/css/flags/1x1/ar.svg)}.flag-icon-as{background-image:url(/css/flags/4x3/as.svg)}.flag-icon-as.flag-icon-squared{background-image:url(/css/flags/1x1/as.svg)}.flag-icon-at{background-image:url(/css/flags/4x3/at.svg)}.flag-icon-at.flag-icon-squared{background-image:url(/css/flags/1x1/at.svg)}.flag-icon-au{background-image:url(/css/flags/4x3/au.svg)}.flag-icon-au.flag-icon-squared{background-image:url(/css/flags/1x1/au.svg)}.flag-icon-aw{background-image:url(/css/flags/4x3/aw.svg)}.flag-icon-aw.flag-icon-squared{background-image:url(/css/flags/1x1/aw.svg)}.flag-icon-ax{background-image:url(/css/flags/4x3/ax.svg)}.flag-icon-ax.flag-icon-squared{background-image:url(/css/flags/1x1/ax.svg)}.flag-icon-az{background-image:url(/css/flags/4x3/az.svg)}.flag-icon-az.flag-icon-squared{background-image:url(/css/flags/1x1/az.svg)}.flag-icon-ba{background-image:url(/css/flags/4x3/ba.svg)}.flag-icon-ba.flag-icon-squared{background-image:url(/css/flags/1x1/ba.svg)}.flag-icon-bb{background-image:url(/css/flags/4x3/bb.svg)}.flag-icon-bb.flag-icon-squared{background-image:url(/css/flags/1x1/bb.svg)}.flag-icon-bd{background-image:url(/css/flags/4x3/bd.svg)}.flag-icon-bd.flag-icon-squared{background-image:url(/css/flags/1x1/bd.svg)}.flag-icon-be{background-image:url(/css/flags/4x3/be.svg)}.flag-icon-be.flag-icon-squared{background-image:url(/css/flags/1x1/be.svg)}.flag-icon-bf{background-image:url(/css/flags/4x3/bf.svg)}.flag-icon-bf.flag-icon-squared{background-image:url(/css/flags/1x1/bf.svg)}.flag-icon-bg{background-image:url(/css/flags/4x3/bg.svg)}.flag-icon-bg.flag-icon-squared{background-image:url(/css/flags/1x1/bg.svg)}.flag-icon-bh{background-image:url(/css/flags/4x3/bh.svg)}.flag-icon-bh.flag-icon-squared{background-image:url(/css/flags/1x1/bh.svg)}.flag-icon-bi{background-image:url(/css/flags/4x3/bi.svg)}.flag-icon-bi.flag-icon-squared{background-image:url(/css/flags/1x1/bi.svg)}.flag-icon-bj{background-image:url(/css/flags/4x3/bj.svg)}.flag-icon-bj.flag-icon-squared{background-image:url(/css/flags/1x1/bj.svg)}.flag-icon-bl{background-image:url(/css/flags/4x3/bl.svg)}.flag-icon-bl.flag-icon-squared{background-image:url(/css/flags/1x1/bl.svg)}.flag-icon-bm{background-image:url(/css/flags/4x3/bm.svg)}.flag-icon-bm.flag-icon-squared{background-image:url(/css/flags/1x1/bm.svg)}.flag-icon-bn{background-image:url(/css/flags/4x3/bn.svg)}.flag-icon-bn.flag-icon-squared{background-image:url(/css/flags/1x1/bn.svg)}.flag-icon-bo{background-image:url(/css/flags/4x3/bo.svg)}.flag-icon-bo.flag-icon-squared{background-image:url(/css/flags/1x1/bo.svg)}.flag-icon-bq{background-image:url(/css/flags/4x3/bq.svg)}.flag-icon-bq.flag-icon-squared{background-image:url(/css/flags/1x1/bq.svg)}.flag-icon-br{background-image:url(/css/flags/4x3/br.svg)}.flag-icon-br.flag-icon-squared{background-image:url(/css/flags/1x1/br.svg)}.flag-icon-bs{background-image:url(/css/flags/4x3/bs.svg)}.flag-icon-bs.flag-icon-squared{background-image:url(/css/flags/1x1/bs.svg)}.flag-icon-bt{background-image:url(/css/flags/4x3/bt.svg)}.flag-icon-bt.flag-icon-squared{background-image:url(/css/flags/1x1/bt.svg)}.flag-icon-bv{background-image:url(/css/flags/4x3/bv.svg)}.flag-icon-bv.flag-icon-squared{background-image:url(/css/flags/1x1/bv.svg)}.flag-icon-bw{background-image:url(/css/flags/4x3/bw.svg)}.flag-icon-bw.flag-icon-squared{background-image:url(/css/flags/1x1/bw.svg)}.flag-icon-by{background-image:url(/css/flags/4x3/by.svg)}.flag-icon-by.flag-icon-squared{background-image:url(/css/flags/1x1/by.svg)}.flag-icon-bz{background-image:url(/css/flags/4x3/bz.svg)}.flag-icon-bz.flag-icon-squared{background-image:url(/css/flags/1x1/bz.svg)}.flag-icon-ca{background-image:url(/css/flags/4x3/ca.svg)}.flag-icon-ca.flag-icon-squared{background-image:url(/css/flags/1x1/ca.svg)}.flag-icon-cc{background-image:url(/css/flags/4x3/cc.svg)}.flag-icon-cc.flag-icon-squared{background-image:url(/css/flags/1x1/cc.svg)}.flag-icon-cd{background-image:url(/css/flags/4x3/cd.svg)}.flag-icon-cd.flag-icon-squared{background-image:url(/css/flags/1x1/cd.svg)}.flag-icon-cf{background-image:url(/css/flags/4x3/cf.svg)}.flag-icon-cf.flag-icon-squared{background-image:url(/css/flags/1x1/cf.svg)}.flag-icon-cg{background-image:url(/css/flags/4x3/cg.svg)}.flag-icon-cg.flag-icon-squared{background-image:url(/css/flags/1x1/cg.svg)}.flag-icon-ch{background-image:url(/css/flags/4x3/ch.svg)}.flag-icon-ch.flag-icon-squared{background-image:url(/css/flags/1x1/ch.svg)}.flag-icon-ci{background-image:url(/css/flags/4x3/ci.svg)}.flag-icon-ci.flag-icon-squared{background-image:url(/css/flags/1x1/ci.svg)}.flag-icon-ck{background-image:url(/css/flags/4x3/ck.svg)}.flag-icon-ck.flag-icon-squared{background-image:url(/css/flags/1x1/ck.svg)}.flag-icon-cl{background-image:url(/css/flags/4x3/cl.svg)}.flag-icon-cl.flag-icon-squared{background-image:url(/css/flags/1x1/cl.svg)}.flag-icon-cm{background-image:url(/css/flags/4x3/cm.svg)}.flag-icon-cm.flag-icon-squared{background-image:url(/css/flags/1x1/cm.svg)}.flag-icon-zh{background-image:url(/css/flags/4x3/zh.svg)}.flag-iconzh.flag-icon-squared{background-image:url(/css/flags/1x1/zh.svg)}.flag-icon-cn{background-image:url(/css/flags/4x3/cn.svg)}.flag-icon-cn.flag-icon-squared{background-image:url(/css/flags/1x1/cn.svg)}.flag-icon-co{background-image:url(/css/flags/4x3/co.svg)}.flag-icon-co.flag-icon-squared{background-image:url(/css/flags/1x1/co.svg)}.flag-icon-cr{background-image:url(/css/flags/4x3/cr.svg)}.flag-icon-cr.flag-icon-squared{background-image:url(/css/flags/1x1/cr.svg)}.flag-icon-cu{background-image:url(/css/flags/4x3/cu.svg)}.flag-icon-cu.flag-icon-squared{background-image:url(/css/flags/1x1/cu.svg)}.flag-icon-cv{background-image:url(/css/flags/4x3/cv.svg)}.flag-icon-cv.flag-icon-squared{background-image:url(/css/flags/1x1/cv.svg)}.flag-icon-cw{background-image:url(/css/flags/4x3/cw.svg)}.flag-icon-cw.flag-icon-squared{background-image:url(/css/flags/1x1/cw.svg)}.flag-icon-cx{background-image:url(/css/flags/4x3/cx.svg)}.flag-icon-cx.flag-icon-squared{background-image:url(/css/flags/1x1/cx.svg)}.flag-icon-cy{background-image:url(/css/flags/4x3/cy.svg)}.flag-icon-cy.flag-icon-squared{background-image:url(/css/flags/1x1/cy.svg)}.flag-icon-cz{background-image:url(/css/flags/4x3/cz.svg)}.flag-icon-cz.flag-icon-squared{background-image:url(/css/flags/1x1/cz.svg)}.flag-icon-cs{background-image:url(/css/flags/4x3/cs.svg)}.flag-icon-cs.flag-icon-squared{background-image:url(/css/flags/1x1/cs.svg)}.flag-icon-de{background-image:url(/css/flags/4x3/de.svg)}.flag-icon-de.flag-icon-squared{background-image:url(/css/flags/1x1/de.svg)}.flag-icon-dj{background-image:url(/css/flags/4x3/dj.svg)}.flag-icon-dj.flag-icon-squared{background-image:url(/css/flags/1x1/dj.svg)}.flag-icon-da{background-image:url(/css/flags/4x3/da.svg)}.flag-icon-da.flag-icon-squared{background-image:url(/css/flags/1x1/d.svg)}.flag-icon-dk{background-image:url(/css/flags/4x3/dk.svg)}.flag-icon-dk.flag-icon-squared{background-image:url(/css/flags/1x1/dk.svg)}.flag-icon-dm{background-image:url(/css/flags/4x3/dm.svg)}.flag-icon-dm.flag-icon-squared{background-image:url(/css/flags/1x1/dm.svg)}.flag-icon-do{background-image:url(/css/flags/4x3/do.svg)}.flag-icon-do.flag-icon-squared{background-image:url(/css/flags/1x1/do.svg)}.flag-icon-dz{background-image:url(/css/flags/4x3/dz.svg)}.flag-icon-dz.flag-icon-squared{background-image:url(/css/flags/1x1/dz.svg)}.flag-icon-ec{background-image:url(/css/flags/4x3/ec.svg)}.flag-icon-ec.flag-icon-squared{background-image:url(/css/flags/1x1/ec.svg)}.flag-icon-ee{background-image:url(/css/flags/4x3/ee.svg)}.flag-icon-ee.flag-icon-squared{background-image:url(/css/flags/1x1/ee.svg)}.flag-icon-eg{background-image:url(/css/flags/4x3/eg.svg)}.flag-icon-eg.flag-icon-squared{background-image:url(/css/flags/1x1/eg.svg)}.flag-icon-eh{background-image:url(/css/flags/4x3/eh.svg)}.flag-icon-eh.flag-icon-squared{background-image:url(/css/flags/1x1/eh.svg)}.flag-icon-er{background-image:url(/css/flags/4x3/er.svg)}.flag-icon-er.flag-icon-squared{background-image:url(/css/flags/1x1/er.svg)}.flag-icon-es{background-image:url(/css/flags/4x3/es.svg)}.flag-icon-es.flag-icon-squared{background-image:url(/css/flags/1x1/es.svg)}.flag-icon-et{background-image:url(/css/flags/4x3/et.svg)}.flag-icon-et.flag-icon-squared{background-image:url(/css/flags/1x1/et.svg)}.flag-icon-fi{background-image:url(/css/flags/4x3/fi.svg)}.flag-icon-fi.flag-icon-squared{background-image:url(/css/flags/1x1/fi.svg)}.flag-icon-fj{background-image:url(/css/flags/4x3/fj.svg)}.flag-icon-fj.flag-icon-squared{background-image:url(/css/flags/1x1/fj.svg)}.flag-icon-fk{background-image:url(/css/flags/4x3/fk.svg)}.flag-icon-fk.flag-icon-squared{background-image:url(/css/flags/1x1/fk.svg)}.flag-icon-fm{background-image:url(/css/flags/4x3/fm.svg)}.flag-icon-fm.flag-icon-squared{background-image:url(/css/flags/1x1/fm.svg)}.flag-icon-fo{background-image:url(/css/flags/4x3/fo.svg)}.flag-icon-fo.flag-icon-squared{background-image:url(/css/flags/1x1/fo.svg)}.flag-icon-fr{background-image:url(/css/flags/4x3/fr.svg)}.flag-icon-fr.flag-icon-squared{background-image:url(/css/flags/1x1/fr.svg)}.flag-icon-ga{background-image:url(/css/flags/4x3/ga.svg)}.flag-icon-ga.flag-icon-squared{background-image:url(/css/flags/1x1/ga.svg)}.flag-icon-gb{background-image:url(/css/flags/4x3/en.svg)}.flag-icon-gb.flag-icon-squared{background-image:url(/css/flags/1x1/en.svg)}.flag-icon-gd{background-image:url(/css/flags/4x3/gd.svg)}.flag-icon-gd.flag-icon-squared{background-image:url(/css/flags/1x1/gd.svg)}.flag-icon-ge{background-image:url(/css/flags/4x3/ge.svg)}.flag-icon-ge.flag-icon-squared{background-image:url(/css/flags/1x1/ge.svg)}.flag-icon-gf{background-image:url(/css/flags/4x3/gf.svg)}.flag-icon-gf.flag-icon-squared{background-image:url(/css/flags/1x1/gf.svg)}.flag-icon-gg{background-image:url(/css/flags/4x3/gg.svg)}.flag-icon-gg.flag-icon-squared{background-image:url(/css/flags/1x1/gg.svg)}.flag-icon-gh{background-image:url(/css/flags/4x3/gh.svg)}.flag-icon-gh.flag-icon-squared{background-image:url(/css/flags/1x1/gh.svg)}.flag-icon-gi{background-image:url(/css/flags/4x3/gi.svg)}.flag-icon-gi.flag-icon-squared{background-image:url(/css/flags/1x1/gi.svg)}.flag-icon-gl{background-image:url(/css/flags/4x3/gl.svg)}.flag-icon-gl.flag-icon-squared{background-image:url(/css/flags/1x1/gl.svg)}.flag-icon-gm{background-image:url(/css/flags/4x3/gm.svg)}.flag-icon-gm.flag-icon-squared{background-image:url(/css/flags/1x1/gm.svg)}.flag-icon-gn{background-image:url(/css/flags/4x3/gn.svg)}.flag-icon-gn.flag-icon-squared{background-image:url(/css/flags/1x1/gn.svg)}.flag-icon-gp{background-image:url(/css/flags/4x3/gp.svg)}.flag-icon-gp.flag-icon-squared{background-image:url(/css/flags/1x1/gp.svg)}.flag-icon-gq{background-image:url(/css/flags/4x3/gq.svg)}.flag-icon-gq.flag-icon-squared{background-image:url(/css/flags/1x1/gq.svg)}.flag-icon-gr{background-image:url(/css/flags/4x3/gr.svg)}.flag-icon-gr.flag-icon-squared{background-image:url(/css/flags/1x1/gr.svg)}.flag-icon-gs{background-image:url(/css/flags/4x3/gs.svg)}.flag-icon-gs.flag-icon-squared{background-image:url(/css/flags/1x1/gs.svg)}.flag-icon-gt{background-image:url(/css/flags/4x3/gt.svg)}.flag-icon-gt.flag-icon-squared{background-image:url(/css/flags/1x1/gt.svg)}.flag-icon-gu{background-image:url(/css/flags/4x3/gu.svg)}.flag-icon-gu.flag-icon-squared{background-image:url(/css/flags/1x1/gu.svg)}.flag-icon-gw{background-image:url(/css/flags/4x3/gw.svg)}.flag-icon-gw.flag-icon-squared{background-image:url(/css/flags/1x1/gw.svg)}.flag-icon-gy{background-image:url(/css/flags/4x3/gy.svg)}.flag-icon-gy.flag-icon-squared{background-image:url(/css/flags/1x1/gy.svg)}.flag-icon-hk{background-image:url(/css/flags/4x3/hk.svg)}.flag-icon-hk.flag-icon-squared{background-image:url(/css/flags/1x1/hk.svg)}.flag-icon-hm{background-image:url(/css/flags/4x3/hm.svg)}.flag-icon-hm.flag-icon-squared{background-image:url(/css/flags/1x1/hm.svg)}.flag-icon-hn{background-image:url(/css/flags/4x3/hn.svg)}.flag-icon-hn.flag-icon-squared{background-image:url(/css/flags/1x1/hn.svg)}.flag-icon-hr{background-image:url(/css/flags/4x3/hr.svg)}.flag-icon-hr.flag-icon-squared{background-image:url(/css/flags/1x1/hr.svg)}.flag-icon-ht{background-image:url(/css/flags/4x3/ht.svg)}.flag-icon-ht.flag-icon-squared{background-image:url(/css/flags/1x1/ht.svg)}.flag-icon-hu{background-image:url(/css/flags/4x3/hu.svg)}.flag-icon-hu.flag-icon-squared{background-image:url(/css/flags/1x1/hu.svg)}.flag-icon-id{background-image:url(/css/flags/4x3/id.svg)}.flag-icon-id.flag-icon-squared{background-image:url(/css/flags/1x1/id.svg)}.flag-icon-ie{background-image:url(/css/flags/4x3/ie.svg)}.flag-icon-ie.flag-icon-squared{background-image:url(/css/flags/1x1/ie.svg)}.flag-icon-il{background-image:url(/css/flags/4x3/il.svg)}.flag-icon-il.flag-icon-squared{background-image:url(/css/flags/1x1/il.svg)}.flag-icon-im{background-image:url(/css/flags/4x3/im.svg)}.flag-icon-im.flag-icon-squared{background-image:url(/css/flags/1x1/im.svg)}.flag-icon-in{background-image:url(/css/flags/4x3/in.svg)}.flag-icon-in.flag-icon-squared{background-image:url(/css/flags/1x1/in.svg)}.flag-icon-io{background-image:url(/css/flags/4x3/io.svg)}.flag-icon-io.flag-icon-squared{background-image:url(/css/flags/1x1/io.svg)}.flag-icon-iq{background-image:url(/css/flags/4x3/iq.svg)}.flag-icon-iq.flag-icon-squared{background-image:url(/css/flags/1x1/iq.svg)}.flag-icon-ir{background-image:url(/css/flags/4x3/ir.svg)}.flag-icon-ir.flag-icon-squared{background-image:url(/css/flags/1x1/ir.svg)}.flag-icon-is{background-image:url(/css/flags/4x3/is.svg)}.flag-icon-is.flag-icon-squared{background-image:url(/css/flags/1x1/is.svg)}.flag-icon-it{background-image:url(/css/flags/4x3/it.svg)}.flag-icon-it.flag-icon-squared{background-image:url(/css/flags/1x1/it.svg)}.flag-icon-je{background-image:url(/css/flags/4x3/je.svg)}.flag-icon-je.flag-icon-squared{background-image:url(/css/flags/1x1/je.svg)}.flag-icon-jm{background-image:url(/css/flags/4x3/jm.svg)}.flag-icon-jm.flag-icon-squared{background-image:url(/css/flags/1x1/jm.svg)}.flag-icon-jo{background-image:url(/css/flags/4x3/jo.svg)}.flag-icon-jo.flag-icon-squared{background-image:url(/css/flags/1x1/jo.svg)}.flag-icon-jp{background-image:url(/css/flags/4x3/jp.svg)}.flag-icon-jp.flag-icon-squared{background-image:url(/css/flags/1x1/jp.svg)}.flag-icon-ke{background-image:url(/css/flags/4x3/ke.svg)}.flag-icon-ke.flag-icon-squared{background-image:url(/css/flags/1x1/ke.svg)}.flag-icon-kg{background-image:url(/css/flags/4x3/kg.svg)}.flag-icon-kg.flag-icon-squared{background-image:url(/css/flags/1x1/kg.svg)}.flag-icon-kh{background-image:url(/css/flags/4x3/kh.svg)}.flag-icon-kh.flag-icon-squared{background-image:url(/css/flags/1x1/kh.svg)}.flag-icon-ki{background-image:url(/css/flags/4x3/ki.svg)}.flag-icon-ki.flag-icon-squared{background-image:url(/css/flags/1x1/ki.svg)}.flag-icon-km{background-image:url(/css/flags/4x3/km.svg)}.flag-icon-km.flag-icon-squared{background-image:url(/css/flags/1x1/km.svg)}.flag-icon-kn{background-image:url(/css/flags/4x3/kn.svg)}.flag-icon-kn.flag-icon-squared{background-image:url(/css/flags/1x1/kn.svg)}.flag-icon-kp{background-image:url(/css/flags/4x3/kp.svg)}.flag-icon-kp.flag-icon-squared{background-image:url(/css/flags/1x1/kp.svg)}.flag-icon-ko{background-image:url(/css/flags/4x3/ko.svg)}.flag-icon-ko.flag-icon-squared{background-image:url(/css/flags/1x1/ko.svg)}.flag-icon-kr{background-image:url(/css/flags/4x3/kr.svg)}.flag-icon-kr.flag-icon-squared{background-image:url(/css/flags/1x1/kr.svg)}.flag-icon-kw{background-image:url(/css/flags/4x3/kw.svg)}.flag-icon-kw.flag-icon-squared{background-image:url(/css/flags/1x1/kw.svg)}.flag-icon-ky{background-image:url(/css/flags/4x3/ky.svg)}.flag-icon-ky.flag-icon-squared{background-image:url(/css/flags/1x1/ky.svg)}.flag-icon-kz{background-image:url(/css/flags/4x3/kz.svg)}.flag-icon-kz.flag-icon-squared{background-image:url(/css/flags/1x1/kz.svg)}.flag-icon-la{background-image:url(/css/flags/4x3/la.svg)}.flag-icon-la.flag-icon-squared{background-image:url(/css/flags/1x1/la.svg)}.flag-icon-lb{background-image:url(/css/flags/4x3/lb.svg)}.flag-icon-lb.flag-icon-squared{background-image:url(/css/flags/1x1/lb.svg)}.flag-icon-lc{background-image:url(/css/flags/4x3/lc.svg)}.flag-icon-lc.flag-icon-squared{background-image:url(/css/flags/1x1/lc.svg)}.flag-icon-li{background-image:url(/css/flags/4x3/li.svg)}.flag-icon-li.flag-icon-squared{background-image:url(/css/flags/1x1/li.svg)}.flag-icon-lk{background-image:url(/css/flags/4x3/lk.svg)}.flag-icon-lk.flag-icon-squared{background-image:url(/css/flags/1x1/lk.svg)}.flag-icon-lr{background-image:url(/css/flags/4x3/lr.svg)}.flag-icon-lr.flag-icon-squared{background-image:url(/css/flags/1x1/lr.svg)}.flag-icon-ls{background-image:url(/css/flags/4x3/ls.svg)}.flag-icon-ls.flag-icon-squared{background-image:url(/css/flags/1x1/ls.svg)}.flag-icon-lt{background-image:url(/css/flags/4x3/lt.svg)}.flag-icon-lt.flag-icon-squared{background-image:url(/css/flags/1x1/lt.svg)}.flag-icon-lu{background-image:url(/css/flags/4x3/lu.svg)}.flag-icon-lu.flag-icon-squared{background-image:url(/css/flags/1x1/lu.svg)}.flag-icon-lv{background-image:url(/css/flags/4x3/lv.svg)}.flag-icon-lv.flag-icon-squared{background-image:url(/css/flags/1x1/lv.svg)}.flag-icon-ly{background-image:url(/css/flags/4x3/ly.svg)}.flag-icon-ly.flag-icon-squared{background-image:url(/css/flags/1x1/ly.svg)}.flag-icon-ma{background-image:url(/css/flags/4x3/ma.svg)}.flag-icon-ma.flag-icon-squared{background-image:url(/css/flags/1x1/ma.svg)}.flag-icon-mc{background-image:url(/css/flags/4x3/mc.svg)}.flag-icon-mc.flag-icon-squared{background-image:url(/css/flags/1x1/mc.svg)}.flag-icon-md{background-image:url(/css/flags/4x3/md.svg)}.flag-icon-md.flag-icon-squared{background-image:url(/css/flags/1x1/md.svg)}.flag-icon-me{background-image:url(/css/flags/4x3/me.svg)}.flag-icon-me.flag-icon-squared{background-image:url(/css/flags/1x1/me.svg)}.flag-icon-mf{background-image:url(/css/flags/4x3/mf.svg)}.flag-icon-mf.flag-icon-squared{background-image:url(/css/flags/1x1/mf.svg)}.flag-icon-mg{background-image:url(/css/flags/4x3/mg.svg)}.flag-icon-mg.flag-icon-squared{background-image:url(/css/flags/1x1/mg.svg)}.flag-icon-mh{background-image:url(/css/flags/4x3/mh.svg)}.flag-icon-mh.flag-icon-squared{background-image:url(/css/flags/1x1/mh.svg)}.flag-icon-mk{background-image:url(/css/flags/4x3/mk.svg)}.flag-icon-mk.flag-icon-squared{background-image:url(/css/flags/1x1/mk.svg)}.flag-icon-ml{background-image:url(/css/flags/4x3/ml.svg)}.flag-icon-ml.flag-icon-squared{background-image:url(/css/flags/1x1/ml.svg)}.flag-icon-mm{background-image:url(/css/flags/4x3/mm.svg)}.flag-icon-mm.flag-icon-squared{background-image:url(/css/flags/1x1/mm.svg)}.flag-icon-mn{background-image:url(/css/flags/4x3/mn.svg)}.flag-icon-mn.flag-icon-squared{background-image:url(/css/flags/1x1/mn.svg)}.flag-icon-mo{background-image:url(/css/flags/4x3/mo.svg)}.flag-icon-mo.flag-icon-squared{background-image:url(/css/flags/1x1/mo.svg)}.flag-icon-mp{background-image:url(/css/flags/4x3/mp.svg)}.flag-icon-mp.flag-icon-squared{background-image:url(/css/flags/1x1/mp.svg)}.flag-icon-mq{background-image:url(/css/flags/4x3/mq.svg)}.flag-icon-mq.flag-icon-squared{background-image:url(/css/flags/1x1/mq.svg)}.flag-icon-mr{background-image:url(/css/flags/4x3/mr.svg)}.flag-icon-mr.flag-icon-squared{background-image:url(/css/flags/1x1/mr.svg)}.flag-icon-ms{background-image:url(/css/flags/4x3/ms.svg)}.flag-icon-ms.flag-icon-squared{background-image:url(/css/flags/1x1/ms.svg)}.flag-icon-mt{background-image:url(/css/flags/4x3/mt.svg)}.flag-icon-mt.flag-icon-squared{background-image:url(/css/flags/1x1/mt.svg)}.flag-icon-mu{background-image:url(/css/flags/4x3/mu.svg)}.flag-icon-mu.flag-icon-squared{background-image:url(/css/flags/1x1/mu.svg)}.flag-icon-mv{background-image:url(/css/flags/4x3/mv.svg)}.flag-icon-mv.flag-icon-squared{background-image:url(/css/flags/1x1/mv.svg)}.flag-icon-mw{background-image:url(/css/flags/4x3/mw.svg)}.flag-icon-mw.flag-icon-squared{background-image:url(/css/flags/1x1/mw.svg)}.flag-icon-mx{background-image:url(/css/flags/4x3/mx.svg)}.flag-icon-mx.flag-icon-squared{background-image:url(/css/flags/1x1/mx.svg)}.flag-icon-my{background-image:url(/css/flags/4x3/my.svg)}.flag-icon-my.flag-icon-squared{background-image:url(/css/flags/1x1/my.svg)}.flag-icon-mz{background-image:url(/css/flags/4x3/mz.svg)}.flag-icon-mz.flag-icon-squared{background-image:url(/css/flags/1x1/mz.svg)}.flag-icon-na{background-image:url(/css/flags/4x3/na.svg)}.flag-icon-na.flag-icon-squared{background-image:url(/css/flags/1x1/na.svg)}.flag-icon-nc{background-image:url(/css/flags/4x3/nc.svg)}.flag-icon-nc.flag-icon-squared{background-image:url(/css/flags/1x1/nc.svg)}.flag-icon-ne{background-image:url(/css/flags/4x3/ne.svg)}.flag-icon-ne.flag-icon-squared{background-image:url(/css/flags/1x1/ne.svg)}.flag-icon-nf{background-image:url(/css/flags/4x3/nf.svg)}.flag-icon-nf.flag-icon-squared{background-image:url(/css/flags/1x1/nf.svg)}.flag-icon-ng{background-image:url(/css/flags/4x3/ng.svg)}.flag-icon-ng.flag-icon-squared{background-image:url(/css/flags/1x1/ng.svg)}.flag-icon-ni{background-image:url(/css/flags/4x3/ni.svg)}.flag-icon-ni.flag-icon-squared{background-image:url(/css/flags/1x1/ni.svg)}.flag-icon-nl{background-image:url(/css/flags/4x3/nl.svg)}.flag-icon-nl.flag-icon-squared{background-image:url(/css/flags/1x1/nl.svg)}.flag-icon-no{background-image:url(/css/flags/4x3/no.svg)}.flag-icon-no.flag-icon-squared{background-image:url(/css/flags/1x1/no.svg)}.flag-icon-np{background-image:url(/css/flags/4x3/np.svg)}.flag-icon-np.flag-icon-squared{background-image:url(/css/flags/1x1/np.svg)}.flag-icon-nr{background-image:url(/css/flags/4x3/nr.svg)}.flag-icon-nr.flag-icon-squared{background-image:url(/css/flags/1x1/nr.svg)}.flag-icon-nu{background-image:url(/css/flags/4x3/nu.svg)}.flag-icon-nu.flag-icon-squared{background-image:url(/css/flags/1x1/nu.svg)}.flag-icon-nz{background-image:url(/css/flags/4x3/nz.svg)}.flag-icon-nz.flag-icon-squared{background-image:url(/css/flags/1x1/nz.svg)}.flag-icon-om{background-image:url(/css/flags/4x3/om.svg)}.flag-icon-om.flag-icon-squared{background-image:url(/css/flags/1x1/om.svg)}.flag-icon-pa{background-image:url(/css/flags/4x3/pa.svg)}.flag-icon-pa.flag-icon-squared{background-image:url(/css/flags/1x1/pa.svg)}.flag-icon-pe{background-image:url(/css/flags/4x3/pe.svg)}.flag-icon-pe.flag-icon-squared{background-image:url(/css/flags/1x1/pe.svg)}.flag-icon-pf{background-image:url(/css/flags/4x3/pf.svg)}.flag-icon-pf.flag-icon-squared{background-image:url(/css/flags/1x1/pf.svg)}.flag-icon-pg{background-image:url(/css/flags/4x3/pg.svg)}.flag-icon-pg.flag-icon-squared{background-image:url(/css/flags/1x1/pg.svg)}.flag-icon-ph{background-image:url(/css/flags/4x3/ph.svg)}.flag-icon-ph.flag-icon-squared{background-image:url(/css/flags/1x1/ph.svg)}.flag-icon-pk{background-image:url(/css/flags/4x3/pk.svg)}.flag-icon-pk.flag-icon-squared{background-image:url(/css/flags/1x1/pk.svg)}.flag-icon-pl{background-image:url(/css/flags/4x3/pl.svg)}.flag-icon-pl.flag-icon-squared{background-image:url(/css/flags/1x1/pl.svg)}.flag-icon-pm{background-image:url(/css/flags/4x3/pm.svg)}.flag-icon-pm.flag-icon-squared{background-image:url(/css/flags/1x1/pm.svg)}.flag-icon-pn{background-image:url(/css/flags/4x3/pn.svg)}.flag-icon-pn.flag-icon-squared{background-image:url(/css/flags/1x1/pn.svg)}.flag-icon-pr{background-image:url(/css/flags/4x3/pr.svg)}.flag-icon-pr.flag-icon-squared{background-image:url(/css/flags/1x1/pr.svg)}.flag-icon-ps{background-image:url(/css/flags/4x3/ps.svg)}.flag-icon-ps.flag-icon-squared{background-image:url(/css/flags/1x1/ps.svg)}.flag-icon-pt{background-image:url(/css/flags/4x3/pt.svg)}.flag-icon-pt.flag-icon-squared{background-image:url(/css/flags/1x1/pt.svg)}.flag-icon-pw{background-image:url(/css/flags/4x3/pw.svg)}.flag-icon-pw.flag-icon-squared{background-image:url(/css/flags/1x1/pw.svg)}.flag-icon-py{background-image:url(/css/flags/4x3/py.svg)}.flag-icon-py.flag-icon-squared{background-image:url(/css/flags/1x1/py.svg)}.flag-icon-qa{background-image:url(/css/flags/4x3/qa.svg)}.flag-icon-qa.flag-icon-squared{background-image:url(/css/flags/1x1/qa.svg)}.flag-icon-re{background-image:url(/css/flags/4x3/re.svg)}.flag-icon-re.flag-icon-squared{background-image:url(/css/flags/1x1/re.svg)}.flag-icon-ro{background-image:url(/css/flags/4x3/ro.svg)}.flag-icon-ro.flag-icon-squared{background-image:url(/css/flags/1x1/ro.svg)}.flag-icon-rs{background-image:url(/css/flags/4x3/rs.svg)}.flag-icon-rs.flag-icon-squared{background-image:url(/css/flags/1x1/rs.svg)}.flag-icon-ru{background-image:url(/css/flags/4x3/ru.svg)}.flag-icon-ru.flag-icon-squared{background-image:url(/css/flags/1x1/ru.svg)}.flag-icon-rw{background-image:url(/css/flags/4x3/rw.svg)}.flag-icon-rw.flag-icon-squared{background-image:url(/css/flags/1x1/rw.svg)}.flag-icon-sa{background-image:url(/css/flags/4x3/sa.svg)}.flag-icon-sa.flag-icon-squared{background-image:url(/css/flags/1x1/sa.svg)}.flag-icon-sb{background-image:url(/css/flags/4x3/sb.svg)}.flag-icon-sb.flag-icon-squared{background-image:url(/css/flags/1x1/sb.svg)}.flag-icon-sc{background-image:url(/css/flags/4x3/sc.svg)}.flag-icon-sc.flag-icon-squared{background-image:url(/css/flags/1x1/sc.svg)}.flag-icon-sd{background-image:url(/css/flags/4x3/sd.svg)}.flag-icon-sd.flag-icon-squared{background-image:url(/css/flags/1x1/sd.svg)}.flag-icon-se{background-image:url(/css/flags/4x3/se.svg)}.flag-icon-se.flag-icon-squared{background-image:url(/css/flags/1x1/se.svg)}.flag-icon-sg{background-image:url(/css/flags/4x3/sg.svg)}.flag-icon-sg.flag-icon-squared{background-image:url(/css/flags/1x1/sg.svg)}.flag-icon-sh{background-image:url(/css/flags/4x3/sh.svg)}.flag-icon-sh.flag-icon-squared{background-image:url(/css/flags/1x1/sh.svg)}.flag-icon-si{background-image:url(/css/flags/4x3/si.svg)}.flag-icon-si.flag-icon-squared{background-image:url(/css/flags/1x1/si.svg)}.flag-icon-sj{background-image:url(/css/flags/4x3/sj.svg)}.flag-icon-sj.flag-icon-squared{background-image:url(/css/flags/1x1/sj.svg)}.flag-icon-sk{background-image:url(/css/flags/4x3/sk.svg)}.flag-icon-sk.flag-icon-squared{background-image:url(/css/flags/1x1/sk.svg)}.flag-icon-sl{background-image:url(/css/flags/4x3/sl.svg)}.flag-icon-sl.flag-icon-squared{background-image:url(/css/flags/1x1/sl.svg)}.flag-icon-sm{background-image:url(/css/flags/4x3/sm.svg)}.flag-icon-sm.flag-icon-squared{background-image:url(/css/flags/1x1/sm.svg)}.flag-icon-sn{background-image:url(/css/flags/4x3/sn.svg)}.flag-icon-sn.flag-icon-squared{background-image:url(/css/flags/1x1/sn.svg)}.flag-icon-so{background-image:url(/css/flags/4x3/so.svg)}.flag-icon-so.flag-icon-squared{background-image:url(/css/flags/1x1/so.svg)}.flag-icon-sr{background-image:url(/css/flags/4x3/sr.svg)}.flag-icon-sr.flag-icon-squared{background-image:url(/css/flags/1x1/sr.svg)}.flag-icon-ss{background-image:url(/css/flags/4x3/ss.svg)}.flag-icon-ss.flag-icon-squared{background-image:url(/css/flags/1x1/ss.svg)}.flag-icon-st{background-image:url(/css/flags/4x3/st.svg)}.flag-icon-st.flag-icon-squared{background-image:url(/css/flags/1x1/st.svg)}.flag-icon-sv{background-image:url(/css/flags/4x3/sv.svg)}.flag-icon-sv.flag-icon-squared{background-image:url(/css/flags/1x1/sv.svg)}.flag-icon-sx{background-image:url(/css/flags/4x3/sx.svg)}.flag-icon-sx.flag-icon-squared{background-image:url(/css/flags/1x1/sx.svg)}.flag-icon-sy{background-image:url(/css/flags/4x3/sy.svg)}.flag-icon-sy.flag-icon-squared{background-image:url(/css/flags/1x1/sy.svg)}.flag-icon-sz{background-image:url(/css/flags/4x3/sz.svg)}.flag-icon-sz.flag-icon-squared{background-image:url(/css/flags/1x1/sz.svg)}.flag-icon-tc{background-image:url(/css/flags/4x3/tc.svg)}.flag-icon-tc.flag-icon-squared{background-image:url(/css/flags/1x1/tc.svg)}.flag-icon-td{background-image:url(/css/flags/4x3/td.svg)}.flag-icon-td.flag-icon-squared{background-image:url(/css/flags/1x1/td.svg)}.flag-icon-tf{background-image:url(/css/flags/4x3/tf.svg)}.flag-icon-tf.flag-icon-squared{background-image:url(/css/flags/1x1/tf.svg)}.flag-icon-tg{background-image:url(/css/flags/4x3/tg.svg)}.flag-icon-tg.flag-icon-squared{background-image:url(/css/flags/1x1/tg.svg)}.flag-icon-th{background-image:url(/css/flags/4x3/th.svg)}.flag-icon-th.flag-icon-squared{background-image:url(/css/flags/1x1/th.svg)}.flag-icon-tj{background-image:url(/css/flags/4x3/tj.svg)}.flag-icon-tj.flag-icon-squared{background-image:url(/css/flags/1x1/tj.svg)}.flag-icon-tk{background-image:url(/css/flags/4x3/tk.svg)}.flag-icon-tk.flag-icon-squared{background-image:url(/css/flags/1x1/tk.svg)}.flag-icon-tl{background-image:url(/css/flags/4x3/tl.svg)}.flag-icon-tl.flag-icon-squared{background-image:url(/css/flags/1x1/tl.svg)}.flag-icon-tm{background-image:url(/css/flags/4x3/tm.svg)}.flag-icon-tm.flag-icon-squared{background-image:url(/css/flags/1x1/tm.svg)}.flag-icon-tn{background-image:url(/css/flags/4x3/tn.svg)}.flag-icon-tn.flag-icon-squared{background-image:url(/css/flags/1x1/tn.svg)}.flag-icon-to{background-image:url(/css/flags/4x3/to.svg)}.flag-icon-to.flag-icon-squared{background-image:url(/css/flags/1x1/to.svg)}.flag-icon-tr{background-image:url(/css/flags/4x3/tr.svg)}.flag-icon-tr.flag-icon-squared{background-image:url(/css/flags/1x1/tr.svg)}.flag-icon-tt{background-image:url(/css/flags/4x3/tt.svg)}.flag-icon-tt.flag-icon-squared{background-image:url(/css/flags/1x1/tt.svg)}.flag-icon-tv{background-image:url(/css/flags/4x3/tv.svg)}.flag-icon-tv.flag-icon-squared{background-image:url(/css/flags/1x1/tv.svg)}.flag-icon-tw{background-image:url(/css/flags/4x3/tw.svg)}.flag-icon-tw.flag-icon-squared{background-image:url(/css/flags/1x1/tw.svg)}.flag-icon-tz{background-image:url(/css/flags/4x3/tz.svg)}.flag-icon-tz.flag-icon-squared{background-image:url(/css/flags/1x1/tz.svg)}.flag-icon-ua{background-image:url(/css/flags/4x3/ua.svg)}.flag-icon-ua.flag-icon-squared{background-image:url(/css/flags/1x1/ua.svg)}.flag-icon-ug{background-image:url(/css/flags/4x3/ug.svg)}.flag-icon-ug.flag-icon-squared{background-image:url(/css/flags/1x1/ug.svg)}.flag-icon-um{background-image:url(/css/flags/4x3/um.svg)}.flag-icon-um.flag-icon-squared{background-image:url(/css/flags/1x1/um.svg)}.flag-icon-us{background-image:url(/css/flags/4x3/us.svg)}.flag-icon-us.flag-icon-squared{background-image:url(/css/flags/1x1/us.svg)}.flag-icon-uy{background-image:url(/css/flags/4x3/uy.svg)}.flag-icon-uy.flag-icon-squared{background-image:url(/css/flags/1x1/uy.svg)}.flag-icon-uz{background-image:url(/css/flags/4x3/uz.svg)}.flag-icon-uz.flag-icon-squared{background-image:url(/css/flags/1x1/uz.svg)}.flag-icon-va{background-image:url(/css/flags/4x3/va.svg)}.flag-icon-va.flag-icon-squared{background-image:url(/css/flags/1x1/va.svg)}.flag-icon-vc{background-image:url(/css/flags/4x3/vc.svg)}.flag-icon-vc.flag-icon-squared{background-image:url(/css/flags/1x1/vc.svg)}.flag-icon-ve{background-image:url(/css/flags/4x3/ve.svg)}.flag-icon-ve.flag-icon-squared{background-image:url(/css/flags/1x1/ve.svg)}.flag-icon-vg{background-image:url(/css/flags/4x3/vg.svg)}.flag-icon-vg.flag-icon-squared{background-image:url(/css/flags/1x1/vg.svg)}.flag-icon-vi{background-image:url(/css/flags/4x3/vi.svg)}.flag-icon-vi.flag-icon-squared{background-image:url(/css/flags/1x1/vi.svg)}.flag-icon-vn{background-image:url(/css/flags/4x3/vn.svg)}.flag-icon-vn.flag-icon-squared{background-image:url(/css/flags/1x1/vn.svg)}.flag-icon-vu{background-image:url(/css/flags/4x3/vu.svg)}.flag-icon-vu.flag-icon-squared{background-image:url(/css/flags/1x1/vu.svg)}.flag-icon-wf{background-image:url(/css/flags/4x3/wf.svg)}.flag-icon-wf.flag-icon-squared{background-image:url(/css/flags/1x1/wf.svg)}.flag-icon-ws{background-image:url(/css/flags/4x3/ws.svg)}.flag-icon-ws.flag-icon-squared{background-image:url(/css/flags/1x1/ws.svg)}.flag-icon-ye{background-image:url(/css/flags/4x3/ye.svg)}.flag-icon-ye.flag-icon-squared{background-image:url(/css/flags/1x1/ye.svg)}.flag-icon-yt{background-image:url(/css/flags/4x3/yt.svg)}.flag-icon-yt.flag-icon-squared{background-image:url(/css/flags/1x1/yt.svg)}.flag-icon-za{background-image:url(/css/flags/4x3/za.svg)}.flag-icon-za.flag-icon-squared{background-image:url(/css/flags/1x1/za.svg)}.flag-icon-zm{background-image:url(/css/flags/4x3/zm.svg)}.flag-icon-zm.flag-icon-squared{background-image:url(/css/flags/1x1/zm.svg)}.flag-icon-zw{background-image:url(/css/flags/4x3/zw.svg)}.flag-icon-zw.flag-icon-squared{background-image:url(/css/flags/1x1/zw.svg)}.flag-icon-es-ct{background-image:url(/css/flags/4x3/es-ct.svg)}.flag-icon-es-ct.flag-icon-squared{background-image:url(/css/flags/1x1/es-ct.svg)}.flag-icon-es-ga{background-image:url(/css/flags/4x3/es-ga.svg)}.flag-icon-es-ga.flag-icon-squared{background-image:url(/css/flags/1x1/es-ga.svg)}.flag-icon-eu{background-image:url(/css/flags/4x3/eu.svg)}.flag-icon-eu.flag-icon-squared{background-image:url(/css/flags/1x1/eu.svg)}.flag-icon-gb-eng{background-image:url(/css/flags/4x3/gb-eng.svg)}.flag-icon-gb-eng.flag-icon-squared{background-image:url(/css/flags/1x1/gb-eng.svg)}.flag-icon-gb-nir{background-image:url(/css/flags/4x3/gb-nir.svg)}.flag-icon-gb-nir.flag-icon-squared{background-image:url(/css/flags/1x1/gb-nir.svg)}.flag-icon-gb-sct{background-image:url(/css/flags/4x3/gb-sct.svg)}.flag-icon-gb-sct.flag-icon-squared{background-image:url(/css/flags/1x1/gb-sct.svg)}.flag-icon-gb-wls{background-image:url(/css/flags/4x3/gb-wls.svg)}.flag-icon-gb-wls.flag-icon-squared{background-image:url(/css/flags/1x1/gb-wls.svg)}.flag-icon-un{background-image:url(/css/flags/4x3/un.svg)}.flag-icon-un.flag-icon-squared{background-image:url(/css/flags/1x1/un.svg)}.flag-icon-xk{background-image:url(/css/flags/4x3/xk.svg)}.flag-icon-xk.flag-icon-squared{background-image:url(/css/flags/1x1/xk.svg)}

From 65fb4c2aa81cb779bed1a4ad75836a151eab46db Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 26 Mar 2025 13:04:43 +0100
Subject: [PATCH 219/378] [Nginx] Move conf.d include before SNI vhosts

---
 data/conf/nginx/templates/nginx.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/conf/nginx/templates/nginx.conf.j2 b/data/conf/nginx/templates/nginx.conf.j2
index a4ff70e51..ff5f8f184 100644
--- a/data/conf/nginx/templates/nginx.conf.j2
+++ b/data/conf/nginx/templates/nginx.conf.j2
@@ -182,6 +182,8 @@ http {
         }
     }
 
+    include /etc/nginx/conf.d/*.conf;
+
     {% for cert in valid_cert_dirs %}
     server {
         {% if not HTTP_REDIRECT %}
@@ -206,6 +208,4 @@ http {
         include /etc/nginx/includes/sites-default.conf;
     }
     {% endfor %}
-
-    include /etc/nginx/conf.d/*.conf;
 }

From 8408b82e9c92d34f65f5aae31d6840704764e231 Mon Sep 17 00:00:00 2001
From: "Marvin A. Ruder" <signed@mruder.dev>
Date: Wed, 26 Mar 2025 17:17:13 +0100
Subject: [PATCH 220/378] Add new option with description to existing
 configuration files during next update

* Remove Olefy settings file from rspamd configuration
* Have rspamd container generate Olefy settings file at startup if not disabled

Signed-off-by: Marvin A. Ruder <signed@mruder.dev>
---
 data/Dockerfiles/rspamd/docker-entrypoint.sh  | 21 +++++++++++++++++++
 .../rspamd/local.d/external_services.conf     | 12 -----------
 update.sh                                     | 12 +++++++++++
 3 files changed, 33 insertions(+), 12 deletions(-)
 delete mode 100644 data/conf/rspamd/local.d/external_services.conf

diff --git a/data/Dockerfiles/rspamd/docker-entrypoint.sh b/data/Dockerfiles/rspamd/docker-entrypoint.sh
index cf44c3063..7385488b0 100755
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -81,6 +81,27 @@ EOF
   redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF NO ONE
 fi
 
+if [[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  if [[ -f /etc/rspamd/local.d/external_services.conf ]]; then
+    rm /etc/rspamd/local.d/external_services.conf
+  fi
+else
+  cat <<EOF > /etc/rspamd/local.d/external_services.conf
+oletools {
+  # default olefy settings
+  servers = "olefy:10055";
+  # needs to be set explicitly for Rspamd < 1.9.5
+  scan_mime_parts = true;
+  # mime-part regex matching in content-type or filename
+  # block all macros
+  extended = true;
+  max_size = 3145728;
+  timeout = 20.0;
+  retransmits = 1;
+}
+EOF
+fi
+
 # Provide additional lua modules
 ln -s /usr/lib/$(uname -m)-linux-gnu/liblua5.1-cjson.so.0.0.0 /usr/lib/rspamd/cjson.so
 
diff --git a/data/conf/rspamd/local.d/external_services.conf b/data/conf/rspamd/local.d/external_services.conf
deleted file mode 100644
index 2b091ff23..000000000
--- a/data/conf/rspamd/local.d/external_services.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-oletools {
-  # default olefy settings
-  servers = "olefy:10055";
-  # needs to be set explicitly for Rspamd < 1.9.5
-  scan_mime_parts = true;
-  # mime-part regex matching in content-type or filename
-  # block all macros
-  extended = true;
-  max_size = 3145728;
-  timeout = 20.0;
-  retransmits = 1;
-}
diff --git a/update.sh b/update.sh
index bf5229653..c39d37834 100755
--- a/update.sh
+++ b/update.sh
@@ -1280,6 +1280,18 @@ for option in "${CONFIG_ARRAY[@]}"; do
       echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf
       echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf
     fi
+  elif [[ "${option}" == "SKIP_CLAMD" ]]; then
+    if ! grep -q "${option}" mailcow.conf; then
+      echo "Adding new option \"${option}\" to mailcow.conf"
+      echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf
+      echo 'SKIP_CLAMD=n' >> mailcow.conf
+    fi
+  elif [[ "${option}" == "SKIP_OLEFY" ]]; then
+    if ! grep -q "${option}" mailcow.conf; then
+      echo "Adding new option \"${option}\" to mailcow.conf"
+      echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf
+      echo 'SKIP_OLEFY=n' >> mailcow.conf
+    fi
   elif [[ "${option}" == "REDISPASS" ]]; then
     if ! grep -q "${option}" mailcow.conf; then
       echo "Adding new option \"${option}\" to mailcow.conf"

From 4ad24228108aadf7a915bda7af0a3ef9ecffb92c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 27 Mar 2025 16:52:15 +0100
Subject: [PATCH 221/378] [Dovecot] Increase Timeout for HTTP Login Request

---
 data/conf/dovecot/auth/passwd-verify.lua | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua
index cb2e928d0..d235173da 100644
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -3,10 +3,10 @@ function auth_password_verify(request, password)
     return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
   end
 
-  json = require "cjson"
-  ltn12 = require "ltn12"
-  https = require "ssl.https"
-  https.TIMEOUT = 5
+  local json = require "cjson"
+  local ltn12 = require "ltn12"
+  local https = require "ssl.https"
+  https.TIMEOUT = 30
 
   local req = {
     username = request.user,
@@ -16,8 +16,7 @@ function auth_password_verify(request, password)
   }
   req.protocol[request.service] = true
   local req_json = json.encode(req)
-  local res = {} 
-  
+  local res = {}
   local b, c = https.request {
     method = "POST",
     url = "https://nginx:9082",
@@ -29,11 +28,16 @@ function auth_password_verify(request, password)
     sink = ltn12.sink.table(res),
     insecure = true
   }
+
+  if c ~= 200 then
+    dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
+    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error"
+  end
+
   local api_response = json.decode(table.concat(res))
   if api_response.success == true then
     return dovecot.auth.PASSDB_RESULT_OK, ""
   end
-  
   return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
 end
 

From 65d872cc1487380e488e26d27a26154a12753f5f Mon Sep 17 00:00:00 2001
From: Bruno Antunes <bruno@nootch.net>
Date: Thu, 27 Mar 2025 20:21:25 +0000
Subject: [PATCH 222/378] Fix tiny typo

---
 helper-scripts/backup_and_restore.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helper-scripts/backup_and_restore.sh b/helper-scripts/backup_and_restore.sh
index 0cb37fce3..c7615c294 100755
--- a/helper-scripts/backup_and_restore.sh
+++ b/helper-scripts/backup_and_restore.sh
@@ -236,7 +236,7 @@ function restore() {
       if [[ $(find "${RESTORE_LOCATION}" \( -name '*x86*' -o -name '*aarch*' \) -exec basename {} \; | sed 's/^\.//' | sed 's/^\.//') == "" ]]; then
         echo -e "\e[33mCould not find a architecture signature of the loaded backup... Maybe the backup was done before the multiarch update?"
         sleep 2
-        echo -e "Continuing anyhow. If rspamd is crashing opon boot try remove the rspamd volume with docker volume rm ${CMPS_PRJ}_rspamd-vol-1 after you've stopped the stack.\e[0m"
+        echo -e "Continuing anyhow. If rspamd is crashing upon boot try remove the rspamd volume with docker volume rm ${CMPS_PRJ}_rspamd-vol-1 after you've stopped the stack.\e[0m"
         sleep 2
         docker stop $(docker ps -qf name=rspamd-mailcow)
         docker run -i --name mailcow-backup --rm \

From 0157cbddafe59b253b8186d7e29a63da85a964d7 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 31 Mar 2025 10:36:20 +0200
Subject: [PATCH 223/378] [Netfilter] Downgrade to 1.61

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 2d68b80ce..4907b592d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -477,7 +477,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: ghcr.io/mailcow/netfilter:1.62
+      image: ghcr.io/mailcow/netfilter:1.61
       stop_grace_period: 30s
       restart: always
       privileged: true

From f37961b7d06b1e0f0fdb2f893f5dfa295c00f86f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 31 Mar 2025 11:32:01 +0200
Subject: [PATCH 224/378] [SOGo] Use JS for mailcow logout

---
 data/Dockerfiles/sogo/navMailcowBtns.diff |  6 +-----
 data/conf/sogo/custom-sogo.js             | 10 ++++++++++
 docker-compose.yml                        |  2 +-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/data/Dockerfiles/sogo/navMailcowBtns.diff b/data/Dockerfiles/sogo/navMailcowBtns.diff
index 1b469aa60..563818fb6 100644
--- a/data/Dockerfiles/sogo/navMailcowBtns.diff
+++ b/data/Dockerfiles/sogo/navMailcowBtns.diff
@@ -7,14 +7,10 @@
 <     </md-button>
 <     <md-button class="md-icon-button"
 83c76
-<                onclick="document.getElementById('mc_logout').setAttribute('action', '/'); document.getElementById('mc_logout').submit();"
+<                onclick="mc_logout();"
 ---
 >                ng-show="::activeUser.path.logoff.length"
 85c78
 <                ng-href="#">
 ---
 >                ng-href="{{::activeUser.path.logoff}}">
-89,91d81
-<     <form method="POST" id="mc_logout" action="user">
-<       <input type="hidden" name="logout" value="1">
-<     </form>
diff --git a/data/conf/sogo/custom-sogo.js b/data/conf/sogo/custom-sogo.js
index e1f27e8ff..d3b90b085 100644
--- a/data/conf/sogo/custom-sogo.js
+++ b/data/conf/sogo/custom-sogo.js
@@ -5,6 +5,16 @@ document.addEventListener('DOMContentLoaded', function () {
         window.location.href = '/user';
     }
 });
+// logout function
+function mc_logout() {
+    fetch("/", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: "logout=1"
+    }).then(() => window.location.href = '/');
+}
 
 // Custom SOGo JS
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 2d68b80ce..dea033a11 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -199,7 +199,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: ghcr.io/mailcow/sogo:1.131
+      image: ghcr.io/mailcow/sogo:1.133
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From e452917de9786663dd9eb0af371dd916ab6d63be Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 31 Mar 2025 12:14:43 +0200
Subject: [PATCH 225/378] [SOGo] Show mailcow Settings Button to SOGoSuperUsers

---
 data/Dockerfiles/sogo/navMailcowBtns.diff | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/data/Dockerfiles/sogo/navMailcowBtns.diff b/data/Dockerfiles/sogo/navMailcowBtns.diff
index 563818fb6..2107b5b1f 100644
--- a/data/Dockerfiles/sogo/navMailcowBtns.diff
+++ b/data/Dockerfiles/sogo/navMailcowBtns.diff
@@ -1,9 +1,8 @@
-59,65d58
-<                ng-show="::!activeUser.isSuperUser"
+60,65d58
 <                var:ng-click="navButtonClick"
 <                ng-href="/user">
 <       <md-icon>build</md-icon>
-<       <md-tooltip><var:string label:value="mailcow"/></md-tooltip>
+<       <md-tooltip>mailcow <var:string label:value="Preferences"/></md-tooltip>
 <     </md-button>
 <     <md-button class="md-icon-button"
 83c76

From db3a577ae3b1cd8211bf88da7d8bedaddda31e3a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 1 Apr 2025 16:39:15 +0200
Subject: [PATCH 226/378] [Web] Fix password reset

---
 data/web/reset-password.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/reset-password.php b/data/web/reset-password.php
index 7544d40c3..d717d9d8b 100644
--- a/data/web/reset-password.php
+++ b/data/web/reset-password.php
@@ -1,5 +1,6 @@
 <?php
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.user.inc.php';
 
 if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
   header('Location: /admin/dashboard');

From 4c5f48558782320905b10d7d10962fd509f68fbd Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 1 Apr 2025 22:00:11 +0200
Subject: [PATCH 227/378] update postscreen_access.cidr (#6443)

---
 data/conf/postfix/postscreen_access.cidr | 83 +++++++++++++++++++++---
 1 file changed, 75 insertions(+), 8 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index c6ed2be93..36c7e9fca 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Sat Mar  1 00:19:29 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Tue Apr  1 00:20:51 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2000 total rules
+# 2067 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -26,7 +26,12 @@
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
+8.39.54.0/23	permit
+8.39.54.250/31	permit
+8.40.222.0/23	permit
+8.40.222.250/31	permit
 12.130.86.238	permit
+13.107.246.59	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -60,8 +65,6 @@
 20.59.80.4/30	permit
 20.63.210.192/28	permit
 20.69.8.108/30	permit
-20.70.246.20	permit
-20.76.201.171	permit
 20.83.222.104/30	permit
 20.88.157.184/30	permit
 20.94.180.64/28	permit
@@ -70,14 +73,11 @@
 20.98.194.68/30	permit
 20.105.209.76/30	permit
 20.107.239.64/30	permit
-20.112.250.133	permit
 20.118.139.208/30	permit
 20.141.10.196	permit
 20.185.214.0/27	permit
 20.185.214.32/27	permit
 20.185.214.64/27	permit
-20.231.239.246	permit
-20.236.44.162	permit
 23.103.224.0/19	permit
 23.249.208.0/20	permit
 23.251.224.0/19	permit
@@ -103,6 +103,24 @@
 27.123.206.80/28	permit
 31.25.48.222	permit
 31.47.251.17	permit
+34.2.64.0/22	permit
+34.2.68.0/23	permit
+34.2.70.0/23	permit
+34.2.71.64/26	permit
+34.2.72.0/22	permit
+34.2.75.0/26	permit
+34.2.78.0/23	permit
+34.2.80.0/23	permit
+34.2.82.0/23	permit
+34.2.84.0/24	permit
+34.2.84.64/26	permit
+34.2.85.0/24	permit
+34.2.85.64/26	permit
+34.2.86.0/23	permit
+34.2.88.0/23	permit
+34.2.90.0/23	permit
+34.2.92.0/23	permit
+34.2.94.0/23	permit
 34.195.217.107	permit
 34.212.163.75	permit
 34.215.104.144	permit
@@ -215,7 +233,6 @@
 52.95.49.88/29	permit
 52.96.91.34	permit
 52.96.111.82	permit
-52.96.172.98	permit
 52.96.214.50	permit
 52.96.222.194	permit
 52.96.222.226	permit
@@ -255,6 +272,7 @@
 54.244.54.130	permit
 54.244.242.0/24	permit
 54.255.61.23	permit
+56.124.6.228	permit
 57.103.64.0/18	permit
 62.13.128.0/24	permit
 62.13.129.128/25	permit
@@ -341,6 +359,7 @@
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
+65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
 66.119.150.192/26	permit
@@ -1304,6 +1323,9 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
+121.244.91.48	permit
+121.244.91.52	permit
+122.15.156.182	permit
 123.126.78.64/29	permit
 124.108.96.24/31	permit
 124.108.96.28/31	permit
@@ -1366,7 +1388,21 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
+135.84.80.0/24	permit
+135.84.81.0/24	permit
+135.84.82.0/24	permit
+135.84.83.0/24	permit
 135.84.216.0/22	permit
+136.143.160.0/24	permit
+136.143.161.0/24	permit
+136.143.162.0/24	permit
+136.143.176.0/24	permit
+136.143.177.0/24	permit
+136.143.178.49	permit
+136.143.182.0/23	permit
+136.143.184.0/24	permit
+136.143.188.0/24	permit
+136.143.190.0/23	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
 136.147.176.0/20	permit
@@ -1381,6 +1417,7 @@
 139.138.46.219	permit
 139.138.57.55	permit
 139.138.58.119	permit
+139.167.79.86	permit
 139.180.17.0/24	permit
 140.238.148.191	permit
 141.148.159.229	permit
@@ -1498,6 +1535,9 @@
 163.114.135.16	permit
 164.152.23.32	permit
 164.177.132.168/30	permit
+165.173.128.0/24	permit
+165.173.180.250/31	permit
+165.173.182.250/31	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1526,6 +1566,12 @@
 168.245.12.252	permit
 168.245.46.9	permit
 168.245.127.231	permit
+169.148.129.0/24	permit
+169.148.131.0/24	permit
+169.148.142.10	permit
+169.148.144.0/25	permit
+169.148.144.10	permit
+169.148.146.0/23	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
 170.10.132.56/29	permit
@@ -1667,6 +1713,14 @@
 198.61.254.231	permit
 198.178.234.57	permit
 198.244.48.0/20	permit
+198.244.56.107	permit
+198.244.56.108	permit
+198.244.56.109	permit
+198.244.56.111	permit
+198.244.56.112	permit
+198.244.56.113	permit
+198.244.56.114	permit
+198.244.56.115	permit
 198.244.59.30	permit
 198.244.59.33	permit
 198.244.59.35	permit
@@ -1679,7 +1733,15 @@
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
+199.34.22.36	permit
 199.59.148.0/22	permit
+199.67.80.2	permit
+199.67.80.20	permit
+199.67.82.2	permit
+199.67.82.20	permit
+199.67.84.0/24	permit
+199.67.86.0/24	permit
+199.67.88.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1736,6 +1798,8 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
+204.141.32.0/23	permit
+204.141.42.0/23	permit
 204.220.160.0/21	permit
 204.220.168.0/21	permit
 204.220.176.0/20	permit
@@ -1988,6 +2052,9 @@
 2603:1030:20e:3::23c	permit
 2603:1030:b:3::152	permit
 2603:1030:c02:8::14	permit
+2607:13c0:0001:0000:0000:0000:0000:7000/116	permit
+2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
+2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
 2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit

From a92832d115922cb11b2387c25919da804f708c4d Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 2 Apr 2025 14:39:24 +0200
Subject: [PATCH 228/378] update README.md to include first 50 and 100$ monthly
 sponsors

---
 README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/README.md b/README.md
index dc9b76be0..40288f10e 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,22 @@ You can also [get a SAL](https://www.servercow.de/mailcow?lang=en#sal) which is
 
 Or just spread the word: moo.
 
+## Many thanks to our GitHub Sponsors ❤️
+A big thank you to everyone supporting us on GitHub Sponsors—your contributions mean the world to us! Special thanks to the following amazing supporters:
+
+### 100$/Month Sponsors
+  <a href="https://www.colba.net/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/204464723" height="58"
+  /></a>
+  <a href="https://www.maehdros.com/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/173894712" height="58"
+  /></a>
+
+### 50$/Month Sponsors
+  <a href="https://github.com/vnukhr" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/7805987?s=52&v=4" height="58"
+  /></a>
+
 ## Info, documentation and support
 
 Please see [the official documentation](https://docs.mailcow.email/) for installation and support instructions. 🐄

From 805634f9a94529a2c611100aed22f5c0b2d11b34 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 3 Apr 2025 10:19:30 +0200
Subject: [PATCH 229/378] Fix sasl_logs

---
 data/conf/dovecot/auth/mailcowauth.php     | 15 ++++---
 data/conf/dovecot/auth/passwd-verify.lua   |  9 ++--
 data/web/inc/functions.auth.inc.php        | 50 ++++++++++++++--------
 data/web/inc/functions.inc.php             | 28 ++++++++++++
 data/web/js/site/user.js                   |  6 ---
 data/web/templates/user/tab-user-auth.twig |  3 +-
 6 files changed, 74 insertions(+), 37 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index fc17df724..667419c57 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -69,29 +69,34 @@ require_once 'functions.acl.inc.php';
 
 $isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
 $result = false;
-$protocol = $post['protocol'];
 if ($isSOGoRequest) {
-  $protocol = null;
   // This is a SOGo Auth request. First check for SSO password.
   $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
   if ($sogo_sso_pass === $post['password']){
     error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
+    set_sasl_log($post['username'], $post['real_rip'], "SOGO");
     $result = true;
   }
 }
 if ($result === false){
-  $result = apppass_login($post['username'], $post['password'], $protocol, array(
+  $result = apppass_login($post['username'], $post['password'], array($post['service'] => true), array(
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
   ));
-  if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+  if ($result) {
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
+  }
 }
 if ($result === false){
   // Init Identity Provider
   $iam_provider = identity_provider('init');
   $iam_settings = identity_provider('get');
   $result = user_login($post['username'], $post['password'], array('is_internal' => true));
-  if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
+  if ($result) {
+    error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
+    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
+  }
 }
 
 if ($result) {
diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua
index cb2e928d0..a6cb988d7 100644
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -12,12 +12,11 @@ function auth_password_verify(request, password)
     username = request.user,
     password = password,
     real_rip = request.real_rip,
-    protocol = {}
+    service = request.service
   }
-  req.protocol[request.service] = true
   local req_json = json.encode(req)
-  local res = {} 
-  
+  local res = {}
+
   local b, c = https.request {
     method = "POST",
     url = "https://nginx:9082",
@@ -33,7 +32,7 @@ function auth_password_verify(request, password)
   if api_response.success == true then
     return dovecot.auth.PASSDB_RESULT_OK, ""
   end
-  
+
   return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
 end
 
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index f432c3834..30d5943c4 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -9,25 +9,51 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
   // Try validate admin
   if (!isset($role) || $role == "admin") {
     $result = admin_login($user, $pass);
-    if ($result !== false) return $result;
+    if ($result !== false){
+      return $result;
+    }
   }
 
   // Try validate domain admin
   if (!isset($role) || $role == "domain_admin") {
     $result = domainadmin_login($user, $pass);
-    if ($result !== false) return $result;
+    if ($result !== false) {
+      return $result;
+    }
   }
 
   // Try validate user
   if (!isset($role) || $role == "user") {
     $result = user_login($user, $pass);
-    if ($result !== false) return $result;
+    if ($result !== false) {
+      if ($app_passwd_data['eas'] === true) {
+        $service = 'EAS';
+      } elseif ($app_passwd_data['dav'] === true) {
+        $service = 'DAV';
+      } else {
+        $service = 'MAILCOWUI';
+      }
+      $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+      set_sasl_log($user, $real_rip, $service);
+      return $result;
+    }
   }
 
   // Try validate app password
   if (!isset($role) || $role == "app") {
     $result = apppass_login($user, $pass, $app_passwd_data);
-    if ($result !== false) return $result;
+    if ($result !== false) {
+      if ($app_passwd_data['eas'] === true) {
+        $service = 'EAS';
+      } elseif ($app_passwd_data['dav'] === true) {
+        $service = 'DAV';
+      } else {
+        $service = 'NONE';
+      }
+      $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+      set_sasl_log($user, $real_rip, $service, $pass);
+      return $result;
+    }
   }
 
   // skip log and only return false if it's an internal request
@@ -415,21 +441,7 @@ function apppass_login($user, $pass, $app_passwd_data, $extra = null){
 
     // verify password
     if (verify_hash($row['password'], $pass) !== false) {
-      if ($is_internal){
-        $remote_addr = $extra['remote_addr'];
-      } else {
-        $remote_addr = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
-      }
-
-      $service = strtoupper($is_app_passwd);
-      $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
-      $stmt->execute(array(
-        ':service' => $service,
-        ':app_id' => $row['app_passwd_id'],
-        ':username' => $user,
-        ':remote_addr' => $remote_addr
-      ));
-
+      $_SESSION['app_passwd_id'] = $row['app_passwd_id'];
       unset($_SESSION['ldelay']);
       return "user";
     }
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 6a70eb6e3..49e26b978 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -350,6 +350,34 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
   }
 
 }
+function set_sasl_log($username, $real_rip, $service){
+  global $pdo;
+
+  try {
+    if (!empty($_SESSION['app_passwd_id'])) {
+      $app_password = $_SESSION['app_passwd_id'];
+    } else {
+      $app_password = 0;
+    }
+
+    $stmt = $pdo->prepare('REPLACE INTO `sasl_log` (`username`, `real_rip`, `service`, `app_password`) VALUES (:username, :real_rip, :service, :app_password)');
+    $stmt->execute(array(
+      ':username' => $username,
+      ':real_rip' => $real_rip,
+      ':service' => $service,
+      ':app_password' => $app_password
+    ));
+  } catch (PDOException $e) {
+    $_SESSION['return'][] =  array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $_data_log),
+      'msg' => array('mysql_error', $e)
+    );
+    return false;
+  }
+
+  return true;
+}
 function flush_memcached() {
   try {
     $m = new Memcached();
diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js
index 8f64d4e20..678e23b19 100644
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -90,13 +90,7 @@ jQuery(function($){
           console.log('error reading last logins');
         },
         success: function (data) {
-          $('.last-ui-login').html('');
           $('.last-sasl-login').html('');
-          if (data.ui.time) {
-            $('.last-ui-login').html('<i class="bi bi-person-fill"></i> ' + lang.last_ui_login + ': ' + unix_time_format(data.ui.time));
-          } else {
-            $('.last-ui-login').text(lang.no_last_login);
-          }
           if (data.sasl) {
             $('.last-sasl-login').append('<ul class="list-group">');
             $.each(data.sasl, function (i, item) {
diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig
index a7e025431..bace33489 100644
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -184,7 +184,7 @@
           </div>
           {% endif %}
         </div>
-        <div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1">
+        <div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1" id="recent-logins">
           <legend class="d-flex">
             <span>{{ lang.user.recent_successful_connections }}</span>
             <div id="spinner-last-login" class="ms-auto my-auto spinner-border spinner-border-sm d-none" role="status">
@@ -192,7 +192,6 @@
             </div>
           </legend>
           <hr>
-          <h6 class="last-ui-login"></h6>
           <div class="d-flex">
             <span class="clear-last-logins mt-auto mb-2">
               {{ lang.user.clear_recent_successful_connections }}

From ceeabded73c66c8022eeac69721908f3f1c90d46 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 3 Apr 2025 10:29:47 +0200
Subject: [PATCH 230/378] [Web] Fix transport routing test

---
 data/web/js/site/admin.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 90c00002a..847c25aa8 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -681,7 +681,7 @@ jQuery(function($){
     $(this).html('<div class="spinner-border" role="status"><span class="visually-hidden">Loading...</span></div> ');
     $.ajax({
       type: 'GET',
-      url: 'inc/ajax/transport_check.php',
+      url: '/inc/ajax/transport_check.php',
       dataType: 'text',
       data: $('#test_transport_form').serialize(),
       complete: function (data) {

From e65478076b48e6986f0bec0e8b5020697192340d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 3 Apr 2025 11:58:35 +0200
Subject: [PATCH 231/378] [Web] Prevent user sync for mismatched authsource

---
 data/conf/phpfpm/crons/keycloak-sync.php | 2 +-
 data/conf/phpfpm/crons/ldap-sync.php     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php
index c9655a8ec..f09a47d79 100644
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -196,7 +196,7 @@ while (true) {
         logMsg("err", "Could not create user " . $user['email']);
         continue;
       }
-    } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
+    } else if ($row && intval($iam_settings['periodic_sync']) == 1 && $row['authsource'] == "keycloak") {
       if ($mapper_key === false){
         logMsg("warning", "No matching attribute mapping found for user " . $user['email']);
         continue;
diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php
index 66b76e64a..32026c071 100644
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -168,7 +168,7 @@ foreach ($response as $user) {
       logMsg("err", "Could not create user " . $user[$iam_settings['username_field']][0]);
       continue;
     }
-  } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
+  } else if ($row && intval($iam_settings['periodic_sync']) == 1 && $row['authsource'] == "ldap") {
     if ($mapper_key === false){
       logMsg("warning", "No matching attribute mapping found for user " . $user[$iam_settings['username_field']][0]);
       continue;

From 62f816e64a964a0eb3c9243595b6ffedff897cc6 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 3 Apr 2025 12:19:04 +0200
Subject: [PATCH 232/378] [Web] Check app password before user password on web
 login

---
 data/web/inc/functions.auth.inc.php | 33 +++++++++++++++--------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 30d5943c4..994915efc 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -22,22 +22,6 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
     }
   }
 
-  // Try validate user
-  if (!isset($role) || $role == "user") {
-    $result = user_login($user, $pass);
-    if ($result !== false) {
-      if ($app_passwd_data['eas'] === true) {
-        $service = 'EAS';
-      } elseif ($app_passwd_data['dav'] === true) {
-        $service = 'DAV';
-      } else {
-        $service = 'MAILCOWUI';
-      }
-      $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
-      set_sasl_log($user, $real_rip, $service);
-      return $result;
-    }
-  }
 
   // Try validate app password
   if (!isset($role) || $role == "app") {
@@ -56,6 +40,23 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
     }
   }
 
+  // Try validate user
+  if (!isset($role) || $role == "user") {
+    $result = user_login($user, $pass);
+    if ($result !== false) {
+      if ($app_passwd_data['eas'] === true) {
+        $service = 'EAS';
+      } elseif ($app_passwd_data['dav'] === true) {
+        $service = 'DAV';
+      } else {
+        $service = 'MAILCOWUI';
+      }
+      $real_rip = ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR']);
+      set_sasl_log($user, $real_rip, $service);
+      return $result;
+    }
+  }
+
   // skip log and only return false if it's an internal request
   if ($is_internal == true) return false;
 

From 6794e6ff43449d34397e40931310169658c84ac4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 3 Apr 2025 12:31:43 +0200
Subject: [PATCH 233/378] [Dovecot] Add service for authentication cache_key

---
 data/conf/dovecot/dovecot.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 15be77fce..05d9264fa 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -53,7 +53,7 @@ mail_shared_explicit_inbox = yes
 mail_prefetch_count = 30
 passdb {
   driver = lua
-  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%u:%w
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%s:%u:%w
   result_success = return-ok
   result_failure = continue
   result_internalfail = continue

From 402bf53a5c24ac34ca7df63396640c9c0f2dc21c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 4 Apr 2025 13:18:42 +0200
Subject: [PATCH 234/378] [Web] Improve clarity of LDAP SSL/TLS settings

---
 data/web/lang/lang.de-de.json                 |  4 ++-
 data/web/lang/lang.en-gb.json                 |  4 ++-
 .../admin/tab-config-identity-provider.twig   | 28 +++++++++++++++----
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 45c6e9f50..98d601738 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -238,7 +238,9 @@
         "iam_username_field": "Username Feld",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "Benutze SSL",
-        "iam_use_tls": "Benutze TLS",
+        "iam_use_ssl_info": "TLS wird gegenüber SSL empfohlen. SSL gilt als veralteter Mechanismus für die sichere Ausführung von LDAP-Operationen.<br><br>Wenn SSL aktiviert ist und der Port auf 389 gesetzt wurde, wird dieser automatisch auf 636 geändert.",
+        "iam_use_tls": "Benutze StartTLS",
+        "iam_use_tls_info": "Wenn TLS aktiviert wird, muss der Standardport deines LDAP-Servers (389) verwendet werden. SSL-Ports können dabei nicht verwendet werden.",
         "iam_version": "Version",
         "ignore_ssl_error": "Ignoriere SSL Fehler",
         "import": "Importieren",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 5d6911e91..9c1f30483 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -245,7 +245,9 @@
         "iam_username_field": "Username Field",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "Use SSL",
-        "iam_use_tls": "Use TLS",
+        "iam_use_ssl_info": "TLS is recommended over SSL. SSL is labelled as a deprecated mechanism for securely running LDAP operations.<br><br>If enabling SSL, and port is set to 389, it will be automatically overridden to use 636.",
+        "iam_use_tls": "Use StartTLS",
+        "iam_use_tls_info": "If enabling TLS, you must use the default port for your LDAP server (389). SSL ports cannot be used.",
         "iam_version": "Version",
         "ignore_ssl_error": "Ignore SSL Errors",
         "import": "Import",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 9d4dcd286..dce26f8c3 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -392,11 +392,11 @@
           <input type="hidden" name="authsource" value="ldap">
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
-              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_host_info }}"></i>
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill mx-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_host_info }}"></i>
               <label class="control-label" for="iam_ldap_host">{{ lang.admin.iam_host }}:</label>
             </div>
             <div class="col-12 col-md-9 col-lg-4 d-flex">
-            <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
+              <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
             </div>
           </div>
           <div class="row mb-2">
@@ -409,21 +409,37 @@
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill mx-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_use_ssl_info }}"></i>
               <label class="control-label">{{ lang.admin.iam_use_ssl }}</label>
             </div>
-            <div class="col-12 col-md-9">
+            <div class="col-12 col-md-9 d-flex align-items-center">
               <div class="form-check form-switch">
-                <input class="form-check-input" type="checkbox" role="switch" name="use_ssl" value="1" {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
+                <input class="form-check-input"
+                       type="checkbox"
+                       role="switch"
+                       id="use_ssl"
+                       name="use_ssl"
+                       value="1"
+                       onchange="if(this.checked) document.getElementById('use_tls').checked = false"
+                       {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
               </div>
             </div>
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill mx-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_use_tls_info }}"></i>
               <label class="control-label">{{ lang.admin.iam_use_tls }}</label>
             </div>
-            <div class="col-12 col-md-9">
+            <div class="col-12 col-md-9 d-flex align-items-center">
               <div class="form-check form-switch">
-                <input class="form-check-input" type="checkbox" role="switch" name="use_tls" value="1" {% if iam_settings.use_tls == 1 %}checked{% endif %}>
+                <input class="form-check-input"
+                       type="checkbox"
+                       role="switch"
+                       id="use_tls"
+                       name="use_tls"
+                       value="1"
+                       onchange="if(this.checked) document.getElementById('use_ssl').checked = false"
+                       {% if iam_settings.use_tls == 1 %}checked{% endif %}>
               </div>
             </div>
           </div>

From 0eb8f3879264288c5d586f8086a419cd8d03c008 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Apr 2025 07:59:43 +0200
Subject: [PATCH 235/378] [Web] Update LDAP SSL/TLS tooltips

---
 data/web/lang/lang.de-de.json | 2 +-
 data/web/lang/lang.en-gb.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 98d601738..f37c1d849 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -238,7 +238,7 @@
         "iam_username_field": "Username Feld",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "Benutze SSL",
-        "iam_use_ssl_info": "TLS wird gegenüber SSL empfohlen. SSL gilt als veralteter Mechanismus für die sichere Ausführung von LDAP-Operationen.<br><br>Wenn SSL aktiviert ist und der Port auf 389 gesetzt wurde, wird dieser automatisch auf 636 geändert.",
+        "iam_use_ssl_info": "Wenn SSL aktiviert ist und der Port auf 389 gesetzt wurde, wird dieser automatisch auf 636 geändert.",
         "iam_use_tls": "Benutze StartTLS",
         "iam_use_tls_info": "Wenn TLS aktiviert wird, muss der Standardport deines LDAP-Servers (389) verwendet werden. SSL-Ports können dabei nicht verwendet werden.",
         "iam_version": "Version",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 9c1f30483..3b5ff3fb4 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -245,7 +245,7 @@
         "iam_username_field": "Username Field",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "Use SSL",
-        "iam_use_ssl_info": "TLS is recommended over SSL. SSL is labelled as a deprecated mechanism for securely running LDAP operations.<br><br>If enabling SSL, and port is set to 389, it will be automatically overridden to use 636.",
+        "iam_use_ssl_info": "If enabling SSL, and port is set to 389, it will be automatically overridden to use 636.",
         "iam_use_tls": "Use StartTLS",
         "iam_use_tls_info": "If enabling TLS, you must use the default port for your LDAP server (389). SSL ports cannot be used.",
         "iam_version": "Version",

From 2c10c39bc4def2ecde8c1df9cf40487a0a4c08dd Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 7 Apr 2025 08:06:43 +0200
Subject: [PATCH 236/378] [Web] Update 2FA Info tooltip

---
 data/web/lang/lang.de-de.json | 2 +-
 data/web/lang/lang.en-gb.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index f37c1d849..747f7cf84 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -1335,7 +1335,7 @@
         "tag_in_subfolder": "In Unterordner",
         "tag_in_subject": "In Betreff",
         "text": "Text",
-        "tfa_info": "Zwei-Faktor-Authentifizierung hilft dabei, Ihr Konto zu schützen. Wenn Sie sie aktivieren, benötigen Sie möglicherweise App-Passwörter, um sich bei Apps oder Diensten anzumelden, die die Zwei-Faktor-Authentifizierung nicht unterstützen (z.B. Mailclients).",
+        "tfa_info": "Zwei-Faktor-Authentifizierung hilft dabei, Ihr Konto zu schützen. Wenn Sie sie aktivieren, benötigen Sie App-Passwörter, um sich bei Apps oder Diensten anzumelden, die die Zwei-Faktor-Authentifizierung nicht unterstützen (z.B. Mailclients).",
         "title": "Title",
         "tls_enforce_in": "TLS eingehend erzwingen",
         "tls_enforce_out": "TLS ausgehend erzwingen",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 3b5ff3fb4..ca8bb3adf 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -1357,7 +1357,7 @@
         "tag_in_subfolder": "In subfolder",
         "tag_in_subject": "In subject",
         "text": "Text",
-        "tfa_info": "Two-factor authentication helps protect your account. If you enable it, you may need app passwords to log in to apps or services that don't support two-factor authentication (e.g. Mailclients).",
+        "tfa_info": "Two-factor authentication helps protect your account. If you enable it, you need app passwords to log in to apps or services that don't support two-factor authentication (e.g. Mailclients).",
         "title": "Title",
         "tls_enforce_in": "Enforce TLS incoming",
         "tls_enforce_out": "Enforce TLS outgoing",

From 766c5e85801b9719e3447b935f03bb5dd84fda9e Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 9 Apr 2025 08:02:30 +0200
Subject: [PATCH 237/378] [Dovecot] Ignore app passwords protocol access on
 SOGo request

---
 data/conf/dovecot/auth/mailcowauth.php   | 4 +++-
 data/conf/dovecot/auth/passwd-verify.lua | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 667419c57..4eda382b7 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -79,7 +79,9 @@ if ($isSOGoRequest) {
   }
 }
 if ($result === false){
-  $result = apppass_login($post['username'], $post['password'], array($post['service'] => true), array(
+  // If it's a SOGo Request, don't check for protocol access
+  $service = (isSOGoRequest) ? false : array($post['service'] => true);
+  $result = apppass_login($post['username'], $post['password'], $service, array(
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
   ));
diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua
index 18c18dbe3..19dcc4bd6 100644
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -29,7 +29,7 @@ function auth_password_verify(request, password)
     insecure = true
   }
 
-  if c ~= 200 then
+  if c ~= 200 and c ~= 401 then
     dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
     return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error"
   end

From b96a5b1efd50f95711c630e7f26e5636a6fd8850 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 9 Apr 2025 08:07:46 +0200
Subject: [PATCH 238/378] [Web] Fix AJAX urls to absolute path

---
 data/web/js/site/admin.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 847c25aa8..b6edf6f80 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -51,7 +51,7 @@ jQuery(function($){
     $('.submit_rspamd_regex').attr({"disabled": true});
   });
   $("#show_rspamd_global_filters").click(function() {
-    $.get("inc/ajax/show_rspamd_global_filters.php");
+    $.get("/inc/ajax/show_rspamd_global_filters.php");
     $("#confirm_show_rspamd_global_filters").hide();
     $("#rspamd_global_filters").removeClass("d-none");
   });
@@ -655,7 +655,7 @@ jQuery(function($){
     $(this).html('<i class="bi bi-arrow-repeat icon-spin"></i> ');
     $.ajax({
       type: 'GET',
-      url: 'inc/ajax/relay_check.php',
+      url: '/inc/ajax/relay_check.php',
       dataType: 'text',
       data: $('#test_relayhost_form').serialize(),
       complete: function (data) {

From 4ac839cf492a6428a30d0bd17e30184fbd7aa80f Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 10 Apr 2025 17:11:30 +0200
Subject: [PATCH 239/378] Translations update from Weblate (#6463)

* [Web] Updated lang.hu-hu.json

Co-authored-by: Anonymous <noreply@weblate.org>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.lv-lv.json

[Web] Updated lang.lv-lv.json

Co-authored-by: Anonymous <noreply@weblate.org>
Co-authored-by: Edgars Andersons <Edgars+Mailcow+Weblate@gaitenis.id.lv>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Added lang.bg-bg.json

Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.tr-tr.json

Co-authored-by: Anonymous <noreply@weblate.org>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.uk-ua.json

Co-authored-by: Anonymous <noreply@weblate.org>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.zh-cn.json

Co-authored-by: Easton Man <me@eastonman.com>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

---------

Co-authored-by: Anonymous <noreply@weblate.org>
Co-authored-by: Edgars Andersons <Edgars+Mailcow+Weblate@gaitenis.id.lv>
Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: Easton Man <me@eastonman.com>
---
 data/web/lang/lang.bg-bg.json |  1 +
 data/web/lang/lang.hu-hu.json |  2 +-
 data/web/lang/lang.lv-lv.json | 63 ++++++++++++++++++++++++-----------
 data/web/lang/lang.tr-tr.json |  2 +-
 data/web/lang/lang.uk-ua.json |  2 +-
 data/web/lang/lang.zh-cn.json | 63 +++++++++++++++++++++++++++++++----
 6 files changed, 103 insertions(+), 30 deletions(-)
 create mode 100644 data/web/lang/lang.bg-bg.json

diff --git a/data/web/lang/lang.bg-bg.json b/data/web/lang/lang.bg-bg.json
new file mode 100644
index 000000000..0967ef424
--- /dev/null
+++ b/data/web/lang/lang.bg-bg.json
@@ -0,0 +1 @@
+{}
diff --git a/data/web/lang/lang.hu-hu.json b/data/web/lang/lang.hu-hu.json
index 97f575a69..3b9eb5fbc 100644
--- a/data/web/lang/lang.hu-hu.json
+++ b/data/web/lang/lang.hu-hu.json
@@ -590,4 +590,4 @@
         "app_name": "Alkalmazás neve",
         "app_passwd_protocols": "Engedélyezett protokollok az alkalmazás jelszavához"
     }
-}
\ No newline at end of file
+}
diff --git a/data/web/lang/lang.lv-lv.json b/data/web/lang/lang.lv-lv.json
index 545bbe475..2b433b8e8 100644
--- a/data/web/lang/lang.lv-lv.json
+++ b/data/web/lang/lang.lv-lv.json
@@ -16,7 +16,16 @@
         "login_as": "Pieteikšanās kā pastkastes lietotājam",
         "mailbox_relayhost": "Pasta kastītes relayhost maiņa",
         "prohibited": "Aizliegts ar ACL",
-        "protocol_access": "Protokola piekļuves maiņa"
+        "protocol_access": "Protokola piekļuves maiņa",
+        "pw_reset": "Ļaut atiestatīt mailcow lietotāja paroli",
+        "ratelimit": "Piekļuves biežuma ierobežojums",
+        "quarantine": "Karantīnas darbības",
+        "quarantine_attachments": "Karantīnas pielikumi",
+        "quarantine_category": "Mainīt karantīnas paziņojumu kategoriju",
+        "quarantine_notification": "Mainīt karantīnas paziņojumus",
+        "smtp_ip_access": "Mainīt SMTP atļautos saimniekdatorus",
+        "sogo_access": "Atļaut SOGo piekļuves pārvaldību",
+        "sogo_profile_reset": "Atiestatīt SOGo profilu"
     },
     "add": {
         "activate_filter_warn": "Visi pārējie filtri tiks deaktivizēti, kad aktīvs ir atzīmēts.",
@@ -24,8 +33,8 @@
         "add": "Pievienot",
         "add_domain_only": "Tikai pievienot domēnu",
         "add_domain_restart": "Pievienot domēnu un restartēt SOGo",
-        "alias_address": "Aizstājaddrese/s",
-        "alias_address_info": "<small>Pilna epasta addrese/s vai @piemērs.com, lai notvertu visas domēna ziņas (komatu atdalītas). <b>tikai mailcow domēni</b>.</small>",
+        "alias_address": "Aizstājadrese/s",
+        "alias_address_info": "<small>Pilna epasta adrese/s vai @example.com, lai notvertu visus domēna ziņojumus (atdalītas ar komatu). <b>Tikai mailcow domēni</b>.</small>",
         "alias_domain": "Aizstājdomēni",
         "alias_domain_info": "<small>Tikai derīgi domēna vārdi (komatu atdalīti).</small>",
         "automap": "Mēģiniet automatizēt mapes (\"Nosūtītie vienumi\", \"Nosūtītie\" => \"Nosūtītie\" etc.)",
@@ -63,15 +72,17 @@
         "skipcrossduplicates": "Izlaist dublētus ziņojumus pa mapēm (pirmais nāk, pirmais kalpo)",
         "syncjob": "Pievienot sinhronizācijas darbu",
         "syncjob_hint": "Ņemiet vērā, ka parole ir jāuzglabā vienkāršā tekstā!",
-        "target_address": "Iet uz adresēm",
-        "target_address_info": "<small>Pilna epasta addrese/s (comma-separated).</small>",
+        "target_address": "Mērķa adreses",
+        "target_address_info": "<small>Pilna epasta adrese/s (atdalītas ar komatu).</small>",
         "target_domain": "Mērķa domēns",
         "username": "Lietotājvārds",
         "validate": "Apstiprināt",
         "validation_success": "Apstiprināts veiksmīgi",
         "bcc_dest_format": "BCC galamērķim ir jābūt vienai derīgai e-pasta adresei.<br>Ja ir nepieciešams nosūtīt kopiju vairākām adresēm, jāizveido aizstājvārds un jāizmanto tas šeit.",
         "domain_matches_hostname": "Domēns %s atbilst saimniekdatora nosaukumam",
-        "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)"
+        "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)",
+        "app_password": "Pievienot lietotnes paroli",
+        "app_passwd_protocols": "Atļautie lietotnes paroles protokoli"
     },
     "admin": {
         "access": "Pieeja",
@@ -114,7 +125,7 @@
         "f2b_whitelist": "Baltā saraksta tīkls/hosts",
         "filter_table": "Filtru tabula",
         "forwarding_hosts": "Hostu pārsūtīšana",
-        "forwarding_hosts_add_hint": "Var norādīt vai nu IPv4/IPv6 addreses, tīklu ar CIDR apzīmējumu, saimniekdatoru nosaukumus (kas tiks atrisināti IP adresēs) vai arī domēna vārdus (kas tiks atrisināti IP adresēs, vaicājot SPF ierakstus, vai, ja tādu nav, MX ierakstus).",
+        "forwarding_hosts_add_hint": "Var norādīt vai nu IPv4/IPv6 adreses, tīklu ar CIDR apzīmējumu, saimniekdatoru nosaukumus (kas tiks atrisināti IP adresēs) vai arī domēna vārdus (kas tiks atrisināti IP adresēs, vaicājot SPF ierakstus, vai, ja tādu nav, MX ierakstus).",
         "forwarding_hosts_hint": "Ienākošie ziņojumi tiek bez nosacījumiem pieņemti no visiem šeit norādītajiem saimniekdatoriem. Tie tad netiek pārbaudīti pret DNSBL vai pakļauti ievietošanai pelēkajā sarakstā. No tiem saņemtās mēstules nekad netiek noraidītas, bet pēc izvēles tās var pārvietot mapē \"Nevēlams\". Visbiežāk to izmanto, lai norādītu pasta serverus, kuros ir uzstādīts nosacījums, kas pārsūta ienākošās e-pasta vēstules uz Tavu mailcow serveri.",
         "help_text": "Pārrakstīt palīdzības tekstu zem pieteikšanās maskas (var izmantot HTML)",
         "host": "Hosts",
@@ -142,7 +153,7 @@
         "recipients": "Adresāts",
         "refresh": "Atsvaidzināt",
         "regen_api_key": "Reģenerēt API atslēgu",
-        "relay_from": "\"No:\" addrese",
+        "relay_from": "\"No:\" adrese",
         "relay_run": "Palaist testu",
         "relayhosts_hint": "Norādīt no sūtītāja atkarīgas piegādes, lai varētu tos atlasīt domēnu konfigurācijas uzvednē.<br>\n  Piegādes pakalpojums vienmēr ir \"smtp\", tādējādi tiks mēģināts TLS, kad piedāvāts. Iekļautais TLS (SMTPS) netiek atbalstīts. Tiek ņemts vērā lietotāja atsevišķais izejošā TLS nosacījuma iestatījums.<br>\n  Ietekmē atlasītos domēnus, tajā skaitā aizstājdomēnus.",
         "remove": "Noņemt",
@@ -222,7 +233,8 @@
         "targetd_not_found": "Mērķa domēns nav atrasts",
         "username_invalid": "Lietotājvārds nevar tikt izmantots",
         "validity_missing": "Lūdzu piešķiriet derīguma termiņu",
-        "domain_cannot_match_hostname": "Domēns nevar atbilst saimniekdatora nosaukumam"
+        "domain_cannot_match_hostname": "Domēns nevar atbilst saimniekdatora nosaukumam",
+        "app_passwd_id_invalid": "Lietotnes paroles Id %s ir nederīgs"
     },
     "diagnostics": {
         "cname_from_a": "Vērtība, kas iegūta no A/AAAA ieraksta. Tas tiek atbalstīts tik ilgi, kamēr ieraksts norāda uz pareizo resursu.",
@@ -257,7 +269,7 @@
         "hostname": "Saimniekdatora nosaukums",
         "inactive": "Neaktīvs",
         "kind": "Veids",
-        "mailbox": "Rediģēt pastkasti",
+        "mailbox": "Labot pastkasti",
         "max_aliases": "Lielākais aizstājvārdu skaits",
         "max_mailboxes": "Maks. iespējamās pastkastes",
         "max_quota": "Maks. kvota uz pastkasti (MiB)",
@@ -283,8 +295,8 @@
         "spam_policy": "Pievienot vai noņemt vienumus baltajā-/melnajā sarakstā",
         "spam_score": "Iestatīt pielāgotu surogātpasta vērtējumu",
         "subfolder2": "Sinhronizēt galamērķa apakšmapē<br><small>(tukšs = neizmantot apakšmapi)</small>",
-        "syncjob": "Rediģēt sinhronizācijas darbu",
-        "target_address": "Iet uz adresi/ēm <small>(komatu atdalītas)</small>",
+        "syncjob": "Labot sinhronizācijas darbu",
+        "target_address": "Mērķa adrese/s <small>(atdalītas ar komatu)</small>",
         "target_domain": "Mērķa domēns",
         "title": "Labot priekšmetu",
         "unchanged_if_empty": "Ja neizmainīts atstājiet tukšu",
@@ -300,8 +312,11 @@
         "sogo_visible": "Aizstājvārds ir redzams SOGo",
         "sogo_visible_info": "Šī iespēja ietekmē tikai tos objektus, kurus var parādīt SOGo (koplietojamās vai nekoplietojamās aizstājadreses, kas norāda uz vismaz vienu vietējo pastkasti). Ja paslēpts, netiks parādīts SOGo kā atlasāms sūtītājs.",
         "mbox_rl_info": "Šis pieprasījumu ierobežojums tiek piemērots SASL pieteikšanās vārdam, tas atbilst jebkurai \"from\" adresei, ko izmanto lietotājs, kurš ir pieteicies. Pastkastes pieprasījumu ierobežojums pārraksta domēna mēroga pieprasījumu ierobežojumu.",
-        "sogo_access": "Nodrošināt tiešu pieteikšanās piekļuvi SOGo",
-        "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)"
+        "sogo_access": "Tieša pārvirzīšana uz SOGo",
+        "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)",
+        "app_passwd_protocols": "Atļautie lietotnes paroles protokoli",
+        "allowed_protocols": "Atļautie protokoli tiešai lietotāja piekļuvei (neietekmē lietotnes paroles protokolus)",
+        "app_passwd": "Lietotnes parole"
     },
     "footer": {
         "cancel": "Atcelt",
@@ -508,7 +523,9 @@
         "verified_fido2_login": "Apliecināta FIDO2 pieteikšanās",
         "verified_webauthn_login": "Apliecināta WebAuthn pieteikšanās",
         "verified_totp_login": "Apliecināta TOTP pieteikšanās",
-        "verified_yotp_login": "Apliecināta Yubico OTP pieteikšanās"
+        "verified_yotp_login": "Apliecināta Yubico OTP pieteikšanās",
+        "app_passwd_removed": "Noņemta lietotnes parole ar Id %s",
+        "app_passwd_added": "Pievienota jauna lietotnes parole"
     },
     "tfa": {
         "api_register": "%s izmanto Yubico Cloud API. Lūdzu iegūstiet API atslēgu priekš Jūsu atslēgas<a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">here</a>",
@@ -523,7 +540,7 @@
         "scan_qr_code": "Lūdzu, skenējiet šo kodu ar savu autentifikācijas lietojumprogrammu vai ievadiet kodu manuāli.",
         "select": "Lūdzu izvēlaties",
         "set_tfa": "Uzstādīt difi faktoru autentifik;acijas metodi",
-        "tfa": "Divu faktoru autentifikācija",
+        "tfa": "Divpakāpju pieteikšanās",
         "totp": "Uz laiku bāzēta vienreizēja parole (Google Autentifikātors utt.)",
         "webauthn": "WebAuthn autentifikācija",
         "waiting_usb_auth": "<i>Gaida USB ierīci...</i><br><br>Lūdzu, tagad nospiežiet pogu uz Jūsu WebAuthn USB ierīces.",
@@ -618,12 +635,18 @@
         "apple_connection_profile_mailonly": "Šis savienojuma profils iekļauj IMAP un SMTP konfigurācijas parametrus Apple ierīcei.",
         "pushover_info": "Pašpiegādes paziņojumu iestatījumi attieksies uz visu tīro (ne surogātpasta) pastu, kas piegādāts uz <b>%s</b>, ieskaitot aizstājvārdus (kopīgotus, nekopīgotus, ar birkām).",
         "app_hint": "Lietotņu paroles ir aizstājējparoles, lai pieteiktos IMAP, SMTP, CalDAV, CardDAV un EAS. Lietotājvārds paliek nemainīgs. SOGo tīmekļa pasts nav pieejams ar lietotņu parolēm.",
-        "direct_protocol_access": "Šim pastkastes lietotājam ir <b> tieša, ārēja piekļuve</b> zemāk uzskaitītajiem protokoliem un lietotnēm. Šo iestatījumu pārrauga pārvaldītājs. Lietotņu paroles var izveidot, lai nodrošinātu piekļuvi atsevišķiem protokoliem un lietotnēm.<br>Poga \"Pieteikties tīmekļa pastā\" nodrošina vienotu pieteikšanos SOGo un vienmēr ir pieejama.",
+        "direct_protocol_access": "Šim pastkastes lietotājam ir <b> tieša, ārēja piekļuve</b> zemāk uzskaitītajiem protokoliem un lietotnēm. Šo iestatījumu pārrauga pārvaldītājs. Lietotņu paroles var izveidot, lai nodrošinātu piekļuvi atsevišķiem protokoliem un lietotnēm.<br>Poga \"Tīmekļa pasts\" nodrošina vienotu pieteikšanos SOGo un vienmēr ir pieejama.",
         "last_ui_login": "Pēdējā pieteikšanās saskarnē",
         "login_history": "Pieteikšanās vēsture",
         "no_last_login": "Nav informācijas par pēdējām pieteikšanās saskarnē reizēm",
-        "open_webmail_sso": "Pieteikšanās tīmekļa pastā",
-        "last_mail_login": "Pēdējā pasta pieteikšanās"
+        "open_webmail_sso": "Tīmekļa pasts",
+        "last_mail_login": "Pēdējā pasta pieteikšanās",
+        "change_password_hint_app_passwords": "Kontā ir %d lietotņu paroles, kas netiks mainītas. Lai pārvaldītu tās, jādodas uz cilni \"Lietotņu paroles\".",
+        "with_app_password": "ar lietotnes paroli",
+        "apple_connection_profile_with_app_password": "Jauna lietotnes parole ir izveidota un pievienota profilam, lai ierīces iestatīšanas laikā nebūtu nepieciešams ievadīt paroli. Lūgums nekopīgot datni, jo tā nodrošina pilnu piekļuvi pastkastei.",
+        "tfa_info": "Divpakāpju autentificēšanās palīdz aizsargāt kontu.Ja tā ir iespējota, var būt nepieciešamas lietotņu paroles, lai pieteiktos lietotnēs vai pakalpojumos, kas nenodrošina divpakāpju autentificēšanos (piem., e-pasta klienti).",
+        "app_passwds": "Lietotņu paroles",
+        "create_app_passwd": "Izveidot lietotnes paroli"
     },
     "datatables": {
         "paginate": {
@@ -657,4 +680,4 @@
     "fido2": {
         "fido2_auth": "Pieteikties ar FIDO2"
     }
-}
\ No newline at end of file
+}
diff --git a/data/web/lang/lang.tr-tr.json b/data/web/lang/lang.tr-tr.json
index aa1b90df1..bc1da77e7 100644
--- a/data/web/lang/lang.tr-tr.json
+++ b/data/web/lang/lang.tr-tr.json
@@ -1309,4 +1309,4 @@
         "q_reject": "Reddedildi",
         "week": "Hafta"
     }
-}
\ No newline at end of file
+}
diff --git a/data/web/lang/lang.uk-ua.json b/data/web/lang/lang.uk-ua.json
index c6ded247b..61c401a07 100644
--- a/data/web/lang/lang.uk-ua.json
+++ b/data/web/lang/lang.uk-ua.json
@@ -1307,4 +1307,4 @@
         },
         "collapse_all": "Згорнути все"
     }
-}
\ No newline at end of file
+}
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 70a48a91a..f9bb481da 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -358,7 +358,43 @@
         "ip_check_disabled": "IP 检查已禁用。你可透过以下路径启用<br> <strong>系统 > 配置 > 选项 > 页面自定义</strong>",
         "queue_unban": "解除封禁",
         "allowed_methods": "访问控制允许方式",
-        "allowed_origins": "访问控制允许原"
+        "allowed_origins": "访问控制允许原",
+        "iam": "身份识别提供者",
+        "iam_attribute_field": "Attribute 域",
+        "iam_authorize_url": "Authorization endpoint",
+        "iam_auth_flow": "认证流程",
+        "iam_basedn": "Base DN",
+        "iam_client_id": "客户端 ID",
+        "iam_client_secret": "客户端凭据",
+        "iam_client_scopes": "客户端 Scopes",
+        "iam_default_template": "默认模板",
+        "iam_default_template_description": "如果未为用户分配模板，则在创建邮箱时将使用默认模板，但在更新邮箱时不会使用默认模板。",
+        "iam_description": "配置外部认证提供者<br>如果已设置好属性映射，用户在首次登录时将会自动创建其 Mailbox。",
+        "iam_host": "Host",
+        "iam_host_info": "请输入一个或多个 LDAP 主机，使用英文逗号分隔。",
+        "iam_import_users": "导入用户",
+        "iam_mapping": "属性映射",
+        "iam_bindpass": "密码绑定（Bind Password）",
+        "iam_periodic_full_sync": "周期性全量同步",
+        "iam_port": "端口",
+        "iam_realm": "Realm",
+        "iam_redirect_url": "重定向 Url",
+        "iam_rest_flow": "Mailpassword 流程",
+        "iam_server_url": "服务器 Url",
+        "iam_sso": "单点登录（SSO）",
+        "iam_sync_interval": "同步/导入周期（min）",
+        "iam_test_connection": "测试连接",
+        "iam_token_url": "Token endpoint",
+        "iam_userinfo_url": "User info endpoint",
+        "iam_username_field": "Username 域",
+        "iam_binddn": "Bind DN",
+        "iam_use_ssl": "使用 SSL",
+        "iam_use_tls": "使用 TLS",
+        "iam_version": "版本",
+        "ignore_ssl_error": "忽略 SSL 错误",
+        "iam_auth_flow_info": "除了在单点登录（SSO）中使用的 Authorization Code 流程（在 Keycloak 中是标准流程）之外，mailcow 还支持使用 Credentials 的身份认证流程。Mailpassword 流程尝试通过 Keycloak 的 Admin REST API 验证用户凭据，mailcow 会从 Keycloak 中的 <code>mailcow_password</code> 属性中获取哈希后的密码。",
+        "filter": "过滤",
+        "iam_extra_permission": "要使以下设置生效，Keycloak 中的 mailcow 客户端需要一个 <code>服务账户（Service account）</code> 以及 <code>查看用户（view-users）</code> 的权限。"
     },
     "danger": {
         "access_denied": "访问被拒绝或者表单数据无效",
@@ -495,7 +531,11 @@
         "webauthn_authenticator_failed": "找不到所选的 authenticator",
         "webauthn_publickey_failed": "没有为选定的身份验证器保存公钥",
         "webauthn_username_failed": "所选的 authenticator 属于另一个账户",
-        "demo_mode_enabled": "演示模式已开启"
+        "demo_mode_enabled": "演示模式已开启",
+        "generic_server_error": "服务器错误。请联系您的管理员。",
+        "authsource_in_use": "由于当前有一个或多个用户正在使用该身份提供者（IDP），因此无法更改或删除。",
+        "iam_test_connection": "连接失败",
+        "required_data_missing": "缺少需要的 %s 数据"
     },
     "debug": {
         "chart_this_server": "图表 (此服务器)",
@@ -744,7 +784,10 @@
         "new_password_confirm": "确认新密码",
         "reset_password": "重置密码",
         "request_reset_password": "请求重置密码",
-        "invalid_pass_reset_token": "密码重置 token 无效或已过期。<br> 请重新获取新的密码重置链接。"
+        "invalid_pass_reset_token": "密码重置 token 无效或已过期。<br> 请重新获取新的密码重置链接。",
+        "login_user": "用户登录",
+        "login_dadmin": "域管理员登录",
+        "login_admin": "管理员登录"
     },
     "mailbox": {
         "action": "操作",
@@ -919,7 +962,8 @@
         "max_quota": "每个信箱的最大容量配额",
         "relay_unknown": "转发未知信箱",
         "templates": "模板",
-        "template": "模板"
+        "template": "模板",
+        "iam": "身份提供者（IDP）"
     },
     "oauth2": {
         "access_denied": "请作为邮箱所有者登录以使用 OAuth2 授权。",
@@ -1097,7 +1141,8 @@
         "recovery_email_sent": "重置邮件已发送至 %s",
         "template_added": "新增了模板 %s",
         "template_modified": "模板 %s 的修改已保存",
-        "template_removed": "模板 ID %s 已删除"
+        "template_removed": "模板 ID %s 已删除",
+        "iam_test_connection": "连接成功"
     },
     "tfa": {
         "api_register": "%s 使用了 Yubico Cloud API，请<a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">在此</a>为你的密钥获取 API 密钥",
@@ -1292,7 +1337,11 @@
         "password_reset_info": "如果不提供密码重置邮箱，此功能将无法使用。",
         "pushover_sound": "声音",
         "value": "值",
-        "attribute": "属性"
+        "attribute": "属性",
+        "protocols": "协议",
+        "authentication": "认证",
+        "tfa_info": "两步验证有助于保护您的账户安全。启用后，对于不支持两步验证的应用程序或服务（例如邮件客户端），需要使用应用专用密码进行登录。",
+        "overview": "概览"
     },
     "warning": {
         "cannot_delete_self": "不能删除已登录的用户",
@@ -1332,4 +1381,4 @@
         "loadingRecords": "加载中...",
         "zeroRecords": "未找到符合条件的记录"
     }
-}
\ No newline at end of file
+}

From 84f67d66082b79e2e9c495ca7944bd55a3497104 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 10 Apr 2025 17:16:44 +0200
Subject: [PATCH 240/378] Translations update from Weblate (#6478)

* [Web] Updated lang.de-de.json

Co-authored-by: Jonas Leiner <jonas.leiner.123@gmail.com>

* [Web] Updated lang.fr-fr.json

Co-authored-by: Neuronnexion <support@nnx.com>

---------

Co-authored-by: Jonas Leiner <jonas.leiner.123@gmail.com>
Co-authored-by: Neuronnexion <support@nnx.com>
---
 data/web/lang/lang.de-de.json | 12 +++++++-----
 data/web/lang/lang.fr-fr.json |  5 ++++-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 747f7cf84..911ebfc67 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -398,7 +398,8 @@
         "allowed_methods": "Access-Control-Allow-Methods",
         "allowed_origins": "Access-Control-Allow-Origin",
         "logo_dark_label": "Invertiert für den Darkmode",
-        "logo_normal_label": "Normal"
+        "logo_normal_label": "Normal",
+        "user_link": "Nutzer-Link"
     },
     "danger": {
         "access_denied": "Zugriff verweigert oder unvollständige/ungültige Daten",
@@ -806,9 +807,9 @@
         "forgot_password": "> Passwort vergessen?",
         "invalid_pass_reset_token": "Der Rücksetz-Token für das Passwort ist ungültig oder abgelaufen.<br>Bitte fordern Sie einen neuen Link zur Passwortwiederherstellung an.",
         "login": "Anmelden",
-        "login_user": "Benutzer Anmelden",
-        "login_dadmin": "Domain-Administrator Anmelden",
-        "login_admin": "Administrator Anmelden",
+        "login_user": "Anmeldung als Benutzer",
+        "login_dadmin": "Anmeldung als Domain-Administrator",
+        "login_admin": "Anmeldung als Administrator",
         "mobileconfig_info": "Bitte als Mailbox-Benutzer einloggen, um das Verbindungsprofil herunterzuladen.",
         "new_password": "Neues Passwort",
         "new_password_confirm": "Neues Passwort bestätigen",
@@ -991,7 +992,8 @@
         "syncjob_EXIT_TLS_FAILURE": "Problem mit verschlüsselter Verbindung",
         "syncjob_EXIT_AUTHENTICATION_FAILURE": "Authentifizierungsproblem",
         "syncjob_EXIT_OVERQUOTA": "Ziel Mailbox ist über dem Limit",
-        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Kann keine Verbindung zum Zielserver herstellen"
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Kann keine Verbindung zum Zielserver herstellen",
+        "iam": "Identitätsanbieter"
     },
     "oauth2": {
         "access_denied": "Bitte als Mailbox-Nutzer einloggen, um den Zugriff via OAuth2 zu erlauben.",
diff --git a/data/web/lang/lang.fr-fr.json b/data/web/lang/lang.fr-fr.json
index e9bff05d5..58300c0d4 100644
--- a/data/web/lang/lang.fr-fr.json
+++ b/data/web/lang/lang.fr-fr.json
@@ -730,7 +730,10 @@
         "new_password": "Nouveau mot de passe",
         "new_password_confirm": "Confirmer le nouveau mot de passe",
         "reset_password": "Réinitialiser le mot de passe",
-        "request_reset_password": "Demander le changement du mot de passe"
+        "request_reset_password": "Demander le changement du mot de passe",
+        "login_user": "Connexion Utilisateur",
+        "login_dadmin": "Connexion Administrateur de domaine",
+        "login_admin": "Connexion Administrateur"
     },
     "mailbox": {
         "action": "Action",

From a370499aaafade9527ebb2a8282033a4f42a2fc1 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 11 Apr 2025 08:30:54 +0200
Subject: [PATCH 241/378] Update dependency Imagick/imagick to v3.8.0 (#6480)

---
 data/Dockerfiles/phpfpm/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index 4ba8349f9..ff333f5b3 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -5,7 +5,7 @@ LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG APCU_PECL_VERSION=5.1.24
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG IMAGICK_PECL_VERSION=3.7.0
+ARG IMAGICK_PECL_VERSION=3.8.0
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG MAILPARSE_PECL_VERSION=3.1.8
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$

From 692355a08ad935b147ef8e877635d247a0e5aac3 Mon Sep 17 00:00:00 2001
From: PseudoResonance <75700a85-1205-4740-aebf-4413a352e81b@otake.pw>
Date: Sat, 12 Apr 2025 06:24:37 -0700
Subject: [PATCH 242/378] Allow additional domains in OAuth2 redirect URLs

---
 data/web/api/openapi.yaml                     |  6 ++
 data/web/inc/functions.inc.php                | 27 ++++++-
 data/web/js/site/admin.js                     | 30 ++++++++
 .../admin/tab-config-identity-provider.twig   | 72 +++++++++++++++++--
 4 files changed, 130 insertions(+), 5 deletions(-)

diff --git a/data/web/api/openapi.yaml b/data/web/api/openapi.yaml
index afab5fb0c..f207ee6a1 100644
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -5847,6 +5847,7 @@ paths:
                           client_id: "mailcow_client"
                           client_secret: "*"
                           redirect_url: "https://mail.mailcow.tld"
+                          redirect_url_extra: ["https://extramail.mailcow.tld"]
                           version: "26.1.3"
                           default_template: "Default"
                           mappers:
@@ -5900,6 +5901,9 @@ paths:
                     redirect_url:
                       description: The redirect URL that OIDC Provider will use after authentication. Required if `authsource` is keycloak or generic-oidc.
                       type: string
+                    redirect_url_extra:
+                      description: Additional redirect URLs that OIDC Provider can use after authentication if valid.
+                      type: array
                     version:
                       description: Specifies the Keycloak version. Required if `authsource` is keycloak.
                       type: string
@@ -5990,6 +5994,7 @@ paths:
                     client_id: "mailcow_client"
                     client_secret: "Xy7GdPqvJ9m3R8sT2LkVZ5W1oNbCaYQf"
                     redirect_url: "https://mail.mailcow.tld"
+                    redirect_url_extra: ["https://extramail.mailcow.tld"]
                     version: "26.1.3"
                     default_template: "Default"
                     mappers: ["small_mbox", "medium_mbox"]
@@ -6034,6 +6039,7 @@ paths:
                     client_id: "mailcow_client"
                     client_secret: "Xy7GdPqvJ9m3R8sT2LkVZ5W1oNbCaYQf"
                     redirect_url: "https://mail.mailcow.tld"
+                    redirect_url_extra: ["https://extramail.mailcow.tld"]
                     client_scopes: "openid profile email mailcow_template"
                     default_template: "Default"
                     mappers: ["small_mbox", "medium_mbox"]
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 49e26b978..5f9c772d0 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2286,6 +2286,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       foreach($rows as $row){
         switch ($row["key"]) {
+          case "redirect_url_extra":
           case "mappers":
           case "templates":
             $settings[$row["key"]] = json_decode($row["value"]);
@@ -2418,6 +2419,18 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       }
       $pdo->commit();
 
+      // add redirect_url_extra
+      if (isset($_data['redirect_url_extra'])){
+        $_data['redirect_url_extra'] = (!is_array($_data['redirect_url_extra'])) ? array($_data['redirect_url_extra']) : $_data['redirect_url_extra'];
+
+        $redirect_url_extra = array_filter($_data['redirect_url_extra']);
+        $redirect_url_extra = json_encode($redirect_url_extra);
+
+        $stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('redirect_url_extra', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
+        $stmt->bindParam(':value', $redirect_url_extra);
+        $stmt->execute();
+      }
+
       // add default template
       if (isset($_data['default_template'])) {
         $_data['default_template'] = (empty($_data['default_template'])) ? "" : $_data['default_template'];
@@ -2851,7 +2864,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
     case "get-redirect":
       if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc')
         return false;
-      $authUrl = $iam_provider->getAuthorizationUrl();
+      $options = [];
+      if (isset($iam_settings['redirect_url_extra'])) {
+        // check if the current domain is used in an extra redirect URL
+        $targetDomain = strtolower($_SERVER['HTTP_HOST']);
+        foreach ($iam_settings['redirect_url_extra'] as $testUrl) {
+          $testUrlParsed = parse_url($testUrl);
+          if (isset($testUrlParsed['host']) && strtolower($testUrlParsed['host']) == $targetDomain) {
+            $options['redirect_uri'] = $testUrl;
+            break;
+          }
+        }
+      }
+      $authUrl = $iam_provider->getAuthorizationUrl($options);
       $_SESSION['oauth2state'] = $iam_provider->getState();
       return $authUrl;
     break;
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index b6edf6f80..cf1efd823 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -789,6 +789,18 @@ jQuery(function($){
   $('.iam_ldap_rolemap_del').click(async function(e){
     deleteAttributeMappingRow(this, e);
   });
+  $('.iam_redirect_add_keycloak').click(async function(e){
+    addRedirectUrlRow('#iam_keycloak_redirect_list', '.iam_keycloak_redirect_del', e);
+  });
+  $('.iam_redirect_add_generic').click(async function(e){
+    addRedirectUrlRow('#iam_generic_redirect_list', '.iam_generic_redirect_del', e);
+  });
+  $('.iam_keycloak_redirect_del').click(async function(e){
+    deleteRedirectUrlRow(this, e);
+  });
+  $('.iam_generic_redirect_del').click(async function(e){
+    deleteRedirectUrlRow(this, e);
+  });
   // selecting identity provider
   $('#iam_provider').on('change', function(){
     // toggle password fields
@@ -833,4 +845,22 @@ jQuery(function($){
     if ($(elem).parent().parent().parent().parent().children().length > 1)
       $(elem).parent().parent().parent().remove();
   }
+  function addRedirectUrlRow(list_id, del_class, e) {
+    e.preventDefault();
+
+    var parent = $(list_id)
+    $(parent).children().last().clone().appendTo(parent);
+    var newChild = $(parent).children().last();
+    $(newChild).find('input').val('');
+
+    $(del_class).off('click');
+    $(del_class).click(async function(e){
+      deleteRedirectUrlRow(this, e);
+    });
+  }
+  function deleteRedirectUrlRow(elem, e) {
+    e.preventDefault();
+    if ($(elem).parent().parent().parent().parent().children().length > 2)
+      $(elem).parent().parent().parent().remove();
+  }
 });
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index dce26f8c3..a93002257 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -64,10 +64,42 @@
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
-              <label class="control-label" for="iam_keycloak_redirecturl">{{ lang.admin.iam_redirect_url }}:</label>
+              <label class="control-label">{{ lang.admin.iam_redirect_url }}:</label>
             </div>
             <div class="col-12 col-md-9 col-lg-4">
-              <input type="text" class="form-control" id="iam_keycloak_redirecturl" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
+              <div class="row px-2 align-items-center">
+                <span class="col-10 p-0 pe-2">
+                  <input type="text" class="form-control"  name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
+                </span>
+                <div class="col-2 p-0 d-flex">
+                  <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_redirect_add_keycloak"><i class="bi bi-plus-lg"></i></button>
+                </div>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2" id="iam_keycloak_redirect_list">
+            <input type="hidden" name="redirect_url_extra" value="">
+            {% for key, url in iam_settings.redirect_url_extra %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-10 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="redirect_url_extra" value="{{ iam_settings.redirect_url_extra[key] }}">
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_keycloak_redirect_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
+            </div>
+            {% endfor %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-10 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="redirect_url_extra" value="">
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_keycloak_redirect_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
             </div>
           </div>
           <div class="row mb-4">
@@ -274,10 +306,42 @@
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
-              <label class="control-label" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
+              <label class="control-label">{{ lang.admin.iam_redirect_url }}:</label>
             </div>
             <div class="col-12 col-md-9 col-lg-4">
-              <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
+              <div class="row px-2 align-items-center">
+                <span class="col-10 p-0 pe-2">
+                  <input type="text" class="form-control" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
+                </span>
+                <div class="col-2 p-0 d-flex">
+                  <button class="btn btn-sm d-block d-sm-inline btn-secondary ms-auto iam_redirect_add_generic"><i class="bi bi-plus-lg"></i></button>
+                </div>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2" id="iam_generic_redirect_list">
+            <input type="hidden" name="redirect_url_extra" value="">
+            {% for key, url in iam_settings.redirect_url_extra %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-10 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="redirect_url_extra" value="{{ iam_settings.redirect_url_extra[key] }}">
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_generic_redirect_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
+            </div>
+            {% endfor %}
+            <div class="offset-md-3 col-12 col-md-9 col-lg-4 mb-2">
+              <div class="row px-2">
+                <div class="col-10 p-0 pe-2">
+                  <input type="text" class="form-control me-2" name="redirect_url_extra" value="">
+                </div>
+                <div class="col-2 p-0 d-flex">
+                  <button class="iam_generic_redirect_del btn btn-sm d-block d-sm-inline btn-secondary ms-auto"><i class="bi bi-x-lg"></i></button>
+                </div>
+              </div>
             </div>
           </div>
           <div class="row mb-4">

From 0d3e8dd73896dfe87a4a652f56a37a74df28bdc6 Mon Sep 17 00:00:00 2001
From: Habetdin <15926758+Habetdin@users.noreply.github.com>
Date: Sun, 13 Apr 2025 16:09:47 +0300
Subject: [PATCH 243/378] Update legacy admin dashboard links

---
 data/web/autoconfig.php   | 2 +-
 data/web/js/site/admin.js | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/web/autoconfig.php b/data/web/autoconfig.php
index 95952df0d..6a528d4a2 100644
--- a/data/web/autoconfig.php
+++ b/data/web/autoconfig.php
@@ -85,7 +85,7 @@ if (count($records) == 0 || $records[0]['target'] != '') { ?>
          <authentication>password-cleartext</authentication>
       </outgoingServer>
 
-      <enable visiturl="https://<?=$mailcow_hostname; ?><?php if ($port != 443) echo ':'.$port; ?>/admin.php">
+      <enable visiturl="https://<?=$mailcow_hostname; ?><?php if ($port != 443) echo ':'.$port; ?>/admin">
          <instruction>If you didn't change the password given to you by the administrator or if you didn't change it in a long time, please consider doing that now.</instruction>
          <instruction lang="de">Sollten Sie das Ihnen durch den Administrator vergebene Passwort noch nicht geändert haben, empfehlen wir dies nun zu tun. Auch ein altes Passwort sollte aus Sicherheitsgründen geändert werden.</instruction>
       </enable>
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index b6edf6f80..0195a9c3c 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -558,7 +558,7 @@ jQuery(function($){
     } else if (table == 'oauth2clientstable') {
       $.each(data, function (i, item) {
         item.action = '<div class="btn-group">' +
-          '<a href="/edit.php?oauth2client=' + encodeURI(item.id) + '" class="btn btn-xs btn-xs-lg btn-xs-half btn-secondary"><i class="bi bi-pencil-fill"></i> ' + lang.edit + '</a>' +
+          '<a href="/edit/oauth2client/' + encodeURI(item.id) + '" class="btn btn-xs btn-xs-lg btn-xs-half btn-secondary"><i class="bi bi-pencil-fill"></i> ' + lang.edit + '</a>' +
           '<a href="#" data-action="delete_selected" data-id="single-oauth2-client" data-api-url="delete/oauth2-client" data-item="' + encodeURI(item.id) + '" class="btn btn-xs btn-xs-lg btn-xs-half btn-danger"><i class="bi bi-trash"></i> ' + lang.remove + '</a>' +
           '</div>';
         item.scope = "profile";
@@ -573,7 +573,7 @@ jQuery(function($){
         item.action = '<div class="btn-group">' +
           '<a href="/edit/domainadmin/' + encodeURI(item.username) + '" class="btn btn-xs btn-xs-lg btn-xs-third btn-secondary"><i class="bi bi-pencil-fill"></i> ' + lang.edit + '</a>' +
           '<a href="#" data-action="delete_selected" data-id="single-domain-admin" data-api-url="delete/domain-admin" data-item="' + encodeURI(item.username) + '" class="btn btn-xs btn-xs-lg btn-xs-third btn-danger"><i class="bi bi-trash"></i> ' + lang.remove + '</a>' +
-          '<a href="/index.php?duallogin=' + encodeURIComponent(item.username) + '" class="btn btn-xs btn-xs-lg btn-xs-third btn-success"><i class="bi bi-person-fill"></i> Login</a>' +
+          '<a href="/domainadmin/?duallogin=' + encodeURIComponent(item.username) + '" class="btn btn-xs btn-xs-lg btn-xs-third btn-success"><i class="bi bi-person-fill"></i> Login</a>' +
           '</div>';
       });
     } else if (table == 'adminstable') {

From c4d0f35008b9dfa1f8f2e87e55d308cc220bf181 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 15 Apr 2025 10:49:56 +0200
Subject: [PATCH 244/378] [Dovecot] Fix EAS login and improve logging

---
 data/conf/dovecot/auth/mailcowauth.php   |  2 +-
 data/conf/dovecot/auth/passwd-verify.lua | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 4eda382b7..c625522ba 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -80,7 +80,7 @@ if ($isSOGoRequest) {
 }
 if ($result === false){
   // If it's a SOGo Request, don't check for protocol access
-  $service = (isSOGoRequest) ? false : array($post['service'] => true);
+  $service = ($isSOGoRequest) ? false : array($post['service'] => true);
   $result = apppass_login($post['username'], $post['password'], $service, array(
     'is_internal' => true,
     'remote_addr' => $post['real_rip']
diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua
index 19dcc4bd6..b8843c996 100644
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -34,8 +34,15 @@ function auth_password_verify(request, password)
     return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error"
   end
 
-  local api_response = json.decode(table.concat(res))
-  if api_response.success == true then
+  local response_str = table.concat(res)
+  local is_response_valid, response_json = pcall(json.decode, response_str)
+
+  if not is_response_valid then
+    dovecot.i_info("Invalid JSON received: " .. response_str)
+    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid response format"
+  end
+
+  if response_json.success == true then
     return dovecot.auth.PASSDB_RESULT_OK, ""
   end
 

From cb47fa406f10ce929543e3e918c11b985a500ab2 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 15 Apr 2025 13:48:13 +0200
Subject: [PATCH 245/378] [Web] Fix force password update at next login

---
 data/web/inc/functions.auth.inc.php | 14 ++++++++++++++
 data/web/inc/functions.inc.php      |  1 +
 data/web/inc/triggers.user.inc.php  |  8 ++++++--
 data/web/sogo-auth.php              |  3 ++-
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 994915efc..57dec808d 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -242,6 +242,7 @@ function user_login($user, $pass, $extra = null){
     return false;
   }
 
+  $row['attributes'] = json_decode($row['attributes'], true);
   switch ($row['authsource']) {
     case 'keycloak':
       // user authsource is keycloak, try using via rest flow
@@ -261,6 +262,10 @@ function user_login($user, $pass, $extra = null){
             return false;
           }
 
+          if (intval($row['attributes']['force_pw_update']) == 1) {
+            $_SESSION['pending_pw_update'] = true;
+          }
+
           // check for tfa authenticators
           $authenticators = get_tfa($user);
           if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -313,6 +318,10 @@ function user_login($user, $pass, $extra = null){
           return false;
         }
 
+        if (intval($row['attributes']['force_pw_update']) == 1) {
+          $_SESSION['pending_pw_update'] = true;
+        }
+
         // check for tfa authenticators
         $authenticators = get_tfa($user);
         if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -351,6 +360,11 @@ function user_login($user, $pass, $extra = null){
       }
       // verify password
       if (verify_hash($row['password'], $pass) !== false) {
+
+        if (intval($row['attributes']['force_pw_update']) == 1) {
+          $_SESSION['pending_pw_update'] = true;
+        }
+
         // check for tfa authenticators
         $authenticators = get_tfa($user);
         if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 49e26b978..334b99e64 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1001,6 +1001,7 @@ function edit_user_account($_data) {
       ':password_hashed' => $password_hashed,
       ':username' => $username
     ));
+    $_SESSION['pending_pw_update'] = false;
 
     update_sogo_static_view();
   }
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 33eb83e7b..30bf0fe64 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -76,7 +76,9 @@ if (isset($_POST["verify_tfa_login"])) {
 
         $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
         $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+        if (intval($user_details['attributes']['sogo_access']) == 1 &&
+            intval($user_details['attributes']['force_pw_update']) != 1 &&
+            !$is_dual) {
           header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
           die();
         } else {
@@ -139,7 +141,9 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 
     $user_details = mailbox("get", "mailbox_details", $login_user);
     $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+    if (intval($user_details['attributes']['sogo_access']) == 1 &&
+        intval($user_details['attributes']['force_pw_update']) != 1 &&
+        !$is_dual) {
       header("Location: /SOGo/so/{$login_user}");
       die();
     } else {
diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index 5e0f3c39b..00709fe5f 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -94,7 +94,8 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
         !empty($email) &&
         filter_var($email, FILTER_VALIDATE_EMAIL) &&
         is_array($_SESSION[$session_var_user_allowed]) &&
-        in_array($email, $_SESSION[$session_var_user_allowed])
+        in_array($email, $_SESSION[$session_var_user_allowed]) &&
+        !$_SESSION['pending_pw_update']
     ) {
       $username = $email;
       $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");

From d8c6ed919144b0b97eaa9a329fe3366a04c422e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20K=C3=BChn?= <Andreas.Kuehn@diekuehnen.com>
Date: Tue, 22 Apr 2025 14:23:33 +0200
Subject: [PATCH 246/378] Check if skip_sogo is not set before redirecting to
 SOGo

---
 data/web/inc/triggers.user.inc.php | 4 ++--
 data/web/index.php                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 33eb83e7b..07dc0372e 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -76,7 +76,7 @@ if (isset($_POST["verify_tfa_login"])) {
 
         $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
         $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") {
           header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
           die();
         } else {
@@ -139,7 +139,7 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 
     $user_details = mailbox("get", "mailbox_details", $login_user);
     $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") {
       header("Location: /SOGo/so/{$login_user}");
       die();
     } else {
diff --git a/data/web/index.php b/data/web/index.php
index 1e91cb785..f306f1aed 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -11,7 +11,7 @@ if (isset($_SESSION['mailcow_cc_role']) && isset($_SESSION['oauth2_request'])) {
 elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') {
   $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
   $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-  if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) {
+  if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") {
     header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
   } else {
     header("Location: /user");

From aa4125fe62d3a0e7ebfe5899ab614fb9f3ba01ec Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 23 Apr 2025 15:13:52 +0200
Subject: [PATCH 247/378] sogo: enabled SOGoEnableMailCleaning per default

---
 data/conf/sogo/sogo.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index 8455f0cf3..2c8d80a12 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -16,6 +16,9 @@
     SOGoFoldersSendEMailNotifications = YES;
     SOGoForwardEnabled = YES;
 
+    // Added with SOGo 5.12 - Allows users to cleanup there maildirectories by deleting mails oder than X
+    SOGoEnableMailCleaning = YES;
+
     // Fixes "MODIFICATION_FAILED" error (HTTP 412) in Clients when accepting invitations from external services
     SOGoDisableOrganizerEventCheck = YES;
 
@@ -91,7 +94,7 @@
   //SoDebugBaseURL = YES;
   //ImapDebugEnabled = YES;
   //SOGoEASDebugEnabled = YES;
-  SOGoEASSearchInBody = YES; // Experimental. Enabled since 2023-10
+  SOGoEASSearchInBody = YES;
   //LDAPDebugEnabled = YES;
   //PGDebugEnabled = YES;
   //MySQL4DebugEnabled = YES;

From 06b3ba91a045330daaa786203c897c4df7174653 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sun, 27 Apr 2025 18:47:08 +0200
Subject: [PATCH 248/378] [Web] Updated lang.zh-cn.json (#6502)

Co-authored-by: Easton Man <me@eastonman.com>
---
 data/web/lang/lang.zh-cn.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index f9bb481da..486e8dcc3 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -108,7 +108,8 @@
         "timeout2": "本地主机连接超时时间",
         "username": "用户名",
         "validate": "验证",
-        "validation_success": "验证成功"
+        "validation_success": "验证成功",
+        "dry": "模拟同步（Dry run）"
     },
     "admin": {
         "access": "权限管理",
@@ -994,7 +995,7 @@
         "neutral_danger": "无危险等级",
         "notified": "已发送通知",
         "qhandler_success": "已成功向系统发送请求，现在你可以关闭这个窗口了。",
-        "qid": "Rspamd QID",
+        "qid": "Rspamd 队列ID（QID）",
         "qinfo": "隔离系统会把已被拒绝接收的邮件以及作为拷贝发送到垃圾箱的邮件保存到数据库中 (发件人<em>不</em>会知道)。\r\n  <br>\"学习为垃圾并删除\" 会根据贝叶斯定理将消息作为垃圾学习并计算其模糊特征以拒绝未来收到相似消息。\r\n  <br>请注意，这取决于你的系统资源，学习多个消息可能会花费较长时间。<br>黑名单中项目会被隔离系统排除。",
         "qitem": "隔离项目",
         "quarantine": "隔离",

From d55f0fc36618a41ae68a9475826d003ee11a89e7 Mon Sep 17 00:00:00 2001
From: Marcel Schuster <mrclschstr@users.noreply.github.com>
Date: Tue, 29 Apr 2025 22:14:43 +0200
Subject: [PATCH 249/378] Update functions.quarantine.inc.php

Fix regex for quarantine release functions
---
 data/web/inc/functions.quarantine.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.quarantine.inc.php b/data/web/inc/functions.quarantine.inc.php
index f4f49de49..39606f271 100644
--- a/data/web/inc/functions.quarantine.inc.php
+++ b/data/web/inc/functions.quarantine.inc.php
@@ -169,7 +169,7 @@ function quarantine($_action, $_data = null) {
           }
         }
         elseif ($release_format == 'raw') {
-          $detail_row['msg'] = preg_replace('/^X-Spam-Flag: (.*)/', 'X-Pre-Release-Spam-Flag $1', $detail_row['msg']);
+          $detail_row['msg'] = preg_replace('/^X-Spam-Flag: (.*)/m', 'X-Pre-Release-Spam-Flag: $1', $detail_row['msg']);
           $postfix_talk = array(
             array('220', 'HELO quarantine' . chr(10)),
             array('250', 'MAIL FROM: ' . $sender . chr(10)),
@@ -464,7 +464,7 @@ function quarantine($_action, $_data = null) {
             }
           }
           elseif ($release_format == 'raw') {
-            $row['msg'] = preg_replace('/^X-Spam-Flag: (.*)/', 'X-Pre-Release-Spam-Flag $1', $row['msg']);
+            $row['msg'] = preg_replace('/^X-Spam-Flag: (.*)/m', 'X-Pre-Release-Spam-Flag: $1', $row['msg']);
             $postfix_talk = array(
               array('220', 'HELO quarantine' . chr(10)),
               array('250', 'MAIL FROM: ' . $sender . chr(10)),

From 0c83255573914e91a047e6238c69e8cc9a480e8f Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 1 May 2025 00:21:11 +0000
Subject: [PATCH 250/378] update postscreen_access.cidr

---
 data/conf/postfix/postscreen_access.cidr | 99 +++++++++++-------------
 1 file changed, 45 insertions(+), 54 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 36c7e9fca..10c609097 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Tue Apr  1 00:20:51 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Thu May  1 00:21:10 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2067 total rules
+# 2058 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -18,6 +18,7 @@
 2a02:a60:0:5::/64	permit
 2c0f:fb50:4000::/36	permit
 2.207.151.53	permit
+2.207.217.30	permit
 3.70.123.177	permit
 3.93.157.0/24	permit
 3.94.40.108	permit
@@ -26,10 +27,8 @@
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
-8.39.54.0/23	permit
-8.39.54.250/31	permit
-8.40.222.0/23	permit
-8.40.222.250/31	permit
+8.36.116.0/24	permit
+8.39.144.0/24	permit
 12.130.86.238	permit
 13.107.246.59	permit
 13.110.208.0/21	permit
@@ -103,6 +102,7 @@
 27.123.206.80/28	permit
 31.25.48.222	permit
 31.47.251.17	permit
+31.186.239.0/24	permit
 34.2.64.0/22	permit
 34.2.68.0/23	permit
 34.2.70.0/23	permit
@@ -121,6 +121,10 @@
 34.2.90.0/23	permit
 34.2.92.0/23	permit
 34.2.94.0/23	permit
+34.70.158.162	permit
+34.74.74.140	permit
+34.83.159.189	permit
+34.141.160.224	permit
 34.195.217.107	permit
 34.212.163.75	permit
 34.215.104.144	permit
@@ -132,6 +136,7 @@
 35.190.247.0/24	permit
 35.191.0.0/16	permit
 35.205.92.9	permit
+35.228.216.85	permit
 35.242.169.159	permit
 37.188.97.188	permit
 37.218.248.47	permit
@@ -233,6 +238,7 @@
 52.95.49.88/29	permit
 52.96.91.34	permit
 52.96.111.82	permit
+52.96.172.98	permit
 52.96.214.50	permit
 52.96.222.194	permit
 52.96.222.226	permit
@@ -272,7 +278,6 @@
 54.244.54.130	permit
 54.244.242.0/24	permit
 54.255.61.23	permit
-56.124.6.228	permit
 57.103.64.0/18	permit
 62.13.128.0/24	permit
 62.13.129.128/25	permit
@@ -309,9 +314,6 @@
 64.207.219.13	permit
 64.207.219.14	permit
 64.207.219.15	permit
-64.207.219.24	permit
-64.207.219.25	permit
-64.207.219.26	permit
 64.207.219.71	permit
 64.207.219.72	permit
 64.207.219.73	permit
@@ -321,9 +323,6 @@
 64.207.219.77	permit
 64.207.219.78	permit
 64.207.219.79	permit
-64.207.219.88	permit
-64.207.219.89	permit
-64.207.219.90	permit
 64.207.219.135	permit
 64.207.219.136	permit
 64.207.219.137	permit
@@ -359,7 +358,6 @@
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
-65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
 66.119.150.192/26	permit
@@ -1323,9 +1321,6 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
-121.244.91.48	permit
-121.244.91.52	permit
-122.15.156.182	permit
 123.126.78.64/29	permit
 124.108.96.24/31	permit
 124.108.96.28/31	permit
@@ -1388,21 +1383,7 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
-135.84.80.0/24	permit
-135.84.81.0/24	permit
-135.84.82.0/24	permit
-135.84.83.0/24	permit
 135.84.216.0/22	permit
-136.143.160.0/24	permit
-136.143.161.0/24	permit
-136.143.162.0/24	permit
-136.143.176.0/24	permit
-136.143.177.0/24	permit
-136.143.178.49	permit
-136.143.182.0/23	permit
-136.143.184.0/24	permit
-136.143.188.0/24	permit
-136.143.190.0/23	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
 136.147.176.0/20	permit
@@ -1417,7 +1398,6 @@
 139.138.46.219	permit
 139.138.57.55	permit
 139.138.58.119	permit
-139.167.79.86	permit
 139.180.17.0/24	permit
 140.238.148.191	permit
 141.148.159.229	permit
@@ -1452,6 +1432,7 @@
 146.20.215.0/24	permit
 146.20.215.182	permit
 146.88.28.0/24	permit
+146.148.116.76	permit
 147.154.32.0/25	permit
 147.243.1.47	permit
 147.243.1.48	permit
@@ -1533,11 +1514,10 @@
 163.114.132.120	permit
 163.114.134.16	permit
 163.114.135.16	permit
+163.116.128.0/17	permit
 164.152.23.32	permit
+164.152.25.241	permit
 164.177.132.168/30	permit
-165.173.128.0/24	permit
-165.173.180.250/31	permit
-165.173.182.250/31	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1566,12 +1546,6 @@
 168.245.12.252	permit
 168.245.46.9	permit
 168.245.127.231	permit
-169.148.129.0/24	permit
-169.148.131.0/24	permit
-169.148.142.10	permit
-169.148.144.0/25	permit
-169.148.144.10	permit
-169.148.146.0/23	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
 170.10.132.56/29	permit
@@ -1697,6 +1671,21 @@
 193.123.56.63	permit
 194.19.134.0/25	permit
 194.64.234.129	permit
+194.97.196.0/24	permit
+194.97.196.3	permit
+194.97.196.4	permit
+194.97.196.11	permit
+194.97.196.12	permit
+194.97.204.0/24	permit
+194.97.204.3	permit
+194.97.204.4	permit
+194.97.204.11	permit
+194.97.204.12	permit
+194.97.212.0/24	permit
+194.97.212.3	permit
+194.97.212.4	permit
+194.97.212.11	permit
+194.97.212.12	permit
 194.106.220.0/23	permit
 194.113.24.0/22	permit
 194.154.193.192/27	permit
@@ -1733,15 +1722,7 @@
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
-199.34.22.36	permit
 199.59.148.0/22	permit
-199.67.80.2	permit
-199.67.80.20	permit
-199.67.82.2	permit
-199.67.82.20	permit
-199.67.84.0/24	permit
-199.67.86.0/24	permit
-199.67.88.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1798,8 +1779,6 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
-204.141.32.0/23	permit
-204.141.42.0/23	permit
 204.220.160.0/21	permit
 204.220.168.0/21	permit
 204.220.176.0/20	permit
@@ -2046,15 +2025,27 @@
 2001:0868:0100:0600::/64	permit
 2001:4860:4000::/36	permit
 2001:748:100:40::2:0/112	permit
+2001:748:400:1300::3	permit
+2001:748:400:1300::4	permit
+2001:748:400:1301::0/64	permit
+2001:748:400:1301::3	permit
+2001:748:400:1301::4	permit
+2001:748:400:2300::3	permit
+2001:748:400:2300::4	permit
+2001:748:400:2301::0/64	permit
+2001:748:400:2301::3	permit
+2001:748:400:2301::4	permit
+2001:748:400:3300::3	permit
+2001:748:400:3300::4	permit
+2001:748:400:3301::0/64	permit
+2001:748:400:3301::3	permit
+2001:748:400:3301::4	permit
 2404:6800:4000::/36	permit
 2603:1010:3:3::5b	permit
 2603:1020:201:10::10f	permit
 2603:1030:20e:3::23c	permit
 2603:1030:b:3::152	permit
 2603:1030:c02:8::14	permit
-2607:13c0:0001:0000:0000:0000:0000:7000/116	permit
-2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
-2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
 2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit

From 401b744808ff127b625001d8512d80d108d58a6a Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Thu, 8 May 2025 11:38:29 +0200
Subject: [PATCH 251/378] [Dovecot] return PASSDB_RESULT_PASSWORD_MISMATCH
 instead of PASSDB_RESULT_INTERNAL_FAILURE

---
 data/conf/dovecot/auth/passwd-verify.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua
index b8843c996..ea847932d 100644
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -29,9 +29,12 @@ function auth_password_verify(request, password)
     insecure = true
   }
 
+  -- Returning PASSDB_RESULT_PASSWORD_MISMATCH will reset the user's auth cache entry.
+  -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry,
+  -- even if the TTL has expired. Useful to avoid cache eviction during backend issues.
   if c ~= 200 and c ~= 401 then
     dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
-    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error"
+    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error"
   end
 
   local response_str = table.concat(res)
@@ -39,7 +42,7 @@ function auth_password_verify(request, password)
 
   if not is_response_valid then
     dovecot.i_info("Invalid JSON received: " .. response_str)
-    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid response format"
+    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Invalid response format"
   end
 
   if response_json.success == true then

From cb6ffe65c8fb0ec4b96abfd45c352f89a52bf40b Mon Sep 17 00:00:00 2001
From: Kai Biebel <38378574+seclution@users.noreply.github.com>
Date: Fri, 9 May 2025 11:24:49 +0200
Subject: [PATCH 252/378] fix: typo in default_template

---
 data/web/inc/functions.auth.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 57dec808d..ec32e6610 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -669,8 +669,8 @@ function ldap_mbox_login($user, $pass, $extra = null){
 
   // check if matching attribute exist
   if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
-    if (!empty($iam_settings['default_tempalte'])) {
-      $mbox_template = $iam_settings['default_tempalte'];
+    if (!empty($iam_settings['default_template'])) {
+      $mbox_template = $iam_settings['default_template'];
     } else {
       $_SESSION['return'][] =  array(
         'type' => 'danger',

From ea0944d743c0f261cea57693dd1da9970206e99c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 9 May 2025 15:13:44 +0200
Subject: [PATCH 253/378] [Web] Add quick links to other login pages and option
 to disable mailcow login form

---
 data/web/admin/index.php                      |  3 +-
 data/web/admin/system.php                     |  1 +
 data/web/domainadmin/index.php                |  1 +
 data/web/inc/functions.customize.inc.php      | 43 +++++++++++++
 data/web/index.php                            |  8 ++-
 data/web/json_api.php                         |  3 +
 data/web/lang/lang.de-de.json                 | 12 ++++
 data/web/lang/lang.en-gb.json                 | 12 ++++
 .../templates/admin/tab-config-customize.twig | 36 ++++++++++-
 data/web/templates/admin_index.twig           | 43 ++++++++-----
 data/web/templates/domainadmin_index.twig     | 43 ++++++++-----
 data/web/templates/user_index.twig            | 60 ++++++++++++-------
 12 files changed, 206 insertions(+), 59 deletions(-)

diff --git a/data/web/admin/index.php b/data/web/admin/index.php
index 05ba70337..9ae4a0380 100644
--- a/data/web/admin/index.php
+++ b/data/web/admin/index.php
@@ -22,7 +22,8 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
 
 $template = 'admin_index.twig';
 $template_data = [
-  'login_delay' => @$_SESSION['ldelay']
+  'login_delay' => @$_SESSION['ldelay'],
+  'custom_login' => customize('get', 'custom_login'),
 ];
 
 $js_minifier->add('/web/js/site/index.js');
diff --git a/data/web/admin/system.php b/data/web/admin/system.php
index c21d43f0d..9fd44e0d8 100644
--- a/data/web/admin/system.php
+++ b/data/web/admin/system.php
@@ -125,6 +125,7 @@ $template_data = [
   'logo_specs' => customize('get', 'main_logo_specs'),
   'logo_dark_specs' => customize('get', 'main_logo_dark_specs'),
   'ip_check' => customize('get', 'ip_check'),
+  'custom_login' => customize('get', 'custom_login'),
   'password_complexity' => password_complexity('get'),
   'show_rspamd_global_filters' => @$_SESSION['show_rspamd_global_filters'],
   'cors_settings' => $cors_settings,
diff --git a/data/web/domainadmin/index.php b/data/web/domainadmin/index.php
index 2d909f97f..0d70ec3ae 100644
--- a/data/web/domainadmin/index.php
+++ b/data/web/domainadmin/index.php
@@ -22,6 +22,7 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
 $template = 'domainadmin_index.twig';
 $template_data = [
   'login_delay' => @$_SESSION['ldelay'],
+  'custom_login' => customize('get', 'custom_login'),
 ];
 
 $js_minifier->add('/web/js/site/index.js');
diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index 8c0feb69f..dc86bfe65 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -204,6 +204,35 @@ function customize($_action, $_item, $_data = null) {
             'msg' => 'ip_check_opt_in_modified'
           );
         break;
+        case 'custom_login':
+          $hide_user_quicklink        = ($_data['hide_user_quicklink'] == "1") ? 1 : 0;
+          $hide_domainadmin_quicklink = ($_data['hide_domainadmin_quicklink'] == "1") ? 1 : 0;
+          $hide_admin_quicklink       = ($_data['hide_admin_quicklink'] == "1") ? 1 : 0;
+          $force_sso                  = ($_data['force_sso'] == "1") ? 1 : 0;
+
+          $custom_login = array(
+            "hide_user_quicklink" => $hide_user_quicklink,
+            "hide_domainadmin_quicklink" => $hide_domainadmin_quicklink,
+            "hide_admin_quicklink" => $hide_admin_quicklink,
+            "force_sso" => $force_sso,
+          );
+          try {
+            $redis->set('CUSTOM_LOGIN', json_encode($custom_login));
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_item, $_data),
+              'msg' => array('redis_error', $e)
+            );
+            return false;
+          }
+          $_SESSION['return'][] = array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $_action, $_item, $_data),
+            'msg' => 'custom_login_modified'
+          );
+        break;
       }
     break;
     case 'delete':
@@ -357,6 +386,20 @@ function customize($_action, $_item, $_data = null) {
             return false;
           }
         break;
+        case 'custom_login':
+          try {
+            $custom_login = ($custom_login = $redis->get('CUSTOM_LOGIN')) ? $custom_login : array();
+            return json_decode($custom_login, true);
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_item, $_data),
+              'msg' => array('redis_error', $e)
+            );
+            return false;
+          }
+        break;
       }
     break;
   }
diff --git a/data/web/index.php b/data/web/index.php
index f306f1aed..d21e54364 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -33,16 +33,18 @@ $_SESSION['index_query_string'] = $_SERVER['QUERY_STRING'];
 
 $has_iam_sso = false;
 if ($iam_provider){
-  $has_iam_sso = identity_provider("get-redirect") ? true : false;
+  $iam_redirect_url = identity_provider("get-redirect");
+  $has_iam_sso = $iam_redirect_url ? true : false;
 }
-
+$custom_login = customize('get', 'custom_login');
 
 $template = 'user_index.twig';
 $template_data = [
   'oauth2_request' => @$_SESSION['oauth2_request'],
   'is_mobileconfig' => str_contains($_SESSION['index_query_string'], 'mobileconfig'),
   'login_delay' => @$_SESSION['ldelay'],
-  'has_iam_sso' => $has_iam_sso
+  'has_iam_sso' => $has_iam_sso,
+  'custom_login' => $custom_login,
 ];
 
 $js_minifier->add('/web/js/site/index.js');
diff --git a/data/web/json_api.php b/data/web/json_api.php
index f2a222b85..a480b0ae0 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1976,6 +1976,9 @@ if (isset($_GET['query'])) {
         case "ip_check":
           process_edit_return(customize('edit', 'ip_check', $attr));
         break;
+        case "custom_login":
+          process_edit_return(customize('edit', 'custom_login', $attr));
+        break;
         case "self":
           if ($_SESSION['mailcow_cc_role'] == "domainadmin") {
             process_edit_return(domain_admin('edit', $attr));
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 911ebfc67..06d43b565 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -134,6 +134,7 @@
         "admin_domains": "Domain-Zuweisungen",
         "admins": "Administratoren",
         "admins_ldap": "LDAP-Administratoren",
+        "admin_quicklink": "Quicklink zur Admin-Loginseite ausblenden",
         "advanced_settings": "Erweiterte Einstellungen",
         "api_allow_from": "IP-Adressen oder Netzwerke (CIDR Notation) für Zugriff auf API",
         "api_info": "Die API befindet sich noch in Entwicklung, die Dokumentation kann unter <a href=\"/api\">/api</a> abgerufen werden.",
@@ -155,6 +156,7 @@
         "credentials_transport_warning": "<b>Warnung</b>: Das Hinzufügen einer neuen Regel bewirkt die Aktualisierung der Authentifizierungsdaten aller vorhandenen Einträge mit identischem Next Hop.",
         "customer_id": "Kunde",
         "customize": "UI-Anpassung",
+        "login_page": "Login-Seite",
         "destination": "Ziel",
         "dkim_add_key": "ARC/DKIM-Key hinzufügen",
         "dkim_domains_selector": "Selector",
@@ -173,6 +175,7 @@
         "domain": "Domain",
         "domain_admin": "Administrator hinzufügen",
         "domain_admins": "Domain-Administratoren",
+        "domainadmin_quicklink": "Quicklink zur Domainadmin-Loginseite ausblenden",
         "domain_s": "Domain(s)",
         "duplicate": "Duplizieren",
         "duplicate_dkim": "DKIM duplizieren",
@@ -195,6 +198,8 @@
         "f2b_retry_window": "Wiederholungen im Zeitraum von (s)",
         "f2b_whitelist": "Whitelist für Netzwerke und Hosts",
         "filter_table": "Tabelle filtern",
+        "force_sso_text": "Wenn ein externer OIDC-Provider konfiguriert ist, blendet diese Option die mailcow Loginform aus und zeigt nur den Single Sign-On-Button an.",
+        "force_sso": "mailcow Login deaktivieren und nur Single Sign-On anzeigen",
         "forwarding_hosts": "Weiterleitungs-Hosts",
         "forwarding_hosts_add_hint": "Sie können entweder IPv4-/IPv6-Adressen, Netzwerke in CIDR-Notation, Hostnamen (die zu IP-Adressen aufgelöst werden), oder Domainnamen (die zu IP-Adressen aufgelöst werden, indem ihr SPF-Record abgefragt wird oder, in dessen Abwesenheit, ihre MX-Records) angeben.",
         "forwarding_hosts_hint": "Eingehende Nachrichten werden von den hier gelisteten Hosts bedingungslos akzeptiert. Diese Hosts werden dann nicht mit DNSBLs abgeglichen oder Greylisting unterworfen. Von ihnen empfangener Spam wird nie abgelehnt, optional kann er aber in den Spam-Ordner einsortiert werden. Die übliche Verwendung für diese Funktion ist, um Mailserver anzugeben, auf denen eine Weiterleitung zu Ihrem mailcow-Server eingerichtet wurde.",
@@ -308,6 +313,7 @@
         "quarantine_release_format_att": "Als Anhang",
         "quarantine_release_format_raw": "Unverändertes Original",
         "quarantine_retention_size": "Rückhaltungen pro Mailbox:<br><small>0 bedeutet <b>inaktiv</b>.</small>",
+        "quicklink_text": "Quicklinks zu anderen Login-Seiten unter der Loginform ein- oder ausblenden",
         "quota_notification_html": "Benachrichtigungs-E-Mail Inhalt:<br><small>Leer lassen, um Standard-Template wiederherzustellen.</small>",
         "quota_notification_sender": "Benachrichtigungs-E-Mail Absender",
         "quota_notification_subject": "Benachrichtigungs-E-Mail Betreff",
@@ -387,6 +393,7 @@
         "unchanged_if_empty": "Unverändert, wenn leer",
         "upload": "Hochladen",
         "username": "Benutzername",
+        "user_quicklink": "Quicklink zur Benutzer-Loginseite ausblenden",
         "validate_license_now": "GUID erneut verifizieren",
         "verify": "Verifizieren",
         "yes": "&#10003;",
@@ -807,6 +814,10 @@
         "forgot_password": "> Passwort vergessen?",
         "invalid_pass_reset_token": "Der Rücksetz-Token für das Passwort ist ungültig oder abgelaufen.<br>Bitte fordern Sie einen neuen Link zur Passwortwiederherstellung an.",
         "login": "Anmelden",
+        "login_linkstext": "Nicht der richtige Login?",
+        "login_usertext": "Als Benutzer anmelden",
+        "login_domainadmintext": "Als Domainadmin anmelden",
+        "login_admintext": "Als Admin anmelden",
         "login_user": "Anmeldung als Benutzer",
         "login_dadmin": "Anmeldung als Domain-Administrator",
         "login_admin": "Anmeldung als Administrator",
@@ -1096,6 +1107,7 @@
         "bcc_edited": "BCC-Map-Eintrag %s wurde geändert",
         "bcc_saved": "BCC- Map-Eintrag wurde gespeichert",
         "cors_headers_edited": "CORS Einstellungen wurden erfolgreich gespeichert",
+        "custom_login_modified": "Login Anpassung wurde erfolgreich gespeichert",
         "db_init_complete": "Datenbankinitialisierung abgeschlossen",
         "delete_filter": "Filter-ID %s wurde gelöscht",
         "delete_filters": "Filter gelöscht: %s",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index ca8bb3adf..707e2a60e 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -134,6 +134,7 @@
         "admin_domains": "Domain assignments",
         "admins": "Administrators",
         "admins_ldap": "LDAP Administrators",
+        "admin_quicklink": "Hide Quicklink to Admin Login Page",
         "advanced_settings": "Advanced settings",
         "allowed_methods": "Access-Control-Allow-Methods",
         "allowed_origins": "Access-Control-Allow-Origin",
@@ -161,6 +162,7 @@
         "credentials_transport_warning": "<b>Warning</b>: Adding a new transport map entry will update the credentials for all entries with a matching next hop column.",
         "customer_id": "Customer ID",
         "customize": "Customize",
+        "login_page": "Login Page",
         "destination": "Destination",
         "dkim_add_key": "Add ARC/DKIM key",
         "dkim_domains_selector": "Selector",
@@ -179,6 +181,7 @@
         "domain": "Domain",
         "domain_admin": "Domain administrator",
         "domain_admins": "Domain administrators",
+        "domainadmin_quicklink": "Hide Quicklink to Domainadmin Login Page",
         "domain_s": "Domain/s",
         "duplicate": "Duplicate",
         "duplicate_dkim": "Duplicate DKIM record",
@@ -202,6 +205,8 @@
         "f2b_whitelist": "Whitelisted networks/hosts",
         "filter": "Filter",
         "filter_table": "Filter table",
+        "force_sso_text": "If an external OIDC provider is configured, this option hides the default mailcow login froms and only shows the Singe Sign-On button",
+        "force_sso": "Disable mailcow Login and show only Singe Sign-On",
         "forwarding_hosts": "Forwarding Hosts",
         "forwarding_hosts_add_hint": "You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).",
         "forwarding_hosts_hint": "Incoming messages are unconditionally accepted from any hosts listed here. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected, but optionally it can be filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a rule that forwards incoming emails to your mailcow server.",
@@ -317,6 +322,7 @@
         "quarantine_release_format_att": "As attachment",
         "quarantine_release_format_raw": "Unmodified original",
         "quarantine_retention_size": "Retentions per mailbox:<br><small>0 indicates <b>inactive</b>.</small>",
+        "quicklink_text": "Show or hide quick links to other login pages under the login form",
         "quota_notification_html": "Notification email template:<br><small>Leave empty to restore default template.</small>",
         "quota_notification_sender": "Notification email sender",
         "quota_notification_subject": "Notification email subject",
@@ -398,6 +404,7 @@
         "upload": "Upload",
         "username": "Username",
         "user_link": "User-Link",
+        "user_quicklink": "Hide Quicklink to User Login Page",
         "validate_license_now": "Validate GUID against license server",
         "verify": "Verify",
         "yes": "&#10003;"
@@ -809,6 +816,10 @@
         "forgot_password": "> Forgot Password?",
         "invalid_pass_reset_token": "The reset password token is invalid or has expired.<br>Please request a new password reset link.",
         "login": "Login",
+        "login_linkstext": "Not the correct login?",
+        "login_usertext": "Log in as user",
+        "login_domainadmintext": "Log in as domain admin",
+        "login_admintext": "Log in as admin",
         "login_user": "User Login",
         "login_dadmin": "Domain-Administrator Login",
         "login_admin": "Administrator Login",
@@ -1105,6 +1116,7 @@
         "bcc_edited": "BCC map entry %s edited",
         "bcc_saved": "BCC map entry saved",
         "cors_headers_edited": "CORS settings have been saved",
+        "custom_login_modified": "Login customisation was saved successfully",
         "db_init_complete": "Database initialization completed",
         "delete_filter": "Deleted filters ID %s",
         "delete_filters": "Deleted filters: %s",
diff --git a/data/web/templates/admin/tab-config-customize.twig b/data/web/templates/admin/tab-config-customize.twig
index c2071c399..aecf1846e 100644
--- a/data/web/templates/admin/tab-config-customize.twig
+++ b/data/web/templates/admin/tab-config-customize.twig
@@ -51,7 +51,41 @@
           </div></p>
         </form>
       </div>
-      <legend>{{ lang.admin.app_links }}</legend><hr />
+      <legend style="padding-top:20px" unselectable="on">{{ lang.admin.login_page }}</legend><hr />
+      <div>
+        <form class="form" data-id="custom_login" role="form" method="post">
+          <p class="text-muted">{{ lang.admin.quicklink_text }}</p>
+          <div class="ms-2 mb-1">
+            <input class="form-check-input" type="checkbox" value="1" name="hide_user_quicklink" id="hide_user_quicklink" {% if custom_login.hide_user_quicklink == 1 %}checked{% endif %}>
+            <label class="form-check-label" for="hide_user_quicklink">
+              {{ lang.admin.user_quicklink|raw }}
+            </label>
+          </div>
+          <div class="ms-2 mb-1">
+            <input class="form-check-input" type="checkbox" value="1" name="hide_domainadmin_quicklink" id="hide_domainadmin_quicklink" {% if custom_login.hide_domainadmin_quicklink == 1 %}checked{% endif %}>
+            <label class="form-check-label" for="hide_domainadmin_quicklink">
+              {{ lang.admin.domainadmin_quicklink|raw }}
+            </label>
+          </div>
+          <div class="ms-2 mb-4">
+            <input class="form-check-input" type="checkbox" value="1" name="hide_admin_quicklink" id="hide_admin_quicklink" {% if custom_login.hide_admin_quicklink == 1 %}checked{% endif %}>
+            <label class="form-check-label" for="hide_admin_quicklink">
+              {{ lang.admin.admin_quicklink|raw }}
+            </label>
+          </div>
+          <p class="text-muted">{{ lang.admin.force_sso_text|raw }}</p>
+          <div class="ms-2 mb-4">
+            <input class="form-check-input" type="checkbox" value="1" name="force_sso" id="force_sso" {% if custom_login.force_sso == 1 %}checked{% endif %}>
+            <label class="form-check-label" for="force_sso">
+              {{ lang.admin.force_sso|raw }}
+            </label>
+          </div>
+          <p><div class="btn-group">
+            <button class="btn btn-sm btn-xs-half d-block d-sm-inline btn-success" data-action="edit_selected" data-item="admin" data-id="custom_login" data-reload="no" data-api-url='edit/custom_login' data-api-attr='{}' href="#"><i class="bi bi-check-lg"></i> {{ lang.admin.save }}</button>
+          </div></p>
+        </form>
+      </div>
+      <legend style="padding-top:20px">{{ lang.admin.app_links }}</legend><hr />
       <p class="text-muted">{{ lang.admin.merged_vars_hint|raw }}</p>
       <form class="form-inline" data-id="app_links" role="form" method="post">
         <table class="table table-condensed" style="white-space: nowrap;" id="app_link_table">
diff --git a/data/web/templates/admin_index.twig b/data/web/templates/admin_index.twig
index 6f223889e..0dcb9145e 100644
--- a/data/web/templates/admin_index.twig
+++ b/data/web/templates/admin_index.twig
@@ -5,13 +5,28 @@
 {% block content %}
 <div class="row mb-4" style="margin-top: 60px">
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
+
     <div class="card">
-      <div class="card-header d-flex align-items-center">
+      <div class="card-header d-flex align-items-center text-break">
         <i class="bi bi-person-fill me-2"></i> {{ lang.login.login_admin }}
         <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
           <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
           <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
         </div>
+        <div class="ms-4 d-grid d-sm-block">
+          <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="text-secondary btn p-0 border-0 bg-transparent ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+            <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
+          </button>
+          <ul class="dropdown-menu ms-auto login">
+            {% for key, val in available_languages %}
+              <li>
+                <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
+                  <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
+                </a>
+              </li>
+            {% endfor %}
+          </ul>
+        </div>
       </div>
       <div class="card-body">
         <div class="text-center mailcow-logo mb-4">
@@ -37,23 +52,10 @@
             </div>
           </div>
           <div class="d-flex justify-content-between mt-4" style="position: relative">
-            <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>            <div class="d-grid d-sm-block">
-            <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="btn btn-secondary ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
-              <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
-            </button>
-            <ul class="dropdown-menu ms-auto login">
-              {% for key, val in available_languages %}
-                <li>
-                  <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
-                    <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
-                  </a>
-                </li>
-              {% endfor %}
-            </ul>
-            </div>
+            <button type="submit" class="btn btn-xs-lg btn-success w-100 mt-2 mx-auto" style="max-width: 400px;" value="Login">{{ lang.login.login }}</button>
           </div>
         </form>
-        <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
+        <div class="hr-title"><strong>{{ lang.login.other_logins }}</strong></div>
         <div class="d-flex flex-column align-items-center">
           <a class="btn btn-xs-lg btn-secondary w-100" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
         </div>
@@ -86,6 +88,15 @@
         {% endif %}
       </div>
     </div>
+
+    {% if custom_login.hide_user_quicklink != 1 or custom_login.hide_domainadmin_quicklink != 1 %}
+    <p class="text-center mt-3 text-muted" style="font-size: 0.9rem;">
+      {{ lang.login.login_linkstext }}<br>
+      {% if custom_login.hide_user_quicklink != 1 %}<a href="/">{{ lang.login.login_usertext }}</a>{% endif %}
+      {% if custom_login.hide_user_quicklink != 1 and custom_login.hide_domainadmin_quicklink != 1 %}|{% endif %}
+      {% if custom_login.hide_domainadmin_quicklink != 1 %}<a href="/domainadmin">{{ lang.login.login_domainadmintext }}</a>{% endif %}
+    </p>
+    {% endif %}
   </div>
 </div>
 {% endblock %}
diff --git a/data/web/templates/domainadmin_index.twig b/data/web/templates/domainadmin_index.twig
index 003fdba1f..2fc7bad98 100644
--- a/data/web/templates/domainadmin_index.twig
+++ b/data/web/templates/domainadmin_index.twig
@@ -5,13 +5,28 @@
 {% block content %}
 <div class="row mb-4" style="margin-top: 60px">
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
+
     <div class="card">
-      <div class="card-header d-flex align-items-center">
+      <div class="card-header d-flex align-items-center text-break">
         <i class="bi bi-person-fill me-2"></i> {{ lang.login.login_dadmin }}
         <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
           <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
           <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
         </div>
+        <div class="ms-4 d-grid d-sm-block">
+          <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="text-secondary btn p-0 border-0 bg-transparent ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+            <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
+          </button>
+          <ul class="dropdown-menu ms-auto login">
+            {% for key, val in available_languages %}
+              <li>
+                <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
+                  <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
+                </a>
+              </li>
+            {% endfor %}
+          </ul>
+        </div>
       </div>
       <div class="card-body">
         <div class="text-center mailcow-logo mb-4">
@@ -37,23 +52,10 @@
             </div>
           </div>
           <div class="d-flex justify-content-between mt-4" style="position: relative">
-            <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>            <div class="d-grid d-sm-block">
-            <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="btn btn-secondary ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
-              <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
-            </button>
-            <ul class="dropdown-menu ms-auto login">
-              {% for key, val in available_languages %}
-                <li>
-                  <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
-                    <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
-                  </a>
-                </li>
-              {% endfor %}
-            </ul>
-            </div>
+            <button type="submit" class="btn btn-xs-lg btn-success w-100 mt-2 mx-auto" style="max-width: 400px;" value="Login">{{ lang.login.login }}</button>
           </div>
         </form>
-        <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
+        <div class="hr-title"><strong>{{ lang.login.other_logins }}</strong></div>
         <div class="d-flex flex-column align-items-center">
           <a class="btn btn-xs-lg btn-secondary w-100" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
         </div>
@@ -86,6 +88,15 @@
         {% endif %}
       </div>
     </div>
+
+    {% if custom_login.hide_user_quicklink != 1 or custom_login.hide_admin_quicklink != 1 %}
+    <p class="text-center mt-3 text-muted" style="font-size: 0.9rem;">
+      {{ lang.login.login_linkstext }}<br>
+      {% if custom_login.hide_user_quicklink != 1 %}<a href="/">{{ lang.login.login_usertext }}</a>{% endif %}
+      {% if custom_login.hide_user_quicklink != 1 and custom_login.hide_admin_quicklink != 1 %}|{% endif %}
+      {% if custom_login.hide_admin_quicklink != 1 %}<a href="/admin">{{ lang.login.login_admintext }}</a>{% endif %}
+    </p>
+    {% endif %}
   </div>
 </div>
 {% endblock %}
diff --git a/data/web/templates/user_index.twig b/data/web/templates/user_index.twig
index 4ed942143..234aa01cb 100644
--- a/data/web/templates/user_index.twig
+++ b/data/web/templates/user_index.twig
@@ -5,13 +5,30 @@
 {% block content %}
 <div class="row mb-4" style="margin-top: 60px">
   <div class="col-12 col-md-7 col-lg-6 col-xl-5 ms-auto me-auto">
+
     <div class="card">
-      <div class="card-header d-flex align-items-center">
+      <div class="card-header d-flex align-items-center text-break">
         <i class="bi bi-person-fill me-2"></i> {{ lang.login.login_user }}
         <div class="ms-auto form-check form-switch my-auto d-flex align-items-center">
           <label class="form-check-label"><i class="bi bi-moon-fill"></i></label>
           <input class="form-check-input ms-2" type="checkbox" id="dark-mode-toggle">
         </div>
+        {% if not oauth2_request %}
+        <div class="ms-4 d-grid d-sm-block">
+          <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="text-secondary btn p-0 border-0 bg-transparent ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+            <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
+          </button>
+          <ul class="dropdown-menu ms-auto login">
+            {% for key, val in available_languages %}
+              <li>
+                <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
+                  <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
+                </a>
+              </li>
+            {% endfor %}
+          </ul>
+        </div>
+        {% endif %}
       </div>
       <div class="card-body">
         <div class="text-center mailcow-logo mb-4">
@@ -25,6 +42,7 @@
         {% if is_mobileconfig %}
         <div class="my-4 alert alert-info ">{{ lang.login.mobileconfig_info }}</div>
         {% endif %}
+        {% if custom_login.force_sso != 1 %}
         <form method="post" autofill="off">
           <div class="d-flex mt-3">
             <label class="visually-hidden" for="login_user">{{ lang.login.username }}</label>
@@ -40,35 +58,22 @@
               <input name="pass_user" type="password" id="pass_user" class="form-control" placeholder="{{ lang.login.password }}" required="" autocomplete="current-password">
             </div>
           </div>
+          <div class="mt-2 text-muted" style="font-size: 0.9rem;">
+            <a href="/reset-password">{{ lang.login.forgot_password }}</a>
+          </div>
           <div class="d-flex justify-content-between mt-4" style="position: relative">
-            <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
-            {% if not oauth2_request %}
-            <div class="d-grid d-sm-block">
-            <button type="button" {% if available_languages|length == 1 %}disabled="true"{% endif %} class="btn btn-secondary ms-auto dropdown-toggle" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
-              <span class="flag-icon flag-icon-{{ mailcow_locale[-2:] }}"></span>
-            </button>
-            <ul class="dropdown-menu ms-auto login">
-              {% for key, val in available_languages %}
-                <li>
-                  <a class="dropdown-item {% if mailcow_locale == key %}active{% endif %}" href="?{{ query_string({'lang': key}) }}">
-                    <span class="flag-icon flag-icon-{{ key[-2:] }}"></span>{{ val }}
-                  </a>
-                </li>
-              {% endfor %}
-            </ul>
-            </div>
-            {% endif %}
+            <button type="submit" class="btn btn-xs-lg btn-success w-100 mt-2 mx-auto" style="max-width: 400px;" value="Login">{{ lang.login.login }}</button>
           </div>
         </form>
-        <div class="mt-3">
-          <a href="/reset-password">{{ lang.login.forgot_password }}</a>
-        </div>
-        <div class="hr-title mt-5"><strong>{{ lang.login.other_logins }}</strong></div>
+        <div class="hr-title"><strong>{{ lang.login.other_logins }}</strong></div>
+        {% endif %}
         <div class="d-flex flex-column align-items-center">
           {% if has_iam_sso %}
           <a class="btn btn-xs-lg btn-secondary w-100 mt-2" style="max-width: 400px;" href="/?iam_sso=1"><i class="bi bi-cloud-arrow-up-fill"></i> {{ lang.admin.iam_sso }}</a>
           {% endif %}
+          {% if custom_login.force_sso != 1 %}
           <a class="btn btn-xs-lg btn-secondary w-100 mt-2" style="max-width: 400px;" href="#" id="fido2-login"><i class="bi bi-shield-fill-check"></i> {{ lang.login.fido2_webauthn }}</a>
+          {% endif %}
         </div>
         {% if login_delay %}
         <p><div class="my-4 alert alert-info">{{ lang.login.delayed|format(login_delay) }}</b></div></p>
@@ -96,9 +101,20 @@
             {% endfor %}
           {% endfor %}
         </div>
+        <div>
+        </div>
         {% endif %}
       </div>
     </div>
+
+    {% if custom_login.hide_admin_quicklink != 1 or custom_login.hide_domainadmin_quicklink != 1 %}
+    <p class="text-center mt-3 text-muted" style="font-size: 0.9rem;">
+      {{ lang.login.login_linkstext }}<br>
+      {% if custom_login.hide_admin_quicklink != 1 %}<a href="/admin">{{ lang.login.login_admintext }}</a>{% endif %}
+      {% if custom_login.hide_admin_quicklink != 1 and custom_login.hide_domainadmin_quicklink != 1 %}|{% endif %}
+      {% if custom_login.hide_domainadmin_quicklink != 1 %}<a href="/domainadmin">{{ lang.login.login_domainadmintext }}</a>{% endif %}
+    </p>
+    {% endif %}
   </div>
 </div>
 {% if not oauth2_request and ui_texts.help_text %}

From 486b2974092dc5a42178204ff587650a8452c9c0 Mon Sep 17 00:00:00 2001
From: krzsztf1 <131195155+krzsztf1@users.noreply.github.com>
Date: Fri, 9 May 2025 18:33:19 +0200
Subject: [PATCH 254/378] Fix typo in rspamd rule in composites.conf (#6515)

Co-authored-by: Krzysztof Nowak <k.nowak@intalio.pl>
---
 data/conf/rspamd/local.d/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/conf/rspamd/local.d/composites.conf b/data/conf/rspamd/local.d/composites.conf
index 9bb84424a..4ce042aab 100644
--- a/data/conf/rspamd/local.d/composites.conf
+++ b/data/conf/rspamd/local.d/composites.conf
@@ -8,7 +8,7 @@ VIRUS_FOUND {
 }
 # Bad policy from free mail providers
 FREEMAIL_POLICY_FAILURE {
-  expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST& !WHITELISTED_FWD_HOST & -g+:policies";
+  expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST & !WHITELISTED_FWD_HOST & -g+:policies";
   score = 16.0;
 }
 # Applies to freemail with undisclosed recipients

From 1b2f424edc7b5f91c450b36b5cf64f012e7b821b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Mon, 12 May 2025 12:20:23 +0200
Subject: [PATCH 255/378] [Web] Add identity_provider option to disable
 auto-creation of users on login

---
 data/web/inc/functions.auth.inc.php           | 33 ++++++++++++++-----
 data/web/inc/functions.inc.php                | 24 +++++++++++---
 data/web/lang/lang.de-de.json                 |  1 +
 data/web/lang/lang.en-gb.json                 |  1 +
 .../admin/tab-config-identity-provider.twig   | 32 +++++++++++++++++-
 5 files changed, 78 insertions(+), 13 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 57dec808d..ebc432a1f 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -262,10 +262,6 @@ function user_login($user, $pass, $extra = null){
             return false;
           }
 
-          if (intval($row['attributes']['force_pw_update']) == 1) {
-            $_SESSION['pending_pw_update'] = true;
-          }
-
           // check for tfa authenticators
           $authenticators = get_tfa($user);
           if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -318,10 +314,6 @@ function user_login($user, $pass, $extra = null){
           return false;
         }
 
-        if (intval($row['attributes']['force_pw_update']) == 1) {
-          $_SESSION['pending_pw_update'] = true;
-        }
-
         // check for tfa authenticators
         $authenticators = get_tfa($user);
         if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -485,6 +477,9 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     }
     return false;
   }
+  if (!$iam_provider) {
+    return false;
+  }
 
   // get access_token for service account of mailcow client
   $admin_token = identity_provider("get-keycloak-admin-token");
@@ -554,6 +549,17 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
     return 'user';
   }
 
+  // check if login provisioning is enabled before creating user
+  if (!$iam_settings['login_provisioning']){
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, "Auto-create users on login is deactivated"),
+        'msg' => 'login_failed'
+      );
+    }
+    return false;
+  }
   // check if matching attribute exist
   if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
     if (!empty($iam_settings['default_template'])) {
@@ -667,6 +673,17 @@ function ldap_mbox_login($user, $pass, $extra = null){
     return 'user';
   }
 
+  // check if login provisioning is enabled before creating user
+  if (!$iam_settings['login_provisioning']){
+    if (!$is_internal){
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, "Auto-create users on login is deactivated"),
+        'msg' => 'login_failed'
+      );
+    }
+    return false;
+  }
   // check if matching attribute exist
   if (empty($iam_settings['mappers']) || !$user_template || $mapper_key === false) {
     if (!empty($iam_settings['default_tempalte'])) {
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index aab579284..edf428d5a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2294,6 +2294,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           break;
           case "use_ssl":
           case "use_tls":
+          case "login_provisioning":
           case "ignore_ssl_errors":
             $settings[$row["key"]] = boolval($row["value"]);
           break;
@@ -2302,6 +2303,10 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           break;
         }
       }
+      // set login_provisioning if not exists
+      if (!array_key_exists('login_provisioning', $settings)) {
+        $settings['login_provisioning'] = 1;
+      }
       // return default client_scopes for generic-oidc if none is set
       if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
         $settings["client_scopes"] = "openid profile email mailcow_template";
@@ -2366,7 +2371,8 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return false;
       }
 
-      $_data['ignore_ssl_error']  = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
+      $_data['ignore_ssl_error']    = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
+      $_data['login_provisioning']  = isset($_data['login_provisioning']) ? boolval($_data['login_provisioning']) : false;
       switch ($_data['authsource']) {
         case "keycloak":
           $_data['server_url']        = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null;
@@ -2375,14 +2381,14 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-          $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error');
+          $required_settings          = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error', 'login_provisioning');
         break;
         case "generic-oidc":
           $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
           $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
           $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
           $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email mailcow_template";
-          $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error');
+          $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error', 'login_provisioning');
         break;
         case "ldap":
           $_data['host']              = (!empty($_data['host'])) ? str_replace(" ", "", $_data['host']) : "";
@@ -2396,7 +2402,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['use_tls']           = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
+          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error', 'login_provisioning');
         break;
       }
 
@@ -2766,6 +2772,16 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         return true;
       }
 
+      // user doesn't exist, check if login provisioning is enabled
+      if (!$iam_settings['login_provisioning']){
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, "Auto-create users on login is deactivated"),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+
       if (empty($iam_settings['mappers']) || empty($user_template) || $mapper_key === false){
         if (!empty($iam_settings['default_template'])) {
           $mbox_template = $iam_settings['default_template'];
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 06d43b565..6e1b4d4c2 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -227,6 +227,7 @@
         "iam_host": "Host",
         "iam_host_info": "Gib einen oder mehrere LDAP-Hosts ein, getrennt durch Kommas.",
         "iam_import_users": "Importiere Benutzer",
+        "iam_login_provisioning": "Benutzer beim Login erstellen",
         "iam_mapping": "Attribut Mapping",
         "iam_bindpass": "Bind Passwort",
         "iam_periodic_full_sync": "Vollsynchronisation",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 707e2a60e..fb8fbb6e4 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -234,6 +234,7 @@
         "iam_host": "Host",
         "iam_host_info": "Enter one or more LDAP hosts, separated by commas.",
         "iam_import_users": "Import Users",
+        "iam_login_provisioning": "Auto-create users on login",
         "iam_mapping": "Attribute Mapping",
         "iam_bindpass": "Bind Password",
         "iam_periodic_full_sync": "Periodic Full Sync",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index a93002257..4572d7fb5 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -219,6 +219,16 @@
               </div>
             </div>
           </div>
+          <div class="row mb-2">
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_login_provisioning }}</label>
+            </div>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="login_provisioning"  value="1" {% if iam_settings.login_provisioning == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
               <label class="control-label">{{ lang.admin.iam_periodic_full_sync }}</label>
@@ -430,7 +440,7 @@
               </div>
             </div>
           </div>
-          <div class="row mb-4">
+          <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
               <label class="control-label">{{ lang.admin.ignore_ssl_error }}</label>
             </div>
@@ -440,6 +450,16 @@
               </div>
             </div>
           </div>
+          <div class="row mb-4">
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_login_provisioning }}</label>
+            </div>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="login_provisioning"  value="1" {% if iam_settings.login_provisioning == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mt-4 mb-2">
             <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
               <div class="btn-group mb-2">
@@ -646,6 +666,16 @@
               </div>
             </div>
           </div>
+          <div class="row mb-2">
+            <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <label class="control-label">{{ lang.admin.iam_login_provisioning }}</label>
+            </div>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="login_provisioning"  value="1" {% if iam_settings.login_provisioning == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
               <label class="control-label">{{ lang.admin.iam_periodic_full_sync }}</label>

From ffa29338737069d7e15fe26933cbb3aa8b8fcc2b Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 13 May 2025 09:49:53 +0200
Subject: [PATCH 256/378] increase Olefy, Rspamd and Watchdog docker images

---
 docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 3b27a09a9..8f31c69c8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -84,7 +84,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: ghcr.io/mailcow/rspamd:2.1
+      image: ghcr.io/mailcow/rspamd:2.2
       stop_grace_period: 30s
       depends_on:
         - dovecot-mailcow
@@ -498,7 +498,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: ghcr.io/mailcow/watchdog:2.07
+      image: ghcr.io/mailcow/watchdog:2.08
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       tmpfs:
@@ -591,7 +591,7 @@ services:
             - dockerapi
 
     olefy-mailcow:
-      image: ghcr.io/mailcow/olefy:1.14
+      image: ghcr.io/mailcow/olefy:1.15
       restart: always
       environment:
         - TZ=${TZ}

From 03d979c089a5bda1608c5e55b47e16c191036a25 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Tue, 13 May 2025 10:14:58 +0200
Subject: [PATCH 257/378] [Web] Fix get custom_login

---
 data/web/inc/functions.customize.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index dc86bfe65..1d19066d2 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -388,8 +388,8 @@ function customize($_action, $_item, $_data = null) {
         break;
         case 'custom_login':
           try {
-            $custom_login = ($custom_login = $redis->get('CUSTOM_LOGIN')) ? $custom_login : array();
-            return json_decode($custom_login, true);
+            $custom_login = $redis->get('CUSTOM_LOGIN');
+            return $custom_login ? json_decode($custom_login, true) : array();
           }
           catch (RedisException $e) {
             $_SESSION['return'][] = array(

From 3bd01190bf84e67764801f64dd011b88603a10a3 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Fri, 16 May 2025 23:07:25 +0200
Subject: [PATCH 258/378] Translations update from Weblate (#6548)

* [Web] Updated lang.fr-fr.json

[Web] Updated lang.fr-fr.json

Co-authored-by: Samuel F. <20537389+samuelfranzini@users.noreply.github.com>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.ru-ru.json

[Web] Updated lang.ru-ru.json

[Web] Updated lang.ru-ru.json

Co-authored-by: Habetdin <15926758+Habetdin@users.noreply.github.com>
Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.zh-cn.json

Co-authored-by: Easton Man <me@eastonman.com>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.en-gb.json

Co-authored-by: Habetdin <15926758+Habetdin@users.noreply.github.com>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

---------

Co-authored-by: Samuel F. <20537389+samuelfranzini@users.noreply.github.com>
Co-authored-by: Habetdin <15926758+Habetdin@users.noreply.github.com>
Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: Easton Man <me@eastonman.com>
---
 data/web/lang/lang.en-gb.json |  2 +-
 data/web/lang/lang.fr-fr.json | 84 ++++++++++++++++++++++++++++++-----
 data/web/lang/lang.ru-ru.json | 83 ++++++++++++++++++++++++++++++----
 data/web/lang/lang.zh-cn.json | 20 +++++++--
 4 files changed, 165 insertions(+), 24 deletions(-)

diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index fb8fbb6e4..a04234610 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -205,7 +205,7 @@
         "f2b_whitelist": "Whitelisted networks/hosts",
         "filter": "Filter",
         "filter_table": "Filter table",
-        "force_sso_text": "If an external OIDC provider is configured, this option hides the default mailcow login froms and only shows the Singe Sign-On button",
+        "force_sso_text": "If an external OIDC provider is configured, this option hides the default mailcow login forms and only shows the Singe Sign-On button",
         "force_sso": "Disable mailcow Login and show only Singe Sign-On",
         "forwarding_hosts": "Forwarding Hosts",
         "forwarding_hosts_add_hint": "You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).",
diff --git a/data/web/lang/lang.fr-fr.json b/data/web/lang/lang.fr-fr.json
index 58300c0d4..313d6663c 100644
--- a/data/web/lang/lang.fr-fr.json
+++ b/data/web/lang/lang.fr-fr.json
@@ -359,7 +359,54 @@
         "service": "Service",
         "success": "Succès",
         "cors_settings": "Paramètres CORS",
-        "login_time": "Horodatage de connexion"
+        "login_time": "Horodatage de connexion",
+        "domainadmin_quicklink": "Masquer le lien rapide vers la page de connexion de l'administrateur du domaine",
+        "force_sso_text": "Si un fournisseur OIDC externe est configuré, cette option masque les formulaires de connexion par défaut de mailcow et n'affiche que le bouton Singe Sign-On",
+        "app_hide": "Masquer pour la connexion",
+        "admin_quicklink": "Masquer le lien rapide vers la page de connexion de l'administrateur",
+        "login_page": "Page de connexion",
+        "force_sso": "Désactiver la connexion mailcow et n'afficher que Singe Sign-On",
+        "iam_attribute_field": "Champ d'attribut",
+        "iam_authorize_url": "Endpoint d'autorisation",
+        "iam_auth_flow": "Flow d'authentification",
+        "iam_auth_flow_info": "Outre le flux de code d'autorisation (flux standard dans Keycloak), qui est utilisé pour la connexion unique, mailcow prend également en charge le flux d'authentification avec des informations d'identification directes. Le flux Mailpassword tente de valider les informations d'identification de l'utilisateur en utilisant l'API REST de Keycloak Admin. mailcow récupère le mot de passe haché dans l'attribut <code>mailcow_password</code>, qui est mappé dans Keycloak.",
+        "iam_basedn": "Base DN",
+        "iam_client_id": "ID Client",
+        "iam_client_secret": "Secret Client",
+        "iam_use_ssl": "Utiliser SSL",
+        "iam_redirect_url": "Url de redirection",
+        "iam_use_ssl_info": "Si le protocole SSL est activé et que le port est défini sur 389, il sera automatiquement remplacé par 636.",
+        "iam_use_tls_info": "Si vous activez TLS, vous devez utiliser le port par défaut de votre serveur LDAP (389). Les ports SSL ne peuvent pas être utilisés.",
+        "iam_version": "Version",
+        "ignore_ssl_error": "Ignorer les erreurs SSL",
+        "iam_login_provisioning": "Créer automatiquement l'utilisateur à la connexion",
+        "iam_mapping": "Mapping des attributs",
+        "iam_bindpass": "Lier le mot de passe",
+        "iam_periodic_full_sync": "Synchronisation complète périodique",
+        "iam_port": "Port",
+        "iam_realm": "Realm",
+        "iam_rest_flow": "Flow Mailpassword",
+        "iam_server_url": "URL du serveur",
+        "iam_sso": "Single Sign-On",
+        "iam_sync_interval": "Interval de Sync / Import (min)",
+        "iam_test_connection": "Test de connexion",
+        "iam_token_url": "Endpoint Token",
+        "iam_userinfo_url": "Endpoint User info",
+        "iam_username_field": "Champ du nom d'utilisateur",
+        "iam_binddn": "Bind DN",
+        "iam_use_tls": "Utiliser StartTLS",
+        "quicklink_text": "Afficher ou masquer les liens rapides vers d'autres pages de connexion sous le formulaire de connexion",
+        "task": "Tâche",
+        "user_link": "Lien utilisateur",
+        "user_quicklink": "Masquer le lien rapide vers la page de connexion de l'utilisateur",
+        "iam_client_scopes": "Scopes Client",
+        "iam_default_template": "Template par défaut",
+        "iam_default_template_description": "Si aucun modèle n'est attribué à un utilisateur, le modèle par défaut sera utilisé pour créer la boîte aux lettres, mais pas pour la mettre à jour.",
+        "iam_description": "Configurer un fournisseur externe pour l'authentification<br>Les boîtes aux lettres des utilisateurs seront automatiquement créées lors de leur première connexion, à condition qu'un mappage d'attributs ait été défini.",
+        "iam_extra_permission": "Pour que les paramètres suivants fonctionnent, le client mailcow dans Keycloak a besoin d'un <code>Compte de service</code> et de l'autorisation de <code>voir les utilisateurs</code>.",
+        "iam_host": "Hôte",
+        "iam_host_info": "Saisissez un ou plusieurs hôtes LDAP, séparés par des virgules.",
+        "iam_import_users": "Importer des utilisateurs"
     },
     "danger": {
         "access_denied": "Accès refusé ou données de formulaire non valides",
@@ -496,7 +543,11 @@
         "password_reset_invalid_user": "Boîte mail introuvable ou aucune adresse de récupération n'a été définie",
         "password_reset_na": "La réinitialisation des mots de passe est actuellement indisponible. Veuillez contacter votre administrateur.",
         "reset_token_limit_exceeded": "Le nombre limite de jetons de réinitialisation a été dépassé. Veuillez réessayer plus tard.",
-        "to_invalid": "Le destinataire ne doit pas être vide"
+        "to_invalid": "Le destinataire ne doit pas être vide",
+        "generic_server_error": "Une erreur de serveur inattendue s'est produite. Veuillez contacter votre administrateur.",
+        "authsource_in_use": "Le fournisseur d'identité ne peut pas être modifié ou supprimé car il est actuellement utilisé par un ou plusieurs utilisateurs.",
+        "iam_test_connection": "Échec de la connexion",
+        "required_data_missing": "La donnée requise %s est manquante"
     },
     "debug": {
         "chart_this_server": "Graphique (ce serveur)",
@@ -553,7 +604,7 @@
         "alias": "Éditer les alias",
         "allow_from_smtp": "Restreindre l'utilisation de <b>SMTP</b> à ces adresses IP",
         "allow_from_smtp_info": "Laissez vide pour autoriser tous les expéditeurs.<br>Adresses IPv4/IPv6 et réseaux.",
-        "allowed_protocols": "Protocoles autorisés",
+        "allowed_protocols": "Protocoles autorisés pour l'accès direct de l'utilisateur (n'affecte pas les protocoles de mot de passe de l'application)",
         "app_name": "Nom de l'application",
         "app_passwd": "Mot de passe de l'application",
         "automap": "Tenter de cibler automatiquement les dossiers (« Sent items », « Sent » => « Sent » etc.)",
@@ -672,7 +723,7 @@
         "none_inherit": "Aucun / Héritage",
         "quota_warning_bcc": "Avertissement sur les quotas BCC",
         "quota_warning_bcc_info": "Les avertissements seront envoyés en copies séparées aux destinataires suivants. Le sujet sera précédé du nom d'utilisateur correspondant entre parenthèses, par exemple : <code>Avertissement sur les quotas (user@example.com)</code>.",
-        "sogo_access_info": "L'authentification unique à partir de l'interface de messagerie reste opérationnelle. Ce paramètre n'affecte pas l'accès à tous les autres services et ne supprime ni, ne modifie le profil SOGo existant d'un utilisateur.",
+        "sogo_access_info": "Après s'être connecté, l'utilisateur est automatiquement redirigé vers SOGo.",
         "admin": "Modifier l'administrateur",
         "password_recovery_email": "Adresse email de récupération",
         "mailbox_rename_title": "Nouveau nom de la partie locale de la boîte de réception",
@@ -680,7 +731,7 @@
         "mailbox_rename_agree": "J'ai fait une sauvegarde.",
         "mailbox_rename_warning": "IMPORTANT ! Faites une sauvegarde avant de renommer la boîte de réception.",
         "mailbox_rename_alias": "Créer un alias automatiquement",
-        "sogo_access": "Autoriser la connexion directe à SOGo",
+        "sogo_access": "Redirection directe vers SOGo",
         "pushover": "Pushover",
         "pushover_sound": "Son"
     },
@@ -733,7 +784,11 @@
         "request_reset_password": "Demander le changement du mot de passe",
         "login_user": "Connexion Utilisateur",
         "login_dadmin": "Connexion Administrateur de domaine",
-        "login_admin": "Connexion Administrateur"
+        "login_admin": "Connexion Administrateur",
+        "login_linkstext": "L'identifiant n'est pas correct ?",
+        "login_usertext": "Se connecter en tant qu'utilisateur",
+        "login_domainadmintext": "Se connecter en tant qu'administrateur du domaine",
+        "login_admintext": "Se connecter en tant qu'administrateur"
     },
     "mailbox": {
         "action": "Action",
@@ -839,7 +894,7 @@
         "recipient_map_new": "Nouveau destinataire",
         "recipient_map_new_info": "La destination de la carte du destinataire doit être une adresse de courriel valide ou un nom de domaine.",
         "recipient_map_old": "Destinataire original",
-        "recipient_map_old_info": "Une carte de destination originale doit être une adresse de courriel valide ou un nom de domaine.",
+        "recipient_map_old_info": "La destination originale des cartes des destinataires doit être une adresse de courriel valide ou un nom de domaine.",
         "recipient_maps": "Cartes des bénéficiaires",
         "relay_all": "Relayer tous les destinataires",
         "remove": "Supprimer",
@@ -908,7 +963,8 @@
         "template": "Modèle",
         "syncjob_check_log": "Vérifier le journal",
         "recipient": "Destinataire",
-        "open_logs": "Afficher les journaux"
+        "open_logs": "Afficher les journaux",
+        "iam": "Fournisseur d'identité"
     },
     "oauth2": {
         "access_denied": "Veuillez vous connecter en tant que propriétaire de la boîte de réception pour accorder l’accès via Oauth2.",
@@ -1079,7 +1135,9 @@
         "recovery_email_sent": "Email de réinitialisation envoyé à %s",
         "mailbox_renamed": "La boîte de réception a été renommée de %s à %s",
         "template_modified": "Les modifications au modèle %s ont été enregistrées",
-        "password_policy_saved": "La politique de mot de passe a été enregistrée avec succès"
+        "password_policy_saved": "La politique de mot de passe a été enregistrée avec succès",
+        "custom_login_modified": "La personnalisation de la connexion a été sauvegardée avec succès",
+        "iam_test_connection": "Connexion réussie"
     },
     "tfa": {
         "api_register": "%s utilise l'API Yubico Cloud. Veuillez obtenir une clé API pour votre clé <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">ici</a>",
@@ -1259,8 +1317,8 @@
         "with_app_password": "avec le mot de passe de l'application",
         "apple_connection_profile_with_app_password": "Un nouveau mot de passe est généré et ajouté au profil, de sorte qu'aucun mot de passe ne doit être saisi lors de la configuration de votre appareil. Ne partagez pas le fichier car il vous donne un accès complet à votre boîte de réception.",
         "attribute": "Attribut",
-        "direct_protocol_access": "Cet utilisateur de la boîte aux lettres dispose d'un <b>accès externe direct</b> aux protocoles et applications suivants. Votre administrateur contrôle ce paramètre. Il est possible de créer des mots de passe d'application pour accorder l'accès à des protocoles et des applications individuels.<br>Le bouton « Connexion au webmail » permet une connexion unique à SOGo et est toujours disponible.",
-        "open_webmail_sso": "Connexion au webmail",
+        "direct_protocol_access": "Cet utilisateur de la boîte aux lettres dispose d'un <b>accès externe direct</b> aux protocoles et applications suivants. Votre administrateur contrôle ce paramètre. Il est possible de créer des mots de passe d'application pour accorder l'accès à des protocoles et des applications individuels.<br>Le bouton « Connexion au Webmail » permet une connexion unique à SOGo et est toujours disponible.",
+        "open_webmail_sso": "Connexion au Webmail",
         "recent_successful_connections": "Voir les connexions réussies",
         "syncjob_EXIT_TLS_FAILURE": "Problème de connexion chiffrée",
         "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problème d'authentification",
@@ -1289,7 +1347,9 @@
         "open_logs": "Afficher les journaux",
         "pushover_sound": "Son",
         "mailbox_general": "Général",
-        "mailbox_settings": "Paramètres"
+        "mailbox_settings": "Paramètres",
+        "tfa_info": "L'authentification à deux facteurs permet de protéger votre compte. Si vous l'activez, vous aurez besoin de mots de passe d'application pour vous connecter à des applications ou des services qui ne prennent pas en charge l'authentification à deux facteurs (par exemple les clients e-mails).",
+        "overview": "Vue d'ensemble"
     },
     "warning": {
         "cannot_delete_self": "Impossible de supprimer l’utilisateur connecté",
diff --git a/data/web/lang/lang.ru-ru.json b/data/web/lang/lang.ru-ru.json
index e9d856924..e17327978 100644
--- a/data/web/lang/lang.ru-ru.json
+++ b/data/web/lang/lang.ru-ru.json
@@ -359,7 +359,56 @@
         "username": "Имя пользователя",
         "validate_license_now": "Получить лицензию на основе GUID с сервера лицензий",
         "verify": "Проверить",
-        "yes": "&#10003;"
+        "yes": "&#10003;",
+        "force_sso_text": "Если настроен внешний провайдер OIDC, эта опция скрывает стандартные формы входа mailcow и показывает только кнопку Singe Sign-On",
+        "domainadmin_quicklink": "Скрыть ссылку на вход для администраторов домена",
+        "iam_periodic_full_sync": "Периодическая полная синхронизация",
+        "iam_sync_interval": "Интервал синхронизации/импорта (мин)",
+        "iam_use_tls_info": "При включённом TLS необходимо использовать стандартный порт LDAP-сервера (389). Порты SSL не подходят.",
+        "iam_use_ssl_info": "При включённом SSL, если указан порт 389, то вместо него автоматически будет использоваться порт 636.",
+        "quicklink_text": "Показать или скрыть ссылки для быстрого перехода к другим страницам входа под формой авторизации",
+        "iam_login_provisioning": "Автоматическое создание пользователей при входе в систему",
+        "iam_mapping": "Сопоставление атрибутов",
+        "iam_bindpass": "Bind пароль",
+        "iam_port": "Порт",
+        "iam_realm": "Realm",
+        "iam_redirect_url": "URL переадресации",
+        "iam_rest_flow": "Поток Mailpassword",
+        "iam_server_url": "URL сервера",
+        "iam_sso": "Технология единого входа (SSO)",
+        "iam_token_url": "Token endpoint",
+        "iam_userinfo_url": "User info endpoint",
+        "iam_username_field": "Поле имени пользователя",
+        "iam_binddn": "Bind DN",
+        "iam_use_ssl": "Использовать SSL",
+        "iam_use_tls": "Использовать StartTLS",
+        "iam_version": "Версия",
+        "ignore_ssl_error": "Игнорировать ошибки SSL",
+        "task": "Задача",
+        "user_link": "Пользовательская ссылка",
+        "user_quicklink": "Скрыть ссылку на вход для пользователей",
+        "app_hide": "Скрыть для входа",
+        "iam_test_connection": "Проверка соединения",
+        "login_page": "Страница входа",
+        "filter": "Фильтр",
+        "force_sso": "Отключить mailcow авторизацию и показывать только Singe Sign-On",
+        "iam": "Провайдер идентификации",
+        "iam_attribute_field": "Поле атрибута",
+        "iam_authorize_url": "Конечная точка авторизации",
+        "iam_auth_flow": "Процесс аутентификации",
+        "iam_auth_flow_info": "В дополнение к потоку кода авторизации (стандартный поток в Keycloak), который используется для Single-Sign On входа, mailcow также поддерживает поток аутентификации с непосредственными учетными данными. Поток Mailpassword пытается проверить учетные данные пользователя с помощью REST API администратора Keycloak. mailcow извлекает хешированный пароль из атрибута <code>mailcow_password</code>, который отображается в Keycloak.",
+        "iam_basedn": "Base DN",
+        "iam_client_id": "ID клиента",
+        "iam_client_secret": "Секрет клиента",
+        "iam_client_scopes": "Области действия клиента",
+        "iam_default_template": "Шаблон по умолчанию",
+        "iam_default_template_description": "Если пользователю не назначен шаблон, шаблон по умолчанию будет использоваться при создании почтового ящика, но не при обновлении почтового ящика.",
+        "iam_description": "Настройка внешнего провайдера для аутентификации<br>Почтовые ящики пользователей будут автоматически создаваться при первом входе в систему, если было задано сопоставление атрибутов.",
+        "iam_extra_permission": "Для работы следующих настроек клиенту mailcow в Keycloak необходима <code>служебная учетная запись</code> и разрешение на <code>просмотр пользователей</code>.",
+        "iam_host": "Хост",
+        "iam_host_info": "Укажите один или несколько LDAP-хостов через запятую.",
+        "iam_import_users": "Импорт пользователей",
+        "admin_quicklink": "Скрыть ссылку на вход для администраторов"
     },
     "danger": {
         "access_denied": "Доступ запрещён, или указаны неверные данные",
@@ -496,7 +545,11 @@
         "webauthn_publickey_failed": "Для выбранного аутентификатора не был сохранен открытый ключ",
         "webauthn_username_failed": "Выбранный аутентификатор принадлежит другой учетной записи",
         "webauthn_verification_failed": "Ошибка валидации WebAuthn: %s",
-        "yotp_verification_failed": "Ошибка валидации Yubico OTP: %s"
+        "yotp_verification_failed": "Ошибка валидации Yubico OTP: %s",
+        "generic_server_error": "На сервере произошла непредвиденная ошибка. Пожалуйста, свяжитесь с вашим администратором.",
+        "authsource_in_use": "Поставщик идентификационных данных не может быть изменен или удален, так как в данный момент он используется одним или несколькими пользователями.",
+        "iam_test_connection": "Ошибка соединения",
+        "required_data_missing": "Отсутствуют необходимые данные %s"
     },
     "datatables": {
         "collapse_all": "Свернуть все",
@@ -581,7 +634,7 @@
         "alias": "Изменить псевдоним",
         "allow_from_smtp": "Разрешить использование <b>SMTP</b> только для этих IP",
         "allow_from_smtp_info": "Укажите IPv4/IPv6 адреса и/или подсети.<br>Оставьте поле пустым, чтобы разрешить отправку с любых адресов.",
-        "allowed_protocols": "Разрешённые протоколы",
+        "allowed_protocols": "Разрешённые протоколы для прямого доступа пользователей (не влияет на протоколы паролей приложений)",
         "app_name": "Название приложения",
         "app_passwd": "Пароль приложения",
         "app_passwd_protocols": "Разрешенные протоколы для пароля приложения",
@@ -771,7 +824,14 @@
         "password": "Пароль",
         "request_reset_password": "Запросить восстановление пароля",
         "reset_password": "Восстановление пароля",
-        "username": "Имя пользователя"
+        "username": "Имя пользователя",
+        "login_linkstext": "Неправильный логин?",
+        "login_usertext": "Войти как пользователь",
+        "login_domainadmintext": "Войти как администратор домена",
+        "login_admintext": "Войти как администратор",
+        "login_user": "Вход для пользователей",
+        "login_dadmin": "Вход для администраторов домена",
+        "login_admin": "Вход для администраторов"
     },
     "mailbox": {
         "action": "Действия",
@@ -946,7 +1006,8 @@
         "username": "Имя пользователя",
         "waiting": "В ожидании",
         "weekly": "Раз в неделю",
-        "yes": "&#10003;"
+        "yes": "&#10003;",
+        "iam": "Поставщик идентификационных данных"
     },
     "oauth2": {
         "access_denied": "Пожалуйста, войдите в систему как владелец почтового аккаунта, чтобы получить доступ через OAuth2.",
@@ -1124,7 +1185,9 @@
         "verified_fido2_login": "Авторизация FIDO2 пройдена",
         "verified_totp_login": "Авторизация TOTP пройдена",
         "verified_webauthn_login": "Авторизация WebAuthn пройдена",
-        "verified_yotp_login": "Авторизация Yubico OTP пройдена"
+        "verified_yotp_login": "Авторизация Yubico OTP пройдена",
+        "iam_test_connection": "Успешное соединение",
+        "custom_login_modified": "Настройки входа успешно сохранены"
     },
     "tfa": {
         "api_register": "%s использует Yubico Cloud API. Пожалуйста, получите ключ API для вашего ключа <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">здесь</a>",
@@ -1191,7 +1254,7 @@
         "delete_ays": "Пожалуйста, подтвердите удаление",
         "direct_aliases": "Личные псевдонимы",
         "direct_aliases_desc": "На личные псевдонимы распространяются фильтры нежелательной почты и параметры политики TLS.",
-        "direct_protocol_access": "Этот пользователь почтового ящика имеет <b>прямой, внешний доступ</b> к следующим протоколам и приложениям. Эта настройка контролируется вашим администратором. Для предоставления доступа к отдельным протоколам и приложениям могут быть созданы пароли приложений.<br> Кнопка \"Вход в веб-почту\" обеспечивает единый вход в SOGo и всегда доступна.",
+        "direct_protocol_access": "Этот пользователь почтового ящика имеет <b>прямой, внешний доступ</b> к следующим протоколам и приложениям. Эта настройка контролируется вашим администратором. Для предоставления доступа к отдельным протоколам и приложениям могут быть созданы пароли приложений.<br> Кнопка \"Веб-почта\" обеспечивает единый вход в SOGo и всегда доступна.",
         "eas_reset": "Сбросить кеш ActiveSync устройств",
         "eas_reset_help": "Во многих случаях сброс кеша устройств помогает восстановить повреждённый профиль ActiveSync.<br><b>Внимание:</b> все письма, календари и контакты будут загружены заново на все ваши устройства!",
         "eas_reset_now": "Сбросить кеш сейчас",
@@ -1319,7 +1382,11 @@
         "weeks": "недели",
         "with_app_password": "с паролем приложения",
         "year": "год",
-        "years": "лет"
+        "years": "лет",
+        "authentication": "Аутентификация",
+        "tfa_info": "Двухфакторная аутентификация помогает защитить вашу учетную запись. Если вы включите эту функцию, вам понадобятся пароли приложений для входа в приложения или службы, которые не поддерживают двухфакторную аутентификацию (например, почтовые клиенты).",
+        "protocols": "Протоколы",
+        "overview": "Обзор"
     },
     "warning": {
         "cannot_delete_self": "Вы не можете удалить сами себя",
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 486e8dcc3..44541f7d1 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -395,7 +395,16 @@
         "ignore_ssl_error": "忽略 SSL 错误",
         "iam_auth_flow_info": "除了在单点登录（SSO）中使用的 Authorization Code 流程（在 Keycloak 中是标准流程）之外，mailcow 还支持使用 Credentials 的身份认证流程。Mailpassword 流程尝试通过 Keycloak 的 Admin REST API 验证用户凭据，mailcow 会从 Keycloak 中的 <code>mailcow_password</code> 属性中获取哈希后的密码。",
         "filter": "过滤",
-        "iam_extra_permission": "要使以下设置生效，Keycloak 中的 mailcow 客户端需要一个 <code>服务账户（Service account）</code> 以及 <code>查看用户（view-users）</code> 的权限。"
+        "iam_extra_permission": "要使以下设置生效，Keycloak 中的 mailcow 客户端需要一个 <code>服务账户（Service account）</code> 以及 <code>查看用户（view-users）</code> 的权限。",
+        "domainadmin_quicklink": "隐藏指向域管理员登陆页面的快捷链接",
+        "force_sso_text": "如果配置了外部的 OIDC 认证，这个选项隐藏默认的 mailcow 登陆界面，只显示单点登录（SSO）的按钮",
+        "iam_login_provisioning": "登录时自动创建用户",
+        "login_page": "登陆页面",
+        "iam_use_ssl_info": "如果使用了 SSL，且端口被设置为 389，该端口将自动被覆盖为 636。",
+        "quicklink_text": "显示或隐藏登陆表单下面指向其他登陆页面的快捷链接",
+        "user_quicklink": "隐藏指向用户登陆页面的快捷链接",
+        "admin_quicklink": "隐藏指向管理员登陆页面的快捷链接",
+        "force_sso": "强制要求单点登录（SSO）"
     },
     "danger": {
         "access_denied": "访问被拒绝或者表单数据无效",
@@ -788,7 +797,11 @@
         "invalid_pass_reset_token": "密码重置 token 无效或已过期。<br> 请重新获取新的密码重置链接。",
         "login_user": "用户登录",
         "login_dadmin": "域管理员登录",
-        "login_admin": "管理员登录"
+        "login_admin": "管理员登录",
+        "login_linkstext": "不是正确的登陆页面？",
+        "login_usertext": "以用户身份登陆",
+        "login_domainadmintext": "以域管理员身份登陆",
+        "login_admintext": "以管理员身份登陆"
     },
     "mailbox": {
         "action": "操作",
@@ -1143,7 +1156,8 @@
         "template_added": "新增了模板 %s",
         "template_modified": "模板 %s 的修改已保存",
         "template_removed": "模板 ID %s 已删除",
-        "iam_test_connection": "连接成功"
+        "iam_test_connection": "连接成功",
+        "custom_login_modified": "登陆选项保存成功"
     },
     "tfa": {
         "api_register": "%s 使用了 Yubico Cloud API，请<a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">在此</a>为你的密钥获取 API 密钥",

From 372923ae2fca354e843c8aa90dc3e32be86f8c37 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Mon, 19 May 2025 13:36:15 +0200
Subject: [PATCH 259/378] [Web] Updated lang.zh-cn.json (#6552)

Co-authored-by: Easton Man <me@eastonman.com>
---
 data/web/lang/lang.zh-cn.json | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 44541f7d1..3c46eb8a4 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -390,7 +390,7 @@
         "iam_username_field": "Username 域",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "使用 SSL",
-        "iam_use_tls": "使用 TLS",
+        "iam_use_tls": "使用  StartTLS",
         "iam_version": "版本",
         "ignore_ssl_error": "忽略 SSL 错误",
         "iam_auth_flow_info": "除了在单点登录（SSO）中使用的 Authorization Code 流程（在 Keycloak 中是标准流程）之外，mailcow 还支持使用 Credentials 的身份认证流程。Mailpassword 流程尝试通过 Keycloak 的 Admin REST API 验证用户凭据，mailcow 会从 Keycloak 中的 <code>mailcow_password</code> 属性中获取哈希后的密码。",
@@ -404,7 +404,8 @@
         "quicklink_text": "显示或隐藏登陆表单下面指向其他登陆页面的快捷链接",
         "user_quicklink": "隐藏指向用户登陆页面的快捷链接",
         "admin_quicklink": "隐藏指向管理员登陆页面的快捷链接",
-        "force_sso": "强制要求单点登录（SSO）"
+        "force_sso": "强制要求单点登录（SSO）",
+        "user_link": "自定义链接"
     },
     "danger": {
         "access_denied": "访问被拒绝或者表单数据无效",
@@ -690,7 +691,7 @@
         "sieve_desc": "简短描述",
         "sieve_type": "过滤器类型",
         "skipcrossduplicates": "跳过其他文件夹中已存在的邮件(保留已经存在的邮件)",
-        "sogo_access": "直接转发给 SOGo",
+        "sogo_access": "直接转到 SOGo",
         "sogo_access_info": "登录后，用户会自动跳转到 SOGo。",
         "sogo_visible": "SOGo 显示的别名",
         "sogo_visible_info": "此设置只影响 SOGo 上可显示的对象 (指向本地邮箱的共享或非共享别名地址)。如果设置为隐藏，则别名地址不会作为可选发件人的下拉项显示。",
@@ -905,7 +906,7 @@
         "recipient_map": "收件人映射",
         "recipient_map_info": "收件人映射用于在邮件被发送前替换收件人的地址。",
         "recipient_map_new": "新收件人",
-        "recipient_map_new_info": "新收件人必须为合法的邮箱地址。",
+        "recipient_map_new_info": "收件人映射的目标必须为合法的邮件地址或域名。",
         "recipient_map_old": "原收件人",
         "recipient_map_old_info": "原收件人必须为合法的邮箱地址。",
         "recipient_maps": "收件人映射",

From d4f899b091ed48e01fea3a674dd3278bf8b68caf Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Mon, 26 May 2025 11:35:34 +0200
Subject: [PATCH 260/378] compose: add selinux label to mysql-socket-vol to
 prevent "access denied" (#6560)

---
 docker-compose.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8f31c69c8..a67475316 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -24,7 +24,7 @@ services:
       stop_grace_period: 45s
       volumes:
         - mysql-vol-1:/var/lib/mysql/
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
         - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
       environment:
         - TZ=${TZ}
@@ -134,7 +134,7 @@ services:
         - ./data/web/inc/functions.ratelimit.inc.php:/mailcowauth/functions.ratelimit.inc.php:z
         - ./data/web/inc/functions.acl.inc.php:/mailcowauth/functions.acl.inc.php:z
         - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
         - ./data/conf/sogo/:/etc/sogo/:z
         - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
         - ./data/conf/phpfpm/crons:/crons:z
@@ -230,7 +230,7 @@ services:
         - ./data/conf/sogo/custom-fulllogo.png:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-logo.png:z
         - ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z
         - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
         - sogo-web-vol-1:/sogo_web
         - sogo-userdata-backup-vol-1:/sogo_backup
       labels:
@@ -272,7 +272,7 @@ services:
         - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
         - ./data/assets/templates:/templates:z
         - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
       environment:
         - DOVECOT_MASTER_USER=${DOVECOT_MASTER_USER:-}
         - DOVECOT_MASTER_PASS=${DOVECOT_MASTER_PASS:-}
@@ -351,7 +351,7 @@ services:
         - postfix-vol-1:/var/spool/postfix
         - crypt-vol-1:/var/lib/zeyple
         - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
       environment:
         - LOG_LINES=${LOG_LINES:-9999}
         - TZ=${TZ}
@@ -470,7 +470,7 @@ services:
         - ./data/web/.well-known/acme-challenge:/var/www/acme:z
         - ./data/assets/ssl:/var/lib/acme/:z
         - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
       restart: always
       networks:
         mailcow-network:
@@ -505,7 +505,7 @@ services:
         - /tmp
       volumes:
         - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - mysql-socket-vol-1:/var/run/mysqld/:z
         - postfix-vol-1:/var/spool/postfix
         - ./data/assets/ssl:/etc/ssl/mail/:ro,z
       restart: always

From 407e9d358488f6fde5ce000eff14943ec362be97 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 12 Jun 2025 13:13:57 +0200
Subject: [PATCH 261/378] Translations update from Weblate (#6582)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [Web] Updated lang.en-gb.json

[Web] Updated lang.en-gb.json

Co-authored-by: Filip Hajny <filip@hajny.net>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.cs-cz.json

Co-authored-by: Filip Hajny <filip@hajny.net>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.si-si.json

[Web] Updated lang.si-si.json

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.it-it.json

Co-authored-by: Stefano <stefano.vassena@gmail.com>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

---------

Co-authored-by: Filip Hajny <filip@hajny.net>
Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
Co-authored-by: Stefano <stefano.vassena@gmail.com>
---
 data/web/lang/lang.cs-cz.json | 183 ++++++++++++++-----
 data/web/lang/lang.en-gb.json |   4 +-
 data/web/lang/lang.it-it.json |  42 ++++-
 data/web/lang/lang.si-si.json | 334 ++++++++++++++++++++++++++++++++--
 4 files changed, 498 insertions(+), 65 deletions(-)

diff --git a/data/web/lang/lang.cs-cz.json b/data/web/lang/lang.cs-cz.json
index 67eb52baa..b33332f66 100644
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -1,7 +1,7 @@
 {
     "acl": {
         "alias_domains": "Doménové aliasy",
-        "app_passwds": "Hesla aplikací",
+        "app_passwds": "Správa hesel aplikací",
         "bcc_maps": "BCC mapy",
         "delimiter_action": "Zacházení s označkovanou poštou",
         "domain_desc": "Změnit popis domény",
@@ -82,12 +82,12 @@
         "password": "Heslo",
         "password_repeat": "Potvrzení nového hesla (opakujte)",
         "port": "Port",
-        "post_domain_add": "Po přidání nové domény je nutné restartovat SOGo kontejner!",
+        "post_domain_add": "Po přidání nové domény se musí restartovat kontejner SOGo!<br><br>Je také třeba ověřit nastavení DNS nové domény. Po ověření restartujte kontejner \"acme-mailcow\", aby se vygenerovaly certifikáty domény (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Tento krok je volitelný, a provede se automaticky každých 24 hodin.",
         "private_comment": "Soukromý komentář",
         "public_comment": "Veřejný komentář",
         "quota_mb": "Kvóta (MiB)",
         "relay_all": "Předávání všech příjemců",
-        "relay_all_info": "<small>Pokud se rozhodnete <b>nepředávat</b> všechny příjemce, musíte přidat prázdnou mailovou schránku pro každého příjemce, který se má předávat.</small>",
+        "relay_all_info": "↪Pokud se rozhodnete <b>nepředávat</b> všechny příjemce, musíte přidat prázdnou mailovou schránku pro každého příjemce, který se má předávat.",
         "relay_domain": "Předávání domény",
         "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Info</div> U této domény lze pro konkrétní cíl nastavit transportní mapu. Není-li nastavena, použije se MX záznam.",
         "relay_unknown_only": "Předávat jen neexistující schránky. Doručení do existujících proběhne lokálně.",
@@ -183,7 +183,7 @@
         "f2b_ban_time": "Doba blokování (s)",
         "f2b_blacklist": "Sítě/hostitelé na blacklistu",
         "f2b_filter": "Regex filtre",
-        "f2b_list_info": "Síť nebo hostitelé na blacklistu mají vždy větší váhu než položky na whitelistu. Blacklist se sestavuje vždy při startu kontejneru.",
+        "f2b_list_info": "Síť nebo hostitelé na blacklistu mají vždy větší váhu než položky na whitelistu. <b>Každá úprava seznamů trvá pár sekund.</b>",
         "f2b_max_attempts": "Max. pokusů",
         "f2b_netban_ipv4": "Rozsah IPv4 podsítě k zablokování (8-32)",
         "f2b_netban_ipv6": "Rozsah IPv6 podsítě k zablokování (8-128)",
@@ -256,7 +256,7 @@
         "quarantine_exclude_domains": "Vyloučené domény a doménové aliasy",
         "quarantine_max_age": "Maximální stáří ve dnech<br><small>Hodnota musí být rovna nebo větší než 1 den.</small>",
         "quarantine_max_score": "Neposílat notifikace pokud je spam skóre větší než hodnota:<br><small>Výchozí je 9999.0</small>",
-        "quarantine_max_size": "Maximální velikost v MiB (větší prvky budou smazány)<br />0 <b>neznamená</b> neomezeno.",
+        "quarantine_max_size": "Maximální velikost v MiB (větší prvky budou smazány)<br /><small>0 <b>neznamená</b> neomezeno.</small>",
         "quarantine_notification_html": "Šablona upozornění:<br><small>Ponechte prázdné, aby se obnovila výchozí šablona.</small>",
         "quarantine_notification_sender": "Odesílatel upozornění",
         "quarantine_notification_subject": "Předmět upozornění",
@@ -264,7 +264,7 @@
         "quarantine_release_format": "Formát propuštěných položek",
         "quarantine_release_format_att": "Jako příloha",
         "quarantine_release_format_raw": "Nezměněný originál",
-        "quarantine_retention_size": "Počet zadržených zpráv na mailovou schránku<br />0 znamená <b>neaktivní</b>.",
+        "quarantine_retention_size": "Počet zadržených zpráv na mailovou schránku<br /><small>0 znamená <b>neaktivní</b>.</small>",
         "quota_notification_html": "Šablona upozornění:<br><small>Ponechte prázdné, aby se obnovila výchozí šablona.</small>",
         "quota_notification_sender": "Odesílatel upozornění",
         "quota_notification_subject": "Předmět upozornění",
@@ -283,7 +283,7 @@
         "relay_rcpt": "\"Komu:\" adresa",
         "relay_run": "Provést test",
         "relayhosts": "Transporty podle odesílatele",
-        "relayhosts_hint": "Zde definujte transporty podle odesílatele, jež pak můžete použít v nastavení domény.<br>\r\nProtokol transportu je vždy \"smtp:\". Bere se v potaz uživatelské nastavení odchozího TLS.",
+        "relayhosts_hint": "Zde definujte transporty podle odesílatele, jež pak můžete použít v nastavení domény.<br>\nProtokol transportu je vždy \"smtp:\" a použije se TLS, je-li nabídnuto. Zabalené TLS (SMTPS) se nepodporuje. Bere se v potaz uživatelské nastavení odchozího TLS.<br>\nTýká se vybraných domén včetně doménových aliasů.",
         "remove": "Smazat",
         "remove_row": "Smazat řádek",
         "reset_default": "Obnovit výchozí nastavení",
@@ -299,7 +299,7 @@
         "rsettings_preset_2": "Postmasteři chtějí dostávat spam",
         "rsettings_preset_3": "Povolit jen určité odesílatele pro schránku (např. jen interní schránka)",
         "rsettings_preset_4": "Deaktivujte Rspamd pro doménu",
-        "rspamd_com_settings": "<a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd dokumentace</a>\r\n  - Název nastavení bude automaticky vygenerován, viz níže uvedené předvolby.",
+        "rspamd_com_settings": "Název nastavení se vygeneruje automaticky, viz ukázky nastavení níže. Více informací viz <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd dokumentace</a>",
         "rspamd_global_filters": "Mapa globálních filtrů",
         "rspamd_global_filters_agree": "Budu opatrný!",
         "rspamd_global_filters_info": "Mapa globálních filtrů obsahuje jiné globální black- a whitelisty.",
@@ -324,8 +324,8 @@
         "to_top": "Zpět na začátek",
         "transport_dest_format": "Formát: example.org, .example.org, *, box@example.org (vícero položek lze oddělit čárkou)",
         "transport_maps": "Transportní mapy",
-        "transport_test_rcpt_info": "&#8226; Na otestování odchozí pošty je možné použít null@hosted.mailcow.de jako adresáta",
-        "transports_hint": "→ Položka transportní mapy <b>přebíjí</b> transportní mapu podle odesílatele</b>.<br>\r\n→ Uživatelské nastavení odchozího TLS se ignoruje a lze je výhradně vynutit mapováním TLS pravidel.<br>\r\n→ Protokol transportu je vždy \"smtp:\".<br>\r\n→ Adresy, jež odpovídají výrazu \"/localhost$/\", se vždy předají přes \"local:\", takže nejsou zahrnuty do definice cíle \"*\".<br>\r\n→ Pro stanovení přihlašovacích údajů dalšího skoku, např. \"[host]:25\", bude Postfix <b>vždy</b> hledat nejdříve \"host\" a teprve pak \"[host]:25\". Kvůli tomu nelze použít současně \"host\" a \"[host]:25\"",
+        "transport_test_rcpt_info": "&#8226; K otestování předávání pošty ven použijte null@hosted.mailcow.de.",
+        "transports_hint": "&#8226; Položka transportní mapy <b>přebíjí</b> transportní mapu podle odesílatele</b>.<br>\n&#8226; Transporty založené na MX mají přednost.<br>\n&#8226; Uživatelské nastavení odchozího TLS se ignoruje a lze je vynutit výhradně mapou TLS pravidel.<br>\n&#8226; Transportní služnou pro tyto transporty je vždy \"smtp:\" a použije se TLS, je-li nabídnuto. Zabalené TLS (SMTPS) se nepodporuje.<br>\n&#8226; Adresy, jež odpovídají výrazu \"/localhost$/\", se vždy předají přes \"local:\", takže nejsou zahrnuty do definice cíle \"*\".<br>\n&#8226; Pro stanovení přihlašovacích údajů dalšího skoku, např. \"[host]:25\", bude Postfix <b>vždy</b> hledat nejdříve \"host\" a teprve pak \"[host]:25\". Kvůli tomu nelze použít současně \"host\" a \"[host]:25\".",
         "ui_footer": "Pata stránka (HTML povoleno)",
         "ui_header_announcement": "Oznámení",
         "ui_header_announcement_active": "Nastavit jako aktivní",
@@ -344,17 +344,70 @@
         "validate_license_now": "Ověřit GUID na licenčním serveru",
         "verify": "Ověřit",
         "yes": "&#10003;",
-        "f2b_ban_time_increment": "Délka banu je prodlužována s každým dalším banem",
-        "f2b_max_ban_time": "Maximální délka banu (s)",
+        "f2b_ban_time_increment": "Délka bloku se prodlužuje s každým dalším zablokováním",
+        "f2b_max_ban_time": "Maximální délka bloku (s)",
         "cors_settings": "Nastavení CORS",
-        "queue_unban": "zrušit ban",
+        "queue_unban": "odblokovat",
         "password_reset_info": "Pokud není zadán žádný e-mail pro obnovení, nelze tuto funkci použít.",
         "password_reset_settings": "Nastavení obnovení hesla",
         "password_settings": "Nastavení hesel",
         "password_reset_tmpl_html": "HTML šablona",
         "password_reset_tmpl_text": "Textová šablona",
         "reset_password_vars": "<code>{{link}}</code> Vygenerovaný odkaz pro obnovení hesla<br><code>{{username}}</code> Název mailboxu uživatele, který požádal o resetování hesla.<br><code>{{username2}}</code> Název schránky pro obnovení<br><code>{{date}}</code> Datum podání žádosti o obnovení hesla<br><code>{{token_lifetime}}</code> Délka životnosti tokenu v minutách<br><code>{{hostname}}</code> Název serveru mailcow",
-        "restore_template": "Ponechte prázdné pro obnovení výchozí šablony."
+        "restore_template": "Ponechte prázdné pro obnovení výchozí šablony.",
+        "copy_to_clipboard": "Text zkopírován do schránky!",
+        "iam_login_provisioning": "Automaticky vytvořit uživatele při přihlášení",
+        "user_quicklink": "Skrýt zkratku na přihlášení uživatele",
+        "domainadmin_quicklink": "Skrýt zkratku na přihlášení správce domény",
+        "iam_auth_flow_info": "Kromě metody autorizačního kódu (Authorization Code Flow, výchozího v Keycloaku), jež se používá pro SSO, podporuje mailcow také metody autentizaci přímo pomocí přihlašovacích údajů. The metoda Mailpassword Flow se pokusí ověřit přihlašovací údaje uživatele přímo v Admin REST API Keycloaku. mailcow získá hash hesla z atributu <code>mailcow_password</code> , namapovaného v Keycloaku.",
+        "iam_default_template_description": "Nemá-li uživatel přiřazenu šablonu, použije se výchozí šablona k vytvoření schránky, ale ne k její úpravě či aktualizaci.",
+        "iam_userinfo_url": "Koncový bod pro informace o uživatelích",
+        "iam_redirect_url": "URL přesměrování",
+        "user_link": "Odkaz pro uživatele",
+        "force_sso_text": "Je-li nastaven externí poskytovatel OIDC, zapnutím této volby skryjete výchozí přihlašovací formulář. Zůstane vidět jen tlačítko pro SSO",
+        "iam_mapping": "Mapování atributů",
+        "iam_bindpass": "Heslo pro bind",
+        "iam_periodic_full_sync": "Pravidelná úplná synchronizace",
+        "iam_port": "Port",
+        "iam_realm": "Realm",
+        "iam_rest_flow": "Mailpassword Flow",
+        "iam_server_url": "URL serveru",
+        "iam_sso": "Single Sign-On",
+        "iam_sync_interval": "Interval synchronizace/importu (min)",
+        "iam_test_connection": "Test spojení",
+        "iam_token_url": "Koncový bod pro tokeny",
+        "iam_username_field": "Pole uživatelského jména",
+        "iam_binddn": "Doména pro bind",
+        "iam_use_ssl": "Používat SSL",
+        "iam_use_tls": "Používat StartTLS",
+        "iam_version": "Verze",
+        "quicklink_text": "Zobrazení zkratek k dalším přihlašovacím stránkám",
+        "iam_use_tls_info": "Je-li zapnuto TLS, musí se používat standardní port pro LDAP (389). Port SSL nelze použít.",
+        "ignore_ssl_error": "Ignorovat chyby SSL",
+        "iam_use_ssl_info": "Je-li zapnuto SSL a nastaven port 389, použije se automaticky port 636.",
+        "task": "Úloha",
+        "app_hide": "Skrýt při přihlášení",
+        "admin_quicklink": "Skrýt zkratku na přihlášení správce",
+        "allowed_methods": "Access-Control-Allow-Methods",
+        "allowed_origins": "Access-Control-Allow-Origin",
+        "login_page": "Přihlašovací stránka",
+        "f2b_manage_external": "Spravovat Fail2Ban externě",
+        "f2b_manage_external_info": "Fail2ban bude udržovat seznam zakázaných adres, ale nebude aktivně nastavovat pravidla blokování. Pro blokování použijte seznam adres níže.",
+        "filter": "Filtr",
+        "force_sso": "Vypnout přihlášení mailcow a ponechat jen SSO",
+        "iam": "Poskytovatel identity",
+        "iam_attribute_field": "Pole atributu",
+        "iam_authorize_url": "Autorizační koncový bod",
+        "iam_basedn": "Doména (Base DN)",
+        "iam_client_id": "ID klienta",
+        "iam_client_secret": "Tajný kód klienta",
+        "iam_client_scopes": "Scopes klienta",
+        "iam_default_template": "Výchozí šablona",
+        "iam_description": "Nastavení externího poskytovatele ověření<br>Schránky uživatele se vytvoří po prvním přihlášení automaticky, pokud je tedy nastaveno mapování atributů.",
+        "iam_extra_permission": "Aby vše fungovalo, musí mít mailcow klient v Keycloaku nastavený  <code>servisní účet</code> a povolení <code>view-users</code>.",
+        "iam_host": "Hostitel",
+        "iam_host_info": "Zadejte jeden či více hostitelů, oddělte čárkou",
+        "iam_import_users": "Importovat uživatele"
     },
     "danger": {
         "access_denied": "Přístup odepřen nebo jsou neplatná data ve formuláři",
@@ -408,7 +461,7 @@
         "is_alias": "%s je již známa jako adresa aliasu",
         "is_alias_or_mailbox": "%s je již známa jako adresa aliasu, mailové schránky nebo aliasu rozvedeného z aliasu domény.",
         "is_spam_alias": "%s je již známa jako adresa spamového aliasu",
-        "last_key": "Nelze smazat poslední klíč",
+        "last_key": "Nelze smazat poslední klíč, vypněte tedy celé TFA.",
         "login_failed": "Přihlášení selhalo",
         "mailbox_defquota_exceeds_mailbox_maxquota": "Výchozí kvóta překračuje maximální kvótu schránky\"",
         "mailbox_invalid": "Název mailové schránky je neplatný",
@@ -486,7 +539,16 @@
         "demo_mode_enabled": "Demo režim je zapnutý",
         "recovery_email_failed": "Nepodařilo se odeslat e-mail pro obnovení. Obraťte se prosím na svého správce.",
         "password_reset_invalid_user": "Mailbox nebyl nalezen nebo není nastaven žádný e-mail pro obnovu",
-        "password_reset_na": "Obnovení hesla není v současné době k dispozici. Obraťte se prosím na svého správce."
+        "password_reset_na": "Obnovení hesla není v současné době k dispozici. Obraťte se prosím na svého správce.",
+        "generic_server_error": "Došlo k nečekané chybě. Obraťte se na vašeho správce.",
+        "to_invalid": "Adresát nemůže být prázdný",
+        "authsource_in_use": "Poskytovatele identity nelze změnit nebo odstranit, neboť se právě používá pro jednoho či více uživatelů.",
+        "iam_test_connection": "Spojení selhalo",
+        "img_dimensions_exceeded": "Obrázek je větší než povolené rozměry",
+        "img_size_exceeded": "Obrázek má větší než povolenou velikost souboru",
+        "invalid_reset_token": "Neplatný resetovací token",
+        "required_data_missing": "Chybí potřebný údaj %s",
+        "reset_token_limit_exceeded": "Byl překročen limit na reset tokeny. Zkuste to později."
     },
     "datatables": {
         "emptyTable": "Tabulka neobsahuje žádná data",
@@ -548,7 +610,8 @@
         "update_failed": "Nepodařilo se zkontrolovat aktualizace",
         "wip": "Nedokončená vývojová verze",
         "memory": "Paměť",
-        "container_disabled": "Kontejner je zastaven nebo zakázán"
+        "container_disabled": "Kontejner je zastaven nebo zakázán",
+        "cores": "jádra"
     },
     "diagnostics": {
         "cname_from_a": "Hodnota odvozena z A/AAAA záznamu. Lze použít, pokud záznam ukazuje na správný zdroj.",
@@ -569,7 +632,7 @@
         "alias": "Upravit alias",
         "allow_from_smtp": "Umožnit pouze těmto IP adresám používat <b>SMTP</b>",
         "allow_from_smtp_info": "Nechte prázdné pro povolení všech odesílatelů.<br>IPv4/IPv6 adresy a sítě.",
-        "allowed_protocols": "Povolené protokoly",
+        "allowed_protocols": "Povolené protokoly pro přímá spojení (netýká se protokolů na změnu hesla)",
         "app_name": "Název aplikace",
         "app_passwd": "Heslo aplikace",
         "app_passwd_protocols": "Povolené protokoly pro hesla aplikací",
@@ -607,7 +670,7 @@
         "inactive": "Neaktivní",
         "kind": "Druh",
         "last_modified": "Naposledy změněn",
-        "lookup_mx": "Cíl je regulární výraz který se shoduje s MX záznamem (<code>.*\\.google\\.com</code> směřuje veškerou poštu na MX které jsou cílem pro google.com přes tento skok)",
+        "lookup_mx": "Cíl je regulární výraz, jenž se porovná s MX záznamem (např. <code>.*\\.google\\.com</code> na tento skok nasměruje veškerou poštu s MX, jež končí na *.google.com)",
         "mailbox": "Úprava mailové schránky",
         "mailbox_quota_def": "Výchozí kvóta schránky",
         "mailbox_relayhost_info": "Aplikované jen na uživatelskou schránku a přímé aliasy, přepisuje předávající server domény.",
@@ -641,7 +704,7 @@
         "ratelimit": "Omezení přenosu",
         "redirect_uri": "URL přesměrování/odvolání",
         "relay_all": "Předávání všech příjemců",
-        "relay_all_info": "<small>Pokud se rozhodnete <b>nepředávat</b> všechny příjemce, musíte přidat prázdnou mailovou schránku pro každého příjemce, který se má předávat.</small>",
+        "relay_all_info": "↪ Pokud se rozhodnete <b>nepředávat</b> všechny příjemce, musíte přidat prázdnou mailovou schránku pro každého příjemce, který se má předávat.",
         "relay_domain": "Předávání domény",
         "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Info</div> U této domény lze pro konkrétní cíl nastavit transportní mapu. Není-li nastavena, použije se MX záznam.",
         "relay_unknown_only": "Předávat jen neexistující schránky. Doručení do existujících proběhne lokálně.",
@@ -666,7 +729,7 @@
         "spam_score": "Nastavte vlastní skóre spamu",
         "subfolder2": "Synchronizace do podsložky v cílovém umístění<br><small>(prázdné = nepoužívat podsložku)</small>",
         "syncjob": "Upravit synchronizační úlohu",
-        "target_address": "Cílová adresa/y<br /> <small>(oddělte čárkou)</small>",
+        "target_address": "Cílová adresa/y <small>(oddělte čárkou)</small>",
         "target_domain": "Cílová doména",
         "timeout1": "Časový limit pro připojení ke vzdálenému serveru",
         "timeout2": "Časový limit pro připojení k lokálnímu serveru",
@@ -690,7 +753,13 @@
         "custom_attributes": "Vlastní atributy",
         "footer_exclude": "Vyloučit ze zápatí",
         "domain_footer_skip_replies": "Ignorovat patičku u odpovědí na e-maily",
-        "password_recovery_email": "E-mail pro obnovu hesla"
+        "password_recovery_email": "E-mail pro obnovu hesla",
+        "mailbox_rename": "Přejmenovat schránku",
+        "mailbox_rename_agree": "Mám vytvořenou zálohu.",
+        "mailbox_rename_warning": "DŮLEŽITÉ! Vytvořte si zálohu schránky, než ji přejmenujete.",
+        "mailbox_rename_alias": "Automaticky vytvořit alias",
+        "mailbox_rename_title": "Nový název zdejší schránky",
+        "pushover": "Pushover"
     },
     "fido2": {
         "confirm": "Potvrdit",
@@ -711,7 +780,7 @@
         "cancel": "Zrušit",
         "confirm_delete": "Potvdit smazání",
         "delete_now": "Smazat",
-        "delete_these_items": "Prosím potvrďte změny objektu id:",
+        "delete_these_items": "Prosím potvrďte změny objektu id",
         "hibp_check": "Ověřit heslo v databázi hacknutých hesel haveibeenpwned.com",
         "hibp_nok": "Nalezeno! Toto je potenciálně nebezpečné heslo!",
         "hibp_ok": "Nebyla nalezena žádná shoda.",
@@ -720,12 +789,12 @@
         "restart_container": "Restartovat kontejner",
         "restart_container_info": "<b>Důležité:</b> Šetrný restart může chvíli trvat, prosím čekejte...",
         "restart_now": "Restartovat nyní",
-        "restarting_container": "Restartuje se kontejner, může to chvilku trvat..."
+        "restarting_container": "Restartuje se kontejner, může to chvilku trvat"
     },
     "header": {
         "administration": "Hlavní nastavení",
         "apps": "Aplikace",
-        "debug": "Systémové informace",
+        "debug": "Informace",
         "email": "E-Mail",
         "mailcow_system": "Systém",
         "mailcow_config": "Nastavení",
@@ -753,7 +822,14 @@
         "new_password": "Nové heslo",
         "new_password_confirm": "Ověření nového hesla",
         "reset_password": "Obnovit heslo",
-        "request_reset_password": "Požádat o změnu hesla"
+        "request_reset_password": "Požádat o změnu hesla",
+        "login_domainadmintext": "Přihlášení správce domény",
+        "login_linkstext": "Hledáte jinou přihlašovací stránku?",
+        "login_usertext": "Přihlášení uživatele",
+        "login_admintext": "Přihlášení správce",
+        "login_user": "Přihlášení uživatele",
+        "login_dadmin": "Přihlášení správce domény",
+        "login_admin": "Přihlášení správce"
     },
     "mailbox": {
         "action": "Akce",
@@ -785,7 +861,7 @@
         "bcc": "BCC",
         "bcc_destination": "Cíl kopie",
         "bcc_destinations": "Cíl kopií",
-        "bcc_info": "Skryté kopie (Mapa BCC) se používá pro tiché předávání kopií všech zpráv na jinou adresu. Při použití skryté kopie typu <i>Přijatý e-mail</i> budou přeposlány všechny maily směřující na dotyčnou adresu nebo doménu.\nU typu <i>Odeslaný e-mail</i> budou přeposlány všechny maily odeslané z dotyčné adresy nebo domény.\nPokud selže přeposlání na cílovou adresu, tak odesílatel o tom nebude informován.",
+        "bcc_info": "Skrytá kopie (mapa BCC) se používá pro tiché předávání kopií všech zpráv na jinou adresu. Mapa příjemců se použije, funguje-li je místní cíl jako adresát zprávy. Totéž platí pro mapy odesílatelů.\nMístní cíl se nedozví, selže-li doručení na cíl BCC.",
         "bcc_local_dest": "Týká se",
         "bcc_map": "Skrytá kopie",
         "bcc_map_type": "Typ skryté kopie",
@@ -840,7 +916,7 @@
         "last_run_reset": "Znovu naplánovat",
         "mailbox": "Mailová schránka",
         "mailbox_defaults": "Výchozí nastavení",
-        "mailbox_defaults_info": "Definuje výchozí nastavení pro nové schránky",
+        "mailbox_defaults_info": "Definuje výchozí nastavení pro nové schránky.",
         "mailbox_defquota": "Výchozí velikost schránky",
         "mailbox_templates": "Šablony schránek",
         "mailbox_quota": "Max. velikost schránky",
@@ -860,7 +936,7 @@
         "private_comment": "Soukromý komentář",
         "public_comment": "Veřejný komentář",
         "q_add_header": "Složka nevyžádaná pošta",
-        "q_all": "Všechny kategorie",
+        "q_all": " Nevyžádaná pošta a Odmítnuta",
         "q_reject": "Odmítnuta",
         "quarantine_category": "Kategorie oznámení karantény",
         "quarantine_notification": "Upozornění z karantény",
@@ -869,7 +945,7 @@
         "recipient_map": "Mapa příjemce",
         "recipient_map_info": "Mapy příjemců slouží k nahrazení cílové adresy zprávy před doručením.",
         "recipient_map_new": "Nový přijemce",
-        "recipient_map_new_info": "Cílová adresa mapy příjemce musí být emailová adresa nebo název domény.",
+        "recipient_map_new_info": "Cílovou adresou mapy příjemců musí být emailová adresa nebo název domény.",
         "recipient_map_old": "Původní příjemce",
         "recipient_map_old_info": "Původní příjemce musí být platná emailová adresa nebo název domény.",
         "recipient_maps": "Mapy příjemců",
@@ -888,7 +964,7 @@
         "sieve_preset_5": "Automatický odpovídač (dovolená)",
         "sieve_preset_6": "Odmítnout zprávu s odpovědí",
         "sieve_preset_7": "Přesměrovat a ponechat/zahodit",
-        "sieve_preset_8": "Zahodit zprávu poslanou na alias, do něhož patří i odesílatel",
+        "sieve_preset_8": "Zprávu od určitého odesílatele přesměrovat, označit jako přečtenou a uložit do složky",
         "sieve_preset_header": "Vizte následující ukázková pravidla. Více informací na <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedii</a>.",
         "sogo_visible": "Alias dostupný v SOGo",
         "sogo_visible_n": "Skrýt alias v SOGo",
@@ -928,7 +1004,8 @@
         "waiting": "Čekání",
         "weekly": "Každý týden",
         "yes": "&#10003;",
-        "relay_unknown": "Předávání neexistujících schránek"
+        "relay_unknown": "Předávání neexistujících schránek",
+        "iam": "Poskytovatel identity"
     },
     "oauth2": {
         "access_denied": "K udělení přístupu se přihlašte jako vlastník mailové schránky.",
@@ -936,7 +1013,7 @@
         "deny": "Zamítnout",
         "permit": "Ověřit aplikaci",
         "profile": "Profil",
-        "profile_desc": "Zobrazit osobní údaje: uživ. jméno, jméno, datum vytvoření a úpravy, stav",
+        "profile_desc": "Zobrazit osobní údaje: uživ. jméno, celé jméno, datum vytvoření a úpravy, stav",
         "scope_ask_permission": "Aplikace požádala o následující oprávnění"
     },
     "quarantine": {
@@ -1066,7 +1143,7 @@
         "logged_in_as": "Přihlášen jako %s",
         "mailbox_added": "Mailová schránka %s přidána",
         "mailbox_modified": "Změny mailové schránky %s uloženy",
-        "mailbox_removed": "Mailová schránka %s  odebrána",
+        "mailbox_removed": "Mailová schránka %s odstraněna",
         "nginx_reloaded": "Nginx reload byl úspěšný",
         "object_modified": "Změny objektu %s uloženy",
         "password_policy_saved": "Politika hesel byla úspěšně uložena",
@@ -1100,7 +1177,14 @@
         "verified_yotp_login": "Yubico OTP přihlášení ověřeno",
         "cors_headers_edited": "Nastavení CORS byla uložena",
         "domain_footer_modified": "Změny patičky domény %s byly uloženy",
-        "recovery_email_sent": "E-mail k obnovení byl odeslán na adresu %s"
+        "recovery_email_sent": "E-mail k obnovení byl odeslán na adresu %s",
+        "custom_login_modified": "Úpravy přihlašování úspěšně uloženy",
+        "domain_add_dkim_available": "Klíč DKIM už existoval",
+        "f2b_banlist_refreshed": "Seznam zákazů úspěšně obnoven",
+        "iam_test_connection": "Spojení úspěšně navázano",
+        "ip_check_opt_in_modified": "Kontrola IP adresy úspěšně uložena",
+        "mailbox_renamed": "Schránka přejmenována z %s na %s",
+        "password_changed_success": "Heslo úspěšně změněno"
     },
     "tfa": {
         "api_register": "%s používá Yubico Cloud API. Prosím získejte API klíč pro své Yubico <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">ZDE</a>",
@@ -1116,7 +1200,7 @@
         "none": "Deaktivovat",
         "reload_retry": "- (znovu načtěte stránku, opakuje-li se chyba)",
         "scan_qr_code": "Prosím načtěte následující kód svou aplikací na ověření nebo zadejte kód ručně.",
-        "select": "Prosím vyberte...",
+        "select": "Vyberte prosím",
         "set_tfa": "Nastavení způsobu dvoufaktorového ověření",
         "start_webauthn_validation": "Zahájit inicializaci",
         "tfa": "Dvoufaktorové ověření (TFA)",
@@ -1125,7 +1209,10 @@
         "webauthn": "WebAuthn ověření",
         "waiting_usb_auth": "<i>Čeká se na USB zařízení...</i><br><br>Prosím stiskněte tlačítko na svém WebAuthn USB zařízení.",
         "waiting_usb_register": "<i>Čeká se na USB zařízení...</i><br><br>Prosím zadejte své heslo výše a potvrďte WebAuthn registraci stiskem tlačítka na svém WebAuthn USB zařízení.",
-        "yubi_otp": "Yubico OTP ověření"
+        "yubi_otp": "Yubico OTP ověření",
+        "u2f_deprecated": "Zdá se, že váš klíč byl registrován zastaralou metodou U2F. Dojde k deaktivaci dvoufaktorové autentifikace a smazání klíče.",
+        "authenticators": "Autentifikátory",
+        "u2f_deprecated_important": "Registrujte svůj klíč novou metodou WebAuthn ve správě správců"
     },
     "user": {
         "action": "Akce",
@@ -1141,7 +1228,7 @@
         "alias_time_left": "Zbývající čas",
         "alias_valid_until": "Platný do",
         "aliases_also_send_as": "Smí odesílat také jako uživatel",
-        "aliases_send_as_all": "Nekontrolovat přístup odesílatele pro následující doménu(y) a jejich aliasy domény:",
+        "aliases_send_as_all": "Nekontrolovat přístup odesílatele pro následující doménu(y) a jejich aliasy",
         "allowed_protocols": "Povolené protokoly",
         "app_hint": "Hesla aplikací jsou alternativní heslo pro přihlášení k IMAP, SMTP, CalDAV, CardDAV a EAS. Uživatelské jméno zůstává stejné.<br>SOGo však nelze s heslem aplikace použít.",
         "app_name": "Název aplikace",
@@ -1162,8 +1249,8 @@
         "description": "Popis",
         "delete_ays": "Potvrďte odstranění.",
         "direct_aliases": "Přímé aliasy",
-        "direct_aliases_desc": "Na přímé aliasy se uplatňuje filtr spamu a nastavení pravidel TLS",
-        "direct_protocol_access": "Tento uživatel mailové schránky má <b>přímý externí přístup</b> k následujícím protokolům a aplikacím. Toto nastavení je řízeno správcem. Pro udělení přístupu k jednotlivým protokolům a aplikacím lze vytvořit hesla aplikací.<br>Tlačítko \"Webmailu\" zajišťuje jednotné přihlášení k SOGo a je vždy k dispozici.",
+        "direct_aliases_desc": "Na přímé aliasy se uplatňuje filtr spamu a nastavení pravidel TLS.",
+        "direct_protocol_access": "Tento uživatel mailové schránky má <b>přímý externí přístup</b> k následujícím protokolům a aplikacím. Toto nastavení je řízeno správcem. Pro udělení přístupu k jednotlivým protokolům a aplikacím lze vytvořit hesla aplikací.<br>Tlačítko \"Webmail\" zajišťuje jednotné přihlášení k SOGo a je vždy k dispozici.",
         "eas_reset": "Smazat mezipaměť zařízení ActiveSync",
         "eas_reset_help": "Obnovení mezipaměti zařízení pomůže zpravidla obnovit poškozený profil služby ActiveSync.<br><b>Upozornění:</b> Všechna data budou opětovně stažena!",
         "eas_reset_now": "Smazat",
@@ -1204,7 +1291,7 @@
         "no_last_login": "Žádný záznam o přihlášení",
         "no_record": "Žádný záznam",
         "open_logs": "Otevřít záznam",
-        "open_webmail_sso": "Webmailu",
+        "open_webmail_sso": "Webmail",
         "password": "Heslo",
         "password_now": "Současné heslo (pro potvrzení změny)",
         "password_repeat": "Heslo (znovu)",
@@ -1241,8 +1328,8 @@
         "spamfilter": "Filtr spamu",
         "spamfilter_behavior": "Hodnocení",
         "spamfilter_bl": "Seznam zakázaných adres (blacklist)",
-        "spamfilter_bl_desc": "Zakázané emailové adresy <b>budou vždy klasifikovány jako spam a odmítnuty</b>. Lze použít zástupné znaky (*). Filtr se použije pouze na přímé aliasy (s jednou cílovou mailovou schránkou), s výjimkou doménových košů a samotné mailové schránky.",
-        "spamfilter_default_score": "Výchozí hodnoty:",
+        "spamfilter_bl_desc": "Zakázané emailové adresy budou <b>vždy</b> klasifikovány jako spam a odmítnuty. Odmítnutá pošta <b>nebude</b> uložena do karantény. Lze použít zástupné znaky (*). Filtr se použije pouze na přímé aliasy (s jednou cílovou poštovní schránkou), s výjimkou doménových košů a samotné poštovní schránky.",
+        "spamfilter_default_score": "Výchozí hodnoty",
         "spamfilter_green": "Zelená: tato zpráva není spam",
         "spamfilter_hint": "První hodnota představuje \"nízké spam skóre\" a druhá \"vysoké spam skóre\".",
         "spamfilter_red": "Červená: Tato zpráva je spam a server ji odmítne",
@@ -1274,7 +1361,7 @@
         "tag_in_subject": "V předmětu",
         "text": "Text",
         "title": "Předmět",
-        "tls_enforce_in": "Vynutit TLS pro příchozí poštu ",
+        "tls_enforce_in": "Vynutit TLS pro příchozí poštu",
         "tls_enforce_out": "Vynutit TLS pro odchozí poštu",
         "tls_policy": "Politika šifrování",
         "tls_policy_warning": "<strong>Varování:</strong> Pokud se rozhodnete vynutit šifrovaný přenos pošty, může dojít ke ztrátě e-mailů.<br>Zprávy, které nesplňují tuto politiku, budou mailovým systémem odmítnuty.<br>Tato volba ovlivňuje primární e-mailovou adresu (přihlašovací jméno), všechny adresy odvozené z doménových aliasů i aliasy, jež mají tuto mailovou schránku jako cíl.",
@@ -1290,7 +1377,13 @@
         "years": "let",
         "pushover_sound": "Zvukové upozornění",
         "password_reset_info": "Pokud není zadán e-mail pro obnovení hesla, nelze tuto funkci použít.",
-        "pw_recovery_email": "E-mail pro obnovení hesla"
+        "pw_recovery_email": "E-mail pro obnovení hesla",
+        "tfa_info": "Dvoufaktorová autentizace vám pomáhá chránit svůj účet. Je-li zapnuta, musíte si vytvořit aplikační hesla pro aplikace, jež dvoufaktorovou autentizaci nepodporují (např. poštovní klienti).",
+        "attribute": "Atribut",
+        "authentication": "Autentifikace",
+        "overview": "Přehled",
+        "protocols": "Protokoly",
+        "value": "Hodnota"
     },
     "warning": {
         "cannot_delete_self": "Nelze smazat právě přihlášeného uživatele",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index a04234610..21d26d8c8 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -205,8 +205,8 @@
         "f2b_whitelist": "Whitelisted networks/hosts",
         "filter": "Filter",
         "filter_table": "Filter table",
-        "force_sso_text": "If an external OIDC provider is configured, this option hides the default mailcow login forms and only shows the Singe Sign-On button",
-        "force_sso": "Disable mailcow Login and show only Singe Sign-On",
+        "force_sso_text": "If an external OIDC provider is configured, this option hides the default mailcow login forms and only shows the Single Sign-On button",
+        "force_sso": "Disable mailcow Login and show only Single Sign-On",
         "forwarding_hosts": "Forwarding Hosts",
         "forwarding_hosts_add_hint": "You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).",
         "forwarding_hosts_hint": "Incoming messages are unconditionally accepted from any hosts listed here. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected, but optionally it can be filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a rule that forwards incoming emails to your mailcow server.",
diff --git a/data/web/lang/lang.it-it.json b/data/web/lang/lang.it-it.json
index fdfa78161..a2f0a87e3 100644
--- a/data/web/lang/lang.it-it.json
+++ b/data/web/lang/lang.it-it.json
@@ -353,7 +353,30 @@
         "password_settings": "Impostazioni della password",
         "queue_unban": "sblocca",
         "restore_template": "Lasciare vuoto per ripristinare il modello predefinito.",
-        "logo_normal_label": "Normale"
+        "logo_normal_label": "Normale",
+        "app_hide": "Nascondi per il login",
+        "ip_check_disabled": "Il controllo IP è disabilitato. Puoi abilitarlo sotto <br><strong>Sistema > Configurazione > Opzioni > Personalizza </strong>",
+        "ip_check_opt_in": "Attiva l'utilizzo dei servizi di terze parti <strong>ipv4.mailcow.email</strong> e <strong> ipv6.mailcow.email</strong> per risolvere gli indirizzi IP esterni",
+        "iam_login_provisioning": "Creazione automatica di utenti al login",
+        "iam_port": "Porta",
+        "iam_redirect_url": "URL di reindirizzamento",
+        "iam_server_url": "URL server",
+        "iam_sso": "Single Sign-On",
+        "iam_test_connection": "Test connessione",
+        "iam_use_ssl": "Usa SSL",
+        "iam_use_tls": "Usa StartTLS",
+        "iam_version": "Versione",
+        "ignore_ssl_error": "Ignorare gli errori SSL",
+        "task": "Attività",
+        "login_page": "Pagina di accesso",
+        "filter": "Filtro",
+        "iam_attribute_field": "Campo attributo",
+        "iam_authorize_url": "Endpoint di autorizzazione",
+        "iam_auth_flow": "Flusso di autenticazione",
+        "iam_client_id": "ID cliente",
+        "iam_default_template": "Template predefinito",
+        "iam_host": "Host",
+        "iam_import_users": "Importa utenti"
     },
     "danger": {
         "access_denied": "Accesso negato o form di login non corretto",
@@ -484,7 +507,11 @@
         "password_reset_invalid_user": "La casella di posta elettronica non è stata trovata o non è stata impostata un'e-mail di recupero",
         "password_reset_na": "Il recupero della password non è attualmente disponibile. Contattare l'amministratore.",
         "recovery_email_failed": "Impossibile inviare un'e-mail di recupero. Contattare l'amministratore.",
-        "to_invalid": "Il destinatario non deve essere vuoto"
+        "to_invalid": "Il destinatario non deve essere vuoto",
+        "iam_test_connection": "Connessione non riuscita",
+        "webauthn_authenticator_failed": "L'autenticator selezionato non è stato trovato",
+        "webauthn_username_failed": "L'authenticator selezionato appartiene ad un altro account",
+        "webauthn_publickey_failed": "Nessuna chiave pubblica è stata salvata per l'authenticator selezionato"
     },
     "debug": {
         "chart_this_server": "Grafico (questo server)",
@@ -655,7 +682,10 @@
         "domain_footer_html": "Piè di pagina HTML",
         "domain_footer_plain": "Piè di pagina PLAIN",
         "footer_exclude": "Escludi dal piè di pagina",
-        "password_recovery_email": "E-mail di recupero password"
+        "password_recovery_email": "E-mail di recupero password",
+        "mailbox_rename": "Rinominare la casella mail",
+        "mailbox_rename_agree": "Ho creato un backup.",
+        "mailbox_rename_alias": "Creare alias automaticamente"
     },
     "fido2": {
         "confirm": "Conferma",
@@ -717,7 +747,11 @@
         "forgot_password": "> Password dimenticata?",
         "new_password": "Nuova password",
         "new_password_confirm": "Conferma la nuova password",
-        "reset_password": "Ripristino della password"
+        "reset_password": "Ripristino della password",
+        "login_linkstext": "Non è il login corretto?",
+        "login_usertext": "Accedere come utente",
+        "login_domainadmintext": "Accedere come domain admin",
+        "login_admintext": "Accedere come admin"
     },
     "mailbox": {
         "action": "Azione",
diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index b5a093a35..2028996aa 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -352,13 +352,68 @@
         "allowed_origins": "Upravljanje-dostopa-Dovoljeni-Viri",
         "copy_to_clipboard": "Besedilo kopirano v odložišče!",
         "f2b_manage_external": "Zunanje upravljanje Fail2Ban",
-        "f2b_manage_external_info": "Fail2ban bo še vedno vzdrževal seznam prepovedi, vendar ne bo aktivno nastavil pravil za blokiranje prometa. Uporabite spodnji ustvarjeni seznam prepovedi za zunanje blokiranje prometa."
+        "f2b_manage_external_info": "Fail2ban bo še vedno vzdrževal seznam prepovedi, vendar ne bo aktivno nastavil pravil za blokiranje prometa. Uporabite spodnji ustvarjeni seznam prepovedi za zunanje blokiranje prometa.",
+        "force_sso_text": "Če je konfiguriran zunanji ponudnik OIDC, ta možnost skrije privzete obrazce za prijavo v Mailcow in prikaže samo gumb za enkratno prijavo.",
+        "app_hide": "Skrij za prijavo",
+        "iam_login_provisioning": "Samodejno ustvarjanje uporabnikov ob prijavi",
+        "admin_quicklink": "Skrij hitro povezavo do strani za prijavo skrbnika",
+        "login_page": "Prijavna stran",
+        "domainadmin_quicklink": "Skrij hitro povezavo do strani za prijavo v Skrbnik domen",
+        "filter": "Filter",
+        "force_sso": "Onemogoči prijavo v Mailcow in prikaži samo enotno prijavo",
+        "iam": "Ponudnik identitete",
+        "iam_attribute_field": "Polje atributa",
+        "iam_authorize_url": "Končna točka avtorizacije",
+        "iam_auth_flow": "Potek preverjanja pristnosti",
+        "iam_auth_flow_info": "Poleg toka avtorizacijske kode (standardni tok v Keycloaku), ki se uporablja za prijavo z enotno prijavo, mailcow podpira tudi tok preverjanja pristnosti z neposrednimi poverilnicami. Tok Mailpassword poskuša preveriti uporabnikove poverilnice z uporabo REST API-ja Keycloak Admin. mailcow pridobi zgoščeno geslo iz atributa <code>mailcow_password</code>, ki je preslikan v Keycloaku.",
+        "iam_basedn": "Osnovni DN",
+        "iam_client_id": "ID odjemalca",
+        "iam_client_secret": "Skrivnost odjemalca",
+        "iam_client_scopes": "Obsegi odjemalcev",
+        "iam_default_template": "Privzeta predloga",
+        "iam_default_template_description": "Če uporabniku ni dodeljena nobena predloga, bo privzeta predloga uporabljena za ustvarjanje nabiralnika, ne pa za posodabljanje nabiralnika.",
+        "iam_description": "Konfigurirajte zunanjega ponudnika za preverjanje pristnosti<br>Uporabnikovi poštni nabiralniki bodo samodejno ustvarjeni ob prvi prijavi, če je nastavljeno preslikavanje atributov.",
+        "iam_extra_permission": "Za delovanje naslednjih nastavitev potrebuje odjemalec mailcow v Keycloaku <code>Servisni račun</code> in dovoljenje za <code>ogled uporabnikov</code>.",
+        "iam_host": "Gostitelj",
+        "iam_host_info": "Vnesite enega ali več gostiteljev LDAP, ločenih z vejicami.",
+        "iam_import_users": "Uvozi uporabnike",
+        "iam_use_tls_info": "Če omogočite TLS, morate uporabiti privzeta vrata za strežnik LDAP (389). Vrat SSL ni mogoče uporabiti.",
+        "iam_sync_interval": "Interval sinhronizacije / uvoza (min)",
+        "user_quicklink": "Skrij hitro povezavo do strani za prijavo uporabnika",
+        "iam_use_ssl_info": "Če omogočite SSL in so vrata nastavljena na 389, bodo samodejno prepisana na uporabo 636.",
+        "iam_mapping": "Preslikava atributov",
+        "iam_bindpass": "Vezano geslo",
+        "iam_periodic_full_sync": "Periodična popolna sinhronizacija",
+        "iam_port": "Vrata",
+        "iam_redirect_url": "Preusmeri URL",
+        "iam_rest_flow": "Tok gesla za pošto",
+        "iam_server_url": "URL strežnika",
+        "iam_sso": "Enotna prijava",
+        "iam_test_connection": "Preizkus povezave",
+        "iam_token_url": "Končna točka žetona",
+        "iam_userinfo_url": "Končna točka z uporabniškimi podatki",
+        "iam_username_field": "Polje z uporabniškim imenom",
+        "iam_binddn": "Povezava DN",
+        "iam_use_ssl": "Uporabi SSL",
+        "iam_use_tls": "Uporabi StartTLS",
+        "iam_version": "Različica",
+        "ignore_ssl_error": "Prezri napake SSL",
+        "password_reset_info": "Če ni naveden e-poštni naslov za obnovitev, te funkcije ni mogoče uporabiti.",
+        "password_reset_settings": "Nastavitve za obnovitev gesla",
+        "password_reset_tmpl_html": "Predloga HTML",
+        "password_reset_tmpl_text": "Predloga besedila",
+        "password_settings": "Nastavitve gesla",
+        "quicklink_text": "Prikaži ali skrij hitre povezave do drugih strani za prijavo pod prijavnim obrazcem",
+        "reset_password_vars": "<code>{{link}}<code> Ustvarjena povezava za ponastavitev gesla<br><code>{{username}}<code> Ime nabiralnika uporabnika, ki je zahteval ponastavitev gesla<br><code>{{username2}}<code> Ime obnovitvenega nabiralnika<br><code>{{date}}<code> Datum zahteve za ponastavitev gesla<br><code>{{token_lifetime}}<code> Življenjska doba žetona v minutah<br><code>{{hostname}}<code> Ime gostitelja mailcow",
+        "restore_template": "Za obnovitev privzete predloge pustite polje prazno.",
+        "task": "Naloga",
+        "user_link": "Uporabniška povezava"
     },
     "danger": {
         "alias_goto_identical": "Alias in goto naslov morata biti identična",
         "aliasd_targetd_identical": "Alias domena ne sme biti enaka ciljni domeni: %s",
         "bcc_exists": "BCC preslikava obstaja za vrsto %s",
-        "dkim_domain_or_sel_exists": "DKIM ključ za \"%s\" obstaja in ne bo prepisan.",
+        "dkim_domain_or_sel_exists": "DKIM ključ za \"%s\" obstaja in ne bo prepisan",
         "domain_quota_m_in_use": "Kvota domene mora biti večja ali enaka %s MiB",
         "extra_acl_invalid_domain": "Zunanji pošiljatelj \"%s\" uporablja neveljavno domeno",
         "global_map_write_error": "Ni mogoče zapisati ID globalne preslikave %s: %s",
@@ -375,8 +430,8 @@
         "app_passwd_id_invalid": "ID gesla aplikacije %s je neveljaven",
         "bcc_empty": "BCC cilj ne more biti prazen",
         "bcc_must_be_email": "BCC cilj %s ni veljaven e-poštni naslov",
-        "comment_too_long": "Komentar je predolg, dovoljeno je največ 100 znakov.",
-        "defquota_empty": "Privzeta kvota na poštni predal ne more biti 0",
+        "comment_too_long": "Komentar je predolg, dovoljeno je največ 160 znakov",
+        "defquota_empty": "Privzeta kvota na poštni predal ne more biti 0.",
         "description_invalid": "Opis resursa za %s ni veljaven",
         "dkim_domain_or_sel_invalid": "Domena ali izbirnik DKIM ni veljaven: %s",
         "domain_cannot_match_hostname": "Domena se ne more ujemati z imenom gostitelja",
@@ -414,9 +469,9 @@
         "invalid_recipient_map_old": "Naveden neveljaven izvirni prejemnik: %s",
         "ip_list_empty": "Seznam dovoljenih IPjev ne sme biti prazen",
         "is_alias": "%s je že znan kot alias naslov",
-        "is_alias_or_mailbox": "%s je že znan kot alias, poštni naslov, ali alias izveden iz alias domene",
+        "is_alias_or_mailbox": "%s je že znan kot alias, poštni naslov, ali alias izveden iz alias domene.",
         "is_spam_alias": "%s že obstaja kot začasen alias (spam alias naslov)",
-        "last_key": "Zadnji ključ ne more biti izbrisan, prosim raje deaktivirajte dvofaktorsko avtentikacijo (TFA)",
+        "last_key": "Zadnji ključ ne more biti izbrisan, prosim raje deaktivirajte dvofaktorsko avtentikacijo (TFA).",
         "login_failed": "Prijava ni uspela",
         "mailbox_defquota_exceeds_mailbox_maxquota": "Privzeta kvota presega najvišjo omejitev",
         "mailbox_invalid": "Ime poštnega predala ni veljavno",
@@ -428,7 +483,7 @@
         "map_content_empty": "Preslikava vsebine ne more biti prazna",
         "max_alias_exceeded": "Preseženo največje število aliasov",
         "max_mailbox_exceeded": "Preseženo največje število poštnih predalov (%d od %d)",
-        "maxquota_empty": "Največja kvota na poštni predal ne more biti 0",
+        "maxquota_empty": "Največja kvota na poštni predal ne more biti 0.",
         "mysql_error": "Napaka MySQL: %s",
         "network_host_invalid": "Nepravilno omrežje ali gostitel: %s",
         "next_hop_interferes": "% moti naslednji skok %s",
@@ -483,7 +538,17 @@
         "cors_invalid_origin": "Naveden neveljaven Allow-Origin",
         "invalid_recipient_map_new": "Naveden neveljaven nov prejemnik: %s",
         "img_dimensions_exceeded": "Slika presega največje dovoljene dimenzije",
-        "img_size_exceeded": "Slika presega največjo dovoljeno velikost datoteke"
+        "img_size_exceeded": "Slika presega največjo dovoljeno velikost datoteke",
+        "iam_test_connection": "Povezava ni uspela",
+        "authsource_in_use": "Ponudnika identitete ni mogoče spremeniti ali izbrisati, ker ga trenutno uporablja eden ali več uporabnikov.",
+        "password_reset_na": "Obnovitev gesla trenutno ni na voljo. Obrnite se na skrbnika.",
+        "generic_server_error": "Prišlo je do nepričakovane napake strežnika. Obrnite se na skrbnika.",
+        "invalid_reset_token": "Neveljaven žeton za ponastavitev",
+        "password_reset_invalid_user": "Poštni predal ni bil najden ali pa ni nastavljen e-poštni naslov za obnovitev",
+        "recovery_email_failed": "E-poštnega sporočila za obnovitev ni bilo mogoče poslati. Obrnite se na skrbnika.",
+        "required_data_missing": "Manjkajo zahtevani podatki %s",
+        "reset_token_limit_exceeded": "Omejitev žetonov za ponastavitev je bila presežena. Poskusite znova pozneje.",
+        "to_invalid": "Polje za prejemnika ne sme biti prazno"
     },
     "debug": {
         "containers_info": "Informacije o vsebniku (containerju)",
@@ -583,8 +648,8 @@
         "pushover_sender_array": "Upoštevaj samo sledeče e-poštne naslove pošiljateljev <small>(ločeni z vejico)</small>",
         "mbox_rl_info": "Ta omejitev velja za SASL uporabniško ime, preverja se ujemanje s katerim koli \"from\" naslovom, ki ga uporablja prijavljeni uporabnik. Omejitev pošiljanja za poštni predal preglasi pravilo omejitve za domeno.",
         "kind": "Tip",
-        "client_secret": "Client secret",
-        "comment_info": "Zasebni komentar ni viden uporabniku, javni komentar pa je viden kot tooltip v uporabnikovem pregledu.",
+        "client_secret": "Skrivnost odjemalca",
+        "comment_info": "Zasebni komentar ni viden uporabniku, javni komentar pa se prikaže kot opis orodja, ko nanj v pregledu uporabnika zadržite miško",
         "created_on": "Ustvarjeno",
         "custom_attributes": "Atributi po meri",
         "delete1": "Izbriši na viru, ko je končano",
@@ -601,11 +666,11 @@
         "pushover_verify": "Preveri poverilnice",
         "quota_mb": "Omejitev (MiB)",
         "quota_warning_bcc": "BCC za sporočilo z opozorilom omejitve",
-        "quota_warning_bcc_info": "Opozorila bodo poslana kot ločene kopije sledečim prejemnikom. K naslovu sporočila bo dodano uporabniško ime v oklepajih, npr. <code>Opozorilo omejitve (user@example.com)</code>",
+        "quota_warning_bcc_info": "Opozorila bodo poslana kot ločene kopije naslednjim prejemnikom. Zadevi bo v oklepaju dodano ustrezno uporabniško ime, na primer: <code>Opozorilo o kvoti (uporabnik@example.com)</code>.",
         "ratelimit": "Omejitev pošiljanja",
         "advanced_settings": "Napredne nastavitve",
         "allow_from_smtp_info": "Pustite prazno da dovolite vse pošiljatelje.<br>IPv4/IPv6 naslovi in omrežja.",
-        "allowed_protocols": "Dovoljeni protokoli",
+        "allowed_protocols": "Dovoljeni protokoli za neposreden dostop uporabnikov (ne vpliva na protokole za gesla aplikacij)",
         "app_name": "Ime aplikacije",
         "app_passwd": "Geslo aplikacije",
         "app_passwd_protocols": "Dovoljeni protokoli za geslo aplikacije",
@@ -647,12 +712,253 @@
         "public_comment": "Javni komentar",
         "pushover": "Pushover",
         "pushover_evaluate_x_prio": "Eskaliraj visoko prednostno pošto [<code>X-Priority: 1</code>]",
-        "pushover_info": "Nastavitve potisnih obvestil bodo veljala za vsa čisto (ne spam) elektronsko pošto dostavljeno v <b>%s</b> vključno z aliasi (deljeni, nedeljeni, označeni)",
+        "pushover_info": "Nastavitve potisnih obvestil bodo veljale za vso čisto (ne neželeno) pošto, dostavljeno na <b>%s</b>, vključno z vzdevki (v skupni rabi, brez skupne rabe, označeni).",
         "pushover_only_x_prio": "Upoštevaj samo pošto z visoko prioriteto [<code>X-Priority: 1</code>]",
         "pushover_sender_regex": "Upoštevaj sledeči regex za pošiljatelja",
         "pushover_text": "Besedilo obvestila",
         "pushover_sound": "Zvok",
         "encryption": "Šifriranje",
-        "alias": "Uredi alias"
+        "alias": "Uredi alias",
+        "relayhost": "Prenosi, odvisni od pošiljatelja",
+        "mailbox_rename_alias": "Samodejno ustvari vzdevek",
+        "sender_acl_info": "Če lahko uporabnik poštnega predala A pošilja kot uporabnik poštnega predala B, se naslov pošiljatelja v SOGo ne prikaže samodejno kot izbirno polje \"od\".<br>\n  Uporabnik poštnega predala B mora v SOGo ustvariti pooblastilo, da lahko uporabnik poštnega predala A izbere svoj naslov kot pošiljatelja. Če želite pooblastiti poštni predal v SOGo, uporabite meni (tri pike) desno od imena vašega poštnega predala v zgornjem levem kotu v pogledu pošte. To vedenje ne velja za vzdevke.",
+        "redirect_uri": "URL za preusmeritev/povratni klic",
+        "relay_all": "Posreduj vsem prejemnikom",
+        "relay_unknown_only": "Posreduj samo neobstoječe poštne nabiralnike. Obstoječi poštni nabiralniki bodo dostavljeni lokalno.",
+        "relay_domain": "Posreduj to domeno",
+        "remove": "Odstrani",
+        "resource": "Vir",
+        "mailbox_rename_title": "Novo ime lokalnega poštnega predala",
+        "password_recovery_email": "E-poštno sporočilo za obnovitev gesla",
+        "relay_all_info": "↪ Če se odločite, da <b>ne</b> želite posredovati vseh prejemnikov, boste morali za vsakega posameznega prejemnika, ki ga želite posredovati, dodati (\"slepi\") poštni predal.",
+        "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Informacije</div> Za to domeno lahko določite transportne zemljevide za cilj po meri. Če niso nastavljeni, bo izvedeno iskanje MX.",
+        "save": "Shrani spremembe",
+        "scope": "Obseg",
+        "sender_acl": "Dovoli pošiljanje kot",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Preverjanje pošiljatelja je onemogočeno</span>",
+        "sieve_type": "Vrsta filtra",
+        "skipcrossduplicates": "Preskoči podvojena sporočila med mapami (po principu \"kdor prej pride, prej melje\")",
+        "sogo_access": "Neposredno posredovanje na SOGo",
+        "sogo_access_info": "Po prijavi je uporabnik samodejno preusmerjen na SOGo.",
+        "sogo_visible": "Vzdevek je viden v SOGo",
+        "sogo_visible_info": "Ta možnost vpliva samo na objekte, ki jih je mogoče prikazati v SOGo (naslovi aliasov v skupni rabi ali brez nje, ki kažejo na vsaj en lokalni poštni predal). Če je skrita, vzdevek ne bo prikazan kot izbirni pošiljatelj v SOGo.",
+        "spam_alias": "Ustvarjanje ali spreminjanje časovno omejenih vzdevkovnih naslovov",
+        "spam_filter": "Filter neželene pošte",
+        "spam_policy": "Dodajanje ali odstranjevanje elementov na beli/črni seznam",
+        "spam_score": "Nastavite oceno neželene pošte po meri",
+        "subfolder2": "Sinhroniziraj v podmapo na cilju<br><small>(prazno = ne uporabi podmape)</small>",
+        "syncjob": "Urejanje sinhronizacijskega opravila",
+        "target_address": "Pojdi na naslov/e <small>(ločeno z vejico)</small>",
+        "target_domain": "Ciljna domena",
+        "timeout1": "Časovna omejitev za povezavo z oddaljenim gostiteljem",
+        "timeout2": "Časovna omejitev za povezavo z lokalnim gostiteljem",
+        "title": "Urejanje predmeta",
+        "unchanged_if_empty": "Če ni spremenjeno, pustite prazno",
+        "username": "Uporabniško ime",
+        "validate_save": "Potrdi in shrani",
+        "mailbox_rename": "Preimenuj poštni predal",
+        "mailbox_rename_agree": "Ustvaril/a sem varnostno kopijo.",
+        "mailbox_rename_warning": "POMEMBNO! Pred preimenovanjem nabiralnika ustvarite varnostno kopijo.",
+        "sieve_desc": "Kratek opis"
+    },
+    "footer": {
+        "restart_container_info": "<b>Pomembno:</b> Ugoden ponovni zagon lahko traja nekaj časa, zato počakajte, da se konča.",
+        "delete_these_items": "Prosimo, potrdite spremembe naslednjega ID-ja objekta",
+        "confirm_delete": "Potrdi brisanje",
+        "delete_now": "Izbriši zdaj",
+        "hibp_check": "Preverite na haveibeenpwned.com",
+        "hibp_nok": "Ujema se! To je potencialno nevarno geslo!",
+        "hibp_ok": "Ni najdenega ujemanja.",
+        "loading": "Prosim, počakajte...",
+        "nothing_selected": "Nič izbranega",
+        "restart_container": "Znova zaženite zabojnik",
+        "restart_now": "Znova zaženi zdaj",
+        "restarting_container": "Ponovni zagon zabojnika, to lahko traja nekaj časa",
+        "cancel": "Prekliči"
+    },
+    "login": {
+        "password": "Geslo",
+        "invalid_pass_reset_token": "Žeton za ponastavitev gesla je neveljaven ali je potekel.<br>Zahtevajte novo povezavo za ponastavitev gesla.",
+        "back_to_mailcow": "Nazaj v mailcow",
+        "delayed": "Prijava je bila zakasnjena za %s sekund.",
+        "fido2_webauthn": "Prijava FIDO2/WebAuthent",
+        "forgot_password": "> Ste pozabili geslo?",
+        "login": "Prijava",
+        "login_linkstext": "Ni pravilna prijava?",
+        "login_usertext": "Prijava kot uporabnik",
+        "login_domainadmintext": "Prijava kot skrbnik domene",
+        "login_admintext": "Prijava kot skrbnik",
+        "login_user": "Prijava uporabnika",
+        "login_dadmin": "Prijava skrbnika domene",
+        "login_admin": "Prijava skrbnika",
+        "mobileconfig_info": "Za prenos zahtevanega profila povezave Apple se prijavite kot uporabnik poštnega predala.",
+        "new_password": "Novo geslo",
+        "new_password_confirm": "Potrdi novo geslo",
+        "other_logins": "ali se prijavite s/z",
+        "reset_password": "Ponastavi geslo",
+        "request_reset_password": "Zahteva za spremembo gesla",
+        "username": "Uporabniško ime"
+    },
+    "mailbox": {
+        "last_mail_login": "Zadnja prijava v e-pošto",
+        "deactivate": "Deaktiviraj",
+        "domain_admins": "Skrbniki domen",
+        "kind": "Prijazno",
+        "mailbox_defaults_info": "Določite privzete nastavitve za nove poštne nabiralnike.",
+        "allowed_protocols": "Dovoljeni protokoli",
+        "add_alias": "Dodaj vzdevek",
+        "mins_interval": "Interval (min)",
+        "recipient_map_info": "Zemljevidi prejemnikov se uporabljajo za zamenjavo naslova prejemnika v sporočilu, preden je dostavljeno.",
+        "add_domain_record_first": "Najprej dodajte domeno",
+        "booking_ltnull": "Neomejeno, vendar se ob rezervaciji prikaži kot zasedeno",
+        "alias_domain_alias_hint": "Vzdevki se na vzdevke domen samodejno <b>ne</b> uporabijo. Naslov vzdevka <code>my-alias@domain</code> <b>ne</b> pokriva naslova <code>my-alias@alias-domain</code> (kjer je \"vzdevek domene\" namišljeni vzdevek domene za \"domeno\").<br>Za preusmeritev pošte v zunanji nabiralnik uporabite filter sito (glejte zavihek »Filtri« ali uporabite SOGo -> Posrednik). Za samodejno dodajanje manjkajočih vzdevkov uporabite \"Razširi vzdevek čez domene vzdevkov\".",
+        "q_all": " ob premiku v mapo Neželena pošta in ob zavrnitvi",
+        "bcc_info": "BCC zemljevidi se uporabljajo za tiho posredovanje kopij vseh sporočil na drug naslov. Vnos vrste preslikave prejemnika se uporablja, kadar lokalni cilj deluje kot prejemnik pošte. Preslikave pošiljatelja delujejo po istem načelu.<br>\nLokalni cilj ne bo obveščen o neuspeli dostavi.",
+        "force_pw_update": "Vsiljena posodobitev gesla ob naslednji prijavi",
+        "recipient_map_new_info": "Cilj zemljevida prejemnika mora biti veljaven e-poštni naslov ali ime domene.",
+        "recipient_map_old_info": "Izvirni cilj prejemnika mora biti veljaven e-poštni naslov ali ime domene.",
+        "action": "Dejanje",
+        "activate": "Aktiviraj",
+        "active": "Aktivno",
+        "add": "Dodaj",
+        "add_alias_expand": "Razširi vzdevek nad vzdevki domen",
+        "add_bcc_entry": "Dodaj zemljevid BCC",
+        "add_domain": "Dodaj domeno",
+        "add_domain_alias": "Dodaj vzdevek domene",
+        "add_filter": "Dodaj filter",
+        "add_mailbox": "Dodaj poštni predal",
+        "add_recipient_map_entry": "Dodaj zemljevid prejemnikov",
+        "add_resource": "Dodaj vir",
+        "add_template": "Dodaj predlogo",
+        "add_tls_policy_map": "Dodaj zemljevid pravilnikov TLS",
+        "address_rewriting": "Prepisovanje naslovov",
+        "alias": "Vzdevek",
+        "alias_domain_backupmx": "Vzdevek domene ni aktiven za posredovalno domeno",
+        "aliases": "Vzdevki",
+        "all_domains": "Vse domene",
+        "allow_from_smtp": "Dovoli samo tem IP-jem uporabo <b>SMTP</b>",
+        "allow_from_smtp_info": "Pustite prazno, da dovolite vse pošiljatelje.<br>Naslovi in omrežja IPv4/IPv6.",
+        "backup_mx": "Posredovalna domena",
+        "bcc": "BCC",
+        "bcc_destination": "Ciljna stran BCC",
+        "bcc_destinations": "Ciljna stran BCC",
+        "bcc_local_dest": "Lokalni cilj",
+        "bcc_map": "BCC zemljevid",
+        "bcc_map_type": "BCC tip",
+        "bcc_maps": "BCC zemljevidi",
+        "bcc_rcpt_map": "Zemljevid prejemnikov",
+        "bcc_sender_map": "Zemljevid pošiljatelja",
+        "bcc_to_rcpt": "Preklopi na vrsto zemljevida prejemnika",
+        "bcc_to_sender": "Preklopi na vrsto zemljevida pošiljatelja",
+        "bcc_type": "BCC tip",
+        "booking_null": "Vedno prikaži kot brezplačno",
+        "booking_0_short": "Vedno prost",
+        "booking_custom": "Točna omejitev na število rezervacij po meri",
+        "booking_custom_short": "Trda omejitev",
+        "booking_lt0_short": "Mehka omejitev",
+        "catch_all": "Zajemi vse",
+        "created_on": "Ustvarjeno dne",
+        "daily": "Dnevno",
+        "description": "Opis",
+        "disable_login": "Prepreči prijavo (dohodna pošta je še vedno sprejeta)",
+        "disable_x": "Onemogoči",
+        "dkim_domains_selector": "Izbirnik",
+        "dkim_key_length": "Dolžina ključa DKIM (biti)",
+        "domain": "Domena",
+        "domain_aliases": "Vzdevki domen",
+        "domain_templates": "Predloge domen",
+        "domain_quota": "Kvota",
+        "domain_quota_total": "Celotna kvota domene",
+        "domains": "Domene",
+        "edit": "Uredi",
+        "empty": "Ni rezultatov",
+        "enable_x": "Omogoči",
+        "filters": "Filtri",
+        "fname": "Polno ime",
+        "gal": "Globalni seznam naslovov",
+        "goto_ham": "Uči se kot <b>ham</b>",
+        "goto_spam": "Uči se kot <b>spam</b>",
+        "hourly": "Urno",
+        "iam": "Ponudnik identitete",
+        "in_use": "V uporabi (%)",
+        "inactive": "Neaktivno",
+        "insert_preset": "Vstavi primer prednastavitve \"%s\"",
+        "last_modified": "Zadnja sprememba",
+        "last_pw_change": "Zadnja sprememba gesla",
+        "last_run_reset": "Načrtuj naslednje",
+        "mailbox": "Poštni nabiralnik",
+        "mailbox_defaults": "Privzete nastavitve",
+        "mailbox_defquota": "Privzeta velikost poštnega nabiralnika",
+        "mailbox_templates": "Predloge poštnih nabiralnikov",
+        "mailbox_quota": "Največja velikost poštnega nabiralnika",
+        "mailboxes": "Poštni nabiralniki",
+        "max_aliases": "Največje število vzdevkov",
+        "max_mailboxes": "Največje možno število poštnih predalov",
+        "max_quota": "Največja kvota na poštni predal",
+        "msg_num": "Sporočilo #",
+        "multiple_bookings": "Več rezervacij",
+        "never": "Nikoli",
+        "no": "&#10005;",
+        "no_record": "Ni zapisa za objekt %s",
+        "no_record_single": "Ni zapisa",
+        "open_logs": "Odpri dnevnike",
+        "owner": "Lastnik",
+        "private_comment": "Zasebni komentar",
+        "public_comment": "Javni komentar",
+        "q_add_header": "ko je premaknjeno v mapo Neželena pošta",
+        "q_reject": "ob zavrnitvi",
+        "quarantine_category": "Kategorija obvestil o karanteni",
+        "quarantine_notification": "Obvestila o karanteni",
+        "quick_actions": "Dejanja",
+        "recipient": "Prejemnik",
+        "recipient_map": "Zemljevid prejemnikov",
+        "recipient_map_new": "Nov prejemnik",
+        "recipient_map_old": "Prvotni prejemnik",
+        "recipient_maps": "Zemljevidi prejemnikov",
+        "relay_all": "Posreduj vsem prejemnikom",
+        "relay_unknown": "Posredovanje neznanih poštnih predalov",
+        "remove": "Odstrani",
+        "resources": "Viri",
+        "running": "V teku",
+        "sender": "Pošiljatelj",
+        "set_postfilter": "Označi kot postfilter",
+        "set_prefilter": "Označi kot predfilter",
+        "sieve_preset_1": "Zavrzi pošto z verjetno nevarnimi vrstami datotek",
+        "filter_table": "Filtriraj tabelo",
+        "excludes": "Izključuje",
+        "last_run": "Zadnji zagon",
+        "sieve_preset_2": "Vedno označi e-pošto določenega pošiljatelja kot videno"
+    },
+    "fido2": {
+        "known_ids": "Znani ID-ji",
+        "set_fido2_touchid": "Registrirajte Touch ID na Apple M1",
+        "confirm": "Potrdi",
+        "fido2_auth": "Prijava s FIDO2",
+        "fido2_success": "Naprava je bila uspešno registrirana",
+        "fido2_validation_failed": "Preverjanje ni uspelo",
+        "fn": "Prijazno ime",
+        "none": "Onemogočeno",
+        "register_status": "Status registracije",
+        "rename": "Preimenuj",
+        "set_fido2": "Registrirajte napravo FIDO2",
+        "set_fn": "Nastavi prijazno ime",
+        "start_fido2_validation": "Začni validacijo FIDO2"
+    },
+    "info": {
+        "session_expires": "Vaša seja bo potekla čez približno 15 sekund",
+        "awaiting_tfa_confirmation": "Čakam na potrditev TFA",
+        "no_action": "Ni veljavnih ukrepov"
+    },
+    "header": {
+        "administration": "Konfiguracija in podrobnosti",
+        "apps": "Aplikacije",
+        "debug": "Informacije",
+        "email": "E-pošta",
+        "mailcow_system": "Sistem",
+        "mailcow_config": "Konfiguracija",
+        "quarantine": "Karantena",
+        "restart_netfilter": "Znova zaženite omrežni filter",
+        "restart_sogo": "Znova zaženite SOGo",
+        "user_settings": "Uporabniške nastavitve"
     }
 }

From dd475c0ab341398113cda317417ef7827dfbc19d Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 12 Jun 2025 13:14:20 +0200
Subject: [PATCH 262/378] update postscreen_access.cidr (#6573)

---
 data/conf/postfix/postscreen_access.cidr | 86 ++++++++++++++++++++++--
 1 file changed, 80 insertions(+), 6 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 10c609097..57425e5df 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Thu May  1 00:21:10 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Sun Jun  1 00:24:21 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2058 total rules
+# 2132 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -19,24 +19,37 @@
 2c0f:fb50:4000::/36	permit
 2.207.151.53	permit
 2.207.217.30	permit
+3.65.3.180	permit
 3.70.123.177	permit
+3.72.182.33	permit
+3.74.81.189	permit
+3.75.33.185	permit
 3.93.157.0/24	permit
 3.94.40.108	permit
 3.129.120.190	permit
 3.210.190.0/24	permit
+3.211.80.218	permit
+3.216.221.67	permit
+3.221.209.22	permit
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
 8.36.116.0/24	permit
+8.39.54.0/23	permit
+8.39.54.250/31	permit
 8.39.144.0/24	permit
+8.40.222.0/23	permit
+8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.246.59	permit
+13.107.246.38	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
 13.110.224.0/20	permit
 13.111.0.0/16	permit
 13.111.191.0/24	permit
+13.216.7.111	permit
+13.216.54.180	permit
 15.200.21.50	permit
 15.200.44.248	permit
 15.200.201.185	permit
@@ -49,9 +62,12 @@
 18.97.1.184/29	permit
 18.97.2.64/26	permit
 18.156.89.250	permit
+18.156.205.64	permit
 18.157.243.190	permit
 18.194.95.56	permit
+18.197.217.180	permit
 18.198.96.88	permit
+18.207.52.234	permit
 18.208.124.128/25	permit
 18.216.232.154	permit
 18.235.27.253	permit
@@ -88,6 +104,7 @@
 23.253.183.147	permit
 23.253.183.148	permit
 23.253.183.150	permit
+24.110.64.0/18	permit
 27.123.204.128/30	permit
 27.123.204.132/31	permit
 27.123.204.148/30	permit
@@ -125,15 +142,16 @@
 34.74.74.140	permit
 34.83.159.189	permit
 34.141.160.224	permit
+34.193.58.168	permit
 34.195.217.107	permit
 34.212.163.75	permit
 34.215.104.144	permit
 34.218.116.3	permit
 34.225.212.172	permit
+35.158.23.94	permit
 35.161.32.253	permit
 35.167.93.243	permit
 35.176.132.251	permit
-35.190.247.0/24	permit
 35.191.0.0/16	permit
 35.205.92.9	permit
 35.228.216.85	permit
@@ -154,6 +172,10 @@
 44.217.45.156	permit
 44.236.56.93	permit
 44.238.220.251	permit
+44.245.243.92	permit
+44.246.1.125	permit
+44.246.68.102	permit
+44.246.77.92	permit
 45.14.148.0/22	permit
 46.19.170.16	permit
 46.226.48.0/21	permit
@@ -221,11 +243,15 @@
 50.56.130.222	permit
 52.1.14.157	permit
 52.5.230.59	permit
+52.13.214.179	permit
+52.26.1.71	permit
 52.27.5.72	permit
 52.27.28.47	permit
 52.28.63.81	permit
+52.34.181.151	permit
 52.36.138.31	permit
 52.37.142.146	permit
+52.42.203.116	permit
 52.50.24.208	permit
 52.58.216.183	permit
 52.59.143.3	permit
@@ -272,12 +298,12 @@
 54.213.20.246	permit
 54.214.39.184	permit
 54.240.0.0/18	permit
-54.240.64.0/19	permit
-54.240.96.0/19	permit
+54.240.64.0/18	permit
 54.241.16.209	permit
 54.244.54.130	permit
 54.244.242.0/24	permit
 54.255.61.23	permit
+56.124.6.228	permit
 57.103.64.0/18	permit
 62.13.128.0/24	permit
 62.13.129.128/25	permit
@@ -293,6 +319,7 @@
 63.128.21.0/24	permit
 63.143.57.128/25	permit
 63.143.59.128/25	permit
+63.176.194.123	permit
 64.18.0.0/20	permit
 64.20.241.45	permit
 64.69.212.0/24	permit
@@ -358,6 +385,7 @@
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
+65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
 66.119.150.192/26	permit
@@ -1153,6 +1181,7 @@
 99.83.190.102	permit
 103.9.96.0/22	permit
 103.28.42.0/24	permit
+103.122.78.238	permit
 103.151.192.0/23	permit
 103.168.172.128/27	permit
 103.237.104.0/22	permit
@@ -1287,6 +1316,7 @@
 106.50.16.0/28	permit
 107.20.18.111	permit
 107.20.210.250	permit
+107.22.191.150	permit
 108.174.0.0/24	permit
 108.174.0.215	permit
 108.174.3.0/24	permit
@@ -1321,6 +1351,9 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
+121.244.91.48	permit
+121.244.91.52	permit
+122.15.156.182	permit
 123.126.78.64/29	permit
 124.108.96.24/31	permit
 124.108.96.28/31	permit
@@ -1383,7 +1416,21 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
+135.84.80.0/24	permit
+135.84.81.0/24	permit
+135.84.82.0/24	permit
+135.84.83.0/24	permit
 135.84.216.0/22	permit
+136.143.160.0/24	permit
+136.143.161.0/24	permit
+136.143.162.0/24	permit
+136.143.176.0/24	permit
+136.143.177.0/24	permit
+136.143.178.49	permit
+136.143.182.0/23	permit
+136.143.184.0/24	permit
+136.143.188.0/24	permit
+136.143.190.0/23	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
 136.147.176.0/20	permit
@@ -1398,6 +1445,7 @@
 139.138.46.219	permit
 139.138.57.55	permit
 139.138.58.119	permit
+139.167.79.86	permit
 139.180.17.0/24	permit
 140.238.148.191	permit
 141.148.159.229	permit
@@ -1518,6 +1566,9 @@
 164.152.23.32	permit
 164.152.25.241	permit
 164.177.132.168/30	permit
+165.173.128.0/24	permit
+165.173.180.250/31	permit
+165.173.182.250/31	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1546,6 +1597,13 @@
 168.245.12.252	permit
 168.245.46.9	permit
 168.245.127.231	permit
+169.148.129.0/24	permit
+169.148.131.0/24	permit
+169.148.142.10	permit
+169.148.144.0/25	permit
+169.148.144.10	permit
+169.148.146.0/23	permit
+169.148.188.182	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
 170.10.132.56/29	permit
@@ -1722,7 +1780,16 @@
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
+199.34.22.36	permit
 199.59.148.0/22	permit
+199.67.80.2	permit
+199.67.80.20	permit
+199.67.82.2	permit
+199.67.82.20	permit
+199.67.84.0/24	permit
+199.67.86.0/24	permit
+199.67.88.0/24	permit
+199.67.90.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1779,6 +1846,8 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
+204.141.32.0/23	permit
+204.141.42.0/23	permit
 204.220.160.0/21	permit
 204.220.168.0/21	permit
 204.220.176.0/20	permit
@@ -1998,6 +2067,8 @@
 216.99.5.68	permit
 216.109.114.32/27	permit
 216.109.114.64/29	permit
+216.113.162.65	permit
+216.113.163.65	permit
 216.128.126.97	permit
 216.136.162.65	permit
 216.136.162.120/29	permit
@@ -2046,6 +2117,9 @@
 2603:1030:20e:3::23c	permit
 2603:1030:b:3::152	permit
 2603:1030:c02:8::14	permit
+2607:13c0:0001:0000:0000:0000:0000:7000/116	permit
+2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
+2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
 2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit

From 5861c9af29d7902995426d0779fefeedc11d2282 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Mon, 16 Jun 2025 19:45:13 +0200
Subject: [PATCH 263/378] [Web] Updated lang.cs-cz.json (#6589)

---
 data/web/lang/lang.cs-cz.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/web/lang/lang.cs-cz.json b/data/web/lang/lang.cs-cz.json
index b33332f66..9ef0304c8 100644
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -404,9 +404,9 @@
         "iam_client_scopes": "Scopes klienta",
         "iam_default_template": "Výchozí šablona",
         "iam_description": "Nastavení externího poskytovatele ověření<br>Schránky uživatele se vytvoří po prvním přihlášení automaticky, pokud je tedy nastaveno mapování atributů.",
-        "iam_extra_permission": "Aby vše fungovalo, musí mít mailcow klient v Keycloaku nastavený  <code>servisní účet</code> a povolení <code>view-users</code>.",
+        "iam_extra_permission": "Aby vše fungovalo, musí mít mailcow klient v Keycloaku nastavený <code>servisní účet</code> a povolení <code>view-users</code>.",
         "iam_host": "Hostitel",
-        "iam_host_info": "Zadejte jeden či více hostitelů, oddělte čárkou",
+        "iam_host_info": "Zadejte jeden či více hostitelů, oddělte čárkou.",
         "iam_import_users": "Importovat uživatele"
     },
     "danger": {
@@ -1180,7 +1180,7 @@
         "recovery_email_sent": "E-mail k obnovení byl odeslán na adresu %s",
         "custom_login_modified": "Úpravy přihlašování úspěšně uloženy",
         "domain_add_dkim_available": "Klíč DKIM už existoval",
-        "f2b_banlist_refreshed": "Seznam zákazů úspěšně obnoven",
+        "f2b_banlist_refreshed": "Seznam zákazů úspěšně obnoven.",
         "iam_test_connection": "Spojení úspěšně navázano",
         "ip_check_opt_in_modified": "Kontrola IP adresy úspěšně uložena",
         "mailbox_renamed": "Schránka přejmenována z %s na %s",
@@ -1212,7 +1212,7 @@
         "yubi_otp": "Yubico OTP ověření",
         "u2f_deprecated": "Zdá se, že váš klíč byl registrován zastaralou metodou U2F. Dojde k deaktivaci dvoufaktorové autentifikace a smazání klíče.",
         "authenticators": "Autentifikátory",
-        "u2f_deprecated_important": "Registrujte svůj klíč novou metodou WebAuthn ve správě správců"
+        "u2f_deprecated_important": "Registrujte svůj klíč novou metodou WebAuthn ve správě správců."
     },
     "user": {
         "action": "Akce",

From cc0e4fee9dbaf99e02a5369ce5e4e17d016075aa Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Fri, 20 Jun 2025 18:14:22 +0200
Subject: [PATCH 264/378] [Web] Updated lang.si-si.json (#6599)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 43 ++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 2028996aa..dd1c13607 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -353,14 +353,14 @@
         "copy_to_clipboard": "Besedilo kopirano v odložišče!",
         "f2b_manage_external": "Zunanje upravljanje Fail2Ban",
         "f2b_manage_external_info": "Fail2ban bo še vedno vzdrževal seznam prepovedi, vendar ne bo aktivno nastavil pravil za blokiranje prometa. Uporabite spodnji ustvarjeni seznam prepovedi za zunanje blokiranje prometa.",
-        "force_sso_text": "Če je konfiguriran zunanji ponudnik OIDC, ta možnost skrije privzete obrazce za prijavo v Mailcow in prikaže samo gumb za enkratno prijavo.",
+        "force_sso_text": "Če je konfiguriran zunanji ponudnik OIDC, ta možnost skrije privzete obrazce za prijavo v Mailcow in prikaže samo gumb za enotno prijavo",
         "app_hide": "Skrij za prijavo",
         "iam_login_provisioning": "Samodejno ustvarjanje uporabnikov ob prijavi",
         "admin_quicklink": "Skrij hitro povezavo do strani za prijavo skrbnika",
         "login_page": "Prijavna stran",
         "domainadmin_quicklink": "Skrij hitro povezavo do strani za prijavo v Skrbnik domen",
         "filter": "Filter",
-        "force_sso": "Onemogoči prijavo v Mailcow in prikaži samo enotno prijavo",
+        "force_sso": "Onemogoči prijavo v mailcow in prikaži samo enotno prijavo",
         "iam": "Ponudnik identitete",
         "iam_attribute_field": "Polje atributa",
         "iam_authorize_url": "Končna točka avtorizacije",
@@ -927,7 +927,44 @@
         "filter_table": "Filtriraj tabelo",
         "excludes": "Izključuje",
         "last_run": "Zadnji zagon",
-        "sieve_preset_2": "Vedno označi e-pošto določenega pošiljatelja kot videno"
+        "sieve_preset_2": "Vedno označi e-pošto določenega pošiljatelja kot videno",
+        "target_address": "Pojdi na naslov",
+        "syncjob_EXIT_TLS_FAILURE": "Težava s šifrirano povezavo",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Ni mogoče vzpostaviti povezave z oddaljenim strežnikom",
+        "tls_map_parameters_info": "Prazno ali parametri, na primer: protocols=!SSLv2 ciphers=medium exclude=3DES",
+        "tls_policy_maps_enforced_tls": "Ti pravilniki bodo preglasili tudi vedenje uporabnikov poštnih predalov, ki vsiljujejo odhodne povezave TLS. Če spodaj ni pravilnika, bodo ti uporabniki uporabili privzete vrednosti, določene kot <code>smtp_tls_mandatory_protocols</code> in <code>smtp_tls_mandatory_ciphers</code>.",
+        "spam_aliases": "Začasni vzdevek",
+        "sieve_preset_3": "Tiho zavrzite, ustavite vso nadaljnjo obdelavo s presejanjem",
+        "sieve_preset_4": "Vloži v mapo PREJETO, preskoči nadaljnjo obdelavo s sitastimi filtri",
+        "sieve_preset_5": "Samodejni odzivnik (dopust)",
+        "sieve_preset_6": "Zavrni pošto z odgovorom",
+        "sieve_preset_7": "Preusmeritev in ohrani/opusti",
+        "sieve_preset_8": "Preusmeritev e-pošte od določenega pošiljatelja, označitev kot prebrano in razvrščanje v podmapo",
+        "sieve_preset_header": "Spodaj si oglejte primere prednastavitev. Za več podrobnosti glejte <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedijo</a>.",
+        "sogo_visible": "Vzdevek je viden v SOGo",
+        "sogo_visible_n": "Skrij vzdevek v SOGo",
+        "sogo_visible_y": "Prikaži vzdevek v SOGo",
+        "stats": "Statistika",
+        "status": "Stanje",
+        "sync_jobs": "Sinhronizacija opravil",
+        "syncjob_check_log": "Preveri dnevnik",
+        "syncjob_last_run_result": "Rezultat zadnjega zagona",
+        "syncjob_EX_OK": "Uspešno",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Težava s povezavo",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Težava z overjanjem",
+        "syncjob_EXIT_OVERQUOTA": "Ciljni poštni predal presega kvoto",
+        "table_size_show_n": "Prikaži %s elementov",
+        "target_domain": "Ciljna domena",
+        "template": "Predloga",
+        "tls_enforce_in": "Uveljavi dohodni TLS",
+        "tls_enforce_out": "Uveljavi odhodni TLS",
+        "tls_map_dest": "Cilj",
+        "tls_map_dest_info": "Primeri: example.org, .example.org, [mail.example.org]:25",
+        "tls_map_parameters": "Parametri",
+        "tls_map_policy": "Politika",
+        "tls_policy_maps": "Zemljevidi pravilnikov TLS",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Napačno uporabniško ime ali geslo",
+        "templates": "Predloge"
     },
     "fido2": {
         "known_ids": "Znani ID-ji",

From 8a89f5c685869c4fb28165751d1602cd5ad87deb Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Mon, 23 Jun 2025 10:36:49 +0200
Subject: [PATCH 265/378] updated Readme (sponsors)

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 40288f10e..2aad841c2 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,9 @@ A big thank you to everyone supporting us on GitHub Sponsors—your contribution
   <a href="https://www.maehdros.com/" target=_blank><img
     src="https://avatars.githubusercontent.com/u/173894712" height="58"
   /></a>
+  <a href="https://macarne.com/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/149550368?s=200&v=4" height="58"
+  /></a>
 
 ### 50$/Month Sponsors
   <a href="https://github.com/vnukhr" target=_blank><img

From 4c64cf18a69464a1f8c30e1e87433bf3241bc205 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Mon, 23 Jun 2025 21:58:50 +0200
Subject: [PATCH 266/378] [Web] Updated lang.si-si.json (#6600)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 42 ++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index dd1c13607..e3e35b508 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -964,7 +964,14 @@
         "tls_map_policy": "Politika",
         "tls_policy_maps": "Zemljevidi pravilnikov TLS",
         "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Napačno uporabniško ime ali geslo",
-        "templates": "Predloge"
+        "templates": "Predloge",
+        "tls_policy_maps_long": "Preglasitve zemljevidov pravilnikov odhodnega TLS",
+        "table_size": "Velikost tabele",
+        "toggle_all": "Preklopi vse",
+        "username": "Uporabniško ime",
+        "waiting": "Čakanje",
+        "yes": "&#10003;",
+        "weekly": "Tedensko"
     },
     "fido2": {
         "known_ids": "Znani ID-ji",
@@ -997,5 +1004,38 @@
         "restart_netfilter": "Znova zaženite omrežni filter",
         "restart_sogo": "Znova zaženite SOGo",
         "user_settings": "Uporabniške nastavitve"
+    },
+    "quarantine": {
+        "learn_spam_delete": "Uči se kot neželena pošta in izbriši",
+        "medium_danger": "Srednje",
+        "notified": "Obveščen",
+        "low_danger": "Nizko",
+        "qinfo": "Sistem karantene bo zavrnjeno pošto shranil v zbirko podatkov (pošiljatelj ne bo imel vtisa, da je bila pošta dostavljena), prav tako pa bo pošto, ki bo dostavljena kot kopija, shranil v mapo »Neželena pošta« v nabiralniku.\n<br>»Uči kot neželeno pošto in izbriši« bo sporočilo prepoznal kot neželeno pošto prek Bayesovega izreka in izračunal tudi mehke zgoščene vrednosti, da bi v prihodnje zavrnil podobna sporočila.\n<br>Upoštevajte, da je učenje več sporočil lahko – odvisno od vašega sistema – zamudno.<br>Elementi na črnem seznamu so izključeni iz karantene.",
+        "junk_folder": "Mapa z neželeno pošto",
+        "action": "Dejanje",
+        "atts": "Priloge",
+        "check_hash": "Iskanje zgoščene vrednosti datoteke @ VT",
+        "confirm": "Potrdi",
+        "confirm_delete": "Potrdite brisanje tega elementa.",
+        "danger": "Nevarnost",
+        "deliver_inbox": "Dostavi v mapo »Prejeto«",
+        "disabled_by_config": "Trenutna konfiguracija sistema onemogoča funkcionalnost karantene. Nastavite »število hranjenj na poštni predal« in »največjo velikost« za elemente karantene.",
+        "download_eml": "Prenesi (.eml)",
+        "empty": "Ni rezultatov",
+        "high_danger": "Visoko",
+        "info": "Informacija",
+        "neutral_danger": "Nevtralno",
+        "qhandler_success": "Zahteva je bila uspešno poslana v sistem. Zdaj lahko zaprete okno.",
+        "qid": "Rspamd QID",
+        "qitem": "Predmet iz karantene"
+    },
+    "oauth2": {
+        "access_denied": "Za odobritev dostopa prek OAuth2 se prijavite kot lastnik poštnega predala.",
+        "authorize_app": "Avtorizacija aplikacije",
+        "deny": "Zavrni",
+        "permit": "Avtorizacija aplikacije",
+        "profile": "Profil",
+        "profile_desc": "Ogled osebnih podatkov: uporabniško ime, polno ime, ustvarjeno, spremenjeno, aktivno",
+        "scope_ask_permission": "Aplikacija je zahtevala naslednja dovoljenja"
     }
 }

From 4e7adacda9643f5c91dd64350e4f4a6a0573afef Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 24 Jun 2025 20:06:38 +0200
Subject: [PATCH 267/378] [Web] Updated lang.si-si.json (#6601)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 162 +++++++++++++++++++++++++++++++++-
 1 file changed, 160 insertions(+), 2 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index e3e35b508..91d4916ac 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -971,7 +971,9 @@
         "username": "Uporabniško ime",
         "waiting": "Čakanje",
         "yes": "&#10003;",
-        "weekly": "Tedensko"
+        "weekly": "Tedensko",
+        "sieve_info": "Na uporabnika lahko shranite več filtrov, vendar je lahko hkrati aktiven le en predfilter in en postfilter.<br>\nVsak filter bo obdelan v opisanem vrstnem redu. Niti neuspešen skript niti izdan ukaz »keep;« ne bosta ustavila obdelave nadaljnjih skript. Spremembe globalnih skriptov sita bodo sprožile ponovni zagon Dovecota.<br><br>Globalni predfilter sita &#8226; Predfilter &#8226; Uporabniški skripti &#8226; Postfilter &#8226; Globalni postfilter sita",
+        "tls_policy_maps_info": "Ta preslikava pravilnikov preglasi pravila odhodnega prenosa TLS neodvisno od uporabnikovih nastavitev pravilnikov TLS.<br>\n  Za več informacij preverite <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">dokumentacijo »smtp_tls_policy_maps«</a>."
     },
     "fido2": {
         "known_ids": "Znani ID-ji",
@@ -1027,7 +1029,36 @@
         "neutral_danger": "Nevtralno",
         "qhandler_success": "Zahteva je bila uspešno poslana v sistem. Zdaj lahko zaprete okno.",
         "qid": "Rspamd QID",
-        "qitem": "Predmet iz karantene"
+        "qitem": "Predmet iz karantene",
+        "spam_score": "Rezultat",
+        "text_from_html_content": "Vsebina (pretvorjen html)",
+        "quarantine": "Karantena",
+        "quick_delete_link": "Odpri povezavo za hitro brisanje",
+        "quick_info_link": "Odpri povezavo z informacijami",
+        "quick_release_link": "Odpri povezavo za hitro objavo",
+        "rcpt": "Prejemnik",
+        "received": "Prejeto",
+        "recipients": "Prejemniki",
+        "refresh": "Osveži",
+        "rejected": "Zavrnjeno",
+        "release": "Izdaja",
+        "release_body": "Vaše sporočilo smo priložili kot datoteko eml temu sporočilu.",
+        "release_subject": "Potencialno škodljiv predmet v karanteni %s",
+        "remove": "Odstrani",
+        "rewrite_subject": "Prepiši zadevo",
+        "rspamd_result": "Rezultat Rspamd",
+        "sender": "Pošiljatelj (SMTP)",
+        "sender_header": "Pošiljatelj (glava »Od«)",
+        "settings_info": "Največje število elementov za karanteno: %s<br>Največja velikost e-pošte: %s MiB",
+        "show_item": "Prikaži element",
+        "spam": "Neželena pošta",
+        "subj": "Zadeva",
+        "table_size": "Velikost tabele",
+        "table_size_show_n": "Prikaži %s elementov",
+        "text_plain_content": "Vsebina (besedilo/navadno)",
+        "toggle_all": "Preklopi vse",
+        "type": "Vrsta",
+        "quick_actions": "Dejanja"
     },
     "oauth2": {
         "access_denied": "Za odobritev dostopa prek OAuth2 se prijavite kot lastnik poštnega predala.",
@@ -1037,5 +1068,132 @@
         "profile": "Profil",
         "profile_desc": "Ogled osebnih podatkov: uporabniško ime, polno ime, ustvarjeno, spremenjeno, aktivno",
         "scope_ask_permission": "Aplikacija je zahtevala naslednja dovoljenja"
+    },
+    "queue": {
+        "info": "Čakalna vrsta pošte vsebuje vsa e-poštna sporočila, ki čakajo na dostavo. Če je e-poštno sporočilo dlje časa obtičalo v čakalni vrsti, ga sistem samodejno izbriše.<br>Sporočilo o napaki ustreznega e-poštnega sporočila vsebuje informacije o tem, zakaj sporočila ni bilo mogoče dostaviti.",
+        "delete": "Izbriši vse",
+        "flush": "Izprazni čakalno vrsto",
+        "legend": "Funkcije dejanj čakalne vrste pošte:",
+        "ays": "Potrdite, da želite izbrisati vse elemente iz trenutne čakalne vrste.",
+        "deliver_mail": "Dostavi",
+        "deliver_mail_legend": "Poskusi ponovne dostave izbranih e-poštnih sporočil.",
+        "hold_mail": "Zadrži",
+        "hold_mail_legend": "Zadrži izbrano pošto. (Prepreči nadaljnje poskuse dostave)",
+        "queue_manager": "Upravitelj čakalnih vrst",
+        "show_message": "Prikaži sporočilo",
+        "unban": "odblokiraj čakalno vrsto",
+        "unhold_mail": "Nezadrži",
+        "unhold_mail_legend": "Sprosti izbrana sporočila za dostavo. (Zahteva predhodno zadržanje)"
+    },
+    "success": {
+        "eas_reset": "Naprave ActiveSync za uporabnika %s so bile ponastavljene",
+        "alias_added": "Dodan je bil vzdevek %s (%d)",
+        "app_passwd_added": "Dodano novo geslo za aplikacijo",
+        "domain_add_dkim_available": "Ključ DKIM je že obstajal",
+        "custom_login_modified": "Prilagoditev prijave je bila uspešno shranjena",
+        "rl_saved": "Omejitev hitrosti za objekt %s je shranjena",
+        "domain_admin_modified": "Spremembe skrbnika domene %s so bile shranjene",
+        "license_modified": "Spremembe licence so bile shranjene",
+        "pushover_settings_edited": "Nastavitve Pushoverja so bile uspešno nastavljene, preverite poverilnice.",
+        "mailbox_renamed": "Poštni nabiralnik je bil preimenovan iz %s v %s",
+        "recovery_email_sent": "E-poštno sporočilo za obnovitev je bilo poslano na %s",
+        "relayhost_removed": "Vnos na zemljevidu %s je bil odstranjen",
+        "acl_saved": "ACL za objekt %s shranjen",
+        "admin_added": "Dodan je bil skrbnik %s",
+        "admin_api_modified": "Spremembe API-ja so bile shranjene",
+        "admin_modified": "Spremembe skrbnika so bile shranjene",
+        "admin_removed": "Administrator %s je bil odstranjen",
+        "alias_domain_removed": "Vzdevek domene %s je bil odstranjen",
+        "alias_modified": "Spremembe vzdevka %s so bile shranjene",
+        "alias_removed": "Vzdevek %s je bil odstranjen",
+        "aliasd_added": "Dodan vzdevek domene %s",
+        "aliasd_modified": "Spremembe vzdevka domene %s so bile shranjene",
+        "app_links": "Shranjene spremembe povezav aplikacij",
+        "app_passwd_removed": "Odstranjen ID gesla za aplikacijo %s",
+        "bcc_deleted": "Vnosi na zemljevidu BCC so izbrisani: %s",
+        "bcc_edited": "Vnos na zemljevidu BCC %s je bil urejen",
+        "db_init_complete": "Inicializacija baze podatkov končana",
+        "delete_filter": "Izbrisani filtri ID %s",
+        "delete_filters": "Izbrisani filtri: %s",
+        "deleted_syncjob": "Izbrisan ID sinhronizacijskega opravila %s",
+        "deleted_syncjobs": "Izbrisana opravila sinhronizacije: %s",
+        "dkim_added": "Ključ DKIM %s je bil shranjen",
+        "dkim_duplicated": "Ključ DKIM za domeno %s je bil kopiran v %s",
+        "dkim_removed": "Ključ DKIM %s je bil odstranjen",
+        "domain_added": "Dodana domena %s",
+        "domain_admin_added": "Dodan je bil skrbnik domene %s",
+        "domain_admin_removed": "Skrbnik domene %s je bil odstranjen",
+        "domain_footer_modified": "Spremembe v nogi domene %s so bile shranjene",
+        "domain_modified": "Spremembe domene %s so bile shranjene",
+        "domain_removed": "Domena %s je bila odstranjena",
+        "dovecot_restart_success": "Dovecot je bil uspešno ponovno zagnan",
+        "f2b_banlist_refreshed": "ID seznama prepovedanih je bil uspešno osvežen.",
+        "f2b_modified": "Spremembe parametrov Fail2ban so bile shranjene",
+        "forwarding_host_added": "Dodan je bil posredovalni gostitelj %s",
+        "forwarding_host_removed": "Gostitelj za posredovanje %s je bil odstranjen",
+        "global_filter_written": "Filter je bil uspešno zapisan v datoteko",
+        "hash_deleted": "Zgoščena vrednost je izbrisana",
+        "iam_test_connection": "Povezava je bila uspešna",
+        "ip_check_opt_in_modified": "Preverjanje IP-ja je bilo uspešno shranjeno",
+        "item_deleted": "Element %s je bil uspešno izbrisan",
+        "items_deleted": "Element %s je bil uspešno izbrisan",
+        "items_released": "Izbrani elementi so bili izdani",
+        "logged_in_as": "Prijavljen kot %s",
+        "mailbox_added": "Dodan je bil poštni predal %s",
+        "mailbox_modified": "Spremembe poštnega nabiralnika %s so bile shranjene",
+        "mailbox_removed": "Poštni nabiralnik %s je bil odstranjen",
+        "nginx_reloaded": "Nginx je bil ponovno naložen",
+        "object_modified": "Spremembe objekta %s so bile shranjene",
+        "password_policy_saved": "Pravilnik o geslih je bil uspešno shranjen",
+        "password_changed_success": "Geslo je bilo uspešno spremenjeno",
+        "qlearn_spam": "Sporočilo z ID-jem %s je bilo prepoznano kot neželena pošta in izbrisano",
+        "queue_command_success": "Ukaz za čakalno vrsto je bil uspešno zaključen",
+        "recipient_map_entry_deleted": "ID zemljevida prejemnika %s je bil izbrisan",
+        "recipient_map_entry_saved": "Vnos zemljevida prejemnika »%s« je bil shranjen",
+        "relayhost_added": "Dodan je bil vnos na zemljevid %s",
+        "reset_main_logo": "Ponastavi na privzeti logotip",
+        "resource_added": "Dodan je bil vir %s",
+        "resource_modified": "Spremembe poštnega nabiralnika %s so bile shranjene",
+        "resource_removed": "Vir %s je bil odstranjen",
+        "rspamd_ui_pw_set": "Geslo uporabniškega vmesnika Rspamd je bilo uspešno nastavljeno",
+        "settings_map_added": "Dodan vnos nastavitev zemljevida",
+        "settings_map_removed": "Odstranjen ID zemljevida nastavitev %s",
+        "sogo_profile_reset": "Profil SOGo za uporabnika %s je bil ponastavljen",
+        "template_added": "Dodana predloga %s",
+        "template_modified": "Spremembe predloge %s so bile shranjene",
+        "template_removed": "ID predloge %s je bil izbrisan",
+        "tls_policy_map_entry_deleted": "ID zemljevida pravilnika TLS %s je bil izbrisan",
+        "tls_policy_map_entry_saved": "Vnos zemljevida pravilnika TLS »%s« je bil shranjen",
+        "ui_texts": "Shranjene spremembe besedil uporabniškega vmesnika",
+        "upload_success": "Datoteka je bila uspešno naložena",
+        "verified_fido2_login": "Preverjena prijava v FIDO2",
+        "verified_totp_login": "Preverjena prijava v TOTP",
+        "verified_webauthn_login": "Preverjena prijava v WebAuth",
+        "verified_yotp_login": "Preverjena prijava z enkratnim geslom Yubico",
+        "bcc_saved": "Vnos na zemljevidu BCC je shranjen",
+        "cors_headers_edited": "Nastavitve CORS so bile shranjene",
+        "item_released": "Izdan je bil element %s",
+        "saved_settings": "Shranjene nastavitve"
+    },
+    "start": {
+        "imap_smtp_server_auth_info": "Prosimo, uporabite svoj celoten e-poštni naslov in mehanizem za preverjanje pristnosti PLAIN.<br>\nVaši podatki za prijavo bodo šifrirani z obveznim šifriranjem na strani strežnika.",
+        "help": "Prikaži/skrij ploščo s pomočjo"
+    },
+    "tfa": {
+        "api_register": "%s uporablja Yubico Cloud API. Pridobite API ključ za svoj ključ <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">tukaj</a>",
+        "authenticators": "Preverjevalniki pristnosti",
+        "confirm": "Potrdi",
+        "delete_tfa": "Onemogoči TFA",
+        "disable_tfa": "Onemogoči TFA do naslednje uspešne prijave",
+        "enter_qr_code": "Vaša koda TOTP, če vaša naprava ne more skenirati kod QR",
+        "error_code": "Koda napake",
+        "confirm_totp_token": "Spremembe potrdite z vnosom ustvarjenega žetona."
+    },
+    "ratelimit": {
+        "disabled": "Onemogočeno",
+        "second": "sporočil / sekundo",
+        "minute": "sporočil / minuto",
+        "hour": "sporočil / uro",
+        "day": "sporočil / dan"
     }
 }

From a0f5454c2a980c9de255fdc4b777bf1aad958858 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sun, 29 Jun 2025 18:12:59 +0200
Subject: [PATCH 268/378] [Web] Updated lang.si-si.json (#6609)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 212 +++++++++++++++++++++++++++++++++-
 1 file changed, 208 insertions(+), 4 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 91d4916ac..474328e38 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -407,7 +407,8 @@
         "reset_password_vars": "<code>{{link}}<code> Ustvarjena povezava za ponastavitev gesla<br><code>{{username}}<code> Ime nabiralnika uporabnika, ki je zahteval ponastavitev gesla<br><code>{{username2}}<code> Ime obnovitvenega nabiralnika<br><code>{{date}}<code> Datum zahteve za ponastavitev gesla<br><code>{{token_lifetime}}<code> Življenjska doba žetona v minutah<br><code>{{hostname}}<code> Ime gostitelja mailcow",
         "restore_template": "Za obnovitev privzete predloge pustite polje prazno.",
         "task": "Naloga",
-        "user_link": "Uporabniška povezava"
+        "user_link": "Uporabniška povezava",
+        "iam_realm": "Realm"
     },
     "danger": {
         "alias_goto_identical": "Alias in goto naslov morata biti identična",
@@ -813,7 +814,7 @@
         "booking_ltnull": "Neomejeno, vendar se ob rezervaciji prikaži kot zasedeno",
         "alias_domain_alias_hint": "Vzdevki se na vzdevke domen samodejno <b>ne</b> uporabijo. Naslov vzdevka <code>my-alias@domain</code> <b>ne</b> pokriva naslova <code>my-alias@alias-domain</code> (kjer je \"vzdevek domene\" namišljeni vzdevek domene za \"domeno\").<br>Za preusmeritev pošte v zunanji nabiralnik uporabite filter sito (glejte zavihek »Filtri« ali uporabite SOGo -> Posrednik). Za samodejno dodajanje manjkajočih vzdevkov uporabite \"Razširi vzdevek čez domene vzdevkov\".",
         "q_all": " ob premiku v mapo Neželena pošta in ob zavrnitvi",
-        "bcc_info": "BCC zemljevidi se uporabljajo za tiho posredovanje kopij vseh sporočil na drug naslov. Vnos vrste preslikave prejemnika se uporablja, kadar lokalni cilj deluje kot prejemnik pošte. Preslikave pošiljatelja delujejo po istem načelu.<br>\nLokalni cilj ne bo obveščen o neuspeli dostavi.",
+        "bcc_info": "BCC zemljevidi se uporabljajo za tiho posredovanje kopij vseh sporočil na drug naslov. Vnos vrste preslikave prejemnika se uporablja, kadar lokalni cilj deluje kot prejemnik pošte. Preslikave pošiljatelja delujejo po istem načelu.<br>\n  Lokalni cilj ne bo obveščen o neuspeli dostavi.",
         "force_pw_update": "Vsiljena posodobitev gesla ob naslednji prijavi",
         "recipient_map_new_info": "Cilj zemljevida prejemnika mora biti veljaven e-poštni naslov ali ime domene.",
         "recipient_map_old_info": "Izvirni cilj prejemnika mora biti veljaven e-poštni naslov ali ime domene.",
@@ -1173,7 +1174,8 @@
         "bcc_saved": "Vnos na zemljevidu BCC je shranjen",
         "cors_headers_edited": "Nastavitve CORS so bile shranjene",
         "item_released": "Izdan je bil element %s",
-        "saved_settings": "Shranjene nastavitve"
+        "saved_settings": "Shranjene nastavitve",
+        "learned_ham": "Uspešno naučen ID %s kot zaželjen"
     },
     "start": {
         "imap_smtp_server_auth_info": "Prosimo, uporabite svoj celoten e-poštni naslov in mehanizem za preverjanje pristnosti PLAIN.<br>\nVaši podatki za prijavo bodo šifrirani z obveznim šifriranjem na strani strežnika.",
@@ -1187,7 +1189,25 @@
         "disable_tfa": "Onemogoči TFA do naslednje uspešne prijave",
         "enter_qr_code": "Vaša koda TOTP, če vaša naprava ne more skenirati kod QR",
         "error_code": "Koda napake",
-        "confirm_totp_token": "Spremembe potrdite z vnosom ustvarjenega žetona."
+        "confirm_totp_token": "Spremembe potrdite z vnosom ustvarjenega žetona",
+        "tfa": "Dvofaktorska avtentikacija",
+        "webauthn": "Preverjanje pristnosti WebAuthn",
+        "none": "Deaktiviraj",
+        "init_webauthn": "Inicializacija, prosim počakajte...",
+        "key_id": "Identifikator za vašo napravo",
+        "key_id_totp": "Identifikator za vaš ključ",
+        "reload_retry": "- (če napaka vztraja, znova zaženite brskalnik)",
+        "scan_qr_code": "Prosimo, skenirajte naslednjo kodo z aplikacijo za preverjanje pristnosti ali jo vnesite ročno.",
+        "select": "Prosimo, izberite",
+        "set_tfa": "Nastavite metodo dvofaktorske avtentikacije",
+        "start_webauthn_validation": "Začni validacijo",
+        "tfa_token_invalid": "Žeton TFA neveljaven",
+        "totp": "Enkratno geslo na podlagi časa (Google Authenticator, Authy itd.)",
+        "u2f_deprecated": "Zdi se, da je bil vaš ključ registriran z zastarelo metodo U2F. Deaktivirali bomo dvofaktorsko overjanje in izbrisali vaš ključ.",
+        "u2f_deprecated_important": "Prosimo, registrirajte svoj ključ v skrbniški plošči z novo metodo WebAuthn.",
+        "waiting_usb_auth": "<i>Čakanje na napravo USB ...</i><br><br>Zdaj se dotaknite gumba na napravi USB.",
+        "waiting_usb_register": "<i>Čakanje na napravo USB ...</i><br><br>Vnesite svoje geslo zgoraj in potrdite registracijo tako, da tapnete gumb na napravi USB.",
+        "yubi_otp": "Avtentikacija z enkratnim geslom Yubico"
     },
     "ratelimit": {
         "disabled": "Onemogočeno",
@@ -1195,5 +1215,189 @@
         "minute": "sporočil / minuto",
         "hour": "sporočil / uro",
         "day": "sporočil / dan"
+    },
+    "user": {
+        "create_syncjob": "Ustvari novo sinhronizacijsko opravilo",
+        "open_webmail_sso": "Spletna pošta",
+        "attribute": "Atribut",
+        "description": "Opis",
+        "direct_aliases_desc": "Na neposredne vzdevke vplivajo nastavitve filtra neželene pošte in pravilnika TLS.",
+        "direct_protocol_access": "Ta uporabnik poštnega predala ima <b>neposreden zunanji dostop</b> do naslednjih protokolov in aplikacij. To nastavitev nadzoruje vaš skrbnik. Za dostop do posameznih protokolov in aplikacij je mogoče ustvariti gesla za aplikacije.<br>Gumb »Spletna pošta« omogoča enotno prijavo v SOGo in je vedno na voljo.",
+        "shared_aliases_desc": "Na uporabniške nastavitve, kot sta filter neželene pošte ali pravilnik za šifriranje, ne vplivajo skupni vzdevki. Ustrezne filtre neželene pošte lahko nastavi le skrbnik kot pravilnik za celotno domeno.",
+        "force_pw_update": "Za dostop do storitev, povezanih s skupinsko programsko opremo, <b>morate</b> nastaviti novo geslo.",
+        "new_password": "Novo geslo",
+        "password_reset_info": "Če ni naveden e-poštni naslov za obnovitev gesla, te funkcije ni mogoče uporabiti.",
+        "pushover_sender_array": "Upoštevajte naslednje e-poštne naslove pošiljateljev <small>(ločeni z vejico)</small>",
+        "tag_help_explain": "V podmapi: pod mapo INBOX (\"INBOX/Facebook\") bo ustvarjena nova podmapa, poimenovana po oznaki.<br>\nV zadevi: ime oznake bo dodano pred zadevo e-poštnega sporočila, na primer: \"[Facebook] Moje novice\".",
+        "pushover_vars": "Če filter pošiljatelja ni definiran, bodo upoštevana vsa e-poštna sporočila.<br>Filtre regularnih izrazov in natančna preverjanja pošiljateljev je mogoče definirati posamično in bodo obravnavana zaporedno. Niso odvisna drug od drugega.<br>Uporabne spremenljivke za besedilo in naslov (upoštevajte pravilnike o varstvu podatkov)",
+        "quarantine_notification_info": "Ko je obvestilo poslano, bodo elementi označeni kot »obveščeni« in za ta določen element ne bodo poslana nobena nadaljnja obvestila.",
+        "verify": "Preveri",
+        "spamfilter_bl_desc": "E-poštni naslovi na črnem seznamu, ki jih <b>vedno</b> razvrstite kot neželeno pošto in zavrnete. Zavrnjena pošta <b>ne</b> bo kopirana v karanteno. Uporabite lahko nadomestne znake. Filter se uporabi samo za neposredne vzdevke (vzdevke z enim samim ciljnim nabiralnikom), izključujoč vseobsegajoče vzdevke in sam nabiralnik.",
+        "spamfilter_wl_desc": "E-poštni naslovi na belem seznamu so programirani tako, da se <b>nikoli</b> ne razvrstijo kot neželena pošta. Uporabijo se lahko nadomestni znaki. Filter se uporabi samo za neposredne vzdevke (vzdevke z enim samim ciljnim poštnim predalom), izključujoč vseobsegajoče vzdevke in sam poštni predal.",
+        "tls_policy_warning": "<strong>Opozorilo:</strong> Če se odločite za uveljavitev šifriranega prenosa pošte, lahko izgubite e-pošto.<br>Sporočila, ki ne ustrezajo pravilniku, bo poštni sistem zavrnil s popolno napako.<br>Ta možnost velja za vaš primarni e-poštni naslov (prijavno ime), vse naslove, izpeljane iz vzdevkov domen, in vzdevke, <b>ki imajo samo ta en poštni predal</b> kot cilj.",
+        "allowed_protocols": "Dovoljeni protokoli",
+        "title": "Naslov",
+        "action": "Dejanje",
+        "active": "Aktivno",
+        "active_sieve": "Aktiven filter",
+        "advanced_settings": "Napredne nastavitve",
+        "alias": "Vzdevek",
+        "alias_create_random": "Generiraj naključne vzdevke",
+        "alias_extend_all": "Podaljšaj vzdevek za 1 uro",
+        "alias_full_date": "d.m.Y, H:i:s T",
+        "alias_remove_all": "Odstrani vse vzdevke",
+        "alias_select_validity": "Obdobje veljavnosti",
+        "alias_time_left": "Preostali čas",
+        "alias_valid_until": "Veljavno do",
+        "aliases_also_send_as": "Pošiljanje je dovoljeno tudi kot uporabnik",
+        "aliases_send_as_all": "Ne preverjaj dostopa pošiljatelja za naslednje domene in njihove vzdevke",
+        "app_hint": "Gesla aplikacij so alternativna gesla za prijavo v IMAP, SMTP, CalDAV, CardDAV in EAS. Uporabniško ime ostane nespremenjeno. Spletna pošta SOGo ni na voljo prek gesel aplikacij.",
+        "app_name": "Ime aplikacije",
+        "app_passwds": "Gesla aplikacij",
+        "apple_connection_profile": "Profil povezave Apple",
+        "apple_connection_profile_complete": "Ta profil povezave vključuje parametre IMAP in SMTP ter poti CalDAV (koledarji) in CardDAV (stiki) za napravo Apple.",
+        "apple_connection_profile_mailonly": "Ta profil povezave vključuje konfiguracijske parametre IMAP in SMTP za napravo Apple.",
+        "apple_connection_profile_with_app_password": "Novo geslo za aplikacijo se ustvari in doda v profil, tako da pri nastavitvi naprave ni treba vnesti gesla. Datoteke ne delite, saj omogoča poln dostop do vašega nabiralnika.",
+        "authentication": "Avtentikacija",
+        "change_password": "Spremeni geslo",
+        "change_password_hint_app_passwords": "Vaš račun ima %d gesel aplikacij, ki ne bodo spremenjena. Če jih želite upravljati, odprite zavihek Gesla aplikacij.",
+        "clear_recent_successful_connections": "Jasno vidne uspešne povezave",
+        "client_configuration": "Prikaži vodnike za konfiguracijo e-poštnih odjemalcev in pametnih telefonov",
+        "create_app_passwd": "Ustvari geslo za aplikacijo",
+        "created_on": "Ustvarjeno dne",
+        "daily": "Dnevno",
+        "day": "dan",
+        "delete_ays": "Prosimo, potrdite postopek brisanja.",
+        "direct_aliases": "Neposredni vzdevki",
+        "eas_reset": "Ponastavi predpomnilnik naprave ActiveSync",
+        "eas_reset_help": "V mnogih primerih bo ponastavitev predpomnilnika naprave pomagala obnoviti pokvarjen profil ActiveSync.<br><b>Pozor:</b> Vsi elementi bodo ponovno preneseni!",
+        "eas_reset_now": "Ponastavi zdaj",
+        "edit": "Uredi",
+        "email": "E-pošta",
+        "email_and_dav": "E-pošta, koledarji in stiki",
+        "empty": "Ni rezultatov",
+        "encryption": "Šifriranje",
+        "excludes": "Izključuje",
+        "expire_in": "Poteče čez",
+        "fido2_webauthn": "FIDO2/WebAuthn",
+        "from": "od",
+        "generate": "ustvari",
+        "hour": "ura",
+        "hourly": "Urno",
+        "hours": "ure",
+        "in_use": "Uporabljeno",
+        "interval": "Interval",
+        "is_catch_all": "Vseobsegajoča povezava za domeno/e",
+        "last_mail_login": "Zadnja prijava v e-pošto",
+        "last_pw_change": "Zadnja sprememba gesla",
+        "last_run": "Zadnji zagon",
+        "last_ui_login": "Zadnja prijava v uporabniški vmesnik",
+        "loading": "Nalaganje ...",
+        "login_history": "Zgodovina prijav",
+        "mailbox": "Poštni nabiralnik",
+        "mailbox_details": "Podrobnosti",
+        "mailbox_general": "Splošno",
+        "mailbox_settings": "Nastavitve",
+        "messages": "sporočila",
+        "month": "mesec",
+        "months": "meseci",
+        "never": "Nikoli",
+        "new_password_repeat": "Potrditveno geslo (ponovite)",
+        "no_active_filter": "Ni aktivnega filtra",
+        "no_last_login": "Ni zadnjih podatkov za prijavo v uporabniški vmesnik",
+        "no_record": "Ni zapisa",
+        "open_logs": "Odpri dnevnike",
+        "overview": "Pregled",
+        "password": "Geslo",
+        "password_now": "Trenutno geslo (potrdite spremembe)",
+        "password_repeat": "Geslo (ponovite)",
+        "protocols": "Protokoli",
+        "pushover_evaluate_x_prio": "Eskalacija e-pošte z visoko prioriteto [<code>X-Priority: 1</code>]",
+        "pushover_info": "Nastavitve potisnih obvestil bodo veljale za vso čisto (ne neželeno) pošto, dostavljeno na <b>%s</b>, vključno z vzdevki (v skupni rabi, brez skupne rabe, označeni).",
+        "pushover_only_x_prio": "Upoštevaj samo pošto z visoko prioriteto [<code>X-Priority: 1</code>]",
+        "pushover_sender_regex": "Poišči ujemanje pošiljateljev z naslednjim regularnim izrazom",
+        "pushover_text": "Besedilo obvestila",
+        "pushover_title": "Naslov obvestila",
+        "pushover_sound": "Zvok",
+        "pushover_verify": "Preverite poverilnice",
+        "pw_recovery_email": "E-poštno sporočilo za obnovitev gesla",
+        "q_add_header": "Mapa z neželeno pošto",
+        "q_reject": "Zavrnjeno",
+        "quarantine_category": "Kategorija obvestil o karanteni",
+        "quarantine_category_info": "Kategorija obvestil »Zavrnjeno« vključuje zavrnjeno pošto, medtem ko »Mapa z neželeno pošto« obvesti uporabnika o e-pošti, ki je bila premaknjena v mapo z neželeno pošto.",
+        "quarantine_notification": "Obvestila o karanteni",
+        "recent_successful_connections": "Videne uspešne povezave",
+        "remove": "Odstrani",
+        "running": "V teku",
+        "save": "Shrani spremembe",
+        "save_changes": "Shrani spremembe",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Preverjanje pošiljatelja je onemogočeno</span>",
+        "shared_aliases": "Skupni vzdevki",
+        "show_sieve_filters": "Prikaži filter sita aktivnega uporabnika",
+        "sogo_profile_reset": "Ponastavi profil SOGo",
+        "sogo_profile_reset_help": "S tem boste uničili uporabnikov profil SOGo in <b>nepovratno izbrisali vse stike in podatke koledarja</b>.",
+        "sogo_profile_reset_now": "Ponastavi profil zdaj",
+        "spam_aliases": "Začasni vzdevki e-pošte",
+        "spam_score_reset": "Ponastavi na privzete nastavitve strežnika",
+        "spamfilter": "Filter neželene pošte",
+        "spamfilter_behavior": "Ocena",
+        "spamfilter_bl": "Črna lista",
+        "spamfilter_default_score": "Privzete vrednosti",
+        "spamfilter_green": "Zelena: to sporočilo ni neželena pošta",
+        "spamfilter_hint": "Prva vrednost opisuje »nizko oceno neželene pošte«, druga pa »visoko oceno neželene pošte«.",
+        "spamfilter_red": "Rdeča: To sporočilo je neželena pošta in ga bo strežnik zavrnil.",
+        "spamfilter_table_action": "Dejanje",
+        "spamfilter_table_add": "Dodaj element",
+        "spamfilter_table_domain_policy": "ni na voljo (pravilnik domene)",
+        "spamfilter_table_empty": "Ni podatkov za prikaz",
+        "spamfilter_table_remove": "odstrani",
+        "spamfilter_table_rule": "Pravilo",
+        "spamfilter_wl": "Bela lista",
+        "spamfilter_yellow": "Rumena: to sporočilo je morda neželena pošta, označeno bo kot neželena pošta in premaknjeno v mapo z neželeno pošto",
+        "status": "Stanje",
+        "sync_jobs": "Sinhronizacija opravil",
+        "syncjob_check_log": "Preveri dnevnik",
+        "syncjob_last_run_result": "Rezultat zadnjega zagona",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Težava s povezavo",
+        "syncjob_EXIT_TLS_FAILURE": "Težava s šifrirano povezavo",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Težava z overjanjem",
+        "syncjob_EXIT_OVERQUOTA": "Ciljni poštni predal presega kvoto",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Ni mogoče vzpostaviti povezave z oddaljenim strežnikom",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Napačno uporabniško ime ali geslo",
+        "tag_handling": "Nastavitev obravnave označene pošte",
+        "tag_help_example": "Primer označenega e-poštnega naslova: jaz<b>+Facebook</b>@example.org",
+        "tag_in_none": "Ne naredi ničesar",
+        "tag_in_subfolder": "V podmapi",
+        "tag_in_subject": "V zadevi",
+        "text": "Besedilo",
+        "tfa_info": "Dvofaktorska avtentikacija pomaga zaščititi vaš račun. Če jo omogočite, boste za prijavo v aplikacije ali storitve, ki ne podpirajo dvofaktorske avtentikacije (npr. poštni odjemalci), potrebovali gesla za aplikacije.",
+        "tls_enforce_in": "Uveljavi dohodni TLS",
+        "tls_enforce_out": "Uveljavi odhodni TLS",
+        "tls_policy": "Pravilnik o šifriranju",
+        "user_settings": "Uporabniške nastavitve",
+        "username": "Uporabniško ime",
+        "value": "Vrednost",
+        "week": "teden",
+        "weekly": "Tedensko",
+        "weeks": "tedni",
+        "with_app_password": "z geslom za aplikacijo",
+        "year": "leto",
+        "years": "leta",
+        "waiting": "Čakanje",
+        "q_all": "Vse kategorije",
+        "syncjob_EX_OK": "Uspeh"
+    },
+    "warning": {
+        "cannot_delete_self": "Prijavljenega uporabnika ni mogoče izbrisati",
+        "domain_added_sogo_failed": "Domena je bila dodana, vendar ponovni zagon SOGo ni uspel. Preverite dnevnike strežnika.",
+        "dovecot_restart_failed": "Dovecota ni uspelo znova zagnati, preverite dnevnike.",
+        "fuzzy_learn_error": "Napaka učenja mehkega zgoščevanja: %s",
+        "hash_not_found": "Zgoščena vrednost ni bila najdena ali je bila že izbrisana",
+        "ip_invalid": "Preskočen neveljaven IP: %s",
+        "is_not_primary_alias": "Preskočen neprimarni vzdevek %s",
+        "no_active_admin": "Zadnjega aktivnega skrbnika ni mogoče deaktivirati",
+        "quota_exceeded_scope": "Kvota domene presežena: V tem obsegu domene je mogoče ustvariti le neomejeno število poštnih predalov.",
+        "session_token": "Neveljaven žeton obrazca: Neujemanje žetonov",
+        "session_ua": "Neveljaven žeton obrazca: Napaka pri preverjanju uporabniškega agenta"
     }
 }

From 1e4f3c55d82503dffa7987499c877780ae7d00d6 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 1 Jul 2025 17:14:24 +0200
Subject: [PATCH 269/378] [Web] Updated lang.pt-pt.json (#6614)

Co-authored-by: luiscanato <luiscanato@gmail.com>
---
 data/web/lang/lang.pt-pt.json | 65 +++++++++++++++++++++++++++++++----
 1 file changed, 59 insertions(+), 6 deletions(-)

diff --git a/data/web/lang/lang.pt-pt.json b/data/web/lang/lang.pt-pt.json
index baa90f797..fafb957c9 100644
--- a/data/web/lang/lang.pt-pt.json
+++ b/data/web/lang/lang.pt-pt.json
@@ -1,7 +1,7 @@
 {
     "add": {
         "active": "Ativo",
-        "add": "Salvar",
+        "add": "Guardar",
         "alias_address": "Apelidos:",
         "alias_address_info": "<small>Endereço de email completo ou @example.com, para uma conta coringa -catch all. (separado por vírgula). <b>apenas domínios cadastrados</b>.</small>",
         "alias_domain": "Encaminhamento de Domínio",
@@ -17,7 +17,7 @@
         "max_mailboxes": "Máximo de contas:",
         "password": "Senha:",
         "password_repeat": "Confirmar a senha (repetir):",
-        "port": "Port",
+        "port": "Porta",
         "quota_mb": "Espaço (MiB):",
         "relay_all": "Relay para todas as contas",
         "relay_all_info": "<small>Se <b>não</b> selecionar para retransmitir todas as contas, você deve adicionar uma (\"blind\") para cada conta que será direcionada.</small>",
@@ -27,13 +27,25 @@
         "target_address": "Encaminhar para:",
         "target_address_info": "<small>Endereço de email completo (separado por vírgulas).</small>",
         "target_domain": "Domínio de Destino:",
-        "username": "Administrador"
+        "username": "Nome de utilizador",
+        "app_name": "Nome da App",
+        "destination": "Destino",
+        "generate": "gerar",
+        "private_comment": "Comentário privado",
+        "inactive": "Inativo",
+        "public_comment": "Comentário público",
+        "sieve_desc": "Breve descrição",
+        "sieve_type": "Tipo de filtro",
+        "subscribeall": "Subscrever todas as pastas",
+        "syncjob": "Adicionar sincronização",
+        "validate": "Validar",
+        "validation_success": "Validado com sucesso"
     },
     "admin": {
         "access": "Acessos",
         "action": "Ação",
         "active": "Ativo",
-        "add": "Salvar",
+        "add": "Adicionar",
         "add_domain_admin": "Adicionar administrador de domínio(s)",
         "admin": "Administrador",
         "admin_details": "Editar informações do administrator",
@@ -58,7 +70,43 @@
         "search_domain_da": "Selecione o(s) domínio(s)",
         "spamfilter": "Filtro de Spam",
         "unchanged_if_empty": "Deixar em branco para não alterar",
-        "username": "Administrador"
+        "username": "Administrador",
+        "add_row": "Adicionar linha",
+        "add_transport": "Adicionar transporte",
+        "change_logo": "Alterar logo",
+        "filter": "Filtro",
+        "iam_port": "Porta",
+        "iam_use_ssl": "Usar SSL",
+        "iam_version": "Versão",
+        "import": "Importar",
+        "import_private_key": "Importar chave privada",
+        "message": "Mensagem",
+        "dkim_private_key": "Chave privada",
+        "customize": "Personalizar",
+        "destination": "Destino",
+        "dkim_from": "De",
+        "activate_api": "Ativar API",
+        "add_admin": "Adicionar administrador",
+        "admins": "Administradores",
+        "advanced_settings": "Configurações avançadas",
+        "api_key": "Chave API",
+        "api_read_only": "Acesso leitura",
+        "api_read_write": "Acesso leitura e escrita",
+        "login_page": "Página de login",
+        "dkim_key_missing": "Chave em falta",
+        "dkim_key_valid": "Chave válida",
+        "dkim_to": "Para",
+        "domain_admin": "Administrador de dominio",
+        "domain_s": "Dominio(s)",
+        "duplicate": "Duplicar",
+        "duplicate_dkim": "Duplicar registo DKIM",
+        "empty": "Sem resultados",
+        "excludes": "Excluir estes recipientes",
+        "f2b_filter": "Filtros de regex",
+        "from": "De",
+        "generate": "gerar",
+        "html": "HTML",
+        "iam_import_users": "Importar Utilizadores"
     },
     "danger": {
         "access_denied": "Acesso negado ou dados inválidos",
@@ -270,5 +318,10 @@
         "username": "Administrador",
         "week": "Semana",
         "weeks": "Semanas"
+    },
+    "acl": {
+        "tls_policy": "Política de TLS",
+        "quarantine_attachments": "Anexos de quarentena",
+        "filters": "Filtros"
     }
-}
\ No newline at end of file
+}

From 2fbbbbe9a981ed90834ee838016a3842915a00bd Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Wed, 2 Jul 2025 08:59:29 +0200
Subject: [PATCH 270/378] [Dovecot] Use Jinja2 sandbox for rendering quota and
 quarantine notifications

---
 data/Dockerfiles/dovecot/quarantine_notify.py | 26 ++++++++++++-------
 data/Dockerfiles/dovecot/quota_notify.py      | 22 +++++++++++-----
 docker-compose.yml                            |  2 +-
 3 files changed, 32 insertions(+), 18 deletions(-)

diff --git a/data/Dockerfiles/dovecot/quarantine_notify.py b/data/Dockerfiles/dovecot/quarantine_notify.py
index dfcb1f2c6..824d4092f 100755
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -8,7 +8,8 @@ from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
 from email.utils import COMMASPACE, formatdate
 import jinja2
-from jinja2 import Template
+from jinja2 import TemplateError
+from jinja2.sandbox import SandboxedEnvironment
 import json
 import redis
 import time
@@ -80,17 +81,22 @@ try:
     if len(meta_query) == 0:
       return
     msg_count = len(meta_query)
+    env = SandboxedEnvironment()
     if r.get('Q_HTML'):
-      try:
-        template = Template(r.get('Q_HTML'))
-      except:
-        print("Error: Cannot parse quarantine template, falling back to default template.")
-        with open('/templates/quarantine.tpl') as file_:
-          template = Template(file_.read())
+        try:
+            template = env.from_string(r.get('Q_HTML'))
+        except Exception:
+            print("Error: Cannot parse quarantine template, falling back to default template.")
+            with open('/templates/quarantine.tpl') as file_:
+                template = env.from_string(file_.read())
     else:
-      with open('/templates/quarantine.tpl') as file_:
-        template = Template(file_.read())
-    html = template.render(meta=meta_query, username=rcpt, counter=msg_count, hostname=mailcow_hostname, quarantine_acl=quarantine_acl)
+        with open('/templates/quarantine.tpl') as file_:
+            template = env.from_string(file_.read())
+    try:
+        html = template.render(meta=meta_query, username=rcpt, counter=msg_count, hostname=mailcow_hostname, quarantine_acl=quarantine_acl)
+    except (jinja2.exceptions.SecurityError, TemplateError) as ex:
+        print(f"SecurityError or TemplateError in template rendering: {ex}")
+        return
     text = html2text.html2text(html)
     count = 0
     while count < 15:
diff --git a/data/Dockerfiles/dovecot/quota_notify.py b/data/Dockerfiles/dovecot/quota_notify.py
index 598134e22..99be7cc68 100755
--- a/data/Dockerfiles/dovecot/quota_notify.py
+++ b/data/Dockerfiles/dovecot/quota_notify.py
@@ -6,7 +6,7 @@ from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
 from email.utils import COMMASPACE, formatdate
 import jinja2
-from jinja2 import Template
+from jinja2.sandbox import SandboxedEnvironment
 import redis
 import time
 import json
@@ -33,16 +33,24 @@ while True:
 
 if r.get('QW_HTML'):
   try:
-    template = Template(r.get('QW_HTML'))
-  except:
-    print("Error: Cannot parse quarantine template, falling back to default template.")
+    env = SandboxedEnvironment()
+    template = env.from_string(r.get('QW_HTML'))
+  except Exception:
+    print("Error: Cannot parse quota template, falling back to default template.")
     with open('/templates/quota.tpl') as file_:
-      template = Template(file_.read())
+      env = SandboxedEnvironment()
+      template = env.from_string(file_.read())
 else:
   with open('/templates/quota.tpl') as file_:
-    template = Template(file_.read())
+    env = SandboxedEnvironment()
+    template = env.from_string(file_.read())
+
+try:
+  html = template.render(username=username, percent=percent)
+except (jinja2.exceptions.SecurityError, jinja2.TemplateError) as ex:
+  print(f"SecurityError or TemplateError in template rendering: {ex}")
+  sys.exit(1)
 
-html = template.render(username=username, percent=percent)
 text = html2text.html2text(html)
 
 try:
diff --git a/docker-compose.yml b/docker-compose.yml
index a67475316..6db20454e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -251,7 +251,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: ghcr.io/mailcow/dovecot:2.33
+      image: ghcr.io/mailcow/dovecot:2.34
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From ec6dbb099aa4ae559b10217906a62da694c6f182 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Wed, 2 Jul 2025 10:37:23 +0200
Subject: [PATCH 271/378] [ACME] Remove deprecated ACME_CONTACT variable

---
 data/Dockerfiles/acme/acme.sh               | 14 +------
 data/Dockerfiles/acme/obtain-certificate.sh |  4 +-
 docker-compose.yml                          |  3 +-
 generate_config.sh                          |  7 ----
 update.sh                                   | 44 ++++++++++-----------
 5 files changed, 25 insertions(+), 47 deletions(-)

diff --git a/data/Dockerfiles/acme/acme.sh b/data/Dockerfiles/acme/acme.sh
index a6766efd0..15b757ff9 100755
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -159,18 +159,6 @@ while true; do
   fi
   if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
     log_f "Generating missing Lets Encrypt account key..."
-    if [[ ! -z ${ACME_CONTACT} ]]; then
-      if ! verify_email "${ACME_CONTACT}"; then
-        log_f "Invalid email address, will not start registration!"
-        sleep 365d
-        exec $(readlink -f "$0")
-      else
-        ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
-        log_f "Valid email address, using ${ACME_CONTACT} for registration"
-      fi
-    else
-      ACME_CONTACT_PARAMETER=""
-    fi
     openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
   else
     log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
@@ -299,7 +287,7 @@ while true; do
     VALIDATED_CERTIFICATES+=("${CERT_NAME}")
 
     # obtain server certificate if required
-    ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
+    DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
     RETURN="$?"
     if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
       CERT_AMOUNT_CHANGED=1
diff --git a/data/Dockerfiles/acme/obtain-certificate.sh b/data/Dockerfiles/acme/obtain-certificate.sh
index 16c4e2588..f476bf666 100644
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@@ -93,8 +93,8 @@ until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
   sleep 2
 done
 log_f "Resolver OK"
-log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
-ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
+log_f "Using command acme-tiny ${DIRECTORY_URL} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
+ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
   --account-key ${ACME_BASE}/acme/account.pem \
   --disable-check \
   --csr ${CSR} \
diff --git a/docker-compose.yml b/docker-compose.yml
index a67475316..edc2b10ff 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -440,12 +440,11 @@ services:
           condition: service_started
         unbound-mailcow:
           condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.92
+      image: ghcr.io/mailcow/acme:1.93
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
         - LOG_LINES=${LOG_LINES:-9999}
-        - ACME_CONTACT=${ACME_CONTACT:-}
         - ADDITIONAL_SAN=${ADDITIONAL_SAN}
         - AUTODISCOVER_SAN=${AUTODISCOVER_SAN:-y}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
diff --git a/generate_config.sh b/generate_config.sh
index c4396a9ce..61b72109c 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -498,13 +498,6 @@ DOVECOT_MASTER_USER=
 # LEAVE EMPTY IF UNSURE
 DOVECOT_MASTER_PASS=
 
-# Let's Encrypt registration contact information
-# Optional: Leave empty for none
-# This value is only used on first order!
-# Setting it at a later point will require the following steps:
-# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
-ACME_CONTACT=
-
 # WebAuthn device manufacturer verification
 # After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
 # root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
diff --git a/update.sh b/update.sh
index e4e88afb3..2c6cbaff2 100755
--- a/update.sh
+++ b/update.sh
@@ -353,7 +353,6 @@ adapt_new_options() {
   "DOVECOT_MASTER_PASS"
   "MAILCOW_PASS_SCHEME"
   "ADDITIONAL_SERVER_NAMES"
-  "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
   "WEBAUTHN_ONLY_TRUSTED_VENDORS"
   "SPAMHAUS_DQS_KEY"
@@ -599,16 +598,6 @@ adapt_new_options() {
         echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
         echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
       fi
-    elif [[ ${option} == "ACME_CONTACT" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Lets Encrypt registration contact information' >> mailcow.conf
-        echo '# Optional: Leave empty for none' >> mailcow.conf
-        echo '# This value is only used on first order!' >> mailcow.conf
-        echo '# Setting it at a later point will require the following steps:' >> mailcow.conf
-        echo '# https://docs.mailcow.email/troubleshooting/debug-reset_tls/' >> mailcow.conf
-        echo 'ACME_CONTACT=' >> mailcow.conf
-      fi
     elif [[ ${option} == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then
       if ! grep -q ${option} mailcow.conf; then
         echo "Adding new option \"${option}\" to mailcow.conf"
@@ -761,6 +750,26 @@ detect_major_update() {
   fi
 }
 
+remove_obsolete_options() {
+  OBSOLETE_OPTIONS=(
+    "ACME_CONTACT"
+  )
+
+  for option in "${OBSOLETE_OPTIONS[@]}"; do
+    if [[ "$option" == "ACME_CONTACT" ]]; then
+      sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf
+      sed -i '/^# Optional: Leave empty for none/d' mailcow.conf
+      sed -i '/^# This value is only used on first order!/d' mailcow.conf
+      sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf
+      sed -i '/^# https:\/\/docs.mailcow.email\/troubleshooting\/debug-reset_tls\//d' mailcow.conf
+      sed -i '/^ACME_CONTACT=.*/d' mailcow.conf
+      sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf
+    else
+      sed -i "/^${option}=.*/d" mailcow.conf
+      sed -i "/^#${option}=.*/d" mailcow.conf
+    fi
+  done
+}
 ############## End Function Section ##############
 
 # Check permissions
@@ -996,7 +1005,6 @@ CONFIG_ARRAY=(
   "DOVECOT_MASTER_PASS"
   "MAILCOW_PASS_SCHEME"
   "ADDITIONAL_SERVER_NAMES"
-  "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
   "WEBAUTHN_ONLY_TRUSTED_VENDORS"
   "SPAMHAUS_DQS_KEY"
@@ -1232,17 +1240,6 @@ for option in "${CONFIG_ARRAY[@]}"; do
       echo '# in the reverse proxy.' >> mailcow.conf
       echo 'AUTODISCOVER_SAN=y' >> mailcow.conf
     fi
-
-  elif [[ "${option}" == "ACME_CONTACT" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Lets Encrypt registration contact information' >> mailcow.conf
-      echo '# Optional: Leave empty for none' >> mailcow.conf
-      echo '# This value is only used on first order!' >> mailcow.conf
-      echo '# Setting it at a later point will require the following steps:' >> mailcow.conf
-      echo '# https://docs.mailcow.email/troubleshooting/debug-reset_tls/' >> mailcow.conf
-      echo 'ACME_CONTACT=' >> mailcow.conf
-    fi
   elif [[ "${option}" == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then
     if ! grep -q "${option}" mailcow.conf; then
       echo "Adding new option \"${option}\" to mailcow.conf"
@@ -1488,6 +1485,7 @@ done
 [[ -f data/conf/nginx/ZZZ-ejabberd.conf ]] && rm data/conf/nginx/ZZZ-ejabberd.conf
 migrate_solr_config_options
 adapt_new_options
+remove_obsolete_options
 
 # Silently fixing remote url from andryyy to mailcow
 # git remote set-url origin https://github.com/mailcow/mailcow-dockerized

From b12ce1eacd6ae74c9eb3d1570c8cbc79a7a7a174 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Wed, 2 Jul 2025 17:12:06 +0200
Subject: [PATCH 272/378] update postscreen_access.cidr (#6611)

---
 data/conf/postfix/postscreen_access.cidr | 38 ++++++++++++++++++------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 57425e5df..259bd062b 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Sun Jun  1 00:24:21 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Tue Jul  1 00:22:55 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2132 total rules
+# 2105 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -19,6 +19,7 @@
 2c0f:fb50:4000::/36	permit
 2.207.151.53	permit
 2.207.217.30	permit
+3.64.237.68	permit
 3.65.3.180	permit
 3.70.123.177	permit
 3.72.182.33	permit
@@ -41,7 +42,7 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.246.38	permit
+13.107.246.51	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -64,9 +65,11 @@
 18.156.89.250	permit
 18.156.205.64	permit
 18.157.243.190	permit
+18.158.153.154	permit
 18.194.95.56	permit
 18.197.217.180	permit
 18.198.96.88	permit
+18.199.210.3	permit
 18.207.52.234	permit
 18.208.124.128/25	permit
 18.216.232.154	permit
@@ -144,15 +147,22 @@
 34.141.160.224	permit
 34.193.58.168	permit
 34.195.217.107	permit
+34.197.10.50	permit
+34.197.254.9	permit
+34.198.94.229	permit
+34.198.218.121	permit
 34.212.163.75	permit
 34.215.104.144	permit
+34.218.115.239	permit
 34.218.116.3	permit
 34.225.212.172	permit
+35.83.148.184	permit
+35.155.198.111	permit
 35.158.23.94	permit
 35.161.32.253	permit
+35.162.73.231	permit
 35.167.93.243	permit
 35.176.132.251	permit
-35.191.0.0/16	permit
 35.205.92.9	permit
 35.228.216.85	permit
 35.242.169.159	permit
@@ -169,6 +179,7 @@
 40.233.83.78	permit
 40.233.88.28	permit
 44.206.138.57	permit
+44.210.169.44	permit
 44.217.45.156	permit
 44.236.56.93	permit
 44.238.220.251	permit
@@ -228,6 +239,7 @@
 46.243.88.177	permit
 46.243.95.179	permit
 46.243.95.180	permit
+50.16.246.183	permit
 50.18.45.249	permit
 50.18.121.236	permit
 50.18.121.248	permit
@@ -241,18 +253,23 @@
 50.56.130.220	permit
 50.56.130.221	permit
 50.56.130.222	permit
+50.112.246.219	permit
 52.1.14.157	permit
 52.5.230.59	permit
+52.12.53.23	permit
 52.13.214.179	permit
 52.26.1.71	permit
 52.27.5.72	permit
 52.27.28.47	permit
 52.28.63.81	permit
+52.28.197.132	permit
 52.34.181.151	permit
+52.35.192.45	permit
 52.36.138.31	permit
 52.37.142.146	permit
 52.42.203.116	permit
 52.50.24.208	permit
+52.57.120.243	permit
 52.58.216.183	permit
 52.59.143.3	permit
 52.60.41.5	permit
@@ -295,6 +312,7 @@
 54.174.63.0/24	permit
 54.186.193.102	permit
 54.191.223.56	permit
+54.211.126.101	permit
 54.213.20.246	permit
 54.214.39.184	permit
 54.240.0.0/18	permit
@@ -320,6 +338,8 @@
 63.143.57.128/25	permit
 63.143.59.128/25	permit
 63.176.194.123	permit
+63.178.132.221	permit
+63.178.143.178	permit
 64.18.0.0/20	permit
 64.20.241.45	permit
 64.69.212.0/24	permit
@@ -388,8 +408,8 @@
 65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
+66.102.0.0/21	permit
 66.119.150.192/26	permit
-66.162.193.226/31	permit
 66.163.184.0/24	permit
 66.163.185.0/24	permit
 66.163.186.0/24	permit
@@ -595,7 +615,6 @@
 74.86.241.250/31	permit
 74.112.67.243	permit
 74.125.0.0/16	permit
-74.202.227.40	permit
 74.208.4.200	permit
 74.208.4.201	permit
 74.208.4.220	permit
@@ -1402,7 +1421,6 @@
 129.213.195.191	permit
 130.61.9.72	permit
 130.162.39.83	permit
-130.211.0.0/22	permit
 130.248.172.0/24	permit
 130.248.173.0/24	permit
 131.253.30.0/24	permit
@@ -1593,6 +1611,7 @@
 168.138.5.36	permit
 168.138.73.51	permit
 168.138.77.31	permit
+168.138.237.153	permit
 168.245.0.0/17	permit
 168.245.12.252	permit
 168.245.46.9	permit
@@ -1846,11 +1865,11 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
-204.141.32.0/23	permit
-204.141.42.0/23	permit
+204.216.164.202	permit
 204.220.160.0/21	permit
 204.220.168.0/21	permit
 204.220.176.0/20	permit
+204.220.181.105	permit
 204.232.168.0/24	permit
 205.139.110.0/24	permit
 205.201.128.0/20	permit
@@ -2030,6 +2049,7 @@
 216.17.150.242	permit
 216.17.150.251	permit
 216.24.224.0/20	permit
+216.27.86.152/31	permit
 216.39.60.154/31	permit
 216.39.60.156/30	permit
 216.39.60.160/30	permit

From fc43c26c4852d741311a867cf5aa39ae58b77a14 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Thu, 3 Jul 2025 12:38:28 +0200
Subject: [PATCH 273/378] Remove obsolete ACME_CONTACT option and related
 comments from mailcow.conf

---
 update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/update.sh b/update.sh
index 2c6cbaff2..b7d22bf8a 100755
--- a/update.sh
+++ b/update.sh
@@ -758,6 +758,7 @@ remove_obsolete_options() {
   for option in "${OBSOLETE_OPTIONS[@]}"; do
     if [[ "$option" == "ACME_CONTACT" ]]; then
       sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf
+      sed -i "/^# Let's Encrypt registration contact information/d" mailcow.conf
       sed -i '/^# Optional: Leave empty for none/d' mailcow.conf
       sed -i '/^# This value is only used on first order!/d' mailcow.conf
       sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf

From d5b30a7a0870ba14377ab02e143ec25d3c2b1c6d Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sun, 6 Jul 2025 16:42:58 +0200
Subject: [PATCH 274/378] [Web] Updated lang.pt-pt.json (#6622)

Co-authored-by: luiscanato <luiscanato@gmail.com>
---
 data/web/lang/lang.pt-pt.json | 50 +++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 8 deletions(-)

diff --git a/data/web/lang/lang.pt-pt.json b/data/web/lang/lang.pt-pt.json
index fafb957c9..e86391fa7 100644
--- a/data/web/lang/lang.pt-pt.json
+++ b/data/web/lang/lang.pt-pt.json
@@ -39,7 +39,8 @@
         "subscribeall": "Subscrever todas as pastas",
         "syncjob": "Adicionar sincronização",
         "validate": "Validar",
-        "validation_success": "Validado com sucesso"
+        "validation_success": "Validado com sucesso",
+        "app_passwd_protocols": "Protocolos permitidos para senha de aplicação"
     },
     "admin": {
         "access": "Acessos",
@@ -106,7 +107,11 @@
         "from": "De",
         "generate": "gerar",
         "html": "HTML",
-        "iam_import_users": "Importar Utilizadores"
+        "iam_import_users": "Importar Utilizadores",
+        "ui_header_announcement_content": "Texto (HTML permitido)",
+        "ui_footer": "Rodapé (HTML permitido)",
+        "activate_send": "Ativar botão de envio",
+        "help_text": "Anular texto de ajuda abaixo da máscara de login (HTML permitido)"
     },
     "danger": {
         "access_denied": "Acesso negado ou dados inválidos",
@@ -145,7 +150,10 @@
         "target_domain_invalid": "O endereço de Domínio Destino é inválido",
         "targetd_not_found": "Domínio de Destino não encontrado",
         "username_invalid": "Nome de utilizador inválido",
-        "validity_missing": "Você deve definir um período de validade"
+        "validity_missing": "Você deve definir um período de validade",
+        "comment_too_long": "Comentário demasiado longo, máximo 160 chars permitidos",
+        "ip_list_empty": "Lista de IPs permitidos não pode estar vazia",
+        "last_key": "A última tecla não pode ser apagada, por favor desactivar a TFA."
     },
     "edit": {
         "active": "Ativo",
@@ -177,7 +185,9 @@
         "target_domain": "Domínio de Destino:",
         "title": "Editar dos Objetos",
         "unchanged_if_empty": "Deixar em branco para não modificar",
-        "username": "Administrador"
+        "username": "Administrador",
+        "app_passwd_protocols": "Protocolos permitidos para palavra-passe de aplicação",
+        "allowed_protocols": "Protocolos permitidos para acesso direto do utilizador (não afeta os protocolos de palavra-passe da aplicação)"
     },
     "footer": {
         "loading": "Aguarde..."
@@ -234,11 +244,15 @@
         "target_domain": "Domínio Destino",
         "tls_enforce_in": "Forçar TLS na entrada",
         "tls_enforce_out": "Forçar TLS na saída",
-        "username": "Utilizador"
+        "username": "Utilizador",
+        "allowed_protocols": "Protocolos permitidos",
+        "activate": "Ativar",
+        "deactivate": "Desativar"
     },
     "quarantine": {
         "action": "Ação",
-        "remove": "Remover"
+        "remove": "Remover",
+        "check_hash": "Pesquisar hash de ficheiro @ VT"
     },
     "queue": {
         "queue_manager": "Queue Manager"
@@ -317,11 +331,31 @@
         "user_settings": "Configurações do utilizador",
         "username": "Administrador",
         "week": "Semana",
-        "weeks": "Semanas"
+        "weeks": "Semanas",
+        "aliases_also_send_as": "Também autorizado a enviar como utilizador",
+        "app_hint": "As senhas de aplicação são senhas alternativas para o seu login IMAP, SMTP, CalDAV, CardDAV e EAS. O nome de utilizador permanece inalterado. O webmail SOGo não está disponível através de passwords de aplicação.",
+        "allowed_protocols": "Protocolos permitidos"
     },
     "acl": {
         "tls_policy": "Política de TLS",
         "quarantine_attachments": "Anexos de quarentena",
-        "filters": "Filtros"
+        "filters": "Filtros",
+        "smtp_ip_access": "Mudar anfitriões permitidos para SMTP"
+    },
+    "warning": {
+        "no_active_admin": "Não é possível desactivar o último administrador activo"
+    },
+    "tfa": {
+        "u2f_deprecated": "Parece que a sua chave foi registada usando o método U2F depreciado. Desactivaremos dois factores-autenticação para si e apagaremos a sua Chave.",
+        "none": "Desativar"
+    },
+    "datatables": {
+        "search": "Procurar:",
+        "info": "A mostrar _START_ a _END_ de _TOTAL_ entradas",
+        "infoEmpty": "A mostrar 0 a 0 de 0 entradas",
+        "aria": {
+            "sortAscending": ": activar para ordenar a coluna ascendente",
+            "sortDescending": ": activar para ordenar a coluna descendente"
+        }
     }
 }

From 4c7a9ed1953e986ee76dc68a74a78d18414bd053 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sun, 13 Jul 2025 16:20:40 +0200
Subject: [PATCH 275/378] Translations update from Weblate (#6629)

* [Web] Updated lang.fr-fr.json

Co-authored-by: Tagada <githubtagada@cant.at>

* [Web] Updated lang.pl-pl.json

Co-authored-by: robsonek <admin@licytant.pl>

---------

Co-authored-by: Tagada <githubtagada@cant.at>
Co-authored-by: robsonek <admin@licytant.pl>
---
 data/web/lang/lang.fr-fr.json | 3 ++-
 data/web/lang/lang.pl-pl.json | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/data/web/lang/lang.fr-fr.json b/data/web/lang/lang.fr-fr.json
index 313d6663c..07ac641b8 100644
--- a/data/web/lang/lang.fr-fr.json
+++ b/data/web/lang/lang.fr-fr.json
@@ -406,7 +406,8 @@
         "iam_extra_permission": "Pour que les paramètres suivants fonctionnent, le client mailcow dans Keycloak a besoin d'un <code>Compte de service</code> et de l'autorisation de <code>voir les utilisateurs</code>.",
         "iam_host": "Hôte",
         "iam_host_info": "Saisissez un ou plusieurs hôtes LDAP, séparés par des virgules.",
-        "iam_import_users": "Importer des utilisateurs"
+        "iam_import_users": "Importer des utilisateurs",
+        "filter": "Filtrer"
     },
     "danger": {
         "access_denied": "Accès refusé ou données de formulaire non valides",
diff --git a/data/web/lang/lang.pl-pl.json b/data/web/lang/lang.pl-pl.json
index 521c17779..02c892c64 100644
--- a/data/web/lang/lang.pl-pl.json
+++ b/data/web/lang/lang.pl-pl.json
@@ -2,7 +2,8 @@
     "acl": {
         "sogo_profile_reset": "Usuń profil SOGo (webmail)",
         "syncjobs": "Polecenie synchronizacji",
-        "alias_domains": "Dodaj aliasy domen"
+        "alias_domains": "Dodaj aliasy domen",
+        "delimiter_action": "Akcja oparta na separatorze"
     },
     "add": {
         "active": "Aktywny",
@@ -430,4 +431,4 @@
         "weekly": "Co tydzień",
         "weeks": "Tygodnie"
     }
-}
\ No newline at end of file
+}

From 1e5fcfe3922a4eeb755f0c2a218ea948820e0101 Mon Sep 17 00:00:00 2001
From: Peter <magic@kthx.at>
Date: Wed, 16 Jul 2025 09:29:35 +0200
Subject: [PATCH 276/378] Bulgarian language added (#6623)

---
 data/web/inc/vars.inc.php     |    1 +
 data/web/lang/lang.bg-bg.json | 1398 ++++++++++++++++++++++++++++++++-
 2 files changed, 1398 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 62197e54a..802a41f95 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -83,6 +83,7 @@ $DEFAULT_LANG = 'en-gb';
 // https://en.wikipedia.org/wiki/IETF_language_tag
 $AVAILABLE_LANGUAGES = array(
   // 'ca-es' => 'Català (Catalan)',
+  'bg-bg' => 'Български (Bulgarian)',
   'cs-cz' => 'Čeština (Czech)',
   'da-dk' => 'Danish (Dansk)',
   'de-de' => 'Deutsch (German)',
diff --git a/data/web/lang/lang.bg-bg.json b/data/web/lang/lang.bg-bg.json
index 0967ef424..0d8632859 100644
--- a/data/web/lang/lang.bg-bg.json
+++ b/data/web/lang/lang.bg-bg.json
@@ -1 +1,1397 @@
-{}
+{
+  "acl": {
+    "alias_domains": "Добавяне на домейни за псевдоними",
+    "app_passwds": "Управление на пароли за приложения",
+    "bcc_maps": "BCC карти",
+    "delimiter_action": "Действие на разделител",
+    "domain_desc": "Промяна на описанието на домейна",
+    "domain_relayhost": "Промяна на релеен хост за домейн",
+    "eas_reset": "Нулиране на устройствата с ActiveSync",
+    "extend_sender_acl": "Разрешаване на разширяване на ACL на изпращащите от външни адреси",
+    "filters": "Филтри",
+    "login_as": "Вход като потребител на пощенска кутия",
+    "mailbox_relayhost": "Промяна на релеен хост за пощенска кутия",
+    "prohibited": "Забранено от ACL",
+    "protocol_access": "Промяна на достъпа до протоколи",
+    "pushover": "Pushover",
+    "pw_reset": "Разрешаване на нулиране на паролата на потребител на mailcow",
+    "quarantine": "Действия с карантина",
+    "quarantine_attachments": "Прикачени файлове в карантина",
+    "quarantine_category": "Промяна на категорията на уведомленията за карантина",
+    "quarantine_notification": "Промяна на уведомленията за карантина",
+    "ratelimit": "Ограничение на скоростта",
+    "recipient_maps": "Карти на получатели",
+    "smtp_ip_access": "Промяна на разрешените хостове за SMTP",
+    "sogo_access": "Разрешаване на управление на достъпа до SOGo",
+    "sogo_profile_reset": "Нулиране на профила на SOGo",
+    "spam_alias": "Временни псевдоними",
+    "spam_policy": "Черен/Бял списък",
+    "spam_score": "Резултат за спам",
+    "syncjobs": "Синхронизиращи задачи",
+    "tls_policy": "Политика за TLS",
+    "unlimited_quota": "Неограничена квота за пощенски кутии"
+  },
+  "add": {
+    "activate_filter_warn": "Всички други филтри ще бъдат деактивирани, когато активното е отбелязано.",
+    "active": "Активен",
+    "add": "Добавяне",
+    "add_domain_only": "Добавяне само на домейн",
+    "add_domain_restart": "Добавяне на домейн и рестартиране на SOGo",
+    "alias_address": "Адрес/и за псевдоним",
+    "alias_address_info": "<small>Пълни имейл адреси или @example.com, за да хванете всички съобщения за домейн (разделени с запетая). <b>само домейни на mailcow</b>.</small>",
+    "alias_domain": "Домейн за псевдоним",
+    "alias_domain_info": "<small>Валидни имена на домейни (разделени с запетая).</small>",
+    "app_name": "Име на приложението",
+    "app_password": "Добавяне на парола за приложение",
+    "app_passwd_protocols": "Разрешени протоколи за паролата на приложението",
+    "automap": "Опит за автоматично картографиране на папки (\"Изпратени\", \"Изпратени\" => \"Изпратени\" и т.н.)",
+    "backup_mx_options": "Опции за реле",
+    "bcc_dest_format": "BCC дестинацията трябва да бъде един валиден имейл адрес.<br>Ако имате нужда да изпратите копие до множество адреси, създайте псевдоним и го използвайте тук.",
+    "comment_info": "Частен коментар не е видим за потребителя, докато публичен коментар се показва като подсказка при преминаване с мишката върху него в прегледа на потребителя",
+    "custom_params": "Персонализирани параметри",
+    "custom_params_hint": "Дясно: --param=xy, грешно: --param xy",
+    "delete1": "Изтриване от източника след завършване",
+    "delete2": "Изтриване на съобщенията в дестинацията, които не са в източника",
+    "delete2duplicates": "Изтриване на дубликати в дестинацията",
+    "description": "Описание",
+    "destination": "Дестинация",
+    "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
+    "domain": "Домейн",
+    "domain_matches_hostname": "Домейнът %s съвпада с името на хоста",
+    "domain_quota_m": "Обща квота на домейна (MiB)",
+    "dry": "Симулиране на синхронизация",
+    "enc_method": "Метод на криптиране",
+    "exclude": "Изключване на обекти (regex)",
+    "full_name": "Пълно име",
+    "gal": "Глобален адресен списък",
+    "gal_info": "Глобалният адресен списък съдържа всички обекти на домейна и не може да бъде редактиран от нито един потребител. Липсва информация за заетост/свободно време в SOGo, ако е деактивирано! <b>Рестартирайте SOGo, за да приложите промените.</b>",
+    "generate": "генериране",
+    "goto_ham": "Учен като <span class=\"text-success\"><b>не е спам</b></span>",
+    "goto_null": "Тихо изхвърляне на имейла",
+    "goto_spam": "Учен като <span class=\"text-danger\"><b>спам</b></span>",
+    "hostname": "Хост",
+    "inactive": "Неактивен",
+    "kind": "Вид",
+    "mailbox_quota_def": "Квота по подразбиране за пощенска кутия",
+    "mailbox_quota_m": "Макс. квота за пощенска кутия (MiB)",
+    "mailbox_username": "Потребителско име (лява част на имейл адрес)",
+    "max_aliases": "Макс. възможни псевдоними",
+    "max_mailboxes": "Макс. възможни пощенски кутии",
+    "mins_interval": "Интервал за проверка (минути)",
+    "multiple_bookings": "Множествени резервации",
+    "nexthop": "Следващ хоп",
+    "password": "Парола",
+    "password_repeat": "Потвърждаване на паролата (повторете)",
+    "port": "Порт",
+    "post_domain_add": "След добавянето на нов домейн, контейнерът на SOGo, \"sogo-mailcow\", трябва да бъде рестартиран!<br><br>Освен това, конфигурацията на DNS на домейна трябва да бъде прегледана. След като конфигурацията на DNS бъде одобрена, рестартирайте \"acme-mailcow\", за да генерирате автоматично сертификати за вашия нов домейн (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Тази стъпка е опционална и ще бъде повторена всеки 24 часа.",
+    "private_comment": "Частен коментар",
+    "public_comment": "Публичен коментар",
+    "quota_mb": "Квота (MiB)",
+    "relay_all": "Реле на всички получатели",
+    "relay_all_info": "↪ Ако изберете да <b>не</b> релеирате всички получатели, ще трябва да добавите (\"скрита\") пощенска кутия за всеки отделен получател, който трябва да бъде релеиран.",
+    "relay_domain": "Реле на този домейн",
+    "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Инфо</div> Можете да дефинирате транспортни карти за персонализирана дестинация за този домейн. Ако не е зададено, ще бъде направен MX lookup.",
+    "relay_unknown_only": "Реле на несъществуващи пощенски кутии. Съществуващите пощенски кутии ще бъдат доставени локално.",
+    "relayhost_wrapped_tls_info": "Моля, <b>не</b> използвайте TLS-wrapped портове (най-често използвани на порт 465).<br>\r\nИзползвайте всеки не-wrapped порт и издайте STARTTLS. Политика за TLS може да бъде създадена в \"TLS политики\", за да се наложи TLS.",
+    "select": "Моля, изберете...",
+    "select_domain": "Моля, изберете първо домейн",
+    "sieve_desc": "Кратко описание",
+    "sieve_type": "Тип на филтър",
+    "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
+    "subscribeall": "Абониране за всички папки",
+    "syncjob": "Добавяне на синхронизираща задача",
+    "syncjob_hint": "Имайте предвид, че паролите трябва да бъдат запазени като обикновен текст!",
+    "tags": "Тагове",
+    "target_address": "Адреси за пренасочване",
+    "target_address_info": "<small>Пълни имейл адреси (разделени с запетая).</small>",
+    "target_domain": "Целеви домейн",
+    "timeout1": "Таймаут за връзка с отдалечен хост",
+    "timeout2": "Таймаут за връзка с локален хост",
+    "username": "Потребителско име",
+    "validate": "Валидиране",
+    "validation_success": "Успешно валидиране"
+  },
+  "admin": {
+    "access": "Достъп",
+    "action": "Действие",
+    "activate_api": "Активиране на API",
+    "activate_send": "Активиране на бутона за изпращане",
+    "active": "Активен",
+    "active_rspamd_settings_map": "Активна карта с настройки",
+    "add": "Добавяне",
+    "add_admin": "Добавяне на администратор",
+    "add_domain_admin": "Добавяне на администратор на домейн",
+    "add_forwarding_host": "Добавяне на хост за препращане",
+    "add_relayhost": "Добавяне на транспорт, зависим от изпращач",
+    "add_relayhost_hint": "Имайте предвид, че данните за удостоверяване, ако има такива, ще бъдат запазени като обикновен текст.",
+    "add_row": "Добавяне на ред",
+    "add_settings_rule": "Добавяне на правило за настройки",
+    "add_transport": "Добавяне на транспорт",
+    "add_transports_hint": "Имайте предвид, че данните за удостоверяване, ако има такива, ще бъдат запазени като обикновен текст.",
+    "additional_rows": "добавени допълнителни редове",
+    "admin": "Администратор",
+    "admin_details": "Редактиране на детайлите на администратора",
+    "admin_domains": "Назначения на домейни",
+    "admins": "Администратори",
+    "admins_ldap": "LDAP администратори",
+    "advanced_settings": "Разширени настройки",
+    "allowed_methods": "Access-Control-Allow-Methods",
+    "allowed_origins": "Access-Control-Allow-Origin",
+    "api_allow_from": "Разрешаване на API достъп от тези IP адреси/CIDR мрежови нотации",
+    "api_info": "API е в процес на разработка. Документацията може да бъде намерена на <a href=\"/api\">/api</a>",
+    "api_key": "API ключ",
+    "api_read_only": "Достъп само за четене",
+    "api_read_write": "Достъп за четене и писане",
+    "api_skip_ip_check": "Пропускане на IP проверка за API",
+    "app_hide": "Скриване за вход",
+    "app_links": "Връзки към приложения",
+    "app_name": "Име на приложението",
+    "apps_name": "Име на \"mailcow приложенията\"",
+    "arrival_time": "Време на пристигане (време на сървъра)",
+    "authed_user": "Удостоверен потребител",
+    "ays": "Сигурни ли сте, че искате да продължите?",
+    "ban_list_info": "Вижте списък с блокирани IP адреси по-долу: <b>мрежа (оставащо време за блокиране) - [действия]</b>.<br />IP адресите в опашката за разблокиране ще бъдат премахнати от активния списък с блокирани в рамките на няколко секунди.<br />Червените етикети показват активни постоянни блокирания от черния списък.",
+    "change_logo": "Промяна на логото",
+    "logo_normal_label": "Нормално",
+    "logo_dark_label": "Обърнато за тъмен режим",
+    "configuration": "Конфигурация",
+    "convert_html_to_text": "Конвертиране на HTML в обикновен текст",
+    "copy_to_clipboard": "Текстът е копиран в клипборда!",
+    "cors_settings": "Настройки на CORS",
+    "credentials_transport_warning": "<b>Внимание</b>: Добавянето на нов запис в картата на транспорта ще обнови данните за удостоверяване за всички записи с съвпадаща колона за следващ хоп.",
+    "customer_id": "Идентификатор на клиента",
+    "customize": "Персонализиране",
+    "destination": "Дестинация",
+    "dkim_add_key": "Добавяне на ARC/DKIM ключ",
+    "dkim_domains_selector": "Селектор",
+    "dkim_domains_wo_keys": "Избор на домейни без ключове",
+    "dkim_from": "От",
+    "dkim_from_title": "Източник на домейн за копиране на данни",
+    "dkim_key_length": "Дължина на DKIM ключа (битове)",
+    "dkim_key_missing": "Липсващ ключ",
+    "dkim_key_unused": "Неизползван ключ",
+    "dkim_key_valid": "Валиден ключ",
+    "dkim_keys": "ARC/DKIM ключове",
+    "dkim_overwrite_key": "Презаписване на съществуващ DKIM ключ",
+    "dkim_private_key": "Частен ключ",
+    "dkim_to": "До",
+    "dkim_to_title": "Целеви домейн/и - ще бъде презаписан",
+    "domain": "Домейн",
+    "domain_admin": "Администратор на домейн",
+    "domain_admins": "Администратори на домейн",
+    "domain_s": "Домейн/и",
+    "duplicate": "Дублиране",
+    "duplicate_dkim": "Дублиране на DKIM запис",
+    "edit": "Редактиране",
+    "empty": "Няма резултати",
+    "excludes": "Изключване на тези получатели",
+    "f2b_ban_time": "Време за блокиране (с)",
+    "f2b_ban_time_increment": "Времето за блокиране се увеличава с всяко блокиране",
+    "f2b_blacklist": "Черни списъци/хостове",
+    "f2b_filter": "Филтри с регулярни изрази",
+    "f2b_list_info": "Черният списък на хостове или мрежи винаги ще надделява над белия списък. <b>Актуализациите на списъка отнемат няколко секунди, за да бъдат приложени.</b>",
+    "f2b_manage_external": "Управление на Fail2Ban външно",
+    "f2b_manage_external_info": "Fail2ban все още ще поддържа черния списък, но няма да задава правила за блокиране на трафика. Използвайте генерирания черн списък по-долу, за да блокирате трафика външно.",
+    "f2b_max_attempts": "Макс. опити",
+    "f2b_max_ban_time": "Макс. време за блокиране (с)",
+    "f2b_netban_ipv4": "IPv4 размер на подмрежа за прилагане на блокиране (8-32)",
+    "f2b_netban_ipv6": "IPv6 размер на подмрежа за прилагане на блокиране (8-128)",
+    "f2b_parameters": "Параметри на Fail2ban",
+    "f2b_regex_info": "Логовете, които се вземат предвид: SOGo, Postfix, Dovecot, PHP-FPM.",
+    "f2b_retry_window": "Прозорец за повторен опит (с) за макс. опити",
+    "f2b_whitelist": "Бели списъци/хостове",
+    "filter": "Филтър",
+    "filter_table": "Таблица с филтри",
+    "forwarding_hosts": "Хостове за препращане",
+    "forwarding_hosts_add_hint": "Можете да посочите IPv4/IPv6 адреси, мрежи в CIDR нотация, имена на хостове (които ще бъдат разрешени в IP адреси), или имена на домейни (които ще бъдат разрешени в IP адреси чрез заявки към SPF записи или, при липсата им, MX записи).",
+    "forwarding_hosts_hint": "Входящите съобщения се приемат безрезервно от всички хостове, изброени тук. Тези хостове след това не се проверяват срещу DNSBL или подлагат на сиво списък. Спамът, получен от тях, никога не се отхвърля, но опционално може да бъде поставен във файла за нежелана поща. Най-често използваната употреба за това е да се посочат пощенски сървъри, на които сте настроили правило, което препраща входящите имейли към вашия mailcow сървър.",
+    "from": "От",
+    "generate": "генериране",
+    "guid": "GUID - уникален инстанционен идентификатор",
+    "guid_and_license": "GUID & Лиценз",
+    "hash_remove_info": "Премахването на хеш за ограничение на скоростта (ако все още съществува) ще нулира неговия брояч напълно.<br>\r\nВсеки хеш е показан с индивидуален цвят.",
+    "help_text": "Презаписване на помощния текст под маската за вход (разрешен е HTML)",
+    "host": "Хост",
+    "html": "HTML",
+    "iam": "Доставчик на идентичност",
+    "iam_attribute_field": "Поле за атрибут",
+    "iam_authorize_url": "Крайна точка за удостоверяване",
+    "iam_auth_flow": "Поток за удостоверяване",
+    "iam_auth_flow_info": "Освен стандартния поток за удостоверяване (поток с код за удостоверяване в Keycloak), който се използва за единичен вход, mailcow поддържа и поток за удостоверяване с пряки удостоверения. Потокът за удостоверяване с пароли за поща проверява удостоверенията на потребителя, като използва Keycloak Admin REST API. mailcow извлича хешираната парола от атрибута <code>mailcow_password</code>, който е картиран в Keycloak.",
+    "iam_basedn": "Основен DN",
+    "iam_client_id": "Идентификатор на клиента",
+    "iam_client_secret": "Тайна на клиента",
+    "iam_client_scopes": "Обхват на клиента",
+    "iam_default_template": "Шаблон по подразбиране",
+    "iam_default_template_description": "Ако няма зададен шаблон за потребител, шаблонът по подразбиране ще бъде използван за създаване на пощенската кутия, но не и за актуализиране на пощенската кутия.",
+    "iam_description": "Конфигуриране на външен доставчик за удостоверяване<br>Потребителските пощенски кутии ще бъдат създавани автоматично при първия им вход, при условие че е зададено картиране на атрибути.",
+    "iam_extra_permission": "За да работят следните настройки, клиентът на mailcow в Keycloak трябва да има <code>услуга акаунт</code> и разрешението да <code>вижда потребители</code>.",
+    "iam_host": "Хост",
+    "iam_host_info": "Въведете един или повече LDAP хостове, разделени с запетаи.",
+    "iam_import_users": "Импортиране на потребители",
+    "iam_mapping": "Картиране на атрибути",
+    "iam_bindpass": "Парола за свързване",
+    "iam_periodic_full_sync": "Периодичен пълен синхрон",
+    "iam_port": "Порт",
+    "iam_realm": "Реалм",
+    "iam_redirect_url": "URL за пренасочване",
+    "iam_rest_flow": "Поток за пароли за поща",
+    "iam_server_url": "URL на сървъра",
+    "iam_sso": "Единичен вход",
+    "iam_sync_interval": "Интервал за синхронизиране/импортиране (мин)",
+    "iam_test_connection": "Тест на връзката",
+    "iam_token_url": "Крайна точка за токени",
+    "iam_userinfo_url": "Крайна точка за информация за потребителя",
+    "iam_username_field": "Поле за потребителско име",
+    "iam_binddn": "DN за свързване",
+    "iam_use_ssl": "Използване на SSL",
+    "iam_use_ssl_info": "Ако активирате SSL и портът е зададен на 389, той ще бъде автоматично променен на 636.",
+    "iam_use_tls": "Използване на StartTLS",
+    "iam_use_tls_info": "Ако активирате TLS, трябва да използвате стандартния порт за вашия LDAP сървър (389). SSL портовете не могат да бъдат използвани.",
+    "iam_version": "Версия",
+    "ignore_ssl_error": "Игнориране на SSL грешки",
+    "import": "Импортиране",
+    "import_private_key": "Импортиране на частен ключ",
+    "in_use_by": "Използван от",
+    "inactive": "Неактивен",
+    "include_exclude": "Включване/Изключване",
+    "include_exclude_info": "По подразбиране - без избор - <b>всички пощенски кутии</b> се адресират",
+    "includes": "Включване на тези получатели",
+    "ip_check": "Проверка на IP",
+    "ip_check_disabled": "Проверката на IP е деактивирана. Можете да я активирате в <br> <strong>Система > Конфигурация > Опции > Персонализиране</strong>",
+    "ip_check_opt_in": "Оптиране за използване на услугата на трета страна <strong>ipv4.mailcow.email</strong> и <strong>ipv6.mailcow.email</strong>, за да разрешавате външни IP адреси.",
+    "is_mx_based": "MX базиран",
+    "last_applied": "Последно приложено",
+    "license_info": "Лицензът не е задължителен, но помага за по-нататъшното развитие.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL поръчка\">Регистрирайте вашия GUID тук</a> или <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Поддръжка поръчка\">купете поддръжка за вашата инсталация на mailcow.</a>",
+    "link": "Връзка",
+    "loading": "Моля, изчакайте...",
+    "login_time": "Време за вход",
+    "logo_info": "Вашето изображение ще бъде мащабирано до височина 40 px за горната навигационна лента и макс. ширина 250 px за началната страница. Препоръчва се използването на скалируема графика.",
+    "lookup_mx": "Дестинацията е регулярен израз за съвпадение с MX име (<code>.*\\.google\\.com</code> за пренасочване на всички съобщения, предназначени за MX, завършващ на google.com, през този хоп)",
+    "main_name": "Име на \"mailcow UI\"",
+    "merged_vars_hint": "Редовете в сиво са сляти от <code>vars.(local.)inc.php</code> и не могат да бъдат променени.",
+    "message": "Съобщение",
+    "message_size": "Размер на съобщението",
+    "nexthop": "Следващ хоп",
+    "no": "&#10005;",
+    "no_active_bans": "Няма активни блокирания",
+    "no_new_rows": "Няма допълнителни редове",
+    "no_record": "Няма запис",
+    "oauth2_apps": "OAuth2 приложения",
+    "oauth2_add_client": "Добавяне на OAuth2 клиент",
+    "oauth2_client_id": "Идентификатор на клиента",
+    "oauth2_client_secret": "Тайна на клиента",
+    "oauth2_info": "Реализацията на OAuth2 поддържа типа разрешение \"Код за удостоверяване\" и издава токени за презареждане.<br>\r\nСървърът автоматично издава нови токени за презареждане, след като токен за презареждане е бил използван.<br><br>\r\n&#8226; Обхватът по подразбиране е <i>профил</i>. Само потребителите на пощенски кутии могат да бъдат удостоверени срещу OAuth2. Ако параметърът за обхват е пропуснат, той се връща към <i>профил</i>.<br>\r\n&#8226; Параметърът <i>state</i> трябва да бъде изпратен от клиента като част от заявката за удостоверяване.<br><br>\r\nПътища за заявки към OAuth2 API: <br>\r\n<ul>\r\n  <li>Крайна точка за удостоверяване: <code>/oauth/authorize</code></li>\r\n  <li>Крайна точка за токени: <code>/oauth/token</code></li>\r\n  <li>Страница с ресурси:  <code>/oauth/profile</code></li>\r\n</ul>\r\nГенерирането на нова тайна на клиента няма да анулира съществуващите кодове за удостоверяване, но те няма да могат да подновят своя токен.<br><br>\r\nАнулирането на токените на клиента ще доведе до незабавно прекратяване на всички активни сесии. Всички клиенти ще трябва да се преудостоверят.",
+    "oauth2_redirect_uri": "URI за пренасочване",
+    "oauth2_renew_secret": "Генериране на нова тайна на клиента",
+    "oauth2_revoke_tokens": "Анулиране на всички токени на клиента",
+    "optional": "опционално",
+    "options": "Опции",
+    "password": "Парола",
+    "password_length": "Дължина на паролата",
+    "password_policy": "Политика за пароли",
+    "password_policy_chars": "Трябва да съдържа поне една буквена буква",
+    "password_policy_length": "Минималната дължина на паролата е %d",
+    "password_policy_lowerupper": "Трябва да съдържа малки и главни букви",
+    "password_policy_numbers": "Трябва да съдържа поне една цифра",
+    "password_policy_special_chars": "Трябва да съдържа специални символи",
+    "password_repeat": "Потвърждаване на паролата (повторете)",
+    "password_reset_info": "Ако не е зададен имейл за възстановяване, тази функция не може да бъде използвана.",
+    "password_reset_settings": "Настройки за възстановяване на парола",
+    "password_reset_tmpl_html": "HTML шаблон",
+    "password_reset_tmpl_text": "Текстов шаблон",
+    "password_settings": "Настройки на паролата",
+    "priority": "Приоритет",
+    "private_key": "Частен ключ",
+    "quarantine": "Карантина",
+    "quarantine_bcc": "Изпращане на копие от всички уведомления (BCC) до този получател:<br><small>Оставете празно, за да деактивирате. <b>Неподписано, непроверено имейл. Трябва да бъде доставено само вътрешно.</b></small>",
+    "quarantine_exclude_domains": "Изключване на домейни и домейни на псевдоними",
+    "quarantine_max_age": "Максимална възраст в дни<br><small>Стойността трябва да бъде равна или по-голяма от 1 ден.</small>",
+    "quarantine_max_score": "Изхвърляне на уведомление, ако резултатът за спам на имейла е по-висок от тази стойност:<br><small>По подразбиране е 9999.0</small>",
+    "quarantine_max_size": "Максимален размер в MiB (по-големи елементи се изхвърлят):<br><small>0 не означава неограничен.</small>",
+    "quarantine_notification_html": "Шаблон на имейл за уведомление:<br><small>Оставете празно, за да възстановите шаблона по подразбиране.</small>",
+    "quarantine_notification_sender": "Изпращач на имейл за уведомление",
+    "quarantine_notification_subject": "Тема на имейл за уведомление",
+    "quarantine_redirect": "<b>Пренасочване на всички уведомления</b> към този получател:<br><small>Оставете празно, за да деактивирате. <b>Неподписано, непроверено имейл. Трябва да бъде доставено само вътрешно.</b></small>",
+    "quarantine_release_format": "Формат на освободените елементи",
+    "quarantine_release_format_att": "Като прикачен файл",
+    "quarantine_release_format_raw": "Непроменен оригинал",
+    "quarantine_retention_size": "Задържания за пощенска кутия:<br><small>0 показва <b>неактивен</b>.</small>",
+    "quota_notification_html": "Шаблон на имейл за уведомление:<br><small>Оставете празно, за да възстановите шаблона по подразбиране.</small>",
+    "quota_notification_sender": "Изпращач на имейл за уведомление",
+    "quota_notification_subject": "Тема на имейл за уведомление",
+    "quota_notifications": "Уведомления за квота",
+    "quota_notifications_info": "Уведомленията за квота се изпращат на потребителите веднъж при преминаване на 80% и веднъж при преминаване на 95% използване.",
+    "quota_notifications_vars": "{{percent}} е равно на текущата квота на потребителя<br>{{username}} е името на пощенската кутия",
+    "queue_unban": "разблокиране",
+    "r_active": "Активни ограничения",
+    "r_inactive": "Неактивни ограничения",
+    "r_info": "Елементите в сиво в списъка с активни ограничения не са известни като валидни ограничения за mailcow и не могат да бъдат преместени. Неизвестните ограничения ще бъдат зададени в реда на появяване все пак.<br>Можете да добавяте нови елементи в <code>inc/vars.local.inc.php</code>, за да можете да ги превключвате.",
+    "rate_name": "Име на ограничението",
+    "recipients": "Получатели",
+    "refresh": "Опресняване",
+    "regen_api_key": "Регенериране на API ключ",
+    "regex_maps": "Карти с регулярни изрази",
+    "relay_from": "Адрес \"From:\"",
+    "relay_rcpt": "Адрес \"To:\"",
+    "relay_run": "Изпълнение на тест",
+    "relayhosts": "Транспорти, зависими от изпращач",
+    "relayhosts_hint": "Дефинирайте транспорти, зависими от изпращач, за да можете да ги избирате в диалоговия прозорец за конфигурация на домейн.<br>\r\n  Услугата за транспорт винаги е \"smtp:\" и ще се опита да използва TLS, ако бъде предложена. Wrapped TLS (SMTPS) не се поддържа. Политиката за TLS на потребителя ще бъде взета предвид.<br>\r\n  Засегнатите домейни, включително домейни на псевдоними.",
+    "remove": "Премахване",
+    "remove_row": "Премахване на ред",
+    "reset_default": "Нулиране до подразбиране",
+    "reset_limit": "Премахване на хеш",
+    "reset_password_vars": "<code>{{link}}</code> Генерираната връзка за нулиране на парола<br><code>{{username}}</code> Името на пощенската кутия на потребителя, който е поискал нулиране на парола<br><code>{{username2}}</code> Името на пощенската кутия за възстановяване<br><code>{{date}}</code> Датата на заявката за нулиране на парола<br><code>{{token_lifetime}}</code> Времетраенето на токена в минути<br><code>{{hostname}}</code> Името на хоста на mailcow",
+    "restore_template": "Оставете празно, за да възстановите шаблона по подразбиране.",
+    "routing": "Маршрутизация",
+    "rsetting_add_rule": "Добавяне на правило",
+    "rsetting_content": "Съдържание на правилото",
+    "rsetting_desc": "Кратко описание",
+    "rsetting_no_selection": "Моля, изберете правило",
+    "rsetting_none": "Няма налични правила",
+    "rsettings_insert_preset": "Вмъкване на примерен предефиниран набор \"%s\"",
+    "rsettings_preset_1": "Деактивиране на всичко, освен DKIM и ограничение на скоростта за удостоверени потребители",
+    "rsettings_preset_2": "Пощенските администратори искат спам",
+    "rsettings_preset_3": "Разрешаване само на определени изпращачи за пощенска кутия (напр. използване като вътрешна пощенска кутия)",
+    "rsettings_preset_4": "Деактивиране на Rspamd за домейн",
+    "rspamd_com_settings": "Името на настройката ще бъде автоматично генерирано, моля, вижте примерните предефинирани набори по-долу. За повече детайли вижте <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">документацията на Rspamd</a>",
+    "rspamd_global_filters": "Глобални карти на филтри",
+    "rspamd_global_filters_agree": "Ще бъда внимателен!",
+    "rspamd_global_filters_info": "Глобалните карти на филтри съдържат различни видове глобални черни и бели списъци.",
+    "rspamd_global_filters_regex": "Имената им обясняват тяхната цел. Всичкото съдържание трябва да съдържа валиден регулярен израз във формат \"/pattern/options\" (напр. <code>/.+@domain\\.tld/i</code>).<br>\r\n  Въпреки че се извършват основни проверки за всеки ред с регулярен израз, функционалността на Rspamd може да бъде нарушена, ако не успява да прочете синтаксиса коректно.<br>\r\n  Rspamd ще се опита да прочете съдържанието на картата при промяна. Ако срещнете проблеми, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">рестартирайте Rspamd</a>, за да наложите презареждане на картата.<br>Елементите в черния списък са изключени от карантина.",
+    "rspamd_settings_map": "Карта с настройки на Rspamd",
+    "sal_level": "Ниво на Moo",
+    "save": "Запазване на промените",
+    "search_domain_da": "Търсене на домейни",
+    "send": "Изпращане",
+    "sender": "Изпращач",
+    "service": "Услуга",
+    "service_id": "Идентификатор на услугата",
+    "source": "Източник",
+    "spamfilter": "Филтър за спам",
+    "subject": "Тема",
+    "success": "Успех",
+    "sys_mails": "Системни имейли",
+    "task": "Задача",
+    "text": "Текст",
+    "time": "Време",
+    "title": "Заглавие",
+    "title_name": "Име на уеб страницата на \"mailcow UI\"",
+    "to_top": "Обратно нагоре",
+    "transport_dest_format": "Регулярен израз или синтаксис: example.org, .example.org, *, box@example.org (няколко стойности могат да бъдат разделени с запетая)",
+    "transport_maps": "Карти за транспорт",
+    "transport_test_rcpt_info": "&#8226; Използвайте null@hosted.mailcow.de, за да тествате препращането към чуждестранна дестинация.",
+    "transports_hint": "&#8226; Записът в картата на транспорта <b>пренарежда</b> запис в картата на транспорт, зависим от изпращач</b>.<br>\r\n&#8226; Транспортите, базирани на MX, се използват предимно.<br>\r\n&#8226; Настройките за политика на TLS на потребителя се игнорират и могат да бъдат приложени само чрез записи в картите на политиката на TLS.<br>\r\n&#8226; Услугата за транспорт за дефинираните транспорти винаги е \"smtp:\" и ще се опита да използва TLS, ако бъде предложена. Wrapped TLS (SMTPS) не се поддържа.<br>\r\n&#8226; Адресите, съвпадащи с \"/localhost$/\", винаги ще бъдат транспортирани през \"local:\", следователно записът \"*\" няма да се приложи към тези адреси.<br>\r\n&#8226; За да определите удостоверения за следващ хоп \"[host]:25\", Postfix <b>винаги</b> заявява за \"host\", преди да търси за \"[host]:25\". Това поведение прави невъзможно да се използват \"host\" и \"[host]:25\" едновременно.",
+    "ui_footer": "Подвал (разрешен е HTML)",
+    "ui_header_announcement": "Обяви",
+    "ui_header_announcement_active": "Задаване на активна обява",
+    "ui_header_announcement_content": "Текст (разрешен е HTML)",
+    "ui_header_announcement_help": "Обявата е видима за всички влезли потребители и на екрана за вход на UI.",
+    "ui_header_announcement_select": "Избор на тип обява",
+    "ui_header_announcement_type": "Тип",
+    "ui_header_announcement_type_danger": "Много важно",
+    "ui_header_announcement_type_info": "Информация",
+    "ui_header_announcement_type_warning": "Важно",
+    "ui_texts": "Етикети и текстове на UI",
+    "unban_pending": "разблокиране в опашката",
+    "unchanged_if_empty": "Ако не е променено, оставете празно",
+    "upload": "Качване",
+    "username": "Потребителско име",
+    "user_link": "Връзка към потребител",
+    "validate_license_now": "Валидиране на GUID срещу лицензен сървър",
+    "verify": "Проверка",
+    "yes": "&#10003;"
+  },
+  "danger": {
+    "access_denied": "Достъпът е отказан или данните от формуляра са невалидни",
+    "alias_domain_invalid": "Домейнът на псевдонима %s е невалиден",
+    "alias_empty": "Адресът на псевдонима не трябва да е празен",
+    "alias_goto_identical": "Адресът на псевдонима и адресът за пренасочване не трябва да са идентични",
+    "alias_invalid": "Адресът на псевдонима %s е невалиден",
+    "aliasd_targetd_identical": "Домейнът на псевдонима не трябва да е равен на целевия домейн: %s",
+    "aliases_in_use": "Макс. псевдоними трябва да бъдат по-големи или равни на %d",
+    "app_name_empty": "Името на приложението не може да бъде празно",
+    "app_passwd_id_invalid": "Идентификаторът на паролата за приложението %s е невалиден",
+    "authsource_in_use": "Доставчикът на идентичност не може да бъде променен или изтрит, тъй като се използва в момента от един или повече потребители.",
+    "bcc_empty": "BCC дестинацията не може да бъде празна",
+    "bcc_exists": "Картата BCC %s съществува за тип %s",
+    "bcc_must_be_email": "BCC дестинацията %s не е валиден имейл адрес",
+    "comment_too_long": "Коментарът е твърде дълъг, разрешени са макс. 160 символа",
+    "cors_invalid_method": "Зададен е невалиден метод за разрешаване",
+    "cors_invalid_origin": "Зададен е невалиден източник за разрешаване",
+    "defquota_empty": "Квотата по подразбиране за пощенска кутия не трябва да бъде 0.",
+    "demo_mode_enabled": "Режимът на демонстрация е активиран",
+    "description_invalid": "Описанието на ресурса за %s е невалидно",
+    "dkim_domain_or_sel_exists": "Съществува DKIM ключ за \"%s\", който няма да бъде презаписан",
+    "dkim_domain_or_sel_invalid": "DKIM домейн или селектор е невалиден: %s",
+    "domain_cannot_match_hostname": "Домейнът не може да съвпада с името на хоста",
+    "domain_exists": "Домейнът %s вече съществува",
+    "domain_invalid": "Името на домейна е празно или невалидно",
+    "domain_not_empty": "Не може да бъде премахнат непразен домейн %s",
+    "domain_not_found": "Домейнът %s не е намерен",
+    "domain_quota_m_in_use": "Квотата на домейна трябва да бъде по-голяма или равна на %s MiB",
+    "extended_sender_acl_denied": "липсва ACL за задаване на външни адреси на изпращач",
+    "extra_acl_invalid": "Външният адрес на изпращач \"%s\" е невалиден",
+    "extra_acl_invalid_domain": "Външният изпращач \"%s\" използва невалиден домейн",
+    "fido2_verification_failed": "Проверката на FIDO2 е неуспешна: %s",
+    "file_open_error": "Файлът не може да бъде отворен за писане",
+    "filter_type": "Грешен тип на филтър",
+    "from_invalid": "Изпращачът не трябва да бъде празен",
+    "generic_server_error": "Възникна неочаквана грешка на сървъра. Моля, свържете се с вашия администратор.",
+    "global_filter_write_error": "Файлът с филтър не може да бъде записан: %s",
+    "global_map_invalid": "Идентификаторът на глобалната карта %s е невалиден",
+    "global_map_write_error": "Глобалният идентификатор на картата %s не може да бъде записан: %s",
+    "goto_empty": "Адресът на псевдоним трябва да съдържа поне един валиден адрес за пренасочване",
+    "goto_invalid": "Адресът за пренасочване %s е невалиден",
+    "ham_learn_error": "Грешка при обучение за не-спам: %s",
+    "iam_test_connection": "Връзката е неуспешна",
+    "imagick_exception": "Грешка: Грешка при четене на изображение с Imagick",
+    "img_dimensions_exceeded": "Изображението надхвърля максималния размер",
+    "img_invalid": "Не може да се валидира файл с изображение",
+    "img_size_exceeded": "Изображението надхвърля максималния размер на файла",
+    "img_tmp_missing": "Не може да се валидира файл с изображение: Липсва временен файл",
+    "invalid_bcc_map_type": "Невалиден тип на картата BCC",
+    "invalid_destination": "Форматът на дестинацията \"%s\" е невалиден",
+    "invalid_filter_type": "Невалиден тип на филтър",
+    "invalid_host": "Зададен е невалиден хост: %s",
+    "invalid_mime_type": "Невалиден MIME тип",
+    "invalid_nexthop": "Форматът на следващия хоп е невалиден",
+    "invalid_nexthop_authenticated": "Следващият хоп съществува с различни удостоверения, моля, актуализирайте съществуващите удостоверения за този следващ хоп първо.",
+    "invalid_recipient_map_new": "Зададен е невалиден нов получател: %s",
+    "invalid_recipient_map_old": "Зададен е невалиден оригинален получател: %s",
+    "invalid_reset_token": "Невалиден токен за нулиране",
+    "ip_list_empty": "Списъкът с разрешени IP адреси не може да бъде празен",
+    "is_alias": "%s вече е известен като адрес на псевдоним",
+    "is_alias_or_mailbox": "%s вече е известен като адрес на псевдоним, пощенска кутия или адрес на псевдоним, разширен от домейн на псевдоним.",
+    "is_spam_alias": "%s вече е известен като временен адрес на псевдоним (спам адрес на псевдоним)",
+    "last_key": "Последното ключове не може да бъде изтрито, моля, деактивирайте TFA вместо това.",
+    "login_failed": "Неуспешен вход",
+    "mailbox_defquota_exceeds_mailbox_maxquota": "Квотата по подразбиране надхвърля лимита на макс. квота",
+    "mailbox_invalid": "Името на пощенската кутия е невалидно",
+    "mailbox_quota_exceeded": "Квотата надхвърля лимита на домейна (макс. %d MiB)",
+    "mailbox_quota_exceeds_domain_quota": "Макс. квотата надхвърля лимита на квотата на домейна",
+    "mailbox_quota_left_exceeded": "Няма достатъчно място (оставащо място: %d MiB)",
+    "mailboxes_in_use": "Макс. пощенски кутии трябва да бъдат по-големи или равни на %d",
+    "malformed_username": "Неправилно формирано потребителско име",
+    "map_content_empty": "Съдържанието на картата не може да бъде празно",
+    "max_alias_exceeded": "Макс. псевдоними са надхвърлени",
+    "max_mailbox_exceeded": "Макс. пощенски кутии са надхвърлени (%d от %d)",
+    "max_quota_in_use": "Квотата на пощенската кутия трябва да бъде по-голяма или равна на %d MiB",
+    "maxquota_empty": "Макс. квотата за пощенска кутия не трябва да бъде 0.",
+    "mysql_error": "Грешка на MySQL: %s",
+    "network_host_invalid": "Невалидна мрежа или хост: %s",
+    "next_hop_interferes": "%s се намесва с nexthop %s",
+    "next_hop_interferes_any": "Съществуващ следващ хоп се намесва с %s",
+    "nginx_reload_failed": "Презареждането на Nginx е неуспешно: %s",
+    "no_user_defined": "Няма зададен потребител",
+    "object_exists": "Обектът %s вече съществува",
+    "object_is_not_numeric": "Стойността %s не е числова",
+    "password_complexity": "Паролата не отговаря на изискванията",
+    "password_empty": "Паролата не трябва да бъде празна",
+    "password_mismatch": "Паролата за потвърждение не съвпада",
+    "password_reset_invalid_user": "Пощенската кутия не е намерена или не е зададен имейл за възстановяване",
+    "password_reset_na": "Възстановяването на парола в момента е недостъпно. Моля, свържете се с вашия администратор.",
+    "policy_list_from_exists": "Съществува запис с даденото име",
+    "policy_list_from_invalid": "Записът има невалиден формат",
+    "private_key_error": "Грешка с частен ключ: %s",
+    "pushover_credentials_missing": "Липсва токен или ключ на Pushover",
+    "pushover_key": "Ключът на Pushover има грешен формат",
+    "pushover_token": "Токенът на Pushover има грешен формат",
+    "quota_not_0_not_numeric": "Квотата трябва да бъде числова и >= 0",
+    "recipient_map_entry_exists": "Съществува запис в картата на получатели \"%s\"",
+    "recovery_email_failed": "Не може да бъде изпратен имейл за възстановяване. Моля, свържете се с вашия администратор.",
+    "redis_error": "Грешка на Redis: %s",
+    "relayhost_invalid": "Записът в картата %s е невалиден",
+    "release_send_failed": "Съобщението не може да бъде освободено: %s",
+    "required_data_missing": "Липсват необходими данни %s",
+    "reset_f2b_regex": "Регулярният филтър не може да бъде нулиран навреме, моля, опитайте отново или изчакайте още няколко секунди и презаредете уеб сайта.",
+    "reset_token_limit_exceeded": "Лимитът на токена за нулиране е надхвърлен. Моля, опитайте по-късно.",
+    "resource_invalid": "Името на ресурса %s е невалидно",
+    "rl_timeframe": "Временният интервал за ограничение на скоростта е некоректен",
+    "rspamd_ui_pw_length": "Паролата на UI на Rspamd трябва да бъде поне 6 символа",
+    "script_empty": "Скриптът не може да бъде празен",
+    "sender_acl_invalid": "Стойността на ACL на изпращач %s е невалидна",
+    "set_acl_failed": "Неуспешно задаване на ACL",
+    "settings_map_invalid": "Идентификаторът на картата с настройки %s е невалиден",
+    "sieve_error": "Грешка при синтаксиса на Sieve: %s",
+    "spam_learn_error": "Грешка при обучение за спам: %s",
+    "subject_empty": "Темата не трябва да бъде празна",
+    "target_domain_invalid": "Целевият домейн %s е невалиден",
+    "targetd_not_found": "Целевият домейн %s не е намерен",
+    "targetd_relay_domain": "Целевият домейн %s е домейн за реле",
+    "template_exists": "Шаблонът %s вече съществува",
+    "template_id_invalid": "Идентификаторът на шаблона %s е невалиден",
+    "template_name_invalid": "Името на шаблона е невалидно",
+    "temp_error": "Временна грешка",
+    "text_empty": "Текстът не трябва да бъде празен",
+    "tfa_token_invalid": "Токенът за TFA е невалиден",
+    "tls_policy_map_dest_invalid": "Дестинацията на политиката е невалидна",
+    "tls_policy_map_entry_exists": "Съществува запис в картата на политиката на TLS \"%s\"",
+    "tls_policy_map_parameter_invalid": "Параметърът на политиката е невалиден",
+    "to_invalid": "Получателят не трябва да бъде празен",
+    "totp_verification_failed": "Проверката на TOTP е неуспешна",
+    "transport_dest_exists": "Дестинацията на транспорта \"%s\" съществува",
+    "webauthn_verification_failed": "Проверката на WebAuthn е неуспешна: %s",
+    "webauthn_authenticator_failed": "Избраният аутентикатор не е намерен",
+    "webauthn_publickey_failed": "Не е запазен публичен ключ за избрания аутентикатор",
+    "webauthn_username_failed": "Избраният аутентикатор принадлежи на друга сметка",
+    "unknown": "Възникна неизвестна грешка",
+    "unknown_tfa_method": "Неизвестен метод за TFA",
+    "unlimited_quota_acl": "Неограничената квота е забранена от ACL",
+    "username_invalid": "Потребителското име %s не може да бъде използвано",
+    "validity_missing": "Моля, задайте период на валидност",
+    "value_missing": "Моля, предоставете всички стойности",
+    "yotp_verification_failed": "Проверката на Yubico OTP е неуспешна: %s"
+  },
+  "datatables": {
+    "collapse_all": "Свиване на всичко",
+    "decimal": ".",
+    "emptyTable": "Няма данни в таблицата",
+    "expand_all": "Разширяване на всичко",
+    "info": "Показване на _START_ до _END_ от _TOTAL_ записа",
+    "infoEmpty": "Показване на 0 до 0 от 0 записа",
+    "infoFiltered": "(филтрирани от общо _MAX_ записа)",
+    "infoPostFix": "",
+    "thousands": ",",
+    "lengthMenu": "Показване на _MENU_ записа",
+    "loadingRecords": "Зареждане...",
+    "processing": "Моля, изчакайте...",
+    "search": "Търсене:",
+    "zeroRecords": "Няма съвпадащи записи",
+    "paginate": {
+      "first": "Първи",
+      "last": "Последен",
+      "next": "Следващ",
+      "previous": "Предишен"
+    },
+    "aria": {
+      "sortAscending": ": активиране за сортиране на колоната във възходящ ред",
+      "sortDescending": ": активиране за сортиране на колоната в низходящ ред"
+    }
+  },
+  "debug": {
+    "architecture": "Архитектура",
+    "chart_this_server": "Графика (този сървър)",
+    "containers_info": "Информация за контейнерите",
+    "container_running": "Изпълнява се",
+    "container_disabled": "Контейнерът е спрян или деактивиран",
+    "container_stopped": "Спрян",
+    "cores": "Ядра",
+    "current_time": "Системно време",
+    "disk_usage": "Използване на диска",
+    "docs": "Документи",
+    "error_show_ip": "Не може да се разреши публичния IP адрес",
+    "external_logs": "Външни логове",
+    "history_all_servers": "История (всички сървъри)",
+    "in_memory_logs": "Логове в паметта",
+    "last_modified": "Последно модифициране",
+    "log_info": "<p>Логовете на mailcow <b>в паметта</b> се събират в списъци на Redis и се подрязват до LOG_LINES (%d) на всяка минута, за да се намали натоварването.<br>Логовете в паметта не са предназначени да бъдат постоянни. Всички приложения, които записват в паметта, също записват в демона на Docker и следователно в основния драйвер за логсване.<br>Логовете в паметта трябва да се използват за отстраняване на леки проблеми с контейнери.</p>\r\n  <p><b>Външните логове</b> се събират чрез API на даденото приложение.</p>\r\n  <p><b>Статичните логове</b> са най-вече логове на активност, които не се записват в демона на Docker, но все още трябва да бъдат постоянни (с изключение на логовете на API).</p>",
+    "login_time": "Време",
+    "logs": "Логове",
+    "memory": "Памет",
+    "online_users": "Потребители онлайн",
+    "restart_container": "Рестартиране",
+    "service": "Услуга",
+    "show_ip": "Показване на публичен IP",
+    "size": "Размер",
+    "started_at": "Стартирано в",
+    "started_on": "Стартирано на",
+    "static_logs": "Статични логове",
+    "success": "Успех",
+    "system_containers": "Система & Контейнери",
+    "timezone": "Часова зона",
+    "uptime": "Време на работа",
+    "update_available": "Има налична актуализация",
+    "no_update_available": "Системата е на последното издание",
+    "update_failed": "Не може да се провери за актуализация",
+    "username": "Потребителско име",
+    "wip": "В момента се работи"
+  },
+  "diagnostics": {
+    "cname_from_a": "Стойността е извлечена от A/AAAA запис. Това се поддържа, докато записът сочи към правилния ресурс.",
+    "dns_records": "DNS записи",
+    "dns_records_24hours": "Моля, имайте предвид, че промените в DNS може да отнемат до 24 часа, за да имат актуалното си състояние правилно отразено на тази страница. Тя е предназначена да ви позволи лесно да видите как да конфигурирате вашите DNS записи и да проверите дали всичките ви записи са правилно запазени в DNS.",
+    "dns_records_data": "Правилни данни",
+    "dns_records_docs": "Моля, вижте и <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">документацията</a>.",
+    "dns_records_name": "Име",
+    "dns_records_status": "Текущо състояние",
+    "dns_records_type": "Тип",
+    "optional": "Този запис е опционален."
+  },
+  "edit": {
+    "acl": "ACL (Разрешение)",
+    "active": "Активен",
+    "admin": "Редактиране на администратор",
+    "advanced_settings": "Разширени настройки",
+    "alias": "Редактиране на псевдоним",
+    "allow_from_smtp": "Разрешаване само на тези IP адреси да използват <b>SMTP</b>",
+    "allow_from_smtp_info": "Оставете празно, за да разрешите всички изпращачи.<br>IPv4/IPv6 адреси и мрежи.",
+    "allowed_protocols": "Разрешени протоколи за пряк потребителски достъп (не засяга протоколите за пароли на приложения)",
+    "app_name": "Име на приложението",
+    "app_passwd": "Парола за приложение",
+    "app_passwd_protocols": "Разрешени протоколи за паролата на приложението",
+    "automap": "Опит за автоматично картографиране на папки (\"Изпратени\", \"Изпратени\" => \"Изпратени\" и т.н.)",
+    "backup_mx_options": "Опции за реле",
+    "bcc_dest_format": "BCC дестинацията трябва да бъде един валиден имейл адрес.<br>Ако имате нужда да изпратите копие до множество адреси, създайте псевдоним и го използвайте тук.",
+    "client_id": "Идентификатор на клиента",
+    "client_secret": "Тайна на клиента",
+    "comment_info": "Частен коментар не е видим за потребителя, докато публичен коментар се показва като подсказка при преминаване с мишката върху него в прегледа на потребителя",
+    "created_on": "Създаден на",
+    "custom_attributes": "Персонализирани атрибути",
+    "delete1": "Изтриване от източника след завършване",
+    "delete2": "Изтриване на съобщенията в дестинацията, които не са в източника",
+    "delete2duplicates": "Изтриване на дубликати в дестинацията",
+    "delete_ays": "Моля, потвърдете процеса на изтриване.",
+    "description": "Описание",
+    "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
+    "domain": "Редактиране на домейн",
+    "domain_admin": "Редактиране на администратор на домейн",
+    "domain_footer": "Подвал за домейн",
+    "domain_footer_html": "HTML подвал",
+    "domain_footer_info": "Подвалите за домейн се добавят към всички изходящи имейли, свързани с адрес в този домейн. Следните променливи могат да бъдат използвани за подвала:",
+    "domain_footer_info_vars": {
+      "auth_user": "{= auth_user =}   - Удостоверен потребител, посочен от MTA",
+      "from_user": "{= from_user =}   - Потребителска част на обвивката, напр. за \"moo@mailcow.tld\" връща \"moo\"",
+      "from_name": "{= from_name =}   - Име на обвивката, напр. за \"Mailcow &lt;moo@mailcow.tld&gt;\" връща \"Mailcow\"",
+      "from_addr": "{= from_addr =}   - Адресна част на обвивката",
+      "from_domain": "{= from_domain =} - Домейна част на обвивката",
+      "custom": "{= foo =}         - Ако пощенската кутия има персонализиран атрибут \"foo\" със стойност \"bar\", ще върне \"bar\""
+    },
+    "domain_footer_plain": "PLAIN подвал",
+    "domain_footer_skip_replies": "Игнориране на подвал в отговорни имейли",
+    "domain_quota": "Квота на домейна",
+    "domains": "Домейни",
+    "dont_check_sender_acl": "Деактивиране на проверката на изпращач за домейн %s (+ домейни на псевдоними)",
+    "edit_alias_domain": "Редактиране на домейн на псевдоним",
+    "encryption": "Криптиране",
+    "exclude": "Изключване на обекти (regex)",
+    "extended_sender_acl": "Външни адреси на изпращач",
+    "extended_sender_acl_info": "Трябва да бъде импортиран DKIM домейн ключ, ако е наличен.<br>\r\n  Помнете да добавите този сървър към съответния SPF TXT запис.<br>\r\n  Когато домейн или домейн на псевдоним бъде добавен към този сървър, който се припокрива с външен адрес, външният адрес ще бъде премахнат.<br>\r\n  Използвайте @domain.tld, за да разрешите изпращане като *@domain.tld.",
+    "footer_exclude": "Изключване от подвал",
+    "force_pw_update": "Принудително обновяване на парола при следващия вход",
+    "force_pw_update_info": "Този потребител ще може да влезе само в %s. Паролите за приложения остават използваеми.",
+    "full_name": "Пълно име",
+    "gal": "Глобален адресен списък",
+    "gal_info": "Глобалният адресен списък съдържа всички обекти на домейна и не може да бъде редактиран от нито един потребител. Липсва информация за заетост/свободно време в SOGo, ако е деактивирано! <b>Рестартирайте SOGo, за да приложите промените.</b>",
+    "generate": "генериране",
+    "grant_types": "Типове разрешения",
+    "hostname": "Име на хост",
+    "inactive": "Неактивен",
+    "kind": "Вид",
+    "last_modified": "Последно модифициране",
+    "lookup_mx": "Дестинацията е регулярен израз за съвпадение с MX име (<code>.*\\.google\\.com</code> за пренасочване на всички съобщения, предназначени за MX, завършващ на google.com, през този хоп)",
+    "mailbox": "Редактиране на пощенска кутия",
+    "mailbox_quota_def": "Квота по подразбиране за пощенска кутия",
+    "mailbox_relayhost_info": "Прилага се за пощенската кутия и директните псевдоними само, пренарежда запис в картата на транспорта за домейн.",
+    "mailbox_rename": "Преименуване на пощенска кутия",
+    "mailbox_rename_agree": "Създадох резервно копие.",
+    "mailbox_rename_alias": "Автоматично създаване на псевдоним",
+    "mailbox_rename_title": "Ново локално име на пощенска кутия",
+    "mailbox_rename_warning": "ВНИМАНИЕ! Създайте резервно копие преди преименуване на пощенската кутия.",
+    "max_aliases": "Макс. псевдоними",
+    "max_mailboxes": "Макс. възможни пощенски кутии",
+    "max_quota": "Макс. квота за пощенска кутия (MiB)",
+    "maxage": "Максимална възраст на съобщенията в дни, които ще бъдат проверени от отдалечен<br><small>(0 = игнорирай възраст)</small>",
+    "maxbytespersecond": "Макс. байтове за секунда <br><small>(0 = неограничен)</small>",
+    "mbox_rl_info": "Това ограничение на скоростта се прилага върху SASL името за вход, то съвпада с всеки \"от\" адрес, използван от влезлия потребител. Ограничението на скоростта на пощенска кутия пренарежда ограничението на скоростта за домейн.",
+    "mins_interval": "Интервал (мин)",
+    "multiple_bookings": "Множествени резервации",
+    "nexthop": "Следващ хоп",
+    "none_inherit": "Без / Наследяване",
+    "password": "Парола",
+    "password_recovery_email": "Имейл за възстановяване на парола",
+    "password_repeat": "Потвърждаване на паролата (повторете)",
+    "previous": "Предишна страница",
+    "private_comment": "Частен коментар",
+    "public_comment": "Публичен коментар",
+    "pushover": "Pushover",
+    "pushover_evaluate_x_prio": "Ескалиране на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+    "pushover_info": "Настройките за известия на Pushover ще се прилагат за всички чисти (не-спам) съобщения, доставени до <b>%s</b>, включително псевдоними (споделени, несподелени, таговани).",
+    "pushover_only_x_prio": "Разглеждане само на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+    "pushover_sender_array": "Разглеждане само на следните адреси на изпращач <small>(разделени с запетая)</small>",
+    "pushover_sender_regex": "Разглеждане на следния regex на изпращач",
+    "pushover_sound": "Звук",
+    "pushover_text": "Текст на известието",
+    "pushover_title": "Заглавие на известието",
+    "pushover_vars": "Когато не е зададен филтър на изпращач, всички съобщения ще бъдат разглеждани.<br>Филтрите с регулярен израз, както и точните проверки на изпращач, могат да бъдат дефинирани индивидуално и ще бъдат разглеждани последователно. Те не зависят един от друг.<br>Използвайте следните променливи за текст и заглавие (моля, вземете предвид политиките за поверителност на данните)",
+    "pushover_verify": "Проверка на удостоверения",
+    "quota_mb": "Квота (MiB)",
+    "quota_warning_bcc": "Предупреждения за квота ще бъдат изпращани като отделни копия до следните получатели:",
+    "quota_warning_bcc_info": "Съобщенията ще бъдат изпратени с тема, допълнена с името на потребителя в скоби, например: <code>Предупреждение за квота (user@example.com)</code>.",
+    "ratelimit": "Ограничение на скоростта",
+    "redirect_uri": "URI за пренасочване/обратно извикване",
+    "relay_all": "Реле на всички получатели",
+    "relay_all_info": "↪ Ако изберете да <b>не</b> релеирате всички получатели, ще трябва да добавите (\"скрита\") пощенска кутия за всеки отделен получател, който трябва да бъде релеиран.",
+    "relay_domain": "Реле на този домейн",
+    "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Инфо</div> Можете да дефинирате транспортни карти за персонализирана дестинация за този домейн. Ако не е зададено, ще бъде направен MX lookup.",
+    "relay_unknown_only": "Реле на несъществуващи пощенски кутии. Съществуващите пощенски кутии ще бъдат доставени локално.",
+    "relayhost": "Транспорти, зависими от изпращач",
+    "remove": "Премахване",
+    "resource": "Ресурс",
+    "save": "Запазване на промените",
+    "scope": "Обхват",
+    "sender_acl": "Разрешаване на изпращане като",
+    "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Проверката на изпращач е деактивирана</span>",
+    "sender_acl_info": "Ако потребителят на пощенска кутия A е разрешен да изпраща като потребителя на пощенска кутия B, адресът на изпращач не се показва автоматично като избираем \"от\" поле в SOGo.<br>\r\n  Потребителят на пощенска кутия B трябва да създаде делегация в SOGo, за да разреши на потребителя на пощенска кутия A да избира техния адрес като изпращач. За да делегирате пощенска кутия в SOGo, използвайте менюто (три точки) вдясно от името на пощенската кутия в горния ляв ъгъл, докато сте в режим на поща. Това поведение не се прилага за адреси на псевдоними.",
+    "sieve_desc": "Кратко описание",
+    "sieve_type": "Тип на филтър",
+    "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
+    "sogo_access": "Директно препращане към SOGo",
+    "sogo_access_info": "След влизане, потребителят се пренасочва автоматично към SOGo.",
+    "sogo_visible": "Псевдонимът е видим в SOGo",
+    "sogo_visible_info": "Тази опция засяга само обекти, които могат да бъдат показани в SOGo (споделени или несподелени адреси на псевдоними, сочещи поне една локална пощенска кутия). Ако е скрит, псевдонимът няма да се появи като избираем адрес на изпращач в SOGo.",
+    "spam_alias": "Създаване или промяна на временни псевдоними",
+    "spam_filter": "Филтър за спам",
+    "spam_policy": "Добавяне или премахване на елементи към черния/бял списък",
+    "spam_score": "Задаване на персонализиран резултат за спам",
+    "subfolder2": "Синхронизиране в подпапка в дестинацията<br><small>(празно = не използвай подпапка)</small>",
+    "syncjob": "Редактиране на синхронизираща задача",
+    "target_address": "Адрес/и за пренасочване <small>(разделени с запетая)</small>",
+    "target_domain": "Целеви домейн",
+    "timeout1": "Таймаут за връзка с отдалечен хост",
+    "timeout2": "Таймаут за връзка с локален хост",
+    "title": "Редактиране на обект",
+    "unchanged_if_empty": "Ако не е променено, оставете празно",
+    "username": "Потребителско име",
+    "validate_save": "Валидиране и запазване"
+  },
+  "fido2": {
+    "confirm": "Потвърждаване",
+    "fido2_auth": "Вход с FIDO2",
+    "fido2_success": "Устройството е регистрирано успешно",
+    "fido2_validation_failed": "Проверката е неуспешна",
+    "fn": "Приятелско име",
+    "known_ids": "Известни идентификатори",
+    "none": "Деактивирано",
+    "register_status": "Състояние на регистрация",
+    "rename": "Преименуване",
+    "set_fido2": "Регистриране на FIDO2 устройство",
+    "set_fido2_touchid": "Регистриране на Touch ID на Apple M1",
+    "set_fn": "Задаване на приятелско име",
+    "start_fido2_validation": "Стартиране на проверка на FIDO2"
+  },
+  "footer": {
+    "cancel": "Отказ",
+    "confirm_delete": "Потвърждаване на изтриването",
+    "delete_now": "Изтриване сега",
+    "delete_these_items": "Моля, потвърдете промените за следния идентификатор на обект",
+    "hibp_check": "Проверка срещу haveibeenpwned.com",
+    "hibp_nok": "Съвпадение! Това е потенциално опасна парола!",
+    "hibp_ok": "Няма съвпадение.",
+    "loading": "Моля, изчакайте...",
+    "nothing_selected": "Няма избрани елементи",
+    "restart_container": "Рестартиране на контейнер",
+    "restart_container_info": "<b>Важно:</b> Грациозното рестартиране може да отнеме известно време за завършване, моля, изчакайте да приключи.",
+    "restart_now": "Рестартиране сега",
+    "restarting_container": "Рестартиране на контейнера, това може да отнеме известно време"
+  },
+  "header": {
+    "administration": "Конфигурация & Детайли",
+    "apps": "Приложения",
+    "debug": "Информация",
+    "email": "Имейл",
+    "mailcow_system": "Система",
+    "mailcow_config": "Конфигурация",
+    "quarantine": "Карантина",
+    "restart_netfilter": "Рестартиране на netfilter",
+    "restart_sogo": "Рестартиране на SOGo",
+    "user_settings": "Настройки на потребителя"
+  },
+  "info": {
+    "awaiting_tfa_confirmation": "Изчакване на потвърждение за TFA",
+    "no_action": "Няма приложимо действие",
+    "session_expires": "Вашата сесия ще изтече след около 15 секунди"
+  },
+  "login": {
+    "back_to_mailcow": "Обратно към mailcow",
+    "delayed": "Входът е забавен с %s секунди.",
+    "fido2_webauthn": "Вход с FIDO2/WebAuthn",
+    "forgot_password": "> Забравена парола?",
+    "invalid_pass_reset_token": "Токенът за нулиране на парола е невалиден или е изтекъл.<br>Моля, заявете нов линк за нулиране на парола.",
+    "login": "Вход",
+    "login_admin": "Вход на администратор",
+    "login_dadmin": "Вход на администратор на домейн",
+    "login_user": "Потребителски вход",
+    "mobileconfig_info": "Моля, влезте като потребител на пощенска кутия, за да изтеглите поискания Apple профил за връзка.",
+    "new_password": "Нова парола",
+    "new_password_confirm": "Потвърждаване на новата парола",
+    "other_logins": "или вход с",
+    "password": "Парола",
+    "request_reset_password": "Заявка за промяна на парола",
+    "reset_password": "Нулиране на парола",
+    "username": "Потребителско име"
+  },
+  "mailbox": {
+    "action": "Действие",
+    "activate": "Активиране",
+    "active": "Активен",
+    "add": "Добавяне",
+    "add_alias": "Добавяне на псевдоним",
+    "add_alias_expand": "Разширяване на псевдоним над домейни на псевдоними",
+    "add_bcc_entry": "Добавяне на запис в картата BCC",
+    "add_domain": "Добавяне на домейн",
+    "add_domain_alias": "Добавяне на псевдоним на домейн",
+    "add_domain_record_first": "Моля, добавете първо домейн",
+    "add_filter": "Добавяне на филтър",
+    "add_mailbox": "Добавяне на пощенска кутия",
+    "add_recipient_map_entry": "Добавяне на запис в картата на получатели",
+    "add_resource": "Добавяне на ресурс",
+    "add_template": "Добавяне на шаблон",
+    "add_tls_policy_map": "Добавяне на карта на политиката на TLS",
+    "address_rewriting": "Презаписване на адрес",
+    "alias": "Псевдоним",
+    "alias_domain_alias_hint": "Псевдонимите <b>не</b> се прилагат автоматично към домейни на псевдоними. Псевдонимът <code>my-alias@domain</code> <b>не</b> покрива адреса <code>my-alias@alias-domain</code> (където \"alias-domain\" е имагинерен псевдоним на домейн).<br>Моля, използвайте филтър на Sieve, за да пренасочите имейл към външна пощенска кутия (вижте раздела \"Филтри\" или SOGo -> Пренасочвач). Използвайте \"Разширяване на псевдоним над домейни на псевдоними\", за да добавите автоматично липсващи псевдоними.",
+    "alias_domain_backupmx": "Псевдонимът на домейн е неактивен за домейн за реле",
+    "aliases": "Псевдоними",
+    "all_domains": "Всички домейни",
+    "allow_from_smtp": "Разрешаване само на тези IP адреси да използват <b>SMTP</b>",
+    "allow_from_smtp_info": "Оставете празно, за да разрешите всички изпращачи.<br>IPv4/IPv6 адреси и мрежи.",
+    "allowed_protocols": "Разрешени протоколи",
+    "backup_mx": "Домейн за реле",
+    "bcc": "BCC",
+    "bcc_destination": "BCC дестинация",
+    "bcc_destinations": "BCC дестинации",
+    "bcc_info": "Картите BCC се използват, за да препращат тихо копия от всички съобщения до друг адрес. Записът от тип получател на карта се използва, когато локалната дестинация действа като получател на имейл. Записът от тип изпращач на карта се използва, когато локалната дестинация действа като изпращач на имейл. Локалната дестинация няма да бъде информирана за неуспешна доставка.",
+    "bcc_local_dest": "Локална дестинация",
+    "bcc_map": "Карта BCC",
+    "bcc_map_type": "Тип BCC",
+    "bcc_maps": "Карти BCC",
+    "bcc_rcpt_map": "Карта на получател",
+    "bcc_sender_map": "Карта на изпращач",
+    "bcc_to_rcpt": "Превключване към карта на получател",
+    "bcc_to_sender": "Превключване към карта на изпращач",
+    "bcc_type": "Тип BCC",
+    "booking_null": "Винаги показване като свободен",
+    "booking_0_short": "Винаги свободен",
+    "booking_custom": "Твърдо ограничение до определен брой резервации",
+    "booking_custom_short": "Твърдо ограничение",
+    "booking_ltnull": "Неограничено, но показване като заето, когато е резервирано",
+    "booking_lt0_short": "Меко ограничение",
+    "catch_all": "Catch-All",
+    "created_on": "Създаден на",
+    "daily": "Ежедневно",
+    "deactivate": "Деактивиране",
+    "description": "Описание",
+    "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
+    "disable_x": "Деактивиране",
+    "dkim_domains_selector": "Селектор",
+    "dkim_key_length": "Дължина на DKIM ключа (битове)",
+    "domain": "Домейн",
+    "domain_admins": "Администратори на домейн",
+    "domain_aliases": "Псевдоними на домейн",
+    "domain_templates": "Шаблони за домейн",
+    "domain_quota": "Квота",
+    "domain_quota_total": "Обща квота на домейна",
+    "domains": "Домейни",
+    "edit": "Редактиране",
+    "empty": "Няма резултати",
+    "enable_x": "Активиране",
+    "excludes": "Изключване",
+    "filter_table": "Таблица с филтри",
+    "filters": "Филтри",
+    "fname": "Пълно име",
+    "force_pw_update": "Принудително обновяване на парола при следващия вход",
+    "gal": "Глобален адресен списък",
+    "goto_ham": "Учен като <span class=\"text-success\"><b>не е спам</b></span>",
+    "goto_spam": "Учен като <span class=\"text-danger\"><b>спам</b></span>",
+    "hourly": "Часово",
+    "iam": "Доставчик на идентичност",
+    "in_use": "В употреба (%)",
+    "inactive": "Неактивен",
+    "insert_preset": "Вмъкване на примерен предефиниран набор \"%s\"",
+    "kind": "Вид",
+    "last_mail_login": "Последен вход в пощата",
+    "last_modified": "Последно модифициране",
+    "last_pw_change": "Последна промяна на парола",
+    "last_run": "Последно изпълнение",
+    "last_run_reset": "Задаване на следващо",
+    "mailbox": "Пощенска кутия",
+    "mailbox_defaults": "Настройки по подразбиране",
+    "mailbox_defaults_info": "Дефинирайте настройки по подразбиране за нови пощенски кутии.",
+    "mailbox_defquota": "Размер по подразбиране на пощенска кутия",
+    "mailbox_templates": "Шаблони за пощенска кутия",
+    "mailbox_quota": "Макс. размер на пощенска кутия",
+    "mailboxes": "Пощенски кутии",
+    "max_aliases": "Макс. псевдоними",
+    "max_mailboxes": "Макс. възможни пощенски кутии",
+    "max_quota": "Макс. квота за пощенска кутия",
+    "mins_interval": "Интервал (мин)",
+    "msg_num": "Съобщение №",
+    "multiple_bookings": "Множествени резервации",
+    "never": "Никога",
+    "no": "&#10005;",
+    "no_record": "Няма запис за обект %s",
+    "no_record_single": "Няма запис",
+    "open_logs": "Отваряне на логове",
+    "owner": "Собственик",
+    "private_comment": "Частен коментар",
+    "public_comment": "Публичен коментар",
+    "q_add_header": "при преместване в папката за нежелана поща",
+    "q_all": " при преместване в папката за нежелана поща и при отхвърляне",
+    "q_reject": "при отхвърляне",
+    "quarantine_category": "Категория на уведомленията за карантина",
+    "quarantine_notification": "Уведомления за карантина",
+    "quick_actions": "Действия",
+    "recipient": "Получател",
+    "recipient_map": "Карта на получател",
+    "recipient_map_info": "Картите на получател се използват, за да се замени адресът на дестинация на съобщението, преди да бъде доставено.",
+    "recipient_map_new": "Нов получател",
+    "recipient_map_new_info": "Дестинацията на картата на получател трябва да бъде валиден имейл адрес или име на домейн.",
+    "recipient_map_old": "Оригинален получател",
+    "recipient_map_old_info": "Оригиналната дестинация на картата на получател трябва да бъде валиден имейл адрес или име на домейн.",
+    "recipient_maps": "Карти на получател",
+    "relay_all": "Реле на всички получатели",
+    "relay_unknown": "Реле на несъществуващи пощенски кутии",
+    "remove": "Премахване",
+    "resources": "Ресурси",
+    "running": "Изпълнява се",
+    "sender": "Изпращач",
+    "set_postfilter": "Маркиране като постфилтър",
+    "set_prefilter": "Маркиране като префилтър",
+    "sieve_info": "Можете да запазите множество филтри за всеки потребител, но само един префилтър и един постфилтър могат да бъдат активни едновременно.<br>\r\nВсеки филтър ще бъде обработен в описания ред. Нито един неуспешен скрипт, нито издадена команда \"keep;\" няма да спре обработката на следващите скриптове. Промените в глобалните филтри на sieve ще предизвикат рестартиране на Dovecot.<br><br>Глобален префилтър на sieve &#8226; Префилтър &#8226; Потребителски скриптове &#8226; Постфилтър &#8226; Глобален постфилтър на sieve",
+    "sieve_preset_1": "Изтриване на съобщения с потенциално опасни типове файлове",
+    "sieve_preset_2": "Винаги маркиране на имейла на определен изпращач като прочетен",
+    "sieve_preset_3": "Тихо изтриване, спиране на всякаква допълнителна обработка на sieve филтри",
+    "sieve_preset_4": "Архивиране на съобщението във ВХОДНА, пропускане на допълнителна обработка от sieve филтри",
+    "sieve_preset_5": "Автоотговор (ваканция)",
+    "sieve_preset_6": "Отхвърляне на съобщение с отговор",
+    "sieve_preset_7": "Пренасочване и запазване/изтриване",
+    "sieve_preset_8": "Пренасочване на имейл от определен изпращач, маркиране като прочетен и сортиране в подпапка",
+    "sieve_preset_header": "Моля, вижте примерните предефинирани набори по-долу. За повече детайли вижте <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a>.",
+    "sogo_visible": "Псевдонимът е видим в SOGo",
+    "sogo_visible_n": "Скриване на псевдоним в SOGo",
+    "sogo_visible_y": "Показване на псевдоним в SOGo",
+    "spam_aliases": "Времеви псевдоними",
+    "stats": "Статистика",
+    "status": "Статус",
+    "sync_jobs": "Синхронизиращи задачи",
+    "syncjob_check_log": "Проверка на лога",
+    "syncjob_last_run_result": "Резултат от последното изпълнение",
+    "syncjob_EX_OK": "Успех",
+    "syncjob_EXIT_CONNECTION_FAILURE": "Проблем с връзката",
+    "syncjob_EXIT_TLS_FAILURE": "Проблем с криптираната връзка",
+    "syncjob_EXIT_AUTHENTICATION_FAILURE": "Проблем с удостоверяването",
+    "syncjob_EXIT_OVERQUOTA": "Целевата пощенска кутия е над квотата",
+    "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Не може да се свърже с отдалечен сървър",
+    "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Грешно потребителско име или парола",
+    "table_size": "Размер на таблицата",
+    "table_size_show_n": "Показване на %s елемента",
+    "target_address": "Адрес за пренасочване",
+    "target_domain": "Целеви домейн",
+    "templates": "Шаблони",
+    "template": "Шаблон",
+    "tls_enforce_in": "Принудително използване на TLS за входящи",
+    "tls_enforce_out": "Принудително използване на TLS за изходящи",
+    "tls_map_dest": "Дестинация",
+    "tls_map_dest_info": "Примери: example.org, .example.org, [mail.example.org]:25",
+    "tls_map_parameters": "Параметри",
+    "tls_map_parameters_info": "Празно или параметри, например: protocols=!SSLv2 ciphers=medium exclude=3DES",
+    "tls_map_policy": "Политика",
+    "tls_policy_maps": "Пренареждания на политиката на TLS",
+    "tls_policy_maps_enforced_tls": "Тези политики ще пренареждат и поведението за потребители на пощенски кутии, които принудително използват изходящи TLS връзки. Ако няма политика, съществуваща по-долу, тези потребители ще приложат стойностите по подразбиране, зададени като <code>smtp_tls_mandatory_protocols</code> и <code>smtp_tls_mandatory_ciphers</code>.",
+    "tls_policy_maps_info": "Тази политика за пренареждане на TLS транспортни правила е независима от настройките за политика на TLS на потребителя.<br>\r\n  Моля, вижте <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">документацията за \"smtp_tls_policy_maps\"</a> за повече информация.",
+    "tls_policy_maps_long": "Пренареждания на политиката на TLS за изходящи",
+    "toggle_all": "Превключване на всички",
+    "username": "Потребителско име",
+    "waiting": "Изчакване",
+    "weekly": "Седмично",
+    "yes": "&#10003;"
+  },
+  "oauth2": {
+    "access_denied": "Моля, влезте като собственик на пощенска кутия, за да удостоверите чрез OAuth2.",
+    "authorize_app": "Удостоверяване на приложение",
+    "deny": "Отказ",
+    "permit": "Удостоверяване на приложение",
+    "profile": "Профил",
+    "profile_desc": "Преглед на лични данни: потребителско име, пълно име, създадено, модифицирано, активно",
+    "scope_ask_permission": "Приложението заявява следните разрешения",
+    "client_id": "Идентификатор на клиента",
+    "client_secret": "Тайна на клиента",
+    "redirect_uri": "URI за пренасочване",
+    "renew_secret": "Генериране на нова тайна на клиента",
+    "revoke_tokens": "Анулиране на всички токени на клиента"
+  },
+  "quarantine": {
+    "action": "Действие",
+    "atts": "Прикачени файлове",
+    "check_hash": "Търсене на файлов хеш в VirusTotal",
+    "confirm": "Потвърждаване",
+    "confirm_delete": "Потвърждаване на изтриването на този елемент.",
+    "danger": "Опасност",
+    "deliver_inbox": "Доставяне в пощенската кутия",
+    "disabled_by_config": "Текущата системна конфигурация деактивира функционалността на карантината. Моля, задайте \"задържания за пощенска кутия\" и \"максимален размер\" за елементите на карантината.",
+    "download_eml": "Изтегляне (.eml)",
+    "empty": "Няма резултати",
+    "high_danger": "Висока",
+    "info": "Информация",
+    "junk_folder": "Папка за нежелана поща",
+    "learn_spam_delete": "Учен като спам и изтриване",
+    "low_danger": "Ниска",
+    "medium_danger": "Средна",
+    "neutral_danger": "Неутрална",
+    "notified": "Уведомен",
+    "qhandler_success": "Заявката е изпратена успешно до системата. Можете да затворите прозореца сега.",
+    "qid": "QID на Rspamd",
+    "qinfo": "Системата за карантина ще запази отхвърлените съобщения в базата данни (изпращачът няма да бъде информиран за доставеното съобщение) както и съобщенията, доставени като копие в папката за нежелана поща на пощенска кутия.<br> <br>\"Учен като спам и изтриване\" ще научи съобщението като спам чрез теоремата на Бейс и също ще изчисли размити хешове, за да отхвърли подобни съобщения в бъдеще.<br> <br>Моля, имайте предвид, че обучаването на множество съобщения може да бъде - в зависимост от вашата система - времеемко.<br>Елементите в черния списък са изключени от карантината.",
+    "qitem": "Елемент в карантина",
+    "quarantine": "Карантина",
+    "quick_actions": "Действия",
+    "quick_delete_link": "Отваряне на бърз линк за изтриване",
+    "quick_info_link": "Отваряне на бърз информационен линк",
+    "quick_release_link": "Отваряне на бърз линк за освобождане",
+    "rcpt": "Получател",
+    "received": "Получено",
+    "recipients": "Получатели",
+    "refresh": "Опресняване",
+    "rejected": "Отхвърлено",
+    "release": "Освобождане",
+    "release_body": "Прикаченото съобщение е добавено към това съобщение.",
+    "release_subject": "Потенциално вреден елемент в карантина %s",
+    "remove": "Премахване",
+    "rewrite_subject": "Презаписване на темата",
+    "rspamd_result": "Резултат от Rspamd",
+    "sender": "Изпращач (SMTP)",
+    "sender_header": "Изпращач (\"From\" заглавие)",
+    "settings_info": "Максимален брой елементи за карантиниране: %s<br>Максимален размер на имейл: %s MiB",
+    "show_item": "Показване на елемент",
+    "spam": "Спам",
+    "spam_score": "Резултат",
+    "subj": "Тема",
+    "table_size": "Размер на таблицата",
+    "table_size_show_n": "Показване на %s елемента",
+    "text_from_html_content": "Съдържание (конвертиран HTML)",
+    "text_plain_content": "Съдържание (обикновен текст)",
+    "toggle_all": "Превключване на всички",
+    "type": "Тип"
+  },
+  "queue": {
+    "delete": "Изтриване на всички",
+    "flush": "Изчистване на опашката",
+    "info": "Опашката на имейлите съдържа всички имейли, които чакат за доставка. Ако имейлът е засечен в опашката за дълго време, той автоматично се изтрива от системата.<br>Съобщението за грешка на съответния имейл дава информация защо имейлът не може да бъде доставен.",
+    "legend": "Функции на действията в опашката на имейлите:",
+    "ays": "Моля, потвърдете, че искате да изтриете всички елементи от текущата опашка.",
+    "deliver_mail": "Доставяне",
+    "deliver_mail_legend": "Опит за повторно доставяне на избраните съобщения.",
+    "hold_mail": "Задържане",
+    "hold_mail_legend": "Задържа избраните съобщения. (Предотвратява допълнителни опити за доставяне)",
+    "queue_manager": "Мениджър на опашката",
+    "show_message": "Показване на съобщение",
+    "unban": "разблокиране на опашката",
+    "unhold_mail": "Освобождаване",
+    "unhold_mail_legend": "Освобождава избраните съобщения за доставка. (Изисква предварително задържане)"
+  },
+  "ratelimit": {
+    "disabled": "Деактивирано",
+    "second": "съобщения/секунда",
+    "minute": "съобщения/минута",
+    "hour": "съобщения/час",
+    "day": "съобщения/ден"
+  },
+  "start": {
+    "help": "Показване/Скриване на панела за помощ",
+    "imap_smtp_server_auth_info": "Моля, използвайте пълния си имейл адрес и механизма за удостоверяване PLAIN.<br>\r\nВашите данни за вход ще бъдат криптирани от сървърната страна чрез задължително сървърно криптиране."
+  },
+  "success": {
+    "acl_saved": "ACL за обект %s е запазен",
+    "admin_added": "Администраторът %s е добавен",
+    "admin_api_modified": "Промените в API са запазени",
+    "admin_modified": "Промените в администратора са запазени",
+    "admin_removed": "Администраторът %s е премахнат",
+    "alias_added": "Адресът на псевдонима %s (%d) е добавен",
+    "alias_domain_removed": "Домейнът на псевдонима %s е премахнат",
+    "alias_modified": "Промените в адреса на псевдонима %s са запазени",
+    "alias_removed": "Псевдонимът %s е премахнат",
+    "aliasd_added": "Добавен домейн на псевдоним %s",
+    "aliasd_modified": "Промените в домейна на псевдоним %s са запазени",
+    "app_links": "Запазени промени в линковете на приложенията",
+    "app_passwd_added": "Добавена нова парола за приложение",
+    "app_passwd_removed": "Премахната парола за приложение с ID %s",
+    "bcc_deleted": "Записи в картата BCC са изтрити: %s",
+    "bcc_edited": "Записът в картата BCC %s е редактиран",
+    "bcc_saved": "Записът в картата BCC е запазен",
+    "cors_headers_edited": "Настройките на CORS са запазени",
+    "db_init_complete": "Инициализацията на базата данни е завършена",
+    "delete_filter": "Изтрити филтри с ID %s",
+    "delete_filters": "Изтрити филтри: %s",
+    "deleted_syncjob": "Изтрита синхронизираща задача с ID %s",
+    "deleted_syncjobs": "Изтрити синхронизиращи задачи: %s",
+    "dkim_added": "Добавен DKIM ключ %s",
+    "dkim_duplicated": "DKIM ключът за домейн %s е копиран в %s",
+    "dkim_removed": "DKIM ключът %s е премахнат",
+    "domain_add_dkim_available": "DKIM ключът вече съществува",
+    "domain_added": "Добавен домейн %s",
+    "domain_admin_added": "Добавен администратор на домейн %s",
+    "domain_admin_modified": "Промените в администратора на домейн %s са запазени",
+    "domain_admin_removed": "Администраторът на домейн %s е премахнат",
+    "domain_footer_modified": "Промените в подвала на домейн %s са запазени",
+    "domain_modified": "Промените в домейн %s са запазени",
+    "domain_removed": "Домейнът %s е премахнат",
+    "dovecot_restart_success": "Dovecot е рестартиран успешно",
+    "eas_reset": "Устройствата с ActiveSync за потребителя %s са нулирани",
+    "f2b_banlist_refreshed": "Списъкът с ID на блокираните е актуализиран успешно.",
+    "f2b_modified": "Промените в параметрите на Fail2ban са запазени",
+    "forwarding_host_added": "Добавен хост за препращане %s",
+    "forwarding_host_removed": "Премахнат хост за препращане %s",
+    "global_filter_written": "Филтърът е записан успешно във файл",
+    "hash_deleted": "Хешът е изтрит",
+    "iam_test_connection": "Връзката е успешна",
+    "ip_check_opt_in": "Оптирането за използване на услугата на трета страна е запазено успешно",
+    "ip_check_opt_in_modified": "Проверката на IP беше успешно запазена",
+    "item_deleted": "Елементът %s е изтрит успешно",
+    "item_released": "Елементът %s е освободен",
+    "items_deleted": "Елементът %s е изтрит успешно",
+    "items_released": "Избраните елементи са освободени",
+    "learned_ham": "Успешно научен ID %s като не е спам",
+    "license_modified": "Промените в лиценза са запазени",
+    "logged_in_as": "Вписан като %s",
+    "mailbox_added": "Пощенската кутия %s е добавена",
+    "mailbox_modified": "Промените в пощенската кутия %s са запазени",
+    "mailbox_removed": "Пощенската кутия %s е премахната",
+    "mailbox_renamed": "Пощенската кутия е преименувана от %s на %s",
+    "nginx_reloaded": "Nginx е презареден",
+    "object_modified": "Промените в обект %s са запазени",
+    "password_changed_success": "Паролата е променена успешно",
+    "password_policy_saved": "Политиката за парола е запазена успешно",
+    "pushover_settings_edited": "Настройките на Pushover са запазени успешно, моля, проверете удостоверенията.",
+    "qlearn_spam": "Съобщението с ID %s е научено като спам и изтрито",
+    "queue_command_success": "Командата на опашката е завършена успешно",
+    "recipient_map_entry_deleted": "Записът в картата на получател с ID %s е изтрит",
+    "recipient_map_entry_saved": "Записът в картата на получател \"%s\" е запазен",
+    "recovery_email_sent": "Изпратен имейл за възстановяване до %s",
+    "relayhost_added": "Записът в картата %s е добавен",
+    "relayhost_removed": "Записът в картата %s е премахнат",
+    "reset_main_logo": "Нулиране на логото по подразбиране",
+    "resource_added": "Ресурсът %s е добавен",
+    "resource_modified": "Промените в пощенската кутия %s са запазени",
+    "resource_removed": "Ресурсът %s е премахнат",
+    "rl_saved": "Ограничението на скоростта за обект %s е запазено",
+    "rspamd_ui_pw_set": "Паролата на UI на Rspamd е зададена успешно",
+    "saved_settings": "Запазени настройки",
+    "settings_map_added": "Добавен запис в картата с настройки",
+    "settings_map_removed": "Премахнат запис в картата с настройки с ID %s",
+    "sogo_profile_reset": "Профилът на SOGo за потребителя %s е нулиран",
+    "template_added": "Добавен шаблон %s",
+    "template_modified": "Промените в шаблон %s са запазени",
+    "template_removed": "Шаблонът с ID %s е премахнат",
+    "tls_policy_map_entry_deleted": "Записът в картата на политиката на TLS с ID %s е изтрит",
+    "tls_policy_map_entry_saved": "Записът в картата на политиката на TLS \"%s\" е запазен",
+    "ui_texts": "Запазени промени в текстовете на UI",
+    "upload_success": "Файлът е качен успешно",
+    "verified_fido2_login": "Потвърдено вход с FIDO2",
+    "verified_totp_login": "Потвърдено вход с TOTP",
+    "verified_webauthn_login": "Потвърдено вход с WebAuthn",
+    "verified_yotp_login": "Потвърдено вход с Yubico OTP"
+  },
+  "tfa": {
+    "authenticators": "Аутентикатори",
+    "api_register": "%s използва облачното API на Yubico. Моля, вземете API ключ за вашия ключ <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">тук</a>",
+    "confirm": "Потвърждаване",
+    "confirm_totp_token": "Моля, потвърдете промените, като въведете генерирания токен",
+    "delete_tfa": "Деактивиране на TFA",
+    "disable_tfa": "Деактивиране на TFA до следващия успешен вход",
+    "enter_qr_code": "Вашият TOTP код, ако вашето устройство не може да сканира QR кодове",
+    "error_code": "Код на грешка",
+    "init_webauthn": "Инициализиране, моля, изчакайте...",
+    "key_id": "Идентификатор за вашето устройство",
+    "key_id_totp": "Идентификатор за вашия ключ",
+    "none": "Деактивиране",
+    "reload_retry": "- (презаредете браузъра, ако грешката продължи)",
+    "scan_qr_code": "Моля, сканирайте следния код с вашето приложение за аутентикация или въведете кода ръчно.",
+    "select": "Моля, изберете",
+    "set_tfa": "Задаване на метод за двуфакторно удостоверяване",
+    "start_webauthn_validation": "Стартиране на проверка",
+    "tfa": "Двуфакторно удостоверяване",
+    "tfa_token_invalid": "Невалиден токен за TFA",
+    "totp": "Временен OTP (Google Authenticator, Authy и др.)",
+    "u2f_deprecated": "Изглежда, че вашият ключ е регистриран с депрекирания метод U2F. Ще деактивираме двуфакторното удостоверяване за вас и ще изтрием вашия ключ.",
+    "u2f_deprecated_important": "Моля, регистрирайте вашия ключ в административния панел с новия метод WebAuthn.",
+    "webauthn": "Удостоверяване с WebAuthn",
+    "waiting_usb_auth": "<i>Изчакване на USB устройство...</i><br><br>Моля, докоснете бутона на вашето USB устройство сега.",
+    "waiting_usb_register": "<i>Изчакване на USB устройство...</i><br><br>Моля, въведете паролата си по-горе и потвърдете регистрацията си, като докоснете бутона на вашето USB устройство.",
+    "yubi_otp": "Удостоверяване с Yubico OTP"
+  },
+  "user": {
+    "action": "Действие",
+    "active": "Активен",
+    "active_sieve": "Активен филтър",
+    "advanced_settings": "Разширени настройки",
+    "alias": "Псевдоним",
+    "alias_create_random": "Генериране на случаен псевдоним",
+    "alias_extend_all": "Удължаване на всички псевдоними с 1 час",
+    "alias_full_date": "d.m.Y, H:i:s T",
+    "alias_remove_all": "Премахване на всички псевдоними",
+    "alias_select_validity": "Период на валидност",
+    "alias_time_left": "Оставащо време",
+    "alias_valid_until": "Валиден до",
+    "aliases_also_send_as": "Разрешено да изпраща и като потребител",
+    "aliases_send_as_all": "Не проверявай достъпа на изпращач за следните домейни и техните псевдоними",
+    "allowed_protocols": "Разрешени протоколи",
+    "app_hint": "Паролите за приложения са алтернативни пароли за вашия IMAP, SMTP, CalDAV, CardDAV и EAS вход. Потребителското име остава непроменено. SOGo уеб пощата не е достъпна чрез пароли за приложения.",
+    "app_name": "Име на приложението",
+    "app_passwds": "Пароли за приложения",
+    "apple_connection_profile": "Профил за връзка на Apple",
+    "apple_connection_profile_complete": "Този профил за връзка включва настройки за IMAP и SMTP, както и пътища за CalDAV (календари) и CardDAV (контакти) за устройство на Apple.",
+    "apple_connection_profile_mailonly": "Този профил за връзка включва настройки за IMAP и SMTP за устройство на Apple.",
+    "apple_connection_profile_with_app_password": "Генерирана е нова парола за приложение и е добавена към профила, така че не е необходимо да се въвежда парола при настройката на вашето устройство. Моля, не споделяйте файла, тъй като той предоставя пълен достъп до вашата пощенска кутия.",
+    "attribute": "Атрибут",
+    "authentication": "Удостоверяване",
+    "change_password": "Промяна на парола",
+    "change_password_hint_app_passwords": "Вашият акаунт има %d пароли за приложения, които няма да бъдат променени. За управление на тях, отидете в раздела \"Пароли за приложения\".",
+    "clear_recent_successful_connections": "Изчистване на видимите успешни връзки",
+    "client_configuration": "Показване на ръководства за настройка на пощенски клиенти и смартфони",
+    "create_app_passwd": "Създаване на парола за приложение",
+    "create_syncjob": "Създаване на нова синхронизираща задача",
+    "created_on": "Създаден на",
+    "daily": "Ежедневно",
+    "day": "ден",
+    "delete_ays": "Моля, потвърдете процеса на изтриване.",
+    "description": "Описание",
+    "direct_aliases": "Директни адреси на псевдоними",
+    "direct_aliases_desc": "Директните адреси на псевдоними се засягат от настройките за филтър за спам и политика за TLS.",
+    "direct_protocol_access": "Този потребител на пощенска кутия има <b>директен, външен достъп</b> до следните протоколи и приложения. Тази настройка се контролира от вашия администратор. Паролите за приложения могат да бъдат създадени, за да се предостави достъп до отделни протоколи и приложения.<br>Бутонът \"Уеб поща\" предоставя еднократно удостоверяване към SOGo и винаги е достъпен.",
+    "eas_reset": "Нулиране на кеша на устройствата с ActiveSync",
+    "eas_reset_help": "В много случаи нулирането на кеша на устройството ще помогне за възстановяването на повреден профил на ActiveSync.<br><b>Внимание:</b> Всички елементи ще бъдат презаредени!",
+    "eas_reset_now": "Нулиране сега",
+    "edit": "Редактиране",
+    "email": "Имейл",
+    "email_and_dav": "Имейл, календари и контакти",
+    "empty": "Няма резултати",
+    "encryption": "Криптиране",
+    "excludes": "Изключване",
+    "expire_in": "Изтича след",
+    "fido2_webauthn": "FIDO2/WebAuthn",
+    "force_pw_update": "Трябва да зададете нова парола, за да имате достъп до груповите услуги.",
+    "from": "от",
+    "generate": "генериране",
+    "hour": "час",
+    "hourly": "Часово",
+    "hours": "часа",
+    "in_use": "В употреба",
+    "interval": "Интервал",
+    "is_catch_all": "Catch-all за домейн/и",
+    "last_mail_login": "Последен вход в пощата",
+    "last_pw_change": "Последна промяна на парола",
+    "last_run": "Последно изпълнение",
+    "last_ui_login": "Последен вход в UI",
+    "loading": "Зареждане...",
+    "login_history": "История на входовете",
+    "mailbox": "Пощенска кутия",
+    "mailbox_details": "Детайли",
+    "mailbox_general": "Общи",
+    "mailbox_settings": "Настройки",
+    "messages": "съобщения",
+    "month": "месец",
+    "months": "месеца",
+    "never": "Никога",
+    "new_password": "Нова парола",
+    "new_password_repeat": "Потвърждаване на новата парола",
+    "no_active_filter": "Няма активен филтър",
+    "no_last_login": "Няма информация за последен вход в UI",
+    "no_record": "Няма запис",
+    "open_logs": "Отваряне на логове",
+    "open_webmail_sso": "Уеб поща",
+    "overview": "Преглед",
+    "password": "Парола",
+    "password_now": "Текуща парола (потвърждаване на промените)",
+    "password_repeat": "Парола (повторете)",
+    "password_reset_info": "Ако не е зададен имейл за възстановяване на парола, тази функция не може да бъде използвана.",
+    "protocols": "Протоколи",
+    "pushover_evaluate_x_prio": "Ескалиране на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+    "pushover_info": "Настройките за известия на Pushover ще се прилагат за всички чисти (не-спам) съобщения, доставени до <b>%s</b>, включително псевдоними (споделени, несподелени, таговани).",
+    "pushover_only_x_prio": "Разглеждане само на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+    "pushover_sender_array": "Разглеждане на следните адреси на изпращач <small>(разделени с запетая)</small>",
+    "pushover_sender_regex": "Съвпадение на изпращач с следния regex",
+    "pushover_sound": "Звук",
+    "pushover_text": "Текст на известието",
+    "pushover_title": "Заглавие на известието",
+    "pushover_vars": "Когато не е зададен филтър на изпращач, всички съобщения ще бъдат разглеждани.<br>Филтрите с регулярен израз, както и точните проверки на изпращач, могат да бъдат дефинирани индивидуално и ще бъдат разглеждани последователно. Те не зависят един от друг.<br>Използвайте следните променливи за текст и заглавие (моля, вземете предвид политиките за поверителност на данните)",
+    "pushover_verify": "Проверка на удостоверения",
+    "pw_recovery_email": "Имейл за възстановяване на парола",
+    "q_add_header": "Папка за нежелана поща",
+    "q_all": "Всички категории",
+    "q_reject": "Отхвърлени",
+    "quarantine_category": "Категория на уведомленията за карантина",
+    "quarantine_category_info": "Категорията \"Отхвърлени\" включва съобщения, които са били отхвърлени, докато категорията \"Папка за нежелана поща\" ще уведоми потребителя за съобщения, които са били поставени в папката за нежелана поща.",
+    "quarantine_notification": "Уведомления за карантина",
+    "quarantine_notification_info": "След като уведомлението е изпратено, елементите ще бъдат маркирани като \"уведомени\" и няма да бъдат изпращани допълнителни уведомления за този конкретен елемент.",
+    "recent_successful_connections": "Видими успешни връзки",
+    "remove": "Премахване",
+    "running": "Изпълнява се",
+    "save": "Запазване на промените",
+    "save_changes": "Запазване на промените",
+    "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Проверката на изпращач е деактивирана</span>",
+    "shared_aliases": "Споделени адреси на псевдоними",
+    "shared_aliases_desc": "Споделените псевдоними не се засягат от настройките за филтър за спам и политика за TLS на потребителя. Съответните настройки за спам филтър могат да бъдат направени само от администратор като настройка за домейн.",
+    "show_sieve_filters": "Показване на активния потребителски филтър на sieve",
+    "sogo_profile_reset": "Нулиране на профила на SOGo",
+    "sogo_profile_reset_help": "Това ще унищожи профила на SOGo и <b>ще изтрие всички данни за контакти и календар безвъзвратно</b>.",
+    "sogo_profile_reset_now": "Нулиране сега",
+    "spam_aliases": "Временни адреси на псевдоними",
+    "spam_score_reset": "Нулиране до настройките на сървъра по подразбиране",
+    "spamfilter": "Филтър за спам",
+    "spamfilter_behavior": "Рейтинг",
+    "spamfilter_bl": "Черен списък",
+    "spamfilter_bl_desc": "Адресите в черния списък <b>винаги</b> ще бъдат класифицирани като спам и отхвърлени. Отхвърлените съобщения <b>не</b> ще бъдат копирани в карантина. Поддържат се уайлдкардове.<br>Отхвърлените съобщения няма да бъдат доставени до папката за нежелана поща.",
+    "spamfilter_default_score": "Стойности по подразбиране",
+    "spamfilter_green": "Зелено: това съобщение не е спам",
+    "spamfilter_hint": "Първата стойност описва \"нисък резултат за спам\", втората представлява \"висок резултат за спам\".",
+    "spamfilter_red": "Червено: това съобщение е спам и ще бъде отхвърлено от сървъра",
+    "spamfilter_table_action": "Действие",
+    "spamfilter_table_add": "Добавяне на елемент",
+    "spamfilter_table_domain_policy": "политика на домейна",
+    "spamfilter_table_empty": "Няма данни за показване",
+    "spamfilter_table_remove": "премахване",
+    "spamfilter_table_rule": "Правило",
+    "spamfilter_wl": "Бял списък",
+    "spamfilter_wl_desc": "Адресите в белия списък <b>никога</b> ще бъдат класифицирани като спам. Поддържат се уайлдкардове.<br>Съобщенията, които не са класифицирани като спам, ще бъдат доставени в папката за нежелана поща, ако резултатът за спам е над стойността за висок резултат за спам.",
+    "spamfilter_yellow": "Жълто: това съобщение може да е спам, ще бъде маркирано като спам и преместено в папката за нежелана поща",
+    "status": "Статус",
+    "sync_jobs": "Синхронизиращи задачи",
+    "syncjob_EXIT_AUTHENTICATION_FAILURE": "Проблем с удостоверяването",
+    "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Грешно потребителско име или парола",
+    "syncjob_EXIT_CONNECTION_FAILURE": "Проблем с връзката",
+    "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Не може да се свърже с отдалечен сървър",
+    "syncjob_EXIT_OVERQUOTA": "Целевата пощенска кутия е над квотата",
+    "syncjob_EXIT_TLS_FAILURE": "Проблем с криптираната връзка",
+    "syncjob_EX_OK": "Успех",
+    "syncjob_check_log": "Проверка на лога",
+    "syncjob_last_run_result": "Резултат от последното изпълнение",
+    "tag_handling": "Настройка за тагове",
+    "tag_help_example": "Пример за тагован имейл адрес: me<b>+Facebook</b>@example.org",
+    "tag_help_explain": "В подпапка: ще бъде създадена нова подпапка под INBOX (\"INBOX/Facebook\").<br>\r\nВ тема: първото име на тага ще бъде добавено към темата на съобщението, например: \"[Facebook] Моите новини\".",
+    "tag_in_none": "Не прави нищо",
+    "tag_in_subfolder": "В подпапка",
+    "tag_in_subject": "В тема",
+    "text": "Текст",
+    "tfa_info": "Двуфакторното удостоверяване помага за защита на вашия акаунт. Ако го активирате, ще ви трябват пароли за приложения, за да влезете в приложения или услуги, които не поддържат двуфакторно удостоверяване (напр. пощенски клиенти).",
+    "title": "Заглавие",
+    "tls_enforce_in": "Принудително използване на TLS за входящи",
+    "tls_enforce_out": "Принудително използване на TLS за изходящи",
+    "tls_policy": "Политика за криптиране",
+    "tls_policy_warning": "<strong>Внимание:</strong> Ако решите да принудите преноса на криптирани съобщения, може да загубите съобщения.<br>Съобщенията, които не удовлетворяват политиката, ще бъдат върнати с твърдо отхвърляне от системата за поща.<br>Тази опция засяга вашия основен адрес на пощенска кутия (логин име), всички адреси, произтичащи от домейни на псевдоними, както и адреси на псевдоними, <b>с единствена целева пощенска кутия</b>.",
+    "user_settings": "Настройки на потребителя",
+    "username": "Потребителско име",
+    "value": "Стойност",
+    "verify": "Проверка",
+    "waiting": "Изчакване",
+    "week": "седмица",
+    "weekly": "Weekly",
+    "weeks": "седмици",
+    "with_app_password": "с парола за приложение",
+    "year": "година",
+    "years": "години"
+  },
+  "warning": {
+    "cannot_delete_self": "Не може да изтриете влезлия потребител",
+    "domain_added_sogo_failed": "Добавен домейн, но неуспешно рестартиране на SOGo, моля, проверете системните логове.",
+    "dovecot_restart_failed": "Dovecot не успя да рестартира, моля, проверете логовете",
+    "fuzzy_learn_error": "Грешка при обучение на размит хеш: %s",
+    "hash_not_found": "Хешът не е намерен или вече е изтрит",
+    "ip_invalid": "Пропуснат невалиден IP: %s",
+    "is_not_primary_alias": "Пропуснат неосновен псевдоним %s",
+    "no_active_admin": "Не може да деактивирате последния активен администратор",
+    "quota_exceeded_scope": "Квотата на домейна е надвишена: Само неограничени пощенски кутии могат да бъдат създадени в този домейн.",
+    "session_token": "Невалиден формулярен токен: Несъответствие на токена.",
+    "session_ua": "Невалиден формулярен токен: Грешка при проверка на User-Agent."
+  }
+}
\ No newline at end of file

From 95eb350f15a3ceade4854a8c143a4624d0fbd48d Mon Sep 17 00:00:00 2001
From: Denis Evers <denis-ev@users.noreply.github.com>
Date: Wed, 16 Jul 2025 16:08:55 +0800
Subject: [PATCH 277/378] [netfilter] fix negative timer, no unbanning of IPs
 (#6575)

* [netfilter] added debug logs and updated autopurge

* updated "Allow/Blacklist" terms

* netfilter: bumped compose version

* netfilter: changed black/whitelist terms in code

---------

Co-authored-by: Denis Evers <git@evers.sh>
Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 data/Dockerfiles/netfilter/main.py           | 163 ++++++++++++-------
 data/web/inc/vars.inc.php                    |  12 +-
 data/web/lang/lang.de-de.json                |  23 +--
 data/web/lang/lang.en-gb.json                |  27 +--
 data/web/templates/admin/tab-config-f2b.twig |   4 +-
 docker-compose.yml                           |   2 +-
 6 files changed, 137 insertions(+), 94 deletions(-)

diff --git a/data/Dockerfiles/netfilter/main.py b/data/Dockerfiles/netfilter/main.py
index 2b332d205..2232d0d1d 100644
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 
+DEBUG = False
+
 import re
 import os
 import sys
@@ -20,10 +22,13 @@ from modules.Logger import Logger
 from modules.IPTables import IPTables
 from modules.NFTables import NFTables
 
+def logdebug(msg):
+  if DEBUG:
+    logger.logInfo("DEBUG: %s" % msg)
 
-# globals
+# Globals
 WHITELIST = []
-BLACKLIST= []
+BLACKLIST = []
 bans = {}
 quit_now = False
 exit_code = 0
@@ -33,12 +38,10 @@ r = None
 pubsub = None
 clear_before_quit = False
 
-
 def refreshF2boptions():
   global f2boptions
   global quit_now
   global exit_code
-
   f2boptions = {}
 
   if not r.get('F2B_OPTIONS'):
@@ -52,8 +55,9 @@ def refreshF2boptions():
   else:
     try:
       f2boptions = json.loads(r.get('F2B_OPTIONS'))
-    except ValueError:
-      logger.logCrit('Error loading F2B options: F2B_OPTIONS is not json')
+    except ValueError as e:
+      logger.logCrit(
+        'Error loading F2B options: F2B_OPTIONS is not json. Exception: %s' % e)
       quit_now = True
       exit_code = 2
 
@@ -61,15 +65,15 @@ def refreshF2boptions():
   r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
 
 def verifyF2boptions(f2boptions):
-  verifyF2boption(f2boptions,'ban_time', 1800)
-  verifyF2boption(f2boptions,'max_ban_time', 10000)
-  verifyF2boption(f2boptions,'ban_time_increment', True)
-  verifyF2boption(f2boptions,'max_attempts', 10)
-  verifyF2boption(f2boptions,'retry_window', 600)
-  verifyF2boption(f2boptions,'netban_ipv4', 32)
-  verifyF2boption(f2boptions,'netban_ipv6', 128)
-  verifyF2boption(f2boptions,'banlist_id', str(uuid.uuid4()))
-  verifyF2boption(f2boptions,'manage_external', 0)
+  verifyF2boption(f2boptions, 'ban_time', 1800)
+  verifyF2boption(f2boptions, 'max_ban_time', 10000)
+  verifyF2boption(f2boptions, 'ban_time_increment', True)
+  verifyF2boption(f2boptions, 'max_attempts', 10)
+  verifyF2boption(f2boptions, 'retry_window', 600)
+  verifyF2boption(f2boptions, 'netban_ipv4', 32)
+  verifyF2boption(f2boptions, 'netban_ipv6', 128)
+  verifyF2boption(f2boptions, 'banlist_id', str(uuid.uuid4()))
+  verifyF2boption(f2boptions, 'manage_external', 0)
 
 def verifyF2boption(f2boptions, f2boption, f2bdefault):
   f2boptions[f2boption] = f2boptions[f2boption] if f2boption in f2boptions and f2boptions[f2boption] is not None else f2bdefault
@@ -111,7 +115,7 @@ def get_ip(address):
 def ban(address):
   global f2boptions
   global lock
-
+  logdebug("ban() called with address=%s" % address)
   refreshF2boptions()
   MAX_ATTEMPTS = int(f2boptions['max_attempts'])
   RETRY_WINDOW = int(f2boptions['retry_window'])
@@ -119,31 +123,43 @@ def ban(address):
   NETBAN_IPV6 = '/' + str(f2boptions['netban_ipv6'])
 
   ip = get_ip(address)
-  if not ip: return
+  if not ip:
+    logdebug("No valid IP -- skipping ban()")
+    return
   address = str(ip)
   self_network = ipaddress.ip_network(address)
 
   with lock:
     temp_whitelist = set(WHITELIST)
-  if temp_whitelist:
-    for wl_key in temp_whitelist:
-      wl_net = ipaddress.ip_network(wl_key, False)
-      if wl_net.overlaps(self_network):
-        logger.logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
-        return
+    logdebug("Checking if %s overlaps with any WHITELIST entries" % self_network)
+    if temp_whitelist:
+      for wl_key in temp_whitelist:
+        wl_net = ipaddress.ip_network(wl_key, False)
+        logdebug("Checking overlap between %s and %s" % (self_network, wl_net))
+        if wl_net.overlaps(self_network):
+          logger.logInfo(
+            'Address %s is allowlisted by rule %s' % (self_network, wl_net))
+          return
 
-  net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
+  net = ipaddress.ip_network(
+    (address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
   net = str(net)
+  logdebug("Ban net: %s" % net)
 
   if not net in bans:
     bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}
+    logdebug("Initing new ban counter for %s" % net)
 
   current_attempt = time.time()
+  logdebug("Current attempt ts=%s, previous: %s, retry_window: %s" %
+           (current_attempt, bans[net]['last_attempt'], RETRY_WINDOW))
   if current_attempt - bans[net]['last_attempt'] > RETRY_WINDOW:
     bans[net]['attempts'] = 0
+    logdebug("Ban counter for %s reset as window expired" % net)
 
   bans[net]['attempts'] += 1
   bans[net]['last_attempt'] = current_attempt
+  logdebug("%s attempts now %d" % (net, bans[net]['attempts']))
 
   if bans[net]['attempts'] >= MAX_ATTEMPTS:
     cur_time = int(round(time.time()))
@@ -151,34 +167,41 @@ def ban(address):
     logger.logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))
     if type(ip) is ipaddress.IPv4Address and int(f2boptions['manage_external']) != 1:
       with lock:
+        logdebug("Calling tables.banIPv4(%s)" % net)
         tables.banIPv4(net)
     elif int(f2boptions['manage_external']) != 1:
       with lock:
+        logdebug("Calling tables.banIPv6(%s)" % net)
         tables.banIPv6(net)
 
+    logdebug("Updating F2B_ACTIVE_BANS[%s]=%d" %
+              (net, cur_time + NET_BAN_TIME))
     r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
   else:
-    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
+    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (
+      MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
 
 def unban(net):
   global lock
-
+  logdebug("Calling unban() with net=%s" % net)
   if not net in bans:
-   logger.logInfo('%s is not banned, skipping unban and deleting from queue (if any)' % net)
-   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
-   return
-
+    logger.logInfo(
+      '%s is not banned, skipping unban and deleting from queue (if any)' % net)
+    r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+    return
   logger.logInfo('Unbanning %s' % net)
   if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
     with lock:
+      logdebug("Calling tables.unbanIPv4(%s)" % net)
       tables.unbanIPv4(net)
   else:
     with lock:
+      logdebug("Calling tables.unbanIPv6(%s)" % net)
       tables.unbanIPv6(net)
-
   r.hdel('F2B_ACTIVE_BANS', '%s' % net)
   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
   if net in bans:
+    logdebug("Unban for %s, setting attempts=0, ban_counter+=1" % net)
     bans[net]['attempts'] = 0
     bans[net]['ban_counter'] += 1
 
@@ -204,17 +227,19 @@ def permBan(net, unban=False):
 
   if is_unbanned:
     r.hdel('F2B_PERM_BANS', '%s' % net)
-    logger.logCrit('Removed host/network %s from blacklist' % net)
+    logger.logCrit('Removed host/network %s from denylist' % net)
   elif is_banned:
     r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
-    logger.logCrit('Added host/network %s to blacklist' % net)
+    logger.logCrit('Added host/network %s to denylist' % net)
 
 def clear():
   global lock
   logger.logInfo('Clearing all bans')
   for net in bans.copy():
+    logdebug("Unbanning net: %s" % net)
     unban(net)
   with lock:
+    logdebug("Clearing IPv4/IPv6 table")
     tables.clearIPv4Table()
     tables.clearIPv6Table()
     try:
@@ -275,21 +300,35 @@ def snat6(snat_target):
 
 def autopurge():
   global f2boptions
-
+  logdebug("autopurge thread started")
   while not quit_now:
+    logdebug("autopurge tick")
     time.sleep(10)
     refreshF2boptions()
     MAX_ATTEMPTS = int(f2boptions['max_attempts'])
     QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
+    logdebug("QUEUE_UNBAN: %s" % QUEUE_UNBAN)
     if QUEUE_UNBAN:
       for net in QUEUE_UNBAN:
+        logdebug("Autopurge: unbanning queued net: %s" % net)
         unban(str(net))
-    for net in bans.copy():
-      if bans[net]['attempts'] >= MAX_ATTEMPTS:
-        NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
-        TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']
-        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME:
-          unban(net)
+    # Only check expiry for actively banned IPs:
+    active_bans = r.hgetall('F2B_ACTIVE_BANS')
+    now = time.time()
+    for net_str, expire_str in active_bans.items():
+      logdebug("Checking ban expiry for (actively banned): %s" % net_str)
+      # Defensive: always process if timer missing or expired
+      try:
+        expire = float(expire_str)
+      except Exception:
+        logdebug("Invalid expire time for %s; unbanning" % net_str)
+        unban(net_str)
+        continue
+      time_left = expire - now
+      logdebug("Time left for %s: %.1f seconds" % (net_str, time_left))
+      if time_left <= 0:
+        logdebug("Ban expired for %s" % net_str)
+        unban(net_str)
 
 def mailcowChainOrder():
   global lock
@@ -359,7 +398,7 @@ def whitelistUpdate():
     with lock:
       if Counter(new_whitelist) != Counter(WHITELIST):
         WHITELIST = new_whitelist
-        logger.logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
+        logger.logInfo('Allowlist was changed, it has %s entries' % len(WHITELIST))
     time.sleep(60.0 - ((time.time() - start_time) % 60.0))
 
 def blacklistUpdate():
@@ -375,7 +414,7 @@ def blacklistUpdate():
       addban = set(new_blacklist).difference(BLACKLIST)
       delban = set(BLACKLIST).difference(new_blacklist)
       BLACKLIST = new_blacklist
-      logger.logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
+      logger.logInfo('Denylist was changed, it has %s entries' % len(BLACKLIST))
       if addban:
         for net in addban:
           permBan(net=net)
@@ -386,25 +425,25 @@ def blacklistUpdate():
 
 def sigterm_quit(signum, frame):
   global clear_before_quit
+  logdebug("SIGTERM received, setting clear_before_quit to True and exiting")
   clear_before_quit = True
   sys.exit(exit_code)
 
-def berfore_quit():
+def before_quit():
+  logdebug("before_quit called, clear_before_quit=%s" % clear_before_quit)
   if clear_before_quit:
     clear()
   if pubsub is not None:
     pubsub.unsubscribe()
 
-
 if __name__ == '__main__':
-  atexit.register(berfore_quit)
+  logger = Logger()
+  logdebug("Sys.argv: %s" % sys.argv)
+  atexit.register(before_quit)
   signal.signal(signal.SIGTERM, sigterm_quit)
 
-  # init Logger
-  logger = Logger()
-
-  # init backend
   backend = sys.argv[1]
+  logdebug("Backend: %s" % backend)
   if backend == "nftables":
     logger.logInfo('Using NFTables backend')
     tables = NFTables(chain_name, logger)
@@ -412,16 +451,12 @@ if __name__ == '__main__':
     logger.logInfo('Using IPTables backend')
     tables = IPTables(chain_name, logger)
 
-  # In case a previous session was killed without cleanup
   clear()
-
-  # Reinit MAILCOW chain
-  # Is called before threads start, no locking
   logger.logInfo("Initializing mailcow netfilter chain")
   tables.initChainIPv4()
   tables.initChainIPv6()
 
-  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE").lower() in ("y", "yes"):
+  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE", "").lower() in ("y", "yes"):
     logger.logInfo(f"Skipping {chain_name} isolation")
   else:
     logger.logInfo(f"Setting {chain_name} isolation")
@@ -432,23 +467,28 @@ if __name__ == '__main__':
     try:
       redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
       redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
+      logdebug(
+        "Connecting redis (SLAVEOF_IP:%s, PORT:%s)" % (redis_slaveof_ip, redis_slaveof_port))
       if "".__eq__(redis_slaveof_ip):
-        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+        r = redis.StrictRedis(
+          host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
       else:
-        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
+        r = redis.StrictRedis(
+          host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
       r.ping()
       pubsub = r.pubsub()
     except Exception as ex:
-      print('%s - trying again in 3 seconds'  % (ex))
+      logdebug(
+        'Redis connection failed: %s - trying again in 3 seconds' % (ex))
       time.sleep(3)
     else:
       break
   logger.set_redis(r)
+  logdebug("Redis connection established, setting up F2B keys")
 
-  # rename fail2ban to netfilter
   if r.exists('F2B_LOG'):
+    logdebug("Renaming F2B_LOG to NETFILTER_LOG")
     r.rename('F2B_LOG', 'NETFILTER_LOG')
-  # clear bans in redis
   r.delete('F2B_ACTIVE_BANS')
   r.delete('F2B_PERM_BANS')
 
@@ -463,7 +503,7 @@ if __name__ == '__main__':
       snat_ip = os.getenv('SNAT_TO_SOURCE')
       snat_ipo = ipaddress.ip_address(snat_ip)
       if type(snat_ipo) is ipaddress.IPv4Address:
-        snat4_thread = Thread(target=snat4,args=(snat_ip,))
+        snat4_thread = Thread(target=snat4, args=(snat_ip,))
         snat4_thread.daemon = True
         snat4_thread.start()
     except ValueError:
@@ -499,4 +539,5 @@ if __name__ == '__main__':
   while not quit_now:
     time.sleep(0.5)
 
-  sys.exit(exit_code)
+  logdebug("Exiting with code %s" % exit_code)
+  sys.exit(exit_code)
\ No newline at end of file
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 802a41f95..671e20334 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -238,12 +238,12 @@ $FIDO2_FORMATS = array('apple', 'android-key', 'android-safetynet', 'fido-u2f',
 // Set visible Rspamd maps in mailcow UI, do not change unless you know what you are doing
 $RSPAMD_MAPS = array(
   'regex' => array(
-    'Header-From: Blacklist' => 'global_mime_from_blacklist.map',
-    'Header-From: Whitelist' => 'global_mime_from_whitelist.map',
-    'Envelope Sender Blacklist' => 'global_smtp_from_blacklist.map',
-    'Envelope Sender Whitelist' => 'global_smtp_from_whitelist.map',
-    'Recipient Blacklist' => 'global_rcpt_blacklist.map',
-    'Recipient Whitelist' => 'global_rcpt_whitelist.map',
+    'Header-From: Denylist' => 'global_mime_from_blacklist.map',
+    'Header-From: Allowlist' => 'global_mime_from_whitelist.map',
+    'Envelope Sender Denylist' => 'global_smtp_from_blacklist.map',
+    'Envelope Sender Allowlist' => 'global_smtp_from_whitelist.map',
+    'Recipient Denylist' => 'global_rcpt_blacklist.map',
+    'Recipient Allowlist' => 'global_rcpt_whitelist.map',
     'Fishy TLDS (only fired in combination with bad words)' => 'fishy_tlds.map',
     'Bad Words (only fired in combination with fishy TLDs)' => 'bad_words.map',
     'Bad Words DE (only fired in combination with fishy TLDs)' => 'bad_words_de.map',
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 6e1b4d4c2..df41b8946 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -25,7 +25,7 @@
         "sogo_access": "Verwalten des SOGo-Zugriffsrechts erlauben",
         "sogo_profile_reset": "SOGo-Profil zurücksetzen",
         "spam_alias": "Temporäre E-Mail-Aliasse",
-        "spam_policy": "Blacklist/Whitelist",
+        "spam_policy": "Deny/Allowlist",
         "spam_score": "Spam-Bewertung",
         "syncjobs": "Sync Jobs",
         "tls_policy": "Verschlüsselungsrichtlinie",
@@ -147,7 +147,7 @@
         "arrival_time": "Ankunftszeit (Serverzeit)",
         "authed_user": "Auth. Benutzer",
         "ays": "Soll der Vorgang wirklich ausgeführt werden?",
-        "ban_list_info": "Übersicht ausgesperrter Netzwerke: <b>Netzwerk (verbleibende Bannzeit) - [Aktionen]</b>.<br />IPs, die zum Entsperren eingereiht werden, verlassen die Liste aktiver Banns nach wenigen Sekunden.<br />Rote Labels sind Indikatoren für aktive Blacklist-Einträge.",
+        "ban_list_info": "Übersicht ausgesperrter Netzwerke: <b>Netzwerk (verbleibende Bannzeit) - [Aktionen]</b>.<br />IPs, die zum Entsperren eingereiht werden, verlassen die Liste aktiver Banns nach wenigen Sekunden.<br />Rote Labels sind Indikatoren für aktive Allowlist-Einträge.",
         "change_logo": "Logo ändern",
         "configuration": "Konfiguration",
         "convert_html_to_text": "Konvertiere HTML zu reinem Text",
@@ -184,9 +184,9 @@
         "excludes": "Diese Empfänger ausschließen",
         "f2b_ban_time": "Bannzeit in Sekunden",
         "f2b_ban_time_increment": "Bannzeit erhöht sich mit jedem Bann",
-        "f2b_blacklist": "Blacklist für Netzwerke und Hosts",
+        "f2b_blacklist": "Denyliste für Netzwerke und Hosts",
         "f2b_filter": "Regex-Filter",
-        "f2b_list_info": "Ein Host oder Netzwerk auf der Blacklist wird immer eine Whitelist-Einheit überwiegen. <b>Die Aktualisierung der Liste dauert einige Sekunden.</b>",
+        "f2b_list_info": "Ein Host oder Netzwerk auf der Denyliste wird immer eine Allowlist-Einheit überwiegen. <b>Die Aktualisierung der Liste dauert einige Sekunden.</b>",
         "f2b_manage_external": "Fail2Ban extern verwalten",
         "f2b_manage_external_info": "Fail2ban wird die Banlist weiterhin pflegen, jedoch werden keine aktiven Regeln zum blockieren gesetzt. Die unten generierte Banlist, kann verwendet werden, um den Datenverkehr extern zu blockieren.",
         "f2b_max_attempts": "Max. Versuche",
@@ -196,7 +196,7 @@
         "f2b_parameters": "Fail2ban-Parameter",
         "f2b_regex_info": "Berücksichtigte Logs: SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Wiederholungen im Zeitraum von (s)",
-        "f2b_whitelist": "Whitelist für Netzwerke und Hosts",
+        "f2b_whitelist": "Allowliste für Netzwerke und Hosts",
         "filter_table": "Tabelle filtern",
         "force_sso_text": "Wenn ein externer OIDC-Provider konfiguriert ist, blendet diese Option die mailcow Loginform aus und zeigt nur den Single Sign-On-Button an.",
         "force_sso": "mailcow Login deaktivieren und nur Single Sign-On anzeigen",
@@ -272,6 +272,7 @@
         "message": "Nachricht",
         "message_size": "Nachrichtengröße",
         "nexthop": "Next Hop",
+        "needs_restart": "benötigt Neustart",
         "no": "&#10005;",
         "no_active_bans": "Keine aktiven Banns",
         "no_new_rows": "Keine weiteren Zeilen vorhanden",
@@ -354,8 +355,8 @@
         "rspamd_com_settings": "Ein Name wird automatisch generiert. Beispielinhalte zur Einsicht stehen nachstehend bereit. Siehe auch <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd docs</a>",
         "rspamd_global_filters": "Globale Filter-Maps",
         "rspamd_global_filters_agree": "Ich werde vorsichtig sein!",
-        "rspamd_global_filters_info": "Globale Filter-Maps steuern globales White- und Blacklisting dieses Servers.",
-        "rspamd_global_filters_regex": "Die akzeptierte Form für Einträge sind <b>ausschließlich</b> Regular Expressions.\r\n  Trotz rudimentärer Überprüfung der Map, kann es zu fehlerhaften Einträgen kommen, die Rspamd im schlechtesten Fall mit unvorhersehbarer Funktionalität bestraft.<br>\r\n  Das korrekte Format lautet \"/pattern/options\" (Beispiel: <code>/.+@domain\\.tld/i</code>).<br>\r\n  Der Name der Map beschreibt die jeweilige Funktion.<br>\r\n  Rspamd versucht die Maps umgehend aufzulösen. Bei Problemen sollte <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">Rspamd manuell neugestartet werden</a>.<br>Elemente auf Blacklists sind von der Quarantäne ausgeschlossen.",
+        "rspamd_global_filters_info": "Globale Filter-Maps steuern globales Allow- und Denylisting dieses Servers.",
+        "rspamd_global_filters_regex": "Die akzeptierte Form für Einträge sind <b>ausschließlich</b> Regular Expressions.\r\n  Trotz rudimentärer Überprüfung der Map, kann es zu fehlerhaften Einträgen kommen, die Rspamd im schlechtesten Fall mit unvorhersehbarer Funktionalität bestraft.<br>\r\n  Das korrekte Format lautet \"/pattern/options\" (Beispiel: <code>/.+@domain\\.tld/i</code>).<br>\r\n  Der Name der Map beschreibt die jeweilige Funktion.<br>\r\n  Rspamd versucht die Maps umgehend aufzulösen. Bei Problemen sollte <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">Rspamd manuell neugestartet werden</a>.<br>Elemente auf Denylisten sind von der Quarantäne ausgeschlossen.",
         "rspamd_settings_map": "Rspamd-Settings-Map",
         "sal_level": "Moo-Level",
         "save": "Änderungen speichern",
@@ -747,7 +748,7 @@
         "sogo_visible_info": "Diese Option hat lediglich Einfluss auf Objekte, die in SOGo darstellbar sind (geteilte oder nicht-geteilte Alias-Adressen mit dem Ziel mindestens einer lokalen Mailbox).",
         "spam_alias": "Anpassen temporärer Alias-Adressen",
         "spam_filter": "Spamfilter",
-        "spam_policy": "Hinzufügen und Entfernen von Einträgen in White- und Blacklists",
+        "spam_policy": "Hinzufügen und Entfernen von Einträgen in Allow- und Denylisten",
         "spam_score": "Einen benutzerdefiniterten Spam-Score festlegen",
         "subfolder2": "Ziel-Ordner<br><small>(leer = kein Unterordner)</small>",
         "syncjob": "Sync-Job bearbeiten",
@@ -1037,7 +1038,7 @@
         "notified": "Benachrichtigt",
         "qhandler_success": "Aktion wurde an das System übergeben. Sie dürfen dieses Fenster nun schließen.",
         "qid": "Rspamd QID",
-        "qinfo": "Das Quarantänesystem speichert abgelehnte Nachrichten in der Datenbank (dem Sender wird <em>nicht</em> signalisiert, dass seine E-Mail zugestellt wurde) als auch diese, die als Kopie in den Junk-Ordner der jeweiligen Mailbox zugestellt wurden.\r\n  <br>\"Als Spam lernen und löschen\" lernt Nachrichten nach bayesscher Statistik als Spam und erstellt Fuzzy Hashes ausgehend von der jeweiligen Nachricht, um ähnliche Inhalte zukünftig zu unterbinden.\r\n  <br>Der Prozess des Lernens kann abhängig vom System zeitintensiv sein.<br>Auf Blacklists vorkommende Elemente sind von der Quarantäne ausgeschlossen.",
+        "qinfo": "Das Quarantänesystem speichert abgelehnte Nachrichten in der Datenbank (dem Sender wird <em>nicht</em> signalisiert, dass seine E-Mail zugestellt wurde) als auch diese, die als Kopie in den Junk-Ordner der jeweiligen Mailbox zugestellt wurden.\r\n  <br>\"Als Spam lernen und löschen\" lernt Nachrichten nach bayesscher Statistik als Spam und erstellt Fuzzy Hashes ausgehend von der jeweiligen Nachricht, um ähnliche Inhalte zukünftig zu unterbinden.\r\n  <br>Der Prozess des Lernens kann abhängig vom System zeitintensiv sein.<br>Auf Denylisten vorkommende Elemente sind von der Quarantäne ausgeschlossen.",
         "qitem": "Quarantäneeintrag",
         "quarantine": "Quarantäne",
         "quick_actions": "Aktionen",
@@ -1326,7 +1327,7 @@
         "spam_score_reset": "Auf Server-Standard zurücksetzen",
         "spamfilter": "Spamfilter",
         "spamfilter_behavior": "Bewertung",
-        "spamfilter_bl": "Blacklist",
+        "spamfilter_bl": "Denyliste",
         "spamfilter_bl_desc": "Für E-Mail-Adressen, die vom Spamfilter <b>immer</b> als Spam erfasst und abgelehnt werden. Die Quarantäne-Funktion ist für diese Nachrichten deaktiviert. Die Verwendung von Wildcards ist gestattet. Ein Filter funktioniert lediglich für direkte nicht-\"Catch All\" Alias-Adressen (Alias-Adressen mit lediglich einer Mailbox als Ziel-Adresse) sowie die Mailbox-Adresse selbst.",
         "spamfilter_default_score": "Standardwert",
         "spamfilter_green": "Grün: Die Nachricht ist kein Spam",
@@ -1338,7 +1339,7 @@
         "spamfilter_table_empty": "Keine Einträge vorhanden",
         "spamfilter_table_remove": "Entfernen",
         "spamfilter_table_rule": "Regel",
-        "spamfilter_wl": "Whitelist",
+        "spamfilter_wl": "Allowliste",
         "spamfilter_wl_desc": "Für E-Mail-Adressen, die vom Spamfilter <b>nicht</b> erfasst werden sollen. Die Verwendung von Wildcards ist gestattet. Ein Filter funktioniert lediglich für direkte nicht-\"Catch All\" Alias-Adressen (Alias-Adressen mit lediglich einer Mailbox als Ziel-Adresse) sowie die Mailbox-Adresse selbst.",
         "spamfilter_yellow": "Gelb: Die Nachricht ist vielleicht Spam, wird als Spam markiert und in den Junk-Ordner verschoben",
         "status": "Status",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 21d26d8c8..727fd687c 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -25,7 +25,7 @@
         "sogo_access": "Allow management of SOGo access",
         "sogo_profile_reset": "Reset SOGo profile",
         "spam_alias": "Temporary aliases",
-        "spam_policy": "Blacklist/Whitelist",
+        "spam_policy": "Denylist/Allowlist",
         "spam_score": "Spam score",
         "syncjobs": "Sync jobs",
         "tls_policy": "TLS policy",
@@ -151,7 +151,7 @@
         "arrival_time": "Arrival time (server time)",
         "authed_user": "Auth. user",
         "ays": "Are you sure you want to proceed?",
-        "ban_list_info": "See a list of banned IPs below: <b>network (remaining ban time) - [actions]</b>.<br />IPs queued to be unbanned will be removed from the active ban list within a few seconds.<br />Red labels indicate active permanent bans by blacklisting.",
+        "ban_list_info": "See a list of banned IPs below: <b>network (remaining ban time) - [actions]</b>.<br />IPs queued to be unbanned will be removed from the active ban list within a few seconds.<br />Red labels indicate active permanent bans by denylisting.",
         "change_logo": "Change logo",
         "logo_normal_label": "Normal",
         "logo_dark_label": "Inverted for dark mode",
@@ -190,9 +190,9 @@
         "excludes": "Excludes these recipients",
         "f2b_ban_time": "Ban time (s)",
         "f2b_ban_time_increment": "Ban time is incremented with each ban",
-        "f2b_blacklist": "Blacklisted networks/hosts",
+        "f2b_blacklist": "Denylisted networks/hosts",
         "f2b_filter": "Regex filters",
-        "f2b_list_info": "A blacklisted host or network will always outweigh a whitelist entity. <b>List updates will take a few seconds to be applied.</b>",
+        "f2b_list_info": "A denylisted host or network will always outweigh a allowlist entity. <b>List updates will take a few seconds to be applied.</b>",
         "f2b_manage_external": "Manage Fail2Ban externally",
         "f2b_manage_external_info": "Fail2ban will still maintain the banlist, but it will not actively set rules to block traffic. Use the generated banlist below to externally block the traffic.",
         "f2b_max_attempts": "Max. attempts",
@@ -202,7 +202,7 @@
         "f2b_parameters": "Fail2ban parameters",
         "f2b_regex_info": "Logs taken into consideration: SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Retry window (s) for max. attempts",
-        "f2b_whitelist": "Whitelisted networks/hosts",
+        "f2b_whitelist": "Allowlisted networks/hosts",
         "filter": "Filter",
         "filter_table": "Filter table",
         "force_sso_text": "If an external OIDC provider is configured, this option hides the default mailcow login forms and only shows the Single Sign-On button",
@@ -279,6 +279,7 @@
         "message": "Message",
         "message_size": "Message size",
         "nexthop": "Next hop",
+        "needs_restart": "needs restart",
         "no": "&#10005;",
         "no_active_bans": "No active bans",
         "no_new_rows": "No further rows available",
@@ -364,8 +365,8 @@
         "rspamd_com_settings": "A setting name will be auto-generated, please see the example presets below. For more details see <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd docs</a>",
         "rspamd_global_filters": "Global filter maps",
         "rspamd_global_filters_agree": "I will be careful!",
-        "rspamd_global_filters_info": "Global filter maps contain different kind of global black and whitelists.",
-        "rspamd_global_filters_regex": "Their names explain their purpose. All content must contain valid regular expression in the format of \"/pattern/options\" (e.g. <code>/.+@domain\\.tld/i</code>).<br>\r\n  Although rudimentary checks are being executed on each line of regex, Rspamds functionality can be broken, if it fails to read the syntax correctly.<br>\r\n  Rspamd will try to read the map content when changed. If you experience problems, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">restart Rspamd</a> to enforce a map reload.<br>Blacklisted elements are excluded from quarantine.",
+        "rspamd_global_filters_info": "Global filter maps contain different kind of global deny and allowlists.",
+        "rspamd_global_filters_regex": "Their names explain their purpose. All content must contain valid regular expression in the format of \"/pattern/options\" (e.g. <code>/.+@domain\\.tld/i</code>).<br>\r\n  Although rudimentary checks are being executed on each line of regex, Rspamds functionality can be broken, if it fails to read the syntax correctly.<br>\r\n  Rspamd will try to read the map content when changed. If you experience problems, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">restart Rspamd</a> to enforce a map reload.<br>Denylisted elements are excluded from quarantine.",
         "rspamd_settings_map": "Rspamd settings map",
         "sal_level": "Moo level",
         "save": "Save changes",
@@ -750,7 +751,7 @@
         "sogo_visible_info": "This option only affects objects, that can be displayed in SOGo (shared or non-shared alias addresses pointing to at least one local mailbox). If hidden, an alias will not appear as selectable sender in SOGo.",
         "spam_alias": "Create or change time limited alias addresses",
         "spam_filter": "Spam filter",
-        "spam_policy": "Add or remove items to white-/blacklist",
+        "spam_policy": "Add or remove items to allow-/denylist",
         "spam_score": "Set a custom spam score",
         "subfolder2": "Sync into subfolder on destination<br><small>(empty = do not use subfolder)</small>",
         "syncjob": "Edit sync job",
@@ -1039,7 +1040,7 @@
         "notified": "Notified",
         "qhandler_success": "Request successfully sent to the system. You can now close the window.",
         "qid": "Rspamd QID",
-        "qinfo": "The quarantine system will save rejected mail to the database (the sender will <em>not</em> be given the impression of a delivered mail) as well as mail, that is delivered as copy into the Junk folder of a mailbox.\r\n  <br>\"Learn as spam and delete\" will learn a message as spam via Bayesian theorem and also calculate fuzzy hashes to deny similar messages in the future.\r\n  <br>Please be aware that learning multiple messages can be - depending on your system - time consuming.<br>Blacklisted elements are excluded from the quarantine.",
+        "qinfo": "The quarantine system will save rejected mail to the database (the sender will <em>not</em> be given the impression of a delivered mail) as well as mail, that is delivered as copy into the Junk folder of a mailbox.\r\n  <br>\"Learn as spam and delete\" will learn a message as spam via Bayesian theorem and also calculate fuzzy hashes to deny similar messages in the future.\r\n  <br>Please be aware that learning multiple messages can be - depending on your system - time consuming.<br>Denylisted elements are excluded from the quarantine.",
         "qitem": "Quarantine item",
         "quarantine": "Quarantine",
         "quick_actions": "Actions",
@@ -1337,8 +1338,8 @@
         "spam_score_reset": "Reset to server default",
         "spamfilter": "Spam filter",
         "spamfilter_behavior": "Rating",
-        "spamfilter_bl": "Blacklist",
-        "spamfilter_bl_desc": "Blacklisted email addresses to <b>always</b> classify as spam and reject. Rejected mail will <b>not</b> be copied to quarantine. Wildcards may be used. A filter is only applied to direct aliases (aliases with a single target mailbox) excluding catch-all aliases and a mailbox itself.",
+        "spamfilter_bl": "Denylist",
+        "spamfilter_bl_desc": "Denylisted email addresses to <b>always</b> classify as spam and reject. Rejected mail will <b>not</b> be copied to quarantine. Wildcards may be used. A filter is only applied to direct aliases (aliases with a single target mailbox) excluding catch-all aliases and a mailbox itself.",
         "spamfilter_default_score": "Default values",
         "spamfilter_green": "Green: this message is not spam",
         "spamfilter_hint": "The first value describes the \"low spam score\", the second represents the \"high spam score\".",
@@ -1349,8 +1350,8 @@
         "spamfilter_table_empty": "No data to display",
         "spamfilter_table_remove": "remove",
         "spamfilter_table_rule": "Rule",
-        "spamfilter_wl": "Whitelist",
-        "spamfilter_wl_desc": "Whitelisted email addresses are programmed to <b>never</b> classify as spam. Wildcards may be used. A filter is only applied to direct aliases (aliases with a single target mailbox) excluding catch-all aliases and a mailbox itself.",
+        "spamfilter_wl": "Allowlist",
+        "spamfilter_wl_desc": "Allowlisted email addresses are programmed to <b>never</b> classify as spam. Wildcards may be used. A filter is only applied to direct aliases (aliases with a single target mailbox) excluding catch-all aliases and a mailbox itself.",
         "spamfilter_yellow": "Yellow: this message may be spam, will be tagged as spam and moved to your junk folder",
         "status": "Status",
         "sync_jobs": "Sync jobs",
diff --git a/data/web/templates/admin/tab-config-f2b.twig b/data/web/templates/admin/tab-config-f2b.twig
index d33c242a8..29535b723 100644
--- a/data/web/templates/admin/tab-config-f2b.twig
+++ b/data/web/templates/admin/tab-config-f2b.twig
@@ -118,8 +118,8 @@
           <span class="d-none d-sm-inline"> - </span>
             {% if active_ban.queued_for_unban == 0 %}
             <a data-action="edit_selected" data-item="{{ active_ban.network }}" data-id="f2b-quick" data-api-url='edit/fail2ban' data-api-attr='{"action":"unban"}' href="#">[{{ lang.admin.queue_unban }}]</a>
-            <a data-action="edit_selected" data-item="{{ active_ban.network }}" data-id="f2b-quick" data-api-url='edit/fail2ban' data-api-attr='{"action":"whitelist"}' href="#">[whitelist]</a>
-            <a data-action="edit_selected" data-item="{{ active_ban.network }}" data-id="f2b-quick" data-api-url='edit/fail2ban' data-api-attr='{"action":"blacklist"}' href="#">[blacklist (<b>needs restart</b>)]</a>
+            <a data-action="edit_selected" data-item="{{ active_ban.network }}" data-id="f2b-quick" data-api-url='edit/fail2ban' data-api-attr='{"action":"whitelist"}' href="#">[allowlist]</a>
+            <a data-action="edit_selected" data-item="{{ active_ban.network }}" data-id="f2b-quick" data-api-url='edit/fail2ban' data-api-attr='{"action":"blacklist"}' href="#">[denylist (<b>{{ lang.admin.needs_restart }}</b>)]</a>
             {% else %}
             <i>{{ lang.admin.unban_pending }}</i>
             {% endif %}
diff --git a/docker-compose.yml b/docker-compose.yml
index d95241462..f447dea4a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -477,7 +477,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: ghcr.io/mailcow/netfilter:1.61
+      image: ghcr.io/mailcow/netfilter:1.62
       stop_grace_period: 30s
       restart: always
       privileged: true

From 3ee3d7d969aad4c13b7045821f4315561b9f36f4 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Wed, 16 Jul 2025 20:31:58 +0200
Subject: [PATCH 278/378] Translations update from Weblate (#6637)

* [Web] Language file updated by 'Cleanup translation files' addon

Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.zh-tw.json

Co-authored-by: Anonymous <noreply@weblate.org>

* [Web] Updated lang.ca-es.json

Co-authored-by: Anonymous <noreply@weblate.org>

---------

Co-authored-by: Anonymous <noreply@weblate.org>
---
 data/web/lang/lang.bg-bg.json | 2782 ++++++++++++++++-----------------
 data/web/lang/lang.ca-es.json |    2 +-
 data/web/lang/lang.zh-tw.json |    2 +-
 3 files changed, 1390 insertions(+), 1396 deletions(-)

diff --git a/data/web/lang/lang.bg-bg.json b/data/web/lang/lang.bg-bg.json
index 0d8632859..d17c4dd2b 100644
--- a/data/web/lang/lang.bg-bg.json
+++ b/data/web/lang/lang.bg-bg.json
@@ -1,1397 +1,1391 @@
 {
-  "acl": {
-    "alias_domains": "Добавяне на домейни за псевдоними",
-    "app_passwds": "Управление на пароли за приложения",
-    "bcc_maps": "BCC карти",
-    "delimiter_action": "Действие на разделител",
-    "domain_desc": "Промяна на описанието на домейна",
-    "domain_relayhost": "Промяна на релеен хост за домейн",
-    "eas_reset": "Нулиране на устройствата с ActiveSync",
-    "extend_sender_acl": "Разрешаване на разширяване на ACL на изпращащите от външни адреси",
-    "filters": "Филтри",
-    "login_as": "Вход като потребител на пощенска кутия",
-    "mailbox_relayhost": "Промяна на релеен хост за пощенска кутия",
-    "prohibited": "Забранено от ACL",
-    "protocol_access": "Промяна на достъпа до протоколи",
-    "pushover": "Pushover",
-    "pw_reset": "Разрешаване на нулиране на паролата на потребител на mailcow",
-    "quarantine": "Действия с карантина",
-    "quarantine_attachments": "Прикачени файлове в карантина",
-    "quarantine_category": "Промяна на категорията на уведомленията за карантина",
-    "quarantine_notification": "Промяна на уведомленията за карантина",
-    "ratelimit": "Ограничение на скоростта",
-    "recipient_maps": "Карти на получатели",
-    "smtp_ip_access": "Промяна на разрешените хостове за SMTP",
-    "sogo_access": "Разрешаване на управление на достъпа до SOGo",
-    "sogo_profile_reset": "Нулиране на профила на SOGo",
-    "spam_alias": "Временни псевдоними",
-    "spam_policy": "Черен/Бял списък",
-    "spam_score": "Резултат за спам",
-    "syncjobs": "Синхронизиращи задачи",
-    "tls_policy": "Политика за TLS",
-    "unlimited_quota": "Неограничена квота за пощенски кутии"
-  },
-  "add": {
-    "activate_filter_warn": "Всички други филтри ще бъдат деактивирани, когато активното е отбелязано.",
-    "active": "Активен",
-    "add": "Добавяне",
-    "add_domain_only": "Добавяне само на домейн",
-    "add_domain_restart": "Добавяне на домейн и рестартиране на SOGo",
-    "alias_address": "Адрес/и за псевдоним",
-    "alias_address_info": "<small>Пълни имейл адреси или @example.com, за да хванете всички съобщения за домейн (разделени с запетая). <b>само домейни на mailcow</b>.</small>",
-    "alias_domain": "Домейн за псевдоним",
-    "alias_domain_info": "<small>Валидни имена на домейни (разделени с запетая).</small>",
-    "app_name": "Име на приложението",
-    "app_password": "Добавяне на парола за приложение",
-    "app_passwd_protocols": "Разрешени протоколи за паролата на приложението",
-    "automap": "Опит за автоматично картографиране на папки (\"Изпратени\", \"Изпратени\" => \"Изпратени\" и т.н.)",
-    "backup_mx_options": "Опции за реле",
-    "bcc_dest_format": "BCC дестинацията трябва да бъде един валиден имейл адрес.<br>Ако имате нужда да изпратите копие до множество адреси, създайте псевдоним и го използвайте тук.",
-    "comment_info": "Частен коментар не е видим за потребителя, докато публичен коментар се показва като подсказка при преминаване с мишката върху него в прегледа на потребителя",
-    "custom_params": "Персонализирани параметри",
-    "custom_params_hint": "Дясно: --param=xy, грешно: --param xy",
-    "delete1": "Изтриване от източника след завършване",
-    "delete2": "Изтриване на съобщенията в дестинацията, които не са в източника",
-    "delete2duplicates": "Изтриване на дубликати в дестинацията",
-    "description": "Описание",
-    "destination": "Дестинация",
-    "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
-    "domain": "Домейн",
-    "domain_matches_hostname": "Домейнът %s съвпада с името на хоста",
-    "domain_quota_m": "Обща квота на домейна (MiB)",
-    "dry": "Симулиране на синхронизация",
-    "enc_method": "Метод на криптиране",
-    "exclude": "Изключване на обекти (regex)",
-    "full_name": "Пълно име",
-    "gal": "Глобален адресен списък",
-    "gal_info": "Глобалният адресен списък съдържа всички обекти на домейна и не може да бъде редактиран от нито един потребител. Липсва информация за заетост/свободно време в SOGo, ако е деактивирано! <b>Рестартирайте SOGo, за да приложите промените.</b>",
-    "generate": "генериране",
-    "goto_ham": "Учен като <span class=\"text-success\"><b>не е спам</b></span>",
-    "goto_null": "Тихо изхвърляне на имейла",
-    "goto_spam": "Учен като <span class=\"text-danger\"><b>спам</b></span>",
-    "hostname": "Хост",
-    "inactive": "Неактивен",
-    "kind": "Вид",
-    "mailbox_quota_def": "Квота по подразбиране за пощенска кутия",
-    "mailbox_quota_m": "Макс. квота за пощенска кутия (MiB)",
-    "mailbox_username": "Потребителско име (лява част на имейл адрес)",
-    "max_aliases": "Макс. възможни псевдоними",
-    "max_mailboxes": "Макс. възможни пощенски кутии",
-    "mins_interval": "Интервал за проверка (минути)",
-    "multiple_bookings": "Множествени резервации",
-    "nexthop": "Следващ хоп",
-    "password": "Парола",
-    "password_repeat": "Потвърждаване на паролата (повторете)",
-    "port": "Порт",
-    "post_domain_add": "След добавянето на нов домейн, контейнерът на SOGo, \"sogo-mailcow\", трябва да бъде рестартиран!<br><br>Освен това, конфигурацията на DNS на домейна трябва да бъде прегледана. След като конфигурацията на DNS бъде одобрена, рестартирайте \"acme-mailcow\", за да генерирате автоматично сертификати за вашия нов домейн (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Тази стъпка е опционална и ще бъде повторена всеки 24 часа.",
-    "private_comment": "Частен коментар",
-    "public_comment": "Публичен коментар",
-    "quota_mb": "Квота (MiB)",
-    "relay_all": "Реле на всички получатели",
-    "relay_all_info": "↪ Ако изберете да <b>не</b> релеирате всички получатели, ще трябва да добавите (\"скрита\") пощенска кутия за всеки отделен получател, който трябва да бъде релеиран.",
-    "relay_domain": "Реле на този домейн",
-    "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Инфо</div> Можете да дефинирате транспортни карти за персонализирана дестинация за този домейн. Ако не е зададено, ще бъде направен MX lookup.",
-    "relay_unknown_only": "Реле на несъществуващи пощенски кутии. Съществуващите пощенски кутии ще бъдат доставени локално.",
-    "relayhost_wrapped_tls_info": "Моля, <b>не</b> използвайте TLS-wrapped портове (най-често използвани на порт 465).<br>\r\nИзползвайте всеки не-wrapped порт и издайте STARTTLS. Политика за TLS може да бъде създадена в \"TLS политики\", за да се наложи TLS.",
-    "select": "Моля, изберете...",
-    "select_domain": "Моля, изберете първо домейн",
-    "sieve_desc": "Кратко описание",
-    "sieve_type": "Тип на филтър",
-    "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
-    "subscribeall": "Абониране за всички папки",
-    "syncjob": "Добавяне на синхронизираща задача",
-    "syncjob_hint": "Имайте предвид, че паролите трябва да бъдат запазени като обикновен текст!",
-    "tags": "Тагове",
-    "target_address": "Адреси за пренасочване",
-    "target_address_info": "<small>Пълни имейл адреси (разделени с запетая).</small>",
-    "target_domain": "Целеви домейн",
-    "timeout1": "Таймаут за връзка с отдалечен хост",
-    "timeout2": "Таймаут за връзка с локален хост",
-    "username": "Потребителско име",
-    "validate": "Валидиране",
-    "validation_success": "Успешно валидиране"
-  },
-  "admin": {
-    "access": "Достъп",
-    "action": "Действие",
-    "activate_api": "Активиране на API",
-    "activate_send": "Активиране на бутона за изпращане",
-    "active": "Активен",
-    "active_rspamd_settings_map": "Активна карта с настройки",
-    "add": "Добавяне",
-    "add_admin": "Добавяне на администратор",
-    "add_domain_admin": "Добавяне на администратор на домейн",
-    "add_forwarding_host": "Добавяне на хост за препращане",
-    "add_relayhost": "Добавяне на транспорт, зависим от изпращач",
-    "add_relayhost_hint": "Имайте предвид, че данните за удостоверяване, ако има такива, ще бъдат запазени като обикновен текст.",
-    "add_row": "Добавяне на ред",
-    "add_settings_rule": "Добавяне на правило за настройки",
-    "add_transport": "Добавяне на транспорт",
-    "add_transports_hint": "Имайте предвид, че данните за удостоверяване, ако има такива, ще бъдат запазени като обикновен текст.",
-    "additional_rows": "добавени допълнителни редове",
-    "admin": "Администратор",
-    "admin_details": "Редактиране на детайлите на администратора",
-    "admin_domains": "Назначения на домейни",
-    "admins": "Администратори",
-    "admins_ldap": "LDAP администратори",
-    "advanced_settings": "Разширени настройки",
-    "allowed_methods": "Access-Control-Allow-Methods",
-    "allowed_origins": "Access-Control-Allow-Origin",
-    "api_allow_from": "Разрешаване на API достъп от тези IP адреси/CIDR мрежови нотации",
-    "api_info": "API е в процес на разработка. Документацията може да бъде намерена на <a href=\"/api\">/api</a>",
-    "api_key": "API ключ",
-    "api_read_only": "Достъп само за четене",
-    "api_read_write": "Достъп за четене и писане",
-    "api_skip_ip_check": "Пропускане на IP проверка за API",
-    "app_hide": "Скриване за вход",
-    "app_links": "Връзки към приложения",
-    "app_name": "Име на приложението",
-    "apps_name": "Име на \"mailcow приложенията\"",
-    "arrival_time": "Време на пристигане (време на сървъра)",
-    "authed_user": "Удостоверен потребител",
-    "ays": "Сигурни ли сте, че искате да продължите?",
-    "ban_list_info": "Вижте списък с блокирани IP адреси по-долу: <b>мрежа (оставащо време за блокиране) - [действия]</b>.<br />IP адресите в опашката за разблокиране ще бъдат премахнати от активния списък с блокирани в рамките на няколко секунди.<br />Червените етикети показват активни постоянни блокирания от черния списък.",
-    "change_logo": "Промяна на логото",
-    "logo_normal_label": "Нормално",
-    "logo_dark_label": "Обърнато за тъмен режим",
-    "configuration": "Конфигурация",
-    "convert_html_to_text": "Конвертиране на HTML в обикновен текст",
-    "copy_to_clipboard": "Текстът е копиран в клипборда!",
-    "cors_settings": "Настройки на CORS",
-    "credentials_transport_warning": "<b>Внимание</b>: Добавянето на нов запис в картата на транспорта ще обнови данните за удостоверяване за всички записи с съвпадаща колона за следващ хоп.",
-    "customer_id": "Идентификатор на клиента",
-    "customize": "Персонализиране",
-    "destination": "Дестинация",
-    "dkim_add_key": "Добавяне на ARC/DKIM ключ",
-    "dkim_domains_selector": "Селектор",
-    "dkim_domains_wo_keys": "Избор на домейни без ключове",
-    "dkim_from": "От",
-    "dkim_from_title": "Източник на домейн за копиране на данни",
-    "dkim_key_length": "Дължина на DKIM ключа (битове)",
-    "dkim_key_missing": "Липсващ ключ",
-    "dkim_key_unused": "Неизползван ключ",
-    "dkim_key_valid": "Валиден ключ",
-    "dkim_keys": "ARC/DKIM ключове",
-    "dkim_overwrite_key": "Презаписване на съществуващ DKIM ключ",
-    "dkim_private_key": "Частен ключ",
-    "dkim_to": "До",
-    "dkim_to_title": "Целеви домейн/и - ще бъде презаписан",
-    "domain": "Домейн",
-    "domain_admin": "Администратор на домейн",
-    "domain_admins": "Администратори на домейн",
-    "domain_s": "Домейн/и",
-    "duplicate": "Дублиране",
-    "duplicate_dkim": "Дублиране на DKIM запис",
-    "edit": "Редактиране",
-    "empty": "Няма резултати",
-    "excludes": "Изключване на тези получатели",
-    "f2b_ban_time": "Време за блокиране (с)",
-    "f2b_ban_time_increment": "Времето за блокиране се увеличава с всяко блокиране",
-    "f2b_blacklist": "Черни списъци/хостове",
-    "f2b_filter": "Филтри с регулярни изрази",
-    "f2b_list_info": "Черният списък на хостове или мрежи винаги ще надделява над белия списък. <b>Актуализациите на списъка отнемат няколко секунди, за да бъдат приложени.</b>",
-    "f2b_manage_external": "Управление на Fail2Ban външно",
-    "f2b_manage_external_info": "Fail2ban все още ще поддържа черния списък, но няма да задава правила за блокиране на трафика. Използвайте генерирания черн списък по-долу, за да блокирате трафика външно.",
-    "f2b_max_attempts": "Макс. опити",
-    "f2b_max_ban_time": "Макс. време за блокиране (с)",
-    "f2b_netban_ipv4": "IPv4 размер на подмрежа за прилагане на блокиране (8-32)",
-    "f2b_netban_ipv6": "IPv6 размер на подмрежа за прилагане на блокиране (8-128)",
-    "f2b_parameters": "Параметри на Fail2ban",
-    "f2b_regex_info": "Логовете, които се вземат предвид: SOGo, Postfix, Dovecot, PHP-FPM.",
-    "f2b_retry_window": "Прозорец за повторен опит (с) за макс. опити",
-    "f2b_whitelist": "Бели списъци/хостове",
-    "filter": "Филтър",
-    "filter_table": "Таблица с филтри",
-    "forwarding_hosts": "Хостове за препращане",
-    "forwarding_hosts_add_hint": "Можете да посочите IPv4/IPv6 адреси, мрежи в CIDR нотация, имена на хостове (които ще бъдат разрешени в IP адреси), или имена на домейни (които ще бъдат разрешени в IP адреси чрез заявки към SPF записи или, при липсата им, MX записи).",
-    "forwarding_hosts_hint": "Входящите съобщения се приемат безрезервно от всички хостове, изброени тук. Тези хостове след това не се проверяват срещу DNSBL или подлагат на сиво списък. Спамът, получен от тях, никога не се отхвърля, но опционално може да бъде поставен във файла за нежелана поща. Най-често използваната употреба за това е да се посочат пощенски сървъри, на които сте настроили правило, което препраща входящите имейли към вашия mailcow сървър.",
-    "from": "От",
-    "generate": "генериране",
-    "guid": "GUID - уникален инстанционен идентификатор",
-    "guid_and_license": "GUID & Лиценз",
-    "hash_remove_info": "Премахването на хеш за ограничение на скоростта (ако все още съществува) ще нулира неговия брояч напълно.<br>\r\nВсеки хеш е показан с индивидуален цвят.",
-    "help_text": "Презаписване на помощния текст под маската за вход (разрешен е HTML)",
-    "host": "Хост",
-    "html": "HTML",
-    "iam": "Доставчик на идентичност",
-    "iam_attribute_field": "Поле за атрибут",
-    "iam_authorize_url": "Крайна точка за удостоверяване",
-    "iam_auth_flow": "Поток за удостоверяване",
-    "iam_auth_flow_info": "Освен стандартния поток за удостоверяване (поток с код за удостоверяване в Keycloak), който се използва за единичен вход, mailcow поддържа и поток за удостоверяване с пряки удостоверения. Потокът за удостоверяване с пароли за поща проверява удостоверенията на потребителя, като използва Keycloak Admin REST API. mailcow извлича хешираната парола от атрибута <code>mailcow_password</code>, който е картиран в Keycloak.",
-    "iam_basedn": "Основен DN",
-    "iam_client_id": "Идентификатор на клиента",
-    "iam_client_secret": "Тайна на клиента",
-    "iam_client_scopes": "Обхват на клиента",
-    "iam_default_template": "Шаблон по подразбиране",
-    "iam_default_template_description": "Ако няма зададен шаблон за потребител, шаблонът по подразбиране ще бъде използван за създаване на пощенската кутия, но не и за актуализиране на пощенската кутия.",
-    "iam_description": "Конфигуриране на външен доставчик за удостоверяване<br>Потребителските пощенски кутии ще бъдат създавани автоматично при първия им вход, при условие че е зададено картиране на атрибути.",
-    "iam_extra_permission": "За да работят следните настройки, клиентът на mailcow в Keycloak трябва да има <code>услуга акаунт</code> и разрешението да <code>вижда потребители</code>.",
-    "iam_host": "Хост",
-    "iam_host_info": "Въведете един или повече LDAP хостове, разделени с запетаи.",
-    "iam_import_users": "Импортиране на потребители",
-    "iam_mapping": "Картиране на атрибути",
-    "iam_bindpass": "Парола за свързване",
-    "iam_periodic_full_sync": "Периодичен пълен синхрон",
-    "iam_port": "Порт",
-    "iam_realm": "Реалм",
-    "iam_redirect_url": "URL за пренасочване",
-    "iam_rest_flow": "Поток за пароли за поща",
-    "iam_server_url": "URL на сървъра",
-    "iam_sso": "Единичен вход",
-    "iam_sync_interval": "Интервал за синхронизиране/импортиране (мин)",
-    "iam_test_connection": "Тест на връзката",
-    "iam_token_url": "Крайна точка за токени",
-    "iam_userinfo_url": "Крайна точка за информация за потребителя",
-    "iam_username_field": "Поле за потребителско име",
-    "iam_binddn": "DN за свързване",
-    "iam_use_ssl": "Използване на SSL",
-    "iam_use_ssl_info": "Ако активирате SSL и портът е зададен на 389, той ще бъде автоматично променен на 636.",
-    "iam_use_tls": "Използване на StartTLS",
-    "iam_use_tls_info": "Ако активирате TLS, трябва да използвате стандартния порт за вашия LDAP сървър (389). SSL портовете не могат да бъдат използвани.",
-    "iam_version": "Версия",
-    "ignore_ssl_error": "Игнориране на SSL грешки",
-    "import": "Импортиране",
-    "import_private_key": "Импортиране на частен ключ",
-    "in_use_by": "Използван от",
-    "inactive": "Неактивен",
-    "include_exclude": "Включване/Изключване",
-    "include_exclude_info": "По подразбиране - без избор - <b>всички пощенски кутии</b> се адресират",
-    "includes": "Включване на тези получатели",
-    "ip_check": "Проверка на IP",
-    "ip_check_disabled": "Проверката на IP е деактивирана. Можете да я активирате в <br> <strong>Система > Конфигурация > Опции > Персонализиране</strong>",
-    "ip_check_opt_in": "Оптиране за използване на услугата на трета страна <strong>ipv4.mailcow.email</strong> и <strong>ipv6.mailcow.email</strong>, за да разрешавате външни IP адреси.",
-    "is_mx_based": "MX базиран",
-    "last_applied": "Последно приложено",
-    "license_info": "Лицензът не е задължителен, но помага за по-нататъшното развитие.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL поръчка\">Регистрирайте вашия GUID тук</a> или <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Поддръжка поръчка\">купете поддръжка за вашата инсталация на mailcow.</a>",
-    "link": "Връзка",
-    "loading": "Моля, изчакайте...",
-    "login_time": "Време за вход",
-    "logo_info": "Вашето изображение ще бъде мащабирано до височина 40 px за горната навигационна лента и макс. ширина 250 px за началната страница. Препоръчва се използването на скалируема графика.",
-    "lookup_mx": "Дестинацията е регулярен израз за съвпадение с MX име (<code>.*\\.google\\.com</code> за пренасочване на всички съобщения, предназначени за MX, завършващ на google.com, през този хоп)",
-    "main_name": "Име на \"mailcow UI\"",
-    "merged_vars_hint": "Редовете в сиво са сляти от <code>vars.(local.)inc.php</code> и не могат да бъдат променени.",
-    "message": "Съобщение",
-    "message_size": "Размер на съобщението",
-    "nexthop": "Следващ хоп",
-    "no": "&#10005;",
-    "no_active_bans": "Няма активни блокирания",
-    "no_new_rows": "Няма допълнителни редове",
-    "no_record": "Няма запис",
-    "oauth2_apps": "OAuth2 приложения",
-    "oauth2_add_client": "Добавяне на OAuth2 клиент",
-    "oauth2_client_id": "Идентификатор на клиента",
-    "oauth2_client_secret": "Тайна на клиента",
-    "oauth2_info": "Реализацията на OAuth2 поддържа типа разрешение \"Код за удостоверяване\" и издава токени за презареждане.<br>\r\nСървърът автоматично издава нови токени за презареждане, след като токен за презареждане е бил използван.<br><br>\r\n&#8226; Обхватът по подразбиране е <i>профил</i>. Само потребителите на пощенски кутии могат да бъдат удостоверени срещу OAuth2. Ако параметърът за обхват е пропуснат, той се връща към <i>профил</i>.<br>\r\n&#8226; Параметърът <i>state</i> трябва да бъде изпратен от клиента като част от заявката за удостоверяване.<br><br>\r\nПътища за заявки към OAuth2 API: <br>\r\n<ul>\r\n  <li>Крайна точка за удостоверяване: <code>/oauth/authorize</code></li>\r\n  <li>Крайна точка за токени: <code>/oauth/token</code></li>\r\n  <li>Страница с ресурси:  <code>/oauth/profile</code></li>\r\n</ul>\r\nГенерирането на нова тайна на клиента няма да анулира съществуващите кодове за удостоверяване, но те няма да могат да подновят своя токен.<br><br>\r\nАнулирането на токените на клиента ще доведе до незабавно прекратяване на всички активни сесии. Всички клиенти ще трябва да се преудостоверят.",
-    "oauth2_redirect_uri": "URI за пренасочване",
-    "oauth2_renew_secret": "Генериране на нова тайна на клиента",
-    "oauth2_revoke_tokens": "Анулиране на всички токени на клиента",
-    "optional": "опционално",
-    "options": "Опции",
-    "password": "Парола",
-    "password_length": "Дължина на паролата",
-    "password_policy": "Политика за пароли",
-    "password_policy_chars": "Трябва да съдържа поне една буквена буква",
-    "password_policy_length": "Минималната дължина на паролата е %d",
-    "password_policy_lowerupper": "Трябва да съдържа малки и главни букви",
-    "password_policy_numbers": "Трябва да съдържа поне една цифра",
-    "password_policy_special_chars": "Трябва да съдържа специални символи",
-    "password_repeat": "Потвърждаване на паролата (повторете)",
-    "password_reset_info": "Ако не е зададен имейл за възстановяване, тази функция не може да бъде използвана.",
-    "password_reset_settings": "Настройки за възстановяване на парола",
-    "password_reset_tmpl_html": "HTML шаблон",
-    "password_reset_tmpl_text": "Текстов шаблон",
-    "password_settings": "Настройки на паролата",
-    "priority": "Приоритет",
-    "private_key": "Частен ключ",
-    "quarantine": "Карантина",
-    "quarantine_bcc": "Изпращане на копие от всички уведомления (BCC) до този получател:<br><small>Оставете празно, за да деактивирате. <b>Неподписано, непроверено имейл. Трябва да бъде доставено само вътрешно.</b></small>",
-    "quarantine_exclude_domains": "Изключване на домейни и домейни на псевдоними",
-    "quarantine_max_age": "Максимална възраст в дни<br><small>Стойността трябва да бъде равна или по-голяма от 1 ден.</small>",
-    "quarantine_max_score": "Изхвърляне на уведомление, ако резултатът за спам на имейла е по-висок от тази стойност:<br><small>По подразбиране е 9999.0</small>",
-    "quarantine_max_size": "Максимален размер в MiB (по-големи елементи се изхвърлят):<br><small>0 не означава неограничен.</small>",
-    "quarantine_notification_html": "Шаблон на имейл за уведомление:<br><small>Оставете празно, за да възстановите шаблона по подразбиране.</small>",
-    "quarantine_notification_sender": "Изпращач на имейл за уведомление",
-    "quarantine_notification_subject": "Тема на имейл за уведомление",
-    "quarantine_redirect": "<b>Пренасочване на всички уведомления</b> към този получател:<br><small>Оставете празно, за да деактивирате. <b>Неподписано, непроверено имейл. Трябва да бъде доставено само вътрешно.</b></small>",
-    "quarantine_release_format": "Формат на освободените елементи",
-    "quarantine_release_format_att": "Като прикачен файл",
-    "quarantine_release_format_raw": "Непроменен оригинал",
-    "quarantine_retention_size": "Задържания за пощенска кутия:<br><small>0 показва <b>неактивен</b>.</small>",
-    "quota_notification_html": "Шаблон на имейл за уведомление:<br><small>Оставете празно, за да възстановите шаблона по подразбиране.</small>",
-    "quota_notification_sender": "Изпращач на имейл за уведомление",
-    "quota_notification_subject": "Тема на имейл за уведомление",
-    "quota_notifications": "Уведомления за квота",
-    "quota_notifications_info": "Уведомленията за квота се изпращат на потребителите веднъж при преминаване на 80% и веднъж при преминаване на 95% използване.",
-    "quota_notifications_vars": "{{percent}} е равно на текущата квота на потребителя<br>{{username}} е името на пощенската кутия",
-    "queue_unban": "разблокиране",
-    "r_active": "Активни ограничения",
-    "r_inactive": "Неактивни ограничения",
-    "r_info": "Елементите в сиво в списъка с активни ограничения не са известни като валидни ограничения за mailcow и не могат да бъдат преместени. Неизвестните ограничения ще бъдат зададени в реда на появяване все пак.<br>Можете да добавяте нови елементи в <code>inc/vars.local.inc.php</code>, за да можете да ги превключвате.",
-    "rate_name": "Име на ограничението",
-    "recipients": "Получатели",
-    "refresh": "Опресняване",
-    "regen_api_key": "Регенериране на API ключ",
-    "regex_maps": "Карти с регулярни изрази",
-    "relay_from": "Адрес \"From:\"",
-    "relay_rcpt": "Адрес \"To:\"",
-    "relay_run": "Изпълнение на тест",
-    "relayhosts": "Транспорти, зависими от изпращач",
-    "relayhosts_hint": "Дефинирайте транспорти, зависими от изпращач, за да можете да ги избирате в диалоговия прозорец за конфигурация на домейн.<br>\r\n  Услугата за транспорт винаги е \"smtp:\" и ще се опита да използва TLS, ако бъде предложена. Wrapped TLS (SMTPS) не се поддържа. Политиката за TLS на потребителя ще бъде взета предвид.<br>\r\n  Засегнатите домейни, включително домейни на псевдоними.",
-    "remove": "Премахване",
-    "remove_row": "Премахване на ред",
-    "reset_default": "Нулиране до подразбиране",
-    "reset_limit": "Премахване на хеш",
-    "reset_password_vars": "<code>{{link}}</code> Генерираната връзка за нулиране на парола<br><code>{{username}}</code> Името на пощенската кутия на потребителя, който е поискал нулиране на парола<br><code>{{username2}}</code> Името на пощенската кутия за възстановяване<br><code>{{date}}</code> Датата на заявката за нулиране на парола<br><code>{{token_lifetime}}</code> Времетраенето на токена в минути<br><code>{{hostname}}</code> Името на хоста на mailcow",
-    "restore_template": "Оставете празно, за да възстановите шаблона по подразбиране.",
-    "routing": "Маршрутизация",
-    "rsetting_add_rule": "Добавяне на правило",
-    "rsetting_content": "Съдържание на правилото",
-    "rsetting_desc": "Кратко описание",
-    "rsetting_no_selection": "Моля, изберете правило",
-    "rsetting_none": "Няма налични правила",
-    "rsettings_insert_preset": "Вмъкване на примерен предефиниран набор \"%s\"",
-    "rsettings_preset_1": "Деактивиране на всичко, освен DKIM и ограничение на скоростта за удостоверени потребители",
-    "rsettings_preset_2": "Пощенските администратори искат спам",
-    "rsettings_preset_3": "Разрешаване само на определени изпращачи за пощенска кутия (напр. използване като вътрешна пощенска кутия)",
-    "rsettings_preset_4": "Деактивиране на Rspamd за домейн",
-    "rspamd_com_settings": "Името на настройката ще бъде автоматично генерирано, моля, вижте примерните предефинирани набори по-долу. За повече детайли вижте <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">документацията на Rspamd</a>",
-    "rspamd_global_filters": "Глобални карти на филтри",
-    "rspamd_global_filters_agree": "Ще бъда внимателен!",
-    "rspamd_global_filters_info": "Глобалните карти на филтри съдържат различни видове глобални черни и бели списъци.",
-    "rspamd_global_filters_regex": "Имената им обясняват тяхната цел. Всичкото съдържание трябва да съдържа валиден регулярен израз във формат \"/pattern/options\" (напр. <code>/.+@domain\\.tld/i</code>).<br>\r\n  Въпреки че се извършват основни проверки за всеки ред с регулярен израз, функционалността на Rspamd може да бъде нарушена, ако не успява да прочете синтаксиса коректно.<br>\r\n  Rspamd ще се опита да прочете съдържанието на картата при промяна. Ако срещнете проблеми, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">рестартирайте Rspamd</a>, за да наложите презареждане на картата.<br>Елементите в черния списък са изключени от карантина.",
-    "rspamd_settings_map": "Карта с настройки на Rspamd",
-    "sal_level": "Ниво на Moo",
-    "save": "Запазване на промените",
-    "search_domain_da": "Търсене на домейни",
-    "send": "Изпращане",
-    "sender": "Изпращач",
-    "service": "Услуга",
-    "service_id": "Идентификатор на услугата",
-    "source": "Източник",
-    "spamfilter": "Филтър за спам",
-    "subject": "Тема",
-    "success": "Успех",
-    "sys_mails": "Системни имейли",
-    "task": "Задача",
-    "text": "Текст",
-    "time": "Време",
-    "title": "Заглавие",
-    "title_name": "Име на уеб страницата на \"mailcow UI\"",
-    "to_top": "Обратно нагоре",
-    "transport_dest_format": "Регулярен израз или синтаксис: example.org, .example.org, *, box@example.org (няколко стойности могат да бъдат разделени с запетая)",
-    "transport_maps": "Карти за транспорт",
-    "transport_test_rcpt_info": "&#8226; Използвайте null@hosted.mailcow.de, за да тествате препращането към чуждестранна дестинация.",
-    "transports_hint": "&#8226; Записът в картата на транспорта <b>пренарежда</b> запис в картата на транспорт, зависим от изпращач</b>.<br>\r\n&#8226; Транспортите, базирани на MX, се използват предимно.<br>\r\n&#8226; Настройките за политика на TLS на потребителя се игнорират и могат да бъдат приложени само чрез записи в картите на политиката на TLS.<br>\r\n&#8226; Услугата за транспорт за дефинираните транспорти винаги е \"smtp:\" и ще се опита да използва TLS, ако бъде предложена. Wrapped TLS (SMTPS) не се поддържа.<br>\r\n&#8226; Адресите, съвпадащи с \"/localhost$/\", винаги ще бъдат транспортирани през \"local:\", следователно записът \"*\" няма да се приложи към тези адреси.<br>\r\n&#8226; За да определите удостоверения за следващ хоп \"[host]:25\", Postfix <b>винаги</b> заявява за \"host\", преди да търси за \"[host]:25\". Това поведение прави невъзможно да се използват \"host\" и \"[host]:25\" едновременно.",
-    "ui_footer": "Подвал (разрешен е HTML)",
-    "ui_header_announcement": "Обяви",
-    "ui_header_announcement_active": "Задаване на активна обява",
-    "ui_header_announcement_content": "Текст (разрешен е HTML)",
-    "ui_header_announcement_help": "Обявата е видима за всички влезли потребители и на екрана за вход на UI.",
-    "ui_header_announcement_select": "Избор на тип обява",
-    "ui_header_announcement_type": "Тип",
-    "ui_header_announcement_type_danger": "Много важно",
-    "ui_header_announcement_type_info": "Информация",
-    "ui_header_announcement_type_warning": "Важно",
-    "ui_texts": "Етикети и текстове на UI",
-    "unban_pending": "разблокиране в опашката",
-    "unchanged_if_empty": "Ако не е променено, оставете празно",
-    "upload": "Качване",
-    "username": "Потребителско име",
-    "user_link": "Връзка към потребител",
-    "validate_license_now": "Валидиране на GUID срещу лицензен сървър",
-    "verify": "Проверка",
-    "yes": "&#10003;"
-  },
-  "danger": {
-    "access_denied": "Достъпът е отказан или данните от формуляра са невалидни",
-    "alias_domain_invalid": "Домейнът на псевдонима %s е невалиден",
-    "alias_empty": "Адресът на псевдонима не трябва да е празен",
-    "alias_goto_identical": "Адресът на псевдонима и адресът за пренасочване не трябва да са идентични",
-    "alias_invalid": "Адресът на псевдонима %s е невалиден",
-    "aliasd_targetd_identical": "Домейнът на псевдонима не трябва да е равен на целевия домейн: %s",
-    "aliases_in_use": "Макс. псевдоними трябва да бъдат по-големи или равни на %d",
-    "app_name_empty": "Името на приложението не може да бъде празно",
-    "app_passwd_id_invalid": "Идентификаторът на паролата за приложението %s е невалиден",
-    "authsource_in_use": "Доставчикът на идентичност не може да бъде променен или изтрит, тъй като се използва в момента от един или повече потребители.",
-    "bcc_empty": "BCC дестинацията не може да бъде празна",
-    "bcc_exists": "Картата BCC %s съществува за тип %s",
-    "bcc_must_be_email": "BCC дестинацията %s не е валиден имейл адрес",
-    "comment_too_long": "Коментарът е твърде дълъг, разрешени са макс. 160 символа",
-    "cors_invalid_method": "Зададен е невалиден метод за разрешаване",
-    "cors_invalid_origin": "Зададен е невалиден източник за разрешаване",
-    "defquota_empty": "Квотата по подразбиране за пощенска кутия не трябва да бъде 0.",
-    "demo_mode_enabled": "Режимът на демонстрация е активиран",
-    "description_invalid": "Описанието на ресурса за %s е невалидно",
-    "dkim_domain_or_sel_exists": "Съществува DKIM ключ за \"%s\", който няма да бъде презаписан",
-    "dkim_domain_or_sel_invalid": "DKIM домейн или селектор е невалиден: %s",
-    "domain_cannot_match_hostname": "Домейнът не може да съвпада с името на хоста",
-    "domain_exists": "Домейнът %s вече съществува",
-    "domain_invalid": "Името на домейна е празно или невалидно",
-    "domain_not_empty": "Не може да бъде премахнат непразен домейн %s",
-    "domain_not_found": "Домейнът %s не е намерен",
-    "domain_quota_m_in_use": "Квотата на домейна трябва да бъде по-голяма или равна на %s MiB",
-    "extended_sender_acl_denied": "липсва ACL за задаване на външни адреси на изпращач",
-    "extra_acl_invalid": "Външният адрес на изпращач \"%s\" е невалиден",
-    "extra_acl_invalid_domain": "Външният изпращач \"%s\" използва невалиден домейн",
-    "fido2_verification_failed": "Проверката на FIDO2 е неуспешна: %s",
-    "file_open_error": "Файлът не може да бъде отворен за писане",
-    "filter_type": "Грешен тип на филтър",
-    "from_invalid": "Изпращачът не трябва да бъде празен",
-    "generic_server_error": "Възникна неочаквана грешка на сървъра. Моля, свържете се с вашия администратор.",
-    "global_filter_write_error": "Файлът с филтър не може да бъде записан: %s",
-    "global_map_invalid": "Идентификаторът на глобалната карта %s е невалиден",
-    "global_map_write_error": "Глобалният идентификатор на картата %s не може да бъде записан: %s",
-    "goto_empty": "Адресът на псевдоним трябва да съдържа поне един валиден адрес за пренасочване",
-    "goto_invalid": "Адресът за пренасочване %s е невалиден",
-    "ham_learn_error": "Грешка при обучение за не-спам: %s",
-    "iam_test_connection": "Връзката е неуспешна",
-    "imagick_exception": "Грешка: Грешка при четене на изображение с Imagick",
-    "img_dimensions_exceeded": "Изображението надхвърля максималния размер",
-    "img_invalid": "Не може да се валидира файл с изображение",
-    "img_size_exceeded": "Изображението надхвърля максималния размер на файла",
-    "img_tmp_missing": "Не може да се валидира файл с изображение: Липсва временен файл",
-    "invalid_bcc_map_type": "Невалиден тип на картата BCC",
-    "invalid_destination": "Форматът на дестинацията \"%s\" е невалиден",
-    "invalid_filter_type": "Невалиден тип на филтър",
-    "invalid_host": "Зададен е невалиден хост: %s",
-    "invalid_mime_type": "Невалиден MIME тип",
-    "invalid_nexthop": "Форматът на следващия хоп е невалиден",
-    "invalid_nexthop_authenticated": "Следващият хоп съществува с различни удостоверения, моля, актуализирайте съществуващите удостоверения за този следващ хоп първо.",
-    "invalid_recipient_map_new": "Зададен е невалиден нов получател: %s",
-    "invalid_recipient_map_old": "Зададен е невалиден оригинален получател: %s",
-    "invalid_reset_token": "Невалиден токен за нулиране",
-    "ip_list_empty": "Списъкът с разрешени IP адреси не може да бъде празен",
-    "is_alias": "%s вече е известен като адрес на псевдоним",
-    "is_alias_or_mailbox": "%s вече е известен като адрес на псевдоним, пощенска кутия или адрес на псевдоним, разширен от домейн на псевдоним.",
-    "is_spam_alias": "%s вече е известен като временен адрес на псевдоним (спам адрес на псевдоним)",
-    "last_key": "Последното ключове не може да бъде изтрито, моля, деактивирайте TFA вместо това.",
-    "login_failed": "Неуспешен вход",
-    "mailbox_defquota_exceeds_mailbox_maxquota": "Квотата по подразбиране надхвърля лимита на макс. квота",
-    "mailbox_invalid": "Името на пощенската кутия е невалидно",
-    "mailbox_quota_exceeded": "Квотата надхвърля лимита на домейна (макс. %d MiB)",
-    "mailbox_quota_exceeds_domain_quota": "Макс. квотата надхвърля лимита на квотата на домейна",
-    "mailbox_quota_left_exceeded": "Няма достатъчно място (оставащо място: %d MiB)",
-    "mailboxes_in_use": "Макс. пощенски кутии трябва да бъдат по-големи или равни на %d",
-    "malformed_username": "Неправилно формирано потребителско име",
-    "map_content_empty": "Съдържанието на картата не може да бъде празно",
-    "max_alias_exceeded": "Макс. псевдоними са надхвърлени",
-    "max_mailbox_exceeded": "Макс. пощенски кутии са надхвърлени (%d от %d)",
-    "max_quota_in_use": "Квотата на пощенската кутия трябва да бъде по-голяма или равна на %d MiB",
-    "maxquota_empty": "Макс. квотата за пощенска кутия не трябва да бъде 0.",
-    "mysql_error": "Грешка на MySQL: %s",
-    "network_host_invalid": "Невалидна мрежа или хост: %s",
-    "next_hop_interferes": "%s се намесва с nexthop %s",
-    "next_hop_interferes_any": "Съществуващ следващ хоп се намесва с %s",
-    "nginx_reload_failed": "Презареждането на Nginx е неуспешно: %s",
-    "no_user_defined": "Няма зададен потребител",
-    "object_exists": "Обектът %s вече съществува",
-    "object_is_not_numeric": "Стойността %s не е числова",
-    "password_complexity": "Паролата не отговаря на изискванията",
-    "password_empty": "Паролата не трябва да бъде празна",
-    "password_mismatch": "Паролата за потвърждение не съвпада",
-    "password_reset_invalid_user": "Пощенската кутия не е намерена или не е зададен имейл за възстановяване",
-    "password_reset_na": "Възстановяването на парола в момента е недостъпно. Моля, свържете се с вашия администратор.",
-    "policy_list_from_exists": "Съществува запис с даденото име",
-    "policy_list_from_invalid": "Записът има невалиден формат",
-    "private_key_error": "Грешка с частен ключ: %s",
-    "pushover_credentials_missing": "Липсва токен или ключ на Pushover",
-    "pushover_key": "Ключът на Pushover има грешен формат",
-    "pushover_token": "Токенът на Pushover има грешен формат",
-    "quota_not_0_not_numeric": "Квотата трябва да бъде числова и >= 0",
-    "recipient_map_entry_exists": "Съществува запис в картата на получатели \"%s\"",
-    "recovery_email_failed": "Не може да бъде изпратен имейл за възстановяване. Моля, свържете се с вашия администратор.",
-    "redis_error": "Грешка на Redis: %s",
-    "relayhost_invalid": "Записът в картата %s е невалиден",
-    "release_send_failed": "Съобщението не може да бъде освободено: %s",
-    "required_data_missing": "Липсват необходими данни %s",
-    "reset_f2b_regex": "Регулярният филтър не може да бъде нулиран навреме, моля, опитайте отново или изчакайте още няколко секунди и презаредете уеб сайта.",
-    "reset_token_limit_exceeded": "Лимитът на токена за нулиране е надхвърлен. Моля, опитайте по-късно.",
-    "resource_invalid": "Името на ресурса %s е невалидно",
-    "rl_timeframe": "Временният интервал за ограничение на скоростта е некоректен",
-    "rspamd_ui_pw_length": "Паролата на UI на Rspamd трябва да бъде поне 6 символа",
-    "script_empty": "Скриптът не може да бъде празен",
-    "sender_acl_invalid": "Стойността на ACL на изпращач %s е невалидна",
-    "set_acl_failed": "Неуспешно задаване на ACL",
-    "settings_map_invalid": "Идентификаторът на картата с настройки %s е невалиден",
-    "sieve_error": "Грешка при синтаксиса на Sieve: %s",
-    "spam_learn_error": "Грешка при обучение за спам: %s",
-    "subject_empty": "Темата не трябва да бъде празна",
-    "target_domain_invalid": "Целевият домейн %s е невалиден",
-    "targetd_not_found": "Целевият домейн %s не е намерен",
-    "targetd_relay_domain": "Целевият домейн %s е домейн за реле",
-    "template_exists": "Шаблонът %s вече съществува",
-    "template_id_invalid": "Идентификаторът на шаблона %s е невалиден",
-    "template_name_invalid": "Името на шаблона е невалидно",
-    "temp_error": "Временна грешка",
-    "text_empty": "Текстът не трябва да бъде празен",
-    "tfa_token_invalid": "Токенът за TFA е невалиден",
-    "tls_policy_map_dest_invalid": "Дестинацията на политиката е невалидна",
-    "tls_policy_map_entry_exists": "Съществува запис в картата на политиката на TLS \"%s\"",
-    "tls_policy_map_parameter_invalid": "Параметърът на политиката е невалиден",
-    "to_invalid": "Получателят не трябва да бъде празен",
-    "totp_verification_failed": "Проверката на TOTP е неуспешна",
-    "transport_dest_exists": "Дестинацията на транспорта \"%s\" съществува",
-    "webauthn_verification_failed": "Проверката на WebAuthn е неуспешна: %s",
-    "webauthn_authenticator_failed": "Избраният аутентикатор не е намерен",
-    "webauthn_publickey_failed": "Не е запазен публичен ключ за избрания аутентикатор",
-    "webauthn_username_failed": "Избраният аутентикатор принадлежи на друга сметка",
-    "unknown": "Възникна неизвестна грешка",
-    "unknown_tfa_method": "Неизвестен метод за TFA",
-    "unlimited_quota_acl": "Неограничената квота е забранена от ACL",
-    "username_invalid": "Потребителското име %s не може да бъде използвано",
-    "validity_missing": "Моля, задайте период на валидност",
-    "value_missing": "Моля, предоставете всички стойности",
-    "yotp_verification_failed": "Проверката на Yubico OTP е неуспешна: %s"
-  },
-  "datatables": {
-    "collapse_all": "Свиване на всичко",
-    "decimal": ".",
-    "emptyTable": "Няма данни в таблицата",
-    "expand_all": "Разширяване на всичко",
-    "info": "Показване на _START_ до _END_ от _TOTAL_ записа",
-    "infoEmpty": "Показване на 0 до 0 от 0 записа",
-    "infoFiltered": "(филтрирани от общо _MAX_ записа)",
-    "infoPostFix": "",
-    "thousands": ",",
-    "lengthMenu": "Показване на _MENU_ записа",
-    "loadingRecords": "Зареждане...",
-    "processing": "Моля, изчакайте...",
-    "search": "Търсене:",
-    "zeroRecords": "Няма съвпадащи записи",
-    "paginate": {
-      "first": "Първи",
-      "last": "Последен",
-      "next": "Следващ",
-      "previous": "Предишен"
+    "acl": {
+        "alias_domains": "Добавяне на домейни за псевдоними",
+        "app_passwds": "Управление на пароли за приложения",
+        "bcc_maps": "BCC карти",
+        "delimiter_action": "Действие на разделител",
+        "domain_desc": "Промяна на описанието на домейна",
+        "domain_relayhost": "Промяна на релеен хост за домейн",
+        "eas_reset": "Нулиране на устройствата с ActiveSync",
+        "extend_sender_acl": "Разрешаване на разширяване на ACL на изпращащите от външни адреси",
+        "filters": "Филтри",
+        "login_as": "Вход като потребител на пощенска кутия",
+        "mailbox_relayhost": "Промяна на релеен хост за пощенска кутия",
+        "prohibited": "Забранено от ACL",
+        "protocol_access": "Промяна на достъпа до протоколи",
+        "pushover": "Pushover",
+        "pw_reset": "Разрешаване на нулиране на паролата на потребител на mailcow",
+        "quarantine": "Действия с карантина",
+        "quarantine_attachments": "Прикачени файлове в карантина",
+        "quarantine_category": "Промяна на категорията на уведомленията за карантина",
+        "quarantine_notification": "Промяна на уведомленията за карантина",
+        "ratelimit": "Ограничение на скоростта",
+        "recipient_maps": "Карти на получатели",
+        "smtp_ip_access": "Промяна на разрешените хостове за SMTP",
+        "sogo_access": "Разрешаване на управление на достъпа до SOGo",
+        "sogo_profile_reset": "Нулиране на профила на SOGo",
+        "spam_alias": "Временни псевдоними",
+        "spam_policy": "Черен/Бял списък",
+        "spam_score": "Резултат за спам",
+        "syncjobs": "Синхронизиращи задачи",
+        "tls_policy": "Политика за TLS",
+        "unlimited_quota": "Неограничена квота за пощенски кутии"
     },
-    "aria": {
-      "sortAscending": ": активиране за сортиране на колоната във възходящ ред",
-      "sortDescending": ": активиране за сортиране на колоната в низходящ ред"
+    "add": {
+        "activate_filter_warn": "Всички други филтри ще бъдат деактивирани, когато активното е отбелязано.",
+        "active": "Активен",
+        "add": "Добавяне",
+        "add_domain_only": "Добавяне само на домейн",
+        "add_domain_restart": "Добавяне на домейн и рестартиране на SOGo",
+        "alias_address": "Адрес/и за псевдоним",
+        "alias_address_info": "<small>Пълни имейл адреси или @example.com, за да хванете всички съобщения за домейн (разделени с запетая). <b>само домейни на mailcow</b>.</small>",
+        "alias_domain": "Домейн за псевдоним",
+        "alias_domain_info": "<small>Валидни имена на домейни (разделени с запетая).</small>",
+        "app_name": "Име на приложението",
+        "app_password": "Добавяне на парола за приложение",
+        "app_passwd_protocols": "Разрешени протоколи за паролата на приложението",
+        "automap": "Опит за автоматично картографиране на папки (\"Изпратени\", \"Изпратени\" => \"Изпратени\" и т.н.)",
+        "backup_mx_options": "Опции за реле",
+        "bcc_dest_format": "BCC дестинацията трябва да бъде един валиден имейл адрес.<br>Ако имате нужда да изпратите копие до множество адреси, създайте псевдоним и го използвайте тук.",
+        "comment_info": "Частен коментар не е видим за потребителя, докато публичен коментар се показва като подсказка при преминаване с мишката върху него в прегледа на потребителя",
+        "custom_params": "Персонализирани параметри",
+        "custom_params_hint": "Дясно: --param=xy, грешно: --param xy",
+        "delete1": "Изтриване от източника след завършване",
+        "delete2": "Изтриване на съобщенията в дестинацията, които не са в източника",
+        "delete2duplicates": "Изтриване на дубликати в дестинацията",
+        "description": "Описание",
+        "destination": "Дестинация",
+        "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
+        "domain": "Домейн",
+        "domain_matches_hostname": "Домейнът %s съвпада с името на хоста",
+        "domain_quota_m": "Обща квота на домейна (MiB)",
+        "dry": "Симулиране на синхронизация",
+        "enc_method": "Метод на криптиране",
+        "exclude": "Изключване на обекти (regex)",
+        "full_name": "Пълно име",
+        "gal": "Глобален адресен списък",
+        "gal_info": "Глобалният адресен списък съдържа всички обекти на домейна и не може да бъде редактиран от нито един потребител. Липсва информация за заетост/свободно време в SOGo, ако е деактивирано! <b>Рестартирайте SOGo, за да приложите промените.</b>",
+        "generate": "генериране",
+        "goto_ham": "Учен като <span class=\"text-success\"><b>не е спам</b></span>",
+        "goto_null": "Тихо изхвърляне на имейла",
+        "goto_spam": "Учен като <span class=\"text-danger\"><b>спам</b></span>",
+        "hostname": "Хост",
+        "inactive": "Неактивен",
+        "kind": "Вид",
+        "mailbox_quota_def": "Квота по подразбиране за пощенска кутия",
+        "mailbox_quota_m": "Макс. квота за пощенска кутия (MiB)",
+        "mailbox_username": "Потребителско име (лява част на имейл адрес)",
+        "max_aliases": "Макс. възможни псевдоними",
+        "max_mailboxes": "Макс. възможни пощенски кутии",
+        "mins_interval": "Интервал за проверка (минути)",
+        "multiple_bookings": "Множествени резервации",
+        "nexthop": "Следващ хоп",
+        "password": "Парола",
+        "password_repeat": "Потвърждаване на паролата (повторете)",
+        "port": "Порт",
+        "post_domain_add": "След добавянето на нов домейн, контейнерът на SOGo, \"sogo-mailcow\", трябва да бъде рестартиран!<br><br>Освен това, конфигурацията на DNS на домейна трябва да бъде прегледана. След като конфигурацията на DNS бъде одобрена, рестартирайте \"acme-mailcow\", за да генерирате автоматично сертификати за вашия нов домейн (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Тази стъпка е опционална и ще бъде повторена всеки 24 часа.",
+        "private_comment": "Частен коментар",
+        "public_comment": "Публичен коментар",
+        "quota_mb": "Квота (MiB)",
+        "relay_all": "Реле на всички получатели",
+        "relay_all_info": "↪ Ако изберете да <b>не</b> релеирате всички получатели, ще трябва да добавите (\"скрита\") пощенска кутия за всеки отделен получател, който трябва да бъде релеиран.",
+        "relay_domain": "Реле на този домейн",
+        "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Инфо</div> Можете да дефинирате транспортни карти за персонализирана дестинация за този домейн. Ако не е зададено, ще бъде направен MX lookup.",
+        "relay_unknown_only": "Реле на несъществуващи пощенски кутии. Съществуващите пощенски кутии ще бъдат доставени локално.",
+        "relayhost_wrapped_tls_info": "Моля, <b>не</b> използвайте TLS-wrapped портове (най-често използвани на порт 465).<br>\r\nИзползвайте всеки не-wrapped порт и издайте STARTTLS. Политика за TLS може да бъде създадена в \"TLS политики\", за да се наложи TLS.",
+        "select": "Моля, изберете...",
+        "select_domain": "Моля, изберете първо домейн",
+        "sieve_desc": "Кратко описание",
+        "sieve_type": "Тип на филтър",
+        "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
+        "subscribeall": "Абониране за всички папки",
+        "syncjob": "Добавяне на синхронизираща задача",
+        "syncjob_hint": "Имайте предвид, че паролите трябва да бъдат запазени като обикновен текст!",
+        "tags": "Тагове",
+        "target_address": "Адреси за пренасочване",
+        "target_address_info": "<small>Пълни имейл адреси (разделени с запетая).</small>",
+        "target_domain": "Целеви домейн",
+        "timeout1": "Таймаут за връзка с отдалечен хост",
+        "timeout2": "Таймаут за връзка с локален хост",
+        "username": "Потребителско име",
+        "validate": "Валидиране",
+        "validation_success": "Успешно валидиране"
+    },
+    "admin": {
+        "access": "Достъп",
+        "action": "Действие",
+        "activate_api": "Активиране на API",
+        "activate_send": "Активиране на бутона за изпращане",
+        "active": "Активен",
+        "active_rspamd_settings_map": "Активна карта с настройки",
+        "add": "Добавяне",
+        "add_admin": "Добавяне на администратор",
+        "add_domain_admin": "Добавяне на администратор на домейн",
+        "add_forwarding_host": "Добавяне на хост за препращане",
+        "add_relayhost": "Добавяне на транспорт, зависим от изпращач",
+        "add_relayhost_hint": "Имайте предвид, че данните за удостоверяване, ако има такива, ще бъдат запазени като обикновен текст.",
+        "add_row": "Добавяне на ред",
+        "add_settings_rule": "Добавяне на правило за настройки",
+        "add_transport": "Добавяне на транспорт",
+        "add_transports_hint": "Имайте предвид, че данните за удостоверяване, ако има такива, ще бъдат запазени като обикновен текст.",
+        "additional_rows": "добавени допълнителни редове",
+        "admin": "Администратор",
+        "admin_details": "Редактиране на детайлите на администратора",
+        "admin_domains": "Назначения на домейни",
+        "admins": "Администратори",
+        "admins_ldap": "LDAP администратори",
+        "advanced_settings": "Разширени настройки",
+        "allowed_methods": "Access-Control-Allow-Methods",
+        "allowed_origins": "Access-Control-Allow-Origin",
+        "api_allow_from": "Разрешаване на API достъп от тези IP адреси/CIDR мрежови нотации",
+        "api_info": "API е в процес на разработка. Документацията може да бъде намерена на <a href=\"/api\">/api</a>",
+        "api_key": "API ключ",
+        "api_read_only": "Достъп само за четене",
+        "api_read_write": "Достъп за четене и писане",
+        "api_skip_ip_check": "Пропускане на IP проверка за API",
+        "app_hide": "Скриване за вход",
+        "app_links": "Връзки към приложения",
+        "app_name": "Име на приложението",
+        "apps_name": "Име на \"mailcow приложенията\"",
+        "arrival_time": "Време на пристигане (време на сървъра)",
+        "authed_user": "Удостоверен потребител",
+        "ays": "Сигурни ли сте, че искате да продължите?",
+        "ban_list_info": "Вижте списък с блокирани IP адреси по-долу: <b>мрежа (оставащо време за блокиране) - [действия]</b>.<br />IP адресите в опашката за разблокиране ще бъдат премахнати от активния списък с блокирани в рамките на няколко секунди.<br />Червените етикети показват активни постоянни блокирания от черния списък.",
+        "change_logo": "Промяна на логото",
+        "logo_normal_label": "Нормално",
+        "logo_dark_label": "Обърнато за тъмен режим",
+        "configuration": "Конфигурация",
+        "convert_html_to_text": "Конвертиране на HTML в обикновен текст",
+        "copy_to_clipboard": "Текстът е копиран в клипборда!",
+        "cors_settings": "Настройки на CORS",
+        "credentials_transport_warning": "<b>Внимание</b>: Добавянето на нов запис в картата на транспорта ще обнови данните за удостоверяване за всички записи с съвпадаща колона за следващ хоп.",
+        "customer_id": "Идентификатор на клиента",
+        "customize": "Персонализиране",
+        "destination": "Дестинация",
+        "dkim_add_key": "Добавяне на ARC/DKIM ключ",
+        "dkim_domains_selector": "Селектор",
+        "dkim_domains_wo_keys": "Избор на домейни без ключове",
+        "dkim_from": "От",
+        "dkim_from_title": "Източник на домейн за копиране на данни",
+        "dkim_key_length": "Дължина на DKIM ключа (битове)",
+        "dkim_key_missing": "Липсващ ключ",
+        "dkim_key_unused": "Неизползван ключ",
+        "dkim_key_valid": "Валиден ключ",
+        "dkim_keys": "ARC/DKIM ключове",
+        "dkim_overwrite_key": "Презаписване на съществуващ DKIM ключ",
+        "dkim_private_key": "Частен ключ",
+        "dkim_to": "До",
+        "dkim_to_title": "Целеви домейн/и - ще бъде презаписан",
+        "domain": "Домейн",
+        "domain_admin": "Администратор на домейн",
+        "domain_admins": "Администратори на домейн",
+        "domain_s": "Домейн/и",
+        "duplicate": "Дублиране",
+        "duplicate_dkim": "Дублиране на DKIM запис",
+        "edit": "Редактиране",
+        "empty": "Няма резултати",
+        "excludes": "Изключване на тези получатели",
+        "f2b_ban_time": "Време за блокиране (с)",
+        "f2b_ban_time_increment": "Времето за блокиране се увеличава с всяко блокиране",
+        "f2b_blacklist": "Черни списъци/хостове",
+        "f2b_filter": "Филтри с регулярни изрази",
+        "f2b_list_info": "Черният списък на хостове или мрежи винаги ще надделява над белия списък. <b>Актуализациите на списъка отнемат няколко секунди, за да бъдат приложени.</b>",
+        "f2b_manage_external": "Управление на Fail2Ban външно",
+        "f2b_manage_external_info": "Fail2ban все още ще поддържа черния списък, но няма да задава правила за блокиране на трафика. Използвайте генерирания черн списък по-долу, за да блокирате трафика външно.",
+        "f2b_max_attempts": "Макс. опити",
+        "f2b_max_ban_time": "Макс. време за блокиране (с)",
+        "f2b_netban_ipv4": "IPv4 размер на подмрежа за прилагане на блокиране (8-32)",
+        "f2b_netban_ipv6": "IPv6 размер на подмрежа за прилагане на блокиране (8-128)",
+        "f2b_parameters": "Параметри на Fail2ban",
+        "f2b_regex_info": "Логовете, които се вземат предвид: SOGo, Postfix, Dovecot, PHP-FPM.",
+        "f2b_retry_window": "Прозорец за повторен опит (с) за макс. опити",
+        "f2b_whitelist": "Бели списъци/хостове",
+        "filter": "Филтър",
+        "filter_table": "Таблица с филтри",
+        "forwarding_hosts": "Хостове за препращане",
+        "forwarding_hosts_add_hint": "Можете да посочите IPv4/IPv6 адреси, мрежи в CIDR нотация, имена на хостове (които ще бъдат разрешени в IP адреси), или имена на домейни (които ще бъдат разрешени в IP адреси чрез заявки към SPF записи или, при липсата им, MX записи).",
+        "forwarding_hosts_hint": "Входящите съобщения се приемат безрезервно от всички хостове, изброени тук. Тези хостове след това не се проверяват срещу DNSBL или подлагат на сиво списък. Спамът, получен от тях, никога не се отхвърля, но опционално може да бъде поставен във файла за нежелана поща. Най-често използваната употреба за това е да се посочат пощенски сървъри, на които сте настроили правило, което препраща входящите имейли към вашия mailcow сървър.",
+        "from": "От",
+        "generate": "генериране",
+        "guid": "GUID - уникален инстанционен идентификатор",
+        "guid_and_license": "GUID & Лиценз",
+        "hash_remove_info": "Премахването на хеш за ограничение на скоростта (ако все още съществува) ще нулира неговия брояч напълно.<br>\r\nВсеки хеш е показан с индивидуален цвят.",
+        "help_text": "Презаписване на помощния текст под маската за вход (разрешен е HTML)",
+        "host": "Хост",
+        "html": "HTML",
+        "iam": "Доставчик на идентичност",
+        "iam_attribute_field": "Поле за атрибут",
+        "iam_authorize_url": "Крайна точка за удостоверяване",
+        "iam_auth_flow": "Поток за удостоверяване",
+        "iam_auth_flow_info": "Освен стандартния поток за удостоверяване (поток с код за удостоверяване в Keycloak), който се използва за единичен вход, mailcow поддържа и поток за удостоверяване с пряки удостоверения. Потокът за удостоверяване с пароли за поща проверява удостоверенията на потребителя, като използва Keycloak Admin REST API. mailcow извлича хешираната парола от атрибута <code>mailcow_password</code>, който е картиран в Keycloak.",
+        "iam_basedn": "Основен DN",
+        "iam_client_id": "Идентификатор на клиента",
+        "iam_client_secret": "Тайна на клиента",
+        "iam_client_scopes": "Обхват на клиента",
+        "iam_default_template": "Шаблон по подразбиране",
+        "iam_default_template_description": "Ако няма зададен шаблон за потребител, шаблонът по подразбиране ще бъде използван за създаване на пощенската кутия, но не и за актуализиране на пощенската кутия.",
+        "iam_description": "Конфигуриране на външен доставчик за удостоверяване<br>Потребителските пощенски кутии ще бъдат създавани автоматично при първия им вход, при условие че е зададено картиране на атрибути.",
+        "iam_extra_permission": "За да работят следните настройки, клиентът на mailcow в Keycloak трябва да има <code>услуга акаунт</code> и разрешението да <code>вижда потребители</code>.",
+        "iam_host": "Хост",
+        "iam_host_info": "Въведете един или повече LDAP хостове, разделени с запетаи.",
+        "iam_import_users": "Импортиране на потребители",
+        "iam_mapping": "Картиране на атрибути",
+        "iam_bindpass": "Парола за свързване",
+        "iam_periodic_full_sync": "Периодичен пълен синхрон",
+        "iam_port": "Порт",
+        "iam_realm": "Реалм",
+        "iam_redirect_url": "URL за пренасочване",
+        "iam_rest_flow": "Поток за пароли за поща",
+        "iam_server_url": "URL на сървъра",
+        "iam_sso": "Единичен вход",
+        "iam_sync_interval": "Интервал за синхронизиране/импортиране (мин)",
+        "iam_test_connection": "Тест на връзката",
+        "iam_token_url": "Крайна точка за токени",
+        "iam_userinfo_url": "Крайна точка за информация за потребителя",
+        "iam_username_field": "Поле за потребителско име",
+        "iam_binddn": "DN за свързване",
+        "iam_use_ssl": "Използване на SSL",
+        "iam_use_ssl_info": "Ако активирате SSL и портът е зададен на 389, той ще бъде автоматично променен на 636.",
+        "iam_use_tls": "Използване на StartTLS",
+        "iam_use_tls_info": "Ако активирате TLS, трябва да използвате стандартния порт за вашия LDAP сървър (389). SSL портовете не могат да бъдат използвани.",
+        "iam_version": "Версия",
+        "ignore_ssl_error": "Игнориране на SSL грешки",
+        "import": "Импортиране",
+        "import_private_key": "Импортиране на частен ключ",
+        "in_use_by": "Използван от",
+        "inactive": "Неактивен",
+        "include_exclude": "Включване/Изключване",
+        "include_exclude_info": "По подразбиране - без избор - <b>всички пощенски кутии</b> се адресират",
+        "includes": "Включване на тези получатели",
+        "ip_check": "Проверка на IP",
+        "ip_check_disabled": "Проверката на IP е деактивирана. Можете да я активирате в <br> <strong>Система > Конфигурация > Опции > Персонализиране</strong>",
+        "ip_check_opt_in": "Оптиране за използване на услугата на трета страна <strong>ipv4.mailcow.email</strong> и <strong>ipv6.mailcow.email</strong>, за да разрешавате външни IP адреси.",
+        "is_mx_based": "MX базиран",
+        "last_applied": "Последно приложено",
+        "license_info": "Лицензът не е задължителен, но помага за по-нататъшното развитие.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL поръчка\">Регистрирайте вашия GUID тук</a> или <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Поддръжка поръчка\">купете поддръжка за вашата инсталация на mailcow.</a>",
+        "link": "Връзка",
+        "loading": "Моля, изчакайте...",
+        "login_time": "Време за вход",
+        "logo_info": "Вашето изображение ще бъде мащабирано до височина 40 px за горната навигационна лента и макс. ширина 250 px за началната страница. Препоръчва се използването на скалируема графика.",
+        "lookup_mx": "Дестинацията е регулярен израз за съвпадение с MX име (<code>.*\\.google\\.com</code> за пренасочване на всички съобщения, предназначени за MX, завършващ на google.com, през този хоп)",
+        "main_name": "Име на \"mailcow UI\"",
+        "merged_vars_hint": "Редовете в сиво са сляти от <code>vars.(local.)inc.php</code> и не могат да бъдат променени.",
+        "message": "Съобщение",
+        "message_size": "Размер на съобщението",
+        "nexthop": "Следващ хоп",
+        "no": "&#10005;",
+        "no_active_bans": "Няма активни блокирания",
+        "no_new_rows": "Няма допълнителни редове",
+        "no_record": "Няма запис",
+        "oauth2_apps": "OAuth2 приложения",
+        "oauth2_add_client": "Добавяне на OAuth2 клиент",
+        "oauth2_client_id": "Идентификатор на клиента",
+        "oauth2_client_secret": "Тайна на клиента",
+        "oauth2_info": "Реализацията на OAuth2 поддържа типа разрешение \"Код за удостоверяване\" и издава токени за презареждане.<br>\r\nСървърът автоматично издава нови токени за презареждане, след като токен за презареждане е бил използван.<br><br>\r\n&#8226; Обхватът по подразбиране е <i>профил</i>. Само потребителите на пощенски кутии могат да бъдат удостоверени срещу OAuth2. Ако параметърът за обхват е пропуснат, той се връща към <i>профил</i>.<br>\r\n&#8226; Параметърът <i>state</i> трябва да бъде изпратен от клиента като част от заявката за удостоверяване.<br><br>\r\nПътища за заявки към OAuth2 API: <br>\r\n<ul>\r\n  <li>Крайна точка за удостоверяване: <code>/oauth/authorize</code></li>\r\n  <li>Крайна точка за токени: <code>/oauth/token</code></li>\r\n  <li>Страница с ресурси:  <code>/oauth/profile</code></li>\r\n</ul>\r\nГенерирането на нова тайна на клиента няма да анулира съществуващите кодове за удостоверяване, но те няма да могат да подновят своя токен.<br><br>\r\nАнулирането на токените на клиента ще доведе до незабавно прекратяване на всички активни сесии. Всички клиенти ще трябва да се преудостоверят.",
+        "oauth2_redirect_uri": "URI за пренасочване",
+        "oauth2_renew_secret": "Генериране на нова тайна на клиента",
+        "oauth2_revoke_tokens": "Анулиране на всички токени на клиента",
+        "optional": "опционално",
+        "options": "Опции",
+        "password": "Парола",
+        "password_length": "Дължина на паролата",
+        "password_policy": "Политика за пароли",
+        "password_policy_chars": "Трябва да съдържа поне една буквена буква",
+        "password_policy_length": "Минималната дължина на паролата е %d",
+        "password_policy_lowerupper": "Трябва да съдържа малки и главни букви",
+        "password_policy_numbers": "Трябва да съдържа поне една цифра",
+        "password_policy_special_chars": "Трябва да съдържа специални символи",
+        "password_repeat": "Потвърждаване на паролата (повторете)",
+        "password_reset_info": "Ако не е зададен имейл за възстановяване, тази функция не може да бъде използвана.",
+        "password_reset_settings": "Настройки за възстановяване на парола",
+        "password_reset_tmpl_html": "HTML шаблон",
+        "password_reset_tmpl_text": "Текстов шаблон",
+        "password_settings": "Настройки на паролата",
+        "priority": "Приоритет",
+        "private_key": "Частен ключ",
+        "quarantine": "Карантина",
+        "quarantine_bcc": "Изпращане на копие от всички уведомления (BCC) до този получател:<br><small>Оставете празно, за да деактивирате. <b>Неподписано, непроверено имейл. Трябва да бъде доставено само вътрешно.</b></small>",
+        "quarantine_exclude_domains": "Изключване на домейни и домейни на псевдоними",
+        "quarantine_max_age": "Максимална възраст в дни<br><small>Стойността трябва да бъде равна или по-голяма от 1 ден.</small>",
+        "quarantine_max_score": "Изхвърляне на уведомление, ако резултатът за спам на имейла е по-висок от тази стойност:<br><small>По подразбиране е 9999.0</small>",
+        "quarantine_max_size": "Максимален размер в MiB (по-големи елементи се изхвърлят):<br><small>0 не означава неограничен.</small>",
+        "quarantine_notification_html": "Шаблон на имейл за уведомление:<br><small>Оставете празно, за да възстановите шаблона по подразбиране.</small>",
+        "quarantine_notification_sender": "Изпращач на имейл за уведомление",
+        "quarantine_notification_subject": "Тема на имейл за уведомление",
+        "quarantine_redirect": "<b>Пренасочване на всички уведомления</b> към този получател:<br><small>Оставете празно, за да деактивирате. <b>Неподписано, непроверено имейл. Трябва да бъде доставено само вътрешно.</b></small>",
+        "quarantine_release_format": "Формат на освободените елементи",
+        "quarantine_release_format_att": "Като прикачен файл",
+        "quarantine_release_format_raw": "Непроменен оригинал",
+        "quarantine_retention_size": "Задържания за пощенска кутия:<br><small>0 показва <b>неактивен</b>.</small>",
+        "quota_notification_html": "Шаблон на имейл за уведомление:<br><small>Оставете празно, за да възстановите шаблона по подразбиране.</small>",
+        "quota_notification_sender": "Изпращач на имейл за уведомление",
+        "quota_notification_subject": "Тема на имейл за уведомление",
+        "quota_notifications": "Уведомления за квота",
+        "quota_notifications_info": "Уведомленията за квота се изпращат на потребителите веднъж при преминаване на 80% и веднъж при преминаване на 95% използване.",
+        "quota_notifications_vars": "{{percent}} е равно на текущата квота на потребителя<br>{{username}} е името на пощенската кутия",
+        "queue_unban": "разблокиране",
+        "r_active": "Активни ограничения",
+        "r_inactive": "Неактивни ограничения",
+        "r_info": "Елементите в сиво в списъка с активни ограничения не са известни като валидни ограничения за mailcow и не могат да бъдат преместени. Неизвестните ограничения ще бъдат зададени в реда на появяване все пак.<br>Можете да добавяте нови елементи в <code>inc/vars.local.inc.php</code>, за да можете да ги превключвате.",
+        "rate_name": "Име на ограничението",
+        "recipients": "Получатели",
+        "refresh": "Опресняване",
+        "regen_api_key": "Регенериране на API ключ",
+        "regex_maps": "Карти с регулярни изрази",
+        "relay_from": "Адрес \"From:\"",
+        "relay_rcpt": "Адрес \"To:\"",
+        "relay_run": "Изпълнение на тест",
+        "relayhosts": "Транспорти, зависими от изпращач",
+        "relayhosts_hint": "Дефинирайте транспорти, зависими от изпращач, за да можете да ги избирате в диалоговия прозорец за конфигурация на домейн.<br>\r\n  Услугата за транспорт винаги е \"smtp:\" и ще се опита да използва TLS, ако бъде предложена. Wrapped TLS (SMTPS) не се поддържа. Политиката за TLS на потребителя ще бъде взета предвид.<br>\r\n  Засегнатите домейни, включително домейни на псевдоними.",
+        "remove": "Премахване",
+        "remove_row": "Премахване на ред",
+        "reset_default": "Нулиране до подразбиране",
+        "reset_limit": "Премахване на хеш",
+        "reset_password_vars": "<code>{{link}}</code> Генерираната връзка за нулиране на парола<br><code>{{username}}</code> Името на пощенската кутия на потребителя, който е поискал нулиране на парола<br><code>{{username2}}</code> Името на пощенската кутия за възстановяване<br><code>{{date}}</code> Датата на заявката за нулиране на парола<br><code>{{token_lifetime}}</code> Времетраенето на токена в минути<br><code>{{hostname}}</code> Името на хоста на mailcow",
+        "restore_template": "Оставете празно, за да възстановите шаблона по подразбиране.",
+        "routing": "Маршрутизация",
+        "rsetting_add_rule": "Добавяне на правило",
+        "rsetting_content": "Съдържание на правилото",
+        "rsetting_desc": "Кратко описание",
+        "rsetting_no_selection": "Моля, изберете правило",
+        "rsetting_none": "Няма налични правила",
+        "rsettings_insert_preset": "Вмъкване на примерен предефиниран набор \"%s\"",
+        "rsettings_preset_1": "Деактивиране на всичко, освен DKIM и ограничение на скоростта за удостоверени потребители",
+        "rsettings_preset_2": "Пощенските администратори искат спам",
+        "rsettings_preset_3": "Разрешаване само на определени изпращачи за пощенска кутия (напр. използване като вътрешна пощенска кутия)",
+        "rsettings_preset_4": "Деактивиране на Rspamd за домейн",
+        "rspamd_com_settings": "Името на настройката ще бъде автоматично генерирано, моля, вижте примерните предефинирани набори по-долу. За повече детайли вижте <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">документацията на Rspamd</a>",
+        "rspamd_global_filters": "Глобални карти на филтри",
+        "rspamd_global_filters_agree": "Ще бъда внимателен!",
+        "rspamd_global_filters_info": "Глобалните карти на филтри съдържат различни видове глобални черни и бели списъци.",
+        "rspamd_global_filters_regex": "Имената им обясняват тяхната цел. Всичкото съдържание трябва да съдържа валиден регулярен израз във формат \"/pattern/options\" (напр. <code>/.+@domain\\.tld/i</code>).<br>\r\n  Въпреки че се извършват основни проверки за всеки ред с регулярен израз, функционалността на Rspamd може да бъде нарушена, ако не успява да прочете синтаксиса коректно.<br>\r\n  Rspamd ще се опита да прочете съдържанието на картата при промяна. Ако срещнете проблеми, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">рестартирайте Rspamd</a>, за да наложите презареждане на картата.<br>Елементите в черния списък са изключени от карантина.",
+        "rspamd_settings_map": "Карта с настройки на Rspamd",
+        "sal_level": "Ниво на Moo",
+        "save": "Запазване на промените",
+        "search_domain_da": "Търсене на домейни",
+        "send": "Изпращане",
+        "sender": "Изпращач",
+        "service": "Услуга",
+        "service_id": "Идентификатор на услугата",
+        "source": "Източник",
+        "spamfilter": "Филтър за спам",
+        "subject": "Тема",
+        "success": "Успех",
+        "sys_mails": "Системни имейли",
+        "task": "Задача",
+        "text": "Текст",
+        "time": "Време",
+        "title": "Заглавие",
+        "title_name": "Име на уеб страницата на \"mailcow UI\"",
+        "to_top": "Обратно нагоре",
+        "transport_dest_format": "Регулярен израз или синтаксис: example.org, .example.org, *, box@example.org (няколко стойности могат да бъдат разделени с запетая)",
+        "transport_maps": "Карти за транспорт",
+        "transport_test_rcpt_info": "&#8226; Използвайте null@hosted.mailcow.de, за да тествате препращането към чуждестранна дестинация.",
+        "transports_hint": "&#8226; Записът в картата на транспорта <b>пренарежда</b> запис в картата на транспорт, зависим от изпращач</b>.<br>\r\n&#8226; Транспортите, базирани на MX, се използват предимно.<br>\r\n&#8226; Настройките за политика на TLS на потребителя се игнорират и могат да бъдат приложени само чрез записи в картите на политиката на TLS.<br>\r\n&#8226; Услугата за транспорт за дефинираните транспорти винаги е \"smtp:\" и ще се опита да използва TLS, ако бъде предложена. Wrapped TLS (SMTPS) не се поддържа.<br>\r\n&#8226; Адресите, съвпадащи с \"/localhost$/\", винаги ще бъдат транспортирани през \"local:\", следователно записът \"*\" няма да се приложи към тези адреси.<br>\r\n&#8226; За да определите удостоверения за следващ хоп \"[host]:25\", Postfix <b>винаги</b> заявява за \"host\", преди да търси за \"[host]:25\". Това поведение прави невъзможно да се използват \"host\" и \"[host]:25\" едновременно.",
+        "ui_footer": "Подвал (разрешен е HTML)",
+        "ui_header_announcement": "Обяви",
+        "ui_header_announcement_active": "Задаване на активна обява",
+        "ui_header_announcement_content": "Текст (разрешен е HTML)",
+        "ui_header_announcement_help": "Обявата е видима за всички влезли потребители и на екрана за вход на UI.",
+        "ui_header_announcement_select": "Избор на тип обява",
+        "ui_header_announcement_type": "Тип",
+        "ui_header_announcement_type_danger": "Много важно",
+        "ui_header_announcement_type_info": "Информация",
+        "ui_header_announcement_type_warning": "Важно",
+        "ui_texts": "Етикети и текстове на UI",
+        "unban_pending": "разблокиране в опашката",
+        "unchanged_if_empty": "Ако не е променено, оставете празно",
+        "upload": "Качване",
+        "username": "Потребителско име",
+        "user_link": "Връзка към потребител",
+        "validate_license_now": "Валидиране на GUID срещу лицензен сървър",
+        "verify": "Проверка",
+        "yes": "&#10003;"
+    },
+    "danger": {
+        "access_denied": "Достъпът е отказан или данните от формуляра са невалидни",
+        "alias_domain_invalid": "Домейнът на псевдонима %s е невалиден",
+        "alias_empty": "Адресът на псевдонима не трябва да е празен",
+        "alias_goto_identical": "Адресът на псевдонима и адресът за пренасочване не трябва да са идентични",
+        "alias_invalid": "Адресът на псевдонима %s е невалиден",
+        "aliasd_targetd_identical": "Домейнът на псевдонима не трябва да е равен на целевия домейн: %s",
+        "aliases_in_use": "Макс. псевдоними трябва да бъдат по-големи или равни на %d",
+        "app_name_empty": "Името на приложението не може да бъде празно",
+        "app_passwd_id_invalid": "Идентификаторът на паролата за приложението %s е невалиден",
+        "authsource_in_use": "Доставчикът на идентичност не може да бъде променен или изтрит, тъй като се използва в момента от един или повече потребители.",
+        "bcc_empty": "BCC дестинацията не може да бъде празна",
+        "bcc_exists": "Картата BCC %s съществува за тип %s",
+        "bcc_must_be_email": "BCC дестинацията %s не е валиден имейл адрес",
+        "comment_too_long": "Коментарът е твърде дълъг, разрешени са макс. 160 символа",
+        "cors_invalid_method": "Зададен е невалиден метод за разрешаване",
+        "cors_invalid_origin": "Зададен е невалиден източник за разрешаване",
+        "defquota_empty": "Квотата по подразбиране за пощенска кутия не трябва да бъде 0.",
+        "demo_mode_enabled": "Режимът на демонстрация е активиран",
+        "description_invalid": "Описанието на ресурса за %s е невалидно",
+        "dkim_domain_or_sel_exists": "Съществува DKIM ключ за \"%s\", който няма да бъде презаписан",
+        "dkim_domain_or_sel_invalid": "DKIM домейн или селектор е невалиден: %s",
+        "domain_cannot_match_hostname": "Домейнът не може да съвпада с името на хоста",
+        "domain_exists": "Домейнът %s вече съществува",
+        "domain_invalid": "Името на домейна е празно или невалидно",
+        "domain_not_empty": "Не може да бъде премахнат непразен домейн %s",
+        "domain_not_found": "Домейнът %s не е намерен",
+        "domain_quota_m_in_use": "Квотата на домейна трябва да бъде по-голяма или равна на %s MiB",
+        "extended_sender_acl_denied": "липсва ACL за задаване на външни адреси на изпращач",
+        "extra_acl_invalid": "Външният адрес на изпращач \"%s\" е невалиден",
+        "extra_acl_invalid_domain": "Външният изпращач \"%s\" използва невалиден домейн",
+        "fido2_verification_failed": "Проверката на FIDO2 е неуспешна: %s",
+        "file_open_error": "Файлът не може да бъде отворен за писане",
+        "filter_type": "Грешен тип на филтър",
+        "from_invalid": "Изпращачът не трябва да бъде празен",
+        "generic_server_error": "Възникна неочаквана грешка на сървъра. Моля, свържете се с вашия администратор.",
+        "global_filter_write_error": "Файлът с филтър не може да бъде записан: %s",
+        "global_map_invalid": "Идентификаторът на глобалната карта %s е невалиден",
+        "global_map_write_error": "Глобалният идентификатор на картата %s не може да бъде записан: %s",
+        "goto_empty": "Адресът на псевдоним трябва да съдържа поне един валиден адрес за пренасочване",
+        "goto_invalid": "Адресът за пренасочване %s е невалиден",
+        "ham_learn_error": "Грешка при обучение за не-спам: %s",
+        "iam_test_connection": "Връзката е неуспешна",
+        "imagick_exception": "Грешка: Грешка при четене на изображение с Imagick",
+        "img_dimensions_exceeded": "Изображението надхвърля максималния размер",
+        "img_invalid": "Не може да се валидира файл с изображение",
+        "img_size_exceeded": "Изображението надхвърля максималния размер на файла",
+        "img_tmp_missing": "Не може да се валидира файл с изображение: Липсва временен файл",
+        "invalid_bcc_map_type": "Невалиден тип на картата BCC",
+        "invalid_destination": "Форматът на дестинацията \"%s\" е невалиден",
+        "invalid_filter_type": "Невалиден тип на филтър",
+        "invalid_host": "Зададен е невалиден хост: %s",
+        "invalid_mime_type": "Невалиден MIME тип",
+        "invalid_nexthop": "Форматът на следващия хоп е невалиден",
+        "invalid_nexthop_authenticated": "Следващият хоп съществува с различни удостоверения, моля, актуализирайте съществуващите удостоверения за този следващ хоп първо.",
+        "invalid_recipient_map_new": "Зададен е невалиден нов получател: %s",
+        "invalid_recipient_map_old": "Зададен е невалиден оригинален получател: %s",
+        "invalid_reset_token": "Невалиден токен за нулиране",
+        "ip_list_empty": "Списъкът с разрешени IP адреси не може да бъде празен",
+        "is_alias": "%s вече е известен като адрес на псевдоним",
+        "is_alias_or_mailbox": "%s вече е известен като адрес на псевдоним, пощенска кутия или адрес на псевдоним, разширен от домейн на псевдоним.",
+        "is_spam_alias": "%s вече е известен като временен адрес на псевдоним (спам адрес на псевдоним)",
+        "last_key": "Последното ключове не може да бъде изтрито, моля, деактивирайте TFA вместо това.",
+        "login_failed": "Неуспешен вход",
+        "mailbox_defquota_exceeds_mailbox_maxquota": "Квотата по подразбиране надхвърля лимита на макс. квота",
+        "mailbox_invalid": "Името на пощенската кутия е невалидно",
+        "mailbox_quota_exceeded": "Квотата надхвърля лимита на домейна (макс. %d MiB)",
+        "mailbox_quota_exceeds_domain_quota": "Макс. квотата надхвърля лимита на квотата на домейна",
+        "mailbox_quota_left_exceeded": "Няма достатъчно място (оставащо място: %d MiB)",
+        "mailboxes_in_use": "Макс. пощенски кутии трябва да бъдат по-големи или равни на %d",
+        "malformed_username": "Неправилно формирано потребителско име",
+        "map_content_empty": "Съдържанието на картата не може да бъде празно",
+        "max_alias_exceeded": "Макс. псевдоними са надхвърлени",
+        "max_mailbox_exceeded": "Макс. пощенски кутии са надхвърлени (%d от %d)",
+        "max_quota_in_use": "Квотата на пощенската кутия трябва да бъде по-голяма или равна на %d MiB",
+        "maxquota_empty": "Макс. квотата за пощенска кутия не трябва да бъде 0.",
+        "mysql_error": "Грешка на MySQL: %s",
+        "network_host_invalid": "Невалидна мрежа или хост: %s",
+        "next_hop_interferes": "%s се намесва с nexthop %s",
+        "next_hop_interferes_any": "Съществуващ следващ хоп се намесва с %s",
+        "nginx_reload_failed": "Презареждането на Nginx е неуспешно: %s",
+        "no_user_defined": "Няма зададен потребител",
+        "object_exists": "Обектът %s вече съществува",
+        "object_is_not_numeric": "Стойността %s не е числова",
+        "password_complexity": "Паролата не отговаря на изискванията",
+        "password_empty": "Паролата не трябва да бъде празна",
+        "password_mismatch": "Паролата за потвърждение не съвпада",
+        "password_reset_invalid_user": "Пощенската кутия не е намерена или не е зададен имейл за възстановяване",
+        "password_reset_na": "Възстановяването на парола в момента е недостъпно. Моля, свържете се с вашия администратор.",
+        "policy_list_from_exists": "Съществува запис с даденото име",
+        "policy_list_from_invalid": "Записът има невалиден формат",
+        "private_key_error": "Грешка с частен ключ: %s",
+        "pushover_credentials_missing": "Липсва токен или ключ на Pushover",
+        "pushover_key": "Ключът на Pushover има грешен формат",
+        "pushover_token": "Токенът на Pushover има грешен формат",
+        "quota_not_0_not_numeric": "Квотата трябва да бъде числова и >= 0",
+        "recipient_map_entry_exists": "Съществува запис в картата на получатели \"%s\"",
+        "recovery_email_failed": "Не може да бъде изпратен имейл за възстановяване. Моля, свържете се с вашия администратор.",
+        "redis_error": "Грешка на Redis: %s",
+        "relayhost_invalid": "Записът в картата %s е невалиден",
+        "release_send_failed": "Съобщението не може да бъде освободено: %s",
+        "required_data_missing": "Липсват необходими данни %s",
+        "reset_f2b_regex": "Регулярният филтър не може да бъде нулиран навреме, моля, опитайте отново или изчакайте още няколко секунди и презаредете уеб сайта.",
+        "reset_token_limit_exceeded": "Лимитът на токена за нулиране е надхвърлен. Моля, опитайте по-късно.",
+        "resource_invalid": "Името на ресурса %s е невалидно",
+        "rl_timeframe": "Временният интервал за ограничение на скоростта е некоректен",
+        "rspamd_ui_pw_length": "Паролата на UI на Rspamd трябва да бъде поне 6 символа",
+        "script_empty": "Скриптът не може да бъде празен",
+        "sender_acl_invalid": "Стойността на ACL на изпращач %s е невалидна",
+        "set_acl_failed": "Неуспешно задаване на ACL",
+        "settings_map_invalid": "Идентификаторът на картата с настройки %s е невалиден",
+        "sieve_error": "Грешка при синтаксиса на Sieve: %s",
+        "spam_learn_error": "Грешка при обучение за спам: %s",
+        "subject_empty": "Темата не трябва да бъде празна",
+        "target_domain_invalid": "Целевият домейн %s е невалиден",
+        "targetd_not_found": "Целевият домейн %s не е намерен",
+        "targetd_relay_domain": "Целевият домейн %s е домейн за реле",
+        "template_exists": "Шаблонът %s вече съществува",
+        "template_id_invalid": "Идентификаторът на шаблона %s е невалиден",
+        "template_name_invalid": "Името на шаблона е невалидно",
+        "temp_error": "Временна грешка",
+        "text_empty": "Текстът не трябва да бъде празен",
+        "tfa_token_invalid": "Токенът за TFA е невалиден",
+        "tls_policy_map_dest_invalid": "Дестинацията на политиката е невалидна",
+        "tls_policy_map_entry_exists": "Съществува запис в картата на политиката на TLS \"%s\"",
+        "tls_policy_map_parameter_invalid": "Параметърът на политиката е невалиден",
+        "to_invalid": "Получателят не трябва да бъде празен",
+        "totp_verification_failed": "Проверката на TOTP е неуспешна",
+        "transport_dest_exists": "Дестинацията на транспорта \"%s\" съществува",
+        "webauthn_verification_failed": "Проверката на WebAuthn е неуспешна: %s",
+        "webauthn_authenticator_failed": "Избраният аутентикатор не е намерен",
+        "webauthn_publickey_failed": "Не е запазен публичен ключ за избрания аутентикатор",
+        "webauthn_username_failed": "Избраният аутентикатор принадлежи на друга сметка",
+        "unknown": "Възникна неизвестна грешка",
+        "unknown_tfa_method": "Неизвестен метод за TFA",
+        "unlimited_quota_acl": "Неограничената квота е забранена от ACL",
+        "username_invalid": "Потребителското име %s не може да бъде използвано",
+        "validity_missing": "Моля, задайте период на валидност",
+        "value_missing": "Моля, предоставете всички стойности",
+        "yotp_verification_failed": "Проверката на Yubico OTP е неуспешна: %s"
+    },
+    "datatables": {
+        "collapse_all": "Свиване на всичко",
+        "decimal": ".",
+        "emptyTable": "Няма данни в таблицата",
+        "expand_all": "Разширяване на всичко",
+        "info": "Показване на _START_ до _END_ от _TOTAL_ записа",
+        "infoEmpty": "Показване на 0 до 0 от 0 записа",
+        "infoFiltered": "(филтрирани от общо _MAX_ записа)",
+        "infoPostFix": "",
+        "thousands": ",",
+        "lengthMenu": "Показване на _MENU_ записа",
+        "loadingRecords": "Зареждане...",
+        "processing": "Моля, изчакайте...",
+        "search": "Търсене:",
+        "zeroRecords": "Няма съвпадащи записи",
+        "paginate": {
+            "first": "Първи",
+            "last": "Последен",
+            "next": "Следващ",
+            "previous": "Предишен"
+        },
+        "aria": {
+            "sortAscending": ": активиране за сортиране на колоната във възходящ ред",
+            "sortDescending": ": активиране за сортиране на колоната в низходящ ред"
+        }
+    },
+    "debug": {
+        "architecture": "Архитектура",
+        "chart_this_server": "Графика (този сървър)",
+        "containers_info": "Информация за контейнерите",
+        "container_running": "Изпълнява се",
+        "container_disabled": "Контейнерът е спрян или деактивиран",
+        "container_stopped": "Спрян",
+        "cores": "Ядра",
+        "current_time": "Системно време",
+        "disk_usage": "Използване на диска",
+        "docs": "Документи",
+        "error_show_ip": "Не може да се разреши публичния IP адрес",
+        "external_logs": "Външни логове",
+        "history_all_servers": "История (всички сървъри)",
+        "in_memory_logs": "Логове в паметта",
+        "last_modified": "Последно модифициране",
+        "log_info": "<p>Логовете на mailcow <b>в паметта</b> се събират в списъци на Redis и се подрязват до LOG_LINES (%d) на всяка минута, за да се намали натоварването.<br>Логовете в паметта не са предназначени да бъдат постоянни. Всички приложения, които записват в паметта, също записват в демона на Docker и следователно в основния драйвер за логсване.<br>Логовете в паметта трябва да се използват за отстраняване на леки проблеми с контейнери.</p>\r\n  <p><b>Външните логове</b> се събират чрез API на даденото приложение.</p>\r\n  <p><b>Статичните логове</b> са най-вече логове на активност, които не се записват в демона на Docker, но все още трябва да бъдат постоянни (с изключение на логовете на API).</p>",
+        "login_time": "Време",
+        "logs": "Логове",
+        "memory": "Памет",
+        "online_users": "Потребители онлайн",
+        "restart_container": "Рестартиране",
+        "service": "Услуга",
+        "show_ip": "Показване на публичен IP",
+        "size": "Размер",
+        "started_at": "Стартирано в",
+        "started_on": "Стартирано на",
+        "static_logs": "Статични логове",
+        "success": "Успех",
+        "system_containers": "Система & Контейнери",
+        "timezone": "Часова зона",
+        "uptime": "Време на работа",
+        "update_available": "Има налична актуализация",
+        "no_update_available": "Системата е на последното издание",
+        "update_failed": "Не може да се провери за актуализация",
+        "username": "Потребителско име",
+        "wip": "В момента се работи"
+    },
+    "diagnostics": {
+        "cname_from_a": "Стойността е извлечена от A/AAAA запис. Това се поддържа, докато записът сочи към правилния ресурс.",
+        "dns_records": "DNS записи",
+        "dns_records_24hours": "Моля, имайте предвид, че промените в DNS може да отнемат до 24 часа, за да имат актуалното си състояние правилно отразено на тази страница. Тя е предназначена да ви позволи лесно да видите как да конфигурирате вашите DNS записи и да проверите дали всичките ви записи са правилно запазени в DNS.",
+        "dns_records_data": "Правилни данни",
+        "dns_records_docs": "Моля, вижте и <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">документацията</a>.",
+        "dns_records_name": "Име",
+        "dns_records_status": "Текущо състояние",
+        "dns_records_type": "Тип",
+        "optional": "Този запис е опционален."
+    },
+    "edit": {
+        "acl": "ACL (Разрешение)",
+        "active": "Активен",
+        "admin": "Редактиране на администратор",
+        "advanced_settings": "Разширени настройки",
+        "alias": "Редактиране на псевдоним",
+        "allow_from_smtp": "Разрешаване само на тези IP адреси да използват <b>SMTP</b>",
+        "allow_from_smtp_info": "Оставете празно, за да разрешите всички изпращачи.<br>IPv4/IPv6 адреси и мрежи.",
+        "allowed_protocols": "Разрешени протоколи за пряк потребителски достъп (не засяга протоколите за пароли на приложения)",
+        "app_name": "Име на приложението",
+        "app_passwd": "Парола за приложение",
+        "app_passwd_protocols": "Разрешени протоколи за паролата на приложението",
+        "automap": "Опит за автоматично картографиране на папки (\"Изпратени\", \"Изпратени\" => \"Изпратени\" и т.н.)",
+        "backup_mx_options": "Опции за реле",
+        "bcc_dest_format": "BCC дестинацията трябва да бъде един валиден имейл адрес.<br>Ако имате нужда да изпратите копие до множество адреси, създайте псевдоним и го използвайте тук.",
+        "client_id": "Идентификатор на клиента",
+        "client_secret": "Тайна на клиента",
+        "comment_info": "Частен коментар не е видим за потребителя, докато публичен коментар се показва като подсказка при преминаване с мишката върху него в прегледа на потребителя",
+        "created_on": "Създаден на",
+        "custom_attributes": "Персонализирани атрибути",
+        "delete1": "Изтриване от източника след завършване",
+        "delete2": "Изтриване на съобщенията в дестинацията, които не са в източника",
+        "delete2duplicates": "Изтриване на дубликати в дестинацията",
+        "delete_ays": "Моля, потвърдете процеса на изтриване.",
+        "description": "Описание",
+        "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
+        "domain": "Редактиране на домейн",
+        "domain_admin": "Редактиране на администратор на домейн",
+        "domain_footer": "Подвал за домейн",
+        "domain_footer_html": "HTML подвал",
+        "domain_footer_info": "Подвалите за домейн се добавят към всички изходящи имейли, свързани с адрес в този домейн. Следните променливи могат да бъдат използвани за подвала:",
+        "domain_footer_info_vars": {
+            "auth_user": "{= auth_user =}   - Удостоверен потребител, посочен от MTA",
+            "from_user": "{= from_user =}   - Потребителска част на обвивката, напр. за \"moo@mailcow.tld\" връща \"moo\"",
+            "from_name": "{= from_name =}   - Име на обвивката, напр. за \"Mailcow &lt;moo@mailcow.tld&gt;\" връща \"Mailcow\"",
+            "from_addr": "{= from_addr =}   - Адресна част на обвивката",
+            "from_domain": "{= from_domain =} - Домейна част на обвивката",
+            "custom": "{= foo =}         - Ако пощенската кутия има персонализиран атрибут \"foo\" със стойност \"bar\", ще върне \"bar\""
+        },
+        "domain_footer_plain": "PLAIN подвал",
+        "domain_footer_skip_replies": "Игнориране на подвал в отговорни имейли",
+        "domain_quota": "Квота на домейна",
+        "domains": "Домейни",
+        "dont_check_sender_acl": "Деактивиране на проверката на изпращач за домейн %s (+ домейни на псевдоними)",
+        "edit_alias_domain": "Редактиране на домейн на псевдоним",
+        "encryption": "Криптиране",
+        "exclude": "Изключване на обекти (regex)",
+        "extended_sender_acl": "Външни адреси на изпращач",
+        "extended_sender_acl_info": "Трябва да бъде импортиран DKIM домейн ключ, ако е наличен.<br>\r\n  Помнете да добавите този сървър към съответния SPF TXT запис.<br>\r\n  Когато домейн или домейн на псевдоним бъде добавен към този сървър, който се припокрива с външен адрес, външният адрес ще бъде премахнат.<br>\r\n  Използвайте @domain.tld, за да разрешите изпращане като *@domain.tld.",
+        "footer_exclude": "Изключване от подвал",
+        "force_pw_update": "Принудително обновяване на парола при следващия вход",
+        "force_pw_update_info": "Този потребител ще може да влезе само в %s. Паролите за приложения остават използваеми.",
+        "full_name": "Пълно име",
+        "gal": "Глобален адресен списък",
+        "gal_info": "Глобалният адресен списък съдържа всички обекти на домейна и не може да бъде редактиран от нито един потребител. Липсва информация за заетост/свободно време в SOGo, ако е деактивирано! <b>Рестартирайте SOGo, за да приложите промените.</b>",
+        "generate": "генериране",
+        "grant_types": "Типове разрешения",
+        "hostname": "Име на хост",
+        "inactive": "Неактивен",
+        "kind": "Вид",
+        "last_modified": "Последно модифициране",
+        "lookup_mx": "Дестинацията е регулярен израз за съвпадение с MX име (<code>.*\\.google\\.com</code> за пренасочване на всички съобщения, предназначени за MX, завършващ на google.com, през този хоп)",
+        "mailbox": "Редактиране на пощенска кутия",
+        "mailbox_quota_def": "Квота по подразбиране за пощенска кутия",
+        "mailbox_relayhost_info": "Прилага се за пощенската кутия и директните псевдоними само, пренарежда запис в картата на транспорта за домейн.",
+        "mailbox_rename": "Преименуване на пощенска кутия",
+        "mailbox_rename_agree": "Създадох резервно копие.",
+        "mailbox_rename_alias": "Автоматично създаване на псевдоним",
+        "mailbox_rename_title": "Ново локално име на пощенска кутия",
+        "mailbox_rename_warning": "ВНИМАНИЕ! Създайте резервно копие преди преименуване на пощенската кутия.",
+        "max_aliases": "Макс. псевдоними",
+        "max_mailboxes": "Макс. възможни пощенски кутии",
+        "max_quota": "Макс. квота за пощенска кутия (MiB)",
+        "maxage": "Максимална възраст на съобщенията в дни, които ще бъдат проверени от отдалечен<br><small>(0 = игнорирай възраст)</small>",
+        "maxbytespersecond": "Макс. байтове за секунда <br><small>(0 = неограничен)</small>",
+        "mbox_rl_info": "Това ограничение на скоростта се прилага върху SASL името за вход, то съвпада с всеки \"от\" адрес, използван от влезлия потребител. Ограничението на скоростта на пощенска кутия пренарежда ограничението на скоростта за домейн.",
+        "mins_interval": "Интервал (мин)",
+        "multiple_bookings": "Множествени резервации",
+        "nexthop": "Следващ хоп",
+        "none_inherit": "Без / Наследяване",
+        "password": "Парола",
+        "password_recovery_email": "Имейл за възстановяване на парола",
+        "password_repeat": "Потвърждаване на паролата (повторете)",
+        "previous": "Предишна страница",
+        "private_comment": "Частен коментар",
+        "public_comment": "Публичен коментар",
+        "pushover": "Pushover",
+        "pushover_evaluate_x_prio": "Ескалиране на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+        "pushover_info": "Настройките за известия на Pushover ще се прилагат за всички чисти (не-спам) съобщения, доставени до <b>%s</b>, включително псевдоними (споделени, несподелени, таговани).",
+        "pushover_only_x_prio": "Разглеждане само на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+        "pushover_sender_array": "Разглеждане само на следните адреси на изпращач <small>(разделени с запетая)</small>",
+        "pushover_sender_regex": "Разглеждане на следния regex на изпращач",
+        "pushover_sound": "Звук",
+        "pushover_text": "Текст на известието",
+        "pushover_title": "Заглавие на известието",
+        "pushover_vars": "Когато не е зададен филтър на изпращач, всички съобщения ще бъдат разглеждани.<br>Филтрите с регулярен израз, както и точните проверки на изпращач, могат да бъдат дефинирани индивидуално и ще бъдат разглеждани последователно. Те не зависят един от друг.<br>Използвайте следните променливи за текст и заглавие (моля, вземете предвид политиките за поверителност на данните)",
+        "pushover_verify": "Проверка на удостоверения",
+        "quota_mb": "Квота (MiB)",
+        "quota_warning_bcc": "Предупреждения за квота ще бъдат изпращани като отделни копия до следните получатели:",
+        "quota_warning_bcc_info": "Съобщенията ще бъдат изпратени с тема, допълнена с името на потребителя в скоби, например: <code>Предупреждение за квота (user@example.com)</code>.",
+        "ratelimit": "Ограничение на скоростта",
+        "redirect_uri": "URI за пренасочване/обратно извикване",
+        "relay_all": "Реле на всички получатели",
+        "relay_all_info": "↪ Ако изберете да <b>не</b> релеирате всички получатели, ще трябва да добавите (\"скрита\") пощенска кутия за всеки отделен получател, който трябва да бъде релеиран.",
+        "relay_domain": "Реле на този домейн",
+        "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Инфо</div> Можете да дефинирате транспортни карти за персонализирана дестинация за този домейн. Ако не е зададено, ще бъде направен MX lookup.",
+        "relay_unknown_only": "Реле на несъществуващи пощенски кутии. Съществуващите пощенски кутии ще бъдат доставени локално.",
+        "relayhost": "Транспорти, зависими от изпращач",
+        "remove": "Премахване",
+        "resource": "Ресурс",
+        "save": "Запазване на промените",
+        "scope": "Обхват",
+        "sender_acl": "Разрешаване на изпращане като",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Проверката на изпращач е деактивирана</span>",
+        "sender_acl_info": "Ако потребителят на пощенска кутия A е разрешен да изпраща като потребителя на пощенска кутия B, адресът на изпращач не се показва автоматично като избираем \"от\" поле в SOGo.<br>\r\n  Потребителят на пощенска кутия B трябва да създаде делегация в SOGo, за да разреши на потребителя на пощенска кутия A да избира техния адрес като изпращач. За да делегирате пощенска кутия в SOGo, използвайте менюто (три точки) вдясно от името на пощенската кутия в горния ляв ъгъл, докато сте в режим на поща. Това поведение не се прилага за адреси на псевдоними.",
+        "sieve_desc": "Кратко описание",
+        "sieve_type": "Тип на филтър",
+        "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
+        "sogo_access": "Директно препращане към SOGo",
+        "sogo_access_info": "След влизане, потребителят се пренасочва автоматично към SOGo.",
+        "sogo_visible": "Псевдонимът е видим в SOGo",
+        "sogo_visible_info": "Тази опция засяга само обекти, които могат да бъдат показани в SOGo (споделени или несподелени адреси на псевдоними, сочещи поне една локална пощенска кутия). Ако е скрит, псевдонимът няма да се появи като избираем адрес на изпращач в SOGo.",
+        "spam_alias": "Създаване или промяна на временни псевдоними",
+        "spam_filter": "Филтър за спам",
+        "spam_policy": "Добавяне или премахване на елементи към черния/бял списък",
+        "spam_score": "Задаване на персонализиран резултат за спам",
+        "subfolder2": "Синхронизиране в подпапка в дестинацията<br><small>(празно = не използвай подпапка)</small>",
+        "syncjob": "Редактиране на синхронизираща задача",
+        "target_address": "Адрес/и за пренасочване <small>(разделени с запетая)</small>",
+        "target_domain": "Целеви домейн",
+        "timeout1": "Таймаут за връзка с отдалечен хост",
+        "timeout2": "Таймаут за връзка с локален хост",
+        "title": "Редактиране на обект",
+        "unchanged_if_empty": "Ако не е променено, оставете празно",
+        "username": "Потребителско име",
+        "validate_save": "Валидиране и запазване"
+    },
+    "fido2": {
+        "confirm": "Потвърждаване",
+        "fido2_auth": "Вход с FIDO2",
+        "fido2_success": "Устройството е регистрирано успешно",
+        "fido2_validation_failed": "Проверката е неуспешна",
+        "fn": "Приятелско име",
+        "known_ids": "Известни идентификатори",
+        "none": "Деактивирано",
+        "register_status": "Състояние на регистрация",
+        "rename": "Преименуване",
+        "set_fido2": "Регистриране на FIDO2 устройство",
+        "set_fido2_touchid": "Регистриране на Touch ID на Apple M1",
+        "set_fn": "Задаване на приятелско име",
+        "start_fido2_validation": "Стартиране на проверка на FIDO2"
+    },
+    "footer": {
+        "cancel": "Отказ",
+        "confirm_delete": "Потвърждаване на изтриването",
+        "delete_now": "Изтриване сега",
+        "delete_these_items": "Моля, потвърдете промените за следния идентификатор на обект",
+        "hibp_check": "Проверка срещу haveibeenpwned.com",
+        "hibp_nok": "Съвпадение! Това е потенциално опасна парола!",
+        "hibp_ok": "Няма съвпадение.",
+        "loading": "Моля, изчакайте...",
+        "nothing_selected": "Няма избрани елементи",
+        "restart_container": "Рестартиране на контейнер",
+        "restart_container_info": "<b>Важно:</b> Грациозното рестартиране може да отнеме известно време за завършване, моля, изчакайте да приключи.",
+        "restart_now": "Рестартиране сега",
+        "restarting_container": "Рестартиране на контейнера, това може да отнеме известно време"
+    },
+    "header": {
+        "administration": "Конфигурация & Детайли",
+        "apps": "Приложения",
+        "debug": "Информация",
+        "email": "Имейл",
+        "mailcow_system": "Система",
+        "mailcow_config": "Конфигурация",
+        "quarantine": "Карантина",
+        "restart_netfilter": "Рестартиране на netfilter",
+        "restart_sogo": "Рестартиране на SOGo",
+        "user_settings": "Настройки на потребителя"
+    },
+    "info": {
+        "awaiting_tfa_confirmation": "Изчакване на потвърждение за TFA",
+        "no_action": "Няма приложимо действие",
+        "session_expires": "Вашата сесия ще изтече след около 15 секунди"
+    },
+    "login": {
+        "back_to_mailcow": "Обратно към mailcow",
+        "delayed": "Входът е забавен с %s секунди.",
+        "fido2_webauthn": "Вход с FIDO2/WebAuthn",
+        "forgot_password": "> Забравена парола?",
+        "invalid_pass_reset_token": "Токенът за нулиране на парола е невалиден или е изтекъл.<br>Моля, заявете нов линк за нулиране на парола.",
+        "login": "Вход",
+        "login_admin": "Вход на администратор",
+        "login_dadmin": "Вход на администратор на домейн",
+        "login_user": "Потребителски вход",
+        "mobileconfig_info": "Моля, влезте като потребител на пощенска кутия, за да изтеглите поискания Apple профил за връзка.",
+        "new_password": "Нова парола",
+        "new_password_confirm": "Потвърждаване на новата парола",
+        "other_logins": "или вход с",
+        "password": "Парола",
+        "request_reset_password": "Заявка за промяна на парола",
+        "reset_password": "Нулиране на парола",
+        "username": "Потребителско име"
+    },
+    "mailbox": {
+        "action": "Действие",
+        "activate": "Активиране",
+        "active": "Активен",
+        "add": "Добавяне",
+        "add_alias": "Добавяне на псевдоним",
+        "add_alias_expand": "Разширяване на псевдоним над домейни на псевдоними",
+        "add_bcc_entry": "Добавяне на запис в картата BCC",
+        "add_domain": "Добавяне на домейн",
+        "add_domain_alias": "Добавяне на псевдоним на домейн",
+        "add_domain_record_first": "Моля, добавете първо домейн",
+        "add_filter": "Добавяне на филтър",
+        "add_mailbox": "Добавяне на пощенска кутия",
+        "add_recipient_map_entry": "Добавяне на запис в картата на получатели",
+        "add_resource": "Добавяне на ресурс",
+        "add_template": "Добавяне на шаблон",
+        "add_tls_policy_map": "Добавяне на карта на политиката на TLS",
+        "address_rewriting": "Презаписване на адрес",
+        "alias": "Псевдоним",
+        "alias_domain_alias_hint": "Псевдонимите <b>не</b> се прилагат автоматично към домейни на псевдоними. Псевдонимът <code>my-alias@domain</code> <b>не</b> покрива адреса <code>my-alias@alias-domain</code> (където \"alias-domain\" е имагинерен псевдоним на домейн).<br>Моля, използвайте филтър на Sieve, за да пренасочите имейл към външна пощенска кутия (вижте раздела \"Филтри\" или SOGo -> Пренасочвач). Използвайте \"Разширяване на псевдоним над домейни на псевдоними\", за да добавите автоматично липсващи псевдоними.",
+        "alias_domain_backupmx": "Псевдонимът на домейн е неактивен за домейн за реле",
+        "aliases": "Псевдоними",
+        "all_domains": "Всички домейни",
+        "allow_from_smtp": "Разрешаване само на тези IP адреси да използват <b>SMTP</b>",
+        "allow_from_smtp_info": "Оставете празно, за да разрешите всички изпращачи.<br>IPv4/IPv6 адреси и мрежи.",
+        "allowed_protocols": "Разрешени протоколи",
+        "backup_mx": "Домейн за реле",
+        "bcc": "BCC",
+        "bcc_destination": "BCC дестинация",
+        "bcc_destinations": "BCC дестинации",
+        "bcc_info": "Картите BCC се използват, за да препращат тихо копия от всички съобщения до друг адрес. Записът от тип получател на карта се използва, когато локалната дестинация действа като получател на имейл. Записът от тип изпращач на карта се използва, когато локалната дестинация действа като изпращач на имейл. Локалната дестинация няма да бъде информирана за неуспешна доставка.",
+        "bcc_local_dest": "Локална дестинация",
+        "bcc_map": "Карта BCC",
+        "bcc_map_type": "Тип BCC",
+        "bcc_maps": "Карти BCC",
+        "bcc_rcpt_map": "Карта на получател",
+        "bcc_sender_map": "Карта на изпращач",
+        "bcc_to_rcpt": "Превключване към карта на получател",
+        "bcc_to_sender": "Превключване към карта на изпращач",
+        "bcc_type": "Тип BCC",
+        "booking_null": "Винаги показване като свободен",
+        "booking_0_short": "Винаги свободен",
+        "booking_custom": "Твърдо ограничение до определен брой резервации",
+        "booking_custom_short": "Твърдо ограничение",
+        "booking_ltnull": "Неограничено, но показване като заето, когато е резервирано",
+        "booking_lt0_short": "Меко ограничение",
+        "catch_all": "Catch-All",
+        "created_on": "Създаден на",
+        "daily": "Ежедневно",
+        "deactivate": "Деактивиране",
+        "description": "Описание",
+        "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
+        "disable_x": "Деактивиране",
+        "dkim_domains_selector": "Селектор",
+        "dkim_key_length": "Дължина на DKIM ключа (битове)",
+        "domain": "Домейн",
+        "domain_admins": "Администратори на домейн",
+        "domain_aliases": "Псевдоними на домейн",
+        "domain_templates": "Шаблони за домейн",
+        "domain_quota": "Квота",
+        "domain_quota_total": "Обща квота на домейна",
+        "domains": "Домейни",
+        "edit": "Редактиране",
+        "empty": "Няма резултати",
+        "enable_x": "Активиране",
+        "excludes": "Изключване",
+        "filter_table": "Таблица с филтри",
+        "filters": "Филтри",
+        "fname": "Пълно име",
+        "force_pw_update": "Принудително обновяване на парола при следващия вход",
+        "gal": "Глобален адресен списък",
+        "goto_ham": "Учен като <span class=\"text-success\"><b>не е спам</b></span>",
+        "goto_spam": "Учен като <span class=\"text-danger\"><b>спам</b></span>",
+        "hourly": "Часово",
+        "iam": "Доставчик на идентичност",
+        "in_use": "В употреба (%)",
+        "inactive": "Неактивен",
+        "insert_preset": "Вмъкване на примерен предефиниран набор \"%s\"",
+        "kind": "Вид",
+        "last_mail_login": "Последен вход в пощата",
+        "last_modified": "Последно модифициране",
+        "last_pw_change": "Последна промяна на парола",
+        "last_run": "Последно изпълнение",
+        "last_run_reset": "Задаване на следващо",
+        "mailbox": "Пощенска кутия",
+        "mailbox_defaults": "Настройки по подразбиране",
+        "mailbox_defaults_info": "Дефинирайте настройки по подразбиране за нови пощенски кутии.",
+        "mailbox_defquota": "Размер по подразбиране на пощенска кутия",
+        "mailbox_templates": "Шаблони за пощенска кутия",
+        "mailbox_quota": "Макс. размер на пощенска кутия",
+        "mailboxes": "Пощенски кутии",
+        "max_aliases": "Макс. псевдоними",
+        "max_mailboxes": "Макс. възможни пощенски кутии",
+        "max_quota": "Макс. квота за пощенска кутия",
+        "mins_interval": "Интервал (мин)",
+        "msg_num": "Съобщение №",
+        "multiple_bookings": "Множествени резервации",
+        "never": "Никога",
+        "no": "&#10005;",
+        "no_record": "Няма запис за обект %s",
+        "no_record_single": "Няма запис",
+        "open_logs": "Отваряне на логове",
+        "owner": "Собственик",
+        "private_comment": "Частен коментар",
+        "public_comment": "Публичен коментар",
+        "q_add_header": "при преместване в папката за нежелана поща",
+        "q_all": " при преместване в папката за нежелана поща и при отхвърляне",
+        "q_reject": "при отхвърляне",
+        "quarantine_category": "Категория на уведомленията за карантина",
+        "quarantine_notification": "Уведомления за карантина",
+        "quick_actions": "Действия",
+        "recipient": "Получател",
+        "recipient_map": "Карта на получател",
+        "recipient_map_info": "Картите на получател се използват, за да се замени адресът на дестинация на съобщението, преди да бъде доставено.",
+        "recipient_map_new": "Нов получател",
+        "recipient_map_new_info": "Дестинацията на картата на получател трябва да бъде валиден имейл адрес или име на домейн.",
+        "recipient_map_old": "Оригинален получател",
+        "recipient_map_old_info": "Оригиналната дестинация на картата на получател трябва да бъде валиден имейл адрес или име на домейн.",
+        "recipient_maps": "Карти на получател",
+        "relay_all": "Реле на всички получатели",
+        "relay_unknown": "Реле на несъществуващи пощенски кутии",
+        "remove": "Премахване",
+        "resources": "Ресурси",
+        "running": "Изпълнява се",
+        "sender": "Изпращач",
+        "set_postfilter": "Маркиране като постфилтър",
+        "set_prefilter": "Маркиране като префилтър",
+        "sieve_info": "Можете да запазите множество филтри за всеки потребител, но само един префилтър и един постфилтър могат да бъдат активни едновременно.<br>\r\nВсеки филтър ще бъде обработен в описания ред. Нито един неуспешен скрипт, нито издадена команда \"keep;\" няма да спре обработката на следващите скриптове. Промените в глобалните филтри на sieve ще предизвикат рестартиране на Dovecot.<br><br>Глобален префилтър на sieve &#8226; Префилтър &#8226; Потребителски скриптове &#8226; Постфилтър &#8226; Глобален постфилтър на sieve",
+        "sieve_preset_1": "Изтриване на съобщения с потенциално опасни типове файлове",
+        "sieve_preset_2": "Винаги маркиране на имейла на определен изпращач като прочетен",
+        "sieve_preset_3": "Тихо изтриване, спиране на всякаква допълнителна обработка на sieve филтри",
+        "sieve_preset_4": "Архивиране на съобщението във ВХОДНА, пропускане на допълнителна обработка от sieve филтри",
+        "sieve_preset_5": "Автоотговор (ваканция)",
+        "sieve_preset_6": "Отхвърляне на съобщение с отговор",
+        "sieve_preset_7": "Пренасочване и запазване/изтриване",
+        "sieve_preset_8": "Пренасочване на имейл от определен изпращач, маркиране като прочетен и сортиране в подпапка",
+        "sieve_preset_header": "Моля, вижте примерните предефинирани набори по-долу. За повече детайли вижте <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a>.",
+        "sogo_visible": "Псевдонимът е видим в SOGo",
+        "sogo_visible_n": "Скриване на псевдоним в SOGo",
+        "sogo_visible_y": "Показване на псевдоним в SOGo",
+        "spam_aliases": "Времеви псевдоними",
+        "stats": "Статистика",
+        "status": "Статус",
+        "sync_jobs": "Синхронизиращи задачи",
+        "syncjob_check_log": "Проверка на лога",
+        "syncjob_last_run_result": "Резултат от последното изпълнение",
+        "syncjob_EX_OK": "Успех",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Проблем с връзката",
+        "syncjob_EXIT_TLS_FAILURE": "Проблем с криптираната връзка",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Проблем с удостоверяването",
+        "syncjob_EXIT_OVERQUOTA": "Целевата пощенска кутия е над квотата",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Не може да се свърже с отдалечен сървър",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Грешно потребителско име или парола",
+        "table_size": "Размер на таблицата",
+        "table_size_show_n": "Показване на %s елемента",
+        "target_address": "Адрес за пренасочване",
+        "target_domain": "Целеви домейн",
+        "templates": "Шаблони",
+        "template": "Шаблон",
+        "tls_enforce_in": "Принудително използване на TLS за входящи",
+        "tls_enforce_out": "Принудително използване на TLS за изходящи",
+        "tls_map_dest": "Дестинация",
+        "tls_map_dest_info": "Примери: example.org, .example.org, [mail.example.org]:25",
+        "tls_map_parameters": "Параметри",
+        "tls_map_parameters_info": "Празно или параметри, например: protocols=!SSLv2 ciphers=medium exclude=3DES",
+        "tls_map_policy": "Политика",
+        "tls_policy_maps": "Пренареждания на политиката на TLS",
+        "tls_policy_maps_enforced_tls": "Тези политики ще пренареждат и поведението за потребители на пощенски кутии, които принудително използват изходящи TLS връзки. Ако няма политика, съществуваща по-долу, тези потребители ще приложат стойностите по подразбиране, зададени като <code>smtp_tls_mandatory_protocols</code> и <code>smtp_tls_mandatory_ciphers</code>.",
+        "tls_policy_maps_info": "Тази политика за пренареждане на TLS транспортни правила е независима от настройките за политика на TLS на потребителя.<br>\r\n  Моля, вижте <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">документацията за \"smtp_tls_policy_maps\"</a> за повече информация.",
+        "tls_policy_maps_long": "Пренареждания на политиката на TLS за изходящи",
+        "toggle_all": "Превключване на всички",
+        "username": "Потребителско име",
+        "waiting": "Изчакване",
+        "weekly": "Седмично",
+        "yes": "&#10003;"
+    },
+    "oauth2": {
+        "access_denied": "Моля, влезте като собственик на пощенска кутия, за да удостоверите чрез OAuth2.",
+        "authorize_app": "Удостоверяване на приложение",
+        "deny": "Отказ",
+        "permit": "Удостоверяване на приложение",
+        "profile": "Профил",
+        "profile_desc": "Преглед на лични данни: потребителско име, пълно име, създадено, модифицирано, активно",
+        "scope_ask_permission": "Приложението заявява следните разрешения"
+    },
+    "quarantine": {
+        "action": "Действие",
+        "atts": "Прикачени файлове",
+        "check_hash": "Търсене на файлов хеш в VirusTotal",
+        "confirm": "Потвърждаване",
+        "confirm_delete": "Потвърждаване на изтриването на този елемент.",
+        "danger": "Опасност",
+        "deliver_inbox": "Доставяне в пощенската кутия",
+        "disabled_by_config": "Текущата системна конфигурация деактивира функционалността на карантината. Моля, задайте \"задържания за пощенска кутия\" и \"максимален размер\" за елементите на карантината.",
+        "download_eml": "Изтегляне (.eml)",
+        "empty": "Няма резултати",
+        "high_danger": "Висока",
+        "info": "Информация",
+        "junk_folder": "Папка за нежелана поща",
+        "learn_spam_delete": "Учен като спам и изтриване",
+        "low_danger": "Ниска",
+        "medium_danger": "Средна",
+        "neutral_danger": "Неутрална",
+        "notified": "Уведомен",
+        "qhandler_success": "Заявката е изпратена успешно до системата. Можете да затворите прозореца сега.",
+        "qid": "QID на Rspamd",
+        "qinfo": "Системата за карантина ще запази отхвърлените съобщения в базата данни (изпращачът няма да бъде информиран за доставеното съобщение) както и съобщенията, доставени като копие в папката за нежелана поща на пощенска кутия.<br> <br>\"Учен като спам и изтриване\" ще научи съобщението като спам чрез теоремата на Бейс и също ще изчисли размити хешове, за да отхвърли подобни съобщения в бъдеще.<br> <br>Моля, имайте предвид, че обучаването на множество съобщения може да бъде - в зависимост от вашата система - времеемко.<br>Елементите в черния списък са изключени от карантината.",
+        "qitem": "Елемент в карантина",
+        "quarantine": "Карантина",
+        "quick_actions": "Действия",
+        "quick_delete_link": "Отваряне на бърз линк за изтриване",
+        "quick_info_link": "Отваряне на бърз информационен линк",
+        "quick_release_link": "Отваряне на бърз линк за освобождане",
+        "rcpt": "Получател",
+        "received": "Получено",
+        "recipients": "Получатели",
+        "refresh": "Опресняване",
+        "rejected": "Отхвърлено",
+        "release": "Освобождане",
+        "release_body": "Прикаченото съобщение е добавено към това съобщение.",
+        "release_subject": "Потенциално вреден елемент в карантина %s",
+        "remove": "Премахване",
+        "rewrite_subject": "Презаписване на темата",
+        "rspamd_result": "Резултат от Rspamd",
+        "sender": "Изпращач (SMTP)",
+        "sender_header": "Изпращач (\"From\" заглавие)",
+        "settings_info": "Максимален брой елементи за карантиниране: %s<br>Максимален размер на имейл: %s MiB",
+        "show_item": "Показване на елемент",
+        "spam": "Спам",
+        "spam_score": "Резултат",
+        "subj": "Тема",
+        "table_size": "Размер на таблицата",
+        "table_size_show_n": "Показване на %s елемента",
+        "text_from_html_content": "Съдържание (конвертиран HTML)",
+        "text_plain_content": "Съдържание (обикновен текст)",
+        "toggle_all": "Превключване на всички",
+        "type": "Тип"
+    },
+    "queue": {
+        "delete": "Изтриване на всички",
+        "flush": "Изчистване на опашката",
+        "info": "Опашката на имейлите съдържа всички имейли, които чакат за доставка. Ако имейлът е засечен в опашката за дълго време, той автоматично се изтрива от системата.<br>Съобщението за грешка на съответния имейл дава информация защо имейлът не може да бъде доставен.",
+        "legend": "Функции на действията в опашката на имейлите:",
+        "ays": "Моля, потвърдете, че искате да изтриете всички елементи от текущата опашка.",
+        "deliver_mail": "Доставяне",
+        "deliver_mail_legend": "Опит за повторно доставяне на избраните съобщения.",
+        "hold_mail": "Задържане",
+        "hold_mail_legend": "Задържа избраните съобщения. (Предотвратява допълнителни опити за доставяне)",
+        "queue_manager": "Мениджър на опашката",
+        "show_message": "Показване на съобщение",
+        "unban": "разблокиране на опашката",
+        "unhold_mail": "Освобождаване",
+        "unhold_mail_legend": "Освобождава избраните съобщения за доставка. (Изисква предварително задържане)"
+    },
+    "ratelimit": {
+        "disabled": "Деактивирано",
+        "second": "съобщения/секунда",
+        "minute": "съобщения/минута",
+        "hour": "съобщения/час",
+        "day": "съобщения/ден"
+    },
+    "start": {
+        "help": "Показване/Скриване на панела за помощ",
+        "imap_smtp_server_auth_info": "Моля, използвайте пълния си имейл адрес и механизма за удостоверяване PLAIN.<br>\r\nВашите данни за вход ще бъдат криптирани от сървърната страна чрез задължително сървърно криптиране."
+    },
+    "success": {
+        "acl_saved": "ACL за обект %s е запазен",
+        "admin_added": "Администраторът %s е добавен",
+        "admin_api_modified": "Промените в API са запазени",
+        "admin_modified": "Промените в администратора са запазени",
+        "admin_removed": "Администраторът %s е премахнат",
+        "alias_added": "Адресът на псевдонима %s (%d) е добавен",
+        "alias_domain_removed": "Домейнът на псевдонима %s е премахнат",
+        "alias_modified": "Промените в адреса на псевдонима %s са запазени",
+        "alias_removed": "Псевдонимът %s е премахнат",
+        "aliasd_added": "Добавен домейн на псевдоним %s",
+        "aliasd_modified": "Промените в домейна на псевдоним %s са запазени",
+        "app_links": "Запазени промени в линковете на приложенията",
+        "app_passwd_added": "Добавена нова парола за приложение",
+        "app_passwd_removed": "Премахната парола за приложение с ID %s",
+        "bcc_deleted": "Записи в картата BCC са изтрити: %s",
+        "bcc_edited": "Записът в картата BCC %s е редактиран",
+        "bcc_saved": "Записът в картата BCC е запазен",
+        "cors_headers_edited": "Настройките на CORS са запазени",
+        "db_init_complete": "Инициализацията на базата данни е завършена",
+        "delete_filter": "Изтрити филтри с ID %s",
+        "delete_filters": "Изтрити филтри: %s",
+        "deleted_syncjob": "Изтрита синхронизираща задача с ID %s",
+        "deleted_syncjobs": "Изтрити синхронизиращи задачи: %s",
+        "dkim_added": "Добавен DKIM ключ %s",
+        "dkim_duplicated": "DKIM ключът за домейн %s е копиран в %s",
+        "dkim_removed": "DKIM ключът %s е премахнат",
+        "domain_add_dkim_available": "DKIM ключът вече съществува",
+        "domain_added": "Добавен домейн %s",
+        "domain_admin_added": "Добавен администратор на домейн %s",
+        "domain_admin_modified": "Промените в администратора на домейн %s са запазени",
+        "domain_admin_removed": "Администраторът на домейн %s е премахнат",
+        "domain_footer_modified": "Промените в подвала на домейн %s са запазени",
+        "domain_modified": "Промените в домейн %s са запазени",
+        "domain_removed": "Домейнът %s е премахнат",
+        "dovecot_restart_success": "Dovecot е рестартиран успешно",
+        "eas_reset": "Устройствата с ActiveSync за потребителя %s са нулирани",
+        "f2b_banlist_refreshed": "Списъкът с ID на блокираните е актуализиран успешно.",
+        "f2b_modified": "Промените в параметрите на Fail2ban са запазени",
+        "forwarding_host_added": "Добавен хост за препращане %s",
+        "forwarding_host_removed": "Премахнат хост за препращане %s",
+        "global_filter_written": "Филтърът е записан успешно във файл",
+        "hash_deleted": "Хешът е изтрит",
+        "iam_test_connection": "Връзката е успешна",
+        "ip_check_opt_in_modified": "Проверката на IP беше успешно запазена",
+        "item_deleted": "Елементът %s е изтрит успешно",
+        "item_released": "Елементът %s е освободен",
+        "items_deleted": "Елементът %s е изтрит успешно",
+        "items_released": "Избраните елементи са освободени",
+        "learned_ham": "Успешно научен ID %s като не е спам",
+        "license_modified": "Промените в лиценза са запазени",
+        "logged_in_as": "Вписан като %s",
+        "mailbox_added": "Пощенската кутия %s е добавена",
+        "mailbox_modified": "Промените в пощенската кутия %s са запазени",
+        "mailbox_removed": "Пощенската кутия %s е премахната",
+        "mailbox_renamed": "Пощенската кутия е преименувана от %s на %s",
+        "nginx_reloaded": "Nginx е презареден",
+        "object_modified": "Промените в обект %s са запазени",
+        "password_changed_success": "Паролата е променена успешно",
+        "password_policy_saved": "Политиката за парола е запазена успешно",
+        "pushover_settings_edited": "Настройките на Pushover са запазени успешно, моля, проверете удостоверенията.",
+        "qlearn_spam": "Съобщението с ID %s е научено като спам и изтрито",
+        "queue_command_success": "Командата на опашката е завършена успешно",
+        "recipient_map_entry_deleted": "Записът в картата на получател с ID %s е изтрит",
+        "recipient_map_entry_saved": "Записът в картата на получател \"%s\" е запазен",
+        "recovery_email_sent": "Изпратен имейл за възстановяване до %s",
+        "relayhost_added": "Записът в картата %s е добавен",
+        "relayhost_removed": "Записът в картата %s е премахнат",
+        "reset_main_logo": "Нулиране на логото по подразбиране",
+        "resource_added": "Ресурсът %s е добавен",
+        "resource_modified": "Промените в пощенската кутия %s са запазени",
+        "resource_removed": "Ресурсът %s е премахнат",
+        "rl_saved": "Ограничението на скоростта за обект %s е запазено",
+        "rspamd_ui_pw_set": "Паролата на UI на Rspamd е зададена успешно",
+        "saved_settings": "Запазени настройки",
+        "settings_map_added": "Добавен запис в картата с настройки",
+        "settings_map_removed": "Премахнат запис в картата с настройки с ID %s",
+        "sogo_profile_reset": "Профилът на SOGo за потребителя %s е нулиран",
+        "template_added": "Добавен шаблон %s",
+        "template_modified": "Промените в шаблон %s са запазени",
+        "template_removed": "Шаблонът с ID %s е премахнат",
+        "tls_policy_map_entry_deleted": "Записът в картата на политиката на TLS с ID %s е изтрит",
+        "tls_policy_map_entry_saved": "Записът в картата на политиката на TLS \"%s\" е запазен",
+        "ui_texts": "Запазени промени в текстовете на UI",
+        "upload_success": "Файлът е качен успешно",
+        "verified_fido2_login": "Потвърдено вход с FIDO2",
+        "verified_totp_login": "Потвърдено вход с TOTP",
+        "verified_webauthn_login": "Потвърдено вход с WebAuthn",
+        "verified_yotp_login": "Потвърдено вход с Yubico OTP"
+    },
+    "tfa": {
+        "authenticators": "Аутентикатори",
+        "api_register": "%s използва облачното API на Yubico. Моля, вземете API ключ за вашия ключ <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">тук</a>",
+        "confirm": "Потвърждаване",
+        "confirm_totp_token": "Моля, потвърдете промените, като въведете генерирания токен",
+        "delete_tfa": "Деактивиране на TFA",
+        "disable_tfa": "Деактивиране на TFA до следващия успешен вход",
+        "enter_qr_code": "Вашият TOTP код, ако вашето устройство не може да сканира QR кодове",
+        "error_code": "Код на грешка",
+        "init_webauthn": "Инициализиране, моля, изчакайте...",
+        "key_id": "Идентификатор за вашето устройство",
+        "key_id_totp": "Идентификатор за вашия ключ",
+        "none": "Деактивиране",
+        "reload_retry": "- (презаредете браузъра, ако грешката продължи)",
+        "scan_qr_code": "Моля, сканирайте следния код с вашето приложение за аутентикация или въведете кода ръчно.",
+        "select": "Моля, изберете",
+        "set_tfa": "Задаване на метод за двуфакторно удостоверяване",
+        "start_webauthn_validation": "Стартиране на проверка",
+        "tfa": "Двуфакторно удостоверяване",
+        "tfa_token_invalid": "Невалиден токен за TFA",
+        "totp": "Временен OTP (Google Authenticator, Authy и др.)",
+        "u2f_deprecated": "Изглежда, че вашият ключ е регистриран с депрекирания метод U2F. Ще деактивираме двуфакторното удостоверяване за вас и ще изтрием вашия ключ.",
+        "u2f_deprecated_important": "Моля, регистрирайте вашия ключ в административния панел с новия метод WebAuthn.",
+        "webauthn": "Удостоверяване с WebAuthn",
+        "waiting_usb_auth": "<i>Изчакване на USB устройство...</i><br><br>Моля, докоснете бутона на вашето USB устройство сега.",
+        "waiting_usb_register": "<i>Изчакване на USB устройство...</i><br><br>Моля, въведете паролата си по-горе и потвърдете регистрацията си, като докоснете бутона на вашето USB устройство.",
+        "yubi_otp": "Удостоверяване с Yubico OTP"
+    },
+    "user": {
+        "action": "Действие",
+        "active": "Активен",
+        "active_sieve": "Активен филтър",
+        "advanced_settings": "Разширени настройки",
+        "alias": "Псевдоним",
+        "alias_create_random": "Генериране на случаен псевдоним",
+        "alias_extend_all": "Удължаване на всички псевдоними с 1 час",
+        "alias_full_date": "d.m.Y, H:i:s T",
+        "alias_remove_all": "Премахване на всички псевдоними",
+        "alias_select_validity": "Период на валидност",
+        "alias_time_left": "Оставащо време",
+        "alias_valid_until": "Валиден до",
+        "aliases_also_send_as": "Разрешено да изпраща и като потребител",
+        "aliases_send_as_all": "Не проверявай достъпа на изпращач за следните домейни и техните псевдоними",
+        "allowed_protocols": "Разрешени протоколи",
+        "app_hint": "Паролите за приложения са алтернативни пароли за вашия IMAP, SMTP, CalDAV, CardDAV и EAS вход. Потребителското име остава непроменено. SOGo уеб пощата не е достъпна чрез пароли за приложения.",
+        "app_name": "Име на приложението",
+        "app_passwds": "Пароли за приложения",
+        "apple_connection_profile": "Профил за връзка на Apple",
+        "apple_connection_profile_complete": "Този профил за връзка включва настройки за IMAP и SMTP, както и пътища за CalDAV (календари) и CardDAV (контакти) за устройство на Apple.",
+        "apple_connection_profile_mailonly": "Този профил за връзка включва настройки за IMAP и SMTP за устройство на Apple.",
+        "apple_connection_profile_with_app_password": "Генерирана е нова парола за приложение и е добавена към профила, така че не е необходимо да се въвежда парола при настройката на вашето устройство. Моля, не споделяйте файла, тъй като той предоставя пълен достъп до вашата пощенска кутия.",
+        "attribute": "Атрибут",
+        "authentication": "Удостоверяване",
+        "change_password": "Промяна на парола",
+        "change_password_hint_app_passwords": "Вашият акаунт има %d пароли за приложения, които няма да бъдат променени. За управление на тях, отидете в раздела \"Пароли за приложения\".",
+        "clear_recent_successful_connections": "Изчистване на видимите успешни връзки",
+        "client_configuration": "Показване на ръководства за настройка на пощенски клиенти и смартфони",
+        "create_app_passwd": "Създаване на парола за приложение",
+        "create_syncjob": "Създаване на нова синхронизираща задача",
+        "created_on": "Създаден на",
+        "daily": "Ежедневно",
+        "day": "ден",
+        "delete_ays": "Моля, потвърдете процеса на изтриване.",
+        "description": "Описание",
+        "direct_aliases": "Директни адреси на псевдоними",
+        "direct_aliases_desc": "Директните адреси на псевдоними се засягат от настройките за филтър за спам и политика за TLS.",
+        "direct_protocol_access": "Този потребител на пощенска кутия има <b>директен, външен достъп</b> до следните протоколи и приложения. Тази настройка се контролира от вашия администратор. Паролите за приложения могат да бъдат създадени, за да се предостави достъп до отделни протоколи и приложения.<br>Бутонът \"Уеб поща\" предоставя еднократно удостоверяване към SOGo и винаги е достъпен.",
+        "eas_reset": "Нулиране на кеша на устройствата с ActiveSync",
+        "eas_reset_help": "В много случаи нулирането на кеша на устройството ще помогне за възстановяването на повреден профил на ActiveSync.<br><b>Внимание:</b> Всички елементи ще бъдат презаредени!",
+        "eas_reset_now": "Нулиране сега",
+        "edit": "Редактиране",
+        "email": "Имейл",
+        "email_and_dav": "Имейл, календари и контакти",
+        "empty": "Няма резултати",
+        "encryption": "Криптиране",
+        "excludes": "Изключване",
+        "expire_in": "Изтича след",
+        "fido2_webauthn": "FIDO2/WebAuthn",
+        "force_pw_update": "Трябва да зададете нова парола, за да имате достъп до груповите услуги.",
+        "from": "от",
+        "generate": "генериране",
+        "hour": "час",
+        "hourly": "Часово",
+        "hours": "часа",
+        "in_use": "В употреба",
+        "interval": "Интервал",
+        "is_catch_all": "Catch-all за домейн/и",
+        "last_mail_login": "Последен вход в пощата",
+        "last_pw_change": "Последна промяна на парола",
+        "last_run": "Последно изпълнение",
+        "last_ui_login": "Последен вход в UI",
+        "loading": "Зареждане...",
+        "login_history": "История на входовете",
+        "mailbox": "Пощенска кутия",
+        "mailbox_details": "Детайли",
+        "mailbox_general": "Общи",
+        "mailbox_settings": "Настройки",
+        "messages": "съобщения",
+        "month": "месец",
+        "months": "месеца",
+        "never": "Никога",
+        "new_password": "Нова парола",
+        "new_password_repeat": "Потвърждаване на новата парола",
+        "no_active_filter": "Няма активен филтър",
+        "no_last_login": "Няма информация за последен вход в UI",
+        "no_record": "Няма запис",
+        "open_logs": "Отваряне на логове",
+        "open_webmail_sso": "Уеб поща",
+        "overview": "Преглед",
+        "password": "Парола",
+        "password_now": "Текуща парола (потвърждаване на промените)",
+        "password_repeat": "Парола (повторете)",
+        "password_reset_info": "Ако не е зададен имейл за възстановяване на парола, тази функция не може да бъде използвана.",
+        "protocols": "Протоколи",
+        "pushover_evaluate_x_prio": "Ескалиране на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+        "pushover_info": "Настройките за известия на Pushover ще се прилагат за всички чисти (не-спам) съобщения, доставени до <b>%s</b>, включително псевдоними (споделени, несподелени, таговани).",
+        "pushover_only_x_prio": "Разглеждане само на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
+        "pushover_sender_array": "Разглеждане на следните адреси на изпращач <small>(разделени с запетая)</small>",
+        "pushover_sender_regex": "Съвпадение на изпращач с следния regex",
+        "pushover_sound": "Звук",
+        "pushover_text": "Текст на известието",
+        "pushover_title": "Заглавие на известието",
+        "pushover_vars": "Когато не е зададен филтър на изпращач, всички съобщения ще бъдат разглеждани.<br>Филтрите с регулярен израз, както и точните проверки на изпращач, могат да бъдат дефинирани индивидуално и ще бъдат разглеждани последователно. Те не зависят един от друг.<br>Използвайте следните променливи за текст и заглавие (моля, вземете предвид политиките за поверителност на данните)",
+        "pushover_verify": "Проверка на удостоверения",
+        "pw_recovery_email": "Имейл за възстановяване на парола",
+        "q_add_header": "Папка за нежелана поща",
+        "q_all": "Всички категории",
+        "q_reject": "Отхвърлени",
+        "quarantine_category": "Категория на уведомленията за карантина",
+        "quarantine_category_info": "Категорията \"Отхвърлени\" включва съобщения, които са били отхвърлени, докато категорията \"Папка за нежелана поща\" ще уведоми потребителя за съобщения, които са били поставени в папката за нежелана поща.",
+        "quarantine_notification": "Уведомления за карантина",
+        "quarantine_notification_info": "След като уведомлението е изпратено, елементите ще бъдат маркирани като \"уведомени\" и няма да бъдат изпращани допълнителни уведомления за този конкретен елемент.",
+        "recent_successful_connections": "Видими успешни връзки",
+        "remove": "Премахване",
+        "running": "Изпълнява се",
+        "save": "Запазване на промените",
+        "save_changes": "Запазване на промените",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Проверката на изпращач е деактивирана</span>",
+        "shared_aliases": "Споделени адреси на псевдоними",
+        "shared_aliases_desc": "Споделените псевдоними не се засягат от настройките за филтър за спам и политика за TLS на потребителя. Съответните настройки за спам филтър могат да бъдат направени само от администратор като настройка за домейн.",
+        "show_sieve_filters": "Показване на активния потребителски филтър на sieve",
+        "sogo_profile_reset": "Нулиране на профила на SOGo",
+        "sogo_profile_reset_help": "Това ще унищожи профила на SOGo и <b>ще изтрие всички данни за контакти и календар безвъзвратно</b>.",
+        "sogo_profile_reset_now": "Нулиране сега",
+        "spam_aliases": "Временни адреси на псевдоними",
+        "spam_score_reset": "Нулиране до настройките на сървъра по подразбиране",
+        "spamfilter": "Филтър за спам",
+        "spamfilter_behavior": "Рейтинг",
+        "spamfilter_bl": "Черен списък",
+        "spamfilter_bl_desc": "Адресите в черния списък <b>винаги</b> ще бъдат класифицирани като спам и отхвърлени. Отхвърлените съобщения <b>не</b> ще бъдат копирани в карантина. Поддържат се уайлдкардове.<br>Отхвърлените съобщения няма да бъдат доставени до папката за нежелана поща.",
+        "spamfilter_default_score": "Стойности по подразбиране",
+        "spamfilter_green": "Зелено: това съобщение не е спам",
+        "spamfilter_hint": "Първата стойност описва \"нисък резултат за спам\", втората представлява \"висок резултат за спам\".",
+        "spamfilter_red": "Червено: това съобщение е спам и ще бъде отхвърлено от сървъра",
+        "spamfilter_table_action": "Действие",
+        "spamfilter_table_add": "Добавяне на елемент",
+        "spamfilter_table_domain_policy": "политика на домейна",
+        "spamfilter_table_empty": "Няма данни за показване",
+        "spamfilter_table_remove": "премахване",
+        "spamfilter_table_rule": "Правило",
+        "spamfilter_wl": "Бял списък",
+        "spamfilter_wl_desc": "Адресите в белия списък <b>никога</b> ще бъдат класифицирани като спам. Поддържат се уайлдкардове.<br>Съобщенията, които не са класифицирани като спам, ще бъдат доставени в папката за нежелана поща, ако резултатът за спам е над стойността за висок резултат за спам.",
+        "spamfilter_yellow": "Жълто: това съобщение може да е спам, ще бъде маркирано като спам и преместено в папката за нежелана поща",
+        "status": "Статус",
+        "sync_jobs": "Синхронизиращи задачи",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Проблем с удостоверяването",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Грешно потребителско име или парола",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Проблем с връзката",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Не може да се свърже с отдалечен сървър",
+        "syncjob_EXIT_OVERQUOTA": "Целевата пощенска кутия е над квотата",
+        "syncjob_EXIT_TLS_FAILURE": "Проблем с криптираната връзка",
+        "syncjob_EX_OK": "Успех",
+        "syncjob_check_log": "Проверка на лога",
+        "syncjob_last_run_result": "Резултат от последното изпълнение",
+        "tag_handling": "Настройка за тагове",
+        "tag_help_example": "Пример за тагован имейл адрес: me<b>+Facebook</b>@example.org",
+        "tag_help_explain": "В подпапка: ще бъде създадена нова подпапка под INBOX (\"INBOX/Facebook\").<br>\r\nВ тема: първото име на тага ще бъде добавено към темата на съобщението, например: \"[Facebook] Моите новини\".",
+        "tag_in_none": "Не прави нищо",
+        "tag_in_subfolder": "В подпапка",
+        "tag_in_subject": "В тема",
+        "text": "Текст",
+        "tfa_info": "Двуфакторното удостоверяване помага за защита на вашия акаунт. Ако го активирате, ще ви трябват пароли за приложения, за да влезете в приложения или услуги, които не поддържат двуфакторно удостоверяване (напр. пощенски клиенти).",
+        "title": "Заглавие",
+        "tls_enforce_in": "Принудително използване на TLS за входящи",
+        "tls_enforce_out": "Принудително използване на TLS за изходящи",
+        "tls_policy": "Политика за криптиране",
+        "tls_policy_warning": "<strong>Внимание:</strong> Ако решите да принудите преноса на криптирани съобщения, може да загубите съобщения.<br>Съобщенията, които не удовлетворяват политиката, ще бъдат върнати с твърдо отхвърляне от системата за поща.<br>Тази опция засяга вашия основен адрес на пощенска кутия (логин име), всички адреси, произтичащи от домейни на псевдоними, както и адреси на псевдоними, <b>с единствена целева пощенска кутия</b>.",
+        "user_settings": "Настройки на потребителя",
+        "username": "Потребителско име",
+        "value": "Стойност",
+        "verify": "Проверка",
+        "waiting": "Изчакване",
+        "week": "седмица",
+        "weekly": "Weekly",
+        "weeks": "седмици",
+        "with_app_password": "с парола за приложение",
+        "year": "година",
+        "years": "години"
+    },
+    "warning": {
+        "cannot_delete_self": "Не може да изтриете влезлия потребител",
+        "domain_added_sogo_failed": "Добавен домейн, но неуспешно рестартиране на SOGo, моля, проверете системните логове.",
+        "dovecot_restart_failed": "Dovecot не успя да рестартира, моля, проверете логовете",
+        "fuzzy_learn_error": "Грешка при обучение на размит хеш: %s",
+        "hash_not_found": "Хешът не е намерен или вече е изтрит",
+        "ip_invalid": "Пропуснат невалиден IP: %s",
+        "is_not_primary_alias": "Пропуснат неосновен псевдоним %s",
+        "no_active_admin": "Не може да деактивирате последния активен администратор",
+        "quota_exceeded_scope": "Квотата на домейна е надвишена: Само неограничени пощенски кутии могат да бъдат създадени в този домейн.",
+        "session_token": "Невалиден формулярен токен: Несъответствие на токена.",
+        "session_ua": "Невалиден формулярен токен: Грешка при проверка на User-Agent."
     }
-  },
-  "debug": {
-    "architecture": "Архитектура",
-    "chart_this_server": "Графика (този сървър)",
-    "containers_info": "Информация за контейнерите",
-    "container_running": "Изпълнява се",
-    "container_disabled": "Контейнерът е спрян или деактивиран",
-    "container_stopped": "Спрян",
-    "cores": "Ядра",
-    "current_time": "Системно време",
-    "disk_usage": "Използване на диска",
-    "docs": "Документи",
-    "error_show_ip": "Не може да се разреши публичния IP адрес",
-    "external_logs": "Външни логове",
-    "history_all_servers": "История (всички сървъри)",
-    "in_memory_logs": "Логове в паметта",
-    "last_modified": "Последно модифициране",
-    "log_info": "<p>Логовете на mailcow <b>в паметта</b> се събират в списъци на Redis и се подрязват до LOG_LINES (%d) на всяка минута, за да се намали натоварването.<br>Логовете в паметта не са предназначени да бъдат постоянни. Всички приложения, които записват в паметта, също записват в демона на Docker и следователно в основния драйвер за логсване.<br>Логовете в паметта трябва да се използват за отстраняване на леки проблеми с контейнери.</p>\r\n  <p><b>Външните логове</b> се събират чрез API на даденото приложение.</p>\r\n  <p><b>Статичните логове</b> са най-вече логове на активност, които не се записват в демона на Docker, но все още трябва да бъдат постоянни (с изключение на логовете на API).</p>",
-    "login_time": "Време",
-    "logs": "Логове",
-    "memory": "Памет",
-    "online_users": "Потребители онлайн",
-    "restart_container": "Рестартиране",
-    "service": "Услуга",
-    "show_ip": "Показване на публичен IP",
-    "size": "Размер",
-    "started_at": "Стартирано в",
-    "started_on": "Стартирано на",
-    "static_logs": "Статични логове",
-    "success": "Успех",
-    "system_containers": "Система & Контейнери",
-    "timezone": "Часова зона",
-    "uptime": "Време на работа",
-    "update_available": "Има налична актуализация",
-    "no_update_available": "Системата е на последното издание",
-    "update_failed": "Не може да се провери за актуализация",
-    "username": "Потребителско име",
-    "wip": "В момента се работи"
-  },
-  "diagnostics": {
-    "cname_from_a": "Стойността е извлечена от A/AAAA запис. Това се поддържа, докато записът сочи към правилния ресурс.",
-    "dns_records": "DNS записи",
-    "dns_records_24hours": "Моля, имайте предвид, че промените в DNS може да отнемат до 24 часа, за да имат актуалното си състояние правилно отразено на тази страница. Тя е предназначена да ви позволи лесно да видите как да конфигурирате вашите DNS записи и да проверите дали всичките ви записи са правилно запазени в DNS.",
-    "dns_records_data": "Правилни данни",
-    "dns_records_docs": "Моля, вижте и <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">документацията</a>.",
-    "dns_records_name": "Име",
-    "dns_records_status": "Текущо състояние",
-    "dns_records_type": "Тип",
-    "optional": "Този запис е опционален."
-  },
-  "edit": {
-    "acl": "ACL (Разрешение)",
-    "active": "Активен",
-    "admin": "Редактиране на администратор",
-    "advanced_settings": "Разширени настройки",
-    "alias": "Редактиране на псевдоним",
-    "allow_from_smtp": "Разрешаване само на тези IP адреси да използват <b>SMTP</b>",
-    "allow_from_smtp_info": "Оставете празно, за да разрешите всички изпращачи.<br>IPv4/IPv6 адреси и мрежи.",
-    "allowed_protocols": "Разрешени протоколи за пряк потребителски достъп (не засяга протоколите за пароли на приложения)",
-    "app_name": "Име на приложението",
-    "app_passwd": "Парола за приложение",
-    "app_passwd_protocols": "Разрешени протоколи за паролата на приложението",
-    "automap": "Опит за автоматично картографиране на папки (\"Изпратени\", \"Изпратени\" => \"Изпратени\" и т.н.)",
-    "backup_mx_options": "Опции за реле",
-    "bcc_dest_format": "BCC дестинацията трябва да бъде един валиден имейл адрес.<br>Ако имате нужда да изпратите копие до множество адреси, създайте псевдоним и го използвайте тук.",
-    "client_id": "Идентификатор на клиента",
-    "client_secret": "Тайна на клиента",
-    "comment_info": "Частен коментар не е видим за потребителя, докато публичен коментар се показва като подсказка при преминаване с мишката върху него в прегледа на потребителя",
-    "created_on": "Създаден на",
-    "custom_attributes": "Персонализирани атрибути",
-    "delete1": "Изтриване от източника след завършване",
-    "delete2": "Изтриване на съобщенията в дестинацията, които не са в източника",
-    "delete2duplicates": "Изтриване на дубликати в дестинацията",
-    "delete_ays": "Моля, потвърдете процеса на изтриване.",
-    "description": "Описание",
-    "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
-    "domain": "Редактиране на домейн",
-    "domain_admin": "Редактиране на администратор на домейн",
-    "domain_footer": "Подвал за домейн",
-    "domain_footer_html": "HTML подвал",
-    "domain_footer_info": "Подвалите за домейн се добавят към всички изходящи имейли, свързани с адрес в този домейн. Следните променливи могат да бъдат използвани за подвала:",
-    "domain_footer_info_vars": {
-      "auth_user": "{= auth_user =}   - Удостоверен потребител, посочен от MTA",
-      "from_user": "{= from_user =}   - Потребителска част на обвивката, напр. за \"moo@mailcow.tld\" връща \"moo\"",
-      "from_name": "{= from_name =}   - Име на обвивката, напр. за \"Mailcow &lt;moo@mailcow.tld&gt;\" връща \"Mailcow\"",
-      "from_addr": "{= from_addr =}   - Адресна част на обвивката",
-      "from_domain": "{= from_domain =} - Домейна част на обвивката",
-      "custom": "{= foo =}         - Ако пощенската кутия има персонализиран атрибут \"foo\" със стойност \"bar\", ще върне \"bar\""
-    },
-    "domain_footer_plain": "PLAIN подвал",
-    "domain_footer_skip_replies": "Игнориране на подвал в отговорни имейли",
-    "domain_quota": "Квота на домейна",
-    "domains": "Домейни",
-    "dont_check_sender_acl": "Деактивиране на проверката на изпращач за домейн %s (+ домейни на псевдоними)",
-    "edit_alias_domain": "Редактиране на домейн на псевдоним",
-    "encryption": "Криптиране",
-    "exclude": "Изключване на обекти (regex)",
-    "extended_sender_acl": "Външни адреси на изпращач",
-    "extended_sender_acl_info": "Трябва да бъде импортиран DKIM домейн ключ, ако е наличен.<br>\r\n  Помнете да добавите този сървър към съответния SPF TXT запис.<br>\r\n  Когато домейн или домейн на псевдоним бъде добавен към този сървър, който се припокрива с външен адрес, външният адрес ще бъде премахнат.<br>\r\n  Използвайте @domain.tld, за да разрешите изпращане като *@domain.tld.",
-    "footer_exclude": "Изключване от подвал",
-    "force_pw_update": "Принудително обновяване на парола при следващия вход",
-    "force_pw_update_info": "Този потребител ще може да влезе само в %s. Паролите за приложения остават използваеми.",
-    "full_name": "Пълно име",
-    "gal": "Глобален адресен списък",
-    "gal_info": "Глобалният адресен списък съдържа всички обекти на домейна и не може да бъде редактиран от нито един потребител. Липсва информация за заетост/свободно време в SOGo, ако е деактивирано! <b>Рестартирайте SOGo, за да приложите промените.</b>",
-    "generate": "генериране",
-    "grant_types": "Типове разрешения",
-    "hostname": "Име на хост",
-    "inactive": "Неактивен",
-    "kind": "Вид",
-    "last_modified": "Последно модифициране",
-    "lookup_mx": "Дестинацията е регулярен израз за съвпадение с MX име (<code>.*\\.google\\.com</code> за пренасочване на всички съобщения, предназначени за MX, завършващ на google.com, през този хоп)",
-    "mailbox": "Редактиране на пощенска кутия",
-    "mailbox_quota_def": "Квота по подразбиране за пощенска кутия",
-    "mailbox_relayhost_info": "Прилага се за пощенската кутия и директните псевдоними само, пренарежда запис в картата на транспорта за домейн.",
-    "mailbox_rename": "Преименуване на пощенска кутия",
-    "mailbox_rename_agree": "Създадох резервно копие.",
-    "mailbox_rename_alias": "Автоматично създаване на псевдоним",
-    "mailbox_rename_title": "Ново локално име на пощенска кутия",
-    "mailbox_rename_warning": "ВНИМАНИЕ! Създайте резервно копие преди преименуване на пощенската кутия.",
-    "max_aliases": "Макс. псевдоними",
-    "max_mailboxes": "Макс. възможни пощенски кутии",
-    "max_quota": "Макс. квота за пощенска кутия (MiB)",
-    "maxage": "Максимална възраст на съобщенията в дни, които ще бъдат проверени от отдалечен<br><small>(0 = игнорирай възраст)</small>",
-    "maxbytespersecond": "Макс. байтове за секунда <br><small>(0 = неограничен)</small>",
-    "mbox_rl_info": "Това ограничение на скоростта се прилага върху SASL името за вход, то съвпада с всеки \"от\" адрес, използван от влезлия потребител. Ограничението на скоростта на пощенска кутия пренарежда ограничението на скоростта за домейн.",
-    "mins_interval": "Интервал (мин)",
-    "multiple_bookings": "Множествени резервации",
-    "nexthop": "Следващ хоп",
-    "none_inherit": "Без / Наследяване",
-    "password": "Парола",
-    "password_recovery_email": "Имейл за възстановяване на парола",
-    "password_repeat": "Потвърждаване на паролата (повторете)",
-    "previous": "Предишна страница",
-    "private_comment": "Частен коментар",
-    "public_comment": "Публичен коментар",
-    "pushover": "Pushover",
-    "pushover_evaluate_x_prio": "Ескалиране на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
-    "pushover_info": "Настройките за известия на Pushover ще се прилагат за всички чисти (не-спам) съобщения, доставени до <b>%s</b>, включително псевдоними (споделени, несподелени, таговани).",
-    "pushover_only_x_prio": "Разглеждане само на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
-    "pushover_sender_array": "Разглеждане само на следните адреси на изпращач <small>(разделени с запетая)</small>",
-    "pushover_sender_regex": "Разглеждане на следния regex на изпращач",
-    "pushover_sound": "Звук",
-    "pushover_text": "Текст на известието",
-    "pushover_title": "Заглавие на известието",
-    "pushover_vars": "Когато не е зададен филтър на изпращач, всички съобщения ще бъдат разглеждани.<br>Филтрите с регулярен израз, както и точните проверки на изпращач, могат да бъдат дефинирани индивидуално и ще бъдат разглеждани последователно. Те не зависят един от друг.<br>Използвайте следните променливи за текст и заглавие (моля, вземете предвид политиките за поверителност на данните)",
-    "pushover_verify": "Проверка на удостоверения",
-    "quota_mb": "Квота (MiB)",
-    "quota_warning_bcc": "Предупреждения за квота ще бъдат изпращани като отделни копия до следните получатели:",
-    "quota_warning_bcc_info": "Съобщенията ще бъдат изпратени с тема, допълнена с името на потребителя в скоби, например: <code>Предупреждение за квота (user@example.com)</code>.",
-    "ratelimit": "Ограничение на скоростта",
-    "redirect_uri": "URI за пренасочване/обратно извикване",
-    "relay_all": "Реле на всички получатели",
-    "relay_all_info": "↪ Ако изберете да <b>не</b> релеирате всички получатели, ще трябва да добавите (\"скрита\") пощенска кутия за всеки отделен получател, който трябва да бъде релеиран.",
-    "relay_domain": "Реле на този домейн",
-    "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Инфо</div> Можете да дефинирате транспортни карти за персонализирана дестинация за този домейн. Ако не е зададено, ще бъде направен MX lookup.",
-    "relay_unknown_only": "Реле на несъществуващи пощенски кутии. Съществуващите пощенски кутии ще бъдат доставени локално.",
-    "relayhost": "Транспорти, зависими от изпращач",
-    "remove": "Премахване",
-    "resource": "Ресурс",
-    "save": "Запазване на промените",
-    "scope": "Обхват",
-    "sender_acl": "Разрешаване на изпращане като",
-    "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Проверката на изпращач е деактивирана</span>",
-    "sender_acl_info": "Ако потребителят на пощенска кутия A е разрешен да изпраща като потребителя на пощенска кутия B, адресът на изпращач не се показва автоматично като избираем \"от\" поле в SOGo.<br>\r\n  Потребителят на пощенска кутия B трябва да създаде делегация в SOGo, за да разреши на потребителя на пощенска кутия A да избира техния адрес като изпращач. За да делегирате пощенска кутия в SOGo, използвайте менюто (три точки) вдясно от името на пощенската кутия в горния ляв ъгъл, докато сте в режим на поща. Това поведение не се прилага за адреси на псевдоними.",
-    "sieve_desc": "Кратко описание",
-    "sieve_type": "Тип на филтър",
-    "skipcrossduplicates": "Пропускане на дублирани съобщения между папки (първи дошъл, първи обслужен)",
-    "sogo_access": "Директно препращане към SOGo",
-    "sogo_access_info": "След влизане, потребителят се пренасочва автоматично към SOGo.",
-    "sogo_visible": "Псевдонимът е видим в SOGo",
-    "sogo_visible_info": "Тази опция засяга само обекти, които могат да бъдат показани в SOGo (споделени или несподелени адреси на псевдоними, сочещи поне една локална пощенска кутия). Ако е скрит, псевдонимът няма да се появи като избираем адрес на изпращач в SOGo.",
-    "spam_alias": "Създаване или промяна на временни псевдоними",
-    "spam_filter": "Филтър за спам",
-    "spam_policy": "Добавяне или премахване на елементи към черния/бял списък",
-    "spam_score": "Задаване на персонализиран резултат за спам",
-    "subfolder2": "Синхронизиране в подпапка в дестинацията<br><small>(празно = не използвай подпапка)</small>",
-    "syncjob": "Редактиране на синхронизираща задача",
-    "target_address": "Адрес/и за пренасочване <small>(разделени с запетая)</small>",
-    "target_domain": "Целеви домейн",
-    "timeout1": "Таймаут за връзка с отдалечен хост",
-    "timeout2": "Таймаут за връзка с локален хост",
-    "title": "Редактиране на обект",
-    "unchanged_if_empty": "Ако не е променено, оставете празно",
-    "username": "Потребителско име",
-    "validate_save": "Валидиране и запазване"
-  },
-  "fido2": {
-    "confirm": "Потвърждаване",
-    "fido2_auth": "Вход с FIDO2",
-    "fido2_success": "Устройството е регистрирано успешно",
-    "fido2_validation_failed": "Проверката е неуспешна",
-    "fn": "Приятелско име",
-    "known_ids": "Известни идентификатори",
-    "none": "Деактивирано",
-    "register_status": "Състояние на регистрация",
-    "rename": "Преименуване",
-    "set_fido2": "Регистриране на FIDO2 устройство",
-    "set_fido2_touchid": "Регистриране на Touch ID на Apple M1",
-    "set_fn": "Задаване на приятелско име",
-    "start_fido2_validation": "Стартиране на проверка на FIDO2"
-  },
-  "footer": {
-    "cancel": "Отказ",
-    "confirm_delete": "Потвърждаване на изтриването",
-    "delete_now": "Изтриване сега",
-    "delete_these_items": "Моля, потвърдете промените за следния идентификатор на обект",
-    "hibp_check": "Проверка срещу haveibeenpwned.com",
-    "hibp_nok": "Съвпадение! Това е потенциално опасна парола!",
-    "hibp_ok": "Няма съвпадение.",
-    "loading": "Моля, изчакайте...",
-    "nothing_selected": "Няма избрани елементи",
-    "restart_container": "Рестартиране на контейнер",
-    "restart_container_info": "<b>Важно:</b> Грациозното рестартиране може да отнеме известно време за завършване, моля, изчакайте да приключи.",
-    "restart_now": "Рестартиране сега",
-    "restarting_container": "Рестартиране на контейнера, това може да отнеме известно време"
-  },
-  "header": {
-    "administration": "Конфигурация & Детайли",
-    "apps": "Приложения",
-    "debug": "Информация",
-    "email": "Имейл",
-    "mailcow_system": "Система",
-    "mailcow_config": "Конфигурация",
-    "quarantine": "Карантина",
-    "restart_netfilter": "Рестартиране на netfilter",
-    "restart_sogo": "Рестартиране на SOGo",
-    "user_settings": "Настройки на потребителя"
-  },
-  "info": {
-    "awaiting_tfa_confirmation": "Изчакване на потвърждение за TFA",
-    "no_action": "Няма приложимо действие",
-    "session_expires": "Вашата сесия ще изтече след около 15 секунди"
-  },
-  "login": {
-    "back_to_mailcow": "Обратно към mailcow",
-    "delayed": "Входът е забавен с %s секунди.",
-    "fido2_webauthn": "Вход с FIDO2/WebAuthn",
-    "forgot_password": "> Забравена парола?",
-    "invalid_pass_reset_token": "Токенът за нулиране на парола е невалиден или е изтекъл.<br>Моля, заявете нов линк за нулиране на парола.",
-    "login": "Вход",
-    "login_admin": "Вход на администратор",
-    "login_dadmin": "Вход на администратор на домейн",
-    "login_user": "Потребителски вход",
-    "mobileconfig_info": "Моля, влезте като потребител на пощенска кутия, за да изтеглите поискания Apple профил за връзка.",
-    "new_password": "Нова парола",
-    "new_password_confirm": "Потвърждаване на новата парола",
-    "other_logins": "или вход с",
-    "password": "Парола",
-    "request_reset_password": "Заявка за промяна на парола",
-    "reset_password": "Нулиране на парола",
-    "username": "Потребителско име"
-  },
-  "mailbox": {
-    "action": "Действие",
-    "activate": "Активиране",
-    "active": "Активен",
-    "add": "Добавяне",
-    "add_alias": "Добавяне на псевдоним",
-    "add_alias_expand": "Разширяване на псевдоним над домейни на псевдоними",
-    "add_bcc_entry": "Добавяне на запис в картата BCC",
-    "add_domain": "Добавяне на домейн",
-    "add_domain_alias": "Добавяне на псевдоним на домейн",
-    "add_domain_record_first": "Моля, добавете първо домейн",
-    "add_filter": "Добавяне на филтър",
-    "add_mailbox": "Добавяне на пощенска кутия",
-    "add_recipient_map_entry": "Добавяне на запис в картата на получатели",
-    "add_resource": "Добавяне на ресурс",
-    "add_template": "Добавяне на шаблон",
-    "add_tls_policy_map": "Добавяне на карта на политиката на TLS",
-    "address_rewriting": "Презаписване на адрес",
-    "alias": "Псевдоним",
-    "alias_domain_alias_hint": "Псевдонимите <b>не</b> се прилагат автоматично към домейни на псевдоними. Псевдонимът <code>my-alias@domain</code> <b>не</b> покрива адреса <code>my-alias@alias-domain</code> (където \"alias-domain\" е имагинерен псевдоним на домейн).<br>Моля, използвайте филтър на Sieve, за да пренасочите имейл към външна пощенска кутия (вижте раздела \"Филтри\" или SOGo -> Пренасочвач). Използвайте \"Разширяване на псевдоним над домейни на псевдоними\", за да добавите автоматично липсващи псевдоними.",
-    "alias_domain_backupmx": "Псевдонимът на домейн е неактивен за домейн за реле",
-    "aliases": "Псевдоними",
-    "all_domains": "Всички домейни",
-    "allow_from_smtp": "Разрешаване само на тези IP адреси да използват <b>SMTP</b>",
-    "allow_from_smtp_info": "Оставете празно, за да разрешите всички изпращачи.<br>IPv4/IPv6 адреси и мрежи.",
-    "allowed_protocols": "Разрешени протоколи",
-    "backup_mx": "Домейн за реле",
-    "bcc": "BCC",
-    "bcc_destination": "BCC дестинация",
-    "bcc_destinations": "BCC дестинации",
-    "bcc_info": "Картите BCC се използват, за да препращат тихо копия от всички съобщения до друг адрес. Записът от тип получател на карта се използва, когато локалната дестинация действа като получател на имейл. Записът от тип изпращач на карта се използва, когато локалната дестинация действа като изпращач на имейл. Локалната дестинация няма да бъде информирана за неуспешна доставка.",
-    "bcc_local_dest": "Локална дестинация",
-    "bcc_map": "Карта BCC",
-    "bcc_map_type": "Тип BCC",
-    "bcc_maps": "Карти BCC",
-    "bcc_rcpt_map": "Карта на получател",
-    "bcc_sender_map": "Карта на изпращач",
-    "bcc_to_rcpt": "Превключване към карта на получател",
-    "bcc_to_sender": "Превключване към карта на изпращач",
-    "bcc_type": "Тип BCC",
-    "booking_null": "Винаги показване като свободен",
-    "booking_0_short": "Винаги свободен",
-    "booking_custom": "Твърдо ограничение до определен брой резервации",
-    "booking_custom_short": "Твърдо ограничение",
-    "booking_ltnull": "Неограничено, но показване като заето, когато е резервирано",
-    "booking_lt0_short": "Меко ограничение",
-    "catch_all": "Catch-All",
-    "created_on": "Създаден на",
-    "daily": "Ежедневно",
-    "deactivate": "Деактивиране",
-    "description": "Описание",
-    "disable_login": "Забраняване на вход (входящите съобщения все още се приемат)",
-    "disable_x": "Деактивиране",
-    "dkim_domains_selector": "Селектор",
-    "dkim_key_length": "Дължина на DKIM ключа (битове)",
-    "domain": "Домейн",
-    "domain_admins": "Администратори на домейн",
-    "domain_aliases": "Псевдоними на домейн",
-    "domain_templates": "Шаблони за домейн",
-    "domain_quota": "Квота",
-    "domain_quota_total": "Обща квота на домейна",
-    "domains": "Домейни",
-    "edit": "Редактиране",
-    "empty": "Няма резултати",
-    "enable_x": "Активиране",
-    "excludes": "Изключване",
-    "filter_table": "Таблица с филтри",
-    "filters": "Филтри",
-    "fname": "Пълно име",
-    "force_pw_update": "Принудително обновяване на парола при следващия вход",
-    "gal": "Глобален адресен списък",
-    "goto_ham": "Учен като <span class=\"text-success\"><b>не е спам</b></span>",
-    "goto_spam": "Учен като <span class=\"text-danger\"><b>спам</b></span>",
-    "hourly": "Часово",
-    "iam": "Доставчик на идентичност",
-    "in_use": "В употреба (%)",
-    "inactive": "Неактивен",
-    "insert_preset": "Вмъкване на примерен предефиниран набор \"%s\"",
-    "kind": "Вид",
-    "last_mail_login": "Последен вход в пощата",
-    "last_modified": "Последно модифициране",
-    "last_pw_change": "Последна промяна на парола",
-    "last_run": "Последно изпълнение",
-    "last_run_reset": "Задаване на следващо",
-    "mailbox": "Пощенска кутия",
-    "mailbox_defaults": "Настройки по подразбиране",
-    "mailbox_defaults_info": "Дефинирайте настройки по подразбиране за нови пощенски кутии.",
-    "mailbox_defquota": "Размер по подразбиране на пощенска кутия",
-    "mailbox_templates": "Шаблони за пощенска кутия",
-    "mailbox_quota": "Макс. размер на пощенска кутия",
-    "mailboxes": "Пощенски кутии",
-    "max_aliases": "Макс. псевдоними",
-    "max_mailboxes": "Макс. възможни пощенски кутии",
-    "max_quota": "Макс. квота за пощенска кутия",
-    "mins_interval": "Интервал (мин)",
-    "msg_num": "Съобщение №",
-    "multiple_bookings": "Множествени резервации",
-    "never": "Никога",
-    "no": "&#10005;",
-    "no_record": "Няма запис за обект %s",
-    "no_record_single": "Няма запис",
-    "open_logs": "Отваряне на логове",
-    "owner": "Собственик",
-    "private_comment": "Частен коментар",
-    "public_comment": "Публичен коментар",
-    "q_add_header": "при преместване в папката за нежелана поща",
-    "q_all": " при преместване в папката за нежелана поща и при отхвърляне",
-    "q_reject": "при отхвърляне",
-    "quarantine_category": "Категория на уведомленията за карантина",
-    "quarantine_notification": "Уведомления за карантина",
-    "quick_actions": "Действия",
-    "recipient": "Получател",
-    "recipient_map": "Карта на получател",
-    "recipient_map_info": "Картите на получател се използват, за да се замени адресът на дестинация на съобщението, преди да бъде доставено.",
-    "recipient_map_new": "Нов получател",
-    "recipient_map_new_info": "Дестинацията на картата на получател трябва да бъде валиден имейл адрес или име на домейн.",
-    "recipient_map_old": "Оригинален получател",
-    "recipient_map_old_info": "Оригиналната дестинация на картата на получател трябва да бъде валиден имейл адрес или име на домейн.",
-    "recipient_maps": "Карти на получател",
-    "relay_all": "Реле на всички получатели",
-    "relay_unknown": "Реле на несъществуващи пощенски кутии",
-    "remove": "Премахване",
-    "resources": "Ресурси",
-    "running": "Изпълнява се",
-    "sender": "Изпращач",
-    "set_postfilter": "Маркиране като постфилтър",
-    "set_prefilter": "Маркиране като префилтър",
-    "sieve_info": "Можете да запазите множество филтри за всеки потребител, но само един префилтър и един постфилтър могат да бъдат активни едновременно.<br>\r\nВсеки филтър ще бъде обработен в описания ред. Нито един неуспешен скрипт, нито издадена команда \"keep;\" няма да спре обработката на следващите скриптове. Промените в глобалните филтри на sieve ще предизвикат рестартиране на Dovecot.<br><br>Глобален префилтър на sieve &#8226; Префилтър &#8226; Потребителски скриптове &#8226; Постфилтър &#8226; Глобален постфилтър на sieve",
-    "sieve_preset_1": "Изтриване на съобщения с потенциално опасни типове файлове",
-    "sieve_preset_2": "Винаги маркиране на имейла на определен изпращач като прочетен",
-    "sieve_preset_3": "Тихо изтриване, спиране на всякаква допълнителна обработка на sieve филтри",
-    "sieve_preset_4": "Архивиране на съобщението във ВХОДНА, пропускане на допълнителна обработка от sieve филтри",
-    "sieve_preset_5": "Автоотговор (ваканция)",
-    "sieve_preset_6": "Отхвърляне на съобщение с отговор",
-    "sieve_preset_7": "Пренасочване и запазване/изтриване",
-    "sieve_preset_8": "Пренасочване на имейл от определен изпращач, маркиране като прочетен и сортиране в подпапка",
-    "sieve_preset_header": "Моля, вижте примерните предефинирани набори по-долу. За повече детайли вижте <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a>.",
-    "sogo_visible": "Псевдонимът е видим в SOGo",
-    "sogo_visible_n": "Скриване на псевдоним в SOGo",
-    "sogo_visible_y": "Показване на псевдоним в SOGo",
-    "spam_aliases": "Времеви псевдоними",
-    "stats": "Статистика",
-    "status": "Статус",
-    "sync_jobs": "Синхронизиращи задачи",
-    "syncjob_check_log": "Проверка на лога",
-    "syncjob_last_run_result": "Резултат от последното изпълнение",
-    "syncjob_EX_OK": "Успех",
-    "syncjob_EXIT_CONNECTION_FAILURE": "Проблем с връзката",
-    "syncjob_EXIT_TLS_FAILURE": "Проблем с криптираната връзка",
-    "syncjob_EXIT_AUTHENTICATION_FAILURE": "Проблем с удостоверяването",
-    "syncjob_EXIT_OVERQUOTA": "Целевата пощенска кутия е над квотата",
-    "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Не може да се свърже с отдалечен сървър",
-    "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Грешно потребителско име или парола",
-    "table_size": "Размер на таблицата",
-    "table_size_show_n": "Показване на %s елемента",
-    "target_address": "Адрес за пренасочване",
-    "target_domain": "Целеви домейн",
-    "templates": "Шаблони",
-    "template": "Шаблон",
-    "tls_enforce_in": "Принудително използване на TLS за входящи",
-    "tls_enforce_out": "Принудително използване на TLS за изходящи",
-    "tls_map_dest": "Дестинация",
-    "tls_map_dest_info": "Примери: example.org, .example.org, [mail.example.org]:25",
-    "tls_map_parameters": "Параметри",
-    "tls_map_parameters_info": "Празно или параметри, например: protocols=!SSLv2 ciphers=medium exclude=3DES",
-    "tls_map_policy": "Политика",
-    "tls_policy_maps": "Пренареждания на политиката на TLS",
-    "tls_policy_maps_enforced_tls": "Тези политики ще пренареждат и поведението за потребители на пощенски кутии, които принудително използват изходящи TLS връзки. Ако няма политика, съществуваща по-долу, тези потребители ще приложат стойностите по подразбиране, зададени като <code>smtp_tls_mandatory_protocols</code> и <code>smtp_tls_mandatory_ciphers</code>.",
-    "tls_policy_maps_info": "Тази политика за пренареждане на TLS транспортни правила е независима от настройките за политика на TLS на потребителя.<br>\r\n  Моля, вижте <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">документацията за \"smtp_tls_policy_maps\"</a> за повече информация.",
-    "tls_policy_maps_long": "Пренареждания на политиката на TLS за изходящи",
-    "toggle_all": "Превключване на всички",
-    "username": "Потребителско име",
-    "waiting": "Изчакване",
-    "weekly": "Седмично",
-    "yes": "&#10003;"
-  },
-  "oauth2": {
-    "access_denied": "Моля, влезте като собственик на пощенска кутия, за да удостоверите чрез OAuth2.",
-    "authorize_app": "Удостоверяване на приложение",
-    "deny": "Отказ",
-    "permit": "Удостоверяване на приложение",
-    "profile": "Профил",
-    "profile_desc": "Преглед на лични данни: потребителско име, пълно име, създадено, модифицирано, активно",
-    "scope_ask_permission": "Приложението заявява следните разрешения",
-    "client_id": "Идентификатор на клиента",
-    "client_secret": "Тайна на клиента",
-    "redirect_uri": "URI за пренасочване",
-    "renew_secret": "Генериране на нова тайна на клиента",
-    "revoke_tokens": "Анулиране на всички токени на клиента"
-  },
-  "quarantine": {
-    "action": "Действие",
-    "atts": "Прикачени файлове",
-    "check_hash": "Търсене на файлов хеш в VirusTotal",
-    "confirm": "Потвърждаване",
-    "confirm_delete": "Потвърждаване на изтриването на този елемент.",
-    "danger": "Опасност",
-    "deliver_inbox": "Доставяне в пощенската кутия",
-    "disabled_by_config": "Текущата системна конфигурация деактивира функционалността на карантината. Моля, задайте \"задържания за пощенска кутия\" и \"максимален размер\" за елементите на карантината.",
-    "download_eml": "Изтегляне (.eml)",
-    "empty": "Няма резултати",
-    "high_danger": "Висока",
-    "info": "Информация",
-    "junk_folder": "Папка за нежелана поща",
-    "learn_spam_delete": "Учен като спам и изтриване",
-    "low_danger": "Ниска",
-    "medium_danger": "Средна",
-    "neutral_danger": "Неутрална",
-    "notified": "Уведомен",
-    "qhandler_success": "Заявката е изпратена успешно до системата. Можете да затворите прозореца сега.",
-    "qid": "QID на Rspamd",
-    "qinfo": "Системата за карантина ще запази отхвърлените съобщения в базата данни (изпращачът няма да бъде информиран за доставеното съобщение) както и съобщенията, доставени като копие в папката за нежелана поща на пощенска кутия.<br> <br>\"Учен като спам и изтриване\" ще научи съобщението като спам чрез теоремата на Бейс и също ще изчисли размити хешове, за да отхвърли подобни съобщения в бъдеще.<br> <br>Моля, имайте предвид, че обучаването на множество съобщения може да бъде - в зависимост от вашата система - времеемко.<br>Елементите в черния списък са изключени от карантината.",
-    "qitem": "Елемент в карантина",
-    "quarantine": "Карантина",
-    "quick_actions": "Действия",
-    "quick_delete_link": "Отваряне на бърз линк за изтриване",
-    "quick_info_link": "Отваряне на бърз информационен линк",
-    "quick_release_link": "Отваряне на бърз линк за освобождане",
-    "rcpt": "Получател",
-    "received": "Получено",
-    "recipients": "Получатели",
-    "refresh": "Опресняване",
-    "rejected": "Отхвърлено",
-    "release": "Освобождане",
-    "release_body": "Прикаченото съобщение е добавено към това съобщение.",
-    "release_subject": "Потенциално вреден елемент в карантина %s",
-    "remove": "Премахване",
-    "rewrite_subject": "Презаписване на темата",
-    "rspamd_result": "Резултат от Rspamd",
-    "sender": "Изпращач (SMTP)",
-    "sender_header": "Изпращач (\"From\" заглавие)",
-    "settings_info": "Максимален брой елементи за карантиниране: %s<br>Максимален размер на имейл: %s MiB",
-    "show_item": "Показване на елемент",
-    "spam": "Спам",
-    "spam_score": "Резултат",
-    "subj": "Тема",
-    "table_size": "Размер на таблицата",
-    "table_size_show_n": "Показване на %s елемента",
-    "text_from_html_content": "Съдържание (конвертиран HTML)",
-    "text_plain_content": "Съдържание (обикновен текст)",
-    "toggle_all": "Превключване на всички",
-    "type": "Тип"
-  },
-  "queue": {
-    "delete": "Изтриване на всички",
-    "flush": "Изчистване на опашката",
-    "info": "Опашката на имейлите съдържа всички имейли, които чакат за доставка. Ако имейлът е засечен в опашката за дълго време, той автоматично се изтрива от системата.<br>Съобщението за грешка на съответния имейл дава информация защо имейлът не може да бъде доставен.",
-    "legend": "Функции на действията в опашката на имейлите:",
-    "ays": "Моля, потвърдете, че искате да изтриете всички елементи от текущата опашка.",
-    "deliver_mail": "Доставяне",
-    "deliver_mail_legend": "Опит за повторно доставяне на избраните съобщения.",
-    "hold_mail": "Задържане",
-    "hold_mail_legend": "Задържа избраните съобщения. (Предотвратява допълнителни опити за доставяне)",
-    "queue_manager": "Мениджър на опашката",
-    "show_message": "Показване на съобщение",
-    "unban": "разблокиране на опашката",
-    "unhold_mail": "Освобождаване",
-    "unhold_mail_legend": "Освобождава избраните съобщения за доставка. (Изисква предварително задържане)"
-  },
-  "ratelimit": {
-    "disabled": "Деактивирано",
-    "second": "съобщения/секунда",
-    "minute": "съобщения/минута",
-    "hour": "съобщения/час",
-    "day": "съобщения/ден"
-  },
-  "start": {
-    "help": "Показване/Скриване на панела за помощ",
-    "imap_smtp_server_auth_info": "Моля, използвайте пълния си имейл адрес и механизма за удостоверяване PLAIN.<br>\r\nВашите данни за вход ще бъдат криптирани от сървърната страна чрез задължително сървърно криптиране."
-  },
-  "success": {
-    "acl_saved": "ACL за обект %s е запазен",
-    "admin_added": "Администраторът %s е добавен",
-    "admin_api_modified": "Промените в API са запазени",
-    "admin_modified": "Промените в администратора са запазени",
-    "admin_removed": "Администраторът %s е премахнат",
-    "alias_added": "Адресът на псевдонима %s (%d) е добавен",
-    "alias_domain_removed": "Домейнът на псевдонима %s е премахнат",
-    "alias_modified": "Промените в адреса на псевдонима %s са запазени",
-    "alias_removed": "Псевдонимът %s е премахнат",
-    "aliasd_added": "Добавен домейн на псевдоним %s",
-    "aliasd_modified": "Промените в домейна на псевдоним %s са запазени",
-    "app_links": "Запазени промени в линковете на приложенията",
-    "app_passwd_added": "Добавена нова парола за приложение",
-    "app_passwd_removed": "Премахната парола за приложение с ID %s",
-    "bcc_deleted": "Записи в картата BCC са изтрити: %s",
-    "bcc_edited": "Записът в картата BCC %s е редактиран",
-    "bcc_saved": "Записът в картата BCC е запазен",
-    "cors_headers_edited": "Настройките на CORS са запазени",
-    "db_init_complete": "Инициализацията на базата данни е завършена",
-    "delete_filter": "Изтрити филтри с ID %s",
-    "delete_filters": "Изтрити филтри: %s",
-    "deleted_syncjob": "Изтрита синхронизираща задача с ID %s",
-    "deleted_syncjobs": "Изтрити синхронизиращи задачи: %s",
-    "dkim_added": "Добавен DKIM ключ %s",
-    "dkim_duplicated": "DKIM ключът за домейн %s е копиран в %s",
-    "dkim_removed": "DKIM ключът %s е премахнат",
-    "domain_add_dkim_available": "DKIM ключът вече съществува",
-    "domain_added": "Добавен домейн %s",
-    "domain_admin_added": "Добавен администратор на домейн %s",
-    "domain_admin_modified": "Промените в администратора на домейн %s са запазени",
-    "domain_admin_removed": "Администраторът на домейн %s е премахнат",
-    "domain_footer_modified": "Промените в подвала на домейн %s са запазени",
-    "domain_modified": "Промените в домейн %s са запазени",
-    "domain_removed": "Домейнът %s е премахнат",
-    "dovecot_restart_success": "Dovecot е рестартиран успешно",
-    "eas_reset": "Устройствата с ActiveSync за потребителя %s са нулирани",
-    "f2b_banlist_refreshed": "Списъкът с ID на блокираните е актуализиран успешно.",
-    "f2b_modified": "Промените в параметрите на Fail2ban са запазени",
-    "forwarding_host_added": "Добавен хост за препращане %s",
-    "forwarding_host_removed": "Премахнат хост за препращане %s",
-    "global_filter_written": "Филтърът е записан успешно във файл",
-    "hash_deleted": "Хешът е изтрит",
-    "iam_test_connection": "Връзката е успешна",
-    "ip_check_opt_in": "Оптирането за използване на услугата на трета страна е запазено успешно",
-    "ip_check_opt_in_modified": "Проверката на IP беше успешно запазена",
-    "item_deleted": "Елементът %s е изтрит успешно",
-    "item_released": "Елементът %s е освободен",
-    "items_deleted": "Елементът %s е изтрит успешно",
-    "items_released": "Избраните елементи са освободени",
-    "learned_ham": "Успешно научен ID %s като не е спам",
-    "license_modified": "Промените в лиценза са запазени",
-    "logged_in_as": "Вписан като %s",
-    "mailbox_added": "Пощенската кутия %s е добавена",
-    "mailbox_modified": "Промените в пощенската кутия %s са запазени",
-    "mailbox_removed": "Пощенската кутия %s е премахната",
-    "mailbox_renamed": "Пощенската кутия е преименувана от %s на %s",
-    "nginx_reloaded": "Nginx е презареден",
-    "object_modified": "Промените в обект %s са запазени",
-    "password_changed_success": "Паролата е променена успешно",
-    "password_policy_saved": "Политиката за парола е запазена успешно",
-    "pushover_settings_edited": "Настройките на Pushover са запазени успешно, моля, проверете удостоверенията.",
-    "qlearn_spam": "Съобщението с ID %s е научено като спам и изтрито",
-    "queue_command_success": "Командата на опашката е завършена успешно",
-    "recipient_map_entry_deleted": "Записът в картата на получател с ID %s е изтрит",
-    "recipient_map_entry_saved": "Записът в картата на получател \"%s\" е запазен",
-    "recovery_email_sent": "Изпратен имейл за възстановяване до %s",
-    "relayhost_added": "Записът в картата %s е добавен",
-    "relayhost_removed": "Записът в картата %s е премахнат",
-    "reset_main_logo": "Нулиране на логото по подразбиране",
-    "resource_added": "Ресурсът %s е добавен",
-    "resource_modified": "Промените в пощенската кутия %s са запазени",
-    "resource_removed": "Ресурсът %s е премахнат",
-    "rl_saved": "Ограничението на скоростта за обект %s е запазено",
-    "rspamd_ui_pw_set": "Паролата на UI на Rspamd е зададена успешно",
-    "saved_settings": "Запазени настройки",
-    "settings_map_added": "Добавен запис в картата с настройки",
-    "settings_map_removed": "Премахнат запис в картата с настройки с ID %s",
-    "sogo_profile_reset": "Профилът на SOGo за потребителя %s е нулиран",
-    "template_added": "Добавен шаблон %s",
-    "template_modified": "Промените в шаблон %s са запазени",
-    "template_removed": "Шаблонът с ID %s е премахнат",
-    "tls_policy_map_entry_deleted": "Записът в картата на политиката на TLS с ID %s е изтрит",
-    "tls_policy_map_entry_saved": "Записът в картата на политиката на TLS \"%s\" е запазен",
-    "ui_texts": "Запазени промени в текстовете на UI",
-    "upload_success": "Файлът е качен успешно",
-    "verified_fido2_login": "Потвърдено вход с FIDO2",
-    "verified_totp_login": "Потвърдено вход с TOTP",
-    "verified_webauthn_login": "Потвърдено вход с WebAuthn",
-    "verified_yotp_login": "Потвърдено вход с Yubico OTP"
-  },
-  "tfa": {
-    "authenticators": "Аутентикатори",
-    "api_register": "%s използва облачното API на Yubico. Моля, вземете API ключ за вашия ключ <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">тук</a>",
-    "confirm": "Потвърждаване",
-    "confirm_totp_token": "Моля, потвърдете промените, като въведете генерирания токен",
-    "delete_tfa": "Деактивиране на TFA",
-    "disable_tfa": "Деактивиране на TFA до следващия успешен вход",
-    "enter_qr_code": "Вашият TOTP код, ако вашето устройство не може да сканира QR кодове",
-    "error_code": "Код на грешка",
-    "init_webauthn": "Инициализиране, моля, изчакайте...",
-    "key_id": "Идентификатор за вашето устройство",
-    "key_id_totp": "Идентификатор за вашия ключ",
-    "none": "Деактивиране",
-    "reload_retry": "- (презаредете браузъра, ако грешката продължи)",
-    "scan_qr_code": "Моля, сканирайте следния код с вашето приложение за аутентикация или въведете кода ръчно.",
-    "select": "Моля, изберете",
-    "set_tfa": "Задаване на метод за двуфакторно удостоверяване",
-    "start_webauthn_validation": "Стартиране на проверка",
-    "tfa": "Двуфакторно удостоверяване",
-    "tfa_token_invalid": "Невалиден токен за TFA",
-    "totp": "Временен OTP (Google Authenticator, Authy и др.)",
-    "u2f_deprecated": "Изглежда, че вашият ключ е регистриран с депрекирания метод U2F. Ще деактивираме двуфакторното удостоверяване за вас и ще изтрием вашия ключ.",
-    "u2f_deprecated_important": "Моля, регистрирайте вашия ключ в административния панел с новия метод WebAuthn.",
-    "webauthn": "Удостоверяване с WebAuthn",
-    "waiting_usb_auth": "<i>Изчакване на USB устройство...</i><br><br>Моля, докоснете бутона на вашето USB устройство сега.",
-    "waiting_usb_register": "<i>Изчакване на USB устройство...</i><br><br>Моля, въведете паролата си по-горе и потвърдете регистрацията си, като докоснете бутона на вашето USB устройство.",
-    "yubi_otp": "Удостоверяване с Yubico OTP"
-  },
-  "user": {
-    "action": "Действие",
-    "active": "Активен",
-    "active_sieve": "Активен филтър",
-    "advanced_settings": "Разширени настройки",
-    "alias": "Псевдоним",
-    "alias_create_random": "Генериране на случаен псевдоним",
-    "alias_extend_all": "Удължаване на всички псевдоними с 1 час",
-    "alias_full_date": "d.m.Y, H:i:s T",
-    "alias_remove_all": "Премахване на всички псевдоними",
-    "alias_select_validity": "Период на валидност",
-    "alias_time_left": "Оставащо време",
-    "alias_valid_until": "Валиден до",
-    "aliases_also_send_as": "Разрешено да изпраща и като потребител",
-    "aliases_send_as_all": "Не проверявай достъпа на изпращач за следните домейни и техните псевдоними",
-    "allowed_protocols": "Разрешени протоколи",
-    "app_hint": "Паролите за приложения са алтернативни пароли за вашия IMAP, SMTP, CalDAV, CardDAV и EAS вход. Потребителското име остава непроменено. SOGo уеб пощата не е достъпна чрез пароли за приложения.",
-    "app_name": "Име на приложението",
-    "app_passwds": "Пароли за приложения",
-    "apple_connection_profile": "Профил за връзка на Apple",
-    "apple_connection_profile_complete": "Този профил за връзка включва настройки за IMAP и SMTP, както и пътища за CalDAV (календари) и CardDAV (контакти) за устройство на Apple.",
-    "apple_connection_profile_mailonly": "Този профил за връзка включва настройки за IMAP и SMTP за устройство на Apple.",
-    "apple_connection_profile_with_app_password": "Генерирана е нова парола за приложение и е добавена към профила, така че не е необходимо да се въвежда парола при настройката на вашето устройство. Моля, не споделяйте файла, тъй като той предоставя пълен достъп до вашата пощенска кутия.",
-    "attribute": "Атрибут",
-    "authentication": "Удостоверяване",
-    "change_password": "Промяна на парола",
-    "change_password_hint_app_passwords": "Вашият акаунт има %d пароли за приложения, които няма да бъдат променени. За управление на тях, отидете в раздела \"Пароли за приложения\".",
-    "clear_recent_successful_connections": "Изчистване на видимите успешни връзки",
-    "client_configuration": "Показване на ръководства за настройка на пощенски клиенти и смартфони",
-    "create_app_passwd": "Създаване на парола за приложение",
-    "create_syncjob": "Създаване на нова синхронизираща задача",
-    "created_on": "Създаден на",
-    "daily": "Ежедневно",
-    "day": "ден",
-    "delete_ays": "Моля, потвърдете процеса на изтриване.",
-    "description": "Описание",
-    "direct_aliases": "Директни адреси на псевдоними",
-    "direct_aliases_desc": "Директните адреси на псевдоними се засягат от настройките за филтър за спам и политика за TLS.",
-    "direct_protocol_access": "Този потребител на пощенска кутия има <b>директен, външен достъп</b> до следните протоколи и приложения. Тази настройка се контролира от вашия администратор. Паролите за приложения могат да бъдат създадени, за да се предостави достъп до отделни протоколи и приложения.<br>Бутонът \"Уеб поща\" предоставя еднократно удостоверяване към SOGo и винаги е достъпен.",
-    "eas_reset": "Нулиране на кеша на устройствата с ActiveSync",
-    "eas_reset_help": "В много случаи нулирането на кеша на устройството ще помогне за възстановяването на повреден профил на ActiveSync.<br><b>Внимание:</b> Всички елементи ще бъдат презаредени!",
-    "eas_reset_now": "Нулиране сега",
-    "edit": "Редактиране",
-    "email": "Имейл",
-    "email_and_dav": "Имейл, календари и контакти",
-    "empty": "Няма резултати",
-    "encryption": "Криптиране",
-    "excludes": "Изключване",
-    "expire_in": "Изтича след",
-    "fido2_webauthn": "FIDO2/WebAuthn",
-    "force_pw_update": "Трябва да зададете нова парола, за да имате достъп до груповите услуги.",
-    "from": "от",
-    "generate": "генериране",
-    "hour": "час",
-    "hourly": "Часово",
-    "hours": "часа",
-    "in_use": "В употреба",
-    "interval": "Интервал",
-    "is_catch_all": "Catch-all за домейн/и",
-    "last_mail_login": "Последен вход в пощата",
-    "last_pw_change": "Последна промяна на парола",
-    "last_run": "Последно изпълнение",
-    "last_ui_login": "Последен вход в UI",
-    "loading": "Зареждане...",
-    "login_history": "История на входовете",
-    "mailbox": "Пощенска кутия",
-    "mailbox_details": "Детайли",
-    "mailbox_general": "Общи",
-    "mailbox_settings": "Настройки",
-    "messages": "съобщения",
-    "month": "месец",
-    "months": "месеца",
-    "never": "Никога",
-    "new_password": "Нова парола",
-    "new_password_repeat": "Потвърждаване на новата парола",
-    "no_active_filter": "Няма активен филтър",
-    "no_last_login": "Няма информация за последен вход в UI",
-    "no_record": "Няма запис",
-    "open_logs": "Отваряне на логове",
-    "open_webmail_sso": "Уеб поща",
-    "overview": "Преглед",
-    "password": "Парола",
-    "password_now": "Текуща парола (потвърждаване на промените)",
-    "password_repeat": "Парола (повторете)",
-    "password_reset_info": "Ако не е зададен имейл за възстановяване на парола, тази функция не може да бъде използвана.",
-    "protocols": "Протоколи",
-    "pushover_evaluate_x_prio": "Ескалиране на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
-    "pushover_info": "Настройките за известия на Pushover ще се прилагат за всички чисти (не-спам) съобщения, доставени до <b>%s</b>, включително псевдоними (споделени, несподелени, таговани).",
-    "pushover_only_x_prio": "Разглеждане само на високоприоритетни съобщения [<code>X-Priority: 1</code>]",
-    "pushover_sender_array": "Разглеждане на следните адреси на изпращач <small>(разделени с запетая)</small>",
-    "pushover_sender_regex": "Съвпадение на изпращач с следния regex",
-    "pushover_sound": "Звук",
-    "pushover_text": "Текст на известието",
-    "pushover_title": "Заглавие на известието",
-    "pushover_vars": "Когато не е зададен филтър на изпращач, всички съобщения ще бъдат разглеждани.<br>Филтрите с регулярен израз, както и точните проверки на изпращач, могат да бъдат дефинирани индивидуално и ще бъдат разглеждани последователно. Те не зависят един от друг.<br>Използвайте следните променливи за текст и заглавие (моля, вземете предвид политиките за поверителност на данните)",
-    "pushover_verify": "Проверка на удостоверения",
-    "pw_recovery_email": "Имейл за възстановяване на парола",
-    "q_add_header": "Папка за нежелана поща",
-    "q_all": "Всички категории",
-    "q_reject": "Отхвърлени",
-    "quarantine_category": "Категория на уведомленията за карантина",
-    "quarantine_category_info": "Категорията \"Отхвърлени\" включва съобщения, които са били отхвърлени, докато категорията \"Папка за нежелана поща\" ще уведоми потребителя за съобщения, които са били поставени в папката за нежелана поща.",
-    "quarantine_notification": "Уведомления за карантина",
-    "quarantine_notification_info": "След като уведомлението е изпратено, елементите ще бъдат маркирани като \"уведомени\" и няма да бъдат изпращани допълнителни уведомления за този конкретен елемент.",
-    "recent_successful_connections": "Видими успешни връзки",
-    "remove": "Премахване",
-    "running": "Изпълнява се",
-    "save": "Запазване на промените",
-    "save_changes": "Запазване на промените",
-    "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Проверката на изпращач е деактивирана</span>",
-    "shared_aliases": "Споделени адреси на псевдоними",
-    "shared_aliases_desc": "Споделените псевдоними не се засягат от настройките за филтър за спам и политика за TLS на потребителя. Съответните настройки за спам филтър могат да бъдат направени само от администратор като настройка за домейн.",
-    "show_sieve_filters": "Показване на активния потребителски филтър на sieve",
-    "sogo_profile_reset": "Нулиране на профила на SOGo",
-    "sogo_profile_reset_help": "Това ще унищожи профила на SOGo и <b>ще изтрие всички данни за контакти и календар безвъзвратно</b>.",
-    "sogo_profile_reset_now": "Нулиране сега",
-    "spam_aliases": "Временни адреси на псевдоними",
-    "spam_score_reset": "Нулиране до настройките на сървъра по подразбиране",
-    "spamfilter": "Филтър за спам",
-    "spamfilter_behavior": "Рейтинг",
-    "spamfilter_bl": "Черен списък",
-    "spamfilter_bl_desc": "Адресите в черния списък <b>винаги</b> ще бъдат класифицирани като спам и отхвърлени. Отхвърлените съобщения <b>не</b> ще бъдат копирани в карантина. Поддържат се уайлдкардове.<br>Отхвърлените съобщения няма да бъдат доставени до папката за нежелана поща.",
-    "spamfilter_default_score": "Стойности по подразбиране",
-    "spamfilter_green": "Зелено: това съобщение не е спам",
-    "spamfilter_hint": "Първата стойност описва \"нисък резултат за спам\", втората представлява \"висок резултат за спам\".",
-    "spamfilter_red": "Червено: това съобщение е спам и ще бъде отхвърлено от сървъра",
-    "spamfilter_table_action": "Действие",
-    "spamfilter_table_add": "Добавяне на елемент",
-    "spamfilter_table_domain_policy": "политика на домейна",
-    "spamfilter_table_empty": "Няма данни за показване",
-    "spamfilter_table_remove": "премахване",
-    "spamfilter_table_rule": "Правило",
-    "spamfilter_wl": "Бял списък",
-    "spamfilter_wl_desc": "Адресите в белия списък <b>никога</b> ще бъдат класифицирани като спам. Поддържат се уайлдкардове.<br>Съобщенията, които не са класифицирани като спам, ще бъдат доставени в папката за нежелана поща, ако резултатът за спам е над стойността за висок резултат за спам.",
-    "spamfilter_yellow": "Жълто: това съобщение може да е спам, ще бъде маркирано като спам и преместено в папката за нежелана поща",
-    "status": "Статус",
-    "sync_jobs": "Синхронизиращи задачи",
-    "syncjob_EXIT_AUTHENTICATION_FAILURE": "Проблем с удостоверяването",
-    "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Грешно потребителско име или парола",
-    "syncjob_EXIT_CONNECTION_FAILURE": "Проблем с връзката",
-    "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Не може да се свърже с отдалечен сървър",
-    "syncjob_EXIT_OVERQUOTA": "Целевата пощенска кутия е над квотата",
-    "syncjob_EXIT_TLS_FAILURE": "Проблем с криптираната връзка",
-    "syncjob_EX_OK": "Успех",
-    "syncjob_check_log": "Проверка на лога",
-    "syncjob_last_run_result": "Резултат от последното изпълнение",
-    "tag_handling": "Настройка за тагове",
-    "tag_help_example": "Пример за тагован имейл адрес: me<b>+Facebook</b>@example.org",
-    "tag_help_explain": "В подпапка: ще бъде създадена нова подпапка под INBOX (\"INBOX/Facebook\").<br>\r\nВ тема: първото име на тага ще бъде добавено към темата на съобщението, например: \"[Facebook] Моите новини\".",
-    "tag_in_none": "Не прави нищо",
-    "tag_in_subfolder": "В подпапка",
-    "tag_in_subject": "В тема",
-    "text": "Текст",
-    "tfa_info": "Двуфакторното удостоверяване помага за защита на вашия акаунт. Ако го активирате, ще ви трябват пароли за приложения, за да влезете в приложения или услуги, които не поддържат двуфакторно удостоверяване (напр. пощенски клиенти).",
-    "title": "Заглавие",
-    "tls_enforce_in": "Принудително използване на TLS за входящи",
-    "tls_enforce_out": "Принудително използване на TLS за изходящи",
-    "tls_policy": "Политика за криптиране",
-    "tls_policy_warning": "<strong>Внимание:</strong> Ако решите да принудите преноса на криптирани съобщения, може да загубите съобщения.<br>Съобщенията, които не удовлетворяват политиката, ще бъдат върнати с твърдо отхвърляне от системата за поща.<br>Тази опция засяга вашия основен адрес на пощенска кутия (логин име), всички адреси, произтичащи от домейни на псевдоними, както и адреси на псевдоними, <b>с единствена целева пощенска кутия</b>.",
-    "user_settings": "Настройки на потребителя",
-    "username": "Потребителско име",
-    "value": "Стойност",
-    "verify": "Проверка",
-    "waiting": "Изчакване",
-    "week": "седмица",
-    "weekly": "Weekly",
-    "weeks": "седмици",
-    "with_app_password": "с парола за приложение",
-    "year": "година",
-    "years": "години"
-  },
-  "warning": {
-    "cannot_delete_self": "Не може да изтриете влезлия потребител",
-    "domain_added_sogo_failed": "Добавен домейн, но неуспешно рестартиране на SOGo, моля, проверете системните логове.",
-    "dovecot_restart_failed": "Dovecot не успя да рестартира, моля, проверете логовете",
-    "fuzzy_learn_error": "Грешка при обучение на размит хеш: %s",
-    "hash_not_found": "Хешът не е намерен или вече е изтрит",
-    "ip_invalid": "Пропуснат невалиден IP: %s",
-    "is_not_primary_alias": "Пропуснат неосновен псевдоним %s",
-    "no_active_admin": "Не може да деактивирате последния активен администратор",
-    "quota_exceeded_scope": "Квотата на домейна е надвишена: Само неограничени пощенски кутии могат да бъдат създадени в този домейн.",
-    "session_token": "Невалиден формулярен токен: Несъответствие на токена.",
-    "session_ua": "Невалиден формулярен токен: Грешка при проверка на User-Agent."
-  }
-}
\ No newline at end of file
+}
diff --git a/data/web/lang/lang.ca-es.json b/data/web/lang/lang.ca-es.json
index af7cbd5fb..ba84543a2 100644
--- a/data/web/lang/lang.ca-es.json
+++ b/data/web/lang/lang.ca-es.json
@@ -557,4 +557,4 @@
         "week": "Setmana",
         "weeks": "Setmanes"
     }
-}
\ No newline at end of file
+}
diff --git a/data/web/lang/lang.zh-tw.json b/data/web/lang/lang.zh-tw.json
index aaa6d756f..592efa809 100644
--- a/data/web/lang/lang.zh-tw.json
+++ b/data/web/lang/lang.zh-tw.json
@@ -1324,4 +1324,4 @@
         "hold_mail": "保留",
         "unhold_mail": "取消保留"
     }
-}
\ No newline at end of file
+}

From 2f1eb4b004a6882f7e0875632b1b5d5498a5caca Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 24 Jul 2025 21:42:00 +0200
Subject: [PATCH 279/378] Translations update from Weblate (#6649)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [Web] Updated lang.es-es.json

Co-authored-by: sariegos <informatica@sariegos.es>

* [Web] Updated lang.si-si.json

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>

* [Web] Updated lang.pt-br.json

[Web] Updated lang.pt-br.json

Co-authored-by: Bruno Zouein Pereira <zopostyle@gmail.com>
Co-authored-by: Peter <magic@kthx.at>

---------

Co-authored-by: sariegos <informatica@sariegos.es>
Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
Co-authored-by: Bruno Zouein Pereira <zopostyle@gmail.com>
Co-authored-by: Peter <magic@kthx.at>
---
 data/web/lang/lang.es-es.json | 492 +++++++++++++++++++++++++++++++---
 data/web/lang/lang.pt-br.json |   9 +-
 data/web/lang/lang.si-si.json |  29 +-
 3 files changed, 478 insertions(+), 52 deletions(-)

diff --git a/data/web/lang/lang.es-es.json b/data/web/lang/lang.es-es.json
index 814142cc6..f357b9a80 100644
--- a/data/web/lang/lang.es-es.json
+++ b/data/web/lang/lang.es-es.json
@@ -10,11 +10,11 @@
         "quarantine": "Acciones de cuarentena",
         "quarantine_attachments": "Archivos ajuntos en cuarentena",
         "quarantine_notification": "Notificaciones de cuarentena",
-        "ratelimit": "Rate limit",
+        "ratelimit": "Límite de peticiones",
         "recipient_maps": "Rutas del destinatario",
         "sogo_profile_reset": "Resetear perfil SOGo",
         "spam_alias": "Aliases temporales",
-        "spam_policy": "Lista blanca/negra",
+        "spam_policy": "Lista de bloqueo/desbloqueo",
         "spam_score": "Puntuación de spam",
         "syncjobs": "Trabajos de sincronización",
         "tls_policy": "Póliza de TLS",
@@ -25,8 +25,10 @@
         "quarantine_category": "Cambiar categoría de las notificaciones de cuarentena",
         "domain_relayhost": "Cambiar relayhost por un dominio",
         "extend_sender_acl": "Permitir extender la ACL del remitente por direcciones externas",
-        "pw_reset": "Permitir el reset  de la contraseña del usario mailcow",
-        "sogo_access": "Permitir la gestión del acceso a SOGo"
+        "pw_reset": "Permitir el restablecimiento de la contraseña del usuario mailcow",
+        "sogo_access": "Permitir la gestión del acceso a SOGo",
+        "mailbox_relayhost": "Cambiar el host de reenvío para un buzón",
+        "smtp_ip_access": "Cambiar hosts permitidos para SMTP"
     },
     "add": {
         "activate_filter_warn": "Todos los demás filtros se desactivarán cuando este filtro se active.",
@@ -34,7 +36,7 @@
         "add": "Agregar",
         "add_domain_only": "Agregar dominio solamente",
         "add_domain_restart": "Agregar dominio y reiniciar SOGo",
-        "alias_address": "Dirección(es) alias:",
+        "alias_address": "Dirección(es) alias",
         "alias_address_info": "<small>Dirección(es) de correo completa(s) ó @dominio.com, para atrapar todos los mensajes para un dominio (separado por coma). <b>Dominios que existan en mailcow solamente</b>.</small>",
         "alias_domain": "Dominio alias",
         "alias_domain_info": "<small>Nombres de dominio válidos solamente (separado por coma).</small>",
@@ -45,13 +47,13 @@
         "delete1": "Eliminar de la fuente cuando se complete",
         "delete2": "Eliminar mensajes en el destino que no están en la fuente",
         "delete2duplicates": "Eliminar duplicados en el destino",
-        "description": "Descripción:",
+        "description": "Descripción",
         "destination": "Destino",
         "domain": "Dominio",
-        "domain_quota_m": "Cuota total del dominio (MiB):",
+        "domain_quota_m": "Cuota total del dominio (MiB)",
         "enc_method": "Método de cifrado",
         "exclude": "Excluir objectos (regex)",
-        "full_name": "Nombre completo:",
+        "full_name": "Nombre completo",
         "gal": "Lista global de direcciones (GAL)",
         "gal_info": "El GAL contiene todos los objetos de un dominio y no puede ser editado por ningún usuario. Falta información de disponibilidad en SOGo, si está desactivada. <b>Reinicia SOGo para aplicar los cambios.</b>",
         "generate": "Generar",
@@ -61,20 +63,20 @@
         "hostname": "Host",
         "kind": "Tipo",
         "mailbox_quota_def": "Cuota de buzón predeterminada",
-        "mailbox_quota_m": "Máx. cuota por buzón (MiB):",
-        "mailbox_username": "Nombre de usuario (parte izquierda de una dirección de correo):",
-        "max_aliases": "Máx. alias posibles:",
-        "max_mailboxes": "Máx. buzones posibles:",
+        "mailbox_quota_m": "Máx. cuota por buzón (MiB)",
+        "mailbox_username": "Nombre de usuario (parte izquierda de una dirección de correo)",
+        "max_aliases": "Máx. alias posibles",
+        "max_mailboxes": "Máx. buzones posibles",
         "mins_interval": "Intervalo de sondeo (minutos)",
         "multiple_bookings": "Múltiples reservas",
         "nexthop": "Siguiente destino",
-        "password": "Constraseña:",
-        "password_repeat": "Confirmación de contraseña (repetir):",
+        "password": "Contraseña",
+        "password_repeat": "Confirmación de contraseña (repetir)",
         "port": "Puerto",
-        "post_domain_add": "<b>Nota:</b> Necesitarás reiniciar el contenedor del servicio SOGo despues de agregar un nuevo dominio",
-        "quota_mb": "Cuota (MiB):",
+        "post_domain_add": "Es necesario reiniciar el contenedor del servicio SOGo, \"sogo-mailcow\", tras agregar un nuevo dominio.<br><br>Además, la configuración DNS de los dominios debería ser comprobada. En cuanto la configuración DNS se apruebe, reinicie \"acme-mailcow\" para generar automáticamente certificados para su nuevo dominio (autoconfig.&lt;dominio&gt;, autodiscover.&lt;dominio&gt;).<br>Este paso es opcional y se reintentará cada 24 horas.",
+        "quota_mb": "Cuota (MiB)",
         "relay_all": "Retransmitir todos los destinatarios",
-        "relay_all_info": "<small>Si eliges <b>no</b> retransmitir a todos los destinatarios, necesitas agregar un buzón \"ciego\" por cada destinatario que debe ser retransmitido.</small>",
+        "relay_all_info": "↪ Si se elige <b>no</b> retransmitir todos los destinatarios, será necesario agregar un buzón \"ciego\" por cada destinatario que deba ser retransmitido.",
         "relay_domain": "Retransmitir este dominio",
         "select": "Por favor selecciona...",
         "select_domain": "Por favor elige un dominio primero",
@@ -83,7 +85,7 @@
         "skipcrossduplicates": "Omitir mensajes duplicados en carpetas (orden de llegada)",
         "subscribeall": "Suscribirse a todas las carpetas",
         "syncjob": "Añadir trabajo de sincronización",
-        "syncjob_hint": "Ten en cuenta que las contraseñas deben guardarse en texto sin cifrado",
+        "syncjob_hint": "Tenga en cuenta que las contraseñas deben guardarse en texto plano sin cifrar",
         "target_address": "Direcciones destino:",
         "target_address_info": "<small>Dirección(es) de correo completa(s) (separado por coma).</small>",
         "target_domain": "Dominio destino:",
@@ -100,7 +102,13 @@
         "comment_info": "Los comentarios privados no son visibles al usuario, mientras que los comentarios públicos aparecerán sobre la información general del usuario",
         "dry": "Simular la sincronización",
         "private_comment": "Comentario privado",
-        "app_passwd_protocols": "Protocolos autorizados para la contraseña de la aplicación"
+        "app_passwd_protocols": "Protocolos autorizados para la contraseña de la aplicación",
+        "relay_transport_info": "<div class=\"label label-info\">Información</div> Puede definir mapas de transporte para un destino personalizado para este dominio. En caso de no definirlo, se realizará una búsqueda MX.",
+        "bcc_dest_format": "El destino del CCO debe ser una única dirección de correo electrónico válida.<br>Si necesita enviar una copia a varias direcciones, cree un alias y utilícelo aquí.",
+        "domain_matches_hostname": "El dominio %s coincide con el nombre de host",
+        "relay_unknown_only": "Reenviar sólo los buzones no existentes. Los buzones existentes se entregarán localmente.",
+        "relayhost_wrapped_tls_info": "Por favor, no utilice puertos con TLS (habitualmente, el puerto 465). <br>Utilice cualquier puerto no cifrado y emita STARTTLS. Se puede crear una política para imponer TLS en \"TLS policy maps\".",
+        "tags": "Etiquetas"
     },
     "admin": {
         "access": "Acceso",
@@ -129,7 +137,7 @@
         "app_name": "Nombre de la app",
         "apps_name": "Nombre \"mailcow Apps\"",
         "arrival_time": "Tiempo de llegada (hora del servidor)",
-        "ban_list_info": "Lista de IPs bloqueadas: <b>red (tiempo de prohibición restante) - [acciones]</b>.<br />Las IPs en cola para ser desbloqueadas se eliminarán de la lista de bloqueos en unos pocos segundos.<br />Las etiquetas rojas indican bloqueos permanentes mediante la inclusión en la lista negra.",
+        "ban_list_info": "Lista de direcciones IP bloqueadas: <b>red (tiempo de prohibición restante) - [acciones]</b>.<br />Las direcciones IP en cola para ser desbloqueadas se eliminarán de la lista de bloqueos en unos segundos.<br />Las etiquetas rojas indican bloqueos permanentes por inclusión en la lista de bloqueo.",
         "change_logo": "Cambiar logo",
         "configuration": "Configuración",
         "credentials_transport_warning": "<b>Advertencia</b>: al agregar una nueva entrada de ruta de transporte se actualizarán las credenciales para todas las entradas con una columna de \"siguiente destino\" coincidente.",
@@ -157,15 +165,15 @@
         "excludes": "Excluye a estos destinatarios",
         "f2b_ban_time": "Tiempo de restricción (s)",
         "f2b_ban_time_increment": "Tiempo de restricción se incrementa con cada restricción",
-        "f2b_blacklist": "Redes y hosts en lista negra",
-        "f2b_list_info": "Un host o red en lista negra siempre superará a una entidad de la lista blanca. <b>Las actualizaciones de la lista tardarán unos segundos en aplicarse.</b>",
+        "f2b_blacklist": "Redes y hosts en lista de bloqueo",
+        "f2b_list_info": "Un host o red en lista de bloqueo siempre tendrá prioridad sobre una entidad de la lista de desbloqueo. <b>Las actualizaciones de la lista tardarán unos segundos en aplicarse.</b>",
         "f2b_max_attempts": "Max num. de intentos",
         "f2b_max_ban_time": "Max tiempo de restricción (s)",
         "f2b_netban_ipv4": "Tamaño de subred IPv4 para aplicar la restricción (8-32)",
         "f2b_netban_ipv6": "Tamaño de subred IPv6 para aplicar la restricción (8-128)",
         "f2b_parameters": "Parametros Fail2ban",
         "f2b_retry_window": "Ventana de tiempo entre reintentos",
-        "f2b_whitelist": "Redes y hosts en lista blanca",
+        "f2b_whitelist": "Redes y hosts en lista de desbloqueo",
         "filter_table": "Filtrar tabla",
         "forwarding_hosts": "Hosts de reenvío",
         "forwarding_hosts_add_hint": "Se puede especificar direcciones IPv4 / IPv6, redes en notación CIDR, nombres de host (que se resolverán en direcciones IP) o dominios (que se resolverán en direcciones IP consultando registros SPF o, en su defecto, registros MX)",
@@ -253,7 +261,146 @@
         "unban_pending": "Desbloqueo pendiente",
         "unchanged_if_empty": "Si no hay cambios déjalo en blanco",
         "upload": "Cargar",
-        "username": "Nombre de usuario"
+        "username": "Nombre de usuario",
+        "force_sso_text": "Si se configura un proveedor OIDC externo, esta opción oculta los formularios por defecto de inicio de sesión y muestra solamente el botón de inicio de sesión único",
+        "admin_quicklink": "Ocultar enlace rápido a página de inicio de sesión para administradores",
+        "iam_default_template_description": "Si no se asigna una plantilla a un usuario, se utilizará la plantilla por defecto para crear el buzón, pero no para actualizarlo.",
+        "reset_password_vars": "<code>{{link}}</code> El enlace generado para el restablecimiento de contraseña<br><code>{{username}}</code> El buzón del usuario que ha solicitado el restablecimiento de contraseña<br><code>{{username2}}</code> La dirección del buzón de recuperación de contraseña<br><code>{{date}}</code> La fecha en que se realizó la solicitud de restablecimiento de contraseña<br><code>{{token_lifetime}}</code> El periodo de vigencia del token en minutos<br><code>{{hostname}}</code> El servidor Mailcow",
+        "api_info": "La API es un trabajo en curso. La documentación se puede encontrar en <a href=\"/api\">/api</a>",
+        "iam_description": "Configurar un proveedor de autenticación externo<br>Los buzones de usuario se crearán automáticamente la primera vez que se inicie sesión, siempre que se hayan configurado las equivalencias de atributos",
+        "ui_header_announcement_help": "El anuncio será visible para todos los usuarios conectados y también en la pantalla de inicio de sesión.",
+        "html": "HTML",
+        "oauth2_redirect_uri": "URI de redirección",
+        "quarantine_bcc": "Remitir una copia de todas las notificaciones (CCO) a este destinatario: <br><small>Dejar en blanco para desactivar. <b>Correo sin firmar y sin comprobar. Debe entregarse solo internamente.</b></small>",
+        "quarantine_redirect": "<b>Redirigir todas las notificaciones</b> a este destinatario:<br><small>Dejar en blanco para desactivar. <b>Correo sin firmar y sin comprobar. Debe entregarse sólo internamente.</b></small>",
+        "iam_authorize_url": "Endpoint de autorización",
+        "sal_level": "Nivel de Moo",
+        "ui_footer": "Pie de página (se permite HTML)",
+        "is_mx_based": "Basado en MX",
+        "password_reset_tmpl_text": "Plantilla de texto",
+        "password_length": "Longitud de la contraseña",
+        "quicklink_text": "Mostrar u ocultar enlaces rápidos a otras páginas de inicio bajo el formulario de inicio de sesión",
+        "password_policy_lowerupper": "Debe contener caracteres en minúsculas y mayúsculas",
+        "rspamd_global_filters_regex": "Sus nombres indican su propósito. Todo el contenido debe constar de expresiones regulares válidas con el formato \"/patrón/opciones\" (por ejemplo, <code>/.+@domain\\.tld/i</code>).<br>\n  Si bien se llevan a cabo comprobaciones básicas de cada expresión regular, la funcionalidad de Rspamd puede verse inutilizada, si no consigue interpretar correctamente la sintaxis utilizada.<br>\n  Rspamd intentará leer el contenido del mapa cuando éste se modifique. En caso de de problemas, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">reinicie Rspamd</a> para forzar una recarga del mapa.<br>Los elementos incluidos en listas de bloqueo se excluyen de la cuarentena.",
+        "iam_use_ssl_info": "Si se habilita SSL y el puerto se establece en el 389, se cambiará automáticamente al 636.",
+        "iam_login_provisioning": "Crear usuarios automáticamente al iniciar sesión",
+        "iam_periodic_full_sync": "Sincronización completa periódica",
+        "iam_port": "Puerto",
+        "iam_realm": "Ámbito",
+        "iam_redirect_url": "URL de redirección",
+        "iam_server_url": "URL del servidor",
+        "iam_sso": "Inicio de sesión único (SSO)",
+        "iam_sync_interval": "Intervalo de sincronización/importación (minutos)",
+        "iam_test_connection": "Comprobar conexión",
+        "iam_token_url": "Endpoint del token",
+        "iam_username_field": "Campo de nombre de usuario",
+        "iam_use_ssl": "Utilizar SSL",
+        "iam_use_tls": "Utilizar STARTTLS",
+        "iam_userinfo_url": "Endopint de información de usuario",
+        "iam_use_tls_info": "Si se habilita TLS, se debe utilizar el puerto por defecto del servidor LDAP (389). No se permiten puertos SSL.",
+        "iam_version": "Versión",
+        "ignore_ssl_error": "Ignorar errores de SSL",
+        "ip_check": "Comprobación IP",
+        "ip_check_disabled": "La comprobación de IP está desactivada. Puede activarla en<br> <strong>Sistema > Configuración > Opciones > Personalizar</strong>.",
+        "ip_check_opt_in": "Aceptar utilizar el servicio de terceros <strong>ipv4.mailcow.email</strong> y <strong>ipv6.mailcow.email</strong> para resolver direcciones IP externas.",
+        "last_applied": "Aplicado por última vez",
+        "license_info": "No es obligatorio contar con una licencia, pero ayuda a continuar el desarrollo.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL order\">Indique aquí su GUID</a> o <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Support order\">adquiera servicios de soporte para su instalación de Mailcow.</a>",
+        "login_time": "Hora de inicio de sesión",
+        "lookup_mx": "Destino es una expresión regular con la que contrastar el nombre MX (<code>.*\\.google\\.com</code> para dirigir todo el tráfico dirigido a un MX que termina en google.com a través de este salto)",
+        "message": "Mensaje",
+        "no": "&#10005;",
+        "optional": "opcional",
+        "app_hide": "Ocultar para inicio de sesión",
+        "convert_html_to_text": "Convertir HTML a texto plano",
+        "cors_settings": "Configuración de CORS",
+        "customer_id": "ID de cliente",
+        "dkim_overwrite_key": "Sobrescribir la clave DKIM existente",
+        "domain_admin": "Administrador de dominio",
+        "f2b_manage_external": "Gestionar Fail2Ban de manera externa",
+        "f2b_manage_external_info": "Fail2Ban conservará la lista de bloqueo, pero no establecerá activamente reglas para bloquear el tráfico. Utilizar la lista de bloqueo siguiente para bloquear externamente el tráfico.",
+        "filter": "Filtrar",
+        "admins": "Administradores",
+        "admins_ldap": "Administradores de LDAP",
+        "advanced_settings": "Configuración avanzada",
+        "allowed_methods": "Access-Control-Allow-Methods",
+        "allowed_origins": "Access-Control-Allow-Origin",
+        "api_read_only": "Acceso de sólo lectura",
+        "api_read_write": "Acceso de lectura y escritura",
+        "api_skip_ip_check": "Omitir la comprobación de la IP para la API",
+        "authed_user": "Usuario autentificado",
+        "ays": "¿Está seguro de querer continuar?",
+        "logo_normal_label": "Normal",
+        "logo_dark_label": "Invertido para modo oscuro",
+        "copy_to_clipboard": "¡Texto copiado al portapapeles!",
+        "login_page": "Inicio de sesión",
+        "domainadmin_quicklink": "Ocultar enlace rápido a página de inicio de sesión para administradores de dominios",
+        "domain_s": "Dominio(s)",
+        "f2b_filter": "Filtros regex",
+        "f2b_regex_info": "Registros tomados en consideración: SOGo, Postfix, Dovecot, PHP-FPM.",
+        "force_sso": "Deshabilitar el inicio de sesión de Mailcow y mostrar solamente el inicio de sesión único",
+        "guid": "GUID - ID de instancia único",
+        "guid_and_license": "GUID y licencia",
+        "hash_remove_info": "Al eliminar un hash de límite de velocidad (si todavía existe) se reiniciará su contador por completo.<br> Cada hash se indica con un color individual.",
+        "iam": "Proveedor de identidad",
+        "iam_attribute_field": "Campo de atributo",
+        "iam_auth_flow": "Flujo de autenticación",
+        "iam_basedn": "DN de base",
+        "iam_client_id": "ID de cliente",
+        "iam_client_secret": "Secreto de cliente",
+        "iam_client_scopes": "Ámbitos de cliente",
+        "iam_default_template": "Plantilla por defecto",
+        "iam_host": "Host",
+        "iam_host_info": "Introduzca uno o más hosts de LDAP, separados por comas.",
+        "iam_import_users": "Importar usuarios",
+        "iam_mapping": "Equivalencias de atributos",
+        "needs_restart": "necesita reinicio",
+        "oauth2_apps": "Aplicaciones OAuth2",
+        "oauth2_add_client": "Añadir cliente OAuth2",
+        "oauth2_renew_secret": "Generar nuevo secreto de cliente",
+        "oauth2_revoke_tokens": "Revocar todos los tokens de cliente",
+        "options": "Opciones",
+        "password_policy": "Política de contraseñas",
+        "password_policy_chars": "Debe contener al menos un caracter alfabético",
+        "password_policy_length": "La longitud mínima de la contraseña es %d",
+        "password_policy_numbers": "Debe contener al menos un número",
+        "password_policy_special_chars": "Debe contener caracteres especiales",
+        "password_reset_info": "Si no se indica una dirección para la recuperación de contraseñas, esta función no puede utilizarse.",
+        "password_reset_settings": "Configuración de recuperación de contraseña",
+        "password_reset_tmpl_html": "Plantilla HTML",
+        "password_settings": "Configuración de contraseña",
+        "priority": "Prioridad",
+        "quarantine_max_score": "Descartar notificación si la puntuación de spam de un mensaje de correo es mayor que este valor:<br><small>Por defecto 9999.0</small>",
+        "queue_unban": "desbloquear",
+        "regex_maps": "Mapas regex",
+        "relay_rcpt": "Dirección \"Para:\"",
+        "reset_limit": "Eliminar hash",
+        "restore_template": "Dejar en blanco para restablecer la plantilla por defecto",
+        "rsetting_no_selection": "Seleccione una regla",
+        "rsettings_preset_3": "Permitir solamente remitentes específicos para un buzón (utilizar únicamente como buzón interno)",
+        "rsettings_preset_4": "Deshabilitar Rspamd para un dominio",
+        "rspamd_global_filters": "Mapas de filtrado globales",
+        "rspamd_global_filters_agree": "¡Tendré cuidado!",
+        "rspamd_global_filters_info": "Los mapas de filtrado globales contienen distintos tipos de listos de bloqueo y desbloqueo.",
+        "service": "Servicio",
+        "service_id": "ID de servicio",
+        "success": "Éxito",
+        "task": "Tarea",
+        "time": "Tiempo",
+        "title": "Título",
+        "transport_dest_format": "Regex o sintaxis: ejemplo.org, .ejemplo.org, *, buzon@ejemplo.org (se pueden introducir varios valores separados por comas)",
+        "transport_test_rcpt_info": "&#8226; Utilizar null@hosted.mailcow.de para comprobar la retransmisión a un destino externo.",
+        "ui_header_announcement": "Anuncios",
+        "ui_header_announcement_content": "Texto (se permite HTML)",
+        "ui_header_announcement_select": "Seleccionar tipo de anuncio",
+        "ui_header_announcement_type": "Tipo",
+        "ui_header_announcement_type_danger": "Muy importante",
+        "ui_header_announcement_type_info": "Información",
+        "ui_header_announcement_type_warning": "Importante",
+        "user_link": "Enlace de usuario",
+        "user_quicklink": "Ocultar enlace rápido a página de inicio de sesión de usuario",
+        "validate_license_now": "Validar el GUID contra el servidor de licencias",
+        "verify": "Verificar",
+        "yes": "&#10003;"
     },
     "danger": {
         "access_denied": "Acceso denegado o datos del formulario inválidos",
@@ -341,7 +488,60 @@
         "username_invalid": "Nombre de usuario no se puede utilizar",
         "validity_missing": "Por favor asigna un periodo de validez",
         "value_missing": "Por favor proporcione todos los valores",
-        "yotp_verification_failed": "Verificación Yubico OTP fallida: %s"
+        "yotp_verification_failed": "Verificación Yubico OTP fallida: %s",
+        "last_key": "La última clave no se puede eliminar, en su lugar desactive la autenticación de doble factor.",
+        "img_dimensions_exceeded": "La imagen excede el tamaño máximo permitido",
+        "authsource_in_use": "El proveedor de identidades no se puede cambiar al estar en uso por uno o más usuario(s).",
+        "app_name_empty": "El nombre de la aplicación no puede quedar vacío",
+        "recovery_email_failed": "No se ha podido enviar un correo de recuperación. Contacte con su administrador.",
+        "tls_policy_map_dest_invalid": "Destino de política no válido",
+        "cors_invalid_method": "Allow-Method especificado no válido",
+        "dkim_domain_or_sel_exists": "Ya existe una clave DKIM para \"%s\" y no será sobrescrita",
+        "webauthn_publickey_failed": "No se ha almacenado ninguna clave pública para el autenticador seleccionado",
+        "invalid_reset_token": "Token de restablecimiento no válido",
+        "password_reset_na": "El restablecimiento de contraseña no está disponible en estos momentos. Contacte con su administrador.",
+        "generic_server_error": "Se ha producido un error inesperado en el servidor. Contacte con su administrador.",
+        "reset_f2b_regex": "El filtro Regex no se ha podido restablecer a tiempo, inténtelo de nuevo o espere unos segundos y vuelva a cargar la página web.",
+        "extra_acl_invalid": "Dirección de remitente externo \"%s\" no válida",
+        "extra_acl_invalid_domain": "El remitente externo \"%s\" utiliza un dominio no válido",
+        "max_alias_exceeded": "Se ha excedido el número máximo de alias",
+        "app_passwd_id_invalid": "Contraseña de aplicación con ID %s no válida",
+        "comment_too_long": "Comentario demasiado largo, máximo de 160 caracteres permitidos",
+        "cors_invalid_origin": "Allow-Origin especificado no válido",
+        "demo_mode_enabled": "Modo demo activado",
+        "description_invalid": "Descripción de recurso para %s no válida",
+        "extended_sender_acl_denied": "no se encuentra ACL para establecer direcciones de remitente externo",
+        "fido2_verification_failed": "Verificación FIDO2 fallida: %s",
+        "file_open_error": "El archivo no se puede abrir para escritura",
+        "global_filter_write_error": "No se ha podido escribir el archivo de filtro: %s",
+        "global_map_invalid": "Mapa global con ID %s no válido",
+        "global_map_write_error": "No se ha podido guardar el mapa global con ID %s: %s",
+        "ham_learn_error": "Error de aprendizaje de correo deseado: %s",
+        "iam_test_connection": "Conexión fallida",
+        "imagick_exception": "Error: Excepción en Imagick al leer la imagen",
+        "img_invalid": "No se ha podido validar el archivo de imagen",
+        "img_size_exceeded": "La imagen excede el tamaño máximo de archivo",
+        "img_tmp_missing": "No se ha podido validar el archivo de imagen: archivo temporal no encontrado",
+        "invalid_filter_type": "Tipo de filtro no válido",
+        "invalid_mime_type": "Tipo MIME no válido",
+        "maxquota_empty": "La cuota máxima por buzón no debe ser cero.",
+        "nginx_reload_failed": "Recarga de Nginx fallida: %s",
+        "password_reset_invalid_user": "Buzón no encontrado o dirección de correo para recuperación no establecida",
+        "pushover_credentials_missing": "Falta el token y/o la clave de Pushover",
+        "pushover_key": "La clave de Pushover tiene un formato incorrecto",
+        "pushover_token": "El token de Pushover tiene un formato incorrecto",
+        "required_data_missing": "Datos necesarios %s no proporcionados",
+        "reset_token_limit_exceeded": "Se ha superado el límite de tokens de restablecimiento. Inténtelo más tarde.",
+        "resource_invalid": "Nombre de recurso %s no válido",
+        "targetd_relay_domain": "El dominio de destino %s es un dominio de retransmisión",
+        "template_exists": "La plantilla %s ya existe",
+        "template_id_invalid": "Plantilla con ID %s no válida",
+        "template_name_invalid": "Nombre de plantilla no válido",
+        "temp_error": "Error transitorio",
+        "tfa_token_invalid": "Token de autenticación de doble factor no válido",
+        "to_invalid": "El destinatario no puede quedar en blanco",
+        "webauthn_authenticator_failed": "No se ha localizado el autenticador seleccionado",
+        "webauthn_username_failed": "El autenticador seleccionado pertenece a otra cuenta"
     },
     "debug": {
         "containers_info": "Información de los contenedores",
@@ -357,7 +557,29 @@
         "started_at": "Iniciado el",
         "uptime": "Uptime",
         "static_logs": "Logs estáticos",
-        "system_containers": "Sistema y Contenedores"
+        "system_containers": "Sistema y Contenedores",
+        "show_ip": "Mostrar IP pública",
+        "wip": "Actualmente incompleto",
+        "current_time": "Hora del sistema",
+        "service": "Servicio",
+        "timezone": "Huso horario",
+        "update_available": "Hay una actualización disponible",
+        "update_failed": "No se han podido comprobar las actualizaciones",
+        "architecture": "Arquitectura",
+        "chart_this_server": "Gráfico (este servidor)",
+        "container_running": "En ejecución",
+        "container_disabled": "Contenedor detenido o desactivado",
+        "container_stopped": "Detenido",
+        "cores": "Núcleos",
+        "error_show_ip": "No se han podido resolver las direcciones IP públicas",
+        "history_all_servers": "Historial (todos los servidores)",
+        "login_time": "Tiempo",
+        "memory": "Memoria",
+        "online_users": "Usuarios conectados",
+        "started_on": "Iniciado",
+        "success": "Éxito",
+        "no_update_available": "El sistema está actualizado",
+        "username": "Nombre de usuario"
     },
     "diagnostics": {
         "cname_from_a": "Valor derivado del registro A / AAAA. Esto es permitido siempre que el registro apunte al recurso correcto.",
@@ -367,7 +589,8 @@
         "dns_records_name": "Nombre",
         "dns_records_status": "Información actual",
         "dns_records_type": "Tipo",
-        "optional": "Este récord es opcional."
+        "optional": "Este récord es opcional.",
+        "dns_records_docs": "Consulte también <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">la documentación</a>."
     },
     "edit": {
         "active": "Activo",
@@ -435,13 +658,79 @@
         "title": "Editar objeto",
         "unchanged_if_empty": "Si no hay cambios dejalo en blanco",
         "username": "Nombre de usuario",
-        "validate_save": "Validar y guardar"
+        "validate_save": "Validar y guardar",
+        "app_passwd_protocols": "Protocolos permitidos con contraseña de aplicación",
+        "domain_footer_info": "Los pies de página de dominio se añaden a todos los mensajes salientes remitidos por una dirección de dicho dominio.<br> Están disponibles las siguientes variables para el pie de página:",
+        "sender_acl_info": "Si el usuario del buzón A tiene permitido enviar como el buzón B, la dirección de remitente no se mostrará automáticamente como seleccionable en el campo \"De\" en SOGo.<br>\n  El usuario del buzón B necesitará crear una delegación en SOGo para permitir al usuario A seleccionar su dirección como remitente. Para delegar un buzón en SOGo, utilice el menú (tres puntos) a la derecha del nombre del buzón en la esquina superior izquierda, en la vista de correo. Este comportamiento no se aplica a direcciones alias.",
+        "sogo_access_info": "Tras iniciar sesión, el usuario será redirigido automáticamente a SOGo.",
+        "comment_info": "Un comentario privado no es visible para el usuario, mientras que un comentario público se muestra como descripción emergente al pasar el ratón en la vista general del usuario",
+        "quota_warning_bcc_info": "Los avisos se enviarán como copias separadas a los siguientes destinatarios. Se indicará en el asunto el usuario afectado entre paréntesis, como por ejemplo: <code>Aviso de cuota (usuario@ejemplo.com)</code>.",
+        "sogo_access": "Redirección directa a SOGo",
+        "sogo_visible_info": "Esta opción solamente afecta a objetos que puedan ser visualizados en SOGo (alias compartidos o no compartidos que apunten al menos a un buzón interno). Si se oculta, el alias no aparecerá como seleccionable en SOGo.",
+        "extended_sender_acl_info": "Se aconseja importar una clave de dominio DKIM, si está disponible.<br>\n  Recuerde añadir este servidor al registro SPF correspondiente.<br>\n  Siempre que se añada un dominio o alias a este servidor, que se superponga con una dirección externa, se eliminará la dirección externa.<br>\n  Utilice @dominio.tld para permitir enviar como *@dominio.tld.",
+        "pushover_info": "La configuración de notificaciones push se aplicará a todos los mensajes limpios (no spam) entregados a <b>%s</b> incluyendo alias (compartidos, no compartidos, etiquetados).",
+        "mbox_rl_info": "Este límite de peticiones se aplica al nombre de inicio de sesión SASL, coincide con cualquier dirección \"de\" que utilice el usuario conectado. Un límite de buzón tiene precedencia sobre un límite del dominio.",
+        "admin": "Editar administrador",
+        "none_inherit": "Ninguno / heredar",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Comprobación de remitente desactivada</span>",
+        "footer_exclude": "Excluir del pie de página",
+        "acl": "ACL (permisos)",
+        "advanced_settings": "Configuración avanzada",
+        "allow_from_smtp": "Permitir únicamente a las siguientes direcciones IP utilizar <b>SMTP</b>",
+        "allow_from_smtp_info": "Dejar en blanco para permitir cualquier remitente.<br>Direcciones y redes IPv4/IPv6.",
+        "allowed_protocols": "Protocolos permitidos para acceso directo del usuario (no afecta a protocolos con contraseña de aplicación)",
+        "app_name": "Nombre de aplicación",
+        "app_passwd": "Contraseña de aplicación",
+        "created_on": "Creado",
+        "custom_attributes": "Atributos personalizados",
+        "delete_ays": "Por favor, confirme el proceso de eliminación.",
+        "disable_login": "Deshabilitar inicio de sesión (se aceptará el correo entrante)",
+        "domain_footer": "Pie de página para todos los usuarios del dominio",
+        "domain_footer_html": "Pie de página HTML",
+        "domain_footer_skip_replies": "Descartar pie de página en correos de respuesta",
+        "extended_sender_acl": "Direcciones de remisión externas",
+        "generate": "generar",
+        "lookup_mx": "El destino es una expresión regular con la que contrastar el nombre MX (<code>.*\\.google\\.com</code> para dirigir todo el correo enviado a un MX que termine en google.com a través de este salto)",
+        "mailbox_relayhost_info": "Aplicable únicamente al buzón y sus alias directos, anula el host de retransmisión para el dominio",
+        "mailbox_rename": "Renombrar buzón",
+        "mailbox_rename_agree": "He creado una copia de seguridad.",
+        "mailbox_rename_warning": "¡IMPORTANTE! Realice una copia de seguridad antes de renombrar el buzón.",
+        "mailbox_rename_alias": "Crear alias automáticamente",
+        "mailbox_rename_title": "Nuevo nombre de buzón local",
+        "password_recovery_email": "Dirección de correo para recuperación de contraseña",
+        "private_comment": "Comentario privado",
+        "public_comment": "Comentario público",
+        "pushover": "Pushover",
+        "pushover_evaluate_x_prio": "Escalar correo de alta prioridad [<code>X-Priority: 1</code>]",
+        "pushover_sender_array": "Tener en cuenta únicamente las siguientes direcciones de correo de remitente <small>(separados por comas)</small>",
+        "pushover_text": "Texto de notificación",
+        "pushover_title": "Título de notificación",
+        "pushover_sound": "Sonido",
+        "pushover_verify": "Verificar credenciales",
+        "quota_warning_bcc": "CCO de aviso de cuota",
+        "ratelimit": "Límite de peticiones",
+        "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Información</div> Puede definir mapas de transporte para destinatarios personalizados para este dominio. Si no se establece, se realizará una búsqueda MX.",
+        "relay_unknown_only": "Reenviar solamente los buzones no existentes. Los buzones existentes se entregarán localmente.",
+        "sogo_visible": "Alias visible en SOGo.",
+        "spam_alias": "Crear o modificar alias temporales (con caducidad)",
+        "spam_filter": "Filtro de spam",
+        "spam_policy": "Añadir o eliminar elementos de la lista de bloqueo/desbloqueo",
+        "spam_score": "Establecer una puntuación de spam personalizada"
     },
     "footer": {
         "hibp_nok": "¡Se encontró coincidencia - esta es una contraseña <b>no segura</b>, selecciona otra!",
         "hibp_ok": "No se encontraron coincidencias",
         "loading": "Espera por favor...",
-        "restart_now": "Reiniciar ahora"
+        "restart_now": "Reiniciar ahora",
+        "restart_container": "Reiniciar contenedor",
+        "restart_container_info": "<b>Importante:</b> Un reinicio limpio puede llevar un tiempo. Por favor, espere a que finalice.",
+        "cancel": "Cancelar",
+        "confirm_delete": "Confirmar eliminación",
+        "delete_now": "Eliminar ahora",
+        "delete_these_items": "Confirme sus cambios para el siguiente ID de objeto",
+        "hibp_check": "Comprobar en haveibeenpwned.com",
+        "nothing_selected": "Nada seleccionado",
+        "restarting_container": "Reiniciando contenedor, puede llevar un tiempo"
     },
     "header": {
         "administration": "Administración",
@@ -450,17 +739,38 @@
         "mailcow_config": "Configuración",
         "quarantine": "Cuarentena",
         "restart_sogo": "Reiniciar SOGo",
-        "user_settings": "Configuraciones de usuario"
+        "user_settings": "Configuraciones de usuario",
+        "mailcow_system": "Sistema",
+        "apps": "Aplicaciones",
+        "restart_netfilter": "Reiniciar netfilter"
     },
     "info": {
         "awaiting_tfa_confirmation": "En espera de confirmación de TFA",
-        "no_action": "No hay acción aplicable"
+        "no_action": "No hay acción aplicable",
+        "session_expires": "Su sesión expirará en unos 15 segundos"
     },
     "login": {
         "delayed": "El inicio de sesión ha sido retrasado %s segundos.",
         "login": "Inicio de sesión",
         "password": "Contraseña",
-        "username": "Nombre de usuario"
+        "username": "Nombre de usuario",
+        "login_admin": "Inicio de sesión de administrador",
+        "invalid_pass_reset_token": "El token de restablecimiento de contraseña no es válido o ha caducado.<br>Solicite un nuevo enlace de restablecimiento de contraseña.",
+        "fido2_webauthn": "Inicio de sesión FIDO2/WebAuthn",
+        "forgot_password": "> ¿Contraseña olvidada?",
+        "mobileconfig_info": "Inicie sesión como usuario de buzón para descargar el perfil de conexión solicitado para dispositivos Apple.",
+        "new_password": "Nueva contraseña",
+        "back_to_mailcow": "Volver a mailcow",
+        "login_linkstext": "¿Sesión incorrecta?",
+        "login_usertext": "Iniciar sesión como usuario",
+        "login_domainadmintext": "Iniciar sesión como administrador de dominio",
+        "login_admintext": "Iniciar sesión como administrador",
+        "login_user": "Inicio de sesión de usuario",
+        "login_dadmin": "Inicio de sesión de administrador de dominio",
+        "new_password_confirm": "Confirmar nueva contraseña",
+        "other_logins": "o iniciar sesión con",
+        "reset_password": "Restablecer contraseña",
+        "request_reset_password": "Solicitar cambio de contraseña"
     },
     "mailbox": {
         "action": "Acción",
@@ -572,7 +882,67 @@
         "toggle_all": "Selecionar todo",
         "username": "Nombre de usuario",
         "waiting": "Esperando",
-        "weekly": "Cada semana"
+        "weekly": "Cada semana",
+        "sieve_preset_4": "Colocar en bandeja de entrada, omitir procesamiento posterior en filtros de sieve",
+        "goto_spam": "Aprender como <b>correo no deseado</b>",
+        "sieve_preset_header": "Vea los preajustes de ejemplo más abajo. Para más detalles, consulte <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a>.",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nombre de usuario o contraseña incorrectos",
+        "tls_policy_maps_enforced_tls": "Estas políticas tendrán precedencia también para aquellos usuarios de buzones en los que sea obligatoria una conexión TLS. Si no se indica ninguna política a continuación, dichos usuarios aplicarán los valores predeterminados que se especifiquen en <code>smtp_tls_mandatory_protocols</code> y <code>smtp_tls_mandatory_ciphers</code>.",
+        "alias_domain_alias_hint": "Los alias <b>no</b> se aplican a dominios de alias automáticamente. Una dirección alias <code>mi-alias@dominio</code> <b>no cubre</b> la dirección <code>mi-alias@dominio-alias</code> (donde \"dominio-alias\" es un hipotético alias para el dominio \"dominio\").<br>Utilice un filtro sieve para redirigir el correo a un buzón externo (ver la pestaña \"Filtros\" o utilice SOGo -> Desvío). Utilice \"expandir alias a dominio de alias\" para agregar automáticamente los alias que falten.",
+        "domain_templates": "Plantillas de dominio",
+        "sieve_preset_1": "Desechar correo con tipos de archivo probablemente peligrosos",
+        "created_on": "Creado",
+        "disable_login": "No permitir iniciar sesión (se seguirá aceptando el correo entrante)",
+        "mailbox": "Buzón",
+        "mailbox_defaults": "Ajustes por defecto",
+        "sogo_visible_y": "Mostrar alias en SOGo",
+        "spam_aliases": "Alias temporal",
+        "add_template": "Añadir plantilla",
+        "all_domains": "Todos los dominios",
+        "allow_from_smtp": "Permitir únicamente a estas direcciones IP utilizar <b>SMTP</b>",
+        "allow_from_smtp_info": "Dejar vacío para permitir cualquier remitente.<br>Direcciones y redes IPv4/IPv6.",
+        "allowed_protocols": "Protocolos permitidos",
+        "goto_ham": "Aprender como <b>correo deseado</b>",
+        "iam": "Proveedor de identidad",
+        "insert_preset": "Insertar valor predeterminado de ejemplo \"%s\"",
+        "last_mail_login": "Último acceso al correo",
+        "last_pw_change": "Último cambio de contraseña",
+        "mailbox_defaults_info": "Definir configuración por defecto para nuevos buzones.",
+        "mailbox_templates": "Plantillas de buzón",
+        "no": "&#10005;",
+        "open_logs": "Abrir registros",
+        "owner": "Propietario",
+        "private_comment": "Comentario privado",
+        "public_comment": "Comentario público",
+        "q_add_header": "al mover a carpeta de Spam",
+        "q_all": " al mover a carpeta de Spam y al rechazar",
+        "q_reject": "al rechazar",
+        "quarantine_category": "Categoría de notificación de cuarentena",
+        "recipient": "Destinatario",
+        "relay_unknown": "Retransmitir buzones desconocidos",
+        "sender": "Remitente",
+        "sieve_preset_2": "Marcar siempre el correo de un remitente específico como leído",
+        "sieve_preset_3": "Descartar silenciosamente, detener procesado de sieve",
+        "sieve_preset_5": "Respuesta automática (vacaciones)",
+        "sieve_preset_6": "Rechazar correo con respuesta",
+        "sieve_preset_7": "Redireccionar y guardar/descartar",
+        "sieve_preset_8": "Redirigir correo de un remitente específico, marcarlo como leído y clasificarlo en subcarpeta",
+        "sogo_visible": "Alias visible en SOGo",
+        "sogo_visible_n": "Ocultar alias en SOGo",
+        "stats": "Estadísticas",
+        "syncjob_check_log": "Comprobar registros",
+        "syncjob_last_run_result": "Resultado de la última ejecución",
+        "syncjob_EX_OK": "Éxito",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Problema de conexión",
+        "syncjob_EXIT_TLS_FAILURE": "Problema con la conexión cifrada",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problema de autenticación",
+        "syncjob_EXIT_OVERQUOTA": "El buzón de destino ha superado la cuota",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "No es posible conectar con el servidor remoto",
+        "table_size": "Tamaño de la tabla",
+        "table_size_show_n": "Mostrar %s elementos",
+        "templates": "Plantillas",
+        "template": "Plantilla",
+        "yes": "&#10003;"
     },
     "oauth2": {
         "access_denied": "Inicie sesión como propietario del buzón para otorgar acceso a través de OAuth2.",
@@ -614,7 +984,13 @@
         "subj": "Asunto",
         "text_from_html_content": "Contenido (html convertido)",
         "text_plain_content": "Contenido (text/plain)",
-        "toggle_all": "Seleccionar todos"
+        "toggle_all": "Seleccionar todos",
+        "confirm": "Confirmar",
+        "deliver_inbox": "Entregar en bandeja de entrada",
+        "download_eml": "Descargar (.eml)",
+        "info": "Información",
+        "junk_folder": "Carpeta de correo no deseado",
+        "notified": "Notificado"
     },
     "queue": {
         "queue_manager": "Administrador de cola"
@@ -773,11 +1149,55 @@
         "waiting": "Esperando",
         "week": "Semana",
         "weekly": "Cada semana",
-        "weeks": "Semanas"
+        "weeks": "Semanas",
+        "with_app_password": "con contraseña de aplicación",
+        "year": "año",
+        "years": "años"
     },
     "warning": {
         "domain_added_sogo_failed": "Se agregó el dominio pero no se pudo reiniciar SOGo, revisa los logs del servidor.",
         "fuzzy_learn_error": "Error aprendiendo hash: %s",
-        "ip_invalid": "IP inválida omitida: %s"
+        "ip_invalid": "IP inválida omitida: %s",
+        "cannot_delete_self": "No se puede eliminar el usuario conectado"
+    },
+    "datatables": {
+        "collapse_all": "Contraer todo",
+        "aria": {
+            "sortAscending": ": activar para ordenar ascendentemente según la columna",
+            "sortDescending": ": activar para ordenar descendentemente según la columna"
+        },
+        "infoEmpty": "Mostrando 0 a 0 de 0 apuntes",
+        "paginate": {
+            "last": "Última",
+            "next": "Siguiente",
+            "previous": "Anterior",
+            "first": "Primero"
+        },
+        "processing": "Espere, por favor...",
+        "decimal": ".",
+        "emptyTable": "Sin datos disponibles en la tabla",
+        "expand_all": "Ampliar todo",
+        "info": "Mostrando apuntes _START_ a _END_ de _TOTAL_",
+        "infoFiltered": "(filtrado a partir de _MAX_ entradas totales)",
+        "thousands": ",",
+        "lengthMenu": "Mostrar entradas de _MENU_",
+        "loadingRecords": "Cargando...",
+        "search": "Buscar:",
+        "zeroRecords": "No se han encontrado registros coincidentes"
+    },
+    "fido2": {
+        "set_fido2": "Registrar dispositivo FIDO2",
+        "set_fido2_touchid": "Registrar Touch ID en Apple M1",
+        "set_fn": "Establecer nombre amistoso (fácil de recordar)",
+        "confirm": "Confirmar",
+        "fido2_auth": "Iniciar sesión con FIDO2",
+        "fido2_success": "Dispositivo registrado con éxito",
+        "fido2_validation_failed": "Validación fallida",
+        "fn": "Nombre amistoso (fácil de recordar)",
+        "known_ids": "ID conocidas",
+        "none": "Deshabilitado",
+        "register_status": "Estado de registro",
+        "rename": "Renombrar",
+        "start_fido2_validation": "Iniciar validación FIDO2"
     }
 }
diff --git a/data/web/lang/lang.pt-br.json b/data/web/lang/lang.pt-br.json
index 57a4abd3d..f9c08ef02 100644
--- a/data/web/lang/lang.pt-br.json
+++ b/data/web/lang/lang.pt-br.json
@@ -359,7 +359,12 @@
         "username": "Nome de usuário",
         "validate_license_now": "Valide o GUID em relação ao servidor de licenças",
         "verify": "Verificar",
-        "yes": "✓"
+        "yes": "✓",
+        "iam_client_id": "ID de cliente",
+        "iam_client_secret": "Senha de cliente",
+        "iam_auth_flow": "Fluxo de autenticação",
+        "iam_client_scopes": "Escopo do cliente",
+        "iam_default_template": "Template Padrão"
     },
     "danger": {
         "access_denied": "Acesso negado ou dados de formulário inválidos",
@@ -508,7 +513,7 @@
         "infoFiltered": "(filtrado do total de entradas _MAX_)",
         "infoPostFix": "",
         "thousands": ",",
-        "lengthMenu": "Mostrar _ MENU_ entradas",
+        "lengthMenu": "Mostrar _MENU_ entradas",
         "loadingRecords": "Carregando...",
         "processing": "Por favor, aguarde...",
         "search": "Pesquisa:",
diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 474328e38..35c4eaa96 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -20,7 +20,7 @@
         "sogo_access": "Dovoli upravljanje SOGo dostopa",
         "sogo_profile_reset": "Ponastavi SOGo profil",
         "spam_alias": "Začasni vzdevki",
-        "spam_policy": "Črna lista/Bela lista",
+        "spam_policy": "Seznam zavrnjenih/dovoljenih",
         "spam_score": "Ocena neželene pošte",
         "tls_policy": "Politika TLS",
         "unlimited_quota": "Neomejena kvota za poštne predale",
@@ -172,7 +172,7 @@
         "excludes": "Izključuje te prejemnike",
         "f2b_ban_time": "Čas blokade (s)",
         "f2b_ban_time_increment": "Čas blokade se poveča z vsako blokado",
-        "f2b_blacklist": "Mreže/gostitelji na blacklisti",
+        "f2b_blacklist": "Omrežja/gostitelji na seznamu zavrnjenih",
         "f2b_filter": "Regex filtri",
         "f2b_max_attempts": "Največ poskusov",
         "f2b_max_ban_time": "Maksimalno trajanje blokade (s)",
@@ -181,7 +181,7 @@
         "f2b_parameters": "Fail2ban parametri",
         "f2b_regex_info": "Upoštevajo se dnevniki SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Upoštevan čas (s) za največ poskusov",
-        "f2b_whitelist": "Mreže/gostitelji na whitelisti",
+        "f2b_whitelist": "Omrežja/gostitelji na seznamu dovoljenih",
         "filter_table": "Filtriraj tabelo",
         "from": "Od",
         "generate": "ustvari",
@@ -281,16 +281,16 @@
         "rspamd_com_settings": "Ime nastavitve bo samodejno generirano. Prosim oglejte si primere nastavitev spodaj. Za več informacij si oglejte <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">dokumentacijo Rspamd</a>",
         "rspamd_global_filters": "Globalne preslikave filtrov",
         "rspamd_global_filters_agree": "Previden bom!",
-        "rspamd_global_filters_info": "Globalne preslikave filtrov vsebujejo različne vrste globalnih blacklist in whitelist.",
+        "rspamd_global_filters_info": "Globalni filtri vsebujejo različne vrste globalnih seznamov zavrnjenih in dovoljenih vsebin.",
         "add_admin": "Dodaj skrbnika",
         "add_relayhost_hint": "Prosimo zavedajte se, da se podatki za avtentikacijo, če obstajajo, shranijo v golo besedilo.",
         "admin": "Skrbnik",
         "api_allow_from": "Dovoli API dostop s teh IP naslovov / CIDR mrežnih zapisov",
         "apps_name": "Ime aplikacije v mailcow",
-        "ban_list_info": "Oglejte si seznam blokiranih IP naslovov spodaj: <b>network (remaining ban time) - [actions]</b>.<br />. IPji v vrsti za odstranitev blokade bodo odstranjeni iz aktivnega seznama blokad v nekaj sekundah.<br />Rdeče oznake prikazujejo trajne blokade z blacklisto.",
+        "ban_list_info": "Spodaj si oglejte seznam prepovedanih IP-jev: <b>omrežje (preostali čas prepovedi) - [dejanja]</b>.<br />IP-ji, ki so v čakalni vrsti za odpravo prepovedi, bodo v nekaj sekundah odstranjeni s seznama aktivnih prepovedi.<br />Rdeče oznake označujejo aktivne trajne prepovedi s seznama zavrnjenih.",
         "dkim_key_length": "Dolžina DKIM ključa (v bitih)",
         "dkim_to_title": "Ciljne domene bodo prepisane",
-        "f2b_list_info": "Gostitelj ali omrežje na blacklisti bo vedno prevladal zapis na whitelisti. <b>Apliciranje sprememb seznama traja nekaj sekund.</b>",
+        "f2b_list_info": "Gostitelj ali omrežje na seznamu zavrnjenih bo vedno imelo prednost pred entiteto na seznamu dovoljenih. <b>Posodobitve seznama bodo trajale nekaj sekund, da se uporabijo.</b>",
         "forwarding_hosts": "Gostitelji za posredovanje",
         "forwarding_hosts_add_hint": "Lahko vpišete IPv4/IPv6 naslove, mreže v CIDR obliki, imena gostiteljev (kateri se prevedejo v IP naslove) ali imena domen (katera se prevedejo v IP naslove glede na poizvedbo po SPF zapisih, v primeru manjkajočih zapisov pa MX zapisih).",
         "forwarding_hosts_hint": "Dohodna sporočila so brezpogojno sprejeta od katerih koli gostiteljev v tem seznamu. Ti gostitelji se ne bodo preverjali po DNSBL seznamih in ne bodo dodani v greyliste. Prejeti spam s teh gostiteljev ni nikoli zavrnjen, opcijsko pa se lahko premakne v mapo neželene pošte. Najpogostejša uporaba za to je navedba poštnih strežnikov, iz katerih ste nastavili pravilo za posredovanje pošte na vaš mailcow strežnik.",
@@ -306,7 +306,7 @@
         "relayhosts_hint": "Določite transporte glede na pošiljatelja, da jih lahko izberete v konfiguraciji domene.<br>\nTransportni servis je vedno \"smtp:\" in bo poskušal s TLS ko bo na voljo. Wrapped TLS (SMTPS) ni podprto. Upošteva se uporabnikova politika odhodnega TLS.<br>\nVpliva na izbrane domene vključno z alias domenami.",
         "transport_dest_format": "Regex ali sintaksa: example.org, .example.org, *, box@example.org (več vrednosti ločite z vejico)",
         "transport_test_rcpt_info": "&#8226; Uporabite null@hosted.mailcow.de za testiranje relaya na drugo destinacijo.",
-        "rspamd_global_filters_regex": "Njihovi nazivi pojasnijo njihov namen. Vsa vsebina mora imeti veljaven regular expression v obliki \"/pattern/options\" (npr. <code>/.+@domain\\.tld/i</code>).<br>\nČeprav se v vsaki vrstici regexa izvedejo osnovni pregledi, je lahko funkcionalnost programa Rspamd motena, če sintaksa ni pravilna.<br>\nRspamd bo poskušal prebrati vsebino preslikave, ko bo spremenjena. Če imate težave, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">ponovno zaženite Rspamd</a>, da prisilite ponovno nalaganje preslikav.<br> Elementi z Blackliste so izključeni iz karantene.",
+        "rspamd_global_filters_regex": "Njihovi nazivi pojasnijo njihov namen. Vsa vsebina mora imeti veljaven regular expression v obliki \"/pattern/options\" (npr. <code>/.+@domain\\.tld/i</code>).<br>\nČeprav se v vsaki vrstici regexa izvedejo osnovni pregledi, je lahko funkcionalnost programa Rspamd motena, če sintaksa ni pravilna.<br>\nRspamd bo poskušal prebrati vsebino preslikave, ko bo spremenjena. Če imate težave, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">ponovno zaženite Rspamd</a>, da prisilite ponovno nalaganje preslikav.<br> Elementi na seznamu zavrnjenih so izključeni iz karantene.",
         "rspamd_settings_map": "Preslikava nastavitev Rspamd",
         "sal_level": "Moo stopnja",
         "save": "Shrani spremembe",
@@ -408,7 +408,8 @@
         "restore_template": "Za obnovitev privzete predloge pustite polje prazno.",
         "task": "Naloga",
         "user_link": "Uporabniška povezava",
-        "iam_realm": "Realm"
+        "iam_realm": "Realm",
+        "needs_restart": "potreben je ponovni zagon"
     },
     "danger": {
         "alias_goto_identical": "Alias in goto naslov morata biti identična",
@@ -745,7 +746,7 @@
         "sogo_visible_info": "Ta možnost vpliva samo na objekte, ki jih je mogoče prikazati v SOGo (naslovi aliasov v skupni rabi ali brez nje, ki kažejo na vsaj en lokalni poštni predal). Če je skrita, vzdevek ne bo prikazan kot izbirni pošiljatelj v SOGo.",
         "spam_alias": "Ustvarjanje ali spreminjanje časovno omejenih vzdevkovnih naslovov",
         "spam_filter": "Filter neželene pošte",
-        "spam_policy": "Dodajanje ali odstranjevanje elementov na beli/črni seznam",
+        "spam_policy": "Dodajanje ali odstranjevanje elementov na seznam dovoljenih/zavrnjenih",
         "spam_score": "Nastavite oceno neželene pošte po meri",
         "subfolder2": "Sinhroniziraj v podmapo na cilju<br><small>(prazno = ne uporabi podmape)</small>",
         "syncjob": "Urejanje sinhronizacijskega opravila",
@@ -1013,7 +1014,7 @@
         "medium_danger": "Srednje",
         "notified": "Obveščen",
         "low_danger": "Nizko",
-        "qinfo": "Sistem karantene bo zavrnjeno pošto shranil v zbirko podatkov (pošiljatelj ne bo imel vtisa, da je bila pošta dostavljena), prav tako pa bo pošto, ki bo dostavljena kot kopija, shranil v mapo »Neželena pošta« v nabiralniku.\n<br>»Uči kot neželeno pošto in izbriši« bo sporočilo prepoznal kot neželeno pošto prek Bayesovega izreka in izračunal tudi mehke zgoščene vrednosti, da bi v prihodnje zavrnil podobna sporočila.\n<br>Upoštevajte, da je učenje več sporočil lahko – odvisno od vašega sistema – zamudno.<br>Elementi na črnem seznamu so izključeni iz karantene.",
+        "qinfo": "Sistem karantene bo zavrnjeno pošto shranil v zbirko podatkov (pošiljatelj ne bo imel vtisa, da je bila pošta dostavljena), prav tako pa bo pošto, ki bo dostavljena kot kopija, shranil v mapo »Neželena pošta« v nabiralniku.\n<br>»Uči kot neželeno pošto in izbriši« bo sporočilo prepoznal kot neželeno pošto prek Bayesovega izreka in izračunal tudi mehke zgoščene vrednosti, da bi v prihodnje zavrnil podobna sporočila.\n<br>Upoštevajte, da je učenje več sporočil lahko – odvisno od vašega sistema – zamudno.<br>Elementi na seznamu zavrnjenih so izključeni iz karantene.",
         "junk_folder": "Mapa z neželeno pošto",
         "action": "Dejanje",
         "atts": "Priloge",
@@ -1232,8 +1233,8 @@
         "pushover_vars": "Če filter pošiljatelja ni definiran, bodo upoštevana vsa e-poštna sporočila.<br>Filtre regularnih izrazov in natančna preverjanja pošiljateljev je mogoče definirati posamično in bodo obravnavana zaporedno. Niso odvisna drug od drugega.<br>Uporabne spremenljivke za besedilo in naslov (upoštevajte pravilnike o varstvu podatkov)",
         "quarantine_notification_info": "Ko je obvestilo poslano, bodo elementi označeni kot »obveščeni« in za ta določen element ne bodo poslana nobena nadaljnja obvestila.",
         "verify": "Preveri",
-        "spamfilter_bl_desc": "E-poštni naslovi na črnem seznamu, ki jih <b>vedno</b> razvrstite kot neželeno pošto in zavrnete. Zavrnjena pošta <b>ne</b> bo kopirana v karanteno. Uporabite lahko nadomestne znake. Filter se uporabi samo za neposredne vzdevke (vzdevke z enim samim ciljnim nabiralnikom), izključujoč vseobsegajoče vzdevke in sam nabiralnik.",
-        "spamfilter_wl_desc": "E-poštni naslovi na belem seznamu so programirani tako, da se <b>nikoli</b> ne razvrstijo kot neželena pošta. Uporabijo se lahko nadomestni znaki. Filter se uporabi samo za neposredne vzdevke (vzdevke z enim samim ciljnim poštnim predalom), izključujoč vseobsegajoče vzdevke in sam poštni predal.",
+        "spamfilter_bl_desc": "E-poštni naslovi na seznamu zavrnjenih, ki bodo <b>vedno</b> razvrščeni kot neželena pošta in zavrnjeni. Zavrnjena pošta <b>ne</b> bo kopirana v karanteno. Uporabite lahko nadomestne znake. Filter se uporabi samo za neposredne vzdevke (vzdevke z enim samim ciljnim nabiralnikom), izključujoč vseobsegajoče vzdevke in sam nabiralnik.",
+        "spamfilter_wl_desc": "E-poštni naslovi na seznamu dovoljenih so programirani tako, da se <b>nikoli</b> ne razvrstijo kot neželena pošta. Uporabijo se lahko nadomestni znaki. Filter se uporabi samo za neposredne vzdevke (vzdevke z enim samim ciljnim poštnim predalom), izključujoč vseobsegajoče vzdevke in sam poštni predal.",
         "tls_policy_warning": "<strong>Opozorilo:</strong> Če se odločite za uveljavitev šifriranega prenosa pošte, lahko izgubite e-pošto.<br>Sporočila, ki ne ustrezajo pravilniku, bo poštni sistem zavrnil s popolno napako.<br>Ta možnost velja za vaš primarni e-poštni naslov (prijavno ime), vse naslove, izpeljane iz vzdevkov domen, in vzdevke, <b>ki imajo samo ta en poštni predal</b> kot cilj.",
         "allowed_protocols": "Dovoljeni protokoli",
         "title": "Naslov",
@@ -1341,7 +1342,7 @@
         "spam_score_reset": "Ponastavi na privzete nastavitve strežnika",
         "spamfilter": "Filter neželene pošte",
         "spamfilter_behavior": "Ocena",
-        "spamfilter_bl": "Črna lista",
+        "spamfilter_bl": "Seznam zavrnjenih",
         "spamfilter_default_score": "Privzete vrednosti",
         "spamfilter_green": "Zelena: to sporočilo ni neželena pošta",
         "spamfilter_hint": "Prva vrednost opisuje »nizko oceno neželene pošte«, druga pa »visoko oceno neželene pošte«.",
@@ -1352,7 +1353,7 @@
         "spamfilter_table_empty": "Ni podatkov za prikaz",
         "spamfilter_table_remove": "odstrani",
         "spamfilter_table_rule": "Pravilo",
-        "spamfilter_wl": "Bela lista",
+        "spamfilter_wl": "Seznam dovoljenih",
         "spamfilter_yellow": "Rumena: to sporočilo je morda neželena pošta, označeno bo kot neželena pošta in premaknjeno v mapo z neželeno pošto",
         "status": "Stanje",
         "sync_jobs": "Sinhronizacija opravil",

From 6b8e981bdc4e647c9c39638c259d4ff7b1945e2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paul=20S=C3=BCtterlin?= <paul@paulsuetterlin.de>
Date: Sat, 26 Jul 2025 01:06:24 +0000
Subject: [PATCH 280/378] fix: Only use HTTP_ORIGIN if it is sent.

---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index edf428d5a..55329e73a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2211,7 +2211,7 @@ function cors($action, $data = null) {
       $cors_settings['allowed_origins'] = $allowed_origins[0];
       if (in_array('*', $allowed_origins)){
         $cors_settings['allowed_origins'] = '*';
-      } else if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
+      } else if (array_key_exists('HTTP_ORIGIN', $_SERVER) && in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
         $cors_settings['allowed_origins'] = $_SERVER['HTTP_ORIGIN'];
       }
       // always allow OPTIONS for preflight request

From 3d5b57889a3169dbe835febd4a832701684af44b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paul=20S=C3=BCtterlin?= <paul@paulsuetterlin.de>
Date: Sat, 26 Jul 2025 01:08:16 +0000
Subject: [PATCH 281/378] fix: Empty App Links

The return value of the function caused a warning
in header.inc.php:42 if no additional links were set.

header.inc.php is the only caller of this function,
thus it is safe to return an empty array here.
---
 data/web/inc/functions.customize.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index 1d19066d2..56527ff96 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -293,7 +293,7 @@ function customize($_action, $_item, $_data = null) {
           }
 
           if (empty($app_links)){
-            return false;
+            return [];
           }
 
           // convert from old style

From ad9b328ed56316efbfb8606088897194ba2bb20f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paul=20S=C3=BCtterlin?= <paul@paulsuetterlin.de>
Date: Sat, 26 Jul 2025 01:12:48 +0000
Subject: [PATCH 282/378] fix: Undefined array key "pending_tfa_methods" in
 /web/inc/footer.inc.php on line 29

---
 data/web/inc/footer.inc.php | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index ac1bff033..ecc4ddce1 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -26,23 +26,25 @@ if (is_array($alertbox_log_parser)) {
 
 // map tfa details for twig
 $pending_tfa_authmechs = [];
-foreach($_SESSION['pending_tfa_methods'] as $authdata){
-  $pending_tfa_authmechs[$authdata['authmech']] = false;
-}
-if (isset($pending_tfa_authmechs['webauthn'])) {
-  $pending_tfa_authmechs['webauthn'] = true;
-}
-if (!isset($pending_tfa_authmechs['webauthn']) 
-    && isset($pending_tfa_authmechs['yubi_otp'])) {
-  $pending_tfa_authmechs['yubi_otp'] = true;
-}
-if (!isset($pending_tfa_authmechs['webauthn']) 
-    && !isset($pending_tfa_authmechs['yubi_otp'])
-    && isset($pending_tfa_authmechs['totp'])) {
-  $pending_tfa_authmechs['totp'] = true;
-}
-if (isset($pending_tfa_authmechs['u2f'])) {
-  $pending_tfa_authmechs['u2f'] = true;
+if (array_key_exists('pending_tfa_methods', $_SESSION)) {
+  foreach($_SESSION['pending_tfa_methods'] as $authdata){
+    $pending_tfa_authmechs[$authdata['authmech']] = false;
+  }
+  if (isset($pending_tfa_authmechs['webauthn'])) {
+    $pending_tfa_authmechs['webauthn'] = true;
+  }
+  if (!isset($pending_tfa_authmechs['webauthn']) 
+      && isset($pending_tfa_authmechs['yubi_otp'])) {
+    $pending_tfa_authmechs['yubi_otp'] = true;
+  }
+  if (!isset($pending_tfa_authmechs['webauthn']) 
+      && !isset($pending_tfa_authmechs['yubi_otp'])
+      && isset($pending_tfa_authmechs['totp'])) {
+    $pending_tfa_authmechs['totp'] = true;
+  }
+  if (isset($pending_tfa_authmechs['u2f'])) {
+    $pending_tfa_authmechs['u2f'] = true;
+  }
 }
 
 // globals

From 795bcdc5d225f69eb64793adedb10041f46953a2 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sun, 27 Jul 2025 19:30:10 +0200
Subject: [PATCH 283/378] [Web] Updated lang.ru-ru.json (#6654)

---
 data/web/lang/lang.ru-ru.json | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/data/web/lang/lang.ru-ru.json b/data/web/lang/lang.ru-ru.json
index e17327978..b0180256d 100644
--- a/data/web/lang/lang.ru-ru.json
+++ b/data/web/lang/lang.ru-ru.json
@@ -184,7 +184,7 @@
         "excludes": "Исключает этих получателей",
         "f2b_ban_time": "Время бана (в секундах)",
         "f2b_ban_time_increment": "Время бана увеличивается с каждым баном",
-        "f2b_blacklist": "Черный список подсетей/хостов",
+        "f2b_blacklist": "Черный список сетей/хостов",
         "f2b_filter": "Правила фильтрации с помощью регулярных выражений",
         "f2b_list_info": "Хосты или подсети, занесенные в черный список, всегда будут перевешивать объекты из белого списка. <b>Обновление списка займет несколько секунд.</b>",
         "f2b_manage_external": "Внешнее управление Fail2Ban",
@@ -196,7 +196,7 @@
         "f2b_parameters": "Настройки Fail2ban",
         "f2b_regex_info": "Журналы которые принимаются во внимание: SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Промежуток времени для следующего бана (в секундах)",
-        "f2b_whitelist": "Белый список подсетей/хостов",
+        "f2b_whitelist": "Белый список сетей/хостов",
         "filter_table": "Поиск",
         "forwarding_hosts": "Переадресация хостов",
         "forwarding_hosts_add_hint": "Можно указывать: IPv4/IPv6 подсети в нотации CIDR, имена хостов (которые будут разрешаться в IP-адреса) или доменные имена (которые будут решаться с IP-адресами путем запроса SPF записей или, в случае их отсутствия - запросом MX записей).",
@@ -319,7 +319,7 @@
         "rspamd_global_filters": "Глобальные правила фильтрации",
         "rspamd_global_filters_agree": "Я понимаю, что я делаю, и буду осторожен!",
         "rspamd_global_filters_info": "Глобальные правила фильтрации содержат различные виды глобальных черных и белых списков.",
-        "rspamd_global_filters_regex": "Названия фильтров отражают их предназначение. Все правила должены состоять из регулярных выражений в формате \"/pattern/options\" (например: <code>/.+@domain\\.tld/i</code>).<br>\r\nНесмотря на то, что перед сохранением правил выполняется проверка регулярных выражений, функциональность Rspamds может быть нарушена, если будет использован<br>\r\n некорректный синтаксис. Будьте внимательны при написании правил.<br>Электронные письма от адресов электронной почты, проходящие по регулярным выражениям черных списков, будут отклонены без сохранения в карантин.<br>\r\n Rspamd попытается прочитать содержимое правил при их изменении. Но, если что, вы можете <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">перезапустить Rspamd</a>, чтобы принять последние изменения принудительно.",
+        "rspamd_global_filters_regex": "Названия фильтров отражают их предназначение. Все правила должны состоять из регулярных выражений в формате \"/pattern/options\" (например: <code>/.+@domain\\.tld/i</code>).<br>\nНесмотря на то, что перед сохранением правил выполняется проверка регулярных выражений, функциональность Rspamds может быть нарушена, если будет использован<br>\n некорректный синтаксис. Будьте внимательны при написании правил.<br>Электронные письма от адресов электронной почты, проходящие по регулярным выражениям черных списков, будут отклонены без сохранения в карантин.<br>\n Rspamd попытается прочитать содержимое правил при их изменении. Но, если что, вы можете <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">перезапустить Rspamd</a>, чтобы принять последние изменения принудительно.",
         "rspamd_settings_map": "Правила Rspamd",
         "sal_level": "Уровень Муу",
         "save": "Сохранить изменения",
@@ -408,7 +408,8 @@
         "iam_host": "Хост",
         "iam_host_info": "Укажите один или несколько LDAP-хостов через запятую.",
         "iam_import_users": "Импорт пользователей",
-        "admin_quicklink": "Скрыть ссылку на вход для администраторов"
+        "admin_quicklink": "Скрыть ссылку на вход для администраторов",
+        "needs_restart": "необходим перезапуск"
     },
     "danger": {
         "access_denied": "Доступ запрещён, или указаны неверные данные",
@@ -750,7 +751,7 @@
         "sogo_visible_info": "Влияет только на объекты, которые могут отображаться в SOGo (персональные или общие псевдонимы, указывающие как минимум на один локальный почтовый аккаунт). Учтите, что если функция отключена, у пользователей не будет возможности выбрать адрес псевдонима в качестве отправителя в SOGo.",
         "spam_alias": "Создать или изменить временные (спам) псевдонимы",
         "spam_filter": "Спам фильтр",
-        "spam_policy": "Добавление или удаление элементов в белом/черном списке",
+        "spam_policy": "Добавить или удалить элементы белого/черного списка",
         "spam_score": "Задать индивидуальное определение спама",
         "subfolder2": "Синхронизировать в подпапку<br><small>(пусто = в корень)</small>",
         "syncjob": "Изменить задание синхронизации",
@@ -1039,7 +1040,7 @@
         "notified": "Увед.",
         "qhandler_success": "Запрос успешно отправлен в систему. Теперь вы можете закрыть окно.",
         "qid": "Rspamd QID",
-        "qinfo": "Карантин сохраняет входящие сообщения, классифицированные как нежелательные, в базу данных.\r\n  <br>Отправители писем, которые помечены как отвергнутые, будут уверены что их письма <b>не</b> были доставлены вам.\r\n  <br>\"Освободить из карантина\" изучит сообщение как полезную почту; по теореме Байеса и доставит его вам в Inbox.\r\n  <br>\"Запомнить как спам и удалить\" изучит сообщение как спам по теореме Байеса, а также вычислит нечёткие хэши, чтобы лучше блокировать подобные сообщения в дальнейшем.\r\n  <br>Учтите, что в зависимости от технических характеристик вашей системы, изучение большого количества сообщений может занять много времени.",
+        "qinfo": "Карантин сохраняет входящие сообщения, классифицированные как нежелательные, в базу данных.\n  <br>Отправители писем, которые помечены как отвергнутые, будут уверены что их письма <b>не</b> были доставлены вам.\n  <br>\"Освободить из карантина\" изучит сообщение как полезную почту; по теореме Байеса и доставит его вам в Inbox.\n  <br>\"Запомнить как спам и удалить\" изучит сообщение как спам по теореме Байеса, а также вычислит нечёткие хэши, чтобы лучше блокировать подобные сообщения в дальнейшем.\n  <br>Учтите, что в зависимости от технических характеристик вашей системы, изучение большого количества сообщений может занять много времени.",
         "qitem": "Обьект карантина",
         "quarantine": "Карантин",
         "quick_actions": "Действия",

From 2e9ba1e9b31deec42b0cbdde4889bce3fb4a91b1 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 5 Aug 2025 00:37:47 +0200
Subject: [PATCH 284/378] update postscreen_access.cidr (#6660)

---
 data/conf/postfix/postscreen_access.cidr | 38 ++++++++++++++++--------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 259bd062b..4453feca3 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Tue Jul  1 00:22:55 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Fri Aug  1 00:24:14 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2105 total rules
+# 2166 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
@@ -42,7 +42,7 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.246.51	permit
+13.107.253.40	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -120,7 +120,6 @@
 27.123.206.56/29	permit
 27.123.206.76/30	permit
 27.123.206.80/28	permit
-31.25.48.222	permit
 31.47.251.17	permit
 31.186.239.0/24	permit
 34.2.64.0/22	permit
@@ -156,6 +155,7 @@
 34.218.115.239	permit
 34.218.116.3	permit
 34.225.212.172	permit
+34.241.242.183	permit
 35.83.148.184	permit
 35.155.198.111	permit
 35.158.23.94	permit
@@ -256,6 +256,7 @@
 50.112.246.219	permit
 52.1.14.157	permit
 52.5.230.59	permit
+52.6.74.205	permit
 52.12.53.23	permit
 52.13.214.179	permit
 52.26.1.71	permit
@@ -329,7 +330,6 @@
 62.13.144.0/21	permit
 62.13.152.0/21	permit
 62.17.146.128/26	permit
-62.179.121.0/24	permit
 62.201.172.0/27	permit
 62.201.172.32/27	permit
 62.253.227.114	permit
@@ -352,6 +352,7 @@
 64.127.115.252	permit
 64.132.88.0/23	permit
 64.132.92.0/24	permit
+64.181.194.190	permit
 64.207.219.7	permit
 64.207.219.8	permit
 64.207.219.9	permit
@@ -408,7 +409,6 @@
 65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
-66.102.0.0/21	permit
 66.119.150.192/26	permit
 66.163.184.0/24	permit
 66.163.185.0/24	permit
@@ -658,9 +658,6 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
-84.116.6.0/23	permit
-84.116.36.0/24	permit
-84.116.50.0/23	permit
 85.158.136.0/21	permit
 86.61.88.25	permit
 87.238.80.0/21	permit
@@ -701,12 +698,13 @@
 87.248.117.205	permit
 87.253.232.0/21	permit
 89.22.108.0/24	permit
+91.198.2.0/24	permit
 91.211.240.0/22	permit
-94.169.2.0/23	permit
 94.236.119.0/26	permit
 94.245.112.0/27	permit
 94.245.112.10/31	permit
 95.131.104.0/21	permit
+95.217.114.154	permit
 96.43.144.0/20	permit
 96.43.144.64/28	permit
 96.43.144.64/31	permit
@@ -1344,7 +1342,7 @@
 108.174.6.215	permit
 108.175.18.45	permit
 108.175.30.45	permit
-108.177.8.0/21	permit
+108.177.8.0/22	permit
 108.177.96.0/19	permit
 108.179.144.0/20	permit
 109.237.142.0/24	permit
@@ -1429,6 +1427,8 @@
 132.226.26.225	permit
 132.226.49.32	permit
 132.226.56.24	permit
+134.128.64.0/19	permit
+134.128.96.0/19	permit
 134.170.27.8	permit
 134.170.113.0/26	permit
 134.170.141.64/26	permit
@@ -1618,10 +1618,14 @@
 168.245.127.231	permit
 169.148.129.0/24	permit
 169.148.131.0/24	permit
+169.148.138.0/24	permit
 169.148.142.10	permit
 169.148.144.0/25	permit
 169.148.144.10	permit
 169.148.146.0/23	permit
+169.148.174.33	permit
+169.148.175.3	permit
+169.148.188.0/24	permit
 169.148.188.182	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
@@ -1662,6 +1666,8 @@
 182.50.78.64/28	permit
 183.240.219.64/29	permit
 185.4.120.0/22	permit
+185.11.253.128/27	permit
+185.11.255.0/24	permit
 185.12.80.0/22	permit
 185.28.196.0/22	permit
 185.58.84.93	permit
@@ -1672,6 +1678,8 @@
 185.138.56.128/25	permit
 185.189.236.0/22	permit
 185.211.120.0/22	permit
+185.233.188.0/23	permit
+185.233.190.0/23	permit
 185.250.236.0/22	permit
 185.250.239.148	permit
 185.250.239.168	permit
@@ -1746,6 +1754,9 @@
 193.109.254.0/23	permit
 193.122.128.100	permit
 193.123.56.63	permit
+193.142.157.0/24	permit
+193.142.157.191	permit
+193.142.157.198	permit
 194.19.134.0/25	permit
 194.64.234.129	permit
 194.97.196.0/24	permit
@@ -1865,6 +1876,8 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
+204.141.32.0/23	permit
+204.141.42.0/23	permit
 204.216.164.202	permit
 204.220.160.0/21	permit
 204.220.168.0/21	permit
@@ -2039,7 +2052,8 @@
 212.227.126.225	permit
 212.227.126.226	permit
 212.227.126.227	permit
-213.46.255.0/24	permit
+213.95.19.64/27	permit
+213.95.135.4	permit
 213.199.128.139	permit
 213.199.128.145	permit
 213.199.138.181	permit

From 7557802933e3f454acae79fcd684441695c7b376 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 5 Aug 2025 06:37:55 +0200
Subject: [PATCH 285/378] [Web] Updated lang.de-de.json (#6661)

Co-authored-by: whitehotaru <whitehotaru@posteo.net>
---
 data/web/lang/lang.de-de.json | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index df41b8946..5887499b3 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -198,8 +198,8 @@
         "f2b_retry_window": "Wiederholungen im Zeitraum von (s)",
         "f2b_whitelist": "Allowliste für Netzwerke und Hosts",
         "filter_table": "Tabelle filtern",
-        "force_sso_text": "Wenn ein externer OIDC-Provider konfiguriert ist, blendet diese Option die mailcow Loginform aus und zeigt nur den Single Sign-On-Button an.",
-        "force_sso": "mailcow Login deaktivieren und nur Single Sign-On anzeigen",
+        "force_sso_text": "Wenn ein externer OIDC-Provider konfiguriert ist, blendet diese Option die mailcow-Loginform aus und zeigt nur den Single-Sign-On-Button an.",
+        "force_sso": "mailcow-Login deaktivieren und nur Single Sign-On anzeigen",
         "forwarding_hosts": "Weiterleitungs-Hosts",
         "forwarding_hosts_add_hint": "Sie können entweder IPv4-/IPv6-Adressen, Netzwerke in CIDR-Notation, Hostnamen (die zu IP-Adressen aufgelöst werden), oder Domainnamen (die zu IP-Adressen aufgelöst werden, indem ihr SPF-Record abgefragt wird oder, in dessen Abwesenheit, ihre MX-Records) angeben.",
         "forwarding_hosts_hint": "Eingehende Nachrichten werden von den hier gelisteten Hosts bedingungslos akzeptiert. Diese Hosts werden dann nicht mit DNSBLs abgeglichen oder Greylisting unterworfen. Von ihnen empfangener Spam wird nie abgelehnt, optional kann er aber in den Spam-Ordner einsortiert werden. Die übliche Verwendung für diese Funktion ist, um Mailserver anzugeben, auf denen eine Weiterleitung zu Ihrem mailcow-Server eingerichtet wurde.",
@@ -548,7 +548,8 @@
         "yotp_verification_failed": "Yubico OTP-Verifizierung fehlgeschlagen: %s",
         "template_exists": "Vorlage %s existiert bereits",
         "template_id_invalid": "Vorlagen-ID %s ungültig",
-        "template_name_invalid": "Name der Vorlage ungültig"
+        "template_name_invalid": "Name der Vorlage ungültig",
+        "required_data_missing": "Die benötigten Daten: %s fehlen"
     },
     "datatables": {
         "collapse_all": "Alle Einklappen",
@@ -942,7 +943,7 @@
         "recipient_map_new": "Neuer Empfänger",
         "recipient_map_new_info": "Der neue Empfänger muss eine E-Mail-Adresse oder ein Domainname sein.",
         "recipient_map_old": "Original-Empfänger",
-        "recipient_map_old_info": "Der originale Empfänger muss eine E-Mail-Adresse oder ein Domainname sein.",
+        "recipient_map_old_info": "Der originäre Empfänger muss eine E-Mail-Adresse oder ein Domainname sein.",
         "recipient_maps": "Empfängerumschreibungen",
         "relay_all": "Alle Empfänger-Adressen relayen",
         "relay_unknown": "Unbekannte Mailboxen relayen",
@@ -1328,7 +1329,7 @@
         "spamfilter": "Spamfilter",
         "spamfilter_behavior": "Bewertung",
         "spamfilter_bl": "Denyliste",
-        "spamfilter_bl_desc": "Für E-Mail-Adressen, die vom Spamfilter <b>immer</b> als Spam erfasst und abgelehnt werden. Die Quarantäne-Funktion ist für diese Nachrichten deaktiviert. Die Verwendung von Wildcards ist gestattet. Ein Filter funktioniert lediglich für direkte nicht-\"Catch All\" Alias-Adressen (Alias-Adressen mit lediglich einer Mailbox als Ziel-Adresse) sowie die Mailbox-Adresse selbst.",
+        "spamfilter_bl_desc": "Für E-Mail-Adressen, die vom Spamfilter <b>immer</b> als Spam erfasst und abgelehnt werden. Die Quarantäne-Funktion ist für diese Nachrichten <b>deaktiviert</b>. Die Verwendung von Wildcards ist gestattet. Ein Filter funktioniert lediglich für direkte Nicht-„Catch-All“-Alias-Adressen (Alias-Adressen mit lediglich einer Mailbox als Ziel-Adresse) sowie die Mailbox-Adresse selbst.",
         "spamfilter_default_score": "Standardwert",
         "spamfilter_green": "Grün: Die Nachricht ist kein Spam",
         "spamfilter_hint": "Der erste Wert beschreibt den \"low spam score\", der zweite Wert den \"high spam score\".",
@@ -1340,7 +1341,7 @@
         "spamfilter_table_remove": "Entfernen",
         "spamfilter_table_rule": "Regel",
         "spamfilter_wl": "Allowliste",
-        "spamfilter_wl_desc": "Für E-Mail-Adressen, die vom Spamfilter <b>nicht</b> erfasst werden sollen. Die Verwendung von Wildcards ist gestattet. Ein Filter funktioniert lediglich für direkte nicht-\"Catch All\" Alias-Adressen (Alias-Adressen mit lediglich einer Mailbox als Ziel-Adresse) sowie die Mailbox-Adresse selbst.",
+        "spamfilter_wl_desc": "Für E-Mail-Adressen, die vom Spamfilter <b>nicht</b> erfasst werden sollen. Die Verwendung von Wildcards ist gestattet. Ein Filter funktioniert lediglich für direkte Nicht-„Catch-All“-Alias-Adressen (Alias-Adressen mit lediglich einer Mailbox als Ziel-Adresse) sowie die Mailbox-Adresse selbst.",
         "spamfilter_yellow": "Gelb: Die Nachricht ist vielleicht Spam, wird als Spam markiert und in den Junk-Ordner verschoben",
         "status": "Status",
         "sync_jobs": "Sync Jobs",

From 360fe0349734098bd9da75841c8cd221fbf8c32f Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Tue, 5 Aug 2025 16:01:47 +0200
Subject: [PATCH 286/378] sogo: update to 5.12.3

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index f447dea4a..02ca8f9a2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -200,7 +200,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: ghcr.io/mailcow/sogo:1.133
+      image: ghcr.io/mailcow/sogo:1.134
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From 69420113f74bacf3264fd5bbb5c93202e4f43be8 Mon Sep 17 00:00:00 2001
From: Markus Machatschek <markus.machatschek@hey.com>
Date: Wed, 6 Aug 2025 08:33:11 +0200
Subject: [PATCH 287/378] rspamd: update rspamd to 3.12.1 (#6643)

* rspamd: update rspamd to 3.12.1

* compose: correct rspamd tag + pushed image

---------

Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 data/Dockerfiles/rspamd/Dockerfile | 2 +-
 docker-compose.yml                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile
index 68b38d3a7..e46981aa4 100644
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:bookworm-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG RSPAMD_VER=rspamd_3.11.1-1~ab0b44951
+ARG RSPAMD_VER=rspamd_3.12.1-1~6dbfca2fa
 ARG CODENAME=bookworm
 ENV LC_ALL=C
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 02ca8f9a2..e6b5dc20d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -84,7 +84,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: ghcr.io/mailcow/rspamd:2.2
+      image: ghcr.io/mailcow/rspamd:2.3
       stop_grace_period: 30s
       depends_on:
         - dovecot-mailcow

From 1fc36263dce6312b0b7e403089d3880411cb1e1a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 6 Aug 2025 08:33:41 +0200
Subject: [PATCH 288/378] chore(deps): update dependency krakjoe/apcu to
 v5.1.26 (#6656)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 data/Dockerfiles/phpfpm/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index ff333f5b3..6d0cfdd36 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -3,7 +3,7 @@ FROM php:8.2-fpm-alpine3.21
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG APCU_PECL_VERSION=5.1.24
+ARG APCU_PECL_VERSION=5.1.26
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG IMAGICK_PECL_VERSION=3.8.0
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$

From 728fcdb37537eab42bd7f00da30ec35f3a2f1805 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 6 Aug 2025 08:34:30 +0200
Subject: [PATCH 289/378] Update dependency tianon/gosu to v1.17 (#6640)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 data/Dockerfiles/dovecot/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index 9e49d88cc..10e141ab8 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.21
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
-ARG GOSU_VERSION=1.16
+ARG GOSU_VERSION=1.17
 
 ENV LANG=C.UTF-8
 ENV LC_ALL=C.UTF-8

From 14d58c8163b2b8d210e08adc1d1b32e294f6ebcc Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 6 Aug 2025 08:34:53 +0200
Subject: [PATCH 290/378] Update dependency phpredis/phpredis to v6.2.0 (#6639)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 data/Dockerfiles/phpfpm/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index 6d0cfdd36..483b90fcb 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -11,7 +11,7 @@ ARG MAILPARSE_PECL_VERSION=3.1.8
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG MEMCACHED_PECL_VERSION=3.2.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG REDIS_PECL_VERSION=6.1.0
+ARG REDIS_PECL_VERSION=6.2.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG COMPOSER_VERSION=2.8.6
 

From 3803b5d3513ed64177bcef067b768408dab10fc2 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 6 Aug 2025 08:35:14 +0200
Subject: [PATCH 291/378] Update dependency php-memcached-dev/php-memcached to
 v3.3.0 (#6638)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 data/Dockerfiles/phpfpm/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index 483b90fcb..e7b43790b 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -9,7 +9,7 @@ ARG IMAGICK_PECL_VERSION=3.8.0
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG MAILPARSE_PECL_VERSION=3.1.8
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MEMCACHED_PECL_VERSION=3.2.0
+ARG MEMCACHED_PECL_VERSION=3.3.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG REDIS_PECL_VERSION=6.2.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$

From 88bf9b02e112bced1d37c69a885d8dbad4cd657a Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 6 Aug 2025 08:36:40 +0200
Subject: [PATCH 292/378] core: modules splitting + ipv6 nat rewrite (#6634)

* ipv6: added ipv6 detection + removed ip6 nat container

* nginx: renamed DISABLE_IPv6 to ENABLE_IPV6 to align

* initial commit for script overhauls

* rewrite to scripts after testing (improved error handling)

* fixed missing fi in update.sh

* fixed/added comments for modules

* fix broken EXIT_CODE var handling

* added jq as dependancy

* fixed docker version check for daemon

* improved _modules handling while running

* reintegrated module loading (update.sh)

* added error handling for blank daemon.json

* adapted removal of ACME_CONTACT for nightly

* move detect_major_update func to core submodule

* removed unnecessary message on every call of function

* Update _modules/scripts/new_options.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update _modules/scripts/core.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* improve ENABLE_IPV6 check in nginx bootstrap

* improve detection of ENABLE_IPV6

* ip6_controller: moved docker major detection upwards

* Update _modules/scripts/new_options.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update _modules/scripts/new_options.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* reuse DOCKER_MAJOR Variable in ip6_controller

* fix some smaller typos in update.sh

* smaller bugfixes in submodules

* completely remove ACME_CONTACT Variable

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 _modules/scripts/core.sh            |  223 +++++
 _modules/scripts/ipv6_controller.sh |  168 ++++
 _modules/scripts/migrate_options.sh |   96 +++
 _modules/scripts/new_options.sh     |  299 +++++++
 data/Dockerfiles/nginx/bootstrap.py |    4 +-
 docker-compose.yml                  |   35 +-
 generate_config.sh                  |  104 +--
 update.sh                           | 1227 ++-------------------------
 8 files changed, 869 insertions(+), 1287 deletions(-)
 create mode 100644 _modules/scripts/core.sh
 create mode 100644 _modules/scripts/ipv6_controller.sh
 create mode 100644 _modules/scripts/migrate_options.sh
 create mode 100644 _modules/scripts/new_options.sh

diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh
new file mode 100644
index 000000000..42133aa6b
--- /dev/null
+++ b/_modules/scripts/core.sh
@@ -0,0 +1,223 @@
+#!/usr/bin/env bash
+# _modules/scripts/core.sh
+# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
+# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
+
+# ANSI color for red errors
+RED='\e[31m'
+GREEN='\e[32m'
+YELLOW='\e[33m'
+BLUE='\e[34m'
+MAGENTA='\e[35m'
+LIGHT_RED='\e[91m'
+LIGHT_GREEN='\e[92m'
+NC='\e[0m'
+
+caller="${BASH_SOURCE[1]##*/}"
+
+get_installed_tools(){
+    for bin in openssl curl docker git awk sha1sum grep cut jq; do
+        if [[ -z $(command -v ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
+    done
+
+    if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"${NC}"; exit 1; fi
+    # This will also cover sort
+    if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\"${NC}"; exit 1; fi
+    if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\"${NC}"; exit 1; fi
+}
+
+get_docker_version(){
+    # Check Docker Version (need at least 24.X)
+    docker_version=$(docker version --format '{{.Server.Version}}' | cut -d '.' -f 1)
+}
+
+get_compose_type(){
+    if docker compose > /dev/null 2>&1; then
+        if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then
+            COMPOSE_VERSION=native
+            COMPOSE_COMMAND="docker compose"
+            if [[ "$caller" == "update.sh" ]]; then
+                sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf"
+            fi
+            echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m"
+            echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m"
+            sleep 2
+            echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m"
+        else
+            echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
+            echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
+            exit 1
+        fi
+    elif docker-compose > /dev/null 2>&1; then
+    if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then
+        if docker-compose version --short | grep "^2." > /dev/null 2>&1; then
+            COMPOSE_VERSION=standalone
+            COMPOSE_COMMAND="docker-compose"
+            if [[ "$caller" == "update.sh" ]]; then
+                sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf"
+            fi
+            echo -e "\e[33mFound Docker Compose Standalone.\e[0m"
+            echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m"
+            sleep 2
+            echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m"
+        else
+            echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
+            echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
+            exit 1
+        fi
+    fi
+    else
+        echo -e "\e[31mCannot find Docker Compose.\e[0m"
+        echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
+        exit 1
+    fi
+}
+
+detect_bad_asn() {
+  echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m"
+  response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
+  if [ "$response" -eq 503 ]; then
+    if [ -z "$SPAMHAUS_DQS_KEY" ]; then
+      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
+      echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m"
+      sleep 2
+      echo ""
+      echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m"
+      echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m"
+      echo ""
+      sleep 2
+    else
+      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
+      echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m"
+    fi
+  elif [ "$response" -eq 200 ]; then
+    echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m"
+  elif [ "$response" -eq 429 ]; then
+    echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m"
+  else
+    echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m"
+  fi
+}
+
+check_online_status() {
+  CHECK_ONLINE_DOMAINS=('https://github.com' 'https://hub.docker.com')
+  for domain in "${CHECK_ONLINE_DOMAINS[@]}"; do
+    if timeout 6 curl --head --silent --output /dev/null ${domain}; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+prefetch_images() {
+  [[ -z ${BRANCH} ]] && { echo -e "\e[33m\nUnknown branch...\e[0m"; exit 1; }
+  git fetch origin #${BRANCH}
+  while read image; do
+    RET_C=0
+    until docker pull "${image}"; do
+      RET_C=$((RET_C + 1))
+      echo -e "\e[33m\nError pulling $image, retrying...\e[0m"
+      [ ${RET_C} -gt 3 ] && { echo -e "\e[31m\nToo many failed retries, exiting\e[0m"; exit 1; }
+      sleep 1
+    done
+  done < <(git show "origin/${BRANCH}:docker-compose.yml" | grep "image:" | awk '{ gsub("image:","", $3); print $2 }')
+}
+
+docker_garbage() {
+  SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../.." && pwd )"
+  IMGS_TO_DELETE=()
+
+  declare -A IMAGES_INFO
+  COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml"))
+
+  for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do
+      ID=$(echo "$existing_image" | cut -d ':' -f 1)
+      REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2)
+      TAG=$(echo "$existing_image" | cut -d ':' -f 3)
+
+      if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then
+          if [[ "$TAG" != "<none>" ]]; then
+              continue
+          fi
+      fi
+
+      if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then
+          continue
+      else
+          IMGS_TO_DELETE+=("$ID")
+          IMAGES_INFO["$ID"]="$REPOSITORY:$TAG"
+      fi
+  done
+
+  if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then
+      echo "The following unused mailcow images were found:"
+      for id in "${IMGS_TO_DELETE[@]}"; do
+          echo "    ${IMAGES_INFO[$id]} ($id)"
+      done
+
+      if [ -z "$FORCE" ]; then
+          read -r -p "Do you want to delete them to free up some space? [y/N] " response
+          if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+              docker rmi ${IMGS_TO_DELETE[*]}
+          else
+              echo "OK, skipped."
+          fi
+      else
+          echo "Running in forced mode! Force removing old mailcow images..."
+          docker rmi ${IMGS_TO_DELETE[*]}
+      fi
+      echo -e "\e[32mFurther cleanup...\e[0m"
+      echo "If you want to cleanup further garbage collected by Docker, please make sure all containers are up and running before cleaning your system by executing \"docker system prune\""
+  fi
+}
+
+in_array() {
+  local e match="$1"
+  shift
+  for e; do [[ "$e" == "$match" ]] && return 0; done
+  return 1
+}
+
+detect_major_update() {
+  if [ ${BRANCH} == "master" ]; then
+    # Array with major versions
+    # Add major versions here
+    MAJOR_VERSIONS=(
+      "2025-02"
+      "2025-03"
+    )
+
+    current_version=""
+    if [[ -f "${SCRIPT_DIR}/data/web/inc/app_info.inc.php" ]]; then
+      current_version=$(grep 'MAILCOW_GIT_VERSION' ${SCRIPT_DIR}/data/web/inc/app_info.inc.php | sed -E 's/.*MAILCOW_GIT_VERSION="([^"]+)".*/\1/')
+    fi
+    if [[ -z "$current_version" ]]; then
+      return 1
+    fi
+    release_url="https://github.com/mailcow/mailcow-dockerized/releases/tag"
+
+    updates_to_apply=()
+
+    for version in "${MAJOR_VERSIONS[@]}"; do
+      if [[ "$current_version" < "$version" ]]; then
+        updates_to_apply+=("$version")
+      fi
+    done
+
+    if [[ ${#updates_to_apply[@]} -gt 0 ]]; then
+      echo -e "\e[33m\nMAJOR UPDATES to be applied:\e[0m"
+      for update in "${updates_to_apply[@]}"; do
+        echo "$update - $release_url/$update"
+      done
+
+      echo -e "\nPlease read the release notes before proceeding."
+      read -p "Do you want to proceed with the update? [y/n] " response
+      if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+        echo "Proceeding with the update..."
+      else
+        echo "Update canceled. Exiting."
+        exit 1
+      fi
+    fi
+  fi
+}
\ No newline at end of file
diff --git a/_modules/scripts/ipv6_controller.sh b/_modules/scripts/ipv6_controller.sh
new file mode 100644
index 000000000..7fe7d3cbd
--- /dev/null
+++ b/_modules/scripts/ipv6_controller.sh
@@ -0,0 +1,168 @@
+#!/usr/bin/env bash
+# _modules/scripts/ipv6_controller.sh
+# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
+# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
+
+# 1) Check if the host supports IPv6
+get_ipv6_support() {
+  if grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null \
+    || ! ip -6 route show default &>/dev/null; then
+    DETECTED_IPV6=false
+    echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+  else
+    DETECTED_IPV6=true
+    echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+  fi
+}
+
+# 2) Ensure Docker daemon.json has (or create) the required IPv6 settings
+docker_daemon_edit(){
+  DOCKER_DAEMON_CONFIG="/etc/docker/daemon.json"
+  DOCKER_MAJOR=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1)
+  MISSING=()
+
+  _has_kv() { grep -Eq "\"$1\"\s*:\s*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; }
+
+  if [[ -f "$DOCKER_DAEMON_CONFIG" ]]; then
+
+    # reject empty or whitespace-only file immediately
+    if [[ ! -s "$DOCKER_DAEMON_CONFIG" ]] || ! grep -Eq '[{}]' "$DOCKER_DAEMON_CONFIG"; then
+      echo -e "${RED}ERROR: $DOCKER_DAEMON_CONFIG exists but is empty or contains no JSON braces – please initialize it with valid JSON (e.g. {}).${NC}"
+      exit 1
+    fi
+
+    # Validate JSON if jq is present
+    if command -v jq &>/dev/null && ! jq empty "$DOCKER_DAEMON_CONFIG" &>/dev/null; then
+      echo -e "${RED}ERROR: Invalid JSON in $DOCKER_DAEMON_CONFIG – please correct manually.${NC}"
+      exit 1
+    fi
+
+    # Gather missing keys
+    ! _has_kv ipv6 true       && MISSING+=("ipv6: true")
+    ! grep -Eq '"fixed-cidr-v6"\s*:\s*".+"' "$DOCKER_DAEMON_CONFIG" \
+                              && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
+    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -ge 27 ]]; then
+      _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true")
+      ! _has_kv experimental true                 && MISSING+=("experimental: true")
+    fi
+
+    # Fix if needed
+    if ((${#MISSING[@]}>0)); then
+      echo -e "${MAGENTA}Your daemon.json is missing: ${YELLOW}${MISSING[*]}${NC}"
+      if [[ -n "$FORCE" ]]; then
+        ans=Y
+      else
+        read -p "Would you like to update $DOCKER_DAEMON_CONFIG now? [Y/n] " ans
+        ans=${ans:-Y}
+      fi
+
+      if [[ $ans =~ ^[Yy]$ ]]; then
+        cp "$DOCKER_DAEMON_CONFIG" "${DOCKER_DAEMON_CONFIG}.bak"
+        if command -v jq &>/dev/null; then
+          TMP=$(mktemp)
+          JQ_FILTER='.ipv6 = true | .["fixed-cidr-v6"] = "fd00:dead:beef:c0::/80"'
+          [[ "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]] \
+            && JQ_FILTER+=' | .ip6tables = true | .experimental = true'
+          jq "$JQ_FILTER" "$DOCKER_DAEMON_CONFIG" >"$TMP" && mv "$TMP" "$DOCKER_DAEMON_CONFIG"
+          echo -e "${LIGHT_GREEN}daemon.json updated. Restarting Docker...${NC}"
+          (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart
+          echo -e "${YELLOW}Docker restarted.${NC}"
+        else
+          echo -e "${RED}Please install jq or manually update daemon.json and restart Docker.${NC}"
+          exit 1
+        fi
+      else
+        echo -e "${YELLOW}User declined Docker update – please insert these changes manually:${NC}"
+        echo "${MISSING[*]}"
+        exit 1
+      fi
+    fi
+
+  else
+    # Create new daemon.json if missing
+    if [[ -n "$FORCE" ]]; then
+      ans=Y
+    else
+      read -p "$DOCKER_DAEMON_CONFIG not found. Create it with IPv6 settings? [Y/n] " ans
+      ans=${ans:-Y}
+    fi
+
+    if [[ $ans =~ ^[Yy]$ ]]; then
+      if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
+        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
+{
+  "ipv6": true,
+  "fixed-cidr-v6": "fd00:dead:beef:c0::/80",
+  "ip6tables": true,
+  "experimental": true
+}
+EOF
+      else
+        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
+{
+  "ipv6": true,
+  "fixed-cidr-v6": "fd00:dead:beef:c0::/80"
+}
+EOF
+      fi
+      echo -e "${GREEN}Created $DOCKER_DAEMON_CONFIG with IPv6 settings.${NC}"
+      echo "Restarting Docker..."
+      (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart
+      echo "Docker restarted."
+    else
+      echo "User declined to create daemon.json – please manually merge the docker daemon with these configs:"
+      echo "${MISSING[*]}"
+      exit 1
+    fi
+  fi
+}
+
+# 3) Main wrapper for generate_config.sh and update.sh
+configure_ipv6() {
+  # detect manual override if mailcow.conf is present
+  if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]] && grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
+    MANUAL_SETTING=$(grep '^ENABLE_IPV6=' "$MAILCOW_CONF" | cut -d= -f2)
+  elif [[ -z "$MAILCOW_CONF" ]] && [[ ! -z "${ENABLE_IPV6:-}" ]]; then
+    MANUAL_SETTING="$ENABLE_IPV6"
+  else
+    MANUAL_SETTING=""
+  fi
+
+  get_ipv6_support
+
+  # if user manually set it, check for mismatch
+  if [[ -n "$MANUAL_SETTING" ]]; then
+    if [[ "$MANUAL_SETTING" == "false" && "$DETECTED_IPV6" == "true" ]]; then
+      echo -e "${RED}ERROR: You have ENABLE_IPV6=false but your host and Docker support IPv6.${NC}"
+      echo -e "${RED}This can create an open relay. Please set ENABLE_IPV6=true in your mailcow.conf and re-run.${NC}"
+      exit 1
+    elif [[ "$MANUAL_SETTING" == "true" && "$DETECTED_IPV6" == "false" ]]; then
+      echo -e "${RED}ERROR: You have ENABLE_IPV6=true but your host does not support IPv6.${NC}"
+      echo -e "${RED}Please disable or fix your host/Docker IPv6 support, or set ENABLE_IPV6=false.${NC}"
+      exit 1
+    else
+      return
+    fi
+  fi
+
+  # no manual override: proceed to set or export
+  if [[ "$DETECTED_IPV6" == "true" ]]; then
+    docker_daemon_edit
+  else
+    echo "Skipping Docker IPv6 configuration because host does not support IPv6."
+  fi
+
+  # now write into mailcow.conf or export
+  if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
+    LINE="ENABLE_IPV6=$DETECTED_IPV6"
+    if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
+      sed -i "s/^ENABLE_IPV6=.*/$LINE/" "$MAILCOW_CONF"
+    else
+      echo "$LINE" >> "$MAILCOW_CONF"
+    fi
+  else
+    export IPV6_BOOL="$DETECTED_IPV6"
+  fi
+
+  echo "IPv6 configuration complete: ENABLE_IPV6=$DETECTED_IPV6"
+}
\ No newline at end of file
diff --git a/_modules/scripts/migrate_options.sh b/_modules/scripts/migrate_options.sh
new file mode 100644
index 000000000..6a584b9f7
--- /dev/null
+++ b/_modules/scripts/migrate_options.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+# _modules/scripts/migrate_options.sh
+# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
+# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
+
+migrate_config_options() {
+
+  sed -i --follow-symlinks '$a\' mailcow.conf
+
+  KEYS=(
+    SOLR_HEAP
+    SKIP_SOLR
+    SOLR_PORT
+    FLATCURVE_EXPERIMENTAL
+    DISABLE_IPv6
+    ACME_CONTACT
+  )
+
+  for key in "${KEYS[@]}"; do
+    if grep -q "${key}" mailcow.conf; then
+      case "${key}" in
+        SOLR_HEAP)
+          echo "Removing ${key} in mailcow.conf"
+          sed -i '/# Solr heap size in MB\b/d' mailcow.conf
+          sed -i '/# Solr is a prone to run\b/d' mailcow.conf
+          sed -i '/SOLR_HEAP\b/d' mailcow.conf
+          ;;
+        SKIP_SOLR)
+          echo "Removing ${key} in mailcow.conf"
+          sed -i '/\bSkip Solr on low-memory\b/d' mailcow.conf
+          sed -i '/\bSolr is disabled by default\b/d' mailcow.conf
+          sed -i '/\bDisable Solr or\b/d' mailcow.conf
+          sed -i '/\bSKIP_SOLR\b/d' mailcow.conf
+          ;;
+        SOLR_PORT)
+          echo "Removing ${key} in mailcow.conf"
+          sed -i '/\bSOLR_PORT\b/d' mailcow.conf
+          ;;
+        FLATCURVE_EXPERIMENTAL)
+          echo "Removing ${key} in mailcow.conf"
+          sed -i '/\bFLATCURVE_EXPERIMENTAL\b/d' mailcow.conf
+          ;;
+        DISABLE_IPv6)
+          echo "Migrating ${key} to ENABLE_IPv6 in mailcow.conf"
+          local old=$(grep '^DISABLE_IPv6=' "mailcow.conf" | cut -d'=' -f2)
+          local new
+          if [[ "$old" == "y" ]]; then
+            new="false"
+          else
+            new="true"
+          fi
+          sed -i '/^DISABLE_IPv6=/d' "mailcow.conf"
+          echo "ENABLE_IPV6=$new" >> "mailcow.conf"
+          ;;
+        ACME_CONTACT)
+          echo "Deleting obsoleted ${key} in mailcow.conf"
+          sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf
+          sed -i '/^# Optional: Leave empty for none/d' mailcow.conf
+          sed -i '/^# This value is only used on first order!/d' mailcow.conf
+          sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf
+          sed -i '/^# https:\/\/docs.mailcow.email\/troubleshooting\/debug-reset_tls\//d' mailcow.conf
+          sed -i '/^ACME_CONTACT=.*/d' mailcow.conf
+          sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf
+          ;;
+      esac
+    fi
+  done
+
+  solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1)
+  if [[ -n $solr_volume ]]; then
+    echo -e "\e[34mSolr has been replaced within mailcow since 2025-01.\nThe volume $solr_volume is unused.\e[0m"
+    sleep 1
+    if [ ! "$FORCE" ]; then
+      read -r -p "Remove $solr_volume? [y/N] " response
+      if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+        echo -e "\e[33mRemoving $solr_volume...\e[0m"
+        docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m"
+        echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m"
+      else
+        echo -e "Not removing $solr_volume. Run \`docker volume rm $solr_volume\` manually if needed."
+      fi
+    else
+      echo -e "\e[33mForce removing $solr_volume...\e[0m"
+      docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m"
+      echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m"
+    fi
+  fi
+
+  # Delete old fts.conf before forced switch to flatcurve to ensure update is working properly
+  FTS_CONF_PATH="${SCRIPT_DIR}/data/conf/dovecot/conf.d/fts.conf"
+  if [[ -f "$FTS_CONF_PATH" ]]; then
+    if grep -q "Autogenerated by mailcow" "$FTS_CONF_PATH"; then
+      rm -rf $FTS_CONF_PATH
+    fi
+  fi
+}
\ No newline at end of file
diff --git a/_modules/scripts/new_options.sh b/_modules/scripts/new_options.sh
new file mode 100644
index 000000000..a3f47dc61
--- /dev/null
+++ b/_modules/scripts/new_options.sh
@@ -0,0 +1,299 @@
+#!/usr/bin/env bash
+# _modules/scripts/new_options.sh
+# THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
+# DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
+
+adapt_new_options() {
+
+  CONFIG_ARRAY=(
+  "AUTODISCOVER_SAN"
+  "SKIP_LETS_ENCRYPT"
+  "SKIP_SOGO"
+  "USE_WATCHDOG"
+  "WATCHDOG_NOTIFY_EMAIL"
+  "WATCHDOG_NOTIFY_WEBHOOK"
+  "WATCHDOG_NOTIFY_WEBHOOK_BODY"
+  "WATCHDOG_NOTIFY_BAN"
+  "WATCHDOG_NOTIFY_START"
+  "WATCHDOG_EXTERNAL_CHECKS"
+  "WATCHDOG_SUBJECT"
+  "SKIP_CLAMD"
+  "SKIP_OLEFY"
+  "SKIP_IP_CHECK"
+  "ADDITIONAL_SAN"
+  "DOVEADM_PORT"
+  "IPV4_NETWORK"
+  "IPV6_NETWORK"
+  "LOG_LINES"
+  "SNAT_TO_SOURCE"
+  "SNAT6_TO_SOURCE"
+  "COMPOSE_PROJECT_NAME"
+  "DOCKER_COMPOSE_VERSION"
+  "SQL_PORT"
+  "API_KEY"
+  "API_KEY_READ_ONLY"
+  "API_ALLOW_FROM"
+  "MAILDIR_GC_TIME"
+  "MAILDIR_SUB"
+  "ACL_ANYONE"
+  "FTS_HEAP"
+  "FTS_PROCS"
+  "SKIP_FTS"
+  "ENABLE_SSL_SNI"
+  "ALLOW_ADMIN_EMAIL_LOGIN"
+  "SKIP_HTTP_VERIFICATION"
+  "SOGO_EXPIRE_SESSION"
+  "REDIS_PORT"
+  "REDISPASS"
+  "DOVECOT_MASTER_USER"
+  "DOVECOT_MASTER_PASS"
+  "MAILCOW_PASS_SCHEME"
+  "ADDITIONAL_SERVER_NAMES"
+  "WATCHDOG_VERBOSE"
+  "WEBAUTHN_ONLY_TRUSTED_VENDORS"
+  "SPAMHAUS_DQS_KEY"
+  "SKIP_UNBOUND_HEALTHCHECK"
+  "DISABLE_NETFILTER_ISOLATION_RULE"
+  "HTTP_REDIRECT"
+  "ENABLE_IPV6"
+  )
+
+  sed -i --follow-symlinks '$a\' mailcow.conf
+  for option in ${CONFIG_ARRAY[@]}; do
+    if grep -q "${option}" mailcow.conf; then
+      continue
+    fi
+
+    echo "Adding new option \"${option}\" to mailcow.conf"
+
+    case "${option}" in
+        AUTODISCOVER_SAN)
+            echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf
+            echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf
+            echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf
+            echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf
+            echo '# in the reverse proxy.' >> mailcow.conf
+            echo 'AUTODISCOVER_SAN=y' >> mailcow.conf
+            ;;
+
+        DOCKER_COMPOSE_VERSION)
+            echo "# Used Docker Compose version" >> mailcow.conf
+            echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf
+            echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf
+            echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf
+            echo "# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail." >> mailcow.conf
+            echo "" >> mailcow.conf
+            echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf
+            ;;
+
+        DOVEADM_PORT)
+            echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
+            ;;
+
+        LOG_LINES)
+            echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
+            echo "LOG_LINES=9999" >> mailcow.conf
+            ;;
+        
+        IPV4_NETWORK)
+            echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
+            echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
+            ;;
+        IPV6_NETWORK)
+            echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf
+            echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf
+            ;;
+        SQL_PORT)
+            echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf
+            echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf
+            ;;
+        API_KEY)
+            echo '# Create or override API key for web UI' >> mailcow.conf
+            echo "#API_KEY=" >> mailcow.conf
+            ;;
+        API_KEY_READ_ONLY)
+            echo '# Create or override read-only API key for web UI' >> mailcow.conf
+            echo "#API_KEY_READ_ONLY=" >> mailcow.conf
+            ;;
+        API_ALLOW_FROM)
+            echo '# Must be set for API_KEY to be active' >> mailcow.conf
+            echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf
+            echo "#API_ALLOW_FROM=" >> mailcow.conf
+            ;;
+        SNAT_TO_SOURCE)
+            echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf
+            echo "#SNAT_TO_SOURCE=" >> mailcow.conf
+            ;;
+        SNAT6_TO_SOURCE)
+            echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf
+            echo "#SNAT6_TO_SOURCE=" >> mailcow.conf
+            ;;
+        MAILDIR_GC_TIME)
+            echo '# Garbage collector cleanup' >> mailcow.conf
+            echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf
+            echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf
+            echo '# Check interval is hourly' >> mailcow.conf
+            echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf
+            ;;
+        ACL_ANYONE)
+            echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf
+            echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf
+            echo '# This should probably only be activated on mail hosts, that are used exclusively by one organisation.' >> mailcow.conf
+            echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf
+            echo 'ACL_ANYONE=disallow' >> mailcow.conf
+            ;;
+        FTS_HEAP)
+            echo '# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.' >> mailcow.conf
+            echo '# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.' >> mailcow.conf
+            echo '# Please always monitor your Resource consumption!' >> mailcow.conf
+            echo "FTS_HEAP=128" >> mailcow.conf
+            ;;
+        SKIP_FTS)
+            echo '# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.' >> mailcow.conf
+            echo "# Dovecot inside mailcow use Flatcurve as FTS Backend." >> mailcow.conf
+            echo "SKIP_FTS=y" >> mailcow.conf
+            ;;
+        FTS_PROCS)
+            echo '# Controls how many processes the Dovecot indexing process can spawn at max.' >> mailcow.conf
+            echo '# Too many indexing processes can use a lot of CPU and Disk I/O' >> mailcow.conf
+            echo '# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations' >> mailcow.conf
+            echo "FTS_PROCS=1" >> mailcow.conf
+            ;;
+        ENABLE_SSL_SNI)
+            echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf
+            echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf
+            echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf
+            echo "ENABLE_SSL_SNI=n" >> mailcow.conf
+            ;;
+        SKIP_SOGO)
+            echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf
+            echo "SKIP_SOGO=n" >> mailcow.conf
+            ;;
+        MAILDIR_SUB)
+            echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf
+            echo "#MAILDIR_SUB=Maildir" >> mailcow.conf
+            echo "MAILDIR_SUB=" >> mailcow.conf
+            ;;
+        WATCHDOG_NOTIFY_WEBHOOK)
+            echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf
+            echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf
+            echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf
+            ;;
+        WATCHDOG_NOTIFY_WEBHOOK_BODY)
+            echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf
+            echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf
+            WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
+            echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf
+            ;;
+        WATCHDOG_NOTIFY_BAN)
+            echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf
+            echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf
+            ;;
+        WATCHDOG_NOTIFY_START)
+            echo '# Send a notification when the watchdog is started.' >> mailcow.conf
+            echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf
+            ;;
+        WATCHDOG_SUBJECT)
+            echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf
+            echo "#WATCHDOG_SUBJECT=" >> mailcow.conf
+            ;;
+        WATCHDOG_EXTERNAL_CHECKS)
+            echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf
+            echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf
+            echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf
+            echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf
+            ;;
+        SOGO_EXPIRE_SESSION)
+            echo '# SOGo session timeout in minutes' >> mailcow.conf
+            echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf
+            ;;
+        REDIS_PORT)
+            echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf
+            ;;
+        DOVECOT_MASTER_USER)
+            echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf
+            echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf
+            echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf
+            echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
+            echo "DOVECOT_MASTER_USER=" >> mailcow.conf
+            ;;
+        DOVECOT_MASTER_PASS)
+            echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
+            echo "DOVECOT_MASTER_PASS=" >> mailcow.conf
+            ;;
+        MAILCOW_PASS_SCHEME)
+            echo '# Password hash algorithm' >> mailcow.conf
+            echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf
+            echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf
+            echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf
+            ;;
+        ADDITIONAL_SERVER_NAMES)
+            echo '# Additional server names for mailcow UI' >> mailcow.conf
+            echo '#' >> mailcow.conf
+            echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf
+            echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf
+            echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf
+            echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf
+            echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
+            echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
+            ;;
+        WEBAUTHN_ONLY_TRUSTED_VENDORS)
+            echo "# WebAuthn device manufacturer verification" >> mailcow.conf
+            echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf
+            echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
+            echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf
+            ;;
+        SPAMHAUS_DQS_KEY)
+            echo "# Spamhaus Data Query Service Key" >> mailcow.conf
+            echo '# Optional: Leave empty for none' >> mailcow.conf
+            echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf
+            echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf
+            echo '# Otherwise it will work as usual.' >> mailcow.conf
+            echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf
+            ;;
+        WATCHDOG_VERBOSE)
+            echo '# Enable watchdog verbose logging' >> mailcow.conf
+            echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf
+            ;;
+        SKIP_UNBOUND_HEALTHCHECK)
+            echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf
+            echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf
+            ;;
+        DISABLE_NETFILTER_ISOLATION_RULE)
+            echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf
+            echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf
+            echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf
+            ;;
+        HTTP_REDIRECT)
+            echo '# Redirect HTTP connections to HTTPS - y/n' >> mailcow.conf
+            echo 'HTTP_REDIRECT=n' >> mailcow.conf
+            ;;
+        ENABLE_IPV6)
+            echo '# IPv6 Controller Section' >> mailcow.conf
+            echo '# This variable controls the usage of IPv6 within mailcow.' >> mailcow.conf
+            echo '# Can either be true or false | Defaults to true' >> mailcow.conf
+            echo '# WARNING: MAKE SURE TO PROPERLY CONFIGURE IPv6 ON YOUR HOST FIRST BEFORE ENABLING THIS AS FAULTY CONFIGURATIONS CAN LEAD TO OPEN RELAYS!' >> mailcow.conf
+            echo '# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS.' >> mailcow.conf
+            echo ENABLE_IPV6=${IPV6_BOOL} >> mailcow.conf
+            ;;
+    
+        SKIP_CLAMD)
+            echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf
+            echo 'SKIP_CLAMD=n' >> mailcow.conf
+            ;;
+
+        SKIP_OLEFY)
+            echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf
+            echo 'SKIP_OLEFY=n' >> mailcow.conf
+            ;;
+        
+        REDISPASS)
+            echo "REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 28)" >> mailcow.conf
+            ;;
+                  
+        *)
+            echo "${option}=" >> mailcow.conf
+            ;;
+    esac
+  done
+}
\ No newline at end of file
diff --git a/data/Dockerfiles/nginx/bootstrap.py b/data/Dockerfiles/nginx/bootstrap.py
index 11e6fc202..d2d01c0b9 100644
--- a/data/Dockerfiles/nginx/bootstrap.py
+++ b/data/Dockerfiles/nginx/bootstrap.py
@@ -10,7 +10,7 @@ def includes_conf(env, template_vars):
   server_name_config = f"server_name {template_vars['MAILCOW_HOSTNAME']} autodiscover.* autoconfig.* {' '.join(template_vars['ADDITIONAL_SERVER_NAMES'])};"
   listen_plain_config = f"listen {template_vars['HTTP_PORT']};"
   listen_ssl_config = f"listen {template_vars['HTTPS_PORT']};"
-  if not template_vars['DISABLE_IPv6']:
+  if not template_vars['ENABLE_IPV6']:
     listen_plain_config += f"\nlisten [::]:{template_vars['HTTP_PORT']};"
     listen_ssl_config += f"\nlisten [::]:{template_vars['HTTPS_PORT']} ssl;"
   listen_ssl_config += "\nhttp2 on;"
@@ -58,7 +58,7 @@ def prepare_template_vars():
     'SOGOHOST': os.getenv("SOGOHOST", ipv4_network + ".248"),
     'RSPAMDHOST': os.getenv("RSPAMDHOST", "rspamd-mailcow"),
     'PHPFPMHOST': os.getenv("PHPFPMHOST", "php-fpm-mailcow"),
-    'DISABLE_IPv6': os.getenv("DISABLE_IPv6", "n").lower() in ("y", "yes"),
+    'ENABLE_IPV6': os.getenv("ENABLE_IPV6", "true").lower() != "false",
     'HTTP_REDIRECT': os.getenv("HTTP_REDIRECT", "n").lower() in ("y", "yes"),
   }
 
diff --git a/docker-compose.yml b/docker-compose.yml
index e6b5dc20d..c55158dbb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -394,7 +394,7 @@ services:
         - php-fpm-mailcow
         - sogo-mailcow
         - rspamd-mailcow
-      image: ghcr.io/mailcow/nginx:1.03
+      image: ghcr.io/mailcow/nginx:1.04
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
@@ -405,7 +405,7 @@ services:
         - TZ=${TZ}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - SKIP_RSPAMD=${SKIP_RSPAMD:-n}
-        - DISABLE_IPv6=${DISABLE_IPv6:-n}
+        - ENABLE_IPV6=${ENABLE_IPV6:-true}
         - HTTP_REDIRECT=${HTTP_REDIRECT:-n}
         - PHPFPMHOST=${PHPFPMHOST:-}
         - SOGOHOST=${SOGOHOST:-}
@@ -629,41 +629,12 @@ services:
           aliases:
             - ofelia
 
-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
     driver_opts:
       com.docker.network.bridge.name: br-mailcow
-    enable_ipv6: true
+    enable_ipv6: ${ENABLE_IPV6:-true}
     ipam:
       driver: default
       config:
diff --git a/generate_config.sh b/generate_config.sh
index 61b72109c..9610bf18d 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -1,32 +1,13 @@
 #!/usr/bin/env bash
 
+# Load mailcow Generic Scripts
+source _modules/scripts/core.sh
+source _modules/scripts/ipv6_controller.sh
+
 set -o pipefail
 
-if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
-  echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
-  echo "Please update to 5.x or use another distribution."
-  exit 1
-fi
-
-if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
-  if grep -q Ubuntu <<< "$(uname -a)"; then
-    echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
-    echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
-    exit 1
-  fi
-fi
-
-if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi
-# This will also cover sort
-if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi
-if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi
-
-for bin in openssl curl docker git awk sha1sum grep cut; do
-  if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
-done
-
-# Check Docker Version (need at least 24.X)
-docker_version=$(docker version --format '{{.Server.Version}}' | cut -d '.' -f 1)
+get_installed_tools
+get_docker_version
 
 if [[ $docker_version -lt 24 ]]; then
   echo -e "\e[31mCannot find Docker with a Version higher or equals 24.0.0\e[0m"
@@ -35,65 +16,7 @@ if [[ $docker_version -lt 24 ]]; then
   exit 1
 fi
 
-if docker compose > /dev/null 2>&1; then
-    if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then
-      COMPOSE_VERSION=native
-      echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m"
-      echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m"
-      sleep 2
-      echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m"
-    else
-      echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
-      echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-      exit 1
-    fi
-elif docker-compose > /dev/null 2>&1; then
-  if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then
-    if docker-compose version --short | grep "^2." > /dev/null 2>&1; then
-      COMPOSE_VERSION=standalone
-      echo -e "\e[33mFound Docker Compose Standalone.\e[0m"
-      echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m"
-      sleep 2
-      echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m"
-    else
-      echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
-      echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-      exit 1
-    fi
-  fi
-
-else
-  echo -e "\e[31mCannot find Docker Compose.\e[0m"
-  echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-  exit 1
-fi
-
-detect_bad_asn() {
-  echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m"
-  response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
-  if [ "$response" -eq 503 ]; then
-    if [ -z "$SPAMHAUS_DQS_KEY" ]; then
-      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
-      echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m"
-      sleep 2
-      echo ""
-      echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m"
-      echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m"
-      echo ""
-      sleep 2
-
-    else
-      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
-      echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m"
-    fi
-  elif [ "$response" -eq 200 ]; then
-    echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m"
-  elif [ "$response" -eq 429 ]; then
-    echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m"
-  else
-    echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m"
-  fi
-}
+detect_bad_asn
 
 ### If generate_config.sh is started with --dev or -d it will not check out nightly or master branch and will keep on the current branch
 if [[ ${1} == "--dev" || ${1} == "-d" ]]; then
@@ -217,6 +140,8 @@ if [ ! -z "${MAILCOW_BRANCH}" ]; then
   git_branch=${MAILCOW_BRANCH}
 fi
 
+configure_ipv6
+
 [ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc
 
 cat << EOF > mailcow.conf
@@ -510,6 +435,13 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n
 # Otherwise it will work normally.
 SPAMHAUS_DQS_KEY=
 
+# IPv6 Controller Section
+# This variable controls the usage of IPv6 within mailcow.
+# Can either be true or false | Defaults to true
+# WARNING: MAKE SURE TO PROPERLY CONFIGURE IPv6 ON YOUR HOST FIRST BEFORE ENABLING THIS AS FAULTY CONFIGURATIONS CAN LEAD TO OPEN RELAYS!
+# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS.
+ENABLE_IPV6=${IPV6_BOOL}
+
 # Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
 # CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
 DISABLE_NETFILTER_ISOLATION_RULE=n
@@ -588,6 +520,4 @@ else
   echo '  $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php
   echo '?>' >> data/web/inc/app_info.inc.php
   echo -e "\e[33mCannot determine current git repository version...\e[0m"
-fi
-
-detect_bad_asn
+fi
\ No newline at end of file
diff --git a/update.sh b/update.sh
index b7d22bf8a..89dec3e66 100755
--- a/update.sh
+++ b/update.sh
@@ -2,775 +2,23 @@
 
 ############## Begin Function Section ##############
 
-check_online_status() {
-  CHECK_ONLINE_DOMAINS=('https://github.com' 'https://hub.docker.com')
-  for domain in "${CHECK_ONLINE_DOMAINS[@]}"; do
-    if timeout 6 curl --head --silent --output /dev/null ${domain}; then
-      return 0
-    fi
-  done
-  return 1
-}
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+BRANCH="$(cd "${SCRIPT_DIR}" && git rev-parse --abbrev-ref HEAD)"
 
-prefetch_images() {
-  [[ -z ${BRANCH} ]] && { echo -e "\e[33m\nUnknown branch...\e[0m"; exit 1; }
-  git fetch origin #${BRANCH}
-  while read image; do
-    if [[ "${image}" == "robbertkl/ipv6nat" ]]; then
-      if ! grep -qi "ipv6nat-mailcow" docker-compose.yml || grep -qi "enable_ipv6: false" docker-compose.yml; then
-        continue
-      fi
-    fi
-    RET_C=0
-    until docker pull "${image}"; do
-      RET_C=$((RET_C + 1))
-      echo -e "\e[33m\nError pulling $image, retrying...\e[0m"
-      [ ${RET_C} -gt 3 ] && { echo -e "\e[31m\nToo many failed retries, exiting\e[0m"; exit 1; }
-      sleep 1
-    done
-  done < <(git show "origin/${BRANCH}:docker-compose.yml" | grep "image:" | awk '{ gsub("image:","", $3); print $2 }')
-}
-
-docker_garbage() {
-  SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-  IMGS_TO_DELETE=()
-
-  declare -A IMAGES_INFO
-  COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml"))
-
-  for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do
-      ID=$(echo "$existing_image" | cut -d ':' -f 1)
-      REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2)
-      TAG=$(echo "$existing_image" | cut -d ':' -f 3)
-
-      if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then
-          if [[ "$TAG" != "<none>" ]]; then
-              continue
-          fi
-      fi
-
-      if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then
-          continue
-      else
-          IMGS_TO_DELETE+=("$ID")
-          IMAGES_INFO["$ID"]="$REPOSITORY:$TAG"
-      fi
-  done
-
-  if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then
-      echo "The following unused mailcow images were found:"
-      for id in "${IMGS_TO_DELETE[@]}"; do
-          echo "    ${IMAGES_INFO[$id]} ($id)"
-      done
-
-      if [ -z "$FORCE" ]; then
-          read -r -p "Do you want to delete them to free up some space? [y/N] " response
-          if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-              docker rmi ${IMGS_TO_DELETE[*]}
-          else
-              echo "OK, skipped."
-          fi
-      else
-          echo "Running in forced mode! Force removing old mailcow images..."
-          docker rmi ${IMGS_TO_DELETE[*]}
-      fi
-      echo -e "\e[32mFurther cleanup...\e[0m"
-      echo "If you want to cleanup further garbage collected by Docker, please make sure all containers are up and running before cleaning your system by executing \"docker system prune\""
-  fi
-}
-
-in_array() {
-  local e match="$1"
-  shift
-  for e; do [[ "$e" == "$match" ]] && return 0; done
-  return 1
-}
-
-migrate_docker_nat() {
-  NAT_CONFIG='{"ipv6":true,"fixed-cidr-v6":"fd00:dead:beef:c0::/80","experimental":true,"ip6tables":true}'
-  # Min Docker version
-  DOCKERV_REQ=20.10.2
-  # Current Docker version
-  DOCKERV_CUR=$(docker version -f '{{.Server.Version}}')
-  if grep -qi "ipv6nat-mailcow" docker-compose.yml && grep -qi "enable_ipv6: true" docker-compose.yml; then
-    echo -e "\e[32mNative IPv6 implementation available.\e[0m"
-    echo "This will enable experimental features in the Docker daemon and configure Docker to do the IPv6 NATing instead of ipv6nat-mailcow."
-    echo '!!! This step is recommended !!!'
-    echo "mailcow will try to roll back the changes if starting Docker fails after modifying the daemon.json configuration file."
-    read -r -p "Should we try to enable the native IPv6 implementation in Docker now (recommended)? [y/N] " dockernatresponse
-    if [[ ! "${dockernatresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-      echo "OK, skipping this step."
-      return 0
-    fi
-  fi
-  # Sort versions and check if we are running a newer or equal version to req
-  if [ $(printf "${DOCKERV_REQ}\n${DOCKERV_CUR}" | sort -V | tail -n1) == "${DOCKERV_CUR}" ]; then
-    # If Dockerd daemon json exists
-    if [ -s /etc/docker/daemon.json ]; then
-      IFS=',' read -r -a dockerconfig <<< $(cat /etc/docker/daemon.json | tr -cd '[:alnum:],')
-      if ! in_array ipv6true "${dockerconfig[@]}" || \
-        ! in_array experimentaltrue "${dockerconfig[@]}" || \
-        ! in_array ip6tablestrue "${dockerconfig[@]}" || \
-        ! grep -qi "fixed-cidr-v6" /etc/docker/daemon.json; then
-          echo -e "\e[33mWarning:\e[0m You seem to have modified the /etc/docker/daemon.json configuration by yourself and not fully/correctly activated the native IPv6 NAT implementation."
-          echo "You will need to merge your existing configuration manually or fix/delete the existing daemon.json configuration before trying the update process again."
-          echo -e "Please merge the following content and restart the Docker daemon:\n"
-          echo "${NAT_CONFIG}"
-          return 1
-      fi
-    else
-      echo "Working on IPv6 NAT, please wait..."
-      echo "${NAT_CONFIG}" > /etc/docker/daemon.json
-      ip6tables -F -t nat
-      [[ -e /etc/rc.conf ]] && rc-service docker restart || systemctl restart docker.service
-      if [[ $? -ne 0 ]]; then
-        echo -e "\e[31mError:\e[0m Failed to activate IPv6 NAT! Reverting and exiting."
-        rm /etc/docker/daemon.json
-        if [[ -e /etc/rc.conf ]]; then
-          rc-service docker restart
-        else
-          systemctl reset-failed docker.service
-          systemctl restart docker.service
-        fi
-        return 1
-      fi
-    fi
-    # Removing legacy container
-    sed -i '/ipv6nat-mailcow:$/,/^$/d' docker-compose.yml
-    if [ -s docker-compose.override.yml ]; then
-        sed -i '/ipv6nat-mailcow:$/,/^$/d' docker-compose.override.yml
-        if [[ "$(cat docker-compose.override.yml | sed '/^\s*$/d' | wc -l)" == "2" ]]; then
-            mv docker-compose.override.yml docker-compose.override.yml_backup
-        fi
-    fi
-    echo -e "\e[32mGreat! \e[0mNative IPv6 NAT is active.\e[0m"
-  else
-    echo -e "\e[31mPlease upgrade Docker to version ${DOCKERV_REQ} or above.\e[0m"
-    return 0
-  fi
-}
-
-remove_obsolete_nginx_ports() {
-    # Removing obsolete docker-compose.override.yml
-    for override in docker-compose.override.yml docker-compose.override.yaml; do
-    if [ -s $override ] ; then
-        if cat $override | grep nginx-mailcow > /dev/null 2>&1; then
-          if cat $override | grep -E '(\[::])' > /dev/null 2>&1; then
-            if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then
-              echo -e "\e[33mBacking up ${override} to preserve custom changes...\e[0m"
-              echo -e "\e[33m!!! Manual Merge needed (if other overrides are set) !!!\e[0m"
-              sleep 3
-              cp $override ${override}_backup
-              sed -i '/nginx-mailcow:$/,/^$/d' $override
-              echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from original override File.\e[0m"
-                if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then
-                  mv $override ${override}_empty
-                  echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m"
-                fi
-            fi
-          fi
-        fi
-    fi
-    done
-}
-
-detect_docker_compose_command(){
-if ! [[ "${DOCKER_COMPOSE_VERSION}" =~ ^(native|standalone)$ ]]; then
-  if docker compose > /dev/null 2>&1; then
-      if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then
-        DOCKER_COMPOSE_VERSION=native
-        COMPOSE_COMMAND="docker compose"
-        echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m"
-        echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m"
-        sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf"
-        sleep 2
-        echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m"
-      else
-        echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
-        echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-        exit 1
-      fi
-  elif docker-compose > /dev/null 2>&1; then
-    if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then
-      if docker-compose version --short | grep "^2." > /dev/null 2>&1; then
-        DOCKER_COMPOSE_VERSION=standalone
-        COMPOSE_COMMAND="docker-compose"
-        echo -e "\e[33mFound Docker Compose Standalone.\e[0m"
-        echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m"
-        sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf"
-        sleep 2
-        echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m"
-      else
-        echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
-        echo -e "\e[31mPlease update/install regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-        exit 1
-      fi
-    fi
-
-  else
-    echo -e "\e[31mCannot find Docker Compose.\e[0m"
-    echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-    exit 1
-  fi
-
-elif [ "${DOCKER_COMPOSE_VERSION}" == "native" ]; then
-  COMPOSE_COMMAND="docker compose"
-  # Check if Native Compose works and has not been deleted
-  if ! $COMPOSE_COMMAND > /dev/null 2>&1; then
-    # IF it not exists/work anymore try the other command
-    COMPOSE_COMMAND="docker-compose"
-    if ! $COMPOSE_COMMAND > /dev/null 2>&1 || ! $COMPOSE_COMMAND --version | grep "^2." > /dev/null 2>&1; then
-      # IF it cannot find Standalone in > 2.X, then script stops
-      echo -e "\e[31mCannot find Docker Compose or the Version is lower then 2.X.X.\e[0m"
-      echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-      exit 1
-    fi
-      # If it finds the standalone Plugin it will use this instead and change the mailcow.conf Variable accordingly
-      echo -e "\e[31mFound different Docker Compose Version then declared in mailcow.conf!\e[0m"
-      echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable from native to standalone\e[0m"
-      sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf"
-      sleep 2
-  fi
-
-
-elif [ "${DOCKER_COMPOSE_VERSION}" == "standalone" ]; then
-  COMPOSE_COMMAND="docker-compose"
-  # Check if Standalone Compose works and has not been deleted
-  if ! $COMPOSE_COMMAND > /dev/null 2>&1 && ! $COMPOSE_COMMAND --version > /dev/null 2>&1 | grep "^2." > /dev/null 2>&1; then
-    # IF it not exists/work anymore try the other command
-    COMPOSE_COMMAND="docker compose"
-    if ! $COMPOSE_COMMAND > /dev/null 2>&1; then
-      # IF it cannot find Native in > 2.X, then script stops
-      echo -e "\e[31mCannot find Docker Compose.\e[0m"
-      echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-      exit 1
-    fi
-      # If it finds the native Plugin it will use this instead and change the mailcow.conf Variable accordingly
-      echo -e "\e[31mFound different Docker Compose Version then declared in mailcow.conf!\e[0m"
-      echo -e "\e[31mSetting the DOCKER_COMPOSE_VERSION Variable from standalone to native\e[0m"
-      sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf"
-      sleep 2
-  fi
+MODULE_DIR="${SCRIPT_DIR}/_modules"
+if [[ ! -d "${MODULE_DIR}" || -z "$(ls -A "${MODULE_DIR}")" ]]; then
+  echo -e "\e[33m_modules is missing or empty – fetching all Modules from origin/${BRANCH}…\e[0m"
+  git fetch origin "${BRANCH}"
+  git checkout "origin/${BRANCH}" -- _modules
+  echo -e "\e[33mDone. Please restart the script...\e[0m"
+  exit 2
 fi
-}
 
-detect_bad_asn() {
-  echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m"
-  response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
-  if [ "$response" -eq 503 ]; then
-    if [ -z "$SPAMHAUS_DQS_KEY" ]; then
-      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
-      echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m"
-      sleep 2
-      echo ""
-      echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m"
-      echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m"
-      echo ""
-      sleep 2
+source _modules/scripts/core.sh
+source _modules/scripts/ipv6_controller.sh
+source _modules/scripts/new_options.sh
+source _modules/scripts/migrate_options.sh
 
-    else
-      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
-      echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m"
-    fi
-  elif [ "$response" -eq 200 ]; then
-    echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m"
-  elif [ "$response" -eq 429 ]; then
-    echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m"
-  else
-    echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m"
-  fi
-}
-
-fix_broken_dnslist_conf() {
-
-# Fixing issue: #6143. To be removed in a later patch
-
-  local file="${SCRIPT_DIR}/data/conf/postfix/dns_blocklists.cf"
-    # Check if the file exists
-  if [[ ! -f "$file" ]]; then
-      return 1
-  fi
-
-  # Check if the file contains the autogenerated comment
-  if grep -q "# Autogenerated by mailcow" "$file"; then
-      # Ask the user if custom changes were made
-      echo -e "\e[91mWARNING!!! \e[31mAn old version of dns_blocklists.cf has been detected which may cause a broken postfix upon startup (see: https://github.com/mailcow/mailcow-dockerized/issues/6143)...\e[0m"
-      echo -e "\e[31mIf you have any custom settings in there you might copy it away and adapt the changes after the file is regenerated...\e[0m"
-      read -p "Do you want to delete the file now and let mailcow regenerate it properly? [y/n]" response
-      if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-        rm "$file"
-        echo -e "\e[32mdns_blocklists.cf has been deleted and will be properly regenerated"
-        return 0
-      else
-        echo -e "\e[35mOk, not deleting it! Please make sure you take a look at postfix upon start then..."
-        return 2
-      fi
-  fi
-
-}
-
-adapt_new_options() {
-
-  CONFIG_ARRAY=(
-  "SKIP_LETS_ENCRYPT"
-  "SKIP_SOGO"
-  "USE_WATCHDOG"
-  "WATCHDOG_NOTIFY_EMAIL"
-  "WATCHDOG_NOTIFY_WEBHOOK"
-  "WATCHDOG_NOTIFY_WEBHOOK_BODY"
-  "WATCHDOG_NOTIFY_BAN"
-  "WATCHDOG_NOTIFY_START"
-  "WATCHDOG_EXTERNAL_CHECKS"
-  "WATCHDOG_SUBJECT"
-  "SKIP_CLAMD"
-  "SKIP_OLEFY"
-  "SKIP_IP_CHECK"
-  "ADDITIONAL_SAN"
-  "DOVEADM_PORT"
-  "IPV4_NETWORK"
-  "IPV6_NETWORK"
-  "LOG_LINES"
-  "SNAT_TO_SOURCE"
-  "SNAT6_TO_SOURCE"
-  "COMPOSE_PROJECT_NAME"
-  "DOCKER_COMPOSE_VERSION"
-  "SQL_PORT"
-  "API_KEY"
-  "API_KEY_READ_ONLY"
-  "API_ALLOW_FROM"
-  "MAILDIR_GC_TIME"
-  "MAILDIR_SUB"
-  "ACL_ANYONE"
-  "FTS_HEAP"
-  "FTS_PROCS"
-  "SKIP_FTS"
-  "ENABLE_SSL_SNI"
-  "ALLOW_ADMIN_EMAIL_LOGIN"
-  "SKIP_HTTP_VERIFICATION"
-  "SOGO_EXPIRE_SESSION"
-  "REDIS_PORT"
-  "DOVECOT_MASTER_USER"
-  "DOVECOT_MASTER_PASS"
-  "MAILCOW_PASS_SCHEME"
-  "ADDITIONAL_SERVER_NAMES"
-  "WATCHDOG_VERBOSE"
-  "WEBAUTHN_ONLY_TRUSTED_VENDORS"
-  "SPAMHAUS_DQS_KEY"
-  "SKIP_UNBOUND_HEALTHCHECK"
-  "DISABLE_NETFILTER_ISOLATION_RULE"
-  "HTTP_REDIRECT"
-  )
-
-  sed -i --follow-symlinks '$a\' mailcow.conf
-  for option in ${CONFIG_ARRAY[@]}; do
-    if [[ ${option} == "ADDITIONAL_SAN" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "${option}=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "COMPOSE_PROJECT_NAME" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "COMPOSE_PROJECT_NAME=mailcowdockerized" >> mailcow.conf
-      fi
-    elif [[ ${option} == "DOCKER_COMPOSE_VERSION" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "# Used Docker Compose version" >> mailcow.conf
-        echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf
-        echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf
-        echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf
-        echo "# Please be aware that at least one of those variants should be installed on your maschine or mailcow will fail." >> mailcow.conf
-        echo "" >> mailcow.conf
-        echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf
-      fi
-    elif [[ ${option} == "DOVEADM_PORT" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_NOTIFY_EMAIL" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "WATCHDOG_NOTIFY_EMAIL=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "LOG_LINES" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
-        echo "LOG_LINES=9999" >> mailcow.conf
-      fi
-    elif [[ ${option} == "IPV4_NETWORK" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
-        echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
-      fi
-    elif [[ ${option} == "IPV6_NETWORK" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf
-        echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf
-      fi
-    elif [[ ${option} == "SQL_PORT" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf
-        echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf
-      fi
-    elif [[ ${option} == "API_KEY" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Create or override API key for web UI' >> mailcow.conf
-        echo "#API_KEY=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "API_KEY_READ_ONLY" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Create or override read-only API key for web UI' >> mailcow.conf
-        echo "#API_KEY_READ_ONLY=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "API_ALLOW_FROM" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Must be set for API_KEY to be active' >> mailcow.conf
-        echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf
-        echo "#API_ALLOW_FROM=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "SNAT_TO_SOURCE" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf
-        echo "#SNAT_TO_SOURCE=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "SNAT6_TO_SOURCE" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf
-        echo "#SNAT6_TO_SOURCE=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "MAILDIR_GC_TIME" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Garbage collector cleanup' >> mailcow.conf
-        echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf
-        echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf
-        echo '# Check interval is hourly' >> mailcow.conf
-        echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf
-      fi
-    elif [[ ${option} == "ACL_ANYONE" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf
-        echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf
-        echo '# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.' >> mailcow.conf
-        echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf
-        echo 'ACL_ANYONE=disallow' >> mailcow.conf
-      fi
-    elif [[ ${option} == "FTS_HEAP" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.' >> mailcow.conf
-        echo '# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.' >> mailcow.conf
-        echo '# Please always monitor your Resource consumption!' >> mailcow.conf
-        echo "FTS_HEAP=128" >> mailcow.conf
-      fi
-    elif [[ ${option} == "SKIP_FTS" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.' >> mailcow.conf
-        echo "# Dovecot inside mailcow use Flatcurve as FTS Backend." >> mailcow.conf
-        echo "SKIP_FTS=y" >> mailcow.conf
-      fi
-    elif [[ ${option} == "FTS_PROCS" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Controls how many processes the Dovecot indexing process can spawn at max.' >> mailcow.conf
-        echo '# Too many indexing processes can use a lot of CPU and Disk I/O' >> mailcow.conf
-        echo '# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations' >> mailcow.conf
-        echo "FTS_PROCS=1" >> mailcow.conf
-      fi
-    elif [[ ${option} == "ENABLE_SSL_SNI" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf
-        echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf
-        echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf
-        echo "ENABLE_SSL_SNI=n" >> mailcow.conf
-      fi
-    elif [[ ${option} == "SKIP_SOGO" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf
-        echo "SKIP_SOGO=n" >> mailcow.conf
-      fi
-    elif [[ ${option} == "MAILDIR_SUB" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf
-        echo "#MAILDIR_SUB=Maildir" >> mailcow.conf
-        echo "MAILDIR_SUB=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_NOTIFY_WEBHOOK" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf
-        echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf
-        echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_NOTIFY_WEBHOOK_BODY" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf
-        echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf
-        WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
-        echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_NOTIFY_BAN" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf
-        echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_NOTIFY_START" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Send a notification when the watchdog is started.' >> mailcow.conf
-        echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_SUBJECT" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf
-        echo "#WATCHDOG_SUBJECT=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_EXTERNAL_CHECKS" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf
-        echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf
-        echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf
-        echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf
-      fi
-    elif [[ ${option} == "SOGO_EXPIRE_SESSION" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# SOGo session timeout in minutes' >> mailcow.conf
-        echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf
-      fi
-    elif [[ ${option} == "REDIS_PORT" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf
-      fi
-    elif [[ ${option} == "DOVECOT_MASTER_USER" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf
-        echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf
-        echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf
-        echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
-        echo "DOVECOT_MASTER_USER=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "DOVECOT_MASTER_PASS" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
-        echo "DOVECOT_MASTER_PASS=" >> mailcow.conf
-      fi
-    elif [[ ${option} == "MAILCOW_PASS_SCHEME" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Password hash algorithm' >> mailcow.conf
-        echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf
-        echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf
-        echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf
-      fi
-    elif [[ ${option} == "ADDITIONAL_SERVER_NAMES" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Additional server names for mailcow UI' >> mailcow.conf
-        echo '#' >> mailcow.conf
-        echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf
-        echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf
-        echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf
-        echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf
-        echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
-        echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
-      fi
-    elif [[ ${option} == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "# WebAuthn device manufacturer verification" >> mailcow.conf
-        echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf
-        echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
-        echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf
-      fi
-    elif [[ ${option} == "SPAMHAUS_DQS_KEY" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo "# Spamhaus Data Query Service Key" >> mailcow.conf
-        echo '# Optional: Leave empty for none' >> mailcow.conf
-        echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf
-        echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf
-        echo '# Otherwise it will work as usual.' >> mailcow.conf
-        echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf
-      fi
-    elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Enable watchdog verbose logging' >> mailcow.conf
-        echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf
-      fi
-    elif [[ ${option} == "SKIP_UNBOUND_HEALTHCHECK" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf
-        echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf
-      fi
-    elif [[ ${option} == "DISABLE_NETFILTER_ISOLATION_RULE" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf
-        echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf
-        echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf
-      fi
-    elif [[ ${option} == "HTTP_REDIRECT" ]]; then
-      if ! grep -q ${option} mailcow.conf; then
-        echo "Adding new option \"${option}\" to mailcow.conf"
-        echo '# Redirect HTTP connections to HTTPS - y/n' >> mailcow.conf
-        echo 'HTTP_REDIRECT=n' >> mailcow.conf
-      fi
-    elif ! grep -q ${option} mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "${option}=n" >> mailcow.conf
-    fi
-  done
-}
-
-migrate_solr_config_options() {
-
-  sed -i --follow-symlinks '$a\' mailcow.conf
-
-  if grep -q "SOLR_HEAP" mailcow.conf; then
-    echo "Removing SOLR_HEAP in mailcow.conf"
-    sed -i '/# Solr heap size in MB\b/d' mailcow.conf
-    sed -i '/# Solr is a prone to run\b/d' mailcow.conf
-    sed -i '/SOLR_HEAP\b/d' mailcow.conf
-  fi
-
-  if grep -q "SKIP_SOLR" mailcow.conf; then
-    echo "Removing SKIP_SOLR in mailcow.conf"
-    sed -i '/\bSkip Solr on low-memory\b/d' mailcow.conf
-    sed -i '/\bSolr is disabled by default\b/d' mailcow.conf
-    sed -i '/\bDisable Solr or\b/d' mailcow.conf
-    sed -i '/\bSKIP_SOLR\b/d' mailcow.conf
-  fi
-
-  if grep -q "SOLR_PORT" mailcow.conf; then
-    echo "Removing SOLR_PORT in mailcow.conf"
-    sed -i '/\bSOLR_PORT\b/d' mailcow.conf
-  fi
-
-  if grep -q "FLATCURVE_EXPERIMENTAL" mailcow.conf; then
-    echo "Removing FLATCURVE_EXPERIMENTAL in mailcow.conf"
-    sed -i '/\bFLATCURVE_EXPERIMENTAL\b/d' mailcow.conf
-  fi
-
-  solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1)
-  if [[ -n $solr_volume ]]; then
-    echo -e "\e[34mSolr has been replaced within mailcow since 2025-01.\nThe volume $solr_volume is unused.\e[0m"
-    sleep 1
-    if [ ! "$FORCE" ]; then
-      read -r -p "Remove $solr_volume? [y/N] " response
-      if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-        echo -e "\e[33mRemoving $solr_volume...\e[0m"
-        docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m"
-        echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m"
-      else
-        echo -e "Not removing $solr_volume. Run \`docker volume rm $solr_volume\` manually if needed."
-      fi
-    else
-      echo -e "\e[33mForce removing $solr_volume...\e[0m"
-      docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m"
-      echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m"
-    fi
-  fi
-
-  # Delete old fts.conf before forced switch to flatcurve to ensure update is working properly
-  FTS_CONF_PATH="${SCRIPT_DIR}/data/conf/dovecot/conf.d/fts.conf"
-  if [[ -f "$FTS_CONF_PATH" ]]; then
-    if grep -q "Autogenerated by mailcow" "$FTS_CONF_PATH"; then
-      rm -rf $FTS_CONF_PATH
-    fi
-  fi
-}
-
-detect_major_update() {
-  if [ ${BRANCH} == "master" ]; then
-    # Array with major versions
-    # Add major versions here
-    MAJOR_VERSIONS=(
-      "2025-02"
-      "2025-03"
-    )
-
-    current_version=""
-    if [[ -f "${SCRIPT_DIR}/data/web/inc/app_info.inc.php" ]]; then
-      current_version=$(grep 'MAILCOW_GIT_VERSION' ${SCRIPT_DIR}/data/web/inc/app_info.inc.php | sed -E 's/.*MAILCOW_GIT_VERSION="([^"]+)".*/\1/')
-    fi
-    if [[ -z "$current_version" ]]; then
-      return 1
-    fi
-    release_url="https://github.com/mailcow/mailcow-dockerized/releases/tag"
-
-    updates_to_apply=()
-
-    for version in "${MAJOR_VERSIONS[@]}"; do
-      if [[ "$current_version" < "$version" ]]; then
-        updates_to_apply+=("$version")
-      fi
-    done
-
-    if [[ ${#updates_to_apply[@]} -gt 0 ]]; then
-      echo -e "\e[33m\nMAJOR UPDATES to be applied:\e[0m"
-      for update in "${updates_to_apply[@]}"; do
-        echo "$update - $release_url/$update"
-      done
-
-      echo -e "\nPlease read the release notes before proceeding."
-      read -p "Do you want to proceed with the update? [y/n] " response
-      if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-        echo "Proceeding with the update..."
-      else
-        echo "Update canceled. Exiting."
-        exit 1
-      fi
-    fi
-  fi
-}
-
-remove_obsolete_options() {
-  OBSOLETE_OPTIONS=(
-    "ACME_CONTACT"
-  )
-
-  for option in "${OBSOLETE_OPTIONS[@]}"; do
-    if [[ "$option" == "ACME_CONTACT" ]]; then
-      sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf
-      sed -i "/^# Let's Encrypt registration contact information/d" mailcow.conf
-      sed -i '/^# Optional: Leave empty for none/d' mailcow.conf
-      sed -i '/^# This value is only used on first order!/d' mailcow.conf
-      sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf
-      sed -i '/^# https:\/\/docs.mailcow.email\/troubleshooting\/debug-reset_tls\//d' mailcow.conf
-      sed -i '/^ACME_CONTACT=.*/d' mailcow.conf
-      sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf
-    else
-      sed -i "/^${option}=.*/d" mailcow.conf
-      sed -i "/^#${option}=.*/d" mailcow.conf
-    fi
-  done
-}
 ############## End Function Section ##############
 
 # Check permissions
@@ -786,22 +34,6 @@ if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then
   bash "${SCRIPT_DIR}/pre_update_hook.sh"
 fi
 
-if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
-  echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
-  echo "Please update to 5.x or use another distribution."
-  exit 1
-fi
-
-if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
-  if grep -q Ubuntu <<< "$(uname -a)"; then
-    echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"
-    echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
-    exit 1
-  fi
-  echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk."
-  read -p "Press any key to continue..." < /dev/tty
-fi
-
 # Exit on error and pipefail
 set -o pipefail
 
@@ -817,22 +49,9 @@ umask 0022
 unset COMPOSE_COMMAND
 unset DOCKER_COMPOSE_VERSION
 
-for bin in curl docker git awk sha1sum grep cut; do
-  if [[ -z $(command -v ${bin}) ]]; then
-  echo "Cannot find ${bin}, exiting..."
-  exit 1;
-  fi
-done
+get_installed_tools
 
-# Check Docker Version (need at least 24.X)
-docker_version=$(docker -v | grep -oP '\d+\.\d+\.\d+' | cut -d '.' -f 1 | head -1)
-
-if [[ $docker_version -lt 24 ]]; then
-  echo -e "\e[31mCannot find Docker with a Version higher or equals 24.0.0\e[0m"
-  echo -e "\e[33mmailcow needs a newer Docker version to work properly... continuing on your own risk!\e[0m"
-  echo -e "\e[31mPlease update your Docker installation... sleeping 10s\e[0m"
-  sleep 10
-fi
+get_docker_version
 
 export LC_ALL=C
 DATE=$(date +%Y-%m-%d_%H_%M_%S)
@@ -936,9 +155,7 @@ done
 chmod 600 mailcow.conf
 source mailcow.conf
 
-detect_docker_compose_command
-
-fix_broken_dnslist_conf
+get_compose_type
 
 DOTS=${MAILCOW_HOSTNAME//[^.]};
 if [ ${#DOTS} -lt 1 ]; then
@@ -961,349 +178,8 @@ elif [ ${#DOTS} -eq 1 ]; then
   fi
 fi
 
-if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi
-# This will also cover sort
-if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi
-if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi
-
-CONFIG_ARRAY=(
-  "SKIP_LETS_ENCRYPT"
-  "SKIP_SOGO"
-  "USE_WATCHDOG"
-  "WATCHDOG_NOTIFY_EMAIL"
-  "WATCHDOG_NOTIFY_WEBHOOK"
-  "WATCHDOG_NOTIFY_WEBHOOK_BODY"
-  "WATCHDOG_NOTIFY_BAN"
-  "WATCHDOG_NOTIFY_START"
-  "WATCHDOG_EXTERNAL_CHECKS"
-  "WATCHDOG_SUBJECT"
-  "SKIP_CLAMD"
-  "SKIP_OLEFY"
-  "SKIP_IP_CHECK"
-  "ADDITIONAL_SAN"
-  "AUTODISCOVER_SAN"
-  "DOVEADM_PORT"
-  "IPV4_NETWORK"
-  "IPV6_NETWORK"
-  "LOG_LINES"
-  "SNAT_TO_SOURCE"
-  "SNAT6_TO_SOURCE"
-  "COMPOSE_PROJECT_NAME"
-  "DOCKER_COMPOSE_VERSION"
-  "SQL_PORT"
-  "API_KEY"
-  "API_KEY_READ_ONLY"
-  "API_ALLOW_FROM"
-  "MAILDIR_GC_TIME"
-  "MAILDIR_SUB"
-  "ACL_ANYONE"
-  "ENABLE_SSL_SNI"
-  "ALLOW_ADMIN_EMAIL_LOGIN"
-  "SKIP_HTTP_VERIFICATION"
-  "SOGO_EXPIRE_SESSION"
-  "REDIS_PORT"
-  "DOVECOT_MASTER_USER"
-  "DOVECOT_MASTER_PASS"
-  "MAILCOW_PASS_SCHEME"
-  "ADDITIONAL_SERVER_NAMES"
-  "WATCHDOG_VERBOSE"
-  "WEBAUTHN_ONLY_TRUSTED_VENDORS"
-  "SPAMHAUS_DQS_KEY"
-  "SKIP_UNBOUND_HEALTHCHECK"
-  "DISABLE_NETFILTER_ISOLATION_RULE"
-  "REDISPASS"
-)
-
 detect_bad_asn
 
-sed -i --follow-symlinks '$a\' mailcow.conf
-for option in "${CONFIG_ARRAY[@]}"; do
-  if [[ ${option} == "ADDITIONAL_SAN" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "${option}=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "COMPOSE_PROJECT_NAME" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "COMPOSE_PROJECT_NAME=mailcowdockerized" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "DOCKER_COMPOSE_VERSION" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "# Used Docker Compose version" >> mailcow.conf
-      echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf
-      echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf
-      echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf
-      echo "# Please be aware that at least one of those variants should be installed on your maschine or mailcow will fail." >> mailcow.conf
-      echo "" >> mailcow.conf
-      echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "DOVEADM_PORT" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_NOTIFY_EMAIL" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "WATCHDOG_NOTIFY_EMAIL=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "LOG_LINES" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
-      echo "LOG_LINES=9999" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "IPV4_NETWORK" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
-      echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "IPV6_NETWORK" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf
-      echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SQL_PORT" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf
-      echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "API_KEY" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Create or override API key for web UI' >> mailcow.conf
-      echo "#API_KEY=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "API_KEY_READ_ONLY" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Create or override read-only API key for web UI' >> mailcow.conf
-      echo "#API_KEY_READ_ONLY=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "API_ALLOW_FROM" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Must be set for API_KEY to be active' >> mailcow.conf
-      echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf
-      echo "#API_ALLOW_FROM=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SNAT_TO_SOURCE" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf
-      echo "#SNAT_TO_SOURCE=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SNAT6_TO_SOURCE" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf
-      echo "#SNAT6_TO_SOURCE=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "MAILDIR_GC_TIME" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Garbage collector cleanup' >> mailcow.conf
-      echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf
-      echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf
-      echo '# Check interval is hourly' >> mailcow.conf
-      echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "ACL_ANYONE" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf
-      echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf
-      echo '# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.' >> mailcow.conf
-      echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf
-      echo 'ACL_ANYONE=disallow' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "ENABLE_SSL_SNI" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf
-      echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf
-      echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf
-      echo "ENABLE_SSL_SNI=n" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SKIP_SOGO" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf
-      echo "SKIP_SOGO=n" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "MAILDIR_SUB" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf
-      echo "#MAILDIR_SUB=Maildir" >> mailcow.conf
-      echo "MAILDIR_SUB=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_NOTIFY_WEBHOOK" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf
-      echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf
-      echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_NOTIFY_WEBHOOK_BODY" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf
-      echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf
-      WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
-      echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_NOTIFY_BAN" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf
-      echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_NOTIFY_START" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Send a notification when the watchdog is started.' >> mailcow.conf
-      echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_SUBJECT" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf
-      echo "#WATCHDOG_SUBJECT=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_EXTERNAL_CHECKS" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf
-      echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf
-      echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf
-      echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SOGO_EXPIRE_SESSION" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# SOGo session timeout in minutes' >> mailcow.conf
-      echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "REDIS_PORT" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "DOVECOT_MASTER_USER" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf
-      echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf
-      echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf
-      echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
-      echo "DOVECOT_MASTER_USER=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "DOVECOT_MASTER_PASS" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
-      echo "DOVECOT_MASTER_PASS=" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "MAILCOW_PASS_SCHEME" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Password hash algorithm' >> mailcow.conf
-      echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf
-      echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf
-      echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf
-    fi
-  elif [[ "${option}" == "ADDITIONAL_SERVER_NAMES" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Additional server names for mailcow UI' >> mailcow.conf
-      echo '#' >> mailcow.conf
-      echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf
-      echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf
-      echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf
-      echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf
-      echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
-      echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
-    fi
-
-  elif [[ "${option}" == "AUTODISCOVER_SAN" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf
-      echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf
-      echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf
-      echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf
-      echo '# in the reverse proxy.' >> mailcow.conf
-      echo 'AUTODISCOVER_SAN=y' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "# WebAuthn device manufacturer verification" >> mailcow.conf
-      echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf
-      echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
-      echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SPAMHAUS_DQS_KEY" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo "# Spamhaus Data Query Service Key" >> mailcow.conf
-      echo '# Optional: Leave empty for none' >> mailcow.conf
-      echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf
-      echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf
-      echo '# Otherwise it will work as usual.' >> mailcow.conf
-      echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "WATCHDOG_VERBOSE" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Enable watchdog verbose logging' >> mailcow.conf
-      echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SKIP_UNBOUND_HEALTHCHECK" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf
-      echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "DISABLE_NETFILTER_ISOLATION_RULE" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf
-      echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf
-      echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SKIP_CLAMD" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf
-      echo 'SKIP_CLAMD=n' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "SKIP_OLEFY" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf
-      echo 'SKIP_OLEFY=n' >> mailcow.conf
-    fi
-  elif [[ "${option}" == "REDISPASS" ]]; then
-    if ! grep -q "${option}" mailcow.conf; then
-      echo "Adding new option \"${option}\" to mailcow.conf"
-      echo -e '\n# ------------------------------' >> mailcow.conf
-      echo '# REDIS configuration' >> mailcow.conf
-      echo -e '# ------------------------------\n' >> mailcow.conf
-      echo "REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)" >> mailcow.conf
-    fi
-  elif ! grep -q "${option}" mailcow.conf; then
-    echo "Adding new option \"${option}\" to mailcow.conf"
-    echo "${option}=n" >> mailcow.conf
-  fi
-done
-
 if [[ ("${SKIP_PING_CHECK}" == "y") ]]; then
 echo -e "\e[32mSkipping Ping Check...\e[0m"
 
@@ -1422,16 +298,38 @@ elif [ "$NEW_BRANCH" == "legacy" ] && [ "$CURRENT_BRANCH" != "legacy" ]; then
 fi
 
 if [ ! "$DEV" ]; then
+  EXIT_COUNT=0
   echo -e "\e[32mChecking for newer update script...\e[0m"
   SHA1_1="$(sha1sum update.sh)"
-  git fetch origin #${BRANCH}
-  git checkout "origin/${BRANCH}" update.sh
-  SHA1_2=$(sha1sum update.sh)
+  git fetch origin
+  git checkout "origin/${BRANCH}" -- update.sh
+  SHA1_2="$(sha1sum update.sh)"
   if [[ "${SHA1_1}" != "${SHA1_2}" ]]; then
-    echo "update.sh changed, please run this script again, exiting."
     chmod +x update.sh
+    EXIT_COUNT+=1
+  fi
+
+  MODULE_DIR="$(dirname "$0")/_modules"
+  echo -e "\e[32mChecking for updates in _modules...\e[0m"
+  if [ ! -d "${MODULE_DIR}" ] || [ -z "$(ls -A "${MODULE_DIR}")" ]; then
+    echo -e "\e[33m_modules missing or empty — fetching from origin...\e[0m"
+    git checkout "origin/${BRANCH}" -- _modules
+  else
+    OLD_SUM="$(find "${MODULE_DIR}" -type f -exec sha1sum {} \; | sort | sha1sum)"
+    git fetch origin
+    git checkout "origin/${BRANCH}" -- _modules
+    NEW_SUM="$(find "${MODULE_DIR}" -type f -exec sha1sum {} \; | sort | sha1sum)"
+
+    if [[ "${OLD_SUM}" != "${NEW_SUM}" ]]; then
+      EXIT_COUNT+=1
+    fi
+  fi
+
+  if [ ${EXIT_COUNT} -ge 1 ]; then
+    echo "Changes for the update Script, please run this script again, exiting!"
     exit 2
   fi
+
 fi
 
 if [ ! "$FORCE" ]; then
@@ -1441,11 +339,8 @@ if [ ! "$FORCE" ]; then
     exit 0
   fi
   detect_major_update
-  migrate_docker_nat
 fi
 
-remove_obsolete_nginx_ports
-
 echo -e "\e[32mValidating docker-compose stack configuration...\e[0m"
 sed -i 's/HTTPS_BIND:-:/HTTPS_BIND:-/g' docker-compose.yml
 sed -i 's/HTTP_BIND:-:/HTTP_BIND:-/g' docker-compose.yml
@@ -1483,28 +378,28 @@ for container in "${MAILCOW_CONTAINERS[@]}"; do
   docker rm -f "$container" 2> /dev/null
 done
 
+configure_ipv6
+
 [[ -f data/conf/nginx/ZZZ-ejabberd.conf ]] && rm data/conf/nginx/ZZZ-ejabberd.conf
-migrate_solr_config_options
+migrate_config_options
 adapt_new_options
-remove_obsolete_options
 
-# Silently fixing remote url from andryyy to mailcow
-# git remote set-url origin https://github.com/mailcow/mailcow-dockerized
-
-DEFAULT_REPO="https://github.com/mailcow/mailcow-dockerized"
-CURRENT_REPO=$(git config --get remote.origin.url)
-if [ "$CURRENT_REPO" != "$DEFAULT_REPO" ]; then
-  echo "The Repository currently used is not the default Mailcow Repository."
-  echo "Currently Repository: $CURRENT_REPO"
-  echo "Default Repository:   $DEFAULT_REPO"
-  if [ ! "$FORCE" ]; then
-    read -r -p "Should it be changed back to default? [y/N] " repo_response
-    if [[ "$repo_response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-      git remote set-url origin $DEFAULT_REPO
+if [ ! "$DEV" ]; then
+  DEFAULT_REPO="https://github.com/mailcow/mailcow-dockerized"
+  CURRENT_REPO=$(git config --get remote.origin.url)
+  if [ "$CURRENT_REPO" != "$DEFAULT_REPO" ]; then
+    echo "The Repository currently used is not the default mailcow Repository."
+    echo "Currently Repository: $CURRENT_REPO"
+    echo "Default Repository:   $DEFAULT_REPO"
+    if [ ! "$FORCE" ]; then
+      read -r -p "Should it be changed back to default? [y/N] " repo_response
+      if [[ "$repo_response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+        git remote set-url origin $DEFAULT_REPO
+      fi
+    else
+        echo "Running in forced mode... setting Repo to default!"
+        git remote set-url origin $DEFAULT_REPO
     fi
-  else
-      echo "Running in forced mode... setting Repo to default!"
-      git remote set-url origin $DEFAULT_REPO
   fi
 fi
 
@@ -1538,7 +433,7 @@ if [ ! "$DEV" ]; then
     echo "Run $COMPOSE_COMMAND up -d to restart your stack without updates or try again after fixing the mentioned errors."
     exit 1
   fi
-elif [ "$DEV" ]; then
+else
   echo -e "\e[33mDEVELOPER MODE: Not creating a git diff and commiting it to prevent development stuff within a backup diff...\e[0m"
 fi
 

From ef5739c32fcf2607d19255fd9ca820e136e975a7 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 6 Aug 2025 08:39:21 +0200
Subject: [PATCH 293/378] add 2025-08 as breaking major release

---
 _modules/scripts/core.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh
index 42133aa6b..ab67f25c6 100644
--- a/_modules/scripts/core.sh
+++ b/_modules/scripts/core.sh
@@ -185,6 +185,7 @@ detect_major_update() {
     MAJOR_VERSIONS=(
       "2025-02"
       "2025-03"
+      "2025-08"
     )
 
     current_version=""

From e91d678bd16156ca80e63c16b559a5acd0946830 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 6 Aug 2025 09:36:05 +0200
Subject: [PATCH 294/378] fix docker version detection

---
 _modules/scripts/ipv6_controller.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_modules/scripts/ipv6_controller.sh b/_modules/scripts/ipv6_controller.sh
index 7fe7d3cbd..de5272048 100644
--- a/_modules/scripts/ipv6_controller.sh
+++ b/_modules/scripts/ipv6_controller.sh
@@ -41,7 +41,7 @@ docker_daemon_edit(){
     ! _has_kv ipv6 true       && MISSING+=("ipv6: true")
     ! grep -Eq '"fixed-cidr-v6"\s*:\s*".+"' "$DOCKER_DAEMON_CONFIG" \
                               && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
-    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -ge 27 ]]; then
+    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -le 27 ]]; then
       _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true")
       ! _has_kv experimental true                 && MISSING+=("experimental: true")
     fi

From 842cb235b610c54f7eb5ae9337ca36cfe997fb40 Mon Sep 17 00:00:00 2001
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Date: Wed, 6 Aug 2025 09:38:22 +0200
Subject: [PATCH 295/378] [Rspamd] Fill module name for set_pre_result actions
 (#6630)

* [Rspamd] Fill module name for postmaster handler

* Update rspamd.local.lua
---
 data/conf/rspamd/lua/rspamd.local.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index 5f23ef6b8..5fe66f75f 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -102,7 +102,7 @@ rspamd_config:register_symbol({
       local rcpt_split = rspamd_str_split(rcpt['addr'], '@')
       if #rcpt_split == 2 then
         if rcpt_split[1] == 'postmaster' then
-          task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt')
+          task:set_pre_result('accept', 'whitelisting postmaster smtp rcpt', 'postmaster')
           return
         end
       end
@@ -167,7 +167,7 @@ rspamd_config:register_symbol({
         for k,v in pairs(data) do
           if (v and v ~= userdata and v == '1') then
             rspamd_logger.infox(rspamd_config, "found ip in keep_spam map, setting pre-result")
-            task:set_pre_result('accept', 'ip matched with forward hosts')
+            task:set_pre_result('accept', 'ip matched with forward hosts', 'keep_spam')
           end
         end
       end

From 1e42b8dd21fb021e1ddcbb2cae94f79146fe4d39 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Wed, 6 Aug 2025 09:40:47 +0200
Subject: [PATCH 296/378] [Web] Add delimiter_action to mailbox and
 mailbox_template add/edit admin forms (#6620)

---
 data/web/edit.php                             |   1 +
 data/web/inc/functions.mailbox.inc.php        |  17 ++
 data/web/inc/vars.inc.php                     | 148 +++++++++---------
 data/web/js/site/mailbox.js                   |  18 +++
 .../web/templates/edit/mailbox-templates.twig |  17 ++
 data/web/templates/edit/mailbox.twig          |  31 +++-
 data/web/templates/modals/mailbox.twig        |  34 ++++
 7 files changed, 193 insertions(+), 73 deletions(-)

diff --git a/data/web/edit.php b/data/web/edit.php
index 9a1e5a5c1..7ce4d0c6a 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -125,6 +125,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
           'mailbox' => $mailbox,
           'rl' => $rl,
           'pushover_data' => $pushover_data,
+          'get_tagging_options' => mailbox('get', 'delimiter_action', $mailbox),
           'quarantine_notification' => $quarantine_notification,
           'quarantine_category' => $quarantine_category,
           'get_tls_policy' => $get_tls_policy,
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index d5daeddcd..6ea4f5717 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1223,6 +1223,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $stmt->execute(array(
             ':username' => $username
           ));
+          // save delimiter_action
+          if (isset($_data['tagged_mail_handler'])) {
+            mailbox('edit', 'delimiter_action', array(
+              'username' => $username,
+              'tagged_mail_handler' => $_data['tagged_mail_handler']
+            ));
+          }
+
           // save tags
           foreach($tags as $index => $tag){
             if (empty($tag)) continue;
@@ -1613,6 +1621,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $attr = array();
           $attr["quota"]                       = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0;
           $attr['tags']                        = (isset($_data['tags'])) ? $_data['tags'] : array();
+          $attr["tagged_mail_handler"]         = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['tagged_mail_handler']);
           $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
           $attr["quarantine_category"]         = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
           $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : "s";
@@ -3259,6 +3268,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               return false;
             }
+            // save delimiter_action
+            if (isset($_data['tagged_mail_handler'])) {
+              mailbox('edit', 'delimiter_action', array(
+                'username' => $username,
+                'tagged_mail_handler' => $_data['tagged_mail_handler']
+              ));
+            }
             // save tags
             foreach($tags as $index => $tag){
               if (empty($tag)) continue;
@@ -3604,6 +3620,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr = array();
             $attr["quota"]                       = isset($_data['quota']) ? intval($_data['quota']) * 1048576 : 0;
             $attr['tags']                        = (isset($_data['tags'])) ? $_data['tags'] : $is_now['tags'];
+            $attr["tagged_mail_handler"]         = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : $is_now['tagged_mail_handler'];
             $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
             $attr["quarantine_category"]         = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category'];
             $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : $is_now['rl_frame'];
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 671e20334..568105308 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -186,6 +186,12 @@ $MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update'] = false;
 // Enable SOGo access - Users will be redirected to SOGo after login (set to false to disable redirect by default)
 $MAILBOX_DEFAULT_ATTRIBUTES['sogo_access'] = true;
 
+// How to handle tagged emails
+// none      - No special handling
+// subfolder - Create subfolder under INBOX (e.g. "INBOX/Facebook")
+// subject   - Add tag to subject (e.g. "[Facebook] Subject")
+$MAILBOX_DEFAULT_ATTRIBUTES['tagged_mail_handler'] = "none";
+
 // Send notification when quarantine is not empty (never, hourly, daily, weekly)
 $MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification'] = 'hourly';
 
@@ -257,57 +263,57 @@ $RSPAMD_MAPS = array(
 
 $IMAPSYNC_OPTIONS = array(
   'whitelist' => array(
-    'abort',     
-    'authmd51',        
-    'authmd52',           
+    'abort',
+    'authmd51',
+    'authmd52',
     'authmech1',
     'authmech2',
-    'authuser1', 
-    'authuser2', 
-    'debug',   
-    'debugcontent', 
-    'debugcrossduplicates', 
-    'debugflags',    
-    'debugfolders',            
-    'debugimap',    
-    'debugimap1',     
-    'debugimap2',   
-    'debugmemory',       
-    'debugssl',              
+    'authuser1',
+    'authuser2',
+    'debug',
+    'debugcontent',
+    'debugcrossduplicates',
+    'debugflags',
+    'debugfolders',
+    'debugimap',
+    'debugimap1',
+    'debugimap2',
+    'debugmemory',
+    'debugssl',
     'delete1emptyfolders',
-    'delete2folders',    
-    'disarmreadreceipts', 
+    'delete2folders',
+    'disarmreadreceipts',
     'domain1',
     'domain2',
-    'domino1',   
-    'domino2',  
+    'domino1',
+    'domino2',
     'dry',
     'errorsmax',
-    'exchange1',   
-    'exchange2',   
+    'exchange1',
+    'exchange2',
     'exitwhenover',
     'expunge1',
-    'f1f2',  
-    'filterbuggyflags',  
+    'f1f2',
+    'filterbuggyflags',
     'folder',
     'folderfirst',
     'folderlast',
     'folderrec',
-    'gmail1',     
-    'gmail2',    
-    'idatefromheader',   
+    'gmail1',
+    'gmail2',
+    'idatefromheader',
     'include',
     'inet4',
     'inet6',
-    'justconnect',  
-    'justfolders',  
-    'justfoldersizes',  
-    'justlogin',   
-    'keepalive1',   
-    'keepalive2',   
+    'justconnect',
+    'justfolders',
+    'justfoldersizes',
+    'justlogin',
+    'keepalive1',
+    'keepalive2',
     'log',
     'logdir',
-    'logfile',        
+    'logfile',
     'maxbytesafter',
     'maxlinelength',
     'maxmessagespersecond',
@@ -315,62 +321,62 @@ $IMAPSYNC_OPTIONS = array(
     'maxsleep',
     'minage',
     'minsize',
-    'noabletosearch', 
-    'noabletosearch1',  
-    'noabletosearch2',   
-    'noexpunge1',        
-    'noexpunge2',   
+    'noabletosearch',
+    'noabletosearch1',
+    'noabletosearch2',
+    'noexpunge1',
+    'noexpunge2',
     'nofoldersizesatend',
-    'noid',       
-    'nolog',  
-    'nomixfolders',          
-    'noresyncflags',   
-    'nossl1',   
-    'nossl2',            
-    'nosyncacls',      
-    'notls1', 
-    'notls2',              
-    'nouidexpunge2',   
-    'nousecache',      
+    'noid',
+    'nolog',
+    'nomixfolders',
+    'noresyncflags',
+    'nossl1',
+    'nossl2',
+    'nosyncacls',
+    'notls1',
+    'notls2',
+    'nouidexpunge2',
+    'nousecache',
     'oauthaccesstoken1',
     'oauthaccesstoken2',
     'oauthdirect1',
     'oauthdirect2',
-    'office1',    
-    'office2',      
-    'pidfile', 
-    'pidfilelocking', 
+    'office1',
+    'office2',
+    'pidfile',
+    'pidfilelocking',
     'prefix1',
     'prefix2',
-    'proxyauth1',  
-    'proxyauth2',         
-    'resyncflags',     
-    'resynclabels',     
-    'search', 
+    'proxyauth1',
+    'proxyauth2',
+    'resyncflags',
+    'resynclabels',
+    'search',
     'search1',
-    'search2', 
+    'search2',
     'sep1',
     'sep2',
     'showpasswords',
     'skipemptyfolders',
-    'ssl2',            
+    'ssl2',
     'sslargs1',
-    'sslargs2', 
+    'sslargs2',
     'subfolder1',
-    'subscribe',   
+    'subscribe',
     'subscribed',
     'syncacls',
     'syncduplicates',
     'syncinternaldates',
-    'synclabels', 
-    'tests',     
-    'testslive',       
-    'testslive6',     
-    'tls2',             
-    'truncmess',  
-    'usecache', 
-    'useheader',  
-    'useuid'    
+    'synclabels',
+    'tests',
+    'testslive',
+    'testslive6',
+    'tls2',
+    'truncmess',
+    'usecache',
+    'useheader',
+    'useuid'
   ),
   'blacklist' => array(
     'skipmess',
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index 28e6fd284..135ec764a 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -269,6 +269,24 @@ $(document).ready(function() {
   function setMailboxTemplateData(template){
     $("#addInputQuota").val(template.quota / 1048576);
 
+    if (template.tagged_mail_handler === "subfolder"){
+      $('#tagged_mail_handler_subfolder').prop('checked', true);
+      $('#tagged_mail_handler_subject').prop('checked', false);
+      $('#tagged_mail_handler_none').prop('checked', false);
+    } else if(template.tagged_mail_handler === "subject"){
+      $('#tagged_mail_handler_subfolder').prop('checked', false);
+      $('#tagged_mail_handler_subject').prop('checked', true);
+      $('#tagged_mail_handler_none').prop('checked', false);
+    } else if(template.tagged_mail_handler === "none"){
+      $('#tagged_mail_handler_subfolder').prop('checked', false);
+      $('#tagged_mail_handler_subject').prop('checked', false);
+      $('#tagged_mail_handler_none').prop('checked', true);
+    } else {
+      $('#tagged_mail_handler_subfolder').prop('checked', false);
+      $('#tagged_mail_handler_subject').prop('checked', false);
+      $('#tagged_mail_handler_none').prop('checked', true);
+    }
+
     if (template.quarantine_notification === "never"){
       $('#quarantine_notification_never').prop('checked', true);
       $('#quarantine_notification_hourly').prop('checked', false);
diff --git a/data/web/templates/edit/mailbox-templates.twig b/data/web/templates/edit/mailbox-templates.twig
index 6d150b263..65a83cd2a 100644
--- a/data/web/templates/edit/mailbox-templates.twig
+++ b/data/web/templates/edit/mailbox-templates.twig
@@ -36,6 +36,23 @@
         <small class="text-muted">0 = ∞</small>
       </div>
     </div>
+    <div class="row mb-2">
+      <label class="control-label col-sm-2">{{ lang.user.tag_handling }}</label>
+      <div class="col-sm-10">
+        <div class="btn-group">
+          <input type="radio" class="btn-check" name="tagged_mail_handler" id="tagged_mail_handler_subfolder" autocomplete="off" value="subfolder" {% if template.attributes.tagged_mail_handler == 'subfolder' %}checked{% endif %}>
+          <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="tagged_mail_handler_subfolder">{{ lang.user.tag_in_subfolder }}</label>
+
+          <input type="radio" class="btn-check" name="tagged_mail_handler" id="tagged_mail_handler_subject" autocomplete="off" value="subject" {% if template.attributes.tagged_mail_handler == 'subject' %}checked{% endif %}>
+          <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="tagged_mail_handler_subject">{{ lang.user.tag_in_subject }}</label>
+
+          <input type="radio" class="btn-check" name="tagged_mail_handler" id="tagged_mail_handler_none" autocomplete="off" value="none" {% if template.attributes.tagged_mail_handler == 'none' %}checked{% endif %}>
+          <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="tagged_mail_handler_none">{{ lang.user.tag_in_none }}</label>
+        </div>
+        <p class="text-muted"><small>{{ lang.user.tag_help_explain|raw }}</small></p>
+        <p class="text-muted"><small>{{ lang.user.tag_help_example|raw }}</small></p>
+      </div>
+    </div>
     <div class="row mb-2">
       <label class="control-label col-sm-2">{{ lang.user.quarantine_notification }}</label>
       <div class="col-sm-10">
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index 32a3706c1..12c1f3b93 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -117,7 +117,7 @@
                   <div class="row mb-2">
                     <label class="control-label col-sm-2" for="relayhost">{{ lang.edit.relayhost }}</label>
                     <div class="col-sm-10">
-                      <select data-acl="{{ acl.mailbox_relayhost }}" data-live-search="true" id="relayhost" name="relayhost" class="form-control mb-4">
+                      <select data-acl="{{ acl.mailbox_relayhost }}" data-live-search="true" id="relayhost" name="relayhost" class="form-control">
                         {% for rlyhost in rlyhosts %}
                           <option
                             style="{% if rlyhost.active != '1' %}background: #ff4136; color: #fff{% endif %}"
@@ -131,7 +131,34 @@
                         </option>
                       </select>
                       <p class="d-block d-sm-none" style="margin: 0;padding: 0">&nbsp;</p>
-                      <small class="text-muted d-block">{{ lang.edit.mailbox_relayhost_info }}</small>
+                      <small class="text-muted d-block mb-4">{{ lang.edit.mailbox_relayhost_info }}</small>
+                    </div>
+                  </div>
+                  <div class="row mb-2">
+                    <label class="control-label col-sm-2">{{ lang.user.tag_handling }}</label>
+                    <div class="col-sm-10">
+                      <div class="btn-group" data-acl="{{ acl.delimiter_action }}">
+                        <button type="button" class="btn btn-sm btn-xs-third d-block d-sm-inline{% if get_tagging_options == 'subfolder' %} btn-dark{% else %} btn-light{% endif %}"
+                        data-action="edit_selected"
+                        data-item="{{ mailbox }}"
+                        data-id="delimiter_action"
+                        data-api-url='edit/delimiter_action'
+                        data-api-attr='{"tagged_mail_handler":"subfolder"}'>{{ lang.user.tag_in_subfolder }}</button>
+                        <button type="button" class="btn btn-sm btn-xs-third d-block d-sm-inline{% if get_tagging_options == 'subject' %} btn-dark{% else %} btn-light{% endif %}"
+                        data-action="edit_selected"
+                        data-item="{{ mailbox }}"
+                        data-id="delimiter_action"
+                        data-api-url='edit/delimiter_action'
+                        data-api-attr='{"tagged_mail_handler":"subject"}'>{{ lang.user.tag_in_subject }}</button>
+                        <button type="button" class="btn btn-sm btn-xs-third d-block d-sm-inline{% if get_tagging_options == 'none' %} btn-dark{% else %} btn-light{% endif %}"
+                        data-action="edit_selected"
+                        data-item="{{ mailbox }}"
+                        data-id="delimiter_action"
+                        data-api-url='edit/delimiter_action'
+                        data-api-attr='{"tagged_mail_handler":"none"}'>{{ lang.user.tag_in_none }}</button>
+                      </div>
+                      <p class="text-muted"><small>{{ lang.user.tag_help_explain|raw }}</small></p>
+                      <p class="text-muted"><small>{{ lang.user.tag_help_example|raw }}</small></p>
                     </div>
                   </div>
                   <div class="row mb-2">
diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig
index 85091da41..0c164332b 100644
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -76,6 +76,23 @@
               <div class="badge fs-5 bg-warning addInputQuotaExhausted" style="display:none;">{{ lang.warning.quota_exceeded_scope }}</div>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end">{{ lang.user.tag_handling }}</label>
+            <div class="col-sm-10">
+              <div class="btn-group">
+                <input type="radio" class="btn-check" name="tagged_mail_handler" id="tagged_mail_handler_subfolder" autocomplete="off" value="subfolder">
+                <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="tagged_mail_handler_subfolder">{{ lang.user.tag_in_subfolder }}</label>
+
+                <input type="radio" class="btn-check" name="tagged_mail_handler" id="tagged_mail_handler_subject" autocomplete="off" value="subject">
+                <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="tagged_mail_handler_subject">{{ lang.user.tag_in_subject }}</label>
+
+                <input type="radio" class="btn-check" name="tagged_mail_handler" id="tagged_mail_handler_none" autocomplete="off" value="none">
+                <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="tagged_mail_handler_none">{{ lang.user.tag_in_none }}</label>
+              </div>
+              <p class="text-muted"><small>{{ lang.user.tag_help_explain|raw }}</small></p>
+              <p class="text-muted"><small>{{ lang.user.tag_help_example|raw }}</small></p>
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end">{{ lang.user.quarantine_notification }}</label>
             <div class="col-sm-10">
@@ -246,6 +263,23 @@
               <small class="text-muted">0 = ∞</small>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-sm-2 text-sm-end text-sm-end">{{ lang.user.tag_handling }}</label>
+            <div class="col-sm-10">
+              <div class="btn-group">
+                <input type="radio" class="btn-check" name="tagged_mail_handler" id="template_tagged_mail_handler_subfolder" autocomplete="off" value="subfolder">
+                <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="template_tagged_mail_handler_subfolder">{{ lang.user.tag_in_subfolder }}</label>
+
+                <input type="radio" class="btn-check" name="tagged_mail_handler" id="template_tagged_mail_handler_subject" autocomplete="off" value="subject">
+                <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="template_tagged_mail_handler_subject">{{ lang.user.tag_in_subject }}</label>
+
+                <input type="radio" class="btn-check" name="tagged_mail_handler" id="template_tagged_mail_handler_none" autocomplete="off" value="none">
+                <label class="btn btn-sm btn-xs-quart d-block d-sm-inline btn-light" for="template_tagged_mail_handler_none">{{ lang.user.tag_in_none }}</label>
+              </div>
+              <p class="text-muted"><small>{{ lang.user.tag_help_explain|raw }}</small></p>
+              <p class="text-muted"><small>{{ lang.user.tag_help_example|raw }}</small></p>
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end text-sm-end">{{ lang.user.quarantine_notification }}</label>
             <div class="col-sm-10">

From 8cdb0b869e4a239ba760c5b294343f5cad44b043 Mon Sep 17 00:00:00 2001
From: CodeShell <122738806+CodeShellDev@users.noreply.github.com>
Date: Wed, 6 Aug 2025 09:42:43 +0200
Subject: [PATCH 297/378] fixed favicon.png (#6570)

---
 data/web/favicon.png | Bin 15428 -> 17611 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/web/favicon.png b/data/web/favicon.png
index 69eb2fcd1f25c33001a6e67f9b2a257a5fc5c8d9..5413613598da70cb968f7597c796422a6f3b9fa4 100644
GIT binary patch
literal 17611
zcmdsf`9G9h`2Rgpgz!{CNGgiSk|ax(l7tWj*_D0Ep507O;Yp|nWiKRSD{IzK9($H#
ztl8H{b_QeSdri;h^ZNV`-+rmr%W>{=pL4G3dN0@AliS*AhnS8tAqa9v{pNK&1fhd}
z(jklo;IDPRo*np$-u|lARRsAM9ki<(iy$Wv_3KwLe#wi&j?ei9UXN_e+KdRgEe4`$
zmUe6JxfW%8%<N)l`^&SL)%33ij|Jtgy>T<_XO(yHcR@>CwDFA<^}HF~{37hM<{8`9
z$uGjD?x<`=9#<~3al2FX@V-?1f!oYZDh4y=lFyWWh@^9#-?ACbt8AlkerA-u?KU%{
zY*f?PKFxa&*7g6%AF&Hb!*z+T)1p~krLMNiTDujcR;YGIX-M6T5{i_%XWJBY>qCnx
z9pdg|_%X7>)X}6j_418bm$y2RUp*$zo+T&Bj_gjyc{MiQw@czVf&9{JZ4XpnQxCXx
zgROa9vE|3vpK{hFXP+a;b8ctO{I3G1`AUiyY`>aDcoB|=Jh&T@VbcHnp*;2J#G-WC
zu6$8|;SDyPCpxPL5)@HdB)R$i!i+(~PW@+bQL1sg(LqUOWRt&Dp6b$Rxprl3OK{KN
zw7+o*GlJ8$wpIG@WcwXH6sx$(-!3Y(OVVOPT67G|<`%byBzG8Y%%s}!^CP%|dy8))
zw`)w2gMxnzEMtmUhe{AD>=|rG(JUeUE7dOYzEiIU3c;PpIX~dGUAx`1C!dhr8~EWJ
zJuXz?^MfSP=*xA7i_r`SQt)p_TO!qG`NwMc*HOLX&2tM($fn@*%-#sK{wDR&8LUDR
z+~%m_-dZ!vs^w;ou-xl+iayAzKu7oH03v^2W036P1q4wJ=p7vR*AHvG{+c<^+*yA=
z?jm+j{;!w6(zstUeDBGgnYJY>OUiN=hJ5}!cwGa}GYG*UnHrf;NX0ta#zwrv*v1yw
zTy~G*&+WRidzpbyy?QZ0au#u)(IJ|$1Z?@;c=oB+q9!)Ey8Cgpm7Wk+f)Q`5Fl!r{
zrDcl2#<Qk-kY5TxMB7>o#hZKMZP8vuasGnS#)98UT%_{PTsduO>iC;Gzcn=~jgRcP
zu90!617-DFJb)5+VMfU}fA_2U+TLn_+so0wjOtXL>5Y+-;;&w^XzoW4xwQQA=Zs~u
z{I)Y=reie>wM7nQXKv*0dI@n3HSMID%MLYj%J0Wj5azb!8((1)3kpjw?uZOi*`~He
z%L?idr0YUVgyG1ps~~zIuzl2I*IuPFj~sWykllrJdh4rZ7Ek0iuZ8(rF)n#?d!w=W
zF8!WO2vQ=EJJ-)&5J=LDxiEA2*ycKU_(pBnI5HMEQ!aS%d2PO?i>>zfo5IU`Cm0cA
z@f~@EpzAub@s6+4WG`bofg!wb!{^YSRr!DATC>a}<ZH&n=^Q;lJ}v+&Dit{!@^=0#
zwKk_oO43@xiTb^?w%`q76-i0hC|_4?S#5d@Cu)RGCOr|!P8s>(ocs~HWMYIW;6`RB
zZ~b!Pwt1q`dR(v81u*(uEvuZuFd)iRB3QDU9t(DIxh(l-aajP-9#!Cfrn7DD^1IKr
zAvIq<1e8$(xd}a1k9=BI4~8<Nou!A(wb&-H8SG6_z49bQq80I9x@yE!v3-MR!lEw`
zvC5Aubs~*mJ*MvZZ!5-?T{$h@x6nN`e-TAn-mC~e^$p%W<foxc<li5g;+Cq6Ln-o8
z)4Rvfu@%-U)7|<;JA1hYaNE?bwfC8(JhHk4B?ciML#jTvZM>JNFtsT7DAZ@hf{NRp
zEr%c`Ne0^){Fz*o)W1KTja#T$nNZ?9u;d|=yLGv6J<#Y7()iudZT(E>n<^#KBs8&*
zerlIT;c+IB-F+;#C{Fgz6tM=|{rvcVO~G=>NntLmNk!^{(pp=^2+#3arjyQvGEIdP
z796oSigy&v(uNLNxvMhCxnM-cq!PtD^Y%=lp5K`NF=jfXq=GoEH2ujqZN=dDXn~ny
z+jNNjc5RqgM_cQU@{)4j2~UD=17c;Vr!6^jT=r`1(hQnnp+NuZ7B^k$qy~bdD-3wo
zkG@LQI5ISyASPcf=(rJIS8B9&`9`CV-RyM8QUq$OI$-HVkJqAMmRV<S?&UEKOyUnw
zf=qYwxR}OU;rw4zKEZF1`g{nI)G8Da9nu#}3Y6U+D?iOJX+)JHoKxa*oqOeRkDu_P
z(DDL8lKtLQb-?28?MAkOZJ)+A;a8tF2|cp|tNw7xr{R<bA88%s+e>x2=q4A(U6^il
z&#0b1ey`icy6Mtp(Hc1db@HRS3aU<AI$k+5fbpD`O9H>yc2VOrJ0u?0yL|NosfvY(
zA@3*$KZ=R@X6Zxp0mQm}G3rv6U-8DiT@fv_pP$3f#nWp{Y(c8({aw-!KQ8A@_17uB
zKf($8J)?<e7CGW}sKBLFUfiXGv{|DN=DPQ94lYjXyRd)Sbb92>`2H*U$}%r4G)!Ey
zzP(s_|A69}Ejh^`qV?M|#5Sb#(;L;TNKEqR<>k;_CZk%qlYtv&cYA9)JQ@g^p$S;R
ziiwNQ3w8u?;B&6W{x;8+j71YI<8&^P`=VdCxg2QnAcwvViSt3emKHAZST?p@_Fir4
z3uJ0c!xU^C$S!&+V6|<t<Fya@V4<!$KJJ!pO{&U&wd-%Ok8NBtrsC@@f+zA}Gx5d0
zq|h+!ps0*<T!E*|8D&Uxu;LH0F%e(tM=@6jqdC7OmURO6?|rXsocWM&#!_Y=j*~8?
zVkSPMaq76-N-0sLj(F^7C9kQe5S)s%g`Tb-$(KW%_kqZoXU+V;YSs)3mN;7AeErmJ
zsOJ8t`{%1s^QL_74xv`M!?`#1BXxq((ML}N=&pPb$d(iD%kGXJmZV%#vUL0B7!%T+
z#qR!8KQ3PsEw}D-4G@k#4CaHu6Aaou7PXdHqE#k#Bu!CHB=f02I^m5iqZpo=MLXhw
zPcr0$Xj!8FHY!fYbT*cnc#H+{X?PK?7m8aRV~*gAw&~$O(s>33i@xmZ%;Kd~*^uwu
zNXhCeLMfXZLhbXd<PhWt4JTZMOem$gXIxw;Y^*qrndJyGc>oVQft<;aA>)`H`Brh{
zhvK#$4M^=r=9tPVdtTIAIz2*8s)xSW?GDAA9>uu+u5n4EL%d5gpLW1=7L3oi?JH45
zo_B}g65nnSwBP|UIc(I~xX1R%^Mke|P1mCcqyP!;G}CV;j55@PKfis{^tI`*SEDOw
zx8YkEH$^XLKcX(eGLrwLYwy0Qy4JVdQ3Kaaqd%))Ob8<kg?WW|U_SpFO&iN|;Lq6U
z6Le4x9xeR^+mqnqK~np!?UN9OEsk#*<#OdlGB+OMmhf_W8q!)QWKi$0ma{E&$-8|y
zA#-zqqz`Y};wKx|N%-#fLJOm~!w{26CT&K_?L$hQo=G(H8<QPqP1aB0zx7_~qn2dI
zjTGBl*Fq$(Woz`^M00(#f#GxpHhsQl<W>OWqVO|veR1`c^El)rY+g8TZeD9sZQ=ZY
zQs-MiMER-amy1kW*iv*jp=YKXQ4}4;R@nr_*^kEC@D!l2>xJ_hrnSjh)(9>>_OboZ
z6MhzDm2;Scg#o<Pua+`?iXH>(P3{mQ5By4uDI@8jjdQEpUR0h5to0w8?aVJK;_rAV
zI_mFEi>3NDisE$IwubX2<}zX;RpJb`Nd&{`_0D1^W~7TQX8H&dTW!|{EVT|fNmNmm
zpk)5IhQr9NSi@!Xe!sI!O>}V`$Pw!ceDwE9w!9NblkYfkM!3%_c!%A6b=2<rQN&9B
zU(KfZH1c;A>c_KFa+-rzn+_m9^#$rKlp1L7$s1^sb#IuX5NW+??_1yAaN0VfwS6GF
z%fl_>JAq`DvX6!QeCN57jZZ#9k0{Gm$&e?TbHqk{HPzU#Im~ppGt(NTaMARYVCl~!
z=b4b_S$^a0d#TunaZBv0>S7<bYV!i=Qon26RW`ngV-zX%k(G3ajevzr-tzM0tjq~a
z!V*EN;hUP|JigRh3weHqAeGbo@8(f~u>=w9x=KZ!D1!9!u8==_*JH;viCNR~TSe4t
z9|IVv#HGVY*Fn*nw#J@=9Vsao{89BYocduQW_2-tfeu%4oKDDB&TaHg%Ah7Af;(oA
z6lesQ@MhTz#)zvrcOi_>lLhfMR4?nwNUF7orQN4b_!O-C^fJK|BIqJ4$;XwpB$*gV
z`d|9q>stp=a4=5AZXy9ni^~M@i~<u&BL*br1f51~m2LIk`sS`PhhQl#MT5VRA{0rf
zYn>AiBjyTZLD;JnG)unXk>}F%|8n~rKt9C`e&zWYMqS>6NQ%=nT6~0ja55J-*${jd
zpeHdWSU8-zPlQDReznftFI0dA7A84U=AFEj&dIF?0$%7xVAMwVN50W!k?1RVU+Pi@
zq=;dRNZRD|?m{O$B%<_bv!EmBhULz!(ReL=*9gR&JK>sgOHP6GR`eH@(dRKvH&Rf_
zTlmyq;fCeQFv*u?0t;Oohu?NcT-mSqmWoiE-+0%&2nL?!5I;YVfT7GWL>t`rJZIgy
zHJYfdvlxxIb66CVhX~@JRwUUe)GPJ*>I*6O(9zXh$_qsR-C#JydG-9}7CMG*(;;Fx
z$&`xS<;yod_fN7=olhcCb!{8?5<ykQJ7i_JfUv*MuR#RRE_wMW>!XnhIc7^y@LG@w
z4@rgyn={^#y8$^%ZDX8zr2K8^_^4N~w3ZJS9qthTw;L8Abva@da_{EG`fQxhv|Ucg
z@LYYS&w|zYO#04(WuQmY8rc9DKsFK!%7j!5FZL;-^-0=$&v~665xrqpM`xJt9Gx;#
zqxd@}6yQ2IPP41i|LS05_b!&deOiyzgaHzC${LO0y=e!}vB(ky+s+<6LBhNE2xoL4
z>3c7qQ6(Cdw+s^dKQHS%K|ZiHq5+(JSD?>JHuPKehxu;8&E99wN$$>XCW+9nL8Se6
z4ChHC@4E@(GIPDQPfP1rSeSW7Z#Z=zAsHW;U`@J=LZu&!G`cNOp&8=QlOtxleSMrV
z8lV5wwuc)j5y@TsxRlLB@!x+$o|~ejj5r*goIZN%mpdEkTM3kyBTxcf00t}V%)u*?
zeVfIh02%oTAX48N*x4iD6~18<=wEi))8=AK%H*Z&55va(g(T*MxH*NBt-j=lJ$YB+
zIfmAF`xBxBr)76Ul|M+FxGb*q`yS~sH|ivFqmkpiBrnDfG|Zx?!-#bG8-`<DH?^{h
zO2?Nt4qSA~3;YWyDmqSQHmXy@Mfb&v`_ch~=WFlL;AQiz@g;`bg?tHeu`<#ev!XAm
z<JdOK0b3fgeCtLOs_wwYOR8$M8H2wHlUuvRs-hcVCc7*9Cv_^qar1Bgd%cpv(s8A&
z0{wxk@zFG0>*tIJkF_ZM`p6jO!3FyBX|3-sAk8;v@WAvp+|lC71(A9sXL?-Jy({~z
zbuyVz3~5G1L6RAbNP5fvp^vXq0gybsYPc_j>6}Jf&c%w+_r!CY2ztnlq;KROqK4LM
z+p<uj)R2Dn4ff|tRRcLrqV)f2^4s-rB6-iEPKSnDc%PtH6zC|#R&i5!B9RZmkr5fs
z;9`AyQwV2L!pox;!CLd)Z)M;Azz=iDiquHC`Z#t(TC0_vT@9{*==8+0rQ8h0*Mqd1
z1wSLg&xlTpbA<LBJf(f}(rlXx(&e%-6x&(FMkOQlw1bmQ(FKYzz3b+SFY=HjK9WYd
z&O^vt6692TfL~kPC!!@uzRZJ4S3RnB!jl!{m{ztQw^0e8MMs8cew@+}DW{Ubh=^v&
ztUh1;Uo=8}0;$Iqib_y)zL>}lD#zBiCD%PtIXj*5Q(;!6^e<z>f55;CH+VA}u|>&g
z7HY2w;&2sG=?@j0IWy{h+kHCa3>VwG!S$nUaM!v|A|>ww7(X@TH}@Xp+m2r=Fh$%&
z%Otax>x`1a36{Keq;d#FW;Dxi?jNWjZ9MFo1bZ(#Ur&_<BCMZc$!j3-dD+c?9(N3K
zIy#u~mA^vLJH$IG^Ga+8N$2<T6;E!Tu#Hnl$-{Mlu`Pp?!2~URAZdrS&_AfemuV0S
zTwz%BX{6-Imoan5fWPk88YpfCLzLR9OXV-u0qX`Tr1a{xqvzQ)@(_YbkDA(b)8wb?
zs7Y4WLF9A}r)nvY&z7k-cD}zTbp(~(p2>>hr!X6I*1n|uT<vh`U6Sv?f^Q{nf~c-B
zD+Z~-nlY}Q3drBs07;~_zrTnq<|&fX67t35h|>XOB3ywQl0olW&eG$gOUt6%@$6Pd
zrpqbQ5O!VBF>(4#Y#}M*qpBnxXY1|SBm>@HOpFH}%};$Hl8sG;R~ytW3i?}zV*U@I
zR5}3&<mdh)o`+CzN0a~{zh|R9vW(3am4^qpS&_<RDKm1)0M{XsM9djU#(=#X{DCSj
za8Yz5$V0r?K)zFeCR*8-j{s6Q1N&N%=lAo@UJ-V1e2G+iAU_=Gx;igVw-;juIhzrs
z%=siCT3BxVtqZR#aeC+eJ(4e6j_{TZvurD}<23}=rXf#W3obv$6>P>r?YN4}DOYsI
z_Xwm1k=3|;_FEM<Fo$#S?F8TfJWMjCJVv_Sh=n5M1{J`G->j}cSaIOm4~z2}`jL`~
zJOKHOV$t;kmA??VI|U`GSx**)uhoekL@6^E^H4NIw0*W8%42x_&tw#Q7+^&BI@lV&
zhvV3&S!RaZ^j!fH6<ghG)NzK3^Gx|Tq-%fgHQd6;526?L&FV*`qXLM7PHBZN$BAv}
zdj14eWbSZ?M8V016T`%un#V}`A>z!4f%lYrOuj6U<G>Q_gz1zySDv0`5&~qsq$%A3
z=h}{ur#@&M$CfjxY{Ak2*r&IdF`@jkE9ZL@Rn-V;jEIRDq)64J?A<9#u1bItT@j3k
zIb>%Vn{PzR5Q%mpm_M*X`6<4=HfL_%R=NdO2#$8XNLN<%mvq1#dXI6JVegqu`j+`W
zU4%JWVUD~LbPrlds@atQG9sdb+O`j$#<^g!H$?)dRUP$&=H(?PdYl*#iuv+=WGI@8
zM;eht^kR}6kd!!klJ6xt1ayam@_jI~sd3-(5<xWSU6(W?@_hX#`)yBrZhKAc^74|L
zxD=gLFy7u$;{rJfGMfZh;0c1$Sy|l^aUBqi^<qY?kWtr=4-fJ7*ql{0rRNLFY&ZDz
zYnOWS2CpRvAY&J+&D{20BYo^2-2Y)mTyQ(fzQcLBie#_g%eLJ|29KZ+%MZuss?7@Z
z%@yc_>ir8nkf@xH)urKZ!Ud+r6ZWJ@W=7=GdGWs7?szGIv47sGh##iI3FRhJUbpg7
zmF}xH0<+WuNL%d4<Qj$G(EkS_65o67*wX|d({F>zOBIUnew#2C{;9yp(It$pF#Tfy
z5Z>XfIZEmm$O=#;E|5J8=n=En70nHMy48K!J}cc9LK#vM@<kz+bq#<5mDk#$^Z+fH
zsxdkAa-l*DX1u_NIQ+Bnl*YPQX=oypfgogR3b!NuB81ePxbI57XcIn4h@&J7)`h|S
z4eYnMV1L7LoUrwex>>N+L2*K57s=lw=#b<*G(9gV!o}x8MhC9rHf1hcSaExoN$5c{
zn^2J>6W<faT8(Yl%qVnPPayz6T-$$0gYqBJ`1PDW5)!!FF%*&m;EW(MPkYVtfFQb3
zA)^XrC+=*GYlkW62_PpgO-?T)@O^)b+arjYzHWmBr`(Bqws#djo;I_~c1H!NtK<?-
z5Tn2Tor&#=8l!STu?YWeEna^&883E-`XX}Y+U1jo)o^5jzQj)o(hYA#%XR6Y1J{9z
zJ-<idG;||eAb(V(N2Ee8$if?DF`>}A1Q3lnVA%eF>)#kg^?i0Y{@{llM9f_lMm}57
z4@FF0>jUAthE&$iFBi7g{=__RB(d4`a8({cA?>A=T<QfS#GGIE7#TZldbqmiK>gSy
z%qo)il(R%TCCJ|}Fi+ab(MY8@N%|`~jLP;!G;onWxLuyy8p)q0R=-##!09eZkJy}c
zWqdDon6AtJKLJI0D^;Jnp5OQsa#FrgUxHHNS#wz?ZU6wto~3S4(5Z|@+@Y74qbGLG
z;@fK$Fm|2_8*LO8tj%Kt=fa&~_3Pjk`)yM|fX<JRlJd;AK!5%S6&EW~cg|AH+yLm%
zBQF2=gyEQ*iXEAopGTbzQ!+V@LU=My(5(iS%NT&z!5ongZTtP$a}*6X1P}X@0xJ|Z
zT>QhvpB=i2)E%HHjuR*7CT{+L(hkg=;nePMnpU9$T7?Z+572&^DvUEdgxV{YH!x>G
zF$3{pzN2JnYUsTjdbA#^oYi8_Md`l{OQFk{XjaL&rtC-J=}0hm80Eh5Aa3#^dSjfR
z*(h%Joy&bc3`&GCz+a{fU#{jjoz!%$S29-oNfRmz28)u$pMgPC_fCXmxbQ!4KvRNb
z2u6o&#=9#ygu|#)+T4ZDb?xhje<2@!LYB;t@Gdmf)iXCYj$+5P$3B?WAjlNSk=Gy)
z&3I6V=o<;YXH4~5pn8ZF22d73n<)5VIHS)>)!om6EdhVZ<i_1GF^+J4cQl;p61K_T
z_mY)@%XambeU?7_l+UmJZsC&@O3<}eo`g^nhWcQ@>))S$ZkjT$e7r2kV*K-L+;tEp
zLL9GU9faLyfM=c^#hUK0OYAv8b&QE|Fd2V1+kJ?-0;T-oJd3*;qO1v2=$+NNhx)sf
zQ%UFKb~<Sw!`O1pf-@ZJ-w5=)*dS|V5!S~G>oY7^655~ftVNi<86Wg(_c0<x99%93
zh*4?QX$Uz+J&eE9L4j=aBtCwjN*#)KjQU@69knlEz7xO-n6{|VyUR;8FUFt6H)3Bq
z_(Ns`lJxTgo#GBk09lC13wpaewpK)h%)hgYP5v`1#eo@gTaHMDMe@E<z#SNcwWpDl
z*UoAhYUi^;)K><Lwr`9tc`q>a`_UsMQ9Jb*D5NX=IglT@eL}Tgo=<x}y5@U=QvQC9
z{DbL(EbJXR#8DI9mjgNP8l$qxe^SLsQ&SIo8%=YW%Ybq&#g9T<o5Z#7QsWd8gFg&v
z+YPF1%1H~k`1>TbALF$T_J3%B$uyz1cK`ce)_^FIO-X?{V|0xi>><0VhFjdaKwiRl
zkUoQKP^5w=53N30!6e}^+SEvPT<1Rt(Y@hV02@$)Jw^$14u8S=FA-$kTHRB_vqOGl
zfb~BB#GnUZmlH-<lkQb!7C_P$iCc!FqLUoS^H92=E=wmhcCAi?sxYx(^)>L?KB40b
zToi{udc>Q)P~v^}RDrj^SpSwP<D4R30*LUiwPkS{;;l=8_jG}Cl?yZC!Z^0w=T>sZ
z=V~wJh9gNfJ=`W*i)8tTXmYBJvo=lrgTk7j!j5$5R+E+YG?XLQ*@KrAt|@cAZ?Aqc
zx90}@?b$iFZJ@~TJVS8NG#W2(vTqV&loafBiKZHawHqe+n}7Q@>dO*v14NU!CBmiR
zT3ov_qO4|O#3(aC`N^JNC|9cXjR9B=SKzJfTGJvY=6)%7lRq_bO3c5)0zko!DgXs)
z8jPrvw=jCzntDx}E%3Mwu=3W85x8u1cBhc^3>Zt30TLFx{-@q6y@=7ck#aW!(@FlL
zx@?V8Ga(Dw^>We>)|_9Xcuq+Jyjiuo-v*z@HRURN>UL;r6L#*7?R-69wi5I=ll>^f
z{IigOann{!7Lon=y*L?{+SZ&jJYYa!k^Hp~keT4wlY*tpOr48yTHETB384!f{Zk#!
z<7mTx&g=Ch%#P@9d|8>fL|<|eHa{^xG@@hCeCsU9@8>I^gKfR>Nj=;}da^6j0%ua8
za3`eq)f^#j`Vt`+9Us-kl)ZV*v3vT5&Gz-Z2Z%tr>cGyj(q6WfyoJ;*n)v0SmfVRh
z6L_JU(mCgn2Xiw6-sCiC#p|2{(laoBPygA|jUp(lkAzsMrS(D)??!L)YF*y?q|AI0
z7T%wUcW_FJX}u=Yr1RzC#t@3=63u3`F>a}_JIl?dXehOZpICK~ZeoxIv4gL{f_ztD
z*3cm+Tbwo;jVhSE>SdfeH^={p4ckO;OX@kQRr5Aea_PZ|^w7VME?Jki4)X>LU}e0v
zOvEg0U{x*df+F|i9k5dEg9+i6!=pI(_U!Rmgb9pYWMTKetQ=}5Jmk&w4E*jtJA9v-
zPP>2Hc?L4D3WwI5ue9*2)%v4}2-5IC8m*qQ(@7^salqXq+F5vsT(q$GJf*$;`PJ%P
zdBJJ=^Rh%#{yzwA(?0+0>&r*OXOmmWR<}T2iOIq8^!)hxZVHt0KfM6q^{lh(R%kC;
z(gLe4dH%Vcp1${#DZZToPxhl}6-sMcNlOHShH-}EXzR(MFJ6Ih%hHU4ypTCML=yK(
zozU4Sc-r*;vcB#dW|kJp?xro}u_-4}6|5MeqA!7yuQf!NMyX{$PGxCcO!w6N?S^r2
zvPH;P$5DZk81MVfT%sD@bk#zlvCgf>Za>zKv*b0DsNG|(r=FV31;seTu{%F$UT^OK
z&RWUgHi!gsJQ3!=Kl7HDjJc{O`lc9uWA4sbls|AnGj-P7VpJZ28|n&jbjBd9X5Pz=
zOsLx7JZ_n_;@Z05;v-j^pMUNO>F<dwYi*xTay;R{+00ia{(_WT%-3n=12>XoB;(7N
zf_9UR6YVZGH`->)rE|c^#JA3l>iYaVoqfDe;u93UC=M<NN__~*G4B(mrn=s9stuZI
zDf90B(yaP>{)uMKfB;NS^Ncc8Lg{4M=PQ?THpk+<<-wEm>FqGz1DMai=cfv7K3X1Y
z45uCkBQNlazoj3K8mvnToR9Lg@ry35#!%Rf%2R@~xhc*}^=#*q+{5*?^vv<$NLlm^
z9!Q$`m>Jgh^M3xrZCiz`)N8H9$M;)5Ly!7CH8qCYMe<GIzoU|pFLv(Aay8h>e^7^l
zY3hrF1@++H6U&dFO3q;P*-$@yQ|P4u*0^R!`YOjYY^69=2aU?Xx-y__z@T}<cnpXE
zwDZhcBM*c4;Tx3u_Qd9cHd2<))@`WQvg?9zAfpW)fJxpIx&IqXnhh`tzuHxz7;*ZU
zjOB^=d||m&KA=txCj2R1<2!-ra|n(bXUi2zq<6;)QG=f;;-TbeUsAWV_|}6iQqOk`
zMvNhLrwxupzn8>z<upzO9KH41X<p)vK5xkF(9cyrBEY<uTaqs{>vN595F)llSlqpn
z^~7A#;^R*R4mEzCkOODL(u|}^6WDR_Hvkjlik;B9K-Sz~sO$A$BbflUktawBC7s(D
zOUscfJ)87y(Co05@Rel_LEEMpUZ#2=2rpNXl*kM7ow!f6hYlxnq7y?@i#%=wqZXj-
zwc*A1^auREB`Cu~U$as#g}w<ia5uZET?D9`lcwLsrVbhuc>+2qY?b?6Hp^hmRF>&i
zRsUL7V&~IZCA)`IhI<4%uJ<~ujW*Xdxk~%ehN@+E%}$)*-7#&zOx}4W!vxA#amk-K
z!)MUhkWj9c6^&tL877&8%GzEzpP%nJ@4RqLCL9M;-sCVqqwIijYtZh%YVH5{rXH&m
zGR8V<K7A$!QaL_($MFDP>9eUXO&dCt=&FV7EcG~PPg3Cpnj4+674c7oqw4oU8d1Jb
z#|Lv|!CYXOc;a*1);%{$M~dTVdEr~r8Sd;#U{!k4|2`{r#5XiNRfC0Dl$C*T0G>-X
z>3etFrf2iupv7O&0_n$61?khX;NDA$9l{Q|N3E>FzV`Qw6NE;6i~s(3RA6kq(?F4;
zQb7(Zukxd$zpWQ<ZG53`UN9>M*voZf*|PW;9dCJbL8v_=%7Gie#N)x$7EHa;tA63a
z<pxoU%bEpSLLirDG%lLv2F!p(LBeX5t*I!x{x%O)3+eM;B!gZJE~qD^xIJ=(<JPa6
zoOE_0w=eHkEO~cqTl?DOT+uW=sWr6hA?zgjRe#99-tcA9g4uxm)&RLG5;$t8e8M?)
zJp(g<B0yj;?Vv`3%mWZltS=XBe9=N1GNFH{0F?07vk`V9pi?9P;np(Xr`%U!)N0kS
z-~s<91^8#Oit-}al!-0aysRu)*FGs51a1rnTeEGW8?$H=H#iB4`y1Rxo7kUE5Q5WR
zGa~&`rE%YXD<M%v)G6SJy+*}7X_!%gNk4*|1zCAKkdSre3P5L`^EtwDJG=N~vh{3t
ziQ65QlAYpnRZ|=XlIIyw{kMP<M40$VgESoF77M~QOhX(s@MS}(OJ%uJ-Goz>0PyqF
z8y-6f$5`sPCHQ<Tr}s|(mBzL{&Nr=9;keabL#ODiGJp|`&ljrH%sde8=Ykz?6W6lq
zyK{qVl~*hNaMH=Atc=E>FtQtGotnnk#ZM4htEe|WPHwixV7RK)RA&v2T~1qh3I#QK
zK^G&=dzRj+9;SRVv20d3uC$rynI$@KDgMGAsF=MQQ!1@HJ;jf{vi^2W!#}A}2%k)G
z+~cF-13PJf##MRwQKNKY1N-v@AAHqOI$RXcny@Dsj-dthmbn0IcE0Wmo(u8#RIBjO
z$h{zHmd$B;n5qw0QF1QN-^Jf>{4*yw8frQ5wfRdWbDvuDm?cBhfs%a>#mSZ%NIWco
z-Dm$Pt$Km!2LHl8<Ag>u3;v~N(mhjiJ#X-{K_Z{c^15iB4?0**oNtK!%EWFCt1hqq
zO<*vIKl*1bgs4M_er*QMPUT$f!DG)MHNMs?7oDG9UaAr<u9bfJA3S~iQvO)4-AGsK
z5cM{(7&~$p-P)kZ?_^7LgP0BPc)Hs|^c@5QKe9d|os_VUZ@J;YiuyfdwXc8?X~vkP
z>PwXxN#_9ERy#4@49jfW$gyur0HH{qI5b$)%D<OO9HL8FbG!g}1mHvHE>^82bn++b
zy&yP2AJV8#p~ew;Tk>0dbKCKMMApK=F?=rVhZgmY%`8fHaI%aTr+xsGVcTP{AQ1w&
z+8)3U{?nDDc`o2S5v*915UOjd<(AP)o)DR}EYH}u?*K3_8f050<PD83W^;=dS_PS!
z=KcI&L9^#uhM`*j@{Y?aa=)|cDZ=vO^<CdNLm>92a?YQ-Qm!VQBSVC|Hy1HZuyZ|I
z?=Yi9G}O*k)UIBCGjVz}UYJE#saC7vMbp&AaHd^;sy&(+h<*OxdTvC5qS@BUtpa<W
z-5GBq<-r#TOW=NFuWhN?-X}!PFPuW!A<upnBnpOt9ukhdJ4g9V7O<x|7CDmG+i{_%
z7vx^%f6evWnT3m1aqI3)N}c)Yu3K!MR|YhL-Kw?hW7;n*))t=~cRtOqn*4F1VGI7H
zS3IJ-1rlRpxvb^kCHjqUWnYmi<$XVQGp>|dN`@GPTH63^c&CBqoKJJ-E%z6t$>w9`
z+&;t;P=COE#9vu+9`G?Uv9w07;oGYV2EQ&OgnVmjo7xeh-Zs&T%eQzQRqvCws{wMu
zdzqL$*9gNIjxeZ%w*f?bU;Mbb?R&=h<x<t9`rlp9IpC0(S(fK6(y+{5U3Ge7?|ztB
z=f-N;CKN6$^^I$5I?pkGn${|2_;;NmEwSx|OYu<(ZckU4>p`)SQ#xsy8m!hxYTbD7
zTP3z%W|*h`8>XyGk2+=PwYz?Y>ytkC2H*-S(3&X96my|sCk<=p`)#8(T(%|asb2HB
zD!-p6Z$9}DVHX1UzUAxAwJn<D<igv#<k)MNJP$W1w<~O+#*N<E6NHhnfWjZa-_m=n
zFfg}*X`0W7V4*3gK^L?qNIL_TIc2NrcENAt*^v)o(ySb*!x@<~4=UtFu}Kl9+2Bgf
zHgC8XbovlJ?kpR5rOu5qhIm|uY4RDW#cD@K8I`zb4%kpyY$@dBlk`^Rq>k%O(qd>h
zp<vS1@YiKutLkc)DR;J#(6h>O3dj}I9DK>N<|@;pq+#u$<wpnMg2;y9u73l~w%%*t
zQdl%V2@w!n)SgTxuK$nRzqsyLW&pde|HzQR;Hn@P@I(!47~FT@gG8@kw{v}g^>*do
z<2|$TLA;UK6A?gimX9IH1DTa_WbluHuSt-T>cpd))B4|K23#d(S>r|1+$~%`%0`l{
z%t9XyO_!76o;-Mgb~OO(02rURT*;g(kS_JnJVfG!BX;gQ{hywZnw&7K#O7lzN;?o$
z(An<*ipMZ_;>%W_OgP9*hg~@&nM$7c2iDQLVU`e}a@x$8<~784G5+(;LSN!z4LaWN
zh8Gm;4^QhySNK-V9H0LEtqIKPe^%laDku|WE$Tk%0MXQabk%)~rCAqpcLj+%bSg$e
zSG)Wq8xtbMCpn=5)1tr#Uf$yF&5*lYD^GkfUo6yIRprUOvKxQ=5URHqG6*OX^>AC8
z2iX!Z^;oiFD*dRkMJ@HX^Dk^b`l~kbMU$(+e2lqJcs!X<-wQ>c*b`)u9kC8rGN$p8
zv8lfI{j{}cpAd<TWjFO1eQMPYr3{0f1nmcb){R02s``N(377p!)k^q6Bq!%x@*L*l
zF!hAmx`WgwsD&4_?uK!1fs;Asq2)&orIg}fD_uaiceGt5Zu|3{2x2>8rXDi(fQG;D
z6{Ip&0mMidshc(rBKWoD<kb?<_52QH<T}2NUAz9wnE5z!Zw5M~c5Z^n8uYV&wYi_!
zYd$=G^uUrfH{GUPan+eYfYxcHa%A&9t}UiV5NHzQhmpkc&f2z|#>N+4yu^>tEd#I#
z(x^0V{LeqIsSW~^Nh$${4RYj98b%LH_FcR_dkV3NGXShYjMtGh@ZWw&9Jg$KFODSW
zbA>2F;YoIyH}xglV#J-HLkx-GRQ2rR;-iJY&%%^Gs7KVZ72M|-{*+m!$A<EF1$quA
z_)kHU#h3Nigh+na3)~Ix9%-v?ZiF6`H+<|!rP(%l2rm{qg_)cV0Q<aUnZe|`$CLn=
zRi1ctJf|T|(yrt{r9X|E9nri@KI_{yr2zs=U5c*6=ABmd4^W$IdN@tEQR$j-vzxh<
zemyyjq^uoVY?xBl-@VuB4rv>x`+N+M$FX<$fJXvQUzymzmJG>B&#_Hx6U$(d2ypqa
zr$V2sfnZ!Hk^Of2d-0M}bjk@i=Xnin$AhyI!OWiCfwHCioeL!07L35j#6dO2xl>@K
z=o!o8wUPz0k56(MB>wok%rN)_WM&0ng49pUu>`Q-D;Z&77|v(V|5G(J%|M&QE;75D
zROT&UwPVoI2rjcBcw%(Kh76I;npuo>bv2YrZi=$JDKqNxCw*hyc2FbWY3}qmRwMHr
ziQ(n6AHszau)BzK<jT=oE&#Y><3J`x$7o49u_Q$yU7zus(YZkszU)NJdaO)F0pcQM
z?McJ);?Z)%2Ivj=*~f_DivXvMHV}eFzkQGmq|YvYn)9}_By&ZRaqc!e4`ZsB0}-Nq
zsc{Mlf;$CFuwX8zxA*Mv?CkB;!p2Fu_Wdj{P#*?5%oxS+*6K!C64aWP8RSMx7~O*#
zv&%e9AhSKjv0g*wPL{^$=pCX;=^WhWV7Xx*{2+@NRUEBk-Bkom-P<zHcc~pIVFcKm
z@2i?eUT^GAzr<bmp|V4bpl`l+Y_d?5(E$t3y3O1vlITCYD3J0J9g3RcO}K^|(nupR
zpH1eMys;nveWx;sdQvI(NmT_Ltm$i9O5o!9MzAk`Tyt)85Cw<zn3_IQwpqe2DF9yf
zq<x>7Ne^MmQ+#*x#DZ@!I#|OHjs*Mfho~Q$Qnr{Gy0&i>r~$6{d9CgT1tipXM#S};
zSf_}_M{Qq;omVs|3@-MA+5Aw1CIpIwq_;x!RbDfMaWmZyQZ8jzPBfox-57oeM<%B_
z$bQ?{&oXZN5vY{s*^$AUdard9$ZLD$v{|%iSvB!T+$nlqUEA@S5F#M4xt_{_zD^o+
zk)uHu8`3`andx1K6#<%<DYC|J5as$e(sdvPTnXqP3Zw38W&81h_OKKqt~|?wH~*r;
zYc|2nYrlp#ct9{vT9m}(i5y|S^+7HHjkQZuEEHF*Zw~zMG47Ze;&2yAIUr`x-5>ed
z!?NyAavY%18g4qp*7xW<PUs;JES+Aj$Igw=em$Q&aTEOFXgsH42mF`;mA+rF)Hc-K
zGCoQryAtvk3l@1z^GO@a)f;`^7m0M%!dYGg``+65&0DWP{X<mH3LvNv$hYsh|Bc27
zq?dWh71xeMBVE^AL@|E9ZDB&ttf{Ur70<g9bYQ*PKE9*+-Hn~j1R_ke|5M)bj}u$t
zpiDryg*78)skF{Oigzo!yHIg$mkhKNfEAt)*CQrFoZh{!>#_a~){e_v)1)=Cz3ww$
z?gUBmxC+v50~)?h3$4X21Kdqo)239TxGSWa$2PYnRi$;M_7Z_nJct@kWJHphg*X83
z!L7FX<)O|x>W(~r0f>mHG1Z$DHNNf~k@54_@p=Pj&Um6F0@|j5-fLfc+lE=wGDDXq
z<Qz1Y4|%}GI#j<9^tXd3t0VoH@BUz7LTPFdHw7`dz1KTs4Q4)Q77=Z;7Z;clpz*{C
zEElm(u-i3EA=ylmJ{&?^@`6USI@r#d@}Lu;^R3_NR&12bByn760W-sJgsBnc8dRxW
zvYYLTUEq)26v_D%EORa3*2}1(2ZhiqRw({yylDOy;!*&6O!I&4)6~ox=HuU?r{;4b
zQ?`XqNLPb+v?Li-k`F^fSd_*v`dH-vHUX=B?9iEW1c*I4`W@(k6YuF}H_A}yrAH6Y
z6toa97}4E<DV8t7c<7Yl4Z{fw5k?7R!_dRTg}5XGR_&0FvoJf6!v36_PT4LGum^^D
zxVL(fNd?ZDFPrB6Jo1$%_RDCLsxiU&G(U#=^v(&LCSw4kI8F$<M7JY%=y2`&T$Rt*
zyRI=JTIF)k)Iuv?(1{DR5akVZE*NB{-xzCW^kW<gJCfLnzq0!P?sx^w*MiQSlIZ`8
zFR4-;X;x?g+=Vgk6v?@q(ef~lVwe)H0BU5p9Ptd1rcn#fOC3a|tAo-87E^@<?Z@CM
z-2u3k;sn9udBfa?jZXQ<%h{3tl(;`$^)UF*kd4!c+@Kx_(z_g{tCNGOrth=zN<XS4
z4pJ<{cAXPr^M=_HCJw_1MgY_{quJ9)o{B9c9sg7<#pzZ-CWxJ20nsk+18A00dJS!g
zv08ZU4I<<UVS^dA9FWJL2C9ZBA!fZMjQ#U4*UZt>Ax*}c524czN}9njR(T@q%a{p#
za*+KJ?dpNo5b=t5XYr!6G;(Ji_`F(N0~_WwoUxY&X%?CynGm_hH2+j|^aB0A)5h0u
zr=k09enQt^W>cQX1p@59tnfIgRzHy_B|#-FUy-L7+^YJ8H>Eq?f9!y?a~t$ccvUa_
z1&ga$Eh(!^DztFtYo)cq>2T2fsYr*QGcdh!{RM350~kkBJz&nv(qnWHr?qW8{O(_(
zKf`^gmzxpkyKSoY28c<rQ*Rh_3_;R?UX4a0iH{cz82_OGakKrXF%c(d(Q7B0#JE;B
zlRyKODy~J+lX{dei!UwRcW)b*Za-#s=b*=--{&W5Um`Cg<Z@Avu3NOm{~rQ{5_1?M
z)9vfueicrw7guYtBVv>HoS?63D4G8b3Xyt8vDy&ZV*e1N@r^}bYz_J^^-X0n9A<o4
zD*yBy>aRX}^6U6MB(K(_=KD5r9;ga2w-Ow5(#su{(?7!q3#|qS&U^l8?xMzDblNh6
zZ$vP~a_0-9s^>``ng@&G?mHXpLwcJ?R~6`G#0pbqN`GssB3;>>(e8W{9T_(>6ygx=
z6N)q$n9J+-G2py4)e2atBRrA|%!s?IP#<)yoe$~S5J=D6r);K}c5jW5CbdFDIs7Hm
zmtp0Z9cc*-2Y-qc*lbS0<~+#6YVzAZ_2YEw)^M`1C4%?@&dzEvmkb%h7#Yh<RM!M%
z&$S}YF*6)m;L?C+M)S9pssy1)2w9l;Q@TWH?W(}?F~%}r=;h}w&?)N~WBkN`FoxXR
zrkK*MQWwhx`v<ftqs;sH2}r_DTIL+cd_DG=iym|}u`0bM*Dca+hl7x~(sL1dh@k~M
zd)Fn@$sCK@GNo$L!v9;lq9Fzlo6l`*&;f4V*d|Y;1=GeCXe%O`RGvcqL~6}>o+?%<
z$T`*W5PFF5>L1zFn+;X$mK!kcC#_ZbJemzrceV8)seuRhxe7*}rH$nIjAj9`PQcnz
z+h=;998=?d3OavP)EE$u<X_r>m6-!cg|^QAn?MRb|7l<D16I}gKDWK^BdV?-WL3ur
zTB~V>Ggrt-+MG$B*%|?{B}6XWw&iHA9{4DbetI7cS_buZe}rSH`67^B(@%rzqA{uS
zKlIcSikGxz(|!b$`_4tM$vtUqD;^NVpDo%CHiiOyKd{FIK2AD05d`>x6G-E3_elGc
z6P7h&p%T4}tY<Vkgz}JyGq>i+v!<&HpmDf6v>tF1-2!`Oz;fCIyv%$gd)Hs6Iw9iD
za^ZQXkpTskd=#OiMrcMvgS-edZCYxdOP)K;iMnMM?E12d4Ux_fNgPbLN3t~1!NT2|
zGx=jpLx-lr4oAcE04QXPu6#&dzHs7T_NSnc95JK8qJW>_<7~+A|CCobV*i<8vZLT4
z50o%)xn`Aupcx!G$I5pV!48dw{>tsU%cbma=`PNTm@dlhcZDTz0E*Rr%^#U7RT~A9
zk^bIU7-N$s_M}}M8j2T4-xGSHbySOxdXMx>_>~oDA5w5082#Gc?$S9uoN2jYc0C5t
zgU-hXuYX&2#)sOcK+$r*`=q0g;q2No<UQ?6(qe_R5hIEM>A`e3bMx2%e-hh8G78ZK
zvqg4^(Uc9f`?4n<szk-$Y2;3>!^|NNk>ulu<qy3_nU5nl`2I`yn)3VQUu~{`(G8wN
z?x+?Mv@ehu0NQmdGa#9UT$M(D$dn7Oh#UYrTEUSuxq{pQF<j3T%qoLm(o)Py1osAf
z;&BWpc8ZF!o~f?i=5#zON|X<Q45_>ErAhk|t;yp_3hcb{_oLzbnA)Xd*))9ypwPgl
zWG(%Lo+4B_5CMY(MNj<7YA^`n@hgvLQRAHp+2FT8dcf83iUd<h`aCqkC7yJ4q0MX8
zz<j4GKfz3AuSlt$AK(nlq1hOj!^C0|=8foLG`{Z|ck<j9_1&NTzf=lhw>;7kkRgK1
z(>`HasQH{Dlp_W@)#X_B=Z2d5aX^s_j*a-@FMz;Dt6r(JHH>|S>T?!)raE#&a=sRZ
z;Y@A>S2(^#ZX3(IZT)f=aKrLw18kRz1h6i3Xp@u!g66NPziV=ezT`Uc{yYt7Uj^#L
zF<-9){l7-gv>i%gUxNR!FMG&Ru`bEF)=|br$Oma--+eUM<Lja?{w`bzlfPFm$FU|M
z65~MB>^Zb+Du1(E_3097(a1veV_ox|+tX`Hazrk1OMXh|XP*=vP}wAE;bXKZhDoSK
zQl-b~dROksJw>cCowa?Pzcb+GL!SYXwYtXu+ty_g39@7ofFWRTTEdAT3O<YuBx5@3
z+UG|LxR5+4Z2OU>xE&)oyankFq?cr;K3XO7P~?Xkb<yI!k2bX7oA}-McB_)zD)s;;
zSJ4RPrf_YmC{oo`_m`21@+8eA4aX`NE40HFm6QZ9_KOutOhM6tGPG&rxp#Ybj_HxV
zHDUP;rL`Q1?2z{C$}H>dYRTGJe)et@dh*1zTzqTG>5w|R_e!~C(5en%BLFKiyG&Q_
z1G7HA*9hLzrikI8MS`=l=Ao3TW2rtA&Z>29LE7sn&b#F<zD(c;!XuhyQll|~@LXOO
z_+etO6H<F+Z`+b^4_S_MbU2%u88Dt`sZXP9A?=Hlu$B3QJ-*RGdL*60EWmbHlwN8l
z*({hMz5Hgd|5>}+Jo7$Ms}XXAuVPa->(dqAjnQZC^jWAxj(82z<Ao?By@88xhj5rC
z$>&<g6s&G<73^H{m`?1R?+g4e^XDVHIvwwgi-j5@vp!k$ht<9Va#g=f=Igt203OK=
zT(Ipvlx^=@(-r7v6PZ_rx;*kK$X8&wGM*0G&*R=YpODEBj;`&$Zl*{8LFJgR1k;VQ
z+hEp&A4lNp$`#H3dK`yJ%PRdaaohV6_G(N>p|d*$-kX+|zl{pHkW|tV=2CC%VDlU2
z@z<SXFEhnL2d6@49*I_*sctw0pSjkNvM{E7M#n~sY$;v#A);cPEscHTNHJ&IHIJfM
zPlE487B0%dDYIg5Rk)?sZC{VCoagB84>CLNSA#Fh65;bcZCVGV2995b2v9D!$o;2b
zi0k%s>(Is%zXKmk7Zq+;Dj;Vz?co#6#urZGXEj8ab2jC~;Cqoj7ASl+1D~Mgc29|M
z69DGCR(jt$!BC{GRXQDeh<GO#-QnRCb**^Wb4e|xKsKc&h~Q!tul2+5!1?GanL*S=
z?MpC0Rc2-8@{hJdg)`-i;?W}amr-^7jq+-Q1I`Z9@ZSVD(f(h6ql;BPmdrPpa2JY-
zcCMa2tB%)%HdG03T3+djs}3Rn?Y5zPK$B5#*{ycE^LnA#3c2sR4tdEW*aP)&<G&s<
z^LEAa@Bw8#nk5ImsF0<XY7FUng)Thm-Hu4C|C-QMr<T1Ig<c>#2<r3zMn<8s7QYI+
z6AuQC?k$;ZR7dePoM}-il5VIaB<ONg)4uUZ^f(9K?EXz_BmbE3T42odk&d|ehQ(DC
zl+|3@IFIC}Wnp;|fDp*5h*&+m9oMK3H`cuAV{eD>EOpX3*jxpr9CJ8{ybm3?n1U@h
zIf|_U?JG-^0a`(}KY!9VvcQbGv57q~_z^z!wCr<7xc2nCySetZauQcoTQ@#@WJ8d?
zd!E6oPf!1h$lq%i6R#h2p1V@el)B5Npd=-UZL7)ML9<oVCP8)_@z<w^<pSP{s4oV5
zVPZb1M6~v`U$t1hzErRrd!x2r7U{oCEdKCgm)~anQ=nUd-?rj*gRXyr?sh2ZwHdZJ
z4F>_Y-&l}n3-*NI^jbt)aRl1yzWi*+%JVlDT8bZaJ}$guGQo?SaU3tDd^@8NayRmX
zwm!DOj{G)~zlUn?8MC6q!{l<_Ip1bD{`djpq*r5tjo8KVd%`&_LL37!dWY2(csA4Q
zIa=r4Sc3hxN99YCHiMW8H=Yfi+YU{HW+_DZksd3yWn7@HlP4&^u@_TKIPWZ8)qWB|
znxjh}bO`M%IEE2QqS1(R%$9+f%+T)J7nGrm6U^{2<d<6eDQfnk&hs^Cn~V#ri1Q5f
z?Uqt;W61aBNa=-F2r_oq+1B>g<?sMQirU&^!(Okvckn@;TyeSY+n00YE^n!=uhz>s
z5v0yu(9mr*a(j1Qr&<3{<m9DGNS-Y9X=->)^7d%{I{y*a=$oA;f&Hyy%lgjq)VAEk
z-?JjI$Ok(Qw^0QT(e1z(O4$WFnKm!@B<$)v=Z);tgrMDRC1&c>WvsqdklP2b@5l$C
z?VN};g)G86_ma|!Z<etoKBqgF;mh(5dS`N#%DV|@`pwaGg&I%kwl&wA2&p<$Vb2#G
zU9K5$KK}Qb&F>H0K8@!H+<Wj%tZv@Ro14`(ic&Y!@`$Fj7u?phEd1)LG^eBHt@Y{Z
zrthG=W~OUDj{M6)d`Zvae_v^~u-{2`q}huOkv4j3miD!={p!N&{(u$ok9#tKeU_u2
juENdx|L9M`26f-FtS8FRn3TV1ucfZ4eZAnC)!+XQK_f`(

literal 15428
zcmeIZ`6HD77x#b7pzMT5GNZ*3Wl5oIqmAscR1!*|1&Qp;NLjO#gvee(QBigyYsnT#
zA!A0CD8|+d#>{=@{ki{y@AtR+hqBFeUFWr(=Q)pat{6*mLjm6Hya<8_oH9Co8bQ$T
zEgIq81Yec|zOKO+PB#NH0|a@K$j7+I1wZrLG&<*lAc9Tof2ger#sv7Kr0<EdzSdr@
zzWx_)T|sVMyz1$z?0Lmk=Ag2w@&UC4nX4%XqW$62aRZwG$G<;$l6DM+lDxm4GNyE+
z$9P2c7@_wB5Gsw9^cpiLp~*61#or(QIs4e-M~rF8mDMEU=a)b8UitLU`2A7q<EM)X
zI#O(8t&A58=E7Sk4w-z;5_~T?lOF{*Pw8E(uNzd)5wB&1YHvJud!9I7He>w=`7`_@
zD~rkUOPJ%jD}0oD=l}cf|GPO5X{)1cSWDEiPR?|gI`uUF4*x3uPNi`DbeZW&A=AG`
z|Ion!l6omCm=kw1;or)i2h1HfzO~cIYsBFd#@YuPryjf+jTYiD6Q3o~?^TfXnLpFl
znz@oy{>Yx{6Tgs}`C?FlalPK4bU?2(YHe^C&m!44&1ApJo)LJC_$Gug(m5W}{gI&;
zW%Bt`qpxXko=!c5x6f6%&8)P_Yo5Fk@{rjsbm0ZQN+lg@$Ew`p$&W}IqL8L$#;%um
zHH?W+fujlWL5<4W9+4ONj?|@j;+Lf)44pK{Jh65W<txF3aI08vN@#en_Vo)<|BAOu
zMWnX=2J?>4?}(1}WdV}>1`cV8KqJR-P8KIwG^P3au)eo#F9gnf#XC{U>OPQC*T^rW
zgk&BmAh?1@{TsR}QyK-251#a*B}+1>U2BmZ+1|%ccXx0h(Ro=#zD_fmT`HsTY9p%w
z^V9Pd^#xwNZ+>VB<Gx!Vgz3IS67v!%s>kF0ukO|m2eP|U&um{jT3A2~kr`Tcq1V&a
zgS|ZNPyU<wi!FF;x<dQ&(9`t1K-S9xQaz{B$yXF>S3@jZ`>R*<ImX61cQ0mhqzzJk
zU_0~vJYSl@zb79|!Az&PovmGd7Mrdagt>8l`rpJ~>^>vuzb5g~nt59};%xn9Pbd<n
zG;Fo#1&Y$EwzgqYCv44#1=sEoPq!=LOA-c{>I50vLF^V5Ec3S#`-S1+CmVdWf%8H(
ztFJ7IDda<n#Cc4LRJHMy$nK;mXTIlarzbk4unpB}#ly*a=PM!?1>7HBJym^Su!PcL
zUCj7bxO{RgR!_KI?#6M%;{*z+$+M$BFRoi(FV<R(QzZJo>+r0`^|U|EJ{<5l)3r*i
zG$J0u#7Z>e>T|@|OiW9(2%vMCVe++X9Ibx5O8w~5zgf4CrAJlgej+MduwI|MC7SeA
zXlZ)`t)ih~3*svXD;~b0s2`N7rSg=2nPKnZyIJ(7A~TL2zaxEc{rWSaxCSR7As0a|
zoYA7+)snwpwnD4Rz?=;+b_uBz*JYHYG@L4VJFJ|~iTpec_7-a`+}FaM|CYK|-p1{<
z|2H#>C`vRy6i_$`Sk%(1!&KVxFZ(cY=i>QeO3xXYzrCCvFs8(Rc$Cy7ni@%Q<D}Rh
zQ^oqHPUc=H%X-6iPd}CY$nV=GJU{UlG$`!f_eoI2dLY8$MQ3DxE3tB6R20X99En3C
zz77`|R^Ea`E5&`I!?xZufhN)?U(_~#=5fO6(fW_M>2cl94*Yw4<X^Ls%|J|{jh}lA
z-RlNe76p$?xV4?hQD3Z6Gn7%*E;m^Gr%inVFaL2l+t<aVU_CBdlQmKK@+GM%a;T-h
zhVvkPcjA&Uj+{Y><PcWnMS6G6+Fty##e43Yz&@LaQ2(c@PG*wAtXF?}q;~&w>f_MO
z78Mt@ZJ#A>Se(&be(9;`7Q-5qs|~!Tj3NnZ$PjQ~fnaYlp0z=#D?b2V>&snd-(X9x
zGtUtkvUKAg%&EXk;>9E~Kh*uxU*GgCP}Z5gV`28jj4UCU3&q|kL!GzjDyO$@-0pKY
zWL)d@kmwm%)bQ29N9wf6c9;6<wCfwQD$1P>rl*H|N&+|%OQgd}?};?3qj1BP2;pB*
zjR32&@sjOfDnZL4QJv_Z8T^;<2REM_|7Fx+6t8>xUPV%Y-?ZeyCi64ebtfk@o+^da
z$5)Sd9ikly97nqga3SuAGuIX8=idccxLOLa-bA$=K4R^;v`X2oZnpBQ;rq6~U9!5p
z>n|&MO@ENfTczX{j2kB>C`U9NAvtESW2u=@ti9NfC#8~I_&u+u=C|k9SMT^czq&gx
zS9I&iQZcXZnQ~6Ovd;Ia9t+4K?i{>`@JsPX{B4F+pl5gPfqyww-}Z&-21~(Zrtmy@
z<%7opmjxFh&zY6luI`tJo&9k+vd3!RkJCpfX#yU6h}OUv+pwNj6vo?6H?+)bh4hqr
zOr$pWZmZ98q|I2Qux~W2LJtRf2Nn!}NoimQMP7UFl|{ID;mkxzGHboWryj>IQN7&P
zLbQ*?nS0!)ttQXS|BzKaaO^L2i4uP;b}#C@iumBWTuuZ9C+L-rH1k+taAA+cluPoh
z^UA`5S-&^JzfQz2=;4<ocBEG~?&FASk^0qhB!%P`Q`d0s47$(h;XFUm#lE<xF7H;Y
zr`Xh^cuj_UmY8dv{=L7cF|$3szB#n_Z2{T(zZ<eDDn9y7Zcg${!Y9Z&yYs*_ad9Cx
z-6C1tvn{KaMZZ!td9_Qo5Zhs*gbuc?Gty^FY+Ft|S1Vji@l49NZKj$28;%2?0z#1T
zqO<O3rQYbgw|FfoOWZXlgHk%_+5Dv;8RG@x>|aGYSEUj<zNmck7a>$zAqeT(#C)+s
zIWf?}W%RYgFRJDx8-(8)tt>&zjt`WVl|`sAXoOA?U_B^lIegh=@=9+rDf%4hg_70{
zXJcec6!y=Pb*fWw6sw%_^1AIlJ_7kPx^L1Zc77u_U<#EMjz$hXvs+8(@H{WuBOT`_
zh~NF5tI>T;I-%bRO_+o|9C%oWMfMpw!iYaBf#g>$*)Oc0PZy!ixwUGG;yAdF*Tq|j
zfAtvW4_i4VUvfhDD@9(PO(Ct`4=6<UDj<!S*IK=b{ya`u40$sR6D4AW@EarSvn><b
z1V36M_bH{bt;3hD7&lrl>jUIDVostE*P^Wrxlycpi#l&UdK@XsZzdVppj2aPJ%zmz
z2O4+TG8g7!{WX%#iXmg1qf}CzL)LEb6*BQ;=DEL*s?g4sXaWM33mx~MOU3L%BG2=j
zePQesdb(~Yyam=g>)PCvlpnsOI-2`x4m09g#F6}pDe;B(KUPko5m4c;Q7r0#i+0~9
zG|DX7<(!1wtPA(lAltfS$GR+{wK<Zui6MI&4$%fa!elLQH7fkAK35mNv{!nys>&LP
z!J%+>Y|EXj(&J59e>jUiCVN>T+l_<0`YTKPzx~Y=l0{-ppm0a41zC)5DY=r&O<c}T
zz_G4)ES*OO+5R>p?wQ+zdufFv;Rcpd?YA+nxBlqgFGi3YF~%8hm0ua;)8-RC4;Gjn
z+IZN(zkiDx!E9R;(Eug<i1zcD*KS$lbsi#P0H^-F$+E*a&FkHFQC!Y~V0`ZqrJJJ#
zl!?dc@LHfQqenP#RpTNC3}|dpLUHi54trT=2H1_n5YFZzGN?K-k$iCBtXDG0uPAFb
zS(<GqW@3X@lR`N52x);>Lv88^gKt<xV(Qd)OXSIzJ(_nsF-Ci<FrOIGa(1G=r)YU>
zFXhcoImKpD4sx*QElY3y4z91~lJz#c%}6!jV?HAD9PIp<66APy{VMCX0-|Rls554V
zZZqXMtAAadV^=(yunkoDTqT(}uITM~SCXqyeoEvuE3Dqf3N5@Fo@2WDRAOZz^i2SN
zWekO?selM7x(F3_<}{lh<-uiIBEq{%n~7CRyD6E`XkJ2o$M<6ivSWIoV<BcEsBj|~
zr(B2rYQ;E}XqPEuWq@)Izs~b9ar6`qZrKVE=9s{;5-?0b>`DTieeeCn3Ho^^1eWG~
zOSEvH7;-#wiAuU1p(T_Ti54b&Gj61{NQ-jo@*=xlLdY=^$(jq`$48)rg~8@^@lcsi
z+Yy6sOBi;Zu@^H^k9ovl_6jYYvY=nAfS`&oAr4nGG8LJ1;JS~Ca3NcM9buRRFMHc-
z%^6B^$v8hk_H2URS_dtOt_6Ii>L;LkH?4@=tfBi1|MFwrIbyeZ-n*UaXcU^j4SO*y
zVC3EGKr_p3K?}QCjG$3uu2Xb?y>Q#$9^@m8&%yJ;iSynt<lV-|C75V#XL?UOy4UqN
z=jEu!(Zh{$mE+rOmGEaqa>Ffi5Sd@G$wUQ=)2mI(RP2TQn4a-SbT8`NF^k$1!h;e8
z6t@a5a`dHEwYg5IeL9&que_jzF%%;R=5osTDInZ?Bk?{8h_sFN@_lA?YV2^cT;&F@
zt<uK3s(g+M$51%#twOr;7{gba#ETc1!7bx{nO4Y=mwwad3PqBBzK<0l+=QjN94p!r
z-EN`eMJFj?%En>*TreIq7qYX7N=rod%D!vvDf&Y_OnLw2lV|<efmo6_7Qq?9LW<m5
zFl-%v#&#W`!~r4Zyu3Jx>Qq9U0%}?h49`*h7afpUafu$RfLw4j#(4&$SH(jJGkt^?
zskv6)PwnAXcBN}t!YBO#;yXN!Sd5r!{OI~@`-&<+4oCSST*!s|C>C?QWjxQ!m3rA$
zGT2B*P<{)S%$^aGMqXp2CIU?;b*68=hZf%D$n!m<p{o8yok$X^hKfTCMWYGkB@L5W
z42z3&5Q&TGt9O)9N-Z9)$>5}lCmkPS58|{fk=|25^eI}Ycp_fIm42ojo03?`V~FC0
z<;x?$9WK%<xwvFr`tp4As<s^Q({SYZ7-kzLj55eWazu;EX2|%cfV%SktI2X$Cvq-w
z_s1{$3uwF8;U2ki?;>TC(*vw2&Qbw!*HmZtllEbzZp<{ZyjQDYg)EV#1Q7ywmYk>C
zm>!0xXtXu@{e@kghEipm1;l;&RRlXLq*poRjE(1DJjJ_9PTe=M*j#5X)=-U)OXk40
z>J&n*Yz=3~sjwu}s~jXpx|2!@d>Wurev!TocM~&4j^0HRa?}{wv1sALvo;skuTV7J
zsmbQtTIO4f5WH!C!V%a?IFfL^Wjxi)Z`#y0Bfwb8?vkDu!RXdLl$3csr;L^u!r3Cl
z+<hjdeLn~-HppJ<WS*oL;bR_W&S%(!NHY=E_rY_M#*ZnKfA3%_Y;8x^GwIHpPfnt6
zao3*Bzj)cKa^Oe2i6j%1gS6m2<mwi7wW=wg*m}R88p(QZySVTvPmhtkHSr!b3N0-9
z2=N6+n6QmW#-XAg+-cT!?~jPHU47aUEp)mu7L9CvN2#>=M*j2s2ia#E6O|7R%X{h_
z<=^}5Ih>6sE=2F$L57gN3TA060WExNPIm0Xf&pK&0z%ETqsukxUsgcWY<;yd?1G$g
z6<Kuu*3Bxad|ZfGG05ZFjMUHV(s3itukf=p^1$PI4+>D;SHf7&i6I9+gwnGMqgdM)
zzDGJ+BA2?WIqNotDG`!%*s4n}CW(`J40%cB-;*dKq)?=nRKj*h^qfsPV#rw=AC;0$
z>H+fiOYL6Fr^ir6(S2FxTh>1$h#-8t$mEy~L-T*Sn0S#J!v#`f(x}hUUNA_wn~&fu
zyO><f`nwbmo^d<$>0;ksE|dsqo|C9X{((PdY+T1rFKoNiOr00x#i3LFjh4<wjGm)?
z3Q<65!DRGT{ilgR^s=pqw(cstxTA+t3D}Ld^f5y;>@Lf$kaRNEK#aiYvme!ZYGb9z
z0O2`?BG^Idc;J{xi_1NMX5u<L`3$DsnuL9XXyqV#vcN<8@igmmDj=4SK>S{BdB*ut
zREXDzn-`a7+mD~oW8hyTN;kdXetH5$Xs_lp)!B{Nk%Wj5T8ejU)OA1zt0VVamC<|;
zO%MWw{rhy&*%~6a2A&frqdik(VrYt9H~blPujnHh$%F?7elBMGf5MokIjzi#xO(qL
z-CJmHiP&^07M-M!LeqnVDWbTLBFR`sF(i6M*7-pI>4#VwcB>F3dM7XLQW`lMqjMsp
zb6D(Tsc@nS_hy)Oo5NH@7V*hP_S}IXdA|#AFbJ?joF^R6f;t64m{~VzQxHVL_ma9L
z$w>TtD@0Yr8hwBxu66y(a}dl>;atuZaW0u}9rJZBJ`<bAv&dLU*e8&=C3WzhMym>N
z$-H-n!h28MrYvxfkE3w?;JHGB&eq9c+=VZS5zZ>Ie)T6bv+NhD!l`*kV`>nO*10+h
zkH!3wy(oYW(N7l>@rFY9s3ih51HZ=#89NU-#04~isHUJFBrhvtu7JFu=zw2Qz{m@S
zi6L6KoCLHmmY;PQ?so1rV@siW#DqWTWmJ0!C7gT9QB?H3zKrbNL=%<-T1kzuI}uHI
zY$K#M=XX)qn61vcdIIV5)hBc?GWOuHBxPlC;cT~2H*+E3FH#Bpt?NT_m9v{}zg&zB
zARPS&pD%&UxVA9mPp3g5d%m?@KQ9JNXta^fvPs_=CGvVnLIGuU92H&A_rPfjHp;KQ
zxQ-^c;GH-P;gsbg0%tCAT(BA24{D-ijeZOJZT+WQ<&r&HB6V)=ybBLMy+$T(#roTE
z1kp2+19%dBj$^qH4=e5Eit{|%s$)fjw}LNHFfSFwdfB<s=W9(uLUv=ob}3_AC)gKG
zPOJtmZ|BI<OM6!#^!=+zBPn|G!MmJXGRv`1PQq9xI}W}TD)D@X&TdDztad2ZZDph0
zW<==5+hMyR``_A>aDkmT6!$wyOFw12!&rzFTOCwL)jG+5+irQ4LLiC@-JCwai*r|F
zeBtLsj<hMEnx~@IBLrk+3KWpsUk4cKY~0bfK^YfcfFRXyKu~|)4*lM-0D}0K%{sn3
zTr$4AE{U;;SP)^nO-S9YQ3YgL%NS=0()bKSlwS4b5?y{f$l*m$(f&Y6!$oTq6iHl&
zFs%yDt>R~Oj(sYItddSYegLdG^sf2(2s>ddwxdS|$Q<8ng&cLRSNub?2+8~oariOH
zxX34P{%5SvyY8cVukhn5B0)(@%w|Mh2i~j7{vIGJ!%A%m-y&^*n$DWJUi^CAal!jy
zvZT%l+jcB0qY;J|X}Y+`1#yI=<MZO`)QN~aLviR{>HlddR!C!o%zD9~AKL{Bi+MzF
z&qaJO%~%vHx&z<}#^V%<p38U&;m?_05pqKj=-zYxrMDgwrdRThn@`w5TUg!BFQ6{}
zH;>IpRzRM*K<JmzvN0M-7LtPJ$B4j&Cv<~=bWxa|&D8b~_<Y%?+ls`$BHpYwpZND%
z4J?~1eh~YRi&QvGY)u&sd|H(~d^xh)av(;2qJ3*GBo!a6&_}^=N0<Uh2;q8<@}#Zh
zh1@(btAKb|E8$bgiSHq@-1V)f>EGwp&`)i3g7y&RFUZ7+TOmVDY*~z5FaJ+DVM9{C
zqb@`I$}KBnqkx3_V3<;pOe&nP=r6L)zZAW*-vUJl#w%ca$<b)x7qGPyrz~%lOQp_`
zSud$)QGXPW=sl?-N#LbY2|Y2Joxs&{w(+z6yf>NH_;!b!Xa|w^xz?xHEwueg#<-jC
zjGGu{^JkmCR3C~9hdacv59~$)Usd7H0ayf=q=30k=HSY?@;|w}dj=Mzj-G}*flc`9
zP_1aTvopj3wqk_GAQ2<aeI%LOoLtBo%aPECs_b)+jV4>fZFV~tjvjkyM^|bm<Fks*
zO1EG+2u_e9oV*G#c7yAo*On=GhBn1u`%(^~RWv~?Wh>}<{t197{CLh-G~w*tztty3
zNG}yoo(f0<q`mu<zP|Y+(GrTe33mL^N+nc=S?jpF2#O(2u#;^4`d1g3ZXc+IwJ=(f
ziF*I(jhFu4!rTV`Q_}!yBmv!fP@SRP{P}KZw=(heGykhMu3|Ua!_973p@(2Ui$&@;
zu^+6II9k-lAt*cc5oF@<^IW8}<jJZ}%8x3W@9lpUhn26;^Z&w>*Dp5I?l8v1il}0F
z3AUi{vUBG(MyV`v&AD|o;e))0NN(LcW<EZwufg4V?Tbp>W`B1v!eLu=C%^4Xz#6|d
zQpkzj5X`G7uFv0A1Q89zi3={q7@~x2`&EiMdnG9imtB-^@BdqggE4_tZP0#;yfzw<
z_fSBgc^mh2H{*X9d*iu=z;m_~?FeXm#knKMQD<6SoNJ6TB|qC=im6>HPP5MWsel;m
z`JeuT_CE)989=qz!`ry|zogPT`_0}zRVPRE!_C2#H;}Lufmfg~uO8!Z&p`qd4OuN$
z=@R~q@^h)ULNLR<RF)l}Yw?TRL+2>YZ-g7yJ~E2bKMGNAOG$!$u}R}zO4v2<GqY|2
z_gahsP_Wl(y~Jq8a{2+eOgf<dkqV;>j+)@^@ZnaUlB};r(UQ_k>`d0Ny#T#)a)YR9
zm72HGMJz+jc8I-s+>5qk#*9-*K5<nf)X$?R<arS$WTc4m7p>IXk;ljxr9j-+TbO(*
z<==?noEJ_L7^7sJ$QU(nE{KPorKNRg??tX0#y>A@ewL%{P;f?7HtHuZ4Nf@9KaCsb
zGFF^JY<I}KNzOrA1}zP)Y|OHXA5MJHZrR}D2KuJD`G4xNF$mr{h4T^Nt{75C)_)D`
zZ-5fUbr&Mh*Ds`l>{AKqt)buL-1Md{1fJNT@a6#lZMpWPESgr9BFS8z6Q{|`m;!#$
znUQT|siWSgpwv{5$<w`k8`lOuQw=Y(!A<~H$XCmd@BldaKnH2-X47A-Rfw2S+1B|U
z*GGP&J#&UQNbHfgnHEuVEMI1+Bbs?~$H52U{pj8fNI(6VyLsUWJFbaN7U5ahoJp4}
zU!8u}=id@8dQNR0(i&6PvfiV=#6!?--QeYh&`}2Lwwupqk{E8HwIaeL=+}CUWRmkJ
ze-#Vk%|bU3&`77HHY2k`Fnj-8<*N?Qb48##JRAylE?FbrN}9emQ#J<PhMy?DHHPxm
z=ctKCBc|5cjJggFd%3xCgQ8S|7jJ~ZrAy%Nv=~wcAP~Ru$G{uUQ3HtV;8!^(%j&MF
zxb>10=6(x?Puw36oyV+5)udf}X1H={94BZ$l}7dL1Zn>41Wp=%d}N;B3ACu~m%T3I
zO!RuOndfJ&Vqmo?(t3uBU@2=fTTRGfTvp1+z<d#7`X^=MQu0DpAM1s`H}?0uN1ez`
zs#+k6qXx!hTDr8Ux*~fhtxT=;!%Hjt?=hVP5|Go>6P29D-yvyaBE%ZZ*J>OgYu2mg
zvd+y#qpi>NzS9WGAVfcwsXboxXGaV@I!(AHWg~uHACMcYN+HCX*dAJ%T71o0t{_h6
zC{ZM?%PoYxE)rrzSyU0@`{txt@obT*@qZeVejW7`a-2KA$wZHoD*TX9GmB$%otr^?
zl=LMr>e}Sz#a`Z$7h4G(N{Ukl85UN6W+&Fq`|L$cGDIeIMEipNJBXG+bT9vH%#6oH
zL*zqELH%j4>mS~!X50i6rBm0WV9eFX&ypUD9sb!C+%bB9k$C+d?#R>X22NRa5d*gi
zc(X9gBx8+=cXaT2{OO${_{6G&_`N7_9jQ@gzaK9^()v}WPL_&SR>mLZ@?9AdUEEMo
zn5#2)Xm88B(UIwEY%k=l34X3n_13d0i=i}8jzhYPM0Hu`VOdI$hAY)3ff=LKc~ln7
zm7~YlAdyDP)$}4+-mTJu(X&6&Ty}yXAf<T_SBuaL*@l=qc!f=dZc2@vwNKZ4T2I?d
zvE++Sl0bZhCSEqbr$w?_teZlAWHt%1dNcxL8w0T%BjAy?wMv7uoyc$&>}2Pv6O=W(
zh{6|(+Syy8&MVxlLekXtyH>8@|2<<q3YjhYT&w%pS5Ov_2FJgvN&v6UpS5MshrHMj
zvD|p+0y@lM$E^zzedsX()_#eO;r=G2V1rST;Il*#f;p`Izu4MR37Ub_yz~%CFk;*x
z3!_n(wI5uN_xIbj+<dtGtlRVaaTLFbkAf-#5t{TtGB7z&Vz!xQfA!k?&ZSeLG6<;P
zlh0JIl|y5zV*YD*ji%a)Kf^>>!TM4jV8xRS&);S+oIdZ=t}{)o_p9gW`Kv1fnJti&
zH@3G9|NfkG*yQ{=OrtVZ(u4-la|TgakXXuX1(!1OJG2}Uce+IqNf!QeS7QQ;wmVJK
zJl)6m<8|~a2uL0q2YZUsw55pI>z=k>$o#h)d9)VQyt(}xjCgT}mfV8q+52xO)vifO
zYcHRFKOVUARz|8dx>o~CHWy<*v*+}-XOIMH@oOt`ay3dZ*Us+p*e#`gR$GIS2uVMr
z$k8dlPg^&-TpN7qD>FXZPTZ%E-%%|8q$x`fX1-<z%?~EMk2l*;Ot`T9#pJ;+f`hSu
zNP3loDNhKyd67%`dW>MVzt=T>VwmmKBYyer-LfkD?FrMDP%r9O@}uP%eHw4nh~fSl
zl~<=koISN=5eU;{!~ySp3ZnNkv|O)zWY~3RW+RnwXRqqJmGa2T!?%kNo6(Jz7-nJY
zaFZNyC6CH)X^q~YEN#YvO9F%I7N@V(TdZQ4eJej}U)9Yk&+o?fdA#4dgZ@JDBc<_1
zhO!u8QClUb@YLh?;qj{qS%I1j6<xKhA)P%%oN2p6-)3`tfdf^LVmSYGJ-G+u!AOX;
zxpk!}r*7U8LS2$i#(y~Q=KB*-e7N6T7F8+ve@mAA1g07f$~I<hSk(N~m~^@K2&sVR
z<Krz1bF%Wv#d_7EKg6D^-zWSW#xHOhZqEsy1+Bw`888B;T+E64JV>f)Q#*4wbEMeO
z-+a+6Vp-~JxIF;1D#vZ<!`FD@=;dcG0~>%$ztv#-3v)5HQ}W8%vL&p0HLYLSWcbj1
z$aRb8KHn|Ty}Uq43+q^pETVJ<xeQ<O_#2=4(v5p2JgV5l5-7|rS_&9v@Znxj%~E`-
zLdvbad&gJlHg{$wXw`nf^QcNl=W#ZI7CxY8FoNsLlE1~>0k%7uA>NwZb<#_I>1*Jy
z-p<}O^jK)8S3awJU2^i^=RUvtcOYxEW>iD|&PGa?wd$2UBUuf#Eh~8~A(uWBak@jv
zIGAW=67gOZ0<M8U8}D1M8b}QN*^6l$PbxO@pjLNv{@SCy9ybU#7M~Cx?Ke^_i(1F>
zE^K4Ar;CcGi%NXbFL`?Sf+s{8$x)>x1ojC{Rjh0#8^;JtR&@0F#q9zd3^-dCcNB%2
zP9Oa6G?F!{4JLFdp#<F;wUzaQ3ZbU5U(lI!M-drVDPGQZ@;*}C<2|`1)b}s;?MzGZ
z=)m4**@JS%USY@mA#b_1GDwt&TkjpA9A+eznCp;z1sUT9)-*r&JxC0;sEp&NK8J$E
z_@eUS599{JKQgOGgPyWEP|NYwbq2(Fw1inxNg{iNN!6WjP%($f)B@&MUk~Z!pKozC
zY?u{My%$Ol?6L{=HeF%Lmm{t&S?<)Zym|3vtbdT-o(`|b<8BZH8<&>(%U`5p&wz^e
z7hQJih<7LgzAnVf-U2zm<YGP7d{-tj?x*i)QReQOM+<Wxrv9lJJBxyZAa`7cksR<k
z<KSQ#@$3jD>`G+MLaDO5a{2IA!_67{kV#SQXLzP<nY$5bP-ST`N-~=AFIo*F!427F
z?rD};J1b*^T_GAY;az%CR&l{0{eW{;o(hm~S~|mi;e1e9j{?_G)Qc2WGIKxcb1~za
zS5Xt)MX~np>3T;#i>02VVc$~PxxlMZdkla^WJw-#hAb_9=7ao>DEzYix-{p~gLcz6
zi&yMkh`0|2=Ic35x_<81-Olp&Te=lWTE&+?!H!OiREw1s-`8%?be(@i2{Hoyb2Qvv
zdvkt}CF|SYn{tOGtV4AT3-pCX8h7c|d5Ypk3vMxeJKaO{)le+RrE7*-tj)34l}=Ja
z=AT+-IOOBcH<*sN8q6F=sZO<(CFsjBGf%lGU;XPFcK^!&JOJ|Bn&PlF^(de0#G7s9
ztH7wnmmeCJ51mJXX1Njz8Lu+ClYT$NXfv_dEev?Vb{ZM~tP10*o|=AWSm~oCMS8Fl
z?L0c|HoBm^p_BIN)>xSC*9|A>WDx{zofkHs&XRwtX5rxj-*g6ZES^^ut1K$X;UgTT
zg$6F0FZ^pRtz%&dMTA>TF7E~e>zlcLyGN4w>VOyKv)8$zO1Ie_ZcbaI^G#!LGS-4t
zc~=A>f*A@+k19SxTvK}-uiLDzFu6N*@);^MF<E-h9yM)S-KDfltv*v1debG#VBx}?
zDUa4oVikr0b&7<ANGQ*F<6i^t{_=}&bd{r1<6m&`IT9C6=*h_BQvK(DPb|WsD>v`|
zFMQc@>d3nTGw?uefOQi`v$oI4_{g1HQhP(`P7EmArs4Hby{s$PEjwdjdC`V-ADzP*
z&CDl-EXrtyyzlU+ZVZ0>A@g2$-Li8><g)ITI(DTl^e7KO8pw{DUh3SfFWV#W+tS@G
z&0I^KO)zD#7Kw(HX*659GHP;{iHlI&?9MP?HA;iz?BTjhGB&IRiN+@+srED&C8_}U
zxdjkJFIgp^Y}J@XGz+CK`Fe9&BD-=b)?F98U0sZksY}uNyvR^9KV+jV>!WRAn<DWL
zz3*zOTR0t5_aluKYKdk~%a~c|Z7JsD>9VN7kJoqIS3tI$9=TmluPTR3-k`Kq_zb{t
z6CtQM#<i@E0C_wmMu_%S1aQ98Ew%GilsibZRzfo=<Z@?-silMH#gnLLnWZfjzrEd$
z@kGn>BIvi>+UfUworZzR_%sDYBfPld=}P;J6Ad$<VdQYQbtjyEM4h3sb>2<N$JjX%
zUjR(&<?Hcl3*J|grH@32u<LadogVb;XW(GA3?5^TqBN|?eO2v<L>c6f_6|Z{z$2RQ
z?mh!qj6k!#2GH*@8?;8&Cl{?v3dqgLgN&%hFNQdYx-G!O#5+v_N?O`W0A8)ZA1VLV
zb~fv~0%RoHqXV!OkJtn<++R2!z`9b%L;0%!)m#6nw-lDlaAxmJ0L(gKIwR6pts?@Z
zndgUU%T3#<iHCS`JKp(fSQz6T!Mcc5lJSaDTM{*SaSp#ll7?@E)2rU+avlc)zjUkS
z;kIUd9tFgE(jHxv=LUmup74{jDwWL=79&(aM7nfq!P^t&ZW9~c4*A3Z;)SVerUXSx
z1N{CfHyFTiA*gORjpEFEw?eK73h`D~=RGJJuFX`79l*W=WSxPZjgQJzP8>DHMFY@{
z>!)JRzJzo+c6R4`;M|u+M^c9?OhXvMmguH9Hh?xfGrL~s|83(6++!avuBqxV0T%o=
z&sq7>n7LeJj6=CuU-z|<t)PxfY1DUM$w?65x9C$A8t;e*>xm%&9qV)7XmQO{5*|*Q
zNH{vla`Gz?@{!?ZYqNV%7Y$GZ43jo}vB9z~d$NEPdW97VE{LBOcPCI5hiz{ik2rC0
zU2$XO5kVE$yF(zW-n^Nl<0A7a>Ub`)C$oCT>*{^412SJL+#s4d2mx_7dfgGeUSGKI
zY~9VAAJ5?DLgoNK8GGwO2bD~2W+Wb8rkFUow>0WFKw=l=m8X(Nj%m4mw?fy%p_6cv
zyMsNO@$bM=7`>3q1(QZ753Te9YrCt~tgl{mw$9>42h=$SkL6h*H_>IBY?>eWUCcl1
zxP#DNczP1V4Cc+miYYs9-8~pCq#OV<`7FA0>)^3<OGG5^2s7HhH0*Z+_?qTBus|zg
z<DRn4gDaFEcOh6rEg{xV&6rsfP=wA;4k9}00kHu$-sEz!jh_T*>^EcBEa<)7`?tZ$
zK`1Q}jVKL@SPuD=S7Gj)Kt-z!k}Wt40T-s7spqV!V;J#3YJ)Q!AVrU>GJt-RZsrEh
zVZ0&mv2OF;8*mnEo(7y2V)eKF1%w!70r0--73VU$DXVp*_Xsbp6WCZ&LP_fiyG#>O
z1hHiQsgDY%zXnj5g6=9s?TX_gqZ<5pEtpD8Fl5v}wF)z0g<NV1r28m)R^=m&r#9^O
z=#?Ec=HcGKC9?^R=|D4S;$dcL+$_qBP3c=FPXBV`sWNmBV#49>mSP5-Hy-{TNlt`z
zi(ZjJ5ohI7r9^XkAtoGc=$o3VyiiOG`}uMO$%c`n2ioiF_9|gYCJRh(|Lq)iC?Dlr
zi^{f!>R5}%^=7Ie0VMY>v}+V7ZpOf}`G6byrNgLnEFfl)6C1(9q(S5ynwiJxE5apn
z=~~p_3#flVrSOy2g`xyASU1ic5D&fR8`WN3=y2lsm?on7FR2RihwTor%&C~+emM|<
zNd2L3K>z8<Orv(SjLxx3#sm&toQ-M2*g=L*#+d*orBWU?XMPW@9Vc|Mex!+5O5@Ku
z2p!<Xi9xC!SY0LUv5o1j4t}}q6=x>pLa3#^P`MS-1TzA4TX&bN{m%6KE*NtO1+wt*
z3<24kKrw=9hQn-qn2LwKlscnpovY<g_!vx^U+V?U==Q@>K6{sEKD4*4P}Ri<uNNa(
z#@@p}erY@fSOW~KcT1OG@$UodGG`|=6d2Fe_53jz?rO`F%JHKIUewLm4+@t?>Av1N
zo)v!vEte%W$iXFZcNvObF;!hRwlSyC!23IjIQgF%@T9??Y<5Jk+MbQxM*TVz{yrDU
z83(T$({3PTOt_C0-acEWw0vr~0~QweLynSzG0ty1eeLXOMU~@eAoL$@(=()>kP}Pc
z!s~2z-F`yKxG_cn*=f10`t-<2jUTzPe?CrYK>YBLLGeuw2&o`T6lMcjKX);z+4>wm
z{w_2QT>#G+@cU~H;%jxWeSlrG=YQIraZXrV47p2K{l45vS?B`>7L_gf%>?R&sa2tw
z_sEHskbCXfVbVx_dmJC~1X=)EpAN<hx3p=$lWoS5K|i8_O0fPEol=I7S8%-UTl5wn
z@Xu0a3r*$b#b)4lw`$&Qg^xlqPM;P@f*>KI$HIXJ%rLr2Go$#uE^_*|xW!vn21<t9
z^798~KDUk+1EV-qbN>ie4hN*OTPwo_nz35|Bm`7HChV8k^Bg352$W65F6B*B>k2^_
zY#cG=`R-d9kogX<)VsweYDZD-`HR!iYi@s^u0Ti|#fqQ=;XcBS4uTR$rZJ&<Pw<Ed
z!j)s@5Qz_R-qMV<g0buY5eP^R8F?2S3<g#h1d=YSx%qBmvJVHxQFiX8>bCJ2a2XcA
zzf*Ro>+q(6Lu|o&4WM{M)nAfHgOj@xz)t~mm6@yzwwHmWXq!?0#Ad3~i;ngAt#F$J
zxQ&_w>cEnr4(9x?%2y(Taj?;GfQXkOtC!2WKS?oZ(X%M_c=rql>W<r>*-JiqVk?&n
z0?v~-7~F=l7mDVFgzmEv>X^x0m+}jl#xRr<DIC~=X8Z%XdbgPn>x(wb3^&Y7-!)MS
z=m%gUnG*tBIb5!Ew@u=4`lOL<%xD3)iOMHg0($HP6ejzrDu3%QI0!|{K$`x+;hJta
z*_WK=afV$vaI~>RcBJ($yKb@&$Cp;8lkpi<7-1_m?+0vD!<i|!qxNs7aLTth==-sl
zMC&r6@Ex^sgbEB)Gm#eKdd^HmOtS|Yu0Tr_FF|Nvp}nqT`ILU5*;QH>tW66z677MA
zHLZC|bf+xo*-8@t`+_y9MVmS5An@<A#>TKF2X|hz;A1;SnfJxx%JVCIvd&(<j&skD
z&fPIy{HQ08rN4wm6ZblD2HM%`X+Vbu-H?&L69;ZTTDLMWBtzt8RFz|zB{FHLf4D`G
z;!(M`?H9ilP80z8-KwnRc(lw-X{PsK-95c~fP3vuC=4w`IvZ{C2+yHKOkstOxVjHD
zSzNZWo+`!VyggEX45E`5(Lxa%%Ke3OSoc+M!my$oA^^*eA7~z-$&RfM%l;6Z9Lmls
zAWt+IQ9a^bg%Eg_WxT^A2}56*T_EYFAe5wwcW_(q7=@tVE~6fF;ExceW1%?@mzS<d
zPuE;KrG5!;IQ>PHW1(yf5X@{yp90ozES^_6-7Y7|G|~Zc%XDh&d${njGN8q_Z5Xk^
z*@6~v!qBhn(9kt;RF^RrdmRlWe58UcVu9>Zp-{~1ZQ}!cjlcL5D+8+oYHvV8r!$>H
zA3n65y$aPAUCh;QD66Tw8szz;gp@Wr;o&T@y9d&qLld8O*!MJ(PX7|lJtfFA$}_7e
z)icoy3Ou7Gn<!6kx7es2ns~*gqT{QFURHCysc_VmEkr;#&8E~CD5$Fmi}{mex<xZQ
z9}zB#5kB1>ZU0v=d@*^rqI11~P$dT`k!lnL+CHl<vB@gC#ievma6tu0Xx7*6q;8%x
zKq32@9MP8?5%9h5jTuahALM62bbY0lo1Nhe8P!C#LLYW<DLr`}%5YVVNtYau|4Mc(
z^B&FA&CrMfopg5S#})OQE$@*uaKofQx!MKO`B*|<5aJ3v+D!2V(IHb?V<r7-gOicV
zIRs8)EU6z#jdZv;<fanJ?cFO*-&aVQ|92D37q<7{ppkmy`f~@*6Vl*%y@|>TirqUi
z{+wLuTlS#@y;AtwaEcM8ej*QH2SyA>c6X6{7VH^kXnzh-_cA9Q&oqQ#_@Gr#Z}uXd
z*h;N<vJiv|h<RswzlzAzL$i8LPX9|aXT=EYUe5W8;{vRRMDRTB(9(PJO1F9K?Pprq
zH|om!H`$<fIU%viQx`NOoM2gB<v|B-uWX~k6}u<a8qYb?_=aPyul2q|CrRs_uQLdH
z^lxNesfRUju`izzgoJ?guNF%!Yma80(U`n$zaQ157mNu(ZL{Asn&Vo1!S9Pha5`Ct
z^DY|U{IGgp<vC}S)AI&4<@lK%vX$WLR4lXqz|-o*2fh(ctcHSX9rOLaJz<Zw4FjVc
zV_()%SL&5DlscJe7WUbAN(AK0*um#{{)TSi|LyCo-@E@-o?|G-x2_t4rHgcqTv%}Q
zF9-B{Xp3~!PY9?eqb0Drh9S$(@7txms#|NtcG|NH0oL;Wy3eXGgvU^QA*7e|K1p1U
zS?X-!_aPE(G}qrAE7iYk>r&T~?ThcxKNZ($BN=?Q&PpUwU-$@=sRTNC@JFoBoxuwQ
zw_Q6tOrQSPHoxRnT;^6^@zIoBKax6R4FPvhnu^$9S~8OcwL1t+*>zHPQHXpU6nixJ
ze6~7Vtv?6--mEaDQ*l?u+5lFCzRI>Yo%vOw;GXM&c^q_vA1sAL@M#5x01+2K<A6#s
zH2HmA863{$QO%A{Zt#0v#LRlr=I*8Z`@`2GS98<r5>>f1|7a~O*R#l^638LM2RVcl
zpnczUQt@4vo~{1Vz$jwHsP~HI*UwJDcN)I3uHFAPd1+Kt2D-^zZ@y{RdCLUK7AGi!
zT_868Y_p-OY8vr*XI}`Y?3%Z3bDfP$XqTz=Mo}uef&Iot_Z@sb@x`9~8rBnyhHgJq
zmmcVnnu$(qnQ?o?mE)m+;G)u?=6~cuTBzToVs&58WRO-LG5cyUk(Lgo>p@%h;ImfO
zCqFDZshU0fMl3(i`r?YpYE3aTH>4rcIe^)MZq_~`%$lEV4?$b3`Lp}&!=B*lr(U+5
zh3lDF`VYl3KUE~TB(J2RipLYR_*su=_HD~pL7XAXn_x*QVKOW@yE~J{qHn+VK&ch4
z-fx5NafkOFOxEI)OH;)kr49b=(iZ8u7gRv3R2$?>Yw$*V*$+qi96IlFB=oA>P+G~<
zlX8J4<>SV9{r)cvS!Eh0YlsT(#-^6h$?6i1E^B5@XfeFRH3bO?Iq)(G#U9Pbyhh(>
z5F+($`^`+AGYLIse~_CUVoGu0+QBU4V&aWCR_c_T^a0{W&9-V*fs<3ktz!KZm8Pcs
z><x{Bw@qG#%H~X!$6L)|E+EXpx~dG<ZVY$MZkSYVn>Nf>C@D%!?_W$e<FmMa-<y`E
z$?+sngqzf;30qYWUIEyHhF-#}_o?612S`h#yIx}^7o#>RB9S8rXyk5mzof5Q+RW_X
zCm4I*Yw)&97HwTGq*NJo_;<!3mj<8h9Miytg%6}~&?@cFYvyY!ZPS9vzr(YfM2SCi
zI;XaF3GLa)L2978?yl)=%HEXWI)}`{rJ32)%}%Mzm1H|dUezgHg}H_g+I$a}k8w<E
z!QIf%8d?IWLkj6uZdU4&(>PwxYwIS9Ben3RPvTHbj{MKmA;l0Er?*l)%cYkuo1+}0
z@!z$}A5>T&6<c9Js%{qtQF&}3a8jJ38*Q}cg{frdTRRn}{nr28*7m~Fsnd}C5)vH3
zFKC~W1%IeN6e}mtDWsq`9bV@rp3c)bYE;woKYP`4<B(hD?J)2H8zI6YwOg%Hc_FO4
z$K%MED^cC<q2GH7qVQ|+Uqj=!{A8wy<Pfip$s)KZ)0LGS>{s57`v%dm7L)U4JkyfG
zUSfn^@WEfM=*?-a1kH4}8O?=+9eF=?3=YY>k)|N73e@h!%#W1cP66I7V*Z-H8@?`C
zZ|Kf{(iFpOgTJ|}xlIg||C5>&SdCwhN~o*f`EHMHQqT!fW1|X&Qzifw@<_tJXD8oo
z)K_Yp^wjcM#s-&~)1EOmpFp^w2qzr2=3QeU#Jauz!cb-ZC(r468xpnby5Tb{FAk_Q
zq4&shd<;`RJv<q+G4A*DN15pAZ<<8N^t6<`?&CR=`aJxLN>@e_QUi|nZo3V>xFCwj
z8X*3~A0QUN8RL#Wb0C6G<<s&C<Ke%R{7_w1PTYqAW^PH}CR8u5ikzk899AlLBL5Y<
z=CjSG%YL(%o_;wrjisWRwlq__&g)WME3~W!fiC0|^YC)s+vL88IOWWsjbop~3qCQd
z=Vkk{IZjcTvqee;>AeuT(H#HHjh%8!4Asw#$ohY8c>e$Jf~&~$eP^jGlsvk?CIb<0
Sgg1VXQzy)immYP#^M3$sTufvD


From 2b2da1679e7f05a61c268db208c5e1fbacb70a78 Mon Sep 17 00:00:00 2001
From: Christoph Lechleitner <christoph.lechleitner@iteg.at>
Date: Wed, 6 Aug 2025 16:02:25 +0200
Subject: [PATCH 298/378] [DB][Web] optimize qhandler by keeping SHA2 in new
 column qhash (#6556)

* [DB][Web] optimize qhandler by keeping SHA2(id+qid) in new column quarantine.qhash, for feature #6555, might also help with #6361

* rspamd: only add qhash to new entries while passing rspamd not all existing

* compose: bump dovecot image + push to registry

---------

Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 data/Dockerfiles/dovecot/quarantine_notify.py |  2 +-
 data/conf/rspamd/meta_exporter/pipe.php       |  3 +++
 data/web/inc/functions.quarantine.inc.php     |  6 +++---
 data/web/inc/init_db.inc.php                  | 10 +++++++++-
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/data/Dockerfiles/dovecot/quarantine_notify.py b/data/Dockerfiles/dovecot/quarantine_notify.py
index 824d4092f..a681c1fda 100755
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -76,7 +76,7 @@ try:
 
   def notify_rcpt(rcpt, msg_count, quarantine_acl, category):
     if category == "add_header": category = "add header"
-    meta_query = query_mysql('SELECT SHA2(CONCAT(id, qid), 256) AS qhash, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
+    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
     print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count))
     if len(meta_query) == 0:
       return
diff --git a/data/conf/rspamd/meta_exporter/pipe.php b/data/conf/rspamd/meta_exporter/pipe.php
index 4d8e2a132..bd5d875bd 100644
--- a/data/conf/rspamd/meta_exporter/pipe.php
+++ b/data/conf/rspamd/meta_exporter/pipe.php
@@ -236,6 +236,9 @@ foreach ($rcpt_final_mailboxes as $rcpt_final) {
       ':action' => $action,
       ':fuzzy_hashes' => $fuzzy
     ));
+    $lastId = $pdo->lastInsertId();
+    $stmt_update = $pdo->prepare("UPDATE `quarantine` SET `qhash` = SHA2(CONCAT(`id`, `qid`), 256) WHERE `id` = :id");
+    $stmt_update->execute(array(':id' => $lastId));
     $stmt = $pdo->prepare('DELETE FROM `quarantine` WHERE `rcpt` = :rcpt AND `id` NOT IN (
       SELECT `id`
       FROM (
diff --git a/data/web/inc/functions.quarantine.inc.php b/data/web/inc/functions.quarantine.inc.php
index 39606f271..5df86ef33 100644
--- a/data/web/inc/functions.quarantine.inc.php
+++ b/data/web/inc/functions.quarantine.inc.php
@@ -22,7 +22,7 @@ function quarantine($_action, $_data = null) {
         return false;
       }
       $stmt = $pdo->prepare('SELECT `id` FROM `quarantine` LEFT OUTER JOIN `user_acl` ON `user_acl`.`username` = `rcpt`
-        WHERE SHA2(CONCAT(`id`, `qid`), 256) = :hash
+        WHERE `qhash` = :hash
           AND user_acl.quarantine = 1
           AND rcpt IN (SELECT username FROM mailbox)');
       $stmt->execute(array(':hash' => $hash));
@@ -65,7 +65,7 @@ function quarantine($_action, $_data = null) {
         return false;
       }
       $stmt = $pdo->prepare('SELECT `id` FROM `quarantine` LEFT OUTER JOIN `user_acl` ON `user_acl`.`username` = `rcpt`
-        WHERE SHA2(CONCAT(`id`, `qid`), 256) = :hash
+        WHERE `qhash` = :hash
           AND `user_acl`.`quarantine` = 1
           AND `username` IN (SELECT `username` FROM `mailbox`)');
       $stmt->execute(array(':hash' => $hash));
@@ -833,7 +833,7 @@ function quarantine($_action, $_data = null) {
         )));
         return false;
       }
-      $stmt = $pdo->prepare('SELECT * FROM `quarantine` WHERE SHA2(CONCAT(`id`, `qid`), 256) = :hash');
+      $stmt = $pdo->prepare('SELECT * FROM `quarantine` WHERE `qhash` = :hash');
       $stmt->execute(array(':hash' => $hash));
       return $stmt->fetch(PDO::FETCH_ASSOC);
     break;
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 767a0024e..422c3f1aa 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "27012025_1555";
+    $db_version = "21052025_2215";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -345,10 +345,14 @@ function init_db_schema()
           "notified" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
           "user" => "VARCHAR(255) NOT NULL DEFAULT 'unknown'",
+          "qhash" => "VARCHAR(255)",
         ),
         "keys" => array(
           "primary" => array(
             "" => array("id")
+          ),
+          "key" => array(
+            "qhash" => array("qhash")
           )
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
@@ -1482,6 +1486,10 @@ function init_db_schema()
         'msg' => 'db_init_complete'
       );
     }
+
+    // fill quarantine.qhash
+    $pdo->query("UPDATE `quarantine` SET `qhash` = SHA2(CONCAT(`id`, `qid`), 256) WHERE ISNULL(`qhash`)");
+
   } catch (PDOException $e) {
     if (php_sapi_name() == "cli") {
       echo "DB initialization failed: " . print_r($e, true) . PHP_EOL;

From 2b93b59cdd006b973b52cdace418b139b72d6940 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 6 Aug 2025 16:11:23 +0200
Subject: [PATCH 299/378] db: change qhash varchar to 64 instead of 255

---
 data/web/inc/init_db.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 422c3f1aa..6a9d042a9 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "21052025_2215";
+    $db_version = "06082025_1611";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -345,7 +345,7 @@ function init_db_schema()
           "notified" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
           "user" => "VARCHAR(255) NOT NULL DEFAULT 'unknown'",
-          "qhash" => "VARCHAR(255)",
+          "qhash" => "VARCHAR(64)",
         ),
         "keys" => array(
           "primary" => array(

From af871fdacbff1464668f8e45982e98bfe7ece112 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 13 Aug 2025 18:47:28 +0200
Subject: [PATCH 300/378] chore(deps): update devops-infra/action-pull-request
 action to v0.6.1 (#6676)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/pr_to_nightly.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr_to_nightly.yml b/.github/workflows/pr_to_nightly.yml
index 0cf59eeac..51df14f6e 100644
--- a/.github/workflows/pr_to_nightly.yml
+++ b/.github/workflows/pr_to_nightly.yml
@@ -12,7 +12,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Run the Action
-        uses: devops-infra/action-pull-request@v0.6.0
+        uses: devops-infra/action-pull-request@v0.6.1
         with:
           github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
           title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}

From 53c35493a5c673968db35e8eb47463f673cfe3c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paul=20S=C3=BCtterlin?= <paul@paulsuetterlin.de>
Date: Thu, 21 Aug 2025 18:36:01 +0000
Subject: [PATCH 301/378] fix: imapsync gets correct timeouts

Previously imapsync only attached the timeout1 / timeout2 arguments if the argument was negative (which is not even possible). Now the argument is added for every positive number.

Fixes #6590
---
 data/Dockerfiles/dovecot/imapsync_runner.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/Dockerfiles/dovecot/imapsync_runner.pl b/data/Dockerfiles/dovecot/imapsync_runner.pl
index 9eaf5f431..1030603ce 100644
--- a/data/Dockerfiles/dovecot/imapsync_runner.pl
+++ b/data/Dockerfiles/dovecot/imapsync_runner.pl
@@ -132,8 +132,8 @@ while ($row = $sth->fetchrow_arrayref()) {
   "--tmpdir", "/tmp",
   "--nofoldersizes",
   "--addheader",
-  ($timeout1 gt "0" ? () : ('--timeout1', $timeout1)),
-  ($timeout2 gt "0" ? () : ('--timeout2', $timeout2)),
+  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
   ($exclude eq "" ? () : ("--exclude", $exclude)),
   ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
   ($maxage eq "0" ? () : ('--maxage', $maxage)),

From c39712af671cc150595e6aadc7c31868eef14408 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Tue, 26 Aug 2025 09:57:05 +0200
Subject: [PATCH 302/378] pf/php: add mta-sts support (outbound) (#6686)

* added mta-sts-resolver into postfix config + daemon

* [Web] Add MTA-STS support

* [Web] Fix mta-sts server_name

* updated .gitignore

* [ACME] fetch cert for mta-sts subdomain

* [Web] change MTA-STS id to human-readable timestamp

* [Web] Remove MTA-STS version STSv2

* [Web] Fix MTA-STS DNS check

* [Web] add max_age limit for MTA-STS policy

* Added tooltips and info texts to mta-sts webui page

* postfix: replace mta-sts-resolver with postfix-tlspol

---------

Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
---
 .gitignore                                    |   1 +
 data/Dockerfiles/acme/acme.sh                 |   2 +-
 data/Dockerfiles/postfix/Dockerfile           |  15 +-
 data/Dockerfiles/postfix/postfix.sh           |  24 +-
 data/Dockerfiles/postfix/supervisord.conf     |   9 +
 data/conf/nginx/templates/nginx.conf.j2       |  12 +-
 .../nginx/templates/sites-default.conf.j2     |   8 +
 data/conf/postfix/main.cf                     |   2 +-
 data/web/edit.php                             |   7 +
 data/web/inc/ajax/dns_diagnostics.php         |  46 +++-
 data/web/inc/functions.mailbox.inc.php        | 211 ++++++++++++++++++
 data/web/inc/init_db.inc.php                  |  19 +-
 data/web/json_api.php                         |   6 +
 data/web/lang/lang.de-de.json                 |  19 +-
 data/web/lang/lang.en-gb.json                 |  15 ++
 data/web/mta-sts.php                          |  30 +++
 data/web/templates/edit/domain.twig           |  77 +++++++
 docker-compose.yml                            |   4 +-
 18 files changed, 488 insertions(+), 19 deletions(-)
 create mode 100644 data/web/mta-sts.php

diff --git a/.gitignore b/.gitignore
index c225dc090..8d0fe16fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,4 @@ refresh_images.sh
 update_diffs/
 create_cold_standby.sh
 !data/conf/nginx/mailcow_auth.conf
+data/conf/postfix/mta-sts-resolver
\ No newline at end of file
diff --git a/data/Dockerfiles/acme/acme.sh b/data/Dockerfiles/acme/acme.sh
index 15b757ff9..69b18bc1f 100755
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -206,7 +206,7 @@ while true; do
 
   if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
   # Fetch certs for autoconfig and autodiscover subdomains
-  ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
+  ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig' 'mta-sts')
   fi
 
   if [[ ${SKIP_IP_CHECK} != "y" ]]; then
diff --git a/data/Dockerfiles/postfix/Dockerfile b/data/Dockerfiles/postfix/Dockerfile
index 5449360b3..d1a32917d 100644
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -1,9 +1,19 @@
+FROM golang:1.25-bookworm AS builder
+WORKDIR /src
+
+ENV CGO_ENABLED=0 \
+    GO111MODULE=on
+
+RUN git clone https://github.com/Zuplu/postfix-tlspol.git && \
+	cd postfix-tlspol && \
+	scripts/build.sh build-only
+
 FROM debian:bookworm-slim
 
-LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ENV LC_ALL C
+ENV LC_ALL=C
 
 RUN dpkg-divert --local --rename --add /sbin/initctl \
 	&& ln -sf /bin/true /sbin/initctl \
@@ -48,6 +58,7 @@ COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
 COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
+COPY --from=builder /src/postfix-tlspol/build/postfix-tlspol /usr/local/bin/postfix-tlspol
 
 RUN chmod +x /opt/postfix.sh \
   /usr/local/bin/rspamd-pipe-ham \
diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index e5dbf88fc..fcb6c26a2 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -3,6 +3,8 @@
 trap "postfix stop" EXIT
 
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
+[[ ! -d /etc/postfix-tlspol ]] && mkdir -p /etc/postfix-tlspol
+[[ ! -d /var/lib/postfix-tlspol ]] && mkdir -p /var/lib/postfix-tlspol
 
 # Wait for MySQL to warm-up
 while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
@@ -503,6 +505,26 @@ if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
 EOF
 fi
 
+cat <<EOF > /opt/postfix/conf/postfix-tlspol/config.yaml
+server:
+  address: 127.0.0.1:8642
+
+  log-level: info
+
+  prefetch: true
+
+  cache-file: /var/lib/postfix-tlspol/cache.db
+
+dns:
+  # must support DNSSEC
+  address: 127.0.0.11:53
+EOF
+
+# Fixing local command execution of postfix-tlspol with symlink to config
+if [ ! -L /etc/postfix-tlspol/config.yaml ]; then
+  ln -s /opt/postfix/conf/postfix-tlspol/config.yaml /etc/postfix-tlspol/config.yaml
+fi
+
 # Fix Postfix permissions
 chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
 chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
@@ -524,4 +546,4 @@ if [[ $? != 0 ]]; then
 else
   postfix -c /opt/postfix/conf start
   sleep 126144000
-fi
+fi
\ No newline at end of file
diff --git a/data/Dockerfiles/postfix/supervisord.conf b/data/Dockerfiles/postfix/supervisord.conf
index ba70f8edf..26fec862c 100644
--- a/data/Dockerfiles/postfix/supervisord.conf
+++ b/data/Dockerfiles/postfix/supervisord.conf
@@ -11,6 +11,15 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 
+[program:postfix-tlspol]
+startsecs=10
+autorestart=true
+command=/usr/local/bin/postfix-tlspol -config /opt/postfix/conf/postfix-tlspol/config.yaml
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
 [program:postfix]
 command=/opt/postfix.sh
 stdout_logfile=/dev/stdout
diff --git a/data/conf/nginx/templates/nginx.conf.j2 b/data/conf/nginx/templates/nginx.conf.j2
index ff5f8f184..d71d63e56 100644
--- a/data/conf/nginx/templates/nginx.conf.j2
+++ b/data/conf/nginx/templates/nginx.conf.j2
@@ -48,13 +48,21 @@ http {
         listen {{ HTTP_PORT }} default_server;
         listen [::]:{{ HTTP_PORT }} default_server;
 
-        server_name {{ MAILCOW_HOSTNAME }} autodiscover.* autoconfig.* {{ ADDITIONAL_SERVER_NAMES | join(' ') }};
+        server_name {{ MAILCOW_HOSTNAME }} autodiscover.* autoconfig.* mta-sts.* {{ ADDITIONAL_SERVER_NAMES | join(' ') }};
 
         if ( $request_uri ~* "%0A|%0D" ) { return 403; }
         location ^~ /.well-known/acme-challenge/ {
             allow all;
             default_type "text/plain";
         }
+        location ^~ /.well-known/mta-sts.txt {
+            allow all;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass {{ PHPFPMHOST }}:9002;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root/mta-sts.php;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+        }
         location / {
             return 301 https://$host$uri$is_args$args;
         }
@@ -82,7 +90,7 @@ http {
         ssl_certificate /etc/ssl/mail/cert.pem;
         ssl_certificate_key /etc/ssl/mail/key.pem;
 
-        server_name {{ MAILCOW_HOSTNAME }} autodiscover.* autoconfig.*;
+        server_name {{ MAILCOW_HOSTNAME }} autodiscover.* autoconfig.* mta-sts.*;
 
         include /etc/nginx/includes/sites-default.conf;
     }
diff --git a/data/conf/nginx/templates/sites-default.conf.j2 b/data/conf/nginx/templates/sites-default.conf.j2
index 574bdb052..23fe7b788 100644
--- a/data/conf/nginx/templates/sites-default.conf.j2
+++ b/data/conf/nginx/templates/sites-default.conf.j2
@@ -76,6 +76,14 @@ location ^~ /.well-known/acme-challenge/ {
     allow all;
     default_type "text/plain";
 }
+location ^~ /.well-known/mta-sts.txt {
+    allow all;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass {{ PHPFPMHOST }}:9002;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root/mta-sts.php;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+}
 
 rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
 rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 07065f045..e4354c40c 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -152,7 +152,7 @@ smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
 smtp_sasl_security_options =
 smtp_sasl_mechanism_filter = plain, login
-smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
+smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf socketmap:inet:127.0.0.1:8642:QUERY
 smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
 mail_name = Postcow
 # local_transport map catches local destinations and prevents routing local dests when the next map would route "*"
diff --git a/data/web/edit.php b/data/web/edit.php
index 7ce4d0c6a..57cf24bd2 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -48,6 +48,12 @@ if (isset($_SESSION['mailcow_cc_role'])) {
           $rl = ratelimit('get', 'domain', $domain);
           $rlyhosts = relayhost('get');
           $domain_footer = mailbox('get', 'domain_wide_footer', $domain);
+          $mta_sts = mailbox('get', 'mta_sts', $domain);
+          if (count($mta_sts) == 0) {
+            $mta_sts = false;
+          } elseif (isset($mta_sts['mx'])) {
+            $mta_sts['mx'] = implode(',', $mta_sts['mx']);
+          }
           $template = 'edit/domain.twig';
           $template_data = [
             'acl' => $_SESSION['acl'],
@@ -58,6 +64,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
             'dkim' => dkim('details', $domain),
             'domain_details' => $result,
             'domain_footer' => $domain_footer,
+            'mta_sts' => $mta_sts,
             'mailboxes' => mailbox('get', 'mailboxes', $_GET["domain"]),
             'aliases' => mailbox('get', 'aliases', $_GET["domain"], 'address'),
             'alias_domains' => mailbox('get', 'alias_domains', $_GET["domain"])
diff --git a/data/web/inc/ajax/dns_diagnostics.php b/data/web/inc/ajax/dns_diagnostics.php
index 15cb3a30f..b48239e10 100644
--- a/data/web/inc/ajax/dns_diagnostics.php
+++ b/data/web/inc/ajax/dns_diagnostics.php
@@ -71,6 +71,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
   // Init records array
   $spf_link = '<a href="http://www.open-spf.org/SPF_Record_Syntax/" target="_blank">SPF Record Syntax</a><br />';
   $dmarc_link = '<a href="https://www.kitterman.com/dmarc/assistant.html" target="_blank">DMARC Assistant</a>';
+  $mtasts_report_link = '<a href="https://mxtoolbox.com/dmarc/smtp-tls/how-to-setup-smtp-tls-reports" target="_blank">TLS Report Record Syntax</a>';
 
   $records = array();
 
@@ -128,6 +129,27 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
     );
   }
 
+  $mta_sts = mailbox('get', 'mta_sts', $domain);
+  if (count($mta_sts) > 0 && $mta_sts['active'] == 1) {
+    if (!in_array($domain, $alias_domains)) {
+      $records[] = array(
+        'mta-sts.' . $domain,
+        'CNAME',
+        $mailcow_hostname
+      );
+    }
+    $records[] = array(
+        '_mta-sts.' . $domain,
+        'TXT',
+        "v={$mta_sts['version']};id={$mta_sts['id']};",
+    );
+    $records[] = array(
+        '_smtp._tls.' . $domain,
+        'TXT',
+        $mtasts_report_link,
+    );
+  }
+
   $records[] = array(
     $domain,
     'TXT',
@@ -341,15 +363,25 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
         }
 
         foreach ($currents as &$current) {
+          if ($current['type'] == "TXT" &&
+              stripos(strtolower($current['txt']), 'v=sts') === 0) {
+            if (strtolower($current[$data_field[$current['type']]]) == strtolower($record[2])) {
+              $state = state_good;
+            }
+            else {
+              $state = state_nomatch;
+            }
+            $state .= '<br />' . $current[$data_field[$current['type']]];
+          }
           if ($current['type'] == 'TXT' &&
-          stripos($current['txt'], 'v=dmarc') === 0 &&
-          $record[2] == $dmarc_link) {
+              stripos($current['txt'], 'v=dmarc') === 0 &&
+              $record[2] == $dmarc_link) {
             $current['txt'] = str_replace(' ', '', $current['txt']);
             $state = $current[$data_field[$current['type']]] . state_optional;
           }
           elseif ($current['type'] == 'TXT' &&
-          stripos($current['txt'], 'v=spf') === 0 &&
-          $record[2] == $spf_link) {
+                  stripos($current['txt'], 'v=spf') === 0 &&
+                  $record[2] == $spf_link) {
             $state = state_nomatch;
             $rslt = get_spf_allowed_hosts($record[0], true);
             if (in_array($ip, $rslt) && in_array(expand_ipv6($ip6), $rslt)) {
@@ -358,8 +390,8 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
             $state .= '<br />' . $current[$data_field[$current['type']]] . state_optional;
           }
           elseif ($current['type'] == 'TXT' &&
-          stripos($current['txt'], 'v=dkim') === 0 &&
-          stripos($record[2], 'v=dkim') === 0) {
+                  stripos($current['txt'], 'v=dkim') === 0 &&
+                  stripos($record[2], 'v=dkim') === 0) {
             preg_match('/v=DKIM1;.*k=rsa;.*p=([^;]*).*/i', $current[$data_field[$current['type']]], $dkim_matches_current);
             preg_match('/v=DKIM1;.*k=rsa;.*p=([^;]*).*/i', $record[2], $dkim_matches_good);
             if ($dkim_matches_current[1] == $dkim_matches_good[1]) {
@@ -367,7 +399,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
             }
           }
           elseif ($current['type'] != 'TXT' &&
-          isset($data_field[$current['type']]) && $state != state_good) {
+                  isset($data_field[$current['type']]) && $state != state_good) {
             $state = state_nomatch;
             if ($current[$data_field[$current['type']]] == $record[2]) {
               $state = state_good;
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 6ea4f5717..a74d182cf 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1400,6 +1400,80 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
           return mailbox('add', 'mailbox', $mailbox_attributes);
         break;
+        case 'mta_sts':
+          $domain       = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
+          $version      = strtolower($_data['version']);
+          $mode         = strtolower($_data['mode']);
+          $mx           = explode(",", preg_replace('/\s+/', '', $_data['mx']));
+          $max_age      = intval($_data['max_age']);
+          $active       = (intval($_data['active']) == 1) ? 1 : 0;
+          $id           = date('YmdHis');
+
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+              'msg' => 'access_denied'
+            );
+            return false;
+          }
+          if (empty($version) || !in_array($version, array('stsv1'))) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+              'msg' => array('version_invalid', htmlspecialchars($domain))
+            );
+            return false;
+          }
+          if (empty($mode) || !in_array($mode, array('enforce', 'testing', 'none'))) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+              'msg' => array('mode_invalid', htmlspecialchars($domain))
+            );
+            return false;
+          }
+          if (empty($max_age) || $max_age < 0 || $max_age > 31536000) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+              'msg' => array('max_age_invalid', htmlspecialchars($domain))
+            );
+            return false;
+          }
+          foreach ($mx as $index => $mx_domain) {
+            $mx_domain = idn_to_ascii(strtolower(trim($mx_domain)), 0, INTL_IDNA_VARIANT_UTS46);
+            if (!is_valid_domain_name($mx_domain)) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+                'msg' => array('mx_invalid', htmlspecialchars($mx_domain))
+              );
+              return false;
+            }
+          }
+
+          try {
+            $stmt = $pdo->prepare("INSERT INTO `mta_sts` (`id`, `domain`, `version`, `mode`, `mx`, `max_age`, `active`)
+              VALUES (:id, :domain, :version, :mode, :mx, :max_age, :active)");
+            $stmt->execute(array(
+              ':id' => $id,
+              ':domain' => $domain,
+              ':version' => $version,
+              ':mode' => $mode,
+              ':mx' => implode(",", $mx),
+              ':max_age' => $max_age,
+              ':active' => $active
+            ));
+          } catch (PDOException $e) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data),
+              'msg' => $e->getMessage()
+            );
+            return false;
+          }
+        break;
         case 'resource':
           $domain             = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
           $description        = $_data['description'];
@@ -3741,6 +3815,125 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
 
           return true;
         break;
+        case 'mta_sts':
+          if (!is_array($_data['domains'])) {
+            $domains = array();
+            $domains[] = $_data['domains'];
+          }
+          else {
+            $domains = $_data['domains'];
+          }
+
+          foreach ($domains as $domain) {
+            $domain       = idn_to_ascii(strtolower(trim($domain)), 0, INTL_IDNA_VARIANT_UTS46);
+
+            if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+                'msg' => 'access_denied'
+              );
+              continue;
+            }
+
+            $is_now = mailbox('get', 'mta_sts', $domain);
+            if (!empty($is_now)) {
+              $version               = (isset($_data['version'])) ? strtolower($_data['version']) : $is_now['version'];
+              $active                = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
+              $active                = ($active == 1) ? 1 : 0;
+              $mode                  = (isset($_data['mode'])) ? strtolower($_data['mode']) : $is_now['mode'];
+              $mx                    = (isset($_data['mx'])) ? explode(",", preg_replace('/\s+/', '', $_data['mx'])) : $is_now['mx'];
+              $max_age               = (isset($_data['max_age'])) ? intval($_data['max_age']) : $is_now['max_age'];
+
+              // Update ID if neccesary
+              if ($version != strtolower($is_now['version']) ||
+                  $mode != strtolower($is_now['mode']) ||
+                  $mx != $is_now['mx'] ||
+                  $max_age != $is_now['max_age']) {
+                $id           = date('YmdHis');
+              } else {
+                $id           = $is_now['id'];
+              }
+
+            } else {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => 'access_denied'
+              );
+              continue;
+            }
+
+            if (empty($version) || !in_array($version, array('stsv1'))) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+                'msg' => array('version_invalid', htmlspecialchars($version))
+              );
+              continue;
+            }
+            if (empty($mode) || !in_array($mode, array('enforce', 'testing', 'none'))) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+                'msg' => array('mode_invalid', htmlspecialchars($domain))
+              );
+              continue;
+            }
+            if (empty($max_age) || $max_age < 0 || $max_age > 31557600) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+                'msg' => array('max_age_invalid', htmlspecialchars($domain))
+              );
+              continue;
+            }
+            foreach ($mx as $index => $mx_domain) {
+              $mx_domain = idn_to_ascii(strtolower(trim($mx_domain)), 0, INTL_IDNA_VARIANT_UTS46);
+              $invalid_mx = false;
+              if (!is_valid_domain_name($mx_domain)) {
+                $invalid_mx = $mx_domain;
+                break;
+              }
+            }
+            if ($invalid_mx) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+                'msg' => array('mx_invalid', htmlspecialchars($invalid_mx))
+              );
+              continue;
+            }
+
+            try {
+              $stmt = $pdo->prepare("UPDATE `mta_sts` SET `id` = :id, `version` = :version, `mode` = :mode, `mx` = :mx, `max_age` = :max_age, `active` = :active WHERE `domain` = :domain");
+              $stmt->execute(array(
+                ':id' => $id,
+                ':domain' => $domain,
+                ':version' => $version,
+                ':mode' => $mode,
+                ':mx' => implode(",", $mx),
+                ':max_age' => $max_age,
+                ':active' => $active
+              ));
+            } catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data),
+                'msg' => $e->getMessage()
+              );
+              continue;
+            }
+
+            $_SESSION['return'][] = array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
+              'msg' => array('object_modified', $domain)
+            );
+          }
+
+          return true;
+        break;
         case 'resource':
           if (!is_array($_data['name'])) {
             $names = array();
@@ -5029,6 +5222,20 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return $rows;
           }
         break;
+        case 'mta_sts':
+          $stmt = $pdo->prepare("SELECT * FROM `mta_sts` WHERE `domain` = :domain");
+          $stmt->execute(array(
+            ':domain' => $_data,
+          ));
+          $row = $stmt->fetch(PDO::FETCH_ASSOC);
+          if (empty($row)){
+            return [];
+          }
+          $row['mx'] = explode(',', $row['mx']);
+          $row['version'] = strtoupper(substr($row['version'], 0, 3)) . substr($row['version'], 3);
+
+          return $row;
+        break;
         case 'resource_details':
           $resourcedata = array();
           if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
@@ -5414,6 +5621,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $stmt->execute(array(
               ':domain' => $domain,
             ));
+            $stmt = $pdo->prepare("DELETE FROM `mta_sts` WHERE `domain` = :domain");
+            $stmt->execute(array(
+              ':domain' => $domain,
+            ));
             $stmt = $pdo->query("DELETE FROM `admin` WHERE `superadmin` = 0 AND `username` NOT IN (SELECT `username`FROM `domain_admins`);");
             $stmt = $pdo->query("DELETE FROM `da_acl` WHERE `username` NOT IN (SELECT `username`FROM `domain_admins`);");
             try {
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 6a9d042a9..ecb87c380 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "06082025_1611";
+    $db_version = "19082025_1436";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -475,6 +475,23 @@ function init_db_schema()
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "mta_sts" => array(
+        "cols" => array(
+          "id" => "BIGINT NOT NULL",
+          "domain" => "VARCHAR(255) NOT NULL",
+          "version" => "VARCHAR(255) NOT NULL",
+          "mode" => "VARCHAR(255) NOT NULL",
+          "mx" => "VARCHAR(255) NOT NULL",
+          "max_age" => "VARCHAR(255) NOT NULL",
+          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("domain")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "user_acl" => array(
         "cols" => array(
           "username" => "VARCHAR(255) NOT NULL",
diff --git a/data/web/json_api.php b/data/web/json_api.php
index a480b0ae0..4d7159ad2 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -324,6 +324,9 @@ if (isset($_GET['query'])) {
         case "app-passwd":
           process_add_return(app_passwd('add', $attr));
         break;
+        case "mta-sts":
+          process_add_return(mailbox('add', 'mta_sts', $attr));
+        break;
         // return no route found if no case is matched
         default:
           http_response_code(404);
@@ -2001,6 +2004,9 @@ if (isset($_GET['query'])) {
         case "reset-password-notification":
           process_edit_return(reset_password('edit_notification', $attr));
         break;
+        case "mta-sts":
+          process_edit_return(mailbox('edit', 'mta_sts', array_merge(array('domains' => $items), $attr)));
+        break;
         // return no route found if no case is matched
         default:
           http_response_code(404);
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 5887499b3..1d2edc1b4 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -482,10 +482,13 @@
         "mailboxes_in_use": "Maximale Anzahl an Mailboxen muss größer oder gleich %d sein",
         "malformed_username": "Benutzername hat ein falsches Format",
         "map_content_empty": "Inhalt darf nicht leer sein",
+        "max_age_invalid": "Maximales Alter %s ist ungültig",
         "max_alias_exceeded": "Anzahl an Alias-Adressen überschritten",
         "max_mailbox_exceeded": "Anzahl an Mailboxen überschritten (%d von %d)",
         "max_quota_in_use": "Mailbox-Speicherplatzlimit muss größer oder gleich %d MiB sein",
         "maxquota_empty": "Max. Speicherplatz pro Mailbox darf nicht 0 sein.",
+        "mode_invalid": "Modus %s ist ungültig",
+        "mx_invalid": "MX-Eintrag %s ist ungültig",
         "mysql_error": "MySQL-Fehler: %s",
         "network_host_invalid": "Netzwerk oder Host ungültig: %s",
         "next_hop_interferes": "%s verhindert das Hinzufügen von Next Hop %s",
@@ -545,6 +548,7 @@
         "username_invalid": "Benutzername %s kann nicht verwendet werden",
         "validity_missing": "Bitte geben Sie eine Gültigkeitsdauer an",
         "value_missing": "Bitte alle Felder ausfüllen",
+        "version_invalid": "Version %s ist ungültig",
         "yotp_verification_failed": "Yubico OTP-Verifizierung fehlgeschlagen: %s",
         "template_exists": "Vorlage %s existiert bereits",
         "template_id_invalid": "Vorlagen-ID %s ungültig",
@@ -703,6 +707,17 @@
         "maxbytespersecond": "Max. Übertragungsrate in Bytes/s (0 für unlimitiert)",
         "mbox_rl_info": "Dieses Limit wird auf den SASL Loginnamen angewendet und betrifft daher alle Absenderadressen, die der eingeloggte Benutzer verwendet. Bei Mailbox Ratelimit überwiegt ein Domain-weites Ratelimit.",
         "mins_interval": "Intervall (min)",
+        "mta_sts": "MTA-STS",
+        "mta_sts_info": "<a href='https://de.wikipedia.org/wiki/STARTTLS#MTA-STS' target='_blank'>MTA-STS</a> ist ein Standard, der den E-Mail-Versand zwischen Mailservern zwingt, TLS mit gültigen Zertifikaten zu verwenden. <br>Er wird verwendet, wenn <a target='_blank' href='https://de.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> aufgrund fehlender oder nicht unterstützter DNSSEC nicht möglich ist.<br><b>Hinweis</b>: Wenn die empfangende Domain DANE mit DNSSEC unterstützt, wird DANE <b>immer</b> bevorzugt – MTA-STS fungiert nur als Fallback.",
+        "mta_sts_version": "Version",
+        "mta_sts_version_info": "Definiert die Version des MTA-STS-Standards – derzeit ist nur <code>STSv1</code> gültig.",
+        "mta_sts_mode": "Modus",
+        "mta_sts_mode_info": "Es gibt drei Modi zur Auswahl:<ul><li><em>testing</em> – Die Richtlinie wird nur überwacht, Verstöße haben keine Auswirkungen.</li><li><em>enforce</em> – Die Richtlinie wird strikt durchgesetzt, Verbindungen ohne gültiges TLS werden abgelehnt.</li><li><em>none</em> – Die Richtlinie wird veröffentlicht, aber nicht angewendet.</li></ul>",
+        "mta_sts_max_age": "Maximales Alter",
+        "mta_sts_max_age_info": "Zeit in Sekunden, die empfangende Mailserver diese Richtlinie zwischenspeichern dürfen, bevor sie erneut abgerufen wird.",
+        "mta_sts_mx": "MX-Server",
+        "mta_sts_mx_info": "Erlaubt das Senden nur an explizit aufgeführte Mailserver-Hostnamen; der sendende MTA überprüft, ob der DNS-MX-Hostname mit der Richtlinienliste übereinstimmt, und erlaubt die Zustellung nur mit einem gültigen TLS-Zertifikat (schützt vor MITM).",
+        "mta_sts_mx_notice": "Es können mehrere MX-Server angegeben werden (durch Kommas getrennt).",
         "multiple_bookings": "Mehrfaches Buchen",
         "nexthop": "Next Hop",
         "none_inherit": "Keine Auswahl / Erben",
@@ -852,7 +867,7 @@
         "add_tls_policy_map": "TLS-Richtlinieneintrag hinzufügen",
         "address_rewriting": "Adressumschreibung",
         "alias": "Alias",
-        "alias_domain_alias_hint": "Alias-Adressen werden <b>nicht</b> automatisch auch auf Domain-Alias Adressen angewendet. Eine Alias-Adresse <code>mein-alias@domain</code> bildet demnach <b>nicht</b> die Adresse <code>mein-alias@alias-domain</code> ab.<br>E-Mail-Weiterleitungen an externe Postfächer sollten über Sieve (SOGo Weiterleitung oder im Reiter \"Filter\") angelegt werden. Der Button \"Alias über Alias-Domains expandieren\" erstellt fehlende Alias-Adressen in Alias-Domains.",
+        "alias_domain_alias_hint": "Alias-Adressen werden <b>nicht</b> automatisch auch auf Domain-Alias Adressen angewendet. Eine Alias-Adresse <code>mein-alias@domain</code> bildet demnach <b>nicht</b> die Adresse <code>mein-alias@alias-domain</code> ab.<br>E-Mail-Weiterleitungen an externe Postfächer sollten über Sieve (SOGo Weiterleitung oder im Reiter Filter) angelegt werden. Der Button Alias über Alias-Domains expandieren erstellt fehlende Alias-Adressen in Alias-Domains.",
         "alias_domain_backupmx": "Alias-Domain für Relay-Domain inaktiv",
         "aliases": "Aliasse",
         "allow_from_smtp": "Nur folgende IPs für <b>SMTP</b> erlauben",
@@ -1248,7 +1263,7 @@
         "delete_ays": "Soll der Löschvorgang wirklich ausgeführt werden?",
         "direct_aliases": "Direkte Alias-Adressen",
         "direct_aliases_desc": "Nur direkte Alias-Adressen werden für benutzerdefinierte Einstellungen berücksichtigt.",
-        "direct_protocol_access": "Der Hauptbenutzer hat <b>direkten, externen Zugriff</b> auf folgende Protokolle und Anwendungen. Diese Einstellung wird vom Administrator gesteuert. App-Passwörter können verwendet werden, um individuelle Zugänge für Protokolle und Anwendungen zu erstellen.<br>Der Button \"Webmail\" kann unabhängig der Einstellung immer verwendet werden.",
+        "direct_protocol_access": "Der Hauptbenutzer hat <b>direkten, externen Zugriff</b> auf folgende Protokolle und Anwendungen. Diese Einstellung wird vom Administrator gesteuert. App-Passwörter können verwendet werden, um individuelle Zugänge für Protokolle und Anwendungen zu erstellen.<br>Der Button Webmail kann unabhängig der Einstellung immer verwendet werden.",
         "eas_reset": "ActiveSync-Geräte-Cache zurücksetzen",
         "eas_reset_help": "In vielen Fällen kann ein ActiveSync-Profil durch das Zurücksetzen des Caches repariert werden.<br><b>Vorsicht:</b> Alle Elemente werden erneut heruntergeladen!",
         "eas_reset_now": "Jetzt zurücksetzen",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 727fd687c..78059c0b8 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -483,10 +483,13 @@
         "mailboxes_in_use": "Max. mailboxes must be greater or equal to %d",
         "malformed_username": "Malformed username",
         "map_content_empty": "Map content cannot be empty",
+        "max_age_invalid": "Max age %s is invalid",
         "max_alias_exceeded": "Max. aliases exceeded",
         "max_mailbox_exceeded": "Max. mailboxes exceeded (%d of %d)",
         "max_quota_in_use": "Mailbox quota must be greater or equal to %d MiB",
         "maxquota_empty": "Max. quota per mailbox must not be 0.",
+        "mode_invalid": "Mode %s is invalid",
+        "mx_invalid": "MX record %s is invalid",
         "mysql_error": "MySQL error: %s",
         "network_host_invalid": "Invalid network or host: %s",
         "next_hop_interferes": "%s interferes with nexthop %s",
@@ -550,6 +553,7 @@
         "username_invalid": "Username %s cannot be used",
         "validity_missing": "Please assign a period of validity",
         "value_missing": "Please provide all values",
+        "version_invalid": "Version %s is invalid",
         "yotp_verification_failed": "Yubico OTP verification failed: %s"
     },
     "datatables": {
@@ -704,6 +708,17 @@
         "maxbytespersecond": "Max. bytes per second <br><small>(0 = unlimited)</small>",
         "mbox_rl_info": "This rate limit is applied on the SASL login name, it matches any \"from\" address used by the logged-in user. A mailbox rate limit overrides a domain-wide rate limit.",
         "mins_interval": "Interval (min)",
+        "mta_sts": "MTA-STS",
+        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> is a standard that enforces email delivery between mail servers to use TLS with valid certificates. <br>It is used when <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> is not possible due to missing or unsupported DNSSEC.<br><b>Note</b>: If the receiving domain supports DANE with DNSSEC, DANE is <b>always</b> preferred – MTA-STS only acts as a fallback.",
+        "mta_sts_version": "Version",
+        "mta_sts_version_info": "Defines the version of the MTA-STS standard – currently only <code>STSv1</code> is valid." ,
+        "mta_sts_mode": "Mode",
+        "mta_sts_mode_info": "There are three modes to choose from:<ul><li><em>testing</em> – policy is only monitored, violations have no impact.</li><li><em>enforce</em> – policy is strictly enforced, connections without valid TLS are rejected.</li><li><em>none</em> – policy is published but not applied.</li></ul>",
+        "mta_sts_max_age": "Max age",
+        "mta_sts_max_age_info": "Time in seconds that receiving mail servers may cache this policy until refetching.",
+        "mta_sts_mx": "MX server",
+        "mta_sts_mx_info": "Allows sending only to explicitly listed mail server hostnames; the sending MTA checks if the DNS MX hostname matches the policy list, and only allows delivery with a valid TLS certificate (guards against MITM).",
+        "mta_sts_mx_notice": "Multiple MX servers can be specified (separated by commas).",
         "multiple_bookings": "Multiple bookings",
         "none_inherit": "None / Inherit",
         "nexthop": "Next hop",
diff --git a/data/web/mta-sts.php b/data/web/mta-sts.php
new file mode 100644
index 000000000..51c39eb2f
--- /dev/null
+++ b/data/web/mta-sts.php
@@ -0,0 +1,30 @@
+<?php
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
+
+if (!isset($_SERVER['HTTP_HOST']) || strpos($_SERVER['HTTP_HOST'], 'mta-sts.') !== 0) {
+  http_response_code(404);
+  exit;
+}
+
+$domain = str_replace('mta-sts.', '', $_SERVER['HTTP_HOST']);
+$mta_sts = mailbox('get', 'mta_sts', $domain);
+
+if (count($mta_sts) == 0 ||
+    !isset($mta_sts['version']) ||
+    !isset($mta_sts['mode']) ||
+    !isset($mta_sts['max_age']) ||
+    !isset($mta_sts['mx']) ||
+    $mta_sts['active'] != 1) {
+  http_response_code(404);
+  exit;
+}
+
+header('Content-Type: text/plain; charset=utf-8');
+echo "version: {$mta_sts['version']}\n";
+echo "mode: {$mta_sts['mode']}\n";
+echo "max_age: {$mta_sts['max_age']}\n";
+foreach ($mta_sts['mx'] as $mx) {
+  echo "mx: {$mx}\n";
+}
+
+?>
diff --git a/data/web/templates/edit/domain.twig b/data/web/templates/edit/domain.twig
index 6d1d85c73..774b30996 100644
--- a/data/web/templates/edit/domain.twig
+++ b/data/web/templates/edit/domain.twig
@@ -8,6 +8,7 @@
       <li role="presentation" class="nav-item"><button class="nav-link" data-bs-toggle="tab" data-bs-target="#dratelimit">{{ lang.edit.ratelimit }}</button></li>
       <li role="presentation" class="nav-item"><button class="nav-link" data-bs-toggle="tab" data-bs-target="#dspamfilter">{{ lang.edit.spam_filter }}</button></li>
       <li role="presentation" class="nav-item"><button class="nav-link" data-bs-toggle="tab" data-bs-target="#dqwbcc">{{ lang.edit.quota_warning_bcc }}</button></li>
+      <li role="presentation" class="nav-item"><button class="nav-link" data-bs-toggle="tab" data-bs-target="#dmtasts">{{ lang.edit.mta_sts }}</button></li>
       <li role="presentation" class="nav-item"><button class="nav-link" data-bs-toggle="tab" data-bs-target="#dfooter">{{ lang.edit.domain_footer }}</button></li>
     </ul>
     <hr class="d-none d-md-block">
@@ -278,6 +279,82 @@
             </div>
         </div>
       </div>
+      <div id="dmtasts" class="tab-pane fade" role="tabpanel" aria-labelledby="domain-mtasts">
+        <div class="card mb-4">
+            <div class="card-header d-flex d-md-none fs-5">
+              <button class="btn flex-grow-1 text-start" data-bs-target="#collapse-tab-mtasts" data-bs-toggle="collapse" aria-controls="collapse-tab-mtasts">
+                {{ lang.edit.mta_sts }} <span class="badge bg-info table-lines"></span>
+              </button>
+            </div>
+            <div id="collapse-tab-mtasts" class="card-body collapse" data-bs-parent="#domain-content">
+                <h4>{{ lang.edit.mta_sts }}</h4>
+                <p>{{ lang.edit.mta_sts_info|raw }}</p>
+                <form data-id="dommtasts" method="post">
+                  <input type="hidden" value="0" name="active">
+                  <input type="hidden" value="{{ domain }}" name="domain">
+                  <div class="row mb-2">
+                    <label class="control-label col-sm-2" for="version"> 
+                      <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.edit.mta_sts_version_info|raw }}"></i>
+                      {{ lang.edit.mta_sts_version }}
+                    </label>
+                    <div class="col-sm-10">
+                      <select data-style="btn btn-light" class="form-control" name="version" title="" required>
+                        <option value="stsv1"{% if mta_sts.version == 'STSv1' %} selected{% endif %}>STSv1</option>
+                      </select>
+                    </div>
+                  </div>
+                  <div class="row mb-2">
+                    <label class="control-label col-sm-2" for="mode">
+                    <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.edit.mta_sts_mode_info|raw }}"></i>
+                      {{ lang.edit.mta_sts_mode }}
+                    </label>
+                    <div class="col-sm-10">
+                      <select data-style="btn btn-light" class="form-control" name="mode" title="" required>
+                        <option value="enforce"{% if mta_sts.mode == 'enforce' %} selected{% endif %}>enforce</option>
+                        <option value="testing"{% if mta_sts.mode == 'testing' %} selected{% endif %}>testing</option>
+                        <option value="none"{% if mta_sts.mode == 'none' %} selected{% endif %}>none</option>
+                      </select>
+                    </div>
+                  </div>
+                  <div class="row mb-2">
+                    <label class="control-label col-sm-2" for="max_age">
+                      <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.edit.mta_sts_max_age_info|raw }}"></i>
+                      {{ lang.edit.mta_sts_max_age }}
+                    </label>
+                    <div class="col-sm-10">
+                      <input type="number" class="form-control" name="max_age" value="{{ mta_sts.max_age }}">
+                    </div>
+                  </div>
+                  <div class="row mb-2">
+                    <label class="control-label col-sm-2" for="mx">
+                      <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.edit.mta_sts_mx_info|raw }}"></i>
+                      {{ lang.edit.mta_sts_mx }}
+                    </label>
+                    <div class="col-sm-10">
+                      <textarea autocorrect="off" autocapitalize="none" class="form-control" rows="5" name="mx">{{ mta_sts.mx }}</textarea>
+                      <small class="text-muted">{{ lang.edit.mta_sts_mx_notice|raw }}</small>
+                    </div>
+                  </div>
+                  <div class="row mb-4">
+                    <div class="offset-sm-2 col-sm-10">
+                      <div class="form-check">
+                        <label><input type="checkbox" class="form-check-input" value="1" name="active"{% if mta_sts.active == '1' %} checked{% endif %}> {{ lang.edit.active }}</label>
+                      </div>
+                    </div>
+                  </div>
+                  <div class="row mb-2">
+                    <div class="offset-sm-2 col-sm-10">
+                      {% if mta_sts == false %}
+                      <button class="btn btn-xs-lg d-block d-sm-inline btn-secondary" data-action="add_item" data-id="dommtasts" data-item="{{ domain }}" data-api-url='add/mta-sts' data-api-attr='{}' href="#">{{ lang.admin.save }}</button>
+                      {% else %}
+                      <button class="btn btn-xs-lg d-block d-sm-inline btn-secondary" data-action="edit_selected" data-id="dommtasts" data-item="{{ domain }}" data-api-url='edit/mta-sts' data-api-attr='{}' href="#">{{ lang.admin.save }}</button>
+                      {% endif %}
+                    </div>
+                  </div>
+                </form>
+            </div>
+        </div>
+      </div>
       <div id="dfooter" class="tab-pane fade" role="tabpanel" aria-labelledby="domain-footer">
         <div class="card mb-4">
             <div class="card-header d-flex d-md-none fs-5">
diff --git a/docker-compose.yml b/docker-compose.yml
index c55158dbb..cbccbcde4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -338,7 +338,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: ghcr.io/mailcow/postfix:1.80
+      image: ghcr.io/mailcow/postfix:1.81
       depends_on:
         mysql-mailcow:
           condition: service_started
@@ -440,7 +440,7 @@ services:
           condition: service_started
         unbound-mailcow:
           condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.93
+      image: ghcr.io/mailcow/acme:1.94
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:

From e1410baaebbf3a67dc0e558a8cc2cd0b1652b45d Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Tue, 26 Aug 2025 09:58:18 +0200
Subject: [PATCH 303/378] fix gitignore

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 8d0fe16fd..a06c3da7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,4 +75,4 @@ refresh_images.sh
 update_diffs/
 create_cold_standby.sh
 !data/conf/nginx/mailcow_auth.conf
-data/conf/postfix/mta-sts-resolver
\ No newline at end of file
+data/conf/postfix/postfix-tlspol
\ No newline at end of file

From 3826c4b5be9d04805a807b922dc96b41128814af Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Tue, 26 Aug 2025 10:10:16 +0200
Subject: [PATCH 304/378] fix postfix tlspol missing folders for config

---
 data/Dockerfiles/postfix/postfix.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index fcb6c26a2..44b7d7d39 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -3,6 +3,7 @@
 trap "postfix stop" EXIT
 
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
+[[ ! -d /opt/postfix/conf/postfix-tlspol ]] && mkdir -p /opt/postfix/conf/postfix-tlspol
 [[ ! -d /etc/postfix-tlspol ]] && mkdir -p /etc/postfix-tlspol
 [[ ! -d /var/lib/postfix-tlspol ]] && mkdir -p /var/lib/postfix-tlspol
 

From 169aafec505ca1fd69e303c7eab6c53d63d14867 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 27 Aug 2025 14:09:29 +0200
Subject: [PATCH 305/378] compose: fix dovecot image tag

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index cbccbcde4..5878a8b49 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -251,7 +251,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: ghcr.io/mailcow/dovecot:2.34
+      image: ghcr.io/mailcow/dovecot:2.35
       depends_on:
         - mysql-mailcow
         - netfilter-mailcow

From 1cb38bacdb0d652781007175fc37eb0361da6aa4 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 28 Aug 2025 10:18:18 +0200
Subject: [PATCH 306/378] Postfix: Split TLSPol companion app into separate
 container (#6688)

* postfix: split postfix-tlspol service into new container

* postfix-tls-pol: added debug mode

* pf-tlspol: removed obsoleted standalone conf from Dockerfiles

* pf-tlspol: use git instead of wget
---
 data/Dockerfiles/postfix-tlspol/Dockerfile    | 49 +++++++++++++++++
 .../postfix-tlspol/docker-entrypoint.sh       |  7 +++
 .../postfix-tlspol/postfix-tlspol.sh          | 52 +++++++++++++++++++
 .../postfix-tlspol/stop-supervisor.sh         |  8 +++
 .../postfix-tlspol/supervisord.conf           | 25 +++++++++
 .../postfix-tlspol/syslog-ng-redis_slave.conf | 45 ++++++++++++++++
 .../Dockerfiles/postfix-tlspol/syslog-ng.conf | 45 ++++++++++++++++
 data/Dockerfiles/postfix/Dockerfile           | 11 ----
 data/Dockerfiles/postfix/postfix.sh           | 23 --------
 data/Dockerfiles/postfix/supervisord.conf     |  9 ----
 data/conf/postfix/main.cf                     |  2 +-
 docker-compose.yml                            | 25 +++++++++
 12 files changed, 257 insertions(+), 44 deletions(-)
 create mode 100644 data/Dockerfiles/postfix-tlspol/Dockerfile
 create mode 100755 data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
 create mode 100755 data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
 create mode 100755 data/Dockerfiles/postfix-tlspol/stop-supervisor.sh
 create mode 100644 data/Dockerfiles/postfix-tlspol/supervisord.conf
 create mode 100644 data/Dockerfiles/postfix-tlspol/syslog-ng-redis_slave.conf
 create mode 100644 data/Dockerfiles/postfix-tlspol/syslog-ng.conf

diff --git a/data/Dockerfiles/postfix-tlspol/Dockerfile b/data/Dockerfiles/postfix-tlspol/Dockerfile
new file mode 100644
index 000000000..95a035265
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/Dockerfile
@@ -0,0 +1,49 @@
+FROM golang:1.25-bookworm AS builder
+WORKDIR /src
+
+ENV CGO_ENABLED=0 \
+    GO111MODULE=on \
+    VERSION=1.8.14
+
+RUN git clone --branch v${VERSION} https://github.com/Zuplu/postfix-tlspol && \
+    cd /src/postfix-tlspol && \
+    scripts/build.sh build-only
+
+
+FROM debian:bookworm-slim
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+ENV LC_ALL=C
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+	ca-certificates \
+	dirmngr \
+  	dnsutils \
+	iputils-ping \
+	sudo \
+	supervisor \
+	redis-tools \
+	syslog-ng \
+	syslog-ng-core \
+	syslog-ng-mod-redis \
+  	tzdata \
+	&& rm -rf /var/lib/apt/lists/* \
+	&& touch /etc/default/locale
+
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY postfix-tlspol.sh /opt/postfix-tlspol.sh
+COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+COPY --from=builder /src/postfix-tlspol/build/postfix-tlspol /usr/local/bin/postfix-tlspol
+
+RUN chmod +x /opt/postfix-tlspol.sh \
+  /usr/local/sbin/stop-supervisor.sh \
+  /docker-entrypoint.sh
+RUN rm -rf /tmp/* /var/tmp/*
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
\ No newline at end of file
diff --git a/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh b/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
new file mode 100755
index 000000000..8c4f2c43e
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+fi
+
+exec "$@"
\ No newline at end of file
diff --git a/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh b/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
new file mode 100755
index 000000000..407a08f6f
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+LOGLVL=info
+
+if [ ${DEV_MODE} != "n" ]; then
+  echo -e "\e[31mEnabling debug mode\e[0m"
+  set -x
+  LOGLVL=debug
+fi
+
+[[ ! -d /etc/postfix-tlspol ]] && mkdir -p /etc/postfix-tlspol
+[[ ! -d /var/lib/postfix-tlspol ]] && mkdir -p /var/lib/postfix-tlspol
+
+until dig +short mailcow.email > /dev/null; do
+  echo "Waiting for DNS..."
+  sleep 1
+done
+
+# Do not attempt to write to slave
+if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+else
+  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+fi
+
+until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Redis..."
+  sleep 2
+done
+
+echo "Waiting for Postfix..."
+until ping postfix -c1 > /dev/null; do
+  sleep 1
+done
+echo "Postfix OK"
+
+cat <<EOF > /etc/postfix-tlspol/config.yaml
+server:
+  address: 0.0.0.0:8642
+
+  log-level: ${LOGLVL}
+
+  prefetch: true
+
+  cache-file: /var/lib/postfix-tlspol/cache.db
+
+dns:
+  # must support DNSSEC
+  address: 127.0.0.11:53
+EOF
+
+/usr/local/bin/postfix-tlspol -config /etc/postfix-tlspol/config.yaml
\ No newline at end of file
diff --git a/data/Dockerfiles/postfix-tlspol/stop-supervisor.sh b/data/Dockerfiles/postfix-tlspol/stop-supervisor.sh
new file mode 100755
index 000000000..5394490ce
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/stop-supervisor.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+printf "READY\n";
+
+while read line; do
+  echo "Processing Event: $line" >&2;
+  kill -3 $(cat "/var/run/supervisord.pid")
+done < /dev/stdin
diff --git a/data/Dockerfiles/postfix-tlspol/supervisord.conf b/data/Dockerfiles/postfix-tlspol/supervisord.conf
new file mode 100644
index 000000000..90cf785ad
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/supervisord.conf
@@ -0,0 +1,25 @@
+[supervisord]
+pidfile=/var/run/supervisord.pid
+nodaemon=true
+user=root
+
+[program:syslog-ng]
+command=/usr/sbin/syslog-ng --foreground  --no-caps
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+
+[program:postfix-tlspol]
+startsecs=10
+autorestart=true
+command=/opt/postfix-tlspol.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[eventlistener:processes]
+command=/usr/local/sbin/stop-supervisor.sh
+events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL
\ No newline at end of file
diff --git a/data/Dockerfiles/postfix-tlspol/syslog-ng-redis_slave.conf b/data/Dockerfiles/postfix-tlspol/syslog-ng-redis_slave.conf
new file mode 100644
index 000000000..3862a3547
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/syslog-ng-redis_slave.conf
@@ -0,0 +1,45 @@
+@version: 3.38
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  dns_cache(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats_freq(0);
+  bad_hostname("^gconfd$");
+};
+source s_src {
+  unix-stream("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
+  redis(
+    host("`REDIS_SLAVEOF_IP`")
+    persist-name("redis1")
+    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+  );
+};
+filter f_mail { facility(mail); };
+# start
+# overriding warnings are still displayed when the entrypoint runs its initial check
+# warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
+# Some other warnings are ignored
+filter f_ignore {
+  not match("overriding earlier entry" value("MESSAGE"));
+  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
+  not match("no SASL support" value("MESSAGE"));
+  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
+};
+# end
+log {
+  source(s_src);
+  filter(f_ignore);
+  destination(d_stdout);
+  filter(f_mail);
+  destination(d_redis_ui_log);
+};
diff --git a/data/Dockerfiles/postfix-tlspol/syslog-ng.conf b/data/Dockerfiles/postfix-tlspol/syslog-ng.conf
new file mode 100644
index 000000000..7126c1250
--- /dev/null
+++ b/data/Dockerfiles/postfix-tlspol/syslog-ng.conf
@@ -0,0 +1,45 @@
+@version: 3.38
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  dns_cache(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats_freq(0);
+  bad_hostname("^gconfd$");
+};
+source s_src {
+  unix-stream("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
+  redis(
+    host("redis-mailcow")
+    persist-name("redis1")
+    port(6379)
+    auth("`REDISPASS`")
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+  );
+};
+filter f_mail { facility(mail); };
+# start
+# overriding warnings are still displayed when the entrypoint runs its initial check
+# warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
+# Some other warnings are ignored
+filter f_ignore {
+  not match("overriding earlier entry" value("MESSAGE"));
+  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
+  not match("no SASL support" value("MESSAGE"));
+  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
+};
+# end
+log {
+  source(s_src);
+  filter(f_ignore);
+  destination(d_stdout);
+  filter(f_mail);
+  destination(d_redis_ui_log);
+};
diff --git a/data/Dockerfiles/postfix/Dockerfile b/data/Dockerfiles/postfix/Dockerfile
index d1a32917d..994612ec4 100644
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -1,13 +1,3 @@
-FROM golang:1.25-bookworm AS builder
-WORKDIR /src
-
-ENV CGO_ENABLED=0 \
-    GO111MODULE=on
-
-RUN git clone https://github.com/Zuplu/postfix-tlspol.git && \
-	cd postfix-tlspol && \
-	scripts/build.sh build-only
-
 FROM debian:bookworm-slim
 
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
@@ -58,7 +48,6 @@ COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
 COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
-COPY --from=builder /src/postfix-tlspol/build/postfix-tlspol /usr/local/bin/postfix-tlspol
 
 RUN chmod +x /opt/postfix.sh \
   /usr/local/bin/rspamd-pipe-ham \
diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index 44b7d7d39..0a6494ed6 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -3,9 +3,6 @@
 trap "postfix stop" EXIT
 
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
-[[ ! -d /opt/postfix/conf/postfix-tlspol ]] && mkdir -p /opt/postfix/conf/postfix-tlspol
-[[ ! -d /etc/postfix-tlspol ]] && mkdir -p /etc/postfix-tlspol
-[[ ! -d /var/lib/postfix-tlspol ]] && mkdir -p /var/lib/postfix-tlspol
 
 # Wait for MySQL to warm-up
 while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
@@ -506,26 +503,6 @@ if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
 EOF
 fi
 
-cat <<EOF > /opt/postfix/conf/postfix-tlspol/config.yaml
-server:
-  address: 127.0.0.1:8642
-
-  log-level: info
-
-  prefetch: true
-
-  cache-file: /var/lib/postfix-tlspol/cache.db
-
-dns:
-  # must support DNSSEC
-  address: 127.0.0.11:53
-EOF
-
-# Fixing local command execution of postfix-tlspol with symlink to config
-if [ ! -L /etc/postfix-tlspol/config.yaml ]; then
-  ln -s /opt/postfix/conf/postfix-tlspol/config.yaml /etc/postfix-tlspol/config.yaml
-fi
-
 # Fix Postfix permissions
 chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
 chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
diff --git a/data/Dockerfiles/postfix/supervisord.conf b/data/Dockerfiles/postfix/supervisord.conf
index 26fec862c..ba70f8edf 100644
--- a/data/Dockerfiles/postfix/supervisord.conf
+++ b/data/Dockerfiles/postfix/supervisord.conf
@@ -11,15 +11,6 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 
-[program:postfix-tlspol]
-startsecs=10
-autorestart=true
-command=/usr/local/bin/postfix-tlspol -config /opt/postfix/conf/postfix-tlspol/config.yaml
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-
 [program:postfix]
 command=/opt/postfix.sh
 stdout_logfile=/dev/stdout
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index e4354c40c..f091cb3f9 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -152,7 +152,7 @@ smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
 smtp_sasl_security_options =
 smtp_sasl_mechanism_filter = plain, login
-smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf socketmap:inet:127.0.0.1:8642:QUERY
+smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf socketmap:inet:postfix-tlspol:8642:QUERY
 smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
 mail_name = Postcow
 # local_transport map catches local destinations and prevents routing local dests when the next map would route "*"
diff --git a/docker-compose.yml b/docker-compose.yml
index 5878a8b49..1b47cf592 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -378,6 +378,30 @@ services:
           aliases:
             - postfix
 
+    postfix-tlspol-mailcow:
+      image: ghcr.io/mailcow/postfix-tlspol:1.0
+      depends_on:
+        unbound-mailcow:
+          condition: service_healthy
+        postfix-mailcow:
+          condition: service_started
+      volumes:
+        - postfix-tlspol-vol-1:/var/lib/postfix-tlspol
+      environment:
+        - LOG_LINES=${LOG_LINES:-9999}
+        - TZ=${TZ}
+        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
+        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
+        - REDISPASS=${REDISPASS}
+        - DEV_MODE=${DEV_MODE:-n}
+      restart: always
+      dns:
+        - ${IPV4_NETWORK:-172.22.1}.254
+      networks:
+        mailcow-network:
+          aliases:
+            - postfix-tlspol
+
     memcached-mailcow:
       image: memcached:alpine
       restart: always
@@ -649,6 +673,7 @@ volumes:
   redis-vol-1:
   rspamd-vol-1:
   postfix-vol-1:
+  postfix-tlspol-vol-1:
   crypt-vol-1:
   sogo-web-vol-1:
   sogo-userdata-backup-vol-1:

From 29e28b47ed3dac40c8f7522e3dbddad965ff2992 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 28 Aug 2025 10:20:21 +0200
Subject: [PATCH 307/378] compose: add depends on for postfix-tlspol

---
 docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1b47cf592..8fa7e0606 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -344,6 +344,8 @@ services:
           condition: service_started
         unbound-mailcow:
           condition: service_healthy
+        postfix-tlspol-mailcow:
+          condition: service_started
       volumes:
         - ./data/hooks/postfix:/hooks:Z
         - ./data/conf/postfix:/opt/postfix/conf:z
@@ -383,8 +385,6 @@ services:
       depends_on:
         unbound-mailcow:
           condition: service_healthy
-        postfix-mailcow:
-          condition: service_started
       volumes:
         - postfix-tlspol-vol-1:/var/lib/postfix-tlspol
       environment:

From 4d88e191068c0b17a3e0e00d73f417788c756ae2 Mon Sep 17 00:00:00 2001
From: Sajjad hassanzadeh <32982356+Hassanzadeh-sd@users.noreply.github.com>
Date: Thu, 28 Aug 2025 14:06:43 +0330
Subject: [PATCH 308/378] Feat/prometheus-exporter : Add prometheus exporter
 and grafana dashboard for mailcow. (#6314)

* add : readme for prometheus exporter configs

* add : grafana dashboard json file

* add: prometheus exporter service on docker-compose.override.yml

* migrate: doc files into docs.mailcow.email project

* add : security configs in prometheus exporter compose file

* add : explain more in my comment part in prometheus override compose file

* remove : mailcow dockerized docs

---------

Co-authored-by: Saji <saji@abrnoc>
---
 .../docker-compose.override.yml                | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml

diff --git a/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml b/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml
new file mode 100644
index 000000000..6fd4e8e08
--- /dev/null
+++ b/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml
@@ -0,0 +1,18 @@
+services:
+    prometheus-exporter-mailcow:
+      image: ghcr.io/mailcow/prometheus-exporter:2
+      ports:
+        - "9099:9099"
+      restart: always
+      environment:
+        MAILCOW_EXPORTER_HOST: "<your-mail-domain>" # Replace with your Mailcow hostname
+        MAILCOW_EXPORTER_API_KEY: "<your-API-Key>" # Replace with your API key
+        MAILCOW_EXPORTER_TOKEN: "<your-secure-token>" # Replace with your secure key
+        # MAILCOW_EXPORTER_TOKEN_DISABLE: "true" # Uncomment only if it is safe to disable token authentication (e.g., internal network only)
+      dns:
+        - ${IPV4_NETWORK:-172.22.1}.254
+      networks:
+        mailcow-network:
+          ipv4_address: ${IPV4_NETWORK:-172.22.1}.209
+          aliases:
+            - prometheus-exporter

From 5e66ffa36604e8c41bb23c7606ad951ed888b6b4 Mon Sep 17 00:00:00 2001
From: maxi322 <66129899+maxi322@users.noreply.github.com>
Date: Thu, 28 Aug 2025 12:56:37 +0200
Subject: [PATCH 309/378] watchdog: use dig instead of check_dns (#6685)

* watchdog: use dig instead of check_dns

check_dns is slower and uses more system resources,
dig wrapped in a script is a more performant approach and uses
fewer system resources

* added debug mode + compose image bump

---------

Co-authored-by: maxi322 <maxi322@users.noreply.github.com>
Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 data/Dockerfiles/watchdog/Dockerfile   |  5 ++--
 data/Dockerfiles/watchdog/check_dns.sh | 39 ++++++++++++++++++++++++++
 data/Dockerfiles/watchdog/watchdog.sh  |  7 ++++-
 docker-compose.yml                     |  3 +-
 4 files changed, 50 insertions(+), 4 deletions(-)
 create mode 100755 data/Dockerfiles/watchdog/check_dns.sh

diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
index a55a97a4c..6d8541d79 100644
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -16,7 +16,6 @@ RUN apk add --update \
   fcgi \
   openssl \
   nagios-plugins-mysql \
-  nagios-plugins-dns \
   nagios-plugins-disk \
   bind-tools \
   redis \
@@ -32,9 +31,11 @@ RUN apk add --update \
   tzdata \
   whois \
   && curl https://raw.githubusercontent.com/mludvig/smtp-cli/v3.10/smtp-cli -o /smtp-cli \
-  && chmod +x smtp-cli
+  && chmod +x smtp-cli \
+  && mkdir /usr/lib/mailcow
 
 COPY watchdog.sh /watchdog.sh
 COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
+COPY check_dns.sh /usr/lib/mailcow/check_dns.sh
 
 CMD ["/watchdog.sh"]
diff --git a/data/Dockerfiles/watchdog/check_dns.sh b/data/Dockerfiles/watchdog/check_dns.sh
new file mode 100755
index 000000000..ce4cfa3b1
--- /dev/null
+++ b/data/Dockerfiles/watchdog/check_dns.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+while getopts "H:s:" opt; do
+  case "$opt" in
+    H) HOST="$OPTARG" ;;
+    s) SERVER="$OPTARG" ;;
+    *) echo "Usage: $0 -H host -s server"; exit 3 ;;
+  esac
+done
+
+if [ -z "$SERVER" ]; then
+  echo "No DNS Server provided"
+  exit 3
+fi
+
+if [ -z "$HOST" ]; then
+  echo "No host to test provided"
+  exit 3
+fi
+
+# run dig and measure the time it takes to run
+START_TIME=$(date +%s%3N)
+dig_output=$(dig +short +timeout=2 +tries=1 "$HOST" @"$SERVER" 2>/dev/null)
+dig_rc=$?
+dig_output_ips=$(echo "$dig_output" | grep -E '^[0-9.]+$' | sort | paste -sd ',' -)
+END_TIME=$(date +%s%3N)
+ELAPSED_TIME=$((END_TIME - START_TIME))
+
+# validate and perform nagios like output and exit codes
+if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
+  echo "Domain $HOST was not found by the server"
+  exit 2
+elif [ $dig_rc -eq 0 ]; then
+  echo "DNS OK: $ELAPSED_TIME ms response time. $HOST returns $dig_output_ips"
+  exit 0
+else
+  echo "Unknown error"
+  exit 3
+fi
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index d1c659ce8..a087ca5f1 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -1,5 +1,10 @@
 #!/bin/bash
 
+if [ "${DEV_MODE}" != "n" ]; then
+  echo -e "\e[31mEnabled Debug Mode\e[0m"
+  set -x
+fi
+
 trap "exit" INT TERM
 trap "kill 0" EXIT
 
@@ -297,7 +302,7 @@ unbound_checks() {
     touch /tmp/unbound-mailcow; echo "$(tail -50 /tmp/unbound-mailcow)" > /tmp/unbound-mailcow
     host_ip=$(get_container_ip unbound-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_dns -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/mailcow/check_dns.sh -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
     DNSSEC=$(dig com +dnssec | egrep 'flags:.+ad')
     if [[ -z ${DNSSEC} ]]; then
       echo "DNSSEC failure" 2>> /tmp/unbound-mailcow 1>&2
diff --git a/docker-compose.yml b/docker-compose.yml
index 8fa7e0606..ce33e3d93 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -521,7 +521,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: ghcr.io/mailcow/watchdog:2.08
+      image: ghcr.io/mailcow/watchdog:2.09
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       tmpfs:
@@ -588,6 +588,7 @@ services:
         - OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5}
         - MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20}
         - MAILQ_CRIT=${MAILQ_CRIT:-30}
+        - DEV_MODE=${DEV_MODE:-n}
       networks:
         mailcow-network:
           aliases:

From 6c5d82c4df2cf24be38608e45b4e1e6bed6e61b2 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 28 Aug 2025 14:06:17 +0200
Subject: [PATCH 310/378] expanded postscreen whitelist with modern freemailers
 + included checks.mailcow.email

---
 data/conf/postfix/postscreen_access.cidr      | 98 +++++++++++++++----
 helper-scripts/update_postscreen_whitelist.sh |  5 +-
 2 files changed, 82 insertions(+), 21 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 4453feca3..1783620dd 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,13 +1,25 @@
-# Whitelist generated by Postwhite v3.4 on Fri Aug  1 00:24:14 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Do 28. Aug 14:05:16 CEST 2025
 # https://github.com/stevejenkins/postwhite/
-# 2166 total rules
+# 2225 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
+2a01:111:f403::/49	permit
 2a01:111:f403:8000::/50	permit
 2a01:111:f403:8000::/51	permit
-2a01:111:f403::/49	permit
 2a01:111:f403:c000::/51	permit
 2a01:111:f403:f000::/52	permit
+2a01:238:20a:202:5370::1	permit
+2a01:238:20a:202:5372::1	permit
+2a01:238:20a:202:5373::1	permit
+2a01:238:400:101:53::1	permit
+2a01:238:400:102:53::1	permit
+2a01:238:400:103:53::1	permit
+2a01:238:400:301:53::1	permit
+2a01:238:400:302:53::1	permit
+2a01:238:400:303:53::1	permit
+2a01:238:400:470:53::1	permit
+2a01:238:400:471:53::1	permit
+2a01:238:400:472:53::1	permit
 2a01:b747:3000:200::/56	permit
 2a01:b747:3001:200::/56	permit
 2a01:b747:3002:200::/56	permit
@@ -17,16 +29,17 @@
 2a01:b747:3006:200::/56	permit
 2a02:a60:0:5::/64	permit
 2c0f:fb50:4000::/36	permit
-2.207.151.53	permit
 2.207.217.30	permit
 3.64.237.68	permit
 3.65.3.180	permit
 3.70.123.177	permit
 3.72.182.33	permit
 3.74.81.189	permit
+3.74.125.228	permit
 3.75.33.185	permit
 3.93.157.0/24	permit
 3.94.40.108	permit
+3.121.107.214	permit
 3.129.120.190	permit
 3.210.190.0/24	permit
 3.211.80.218	permit
@@ -42,7 +55,7 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.253.40	permit
+13.107.253.44	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -64,6 +77,8 @@
 18.97.2.64/26	permit
 18.156.89.250	permit
 18.156.205.64	permit
+18.157.70.148	permit
+18.157.114.255	permit
 18.157.243.190	permit
 18.158.153.154	permit
 18.194.95.56	permit
@@ -75,9 +90,7 @@
 18.216.232.154	permit
 18.235.27.253	permit
 18.236.40.242	permit
-18.236.56.161	permit
 20.51.6.32/30	permit
-20.51.98.61	permit
 20.52.52.2	permit
 20.52.128.133	permit
 20.59.80.4/30	permit
@@ -153,7 +166,6 @@
 34.212.163.75	permit
 34.215.104.144	permit
 34.218.115.239	permit
-34.218.116.3	permit
 34.225.212.172	permit
 34.241.242.183	permit
 35.83.148.184	permit
@@ -171,6 +183,7 @@
 37.218.249.47	permit
 37.218.251.62	permit
 39.156.163.64/29	permit
+40.90.65.81	permit
 40.92.0.0/15	permit
 40.92.0.0/16	permit
 40.107.0.0/16	permit
@@ -178,6 +191,7 @@
 40.233.64.216	permit
 40.233.83.78	permit
 40.233.88.28	permit
+43.239.212.33	permit
 44.206.138.57	permit
 44.210.169.44	permit
 44.217.45.156	permit
@@ -188,7 +202,10 @@
 44.246.68.102	permit
 44.246.77.92	permit
 45.14.148.0/22	permit
-46.19.170.16	permit
+45.143.132.0/24	permit
+45.143.133.0/24	permit
+45.143.134.0/24	permit
+45.143.135.0/24	permit
 46.226.48.0/21	permit
 46.228.36.37	permit
 46.228.36.38/31	permit
@@ -254,6 +271,9 @@
 50.56.130.221	permit
 50.56.130.222	permit
 50.112.246.219	permit
+51.77.79.158	permit
+51.83.17.38	permit
+51.89.119.103	permit
 52.1.14.157	permit
 52.5.230.59	permit
 52.6.74.205	permit
@@ -304,6 +324,8 @@
 52.234.172.96/28	permit
 52.235.253.128	permit
 52.236.28.240/28	permit
+54.36.149.183	permit
+54.38.221.122	permit
 54.90.148.255	permit
 54.165.19.38	permit
 54.174.52.0/24	permit
@@ -324,6 +346,7 @@
 54.255.61.23	permit
 56.124.6.228	permit
 57.103.64.0/18	permit
+57.129.93.249	permit
 62.13.128.0/24	permit
 62.13.129.128/25	permit
 62.13.136.0/21	permit
@@ -643,6 +666,11 @@
 77.238.189.142	permit
 77.238.189.146/31	permit
 77.238.189.148/30	permit
+79.135.106.0/24	permit
+79.135.107.0/24	permit
+81.169.146.243	permit
+81.169.146.245	permit
+81.169.146.246	permit
 81.223.46.0/27	permit
 82.165.159.2	permit
 82.165.159.3	permit
@@ -658,7 +686,17 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
+85.9.206.169	permit
+85.9.210.45	permit
 85.158.136.0/21	permit
+85.215.255.39	permit
+85.215.255.40	permit
+85.215.255.41	permit
+85.215.255.45	permit
+85.215.255.46	permit
+85.215.255.47	permit
+85.215.255.48	permit
+85.215.255.49	permit
 86.61.88.25	permit
 87.238.80.0/21	permit
 87.248.103.12	permit
@@ -698,6 +736,7 @@
 87.248.117.205	permit
 87.253.232.0/21	permit
 89.22.108.0/24	permit
+91.134.188.129	permit
 91.198.2.0/24	permit
 91.211.240.0/22	permit
 94.236.119.0/26	permit
@@ -1342,9 +1381,9 @@
 108.174.6.215	permit
 108.175.18.45	permit
 108.175.30.45	permit
-108.177.8.0/22	permit
-108.177.96.0/19	permit
+108.177.96.0/20	permit
 108.179.144.0/20	permit
+109.224.244.0/24	permit
 109.237.142.0/24	permit
 111.221.23.128/25	permit
 111.221.26.0/27	permit
@@ -1508,7 +1547,6 @@
 148.105.0.0/16	permit
 148.105.8.0/21	permit
 149.72.0.0/16	permit
-149.72.223.204	permit
 149.72.248.236	permit
 149.97.173.180	permit
 150.230.98.160	permit
@@ -1623,7 +1661,6 @@
 169.148.144.0/25	permit
 169.148.144.10	permit
 169.148.146.0/23	permit
-169.148.174.33	permit
 169.148.175.3	permit
 169.148.188.0/24	permit
 169.148.188.182	permit
@@ -1671,6 +1708,9 @@
 185.12.80.0/22	permit
 185.28.196.0/22	permit
 185.58.84.93	permit
+185.70.40.0/24	permit
+185.70.41.0/24	permit
+185.70.43.0/24	permit
 185.80.93.204	permit
 185.80.93.227	permit
 185.80.95.31	permit
@@ -1732,6 +1772,7 @@
 188.125.85.234/31	permit
 188.125.85.236/31	permit
 188.125.85.238	permit
+188.165.51.139	permit
 188.172.128.0/20	permit
 192.0.64.0/18	permit
 192.18.139.154	permit
@@ -1757,7 +1798,11 @@
 193.142.157.0/24	permit
 193.142.157.191	permit
 193.142.157.198	permit
+193.201.168.38	permit
+193.201.168.170/31	permit
 194.19.134.0/25	permit
+194.25.134.16/28	permit
+194.25.134.80/28	permit
 194.64.234.129	permit
 194.97.196.0/24	permit
 194.97.196.3	permit
@@ -1957,8 +2002,6 @@
 208.71.42.212/31	permit
 208.71.42.214	permit
 208.72.249.240/29	permit
-208.74.204.5	permit
-208.74.204.9	permit
 208.75.120.0/22	permit
 208.76.62.0/24	permit
 208.76.63.0/24	permit
@@ -2022,6 +2065,8 @@
 212.227.15.4	permit
 212.227.15.5	permit
 212.227.15.6	permit
+212.227.15.7	permit
+212.227.15.8	permit
 212.227.15.14	permit
 212.227.15.15	permit
 212.227.15.18	permit
@@ -2038,16 +2083,30 @@
 212.227.15.53	permit
 212.227.15.54	permit
 212.227.15.55	permit
+212.227.17.1	permit
+212.227.17.2	permit
+212.227.17.7	permit
 212.227.17.11	permit
 212.227.17.12	permit
+212.227.17.16	permit
+212.227.17.17	permit
 212.227.17.18	permit
 212.227.17.19	permit
 212.227.17.20	permit
 212.227.17.21	permit
 212.227.17.22	permit
 212.227.17.26	permit
+212.227.17.27	permit
 212.227.17.28	permit
 212.227.17.29	permit
+212.227.126.206	permit
+212.227.126.207	permit
+212.227.126.208	permit
+212.227.126.209	permit
+212.227.126.220	permit
+212.227.126.221	permit
+212.227.126.222	permit
+212.227.126.223	permit
 212.227.126.224	permit
 212.227.126.225	permit
 212.227.126.226	permit
@@ -2155,16 +2214,17 @@
 2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
 2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
-2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit
-2620:109:c006:104::/64	permit
+2620:109:c003:104::/64	permit
 2620:109:c006:104::215	permit
+2620:109:c006:104::/64	permit
 2620:109:c00d:104::/64	permit
 2620:10d:c090:400::8:1	permit
 2620:10d:c091:400::8:1	permit
 2620:10d:c09b:400::8:1	permit
 2620:10d:c09c:400::8:1	permit
-2620:119:50c0:207::/64	permit
 2620:119:50c0:207::215	permit
+2620:119:50c0:207::/64	permit
 2800:3f0:4000::/36	permit
-194.25.134.0/24 permit # t-online.de
+49.12.4.251 permit # checks.mailcow.email
+2a01:4f8:c17:7906::10 permit # checks.mailcow.email
diff --git a/helper-scripts/update_postscreen_whitelist.sh b/helper-scripts/update_postscreen_whitelist.sh
index 04335bda5..dda64b263 100644
--- a/helper-scripts/update_postscreen_whitelist.sh
+++ b/helper-scripts/update_postscreen_whitelist.sh
@@ -6,9 +6,10 @@ SPFTOOLS_DIR=${WORKING_DIR}/spf-tools
 POSTWHITE_DIR=${WORKING_DIR}/postwhite
 POSTWHITE_CONF=${POSTWHITE_DIR}/postwhite.conf
 
-CUSTOM_HOSTS='"web.de gmx.net mail.de freenet.de arcor.de unity-mail.de"'
+CUSTOM_HOSTS='"web.de gmx.net mail.de freenet.de arcor.de unity-mail.de protonmail.ch ionos.com strato.com t-online.de"'
 STATIC_HOSTS=(
-    "194.25.134.0/24 permit # t-online.de"
+    "49.12.4.251 permit # checks.mailcow.email"
+    "2a01:4f8:c17:7906::10 permit # checks.mailcow.email"
 )
 
 mkdir ${SCRIPT_DIR}/postwhite_tmp

From 0b0a65a3f338a2e3b191841d6322d4dcc4834e70 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 28 Aug 2025 17:02:16 +0200
Subject: [PATCH 311/378] web: rename login placeholder for mailbox to email
 address (#6693)

---
 data/web/lang/lang.de-de.json      | 3 ++-
 data/web/lang/lang.en-gb.json      | 3 ++-
 data/web/templates/user_index.twig | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 1d2edc1b4..55fc11ab4 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -846,7 +846,8 @@
         "password": "Passwort",
         "reset_password": "Passwort zurücksetzen",
         "request_reset_password": "Passwortänderung anfordern",
-        "username": "Benutzername"
+        "username": "Benutzername",
+        "email": "E-Mail-Adresse"
     },
     "mailbox": {
         "action": "Aktion",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 78059c0b8..4ee5675be 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -847,7 +847,8 @@
         "password": "Password",
         "reset_password": "Reset Password",
         "request_reset_password": "Request password change",
-        "username": "Username"
+        "username": "Username",
+        "email": "Email address"
     },
     "mailbox": {
         "action": "Action",
diff --git a/data/web/templates/user_index.twig b/data/web/templates/user_index.twig
index 234aa01cb..28eb6389c 100644
--- a/data/web/templates/user_index.twig
+++ b/data/web/templates/user_index.twig
@@ -48,7 +48,7 @@
             <label class="visually-hidden" for="login_user">{{ lang.login.username }}</label>
             <div class="input-group">
               <div class="input-group-text"><i class="bi bi-person-fill"></i></div>
-              <input name="login_user" autocorrect="off" autocapitalize="none" type="{% if is_mobileconfig %}email{% else %}text{% endif %}" id="login_user" class="form-control" placeholder="{{ lang.login.username }}" required="" autofocus="" autocomplete="username">
+              <input name="login_user" autocorrect="off" autocapitalize="none" type="{% if is_mobileconfig %}email{% else %}text{% endif %}" id="login_user" class="form-control" placeholder="{{ lang.login.email }}" required="" autofocus="" autocomplete="username">
             </div>
           </div>
           <div class="d-flex mt-3">

From c0b7a98e6c44c62ee06eb7462ac05d313e2a808e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 29 Aug 2025 18:23:56 +0200
Subject: [PATCH 312/378] chore(deps): update actions/checkout action to v5
 (#6671)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/image_builds.yml                  | 2 +-
 .github/workflows/pr_to_nightly.yml                 | 2 +-
 .github/workflows/rebuild_backup_image.yml          | 2 +-
 .github/workflows/update_postscreen_access_list.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/image_builds.yml b/.github/workflows/image_builds.yml
index 27fc9a2d5..a5ebb902f 100644
--- a/.github/workflows/image_builds.yml
+++ b/.github/workflows/image_builds.yml
@@ -27,7 +27,7 @@ jobs:
           - "watchdog-mailcow"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup Docker
         run: |
           curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
diff --git a/.github/workflows/pr_to_nightly.yml b/.github/workflows/pr_to_nightly.yml
index 51df14f6e..334dcf69a 100644
--- a/.github/workflows/pr_to_nightly.yml
+++ b/.github/workflows/pr_to_nightly.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Run the Action
diff --git a/.github/workflows/rebuild_backup_image.yml b/.github/workflows/rebuild_backup_image.yml
index adf69eb35..a8679d980 100644
--- a/.github/workflows/rebuild_backup_image.yml
+++ b/.github/workflows/rebuild_backup_image.yml
@@ -13,7 +13,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/update_postscreen_access_list.yml b/.github/workflows/update_postscreen_access_list.yml
index 3d79e801b..eed07876e 100644
--- a/.github/workflows/update_postscreen_access_list.yml
+++ b/.github/workflows/update_postscreen_access_list.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: Generate postscreen_access.cidr
       run: |

From 48e90a72dce562eef8cf237faffe2b03f32d8a28 Mon Sep 17 00:00:00 2001
From: Peter <magic@kthx.at>
Date: Fri, 29 Aug 2025 18:27:34 +0200
Subject: [PATCH 313/378] Changed clamavs tmp folder structure

---
 data/Dockerfiles/clamd/clamd.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/clamd/clamd.sh b/data/Dockerfiles/clamd/clamd.sh
index 2c6e75dc6..c656be065 100755
--- a/data/Dockerfiles/clamd/clamd.sh
+++ b/data/Dockerfiles/clamd/clamd.sh
@@ -8,7 +8,7 @@ fi
 
 # Cleaning up garbage
 echo "Cleaning up tmp files..."
-rm -rf /var/lib/clamav/clamav-*.tmp
+rm -rf /var/lib/clamav/tmp.*
 
 # Prepare whitelist
 

From 921de02a2b09d1a80cc68dca811cbf892b44ee2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A1ndor?= <9724897+sandroshu@users.noreply.github.com>
Date: Fri, 29 Aug 2025 18:32:17 +0200
Subject: [PATCH 314/378] Update lang.hu-hu.json (#6697)

Extended Hungarian translation
---
 data/web/lang/lang.hu-hu.json | 624 +++++++++++++++++++++++++++++++---
 1 file changed, 586 insertions(+), 38 deletions(-)

diff --git a/data/web/lang/lang.hu-hu.json b/data/web/lang/lang.hu-hu.json
index 3b9eb5fbc..6ec3ed68a 100644
--- a/data/web/lang/lang.hu-hu.json
+++ b/data/web/lang/lang.hu-hu.json
@@ -9,11 +9,11 @@
         "source": "Forrás",
         "spamfilter": "Spam szűrő",
         "subject": "Tárgy",
-        "sys_mails": "Rendszer-üzenetek",
+        "sys_mails": "Rendszerüzenetek",
         "text": "Szöveg",
         "time": "Idő",
         "title": "Cím",
-        "title_name": "\"mailcow UI\" website címe",
+        "title_name": "\"mailcow UI\" weboldal címe",
         "to_top": "Vissza a tetejére",
         "transport_dest_format": "Szintaxis: pelda.hu, .pelda.hu, *, fiok@pelda.hu (több érték esetén vesszővel elválasztva)",
         "upload": "Feltöltés",
@@ -29,14 +29,14 @@
         "logo_dark_label": "Sötét üzemmódhoz invertálva",
         "f2b_regex_info": "Figyelembe vett naplók: SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Újrapróbálkozási ablak (s) a maximális próbálkozásokhoz",
-        "f2b_whitelist": "Fehérlistás hálózatok/hostok",
+        "f2b_whitelist": "Engedélyezési listás hálózatok/hostok",
         "filter_table": "Szűrő táblázat",
         "forwarding_hosts": "Továbbító hostok",
-        "forwarding_hosts_add_hint": "Megadhat IPv4/IPv6 címeket, hálózatokat CIDR jelölésben, állomásneveket (amelyek IP-címekre lesznek feloldva) vagy tartományneveket (amelyek IP-címekre lesznek feloldva az SPF rekordok vagy ezek hiányában az MX rekordok lekérdezésével).",
+        "forwarding_hosts_add_hint": "Megadhat IPv4/IPv6 címeket, hálózatokat CIDR jelölésben, állomásneveket (amelyek IP címekre lesznek feloldva) vagy tartományneveket (amelyek IP címekre lesznek feloldva az SPF rekordok vagy ezek hiányában az MX rekordok lekérdezésével).",
         "from": "A címről",
         "copy_to_clipboard": "Szöveg másolva a vágólapra!",
         "f2b_manage_external": "A Fail2Ban külső kezelése",
-        "f2b_manage_external_info": "A Fail2ban továbbra is karbantartja a tiltólistát, de nem állít be aktívan szabályokat a forgalom blokkolására. Használja az alábbi generált tiltólistát a forgalom külső blokkolásához.",
+        "f2b_manage_external_info": "A Fail2ban továbbra is karbantartja a tiltólistát, de nem állít be aktívan szabályokat a forgalom blokkolásához. Használja az alábbi generált tiltólistát a forgalom külső blokkolásához.",
         "f2b_max_ban_time": "Maximális tiltási idő (s)",
         "f2b_netban_ipv4": "IPv4 alhálózat mérete, amelyre tilalmat kell alkalmazni (8-32)",
         "f2b_netban_ipv6": "IPv6 alhálózat mérete, amelyre tilalmat kell alkalmazni (8-128)",
@@ -47,13 +47,13 @@
         "html": "HTML",
         "import": "Import",
         "ip_check": "IP ellenőrzés",
-        "ip_check_disabled": "Az IP-ellenőrzés le van tiltva. Bekapcsolhatja a következő menüpont alatt<br> <strong>Rendszer > Beállítások > Opciók > Személyreszabás</strong>",
+        "ip_check_disabled": "Az IP ellenőrzés le van tiltva. Bekapcsolhatja a következő menüpont alatt<br> <strong>Rendszer > Beállítások > Opciók > Személyreszabás</strong>",
         "is_mx_based": "MX alapú",
         "last_applied": "Utoljára alkalmazott",
         "link": "Link",
         "loading": "Kérjük, várj...",
         "login_time": "Bejelentkezési idő",
-        "f2b_list_info": "Egy feketelistán szereplő állomás vagy hálózat mindig nagyobb súlyú, mint egy fehérlistás entitás. <b>A lista frissítései néhány másodpercig tartanak.</b>",
+        "f2b_list_info": "Egy tiltólistán szereplő állomás vagy hálózat mindig nagyobb súlyú, mint egy engedélyezési listás elem. <b>A lista frissítései néhány másodpercig tartanak.</b>",
         "f2b_ban_time_increment": "A tiltási idő minden egyes tiltással növekszik",
         "additional_rows": " - további sorokat adtak hozzá",
         "admin": "Adminisztrátor",
@@ -68,7 +68,7 @@
         "api_key": "API-kulcs",
         "api_read_only": "Csak olvasható hozzáférés",
         "api_read_write": "Olvasás-írás hozzáférés",
-        "api_skip_ip_check": "IP-ellenőrzés kihagyása az API esetében",
+        "api_skip_ip_check": "IP ellenőrzés kihagyása az API esetében",
         "cors_settings": "CORS beállítások",
         "guid": "GUID - egyedi példányazonosító",
         "dkim_to": "A címre",
@@ -82,8 +82,8 @@
         "edit": "Szerkesztés",
         "empty": "Nincs eredmény",
         "excludes": "Kizárja ezeket a kedvezményezetteket",
-        "f2b_ban_time": "Tilalmi idő (s)",
-        "f2b_blacklist": "Feketelistás hálózatok/hostok",
+        "f2b_ban_time": "Tiltás időtartam (s)",
+        "f2b_blacklist": "Tiltólistás címek",
         "f2b_filter": "Regex szűrők",
         "logo_info": "A képed 40px magasságúra lesz méretezve a felső navigációs sávhoz és max. 250px szélességűre a kezdőlaphoz. A skálázható grafika használata erősen ajánlott.",
         "dkim_add_key": "ARC/DKIM kulcs hozzáadása",
@@ -122,21 +122,187 @@
         "arrival_time": "Érkezési idő (szerveridő)",
         "authed_user": "Azonosított felhasználó",
         "ays": "Biztos, hogy folytatni akarod?",
-        "ban_list_info": "A tiltott IP-címek listáját lásd alább: <b>hálózat (fennmaradó tiltási idő) - [akciók]</b>.<br />A tiltás feloldására várakozó IP-ket néhány másodpercen belül eltávolítjuk az aktív tiltási listáról.<br />A piros címkék a feketelistán szereplő aktív állandó tiltásokat jelzik.",
+        "ban_list_info": "A tiltott IP címek listáját lásd alább: <b>hálózat (fennmaradó tiltási idő) - [akciók]</b>.<br />A tiltás feloldására várakozó IP-ket néhány másodpercen belül eltávolítjuk az aktív tiltási listáról.<br />A piros címkék a tiltólistán szereplő aktív állandó tiltásokat jelzik.",
         "configuration": "Konfiguráció",
         "convert_html_to_text": "HTML átalakítása egyszerű szöveggé",
         "credentials_transport_warning": "<b>Figyelmeztetés</b>: Egy új közlekedési térképbejegyzés hozzáadása frissíti a hitelesítő adatokat minden olyan bejegyzéshez, amelynek a következő ugrás oszlopa megegyezik.",
         "customize": "Testreszabás",
         "destination": "Célállomás",
         "customer_id": "Ügyfél azonosító",
-        "apps_name": "\"mailcow Apps\" név"
+        "apps_name": "\"mailcow Apps\" név",
+        "admin_quicklink": "Gyorshivatkozás elrejtése az Adminisztrátori bejelentkezési oldalra",
+        "app_hide": "Elrejtés a bejelentkezéshez",
+        "domainadmin_quicklink": "Gyorshivatkozás elrejtése a Domain adminisztrátori bejelentkezési oldalra",
+        "filter": "Szűrő",
+        "force_sso_text": "Ha egy külső OIDC-szolgáltató van beállítva, ez az opció elrejti az alapértelmezett mailcow bejelentkezési űrlapokat, és csak az egységes bejelentkezési (Single Sign-On) gombot jeleníti meg",
+        "force_sso": "A mailcow bejelentkezés letiltása és csak az egységes bejelentkezés megjelenítése",
+        "hash_remove_info": "Egy arányszám-korlát hash eltávolítása (ha még létezik) teljesen visszaállítja a számlálóját.<br>\r\n  Minden hash-t egyedi szín jelöl.",
+        "iam": "Azonosítási szolgáltató",
+        "iam_attribute_field": "Attribútum mező",
+        "iam_authorize_url": "Engedélyezési végpont",
+        "iam_auth_flow": "Azonosítási folyamat",
+        "iam_auth_flow_info": "Az engedélyezési kód áramláson (Authorization Code Flow) kívül, amelyet az egységes bejelentkezéshez (Single-Sign On) használnak (ez a standard áramlás Keycloak-ban), a mailcow támogatja a közvetlen hitelesítő adatokkal történő hitelesítési áramlást is. A Jelszóáramlás (Mailpassword Flow) megpróbálja érvényesíteni a felhasználó hitelesítő adatait a Keycloak Admin REST API használatával. A mailcow a <code>mailcow_password</code> attribútumból olvassa be a hash-elt jelszót, amely a Keycloak-ban van leképezve.",
+        "iam_basedn": "Bázis DN",
+        "iam_client_id": "Kliens azonosító",
+        "iam_client_secret": "Kliens titok",
+        "iam_client_scopes": "Kliens hatókörök",
+        "iam_default_template": "Alapértelmezett sablon",
+        "iam_default_template_description": "Ha nincs sablon hozzárendelve egy felhasználóhoz, az alapértelmezett sablon lesz felhasználva a postafiók létrehozásához, de a postafiók frissítéséhez nem.",
+        "iam_description": "Külső azonosítási szolgáltató konfigurálása.<br>A felhasználók postafiókjai automatikusan létrejönnek az első bejelentkezéskor, feltéve, hogy van attribútum-hozzárendelés beállítva.",
+        "iam_extra_permission": "A következő beállításokhoz a Keycloak-ban lévő mailcow kliensnek szüksége van egy <code>Service account</code>-ra és a <code>view-users</code> engedélyre.",
+        "iam_host": "Házigazda",
+        "iam_host_info": "Adjon meg egy vagy több LDAP állomást, vesszővel elválasztva.",
+        "iam_import_users": "Felhasználók importálása",
+        "iam_login_provisioning": "Felhasználók automatikus létrehozása bejelentkezéskor",
+        "iam_mapping": "Attribútum-hozzárendelés",
+        "iam_bindpass": "Bind jelszó",
+        "iam_periodic_full_sync": "Időszakos teljes szinkronizálás",
+        "iam_port": "Port",
+        "iam_realm": "Tartomány",
+        "iam_redirect_url": "Átirányítási URL",
+        "iam_rest_flow": "Mailpassword Flow",
+        "iam_server_url": "Szerver URL",
+        "iam_sso": "Egységes bejelentkezés",
+        "iam_sync_interval": "Szinkronizálási / importálási időtartam (perc)",
+        "iam_test_connection": "Kapcsolat tesztelése",
+        "iam_token_url": "Token végpont",
+        "iam_userinfo_url": "Felhasználói információ végpont",
+        "iam_username_field": "Felhasználónév mező",
+        "iam_binddn": "Bind DN",
+        "iam_use_ssl": "SSL használata",
+        "iam_use_ssl_info": "Ha az SSL-t engedélyezi, és a port 389-re van állítva, az automatikusan felülíródik 636-ra.",
+        "iam_use_tls": "StartTLS használata",
+        "iam_use_tls_info": "Ha a TLS-t engedélyezi, az LDAP szerver alapértelmezett portját kell használnia (389). Az SSL portok nem használhatók.",
+        "iam_version": "Verzió",
+        "ignore_ssl_error": "SSL hibák figyelmen kívül hagyása",
+        "ip_check_opt_in": "Választás a harmadik féltől származó <strong>ipv4.mailcow.email</strong> és <strong>ipv6.mailcow.email</strong> szolgáltatás használatára a külső IP címek feloldásához.",
+        "license_info": "A licensz nem kötelező, de segít a további fejlesztésben.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL order\">Regisztrálja a GUID-ját itt</a> vagy <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Support order\">vásároljon támogatást a mailcow telepítéséhez.</a>",
+        "lookup_mx": "A cél egy reguláris kifejezés, amely illeszkedik az MX névre (<code>.*\\.google\\.com</code>, hogy a google.com-ra végződő MX-en keresztül továbbítsa az összes levelet)",
+        "main_name": "\"mailcow UI\" név",
+        "merged_vars_hint": "A szürkével jelölt sorok a <code>vars.(local.)inc.php</code> fájlból lettek összevonva, és nem módosíthatók.",
+        "message": "Üzenet",
+        "message_size": "Üzenet mérete",
+        "nexthop": "Következő ugrás",
+        "no": "&#10005;",
+        "no_active_bans": "Nincs aktív tiltás",
+        "no_new_rows": "Nincs több sor elérhető",
+        "no_record": "Nincs bejegyzés",
+        "oauth2_apps": "OAuth2 alkalmazások",
+        "oauth2_add_client": "OAuth2 kliens hozzáadása",
+        "oauth2_client_id": "Kliens azonosító",
+        "oauth2_client_secret": "Kliens titok",
+        "oauth2_info": "Az OAuth2 implementáció támogatja az \"Authorization Code\" engedélyezési típust és frissítési tokeneket ad ki.<br>\r\nA szerver automatikusan új frissítési tokeneket is kiad, miután egy frissítési token fel lett használva.<br><br>\r\n&#8226; Az alapértelmezett hatókör a <i>profile</i>. Csak postafiók-felhasználók hitelesíthetők az OAuth2-vel szemben. Ha a scope paraméter elmarad, az visszaesik a <i>profile</i>-ra.<br>\r\n&#8226; A <i>state</i> paramétert a kliensnek kötelező elküldenie az engedélyezési kérelem részeként.<br><br>\r\nAz OAuth2 API-hoz intézett kérések útvonalai: <br>\r\n<ul>\r\n  <li>Engedélyezési végpont: <code>/oauth/authorize</code></li>\r\n  <li>Token végpont: <code>/oauth/token</code></li>\r\n  <li>Erőforrás oldal:  <code>/oauth/profile</code></li>\r\n</ul>\r\nA kliens titok újragenerálása nem jár le a meglévő engedélyezési kódok lejáratával, de azok nem tudják megújítani a tokenjüket.<br><br>\r\nA kliens tokenek visszavonása az összes aktív munkamenet azonnali leállítását okozza. Minden kliensnek újra kell hitelesítenie magát.",
+        "oauth2_redirect_uri": "Átirányítási URI",
+        "oauth2_renew_secret": "Új kliens titok generálása",
+        "oauth2_revoke_tokens": "Minden kliens token visszavonása",
+        "optional": "opcionális",
+        "options": "Opciók",
+        "password": "Jelszó",
+        "password_length": "Jelszó hossza",
+        "password_policy": "Jelszó házirend",
+        "password_policy_chars": "Legalább egy betűkaraktert kell tartalmaznia",
+        "password_policy_length": "A jelszó minimális hossza %d",
+        "password_policy_lowerupper": "Kis- és nagybetűket kell tartalmaznia",
+        "password_policy_numbers": "Legalább egy számot kell tartalmaznia",
+        "password_policy_special_chars": "Speciális karaktereket kell tartalmaznia",
+        "password_repeat": "Megerősítő jelszó (ismétlés)",
+        "password_reset_info": "Ha nincs megadva helyreállítási e-mail cím, ez a funkció nem használható.",
+        "password_reset_settings": "Jelszó-helyreállítási beállítások",
+        "password_reset_tmpl_html": "HTML sablon",
+        "password_reset_tmpl_text": "Szöveges sablon",
+        "password_settings": "Jelszó beállítások",
+        "priority": "Prioritás",
+        "private_key": "Privát kulcs",
+        "quarantine": "Karantén",
+        "quarantine_bcc": "Az összes értesítés másolatának elküldése (BCC) erre a címzettnek:<br><small>Hagyja üresen a letiltáshoz. <b>Aláíratlan, nem ellenőrzött levél. Csak belső kézbesítésre alkalmas.</b></small>",
+        "quarantine_exclude_domains": "Tartományok és alias-tartományok kizárása",
+        "quarantine_max_age": "Maximális életkor napokban<br><small>Az értéknek legalább 1 napnak kell lennie.</small>",
+        "quarantine_max_score": "Az értesítés elvetése, ha egy levél spam pontszáma magasabb ennél az értéknél:<br><small>Alapértelmezett értéke 9999.0</small>",
+        "quarantine_max_size": "Maximális méret MiB-ban (a nagyobb elemeket elveti):<br><small>A 0 <b>nem</b> jelent korlátlant.</small>",
+        "quarantine_notification_html": "Értesítő e-mail sablon:<br><small>Hagyja üresen az alapértelmezett sablon visszaállításához.</small>",
+        "quarantine_notification_sender": "Értesítő e-mail feladója",
+        "quarantine_notification_subject": "Értesítő e-mail tárgya",
+        "quarantine_redirect": "<b>Az összes értesítés átirányítása</b> erre a címzettnek:<br><small>Hagyja üresen a letiltáshoz. <b>Aláíratlan, nem ellenőrzött levél. Csak belső kézbesítésre alkalmas.</b></small>",
+        "quarantine_release_format": "A feloldott elemek formátuma",
+        "quarantine_release_format_att": "Csatolmányként",
+        "quarantine_release_format_raw": "Eredeti, módosítatlan formában",
+        "quarantine_retention_size": "Megőrzések postafiókonként:<br><small>A 0 <b>inaktívat</b> jelent.</small>",
+        "quicklink_text": "A gyorshivatkozások megjelenítése vagy elrejtése a bejelentkezési űrlap alatt",
+        "quota_notification_html": "Értesítő e-mail sablon:<br><small>Hagyja üresen az alapértelmezett sablon visszaállításához.</small>",
+        "quota_notification_sender": "Kvóta értesítő e-mail feladója",
+        "quota_notification_subject": "Kvóta értesítő e-mail tárgya",
+        "quota_notifications": "Kvóta értesítések",
+        "quota_notifications_info": "A kvóta értesítéseket a felhasználók egyszer kapják meg, amikor a 80%-os határt, majd a 95%-os határt átlépik.",
+        "quota_notifications_vars": "{{percent}} a felhasználó aktuális kvótáját jelenti<br>{{username}} a postafiók neve",
+        "queue_unban": "tiltás feloldása",
+        "r_active": "Aktív korlátozások",
+        "r_inactive": "Inaktív korlátozások",
+        "r_info": "A szürkével/letiltva jelölt elemek az aktív korlátozások listáján a mailcow számára nem érvényes korlátozások, és nem mozgathatók. Az ismeretlen korlátozások a megjelenési sorrendben lesznek beállítva. <br>Új elemeket adhat hozzá a <code>inc/vars.local.inc.php</code> fájlban, hogy váltani tudja őket.",
+        "rate_name": "Arányszám neve",
+        "recipients": "Címzettek",
+        "refresh": "Frissítés",
+        "regen_api_key": "API kulcs újragenerálása",
+        "regex_maps": "Regex térképek",
+        "relay_from": "\"Feladó:\" cím",
+        "relay_rcpt": "\"Címzett:\" cím",
+        "relay_run": "Teszt futtatása",
+        "relayhosts": "Feladófüggő szállítások",
+        "relayhosts_hint": "Határozzon meg feladófüggő szállításokat, hogy kiválaszthassa őket egy tartomány konfigurációs párbeszédpanelén.<br>\r\n  A szállítási szolgáltatás mindig \"smtp:\" és ezért megpróbálja a TLS-t, ha felajánlják. A becsomagolt TLS (SMTPS) nem támogatott. A felhasználók egyéni kimenő TLS-szabályzati beállításai figyelembe vételre kerülnek.<br>\r\n  Érintik a kiválasztott tartományokat, beleértve az alias tartományokat is.",
+        "remove": "Eltávolítás",
+        "remove_row": "Sor eltávolítása",
+        "reset_default": "Visszaállítás alapértelmezettre",
+        "reset_limit": "Hash eltávolítása",
+        "reset_password_vars": "<code>{{link}}</code> A generált jelszó-helyreállítási link<br><code>{{username}}</code> A jelszó-helyreállítást kérő felhasználó postafiók neve<br><code>{{username2}}</code> A helyreállítási postafiók neve<br><code>{{date}}</code> A jelszó-helyreállítási kérelem dátuma<br><code>{{token_lifetime}}</code> A token élettartama percekben<br><code>{{hostname}}</code> A mailcow hosztnév",
+        "restore_template": "Hagyja üresen az alapértelmezett sablon visszaállításához.",
+        "routing": "Útválasztás",
+        "rsetting_add_rule": "Szabály hozzáadása",
+        "rsetting_content": "Szabály tartalma",
+        "rsetting_desc": "Rövid leírás",
+        "rsetting_no_selection": "Kérjük, válasszon egy szabályt",
+        "rsetting_none": "Nincsenek elérhető szabályok",
+        "rsettings_insert_preset": "Példa előre beállított \"%s\" beillesztése",
+        "rsettings_preset_1": "Minden letiltása, kivéve a DKIM és az arányszám-korlátot a hitelesített felhasználók számára",
+        "rsettings_preset_2": "A Postmasterek spamet akarnak",
+        "rsettings_preset_3": "Csak bizonyos feladókat engedélyezzen egy postafiók számára (pl. csak belső postafiókként használva)",
+        "rsettings_preset_4": "Rspamd letiltása egy tartomány számára",
+        "rspamd_com_settings": "A beállítás neve automatikusan generálódik, kérjük, nézze meg a lenti példa-előrebeállításokat. További részletekért lásd a <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd dokumentációját</a>",
+        "rspamd_global_filters": "Globális szűrőtérképek",
+        "rspamd_global_filters_agree": "Óvatos leszek!",
+        "rspamd_global_filters_info": "A globális szűrőtérképek különböző típusú globális tiltó- és engedélyezési listákat tartalmaznak.",
+        "rspamd_global_filters_regex": "A nevük elmagyarázza a céljukat. Minden tartalomnak érvényes reguláris kifejezést kell tartalmaznia \"/pattern/options\" formátumban (pl. <code>/.+@domain\\.tld/i</code>).<br>\r\n  Bár alapvető ellenőrzések történnek minden regex soron, az Rspamd funkcionalitása megszakadhat, ha nem sikerül helyesen értelmeznie a szintaxist.<br>\r\n  Az Rspamd megpróbálja elolvasni a térkép tartalmát, amikor az megváltozik. Ha problémákat tapasztal, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">indítsa újra az Rspamd-et</a>, hogy kikényszerítse a térkép újratöltését.<br>A tiltólistára került elemek ki vannak zárva a karanténból.",
+        "rspamd_settings_map": "Rspamd beállítási térkép",
+        "sal_level": "Moo szint",
+        "service": "Szolgáltatás",
+        "service_id": "Szolgáltatás azonosító",
+        "sys_mails": "Rendszer e-mailek",
+        "task": "Feladat",
+        "transport_maps": "Szállítási térképek",
+        "transport_test_rcpt_info": "&#8226; Használja a null@hosted.mailcow.de címet a külföldi célra történő továbbítás teszteléséhez.",
+        "transports_hint": "&#8226; Egy szállítási térkép bejegyzés <b>felülírja</b> a feladófüggő szállítási térképet</b>.<br>\r\n&#8226; Az MX-alapú szállítások előnyben részesítettek.<br>\r\n&#8226; A felhasználónkénti kimenő TLS-szabályzati beállítások figyelmen kívül hagyódnak, és csak a TLS-szabályzati térkép bejegyzései kényszeríthetik ki őket.<br>\r\n&#8226; A definiált szállításokhoz a szállítási szolgáltatás mindig \"smtp:\" és ezért megpróbálja a TLS-t, ha felajánlják. A becsomagolt TLS (SMTPS) nem támogatott.<br>\r\n&#8226; A \"/localhost$/\"-nek megfelelő címek mindig \"local:\"-on keresztül lesznek szállítva, ezért a \"*\" cél nem vonatkozik ezekre a címekre.<br>\r\n&#8226; A hitelesítő adatok meghatározásához egy példa következő ugráshoz \"[host]:25\", a Postfix <b>mindig</b> lekérdezi a \"host\"-ot, mielőtt a \"[host]:25\"-re keresne. Ez a viselkedés lehetetlenné teszi a \"host\" és a \"[host]:25\" egyidejű használatát.",
+        "ui_footer": "Lábléc (HTML engedélyezett)",
+        "ui_header_announcement": "Közlemények",
+        "ui_header_announcement_active": "Közlemény beállítása aktívra",
+        "ui_header_announcement_content": "Szöveg (HTML engedélyezett)",
+        "ui_header_announcement_help": "A közlemény minden bejelentkezett felhasználó számára látható, valamint a felhasználói felület bejelentkezési képernyőjén.",
+        "ui_header_announcement_select": "Válassza ki a közlemény típusát",
+        "ui_header_announcement_type": "Típus",
+        "ui_header_announcement_type_danger": "Nagyon fontos",
+        "ui_header_announcement_type_info": "Információ",
+        "ui_header_announcement_type_warning": "Fontos",
+        "ui_texts": "Felhasználói felület címkéi és szövegei",
+        "unban_pending": "tiltás feloldása függőben",
+        "unchanged_if_empty": "Ha nem változik, hagyja üresen",
+        "user_link": "Felhasználói-link",
+        "user_quicklink": "Gyorshivatkozás elrejtése a Felhasználói bejelentkezési oldalra",
+        "validate_license_now": "GUID érvényesítése a licenszszerverrel szemben",
+        "yes": "&#10003;"
     },
     "edit": {
         "active": "Aktív",
         "advanced_settings": "Haladó beállítások",
         "alias": "Alias szerkesztése",
-        "allow_from_smtp": "Kizárólag ezen IP-címek használhatnak <b>SMTP</b>-t",
-        "allow_from_smtp_info": "Leave empty to allow all senders.<br>IPv4/IPv6 addresses and networks.",
+        "allow_from_smtp": "Kizárólag ezen IP címek használhatnak <b>SMTP</b>-t",
+        "allow_from_smtp_info": "Hagyja üresen minden feladó engedélyezéséhez.<br>IPv4/IPv6 címek és hálózatok.",
         "allowed_protocols": "Engedélyezett protokollok",
         "app_name": "Applikáció neve",
         "app_passwd": "Applikáció jelszava",
@@ -146,7 +312,127 @@
         "description": "Leírás",
         "domain_quota": "Domain kvóta",
         "domains": "Domainek",
-        "edit_alias_domain": "Alias domain szerkesztése"
+        "edit_alias_domain": "Alias domain szerkesztése",
+        "acl": "ACL (Engedélyek)",
+        "admin": "Adminisztrátor szerkesztése",
+        "app_passwd_protocols": "Engedélyezett protokollok az alkalmazás jelszavához",
+        "automap": "Próbálja automatikusan feltérképezni a mappákat (\"Elküldött elemek\", \"Elküldött\" => \"Elküldött\" stb.)",
+        "bcc_dest_format": "A BCC-célpontnak egyetlen érvényes e-mail címnek kell lennie.<br>Ha több címre kell másolatot küldenie, hozzon létre egy aliast, és használja azt itt.",
+        "comment_info": "A privát megjegyzés nem látható a felhasználó számára, míg a nyilvános megjegyzés tooltip-ként jelenik meg, amikor a felhasználó áttekintésében a megjegyzésre mutat.",
+        "created_on": "Létrehozva",
+        "custom_attributes": "Egyéni attribútumok",
+        "delete1": "Törlés a forrásból, ha befejeződött",
+        "delete2": "Üzenetek törlése a célállomáson, amelyek nincsenek a forráson",
+        "delete2duplicates": "Duplikáltak törlése a célállomáson",
+        "delete_ays": "Erősítse meg a törlési folyamatot.",
+        "disable_login": "Bejelentkezés letiltása (a bejövő leveleket továbbra is elfogadja)",
+        "domain": "Domain szerkesztése",
+        "domain_admin": "Domain adminisztrátor szerkesztése",
+        "domain_footer": "Tartományszintű lábléc",
+        "domain_footer_html": "HTML lábléc",
+        "domain_footer_info": "A tartományszintű lábléceket a tartományon belüli címmel társított összes kimenő e-mailhez hozzáadják. <br> A következő változók használhatók a lábléchez:",
+        "domain_footer_info_vars": {
+            "auth_user": "{= auth_user =}   - Hitelesített felhasználónév az MTA által megadott",
+            "from_user": "{= from_user =}   - A boríték feladójának felhasználói része, pl. a \"moo@mailcow.tld\" esetén \"moo\"-t ad vissza",
+            "from_name": "{= from_name =}   - A boríték feladójának neve, pl. a \"Mailcow &lt;moo@mailcow.tld&gt;\" esetén \"Mailcow\"-t ad vissza",
+            "from_addr": "{= from_addr =}   - A boríték feladójának címe",
+            "from_domain": "{= from_domain =} - A boríték feladójának tartománya",
+            "custom": "{= foo =}         - Ha a postafiók rendelkezik a \"foo\" egyéni attribútummal, amelynek értéke \"bar\", akkor \"bar\"-t ad vissza"
+        },
+        "domain_footer_plain": "Egyszerű szöveges lábléc",
+        "domain_footer_skip_replies": "Lábléc figyelmen kívül hagyása válasz e-maileknél",
+        "dont_check_sender_acl": "Küldő ellenőrzés letiltása a(z) %s tartományhoz (+ alias tartományok)",
+        "encryption": "Titkosítás",
+        "exclude": "Objektumok kizárása (regex)",
+        "extended_sender_acl": "Külső feladói címek",
+        "extended_sender_acl_info": "Importálni kell egy DKIM tartomány kulcsot, ha elérhető.<br>\r\n  Ne felejtse el hozzáadni ezt a szervert a megfelelő SPF TXT rekordhoz.<br>\r\n  Amikor egy tartományt vagy alias tartományt ad hozzá ehhez a szerverhez, amely átfedésben van egy külső címmel, a külső cím eltávolításra kerül.<br>\r\n  Használja a @domain.tld címet, hogy engedélyezze a küldést *@domain.tld néven.",
+        "force_pw_update": "Jelszófrissítés kényszerítése a következő bejelentkezéskor",
+        "force_pw_update_info": "Ez a felhasználó csak a(z) %s címre tud bejelentkezni. Az alkalmazás jelszavak használhatóak maradnak.",
+        "footer_exclude": "Kizárás a láblécből",
+        "full_name": "Teljes név",
+        "gal": "Globális címlista",
+        "gal_info": "A GAL tartalmazza a tartomány összes objektumát, és egyetlen felhasználó sem szerkesztheti. A Szabad/Foglalt információ a SOGo-ban hiányzik, ha le van tiltva! <b>Indítsa újra a SOGo-t a változások alkalmazásához.</b>",
+        "generate": "generál",
+        "grant_types": "Engedélyezési típusok",
+        "hostname": "Hosztnév",
+        "inactive": "Inaktív",
+        "kind": "Típus",
+        "last_modified": "Utoljára módosítva",
+        "lookup_mx": "A cél egy reguláris kifejezés, amely illeszkedik az MX névre (<code>.*\\.google\\.com</code>, hogy a google.com-ra végződő MX-en keresztül továbbítsa az összes levelet)",
+        "mailbox": "Postafiók szerkesztése",
+        "mailbox_quota_def": "Alapértelmezett postafiók kvóta",
+        "mailbox_relayhost_info": "A postafiókra és csak a közvetlen aliasokra vonatkozik, felülírja a tartományi továbbító hostot.",
+        "mailbox_rename": "Postafiók átnevezése",
+        "mailbox_rename_agree": "Készítettem biztonsági másolatot.",
+        "mailbox_rename_warning": "FONTOS! Hozzon létre biztonsági másolatot a postafiók átnevezése előtt.",
+        "mailbox_rename_alias": "Alias automatikus létrehozása",
+        "mailbox_rename_title": "Új helyi postafiók neve",
+        "max_aliases": "Max. aliasok",
+        "max_mailboxes": "Max. lehetséges postafiókok",
+        "max_quota": "Max. kvóta postafiókonként (MiB)",
+        "maxage": "Üzenetek maximális életkora napokban, amelyek lekérdezésre kerülnek a távolról<br><small>(0 = figyelmen kívül hagyás)</small>",
+        "maxbytespersecond": "Max. bájt/másodperc <br><small>(0 = korlátlan)</small>",
+        "mbox_rl_info": "Ez a sebességkorlátozás a SASL bejelentkezési névre vonatkozik, és illeszkedik minden, a bejelentkezett felhasználó által használt \"from\" címre. Egy postafiók sebességkorlátozása felülírja a tartományszintű sebességkorlátozást.",
+        "mins_interval": "Időköz (perc)",
+        "multiple_bookings": "Több foglalás",
+        "none_inherit": "Nincs / Örökölt",
+        "nexthop": "Következő ugrás",
+        "password": "Jelszó",
+        "password_recovery_email": "Jelszó-helyreállítási e-mail",
+        "password_repeat": "Megerősítő jelszó (ismétlés)",
+        "previous": "Előző oldal",
+        "private_comment": "Privát megjegyzés",
+        "public_comment": "Nyilvános megjegyzés",
+        "pushover": "Pushover",
+        "pushover_evaluate_x_prio": "Magas prioritású levelek továbbítása [<code>X-Priority: 1</code>]",
+        "pushover_info": "A push értesítési beállítások az összes tiszta (nem-spam) levélre vonatkoznak, amelyeket a <b>%s</b> címre kézbesítettek, beleértve az aliasokat is (megosztott, nem megosztott, címkézett).",
+        "pushover_only_x_prio": "Csak a magas prioritású leveleket vegye figyelembe [<code>X-Priority: 1</code>]",
+        "pushover_sender_array": "Csak a következő feladói e-mail címeket vegye figyelembe <small>(vesszővel elválasztva)</small>",
+        "pushover_sender_regex": "Feladók egyeztetése a következő regex-szel",
+        "pushover_text": "Értesítési szöveg",
+        "pushover_title": "Értesítési cím",
+        "pushover_sound": "Hang",
+        "pushover_vars": "Ha nincs feladói szűrő meghatározva, minden e-mail figyelembe vételre kerül.<br>A Regex szűrők, valamint a pontos feladói ellenőrzések egyénileg definiálhatók, és sorban lesznek figyelembe véve. Nem függenek egymástól.<br>Használható változók a szöveghez és a címhez (kérjük, vegye figyelembe az adatvédelmi szabályzatokat)",
+        "pushover_verify": "Hitelesítő adatok ellenőrzése",
+        "quota_mb": "Kvóta (MiB)",
+        "quota_warning_bcc": "Kvóta figyelmeztetés BCC",
+        "quota_warning_bcc_info": "A figyelmeztetések külön másolatként lesznek elküldve a következő címzetteknek. A tárgyat a megfelelő felhasználónévvel egészítik ki zárójelben, például: <code>Quota warning (user@example.com)</code>.",
+        "ratelimit": "Arányszám-korlát",
+        "redirect_uri": "Átirányítási/Visszahívási URL",
+        "relay_all": "Az összes címzett továbbítása",
+        "relay_all_info": "↪ Ha úgy döntesz, hogy <b>nem</b> továbbítod az összes címzettet, akkor minden egyes címzett számára, akit továbbítani kell, létre kell hoznod egy (\"vak\") postafiókot.",
+        "relay_domain": "Továbbítsa ezt a tartományt",
+        "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Információ</div> Definiálhatsz szállítási térképeket ehhez a tartományhoz egyedi célállomásra. Ha nincs beállítva, egy MX lekérdezés történik.",
+        "relay_unknown_only": "Csak a nem létező postafiókok továbbítása. A létező postafiókok helyben lesznek kézbesítve.",
+        "relayhost": "Feladófüggő szállítások",
+        "remove": "Eltávolítás",
+        "resource": "Erőforrás",
+        "save": "Módosítások mentése",
+        "scope": "Hatókör",
+        "sender_acl": "Engedélyezés küldésre mint",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">A küldő ellenőrzése le van tiltva</span>",
+        "sender_acl_info": "Ha az A postafiók felhasználója küldhet a B postafiók felhasználójaként, a feladói cím nem jelenik meg automatikusan választható \"from\" mezőként a SOGo-ban.<br>\r\n  A B postafiók felhasználójának delegálást kell létrehoznia a SOGo-ban, hogy az A postafiók felhasználója kiválaszthassa a címét feladóként. A SOGo-ban egy postafiók delegálásához használja a menüt (három pont) a postafiók neve jobb oldalán a bal felső sarokban, a levélnézetben. Ez a viselkedés nem vonatkozik az alias címekre.",
+        "sieve_desc": "Rövid leírás",
+        "sieve_type": "Szűrő típusa",
+        "skipcrossduplicates": "Átugrani a duplikált üzeneteket a mappák között (aki előbb jön, előbb kapja)",
+        "sogo_access": "Közvetlen továbbítás a SOGo-ra",
+        "sogo_access_info": "A bejelentkezés után a felhasználó automatikusan átirányításra kerül a SOGo-ra.",
+        "sogo_visible": "Alias látható a SOGo-ban",
+        "sogo_visible_info": "Ez az opció csak azokra az objektumokra vonatkozik, amelyek megjeleníthetők a SOGo-ban (megosztott vagy nem megosztott alias címek, amelyek legalább egy helyi postafiókra mutatnak). Ha el van rejtve, egy alias nem jelenik meg választható feladóként a SOGo-ban.",
+        "spam_alias": "Időkorlátos alias címek létrehozása vagy módosítása",
+        "spam_filter": "Spam szűrő",
+        "spam_policy": "Elemek hozzáadása vagy eltávolítása a tiltó- vagy engedélyezési listán",
+        "spam_score": "Egyéni spam pontszám beállítása",
+        "subfolder2": "Szinkronizálás a célállomáson egy almappába<br><small>(üres = ne használjon almappát)</small>",
+        "syncjob": "Szinkronizálási feladat szerkesztése",
+        "target_address": "Célcím(ek) <small>(vesszővel elválasztva)</small>",
+        "target_domain": "Cél domain",
+        "timeout1": "Időtúllépés a távoli állomáshoz való csatlakozáskor",
+        "timeout2": "Időtúllépés a helyi állomáshoz való csatlakozáskor",
+        "title": "Objektum szerkesztése",
+        "unchanged_if_empty": "Ha nem változik, hagyja üresen",
+        "username": "Felhasználónév",
+        "validate_save": "Érvényesítés és mentés"
     },
     "footer": {
         "cancel": "Mégse",
@@ -159,7 +445,9 @@
         "restart_container": "Konténer újraindítása",
         "restart_container_info": "<b>Fontos:</b> A teljes újraindulás eltarthat egy ideig, kérjük várjon, amíg befejeződik!",
         "restart_now": "Újraindítás most",
-        "restarting_container": "Konténer újraindítása. Ez eltarthat egy darabig."
+        "restarting_container": "Konténer újraindítása. Ez eltarthat egy darabig.",
+        "hibp_check": "Ellenőrzés a haveibeenpwned.com-on",
+        "nothing_selected": "Nincs semmi kiválasztva"
     },
     "header": {
         "administration": "Beállítások és részletek",
@@ -170,7 +458,8 @@
         "quarantine": "Karantén",
         "restart_netfilter": "Netfilter újraindítása",
         "restart_sogo": "SOGo újraindítása",
-        "user_settings": "Felhasználó beállításai"
+        "user_settings": "Felhasználó beállításai",
+        "mailcow_system": "Rendszer"
     },
     "info": {
         "awaiting_tfa_confirmation": "TFA megerősítésre várakozás",
@@ -182,7 +471,23 @@
         "login": "Bejelentkezés",
         "mobileconfig_info": "A kért Apple kapcsolat profil letöltéséhez jelentkezzen be, mint postafiók-felhasználó.",
         "password": "Jelszó",
-        "username": "Felhasználónév"
+        "username": "Felhasználónév",
+        "back_to_mailcow": "Vissza a mailcow-hoz",
+        "fido2_webauthn": "FIDO2/WebAuthn bejelentkezés",
+        "forgot_password": "> Elfelejtett jelszó?",
+        "invalid_pass_reset_token": "A jelszó-helyreállítási token érvénytelen vagy lejárt.<br>Kérjen új jelszó-helyreállítási linket.",
+        "login_linkstext": "Nem a megfelelő bejelentkezés?",
+        "login_usertext": "Bejelentkezés felhasználóként",
+        "login_domainadmintext": "Bejelentkezés domain adminisztrátorként",
+        "login_admintext": "Bejelentkezés adminisztrátorként",
+        "login_user": "Felhasználói bejelentkezés",
+        "login_dadmin": "Domain-adminisztrátori bejelentkezés",
+        "login_admin": "Adminisztrátori bejelentkezés",
+        "new_password": "Új jelszó",
+        "new_password_confirm": "Új jelszó megerősítése",
+        "other_logins": "vagy bejelentkezés",
+        "reset_password": "Jelszó visszaállítása",
+        "request_reset_password": "Jelszó módosítás kérése"
     },
     "mailbox": {
         "action": "Művelet",
@@ -200,10 +505,10 @@
         "add_resource": "Erőforrás hozzáadása",
         "add_tls_policy_map": "TLS irányelv-térkép hozzáadása",
         "address_rewriting": "Címátírás",
-        "alias": "Alias",
+        "alias": "Álnév",
         "alias_domain_backupmx": "Alias domain inaktív a továbbító domain részére",
-        "aliases": "Alias-ok",
-        "allow_from_smtp": "Kizárólag ezek az IP-címek használhatják az <b>SMTP</b>-t",
+        "aliases": "Álnevek",
+        "allow_from_smtp": "Kizárólag ezek az IP címek használhatják az <b>SMTP</b>-t",
         "allow_from_smtp_info": "Hagyja üresen minden feladó engedélyezéséhez.<br>IPv4/IPv6 címek és hálózatok.",
         "allowed_protocols": "Engedélyezett protokollok",
         "backup_mx": "Továbbító domain",
@@ -221,7 +526,7 @@
         "domain_admins": "Domain adminisztrátorok",
         "domain_aliases": "Domain alias-ok",
         "domain_quota": "Kvóta",
-        "domains": "Domain-ek",
+        "domains": "Domainek",
         "edit": "Szerkesztés",
         "empty": "Nincs találat",
         "enable_x": "Engedélyezés",
@@ -277,7 +582,88 @@
         "toggle_all": "Összes átváltása",
         "username": "Felhasználónév",
         "waiting": "Várakozás",
-        "weekly": "Hetente"
+        "weekly": "Hetente",
+        "add_alias_expand": "Alias kiterjesztése alias tartományokra",
+        "alias_domain_alias_hint": "Az aliasok <b>nem</b> vonatkoznak automatikusan a domain aliasokra. Egy <code>my-alias@domain</code> alias cím <b>nem</b> fedezi a <code>my-alias@alias-domain</code> címet (ahol az \"alias-domain\" a \"domain\" képzeletbeli alias tartománya).<br>Kérjük, használjon sieve szűrőt a levél külső postafiókba történő átirányításához (lásd a \"Szűrők\" fület vagy a SOGo -> Továbbító). Használja az \"Alias kiterjesztése alias tartományokra\" opciót a hiányzó aliasok automatikus hozzáadásához.",
+        "all_domains": "Minden tartomány",
+        "bcc_info": "A BCC térképek arra szolgálnak, hogy csendesen továbbítsák az összes üzenet másolatát egy másik címre. A címzett térkép típust akkor használják, ha a helyi célpont egy levél címzettjeként működik. A feladói térképek ugyanazon elv szerint működnek.<br/>\r\n  A helyi célpontot nem értesítik a sikertelen kézbesítésről.",
+        "bcc_map_type": "BCC típus",
+        "bcc_maps": "BCC térképek",
+        "bcc_rcpt_map": "Címzett térkép",
+        "bcc_sender_map": "Feladó térkép",
+        "bcc_to_rcpt": "Váltás címzett térkép típusra",
+        "bcc_to_sender": "Váltás feladó térkép típusra",
+        "bcc_type": "BCC típus",
+        "booking_null": "Mindig szabadként mutat",
+        "booking_0_short": "Mindig szabad",
+        "booking_custom": "Kemény korlát a foglalások egyéni számára",
+        "booking_custom_short": "Kemény korlát",
+        "booking_ltnull": "Korlátlan, de foglaltnak mutatja magát, ha le van foglalva",
+        "booking_lt0_short": "Lágy korlát",
+        "catch_all": "Catch-All",
+        "created_on": "Létrehozva",
+        "dkim_domains_selector": "Válogató",
+        "dkim_key_length": "DKIM kulcs hossza (bit)",
+        "domain_templates": "Domain sablonok",
+        "domain_quota_total": "Teljes domain kvóta",
+        "gal": "Globális címlista",
+        "goto_ham": "Tanulás <b>ham</b>-ként",
+        "goto_spam": "Tanulás <b>spam</b>-ként",
+        "iam": "Azonosítási szolgáltató",
+        "last_modified": "Utoljára módosítva",
+        "last_pw_change": "Utolsó jelszócsere",
+        "mailbox_defaults": "Alapértelmezett beállítások",
+        "mailbox_defaults_info": "Alapértelmezett beállítások meghatározása az új postafiókokhoz.",
+        "mailbox_templates": "Postafiók sablonok",
+        "max_aliases": "Max. aliasok",
+        "max_mailboxes": "Max. lehetséges postafiókok",
+        "max_quota": "Max. kvóta postafiókonként",
+        "no": "&#10005;",
+        "open_logs": "Naplók megnyitása",
+        "q_add_header": "amikor a levélszemét mappába kerül",
+        "q_all": " amikor a levélszemét mappába kerül és elutasításkor",
+        "q_reject": "elutasításkor",
+        "quarantine_category": "Karantén értesítési kategória",
+        "recipient": "Címzett",
+        "recipient_map_info": "A címzett térképeket arra használják, hogy egy üzenet célcímét kicseréljék, mielőtt azt kézbesítenék.",
+        "recipient_map_new_info": "A címzett térkép célja érvényes e-mail címnek vagy tartománynévnek kell lennie.",
+        "recipient_map_old_info": "Egy címzett térkép eredeti céljának érvényes e-mail címnek vagy tartománynévnek kell lennie.",
+        "relay_all": "Az összes címzett továbbítása",
+        "relay_unknown": "Ismeretlen postafiókok továbbítása",
+        "sender": "Feladó",
+        "set_postfilter": "Megjelölés poszt-szűrőként",
+        "set_prefilter": "Megjelölés pre-szűrőként",
+        "sieve_info": "Több szűrőt is tárolhatsz felhasználónként, de egyszerre csak egy pre-szűrő és egy poszt-szűrő lehet aktív.<br>\r\nMinden szűrő a leírt sorrendben lesz feldolgozva. Sem a sikertelen szkript, sem a kiadott \"keep;\" parancs nem állítja le a további szkriptek feldolgozását. A globális sieve szkriptek változásai a Dovecot újraindítását váltják ki.<br><br>Globális sieve pre-szűrő &#8226; Pre-szűrő &#8226; Felhasználói szkriptek &#8226; Poszt-szűrő &#8226; Globális sieve poszt-szűrő",
+        "sieve_preset_1": "Levél eldobása valószínűleg veszélyes fájltípusokkal",
+        "sieve_preset_2": "Egy adott feladó e-mailjét mindig olvasottként jelölje meg",
+        "sieve_preset_3": "Csendesen elvetni, leállítani minden további sieve feldolgozást",
+        "sieve_preset_4": "Fájl az INBOX-ba, kihagyni a további feldolgozást a sieve szűrőkkel",
+        "sieve_preset_5": "Auto válaszadó (szabadság)",
+        "sieve_preset_6": "Levél elutasítása válasszal",
+        "sieve_preset_7": "Átirányítás és megtartás/eldobás",
+        "sieve_preset_8": "E-mail átirányítása egy adott feladótól, olvasottként jelölés és almappába rendezés",
+        "sieve_preset_header": "Kérjük, nézze meg az alábbi példa-előrebeállításokat. További részletekért lásd a <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a>-t.",
+        "sogo_visible": "Alias látható a SOGo-ban",
+        "sogo_visible_n": "Alias elrejtése a SOGo-ban",
+        "sogo_visible_y": "Alias megjelenítése a SOGo-ban",
+        "sender": "Feladó",
+        "syncjob_check_log": "Napló ellenőrzése",
+        "syncjob_last_run_result": "Utolsó futás eredménye",
+        "syncjob_EX_OK": "Siker",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Kapcsolati probléma",
+        "syncjob_EXIT_TLS_FAILURE": "Probléma a titkosított kapcsolattal",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Hitelesítési probléma",
+        "syncjob_EXIT_OVERQUOTA": "A cél postafiók túllépte a kvótát",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nem lehet csatlakozni a távoli szerverhez",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Hibás felhasználónév vagy jelszó",
+        "templates": "Sablonok",
+        "template": "Sablon",
+        "tls_map_policy": "Irányelv",
+        "tls_policy_maps": "TLS irányelv térképek",
+        "tls_policy_maps_enforced_tls": "Ezek az irányelvek felülírják a kimenő TLS szállítási szabályokat függetlenül a felhasználó TLS irányelvi beállításaitól. Ha nincs alább egyetlen irányelv sem, ezek a felhasználók az alapértelmezett értékeket alkalmazzák, amelyeket a <code>smtp_tls_mandatory_protocols</code> és a <code>smtp_tls_mandatory_ciphers</code> határoz meg.",
+        "tls_policy_maps_info": "Ez az irányelv térkép felülírja a kimenő TLS szállítási szabályokat függetlenül a felhasználó TLS irányelvi beállításaitól.<br>\r\n  Kérjük, ellenőrizze a <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">\"smtp_tls_policy_maps\" dokumentációját</a> további információkért.",
+        "tls_policy_maps_long": "Kimenő TLS irányelv térkép felülírások",
+        "yes": "&#10003;"
     },
     "oauth2": {
         "access_denied": "Kérjük jelentkezzen be postafiók felhasználójával az OAuth2 használatához.",
@@ -301,7 +687,7 @@
         "medium_danger": "Közepes veszély",
         "neutral_danger": "Semleges",
         "notified": "Értesítve",
-        "qinfo": "A karantén-rendszer elmenti a visszautasított leveleket az adatbázisba, miközben a feladónak nem lesz az a benyomása, hogy a levelet kézbesítették.\r\n  <br>\"Spamnek jelölés és törlés\" spam-ként jegyzi meg az üzenetet a Bayes-tétel segítségével, illetve fuzzy hash-eket számít, hogy hasonló üzenetek is spam-be kerüljenek a jövőben.\r\n  <br>Több üzenet spamként való megjegyzése időigényes lehet.<br>Feketelistára vett levelek nem kerülnek karanténba.",
+        "qinfo": "A karantén-rendszer elmenti a visszautasított leveleket az adatbázisba, miközben a feladónak nem lesz az a benyomása, hogy a levelet kézbesítették.\r\n  <br>\"Spamnek jelölés és törlés\" spam-ként jegyzi meg az üzenetet a Bayes-tétel segítségével, illetve fuzzy hash-eket számít, hogy hasonló üzenetek is spam-be kerüljenek a jövőben.\r\n  <br>Több üzenet spamként való megjegyzése időigényes lehet.<br>Tiltólistára vett levelek nem kerülnek karanténba.",
         "qitem": "Tétel",
         "quarantine": "Karantén",
         "quick_actions": "Műveletek",
@@ -324,10 +710,38 @@
         "table_size_show_n": "%s tétel mutatása",
         "text_from_html_content": "Tartalom (konvertált html)",
         "text_plain_content": "Tartalom (sima szöveg)",
-        "toggle_all": "Összes átkapcsolása"
+        "toggle_all": "Összes átkapcsolása",
+        "check_hash": "Fájl hash keresése @ VT",
+        "confirm": "Megerősítés",
+        "deliver_inbox": "Kézbesítés a beérkező mappába",
+        "disabled_by_config": "A jelenlegi rendszerkonfiguráció letiltja a karantén funkcionalitást. Kérjük, állítsa be a \"megőrzéseket postafiókonként\" és a \"maximális méretet\" a karantén elemek számára.",
+        "info": "Információ",
+        "junk_folder": "Levélszemét mappa",
+        "qhandler_success": "A kérés sikeresen elküldve a rendszernek. Most már bezárhatja az ablakot.",
+        "qid": "Rspamd QID",
+        "rejected": "Elutasítva",
+        "release_body": "A levelét eml fájlként csatoltuk ehhez az üzenethez.",
+        "rewrite_subject": "Tárgy átírása",
+        "settings_info": "A karanténba helyezhető elemek maximális száma: %s<br>Maximális e-mail méret: %s MiB",
+        "spam": "Spam",
+        "quick_info_link": "Információs link megnyitása",
+        "type": "Típus"
     },
     "queue": {
-        "queue_manager": "Queue Manager"
+        "queue_manager": "Queue Manager",
+        "delete": "Összes törlése",
+        "flush": "Üzenetsor ürítése",
+        "info": "A levelezési üzenetsor tartalmazza az összes kézbesítésre váró e-mailt. Ha egy e-mail hosszú ideig ragad az üzenetsorban, a rendszer automatikusan törli.<br>A megfelelő levél hibaüzenete tájékoztatást ad arról, miért nem lehetett a levelet kézbesíteni.",
+        "legend": "A levelezési üzenetsor műveleti funkciói:",
+        "ays": "Kérjük, erősítse meg, hogy törölni szeretné az összes elemet az aktuális üzenetsorból.",
+        "deliver_mail": "Kézbesítés",
+        "deliver_mail_legend": "Megpróbálja újra kézbesíteni a kiválasztott leveleket.",
+        "hold_mail": "Visszatartás",
+        "hold_mail_legend": "Visszatartja a kiválasztott leveleket. (Megakadályozza a további kézbesítési kísérleteket)",
+        "show_message": "Üzenet megjelenítése",
+        "unban": "üzenetsor tiltás feloldása",
+        "unhold_mail": "Visszatartás feloldása",
+        "unhold_mail_legend": "Kiadja a kiválasztott leveleket a kézbesítéshez. (Előzetes visszatartás szükséges)"
     },
     "start": {
         "help": "Súgó panel megjelenítése/elrejtése",
@@ -380,7 +794,49 @@
         "resource_modified": "Postafiók %s módosításai mentve",
         "resource_removed": "Erőforrás %s eltávolítva",
         "saved_settings": "Beállítások mentve",
-        "upload_success": "File sikeresen feltöltve"
+        "upload_success": "File sikeresen feltöltve",
+        "acl_saved": "Az ACL a(z) %s objektumhoz mentve",
+        "bcc_deleted": "BCC térkép bejegyzések törölve: %s",
+        "bcc_edited": "BCC térkép bejegyzés %s szerkesztve",
+        "bcc_saved": "BCC térkép bejegyzés mentve",
+        "cors_headers_edited": "A CORS beállítások mentve",
+        "custom_login_modified": "A bejelentkezési testreszabás sikeresen mentve",
+        "domain_add_dkim_available": "Egy DKIM kulcs már létezett",
+        "dkim_duplicated": "A DKIM kulcs a(z) %s tartományhoz sikeresen átmásolva a(z) %s tartományba",
+        "domain_footer_modified": "A(z) %s tartományi lábléc módosításai mentve",
+        "f2b_banlist_refreshed": "A tiltólista azonosítója sikeresen frissítve.",
+        "f2b_modified": "A Fail2ban paraméterek módosításai mentve",
+        "forwarding_host_added": "A továbbító állomás %s hozzáadva",
+        "forwarding_host_removed": "A továbbító állomás %s eltávolítva",
+        "iam_test_connection": "Kapcsolat sikeres",
+        "ip_check_opt_in_modified": "Az IP ellenőrzés sikeresen mentve",
+        "nginx_reloaded": "Az Nginx újra lett töltve",
+        "password_policy_saved": "A jelszó házirend sikeresen mentve",
+        "password_changed_success": "A jelszó sikeresen megváltoztatva",
+        "pushover_settings_edited": "A Pushover beállítások sikeresen elmentve, kérjük, ellenőrizze a hitelesítő adatokat.",
+        "queue_command_success": "A sor parancs sikeresen befejeződött",
+        "recipient_map_entry_deleted": "A címzett térkép ID %s törölve",
+        "recipient_map_entry_saved": "A címzett térkép bejegyzés \"%s\" mentve",
+        "recovery_email_sent": "Helyreállítási e-mail elküldve a(z) %s címre",
+        "relayhost_added": "A térkép bejegyzés %s hozzáadva",
+        "relayhost_removed": "A térkép bejegyzés %s eltávolítva",
+        "reset_main_logo": "Visszaállítás alapértelmezett logóra",
+        "rl_saved": "Arányszám-korlát a(z) %s objektumhoz mentve",
+        "rspamd_ui_pw_set": "Rspamd UI jelszó sikeresen beállítva",
+        "settings_map_added": "Hozzáadott beállítási térkép bejegyzés",
+        "settings_map_removed": "Eltávolított beállítási térkép ID %s",
+        "sogo_profile_reset": "A SOGo profil a(z) %s felhasználóhoz visszaállítva",
+        "template_added": "Hozzáadott sablon %s",
+        "template_modified": "A(z) %s sablon módosításai mentve",
+        "template_removed": "A sablon ID %s törölve",
+        "tls_policy_map_entry_deleted": "TLS irányelv térkép ID %s törölve",
+        "tls_policy_map_entry_saved": "TLS irányelv térkép bejegyzés \"%s\" mentve",
+        "ui_texts": "A felhasználói felület szövegeinek módosításai mentve",
+        "verified_fido2_login": "FIDO2 bejelentkezés ellenőrizve",
+        "verified_totp_login": "TOTP bejelentkezés ellenőrizve",
+        "verified_webauthn_login": "WebAuthn bejelentkezés ellenőrizve",
+        "verified_yotp_login": "Yubico OTP bejelentkezés ellenőrizve",
+        "mailbox_renamed": "A postafiók átnevezve %s-ről %s-re"
     },
     "user": {
         "action": "Művelet",
@@ -449,15 +905,14 @@
         "spam_score_reset": "Szerver szerinti alapértelmezésre visszaállítás",
         "spamfilter": "Spam szűrő",
         "spamfilter_behavior": "Osztályozás",
-        "spamfilter_bl": "Feketelista",
-        "spamfilter_bl_desc": "A feketelistán szereplő email címek mindig spam-ként lesznek kezelve és vissza lesznek utasítva.  Joker karakter használható. A szűrő csak közvetlen aliasokra vonatkozik (alias egyetlen cél-postafiókkal), magára a postafiókra, illetve mindent elkapó aliasokra nem.",
+        "spamfilter_bl": "Tiltólista",
+        "spamfilter_bl_desc": "A tiltólistán szereplő email címek mindig spam-ként lesznek kezelve és vissza lesznek utasítva.  Joker karakter használható. A szűrő csak közvetlen aliasokra vonatkozik (alias egyetlen cél-postafiókkal), magára a postafiókra, illetve mindent elkapó aliasokra nem.",
         "spamfilter_default_score": "Alapértelmezett értékek",
         "spamfilter_green": "Zöld: ez az üzenet nem spam",
         "spamfilter_hint": "Az első érték az alacsony spam pontszámot, a második a magas spam pontszámot jelöli.",
         "spamfilter_red": "Vörös: Ez az üzenet spam, a szerver el fogja vetni.",
         "spamfilter_table_action": "Művelet",
         "spamfilter_table_add": "Tétel hozzáadása",
-        "spamfilter_table_empty": "Nincs megjeleníthető adat",
         "spamfilter_table_remove": "eltávolítás",
         "spamfilter_table_rule": "Szabály",
         "spamfilter_wl": "Engedélyezőlista",
@@ -482,15 +937,90 @@
         "waiting": "Várakozás",
         "week": "hét",
         "weekly": "heti",
-        "weeks": "hét"
+        "weeks": "hét",
+        "aliases_also_send_as": "Küldhet még mint felhasználó",
+        "aliases_send_as_all": "Ne ellenőrizze a küldő hozzáférését a következő tartomány(ok) és annak alias tartományai számára",
+        "app_hint": "Az alkalmazás jelszavak alternatív jelszavak az IMAP, SMTP, CalDAV, CardDAV és EAS bejelentkezéshez. A felhasználónév változatlan marad. A SOGo webmail nem érhető el az alkalmazás jelszavakon keresztül.",
+        "allowed_protocols": "Engedélyezett protokollok",
+        "apple_connection_profile_complete": "Ez a kapcsolati profil tartalmazza az IMAP és SMTP paramétereket, valamint a CalDAV (naptárak) és CardDAV (névjegyek) útvonalakat egy Apple eszközhöz.",
+        "apple_connection_profile_mailonly": "Ez a kapcsolati profil csak IMAP és SMTP konfigurációs paramétereket tartalmaz egy Apple eszközhöz.",
+        "apple_connection_profile_with_app_password": "Új alkalmazás jelszó generálódik és hozzáadódik a profilhoz, így nem kell jelszót megadni az eszköz beállításakor. Kérjük, ne ossza meg a fájlt, mivel teljes hozzáférést biztosít a postafiókjához.",
+        "attribute": "Attribútum",
+        "authentication": "Hitelesítés",
+        "change_password_hint_app_passwords": "Fiókodnak %d alkalmazás jelszava van, amelyek nem lesznek megváltoztatva. Ezek kezeléséhez menj az Alkalmazás jelszavak fülre.",
+        "clear_recent_successful_connections": "Sikeres kapcsolatok törlése",
+        "created_on": "Létrehozva",
+        "direct_aliases_desc": "A közvetlen alias címeket érintik a spam szűrő és a TLS irányelv beállításai.",
+        "direct_protocol_access": "Ennek a postafiók felhasználónak <b>közvetlen, külső hozzáférése</b> van a következő protokollokhoz és alkalmazásokhoz. Ezt a beállítást az adminisztrátor vezérli. Az alkalmazás jelszavak létrehozhatók, hogy hozzáférést biztosítsanak az egyedi protokollokhoz és alkalmazásokhoz.<br>A \"Webmail\" gomb egységes bejelentkezést biztosít a SOGo-ra, és mindig elérhető.",
+        "eas_reset_help": "Sok esetben a eszköz gyorsítótárának visszaállítása segít egy sérült ActiveSync profil helyreállításában.<br><b>Figyelem:</b> Minden elem újra letöltődik!",
+        "empty": "Nincs eredmény",
+        "from": "feladó",
+        "is_catch_all": "Catch-all a tartomány(ok)hoz",
+        "last_pw_change": "Utolsó jelszócsere",
+        "last_ui_login": "Utolsó UI bejelentkezés",
+        "login_history": "Bejelentkezési előzmények",
+        "mailbox": "Postafiók",
+        "mailbox_general": "Általános",
+        "mailbox_settings": "Beállítások",
+        "month": "hónap",
+        "months": "hónap",
+        "open_logs": "Naplók megnyitása",
+        "open_webmail_sso": "Webmail",
+        "overview": "Áttekintés",
+        "password_reset_info": "Ha nincs megadva e-mail a jelszó-helyreállításhoz, ez a funkció nem használható.",
+        "protocols": "Protokollok",
+        "pushover_evaluate_x_prio": "Magas prioritású levelek továbbítása [<code>X-Priority: 1</code>]",
+        "pushover_info": "A push értesítési beállítások az összes tiszta (nem-spam) levélre vonatkoznak, amelyeket a <b>%s</b> címre kézbesítettek, beleértve az aliasokat is (megosztott, nem megosztott, címkézett).",
+        "pushover_only_x_prio": "Csak a magas prioritású leveleket vegye figyelembe [<code>X-Priority: 1</code>]",
+        "pushover_sender_array": "A következő feladói e-mail címek figyelembe vétele <small>(vesszővel elválasztva)</small>",
+        "pushover_sender_regex": "Feladók egyeztetése a következő regex-szel",
+        "pushover_text": "Értesítési szöveg",
+        "pushover_title": "Értesítési cím",
+        "pushover_sound": "Hang",
+        "pushover_vars": "Ha nincs feladói szűrő meghatározva, minden e-mail figyelembe vételre kerül.<br>A Regex szűrők, valamint a pontos feladói ellenőrzések egyénileg definiálhatók, és sorban lesznek figyelembe véve. Nem függenek egymástól.<br>Használható változók a szöveghez és a címhez (kérjük, vegye figyelembe az adatvédelmi szabályzatokat)",
+        "pushover_verify": "Hitelesítő adatok ellenőrzése",
+        "pw_recovery_email": "Jelszó-helyreállítási e-mail",
+        "q_add_header": "Levélszemét mappa",
+        "q_all": "Összes kategória",
+        "q_reject": "Elutasítva",
+        "quarantine_category": "Karantén értesítési kategória",
+        "quarantine_category_info": "Az \"Elutasítva\" értesítési kategória magában foglalja azokat a leveleket, amelyeket elutasítottak, míg a \"Levélszemét mappa\" értesíti a felhasználót a levélszemét mappába helyezett levelekről.",
+        "recent_successful_connections": "Látott sikeres kapcsolatok",
+        "shared_aliases_desc": "A megosztott aliasokat nem érintik a felhasználóspecifikus beállítások, mint a spam szűrő vagy a titkosítási szabályzat. A megfelelő spam szűrőket csak egy adminisztrátor hozhatja létre tartományszintű szabályzatként.",
+        "sogo_profile_reset": "SOGo profil visszaállítása",
+        "sogo_profile_reset_help": "Ez tönkreteszi a felhasználó SOGo profilját, és <b>visszavonhatatlanul törli az összes névjegy- és naptáradatot</b>.",
+        "sogo_profile_reset_now": "Profil visszaállítása most",
+        "spamfilter_table_domain_policy": "n/a (tartományi szabályzat)",
+        "syncjob_check_log": "Napló ellenőrzése",
+        "syncjob_last_run_result": "Utolsó futás eredménye",
+        "syncjob_EX_OK": "Siker",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Kapcsolati probléma",
+        "syncjob_EXIT_TLS_FAILURE": "Probléma a titkosított kapcsolattal",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Hitelesítési probléma",
+        "syncjob_EXIT_OVERQUOTA": "A cél postafiók túllépte a kvótát",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nem lehet csatlakozni a távoli szerverhez",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Hibás felhasználónév vagy jelszó",
+        "text": "Szöveg",
+        "tfa_info": "A kétlépcsős hitelesítés segít megvédeni a fiókodat. Ha engedélyezed, alkalmazás jelszavakra lesz szükséged, hogy bejelentkezz olyan alkalmazásokba vagy szolgáltatásokba, amelyek nem támogatják a kétlépcsős hitelesítést (pl. levelező kliensek).",
+        "tls_policy_warning": "<strong>Figyelem:</strong> Ha titkosított levélátvitelt kényszerítesz ki, elveszíthetsz e-maileket.<br>Azok az üzenetek, amelyek nem felelnek meg a szabályzatnak, kemény hibával visszapattannak a levelezőrendszerből.<br>Ez az opció a fő e-mail címedre (bejelentkezési név), az alias tartományokból származó összes címre, valamint az alias címekre vonatkozik, amelyeknek <b>csak ez az egy postafiók</b> a célja.",
+        "value": "Érték",
+        "with_app_password": "alkalmazás jelszóval",
+        "year": "év",
+        "years": "év"
     },
     "warning": {
         "cannot_delete_self": "Bejelentkezett felhasználó nem törölhető.",
-        "ip_invalid": "Érvénytelen IP-cím átugorva: %s",
+        "ip_invalid": "Érvénytelen IP cím átugorva: %s",
         "no_active_admin": "Utolsó aktív admin felhasználó nem deaktiválható.",
         "quota_exceeded_scope": "Domain kvóta átlépve: csak korlátok nélküli postafiókok hozhatók létre ebben a domain-ben.",
-        "session_token": "Űrlap-token érvénytelen: Tokenek nem egyeznek",
-        "session_ua": "Űrlap-token érvénytelen: User-Agent hitelesítési probléma"
+        "session_token": "Űrlaptoken érvénytelen: Tokenek nem egyeznek",
+        "session_ua": "Űrlaptoken érvénytelen: User-Agent hitelesítési probléma",
+        "domain_added_sogo_failed": "A tartomány hozzáadva, de a SOGo újraindítása sikertelen, kérjük, ellenőrizze a szerver naplókat.",
+        "dovecot_restart_failed": "A Dovecot újraindítása sikertelen, kérjük, ellenőrizze a naplókat",
+        "fuzzy_learn_error": "Fuzzy hash tanulási hiba: %s",
+        "hash_not_found": "A hash nem található vagy már törölve lett",
+        "is_not_primary_alias": "Nem elsődleges alias %s kihagyva",
+        "mailbox_renamed_alias": "A postafiók át lett nevezve, de az alias nem lett automatikusan létrehozva. Kérjük, hozza létre kézzel: %s"
     },
     "acl": {
         "delimiter_action": "Elhatárolás",
@@ -516,15 +1046,24 @@
         "smtp_ip_access": "Az SMTP engedélyezett állomásainak módosítása",
         "sogo_profile_reset": "SOGo profil visszaállítása",
         "spam_alias": "Ideiglenes álnevek",
-        "spam_policy": "Fekete/Fehér lista",
+        "spam_policy": "Tiltó/engedélyezési lista",
         "spam_score": "Spam pontszám",
         "syncjobs": "Szinkronizálási feladatok",
         "tls_policy": "TLS szabályzat",
         "unlimited_quota": "Korlátlan kvóta a postafiókok számára",
-        "sogo_access": "A SOGo-hozzáférés kezelésének lehetővé tétele"
+        "sogo_access": "A SOGo-hozzáférés kezelésének lehetővé tétele",
+        "pw_reset": "Lehetővé teszi a mailcow felhasználói jelszavak visszaállítását"
     },
     "diagnostics": {
-        "dns_records": "DNS bejegyzések"
+        "dns_records": "DNS bejegyzések",
+        "cname_from_a": "Az A/AAAA rekordból származó érték. Ez addig támogatott, amíg a rekord a megfelelő erőforrásra mutat.",
+        "dns_records_24hours": "Kérjük, vegye figyelembe, hogy a DNS-ben végrehajtott változtatások akár 24 órát is igénybe vehetnek, amíg a jelenlegi állapotuk helyesen megjelenik ezen az oldalon. Ez a célja, hogy könnyen láthassa, hogyan kell konfigurálnia a DNS rekordokat, és ellenőrizze, hogy az összes rekordja helyesen van-e tárolva a DNS-ben.",
+        "dns_records_data": "Helyes adatok",
+        "dns_records_docs": "Kérjük, konzultáljon a <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">dokumentációval</a> is.",
+        "dns_records_name": "Név",
+        "dns_records_status": "Jelenlegi állapot",
+        "dns_records_type": "Típus",
+        "optional": "Ez a rekord opcionális."
     },
     "add": {
         "username": "Felhasználónév",
@@ -588,6 +1127,15 @@
         "alias_domain": "Alias domain",
         "alias_domain_info": "<small>Csak érvényes tartománynevek (vesszővel elválasztva).</small>",
         "app_name": "Alkalmazás neve",
-        "app_passwd_protocols": "Engedélyezett protokollok az alkalmazás jelszavához"
+        "app_passwd_protocols": "Engedélyezett protokollok az alkalmazás jelszavához",
+        "automap": "Próbálja automatikusan feltérképezni a mappákat (\"Elküldött elemek\", \"Elküldött\" => \"Elküldött\" stb.)",
+        "multiple_bookings": "Több foglalás",
+        "quota_mb": "Kvóta (MiB)",
+        "relay_all": "Az összes címzett továbbítása",
+        "relay_all_info": "↪ Ha úgy döntesz, hogy <b>nem</b> továbbítod az összes címzettet, akkor minden egyes címzett számára, akit továbbítani kell, létre kell hoznod egy (\"vak\") postafiókot.",
+        "relay_domain": "Továbbítsa ezt a tartományt",
+        "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Információ</div> Definiálhatsz szállítási térképeket ehhez a tartományhoz egyedi célállomásra. Ha nincs beállítva, egy MX lekérdezés történik.",
+        "relay_unknown_only": "Csak a nem létező postafiókok továbbítása. A létező postafiókok helyben lesznek kézbesítve.",
+        "relayhost_wrapped_tls_info": "Kérjük, <b>ne</b> használjon TLS-be csomagolt portokat (többnyire a 465-ös porton használatosak).<br>\r\nHasználjon bármilyen nem csomagolt portot és adjon ki STARTTLS-t. A TLS kikényszerítésére egy TLS irányelv hozható létre a \"TLS irányelv térképek\" alatt."
     }
 }

From 0997548d7f3e7aa004cbae3b1062332f53163c90 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Fri, 29 Aug 2025 22:38:06 +0200
Subject: [PATCH 315/378] Translations update from Weblate (#6699)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [Web] Updated lang.de-de.json

Co-authored-by: Peter <magic@kthx.at>

* [Web] Updated lang.en-gb.json

Co-authored-by: Peter <magic@kthx.at>

* [Web] Updated lang.hu-hu.json

[Web] Language file updated by 'Cleanup translation files' addon

Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

* [Web] Updated lang.si-si.json

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>

---------

Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.de-de.json |  3 ++-
 data/web/lang/lang.en-gb.json |  2 +-
 data/web/lang/lang.hu-hu.json | 20 ++++++++++++--------
 data/web/lang/lang.si-si.json | 22 +++++++++++++++++++---
 4 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 55fc11ab4..93b908d6c 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -408,7 +408,8 @@
         "allowed_origins": "Access-Control-Allow-Origin",
         "logo_dark_label": "Invertiert für den Darkmode",
         "logo_normal_label": "Normal",
-        "user_link": "Nutzer-Link"
+        "user_link": "Nutzer-Link",
+        "filter": "Filter"
     },
     "danger": {
         "access_denied": "Zugriff verweigert oder unvollständige/ungültige Daten",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 4ee5675be..0af0e59b0 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -711,7 +711,7 @@
         "mta_sts": "MTA-STS",
         "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> is a standard that enforces email delivery between mail servers to use TLS with valid certificates. <br>It is used when <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> is not possible due to missing or unsupported DNSSEC.<br><b>Note</b>: If the receiving domain supports DANE with DNSSEC, DANE is <b>always</b> preferred – MTA-STS only acts as a fallback.",
         "mta_sts_version": "Version",
-        "mta_sts_version_info": "Defines the version of the MTA-STS standard – currently only <code>STSv1</code> is valid." ,
+        "mta_sts_version_info": "Defines the version of the MTA-STS standard – currently only <code>STSv1</code> is valid.",
         "mta_sts_mode": "Mode",
         "mta_sts_mode_info": "There are three modes to choose from:<ul><li><em>testing</em> – policy is only monitored, violations have no impact.</li><li><em>enforce</em> – policy is strictly enforced, connections without valid TLS are rejected.</li><li><em>none</em> – policy is published but not applied.</li></ul>",
         "mta_sts_max_age": "Max age",
diff --git a/data/web/lang/lang.hu-hu.json b/data/web/lang/lang.hu-hu.json
index 6ec3ed68a..2f78d5b21 100644
--- a/data/web/lang/lang.hu-hu.json
+++ b/data/web/lang/lang.hu-hu.json
@@ -9,7 +9,7 @@
         "source": "Forrás",
         "spamfilter": "Spam szűrő",
         "subject": "Tárgy",
-        "sys_mails": "Rendszerüzenetek",
+        "sys_mails": "Rendszer e-mailek",
         "text": "Szöveg",
         "time": "Idő",
         "title": "Cím",
@@ -274,7 +274,6 @@
         "sal_level": "Moo szint",
         "service": "Szolgáltatás",
         "service_id": "Szolgáltatás azonosító",
-        "sys_mails": "Rendszer e-mailek",
         "task": "Feladat",
         "transport_maps": "Szállítási térképek",
         "transport_test_rcpt_info": "&#8226; Használja a null@hosted.mailcow.de címet a külföldi célra történő továbbítás teszteléséhez.",
@@ -295,7 +294,8 @@
         "user_link": "Felhasználói-link",
         "user_quicklink": "Gyorshivatkozás elrejtése a Felhasználói bejelentkezési oldalra",
         "validate_license_now": "GUID érvényesítése a licenszszerverrel szemben",
-        "yes": "&#10003;"
+        "yes": "&#10003;",
+        "success": "Siker"
     },
     "edit": {
         "active": "Aktív",
@@ -646,7 +646,6 @@
         "sogo_visible": "Alias látható a SOGo-ban",
         "sogo_visible_n": "Alias elrejtése a SOGo-ban",
         "sogo_visible_y": "Alias megjelenítése a SOGo-ban",
-        "sender": "Feladó",
         "syncjob_check_log": "Napló ellenőrzése",
         "syncjob_last_run_result": "Utolsó futás eredménye",
         "syncjob_EX_OK": "Siker",
@@ -1000,7 +999,6 @@
         "syncjob_EXIT_OVERQUOTA": "A cél postafiók túllépte a kvótát",
         "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nem lehet csatlakozni a távoli szerverhez",
         "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Hibás felhasználónév vagy jelszó",
-        "text": "Szöveg",
         "tfa_info": "A kétlépcsős hitelesítés segít megvédeni a fiókodat. Ha engedélyezed, alkalmazás jelszavakra lesz szükséged, hogy bejelentkezz olyan alkalmazásokba vagy szolgáltatásokba, amelyek nem támogatják a kétlépcsős hitelesítést (pl. levelező kliensek).",
         "tls_policy_warning": "<strong>Figyelem:</strong> Ha titkosított levélátvitelt kényszerítesz ki, elveszíthetsz e-maileket.<br>Azok az üzenetek, amelyek nem felelnek meg a szabályzatnak, kemény hibával visszapattannak a levelezőrendszerből.<br>Ez az opció a fő e-mail címedre (bejelentkezési név), az alias tartományokból származó összes címre, valamint az alias címekre vonatkozik, amelyeknek <b>csak ez az egy postafiók</b> a célja.",
         "value": "Érték",
@@ -1019,8 +1017,7 @@
         "dovecot_restart_failed": "A Dovecot újraindítása sikertelen, kérjük, ellenőrizze a naplókat",
         "fuzzy_learn_error": "Fuzzy hash tanulási hiba: %s",
         "hash_not_found": "A hash nem található vagy már törölve lett",
-        "is_not_primary_alias": "Nem elsődleges alias %s kihagyva",
-        "mailbox_renamed_alias": "A postafiók át lett nevezve, de az alias nem lett automatikusan létrehozva. Kérjük, hozza létre kézzel: %s"
+        "is_not_primary_alias": "Nem elsődleges alias %s kihagyva"
     },
     "acl": {
         "delimiter_action": "Elhatárolás",
@@ -1136,6 +1133,13 @@
         "relay_domain": "Továbbítsa ezt a tartományt",
         "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Információ</div> Definiálhatsz szállítási térképeket ehhez a tartományhoz egyedi célállomásra. Ha nincs beállítva, egy MX lekérdezés történik.",
         "relay_unknown_only": "Csak a nem létező postafiókok továbbítása. A létező postafiókok helyben lesznek kézbesítve.",
-        "relayhost_wrapped_tls_info": "Kérjük, <b>ne</b> használjon TLS-be csomagolt portokat (többnyire a 465-ös porton használatosak).<br>\r\nHasználjon bármilyen nem csomagolt portot és adjon ki STARTTLS-t. A TLS kikényszerítésére egy TLS irányelv hozható létre a \"TLS irányelv térképek\" alatt."
+        "relayhost_wrapped_tls_info": "Kérjük, <b>ne</b> használjon TLS-be csomagolt portokat (többnyire a 465-ös porton használatosak).<br>\r\nHasználjon bármilyen nem csomagolt portot és adjon ki STARTTLS-t. A TLS kikényszerítésére egy TLS irányelv hozható létre a \"TLS irányelv térképek\" alatt.",
+        "select": "Kérjük, válasszon...",
+        "select_domain": "Kérjük, először válasszon egy domaint",
+        "sieve_desc": "Rövid leírás",
+        "sieve_type": "Szűrő típusa",
+        "skipcrossduplicates": "Duplikált üzenetek átugrása mappák között (érkezési sorrendben)",
+        "subscribeall": "Feliratkozás minden mappára",
+        "syncjob": "Szinkronizálási feladat hozzáadása"
     }
 }
diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 35c4eaa96..56da00f74 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -550,7 +550,11 @@
         "recovery_email_failed": "E-poštnega sporočila za obnovitev ni bilo mogoče poslati. Obrnite se na skrbnika.",
         "required_data_missing": "Manjkajo zahtevani podatki %s",
         "reset_token_limit_exceeded": "Omejitev žetonov za ponastavitev je bila presežena. Poskusite znova pozneje.",
-        "to_invalid": "Polje za prejemnika ne sme biti prazno"
+        "to_invalid": "Polje za prejemnika ne sme biti prazno",
+        "max_age_invalid": "Najvišja starost %s je neveljavna",
+        "mode_invalid": "Način %s ni veljaven",
+        "mx_invalid": "Zapis MX %s je neveljaven",
+        "version_invalid": "Različica %s je neveljavna"
     },
     "debug": {
         "containers_info": "Informacije o vsebniku (containerju)",
@@ -761,7 +765,18 @@
         "mailbox_rename": "Preimenuj poštni predal",
         "mailbox_rename_agree": "Ustvaril/a sem varnostno kopijo.",
         "mailbox_rename_warning": "POMEMBNO! Pred preimenovanjem nabiralnika ustvarite varnostno kopijo.",
-        "sieve_desc": "Kratek opis"
+        "sieve_desc": "Kratek opis",
+        "mta_sts": "MTA-STS",
+        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> je standard, ki vsiljuje dostavo e-pošte med poštnimi strežniki z uporabo TLS z veljavnimi potrdili. <br>Uporablja se, kadar <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> ni mogoč zaradi manjkajočega ali nepodprtega DNSSEC.<br><b>Opomba</b>: Če prejemna domena podpira DANE z DNSSEC, je DANE <b>vedno</b> prednost – MTA-STS deluje le kot rezervna možnost.",
+        "mta_sts_version": "Različica",
+        "mta_sts_version_info": "Določa različico standarda MTA-STS – trenutno je veljavna samo različica <code>STSv1</code>.",
+        "mta_sts_mode": "Način",
+        "mta_sts_mode_info": "Na voljo so trije načini:<ul><li><em>testiranje</em> – pravilnik se samo spremlja, kršitve nimajo vpliva.</li><li><em>uveljavljanje</em> – pravilnik se strogo uveljavlja, povezave brez veljavnega TLS so zavrnjene.</li><li><em>brez</em> – pravilnik je objavljen, vendar se ne uporablja.</li></ul>",
+        "mta_sts_max_age": "Najvišja starost",
+        "mta_sts_max_age_info": "Čas v sekundah, ki ga lahko prejemni poštni strežniki shranijo v predpomnilnik, dokler se ne ponovno naloži.",
+        "mta_sts_mx": "MX strežnik",
+        "mta_sts_mx_info": "Omogoča pošiljanje samo na izrecno navedena imena gostiteljskih strežnikov poštnih strežnikov; pošiljajoči MTA preveri, ali se ime gostitelja DNS MX ujema s seznamom pravilnikov, in dovoljuje dostavo le z veljavnim potrdilom TLS (zaščita pred MITM).",
+        "mta_sts_mx_notice": "Določiti je mogoče več strežnikov MX (ločenih z vejicami)."
     },
     "footer": {
         "restart_container_info": "<b>Pomembno:</b> Ugoden ponovni zagon lahko traja nekaj časa, zato počakajte, da se konča.",
@@ -799,7 +814,8 @@
         "other_logins": "ali se prijavite s/z",
         "reset_password": "Ponastavi geslo",
         "request_reset_password": "Zahteva za spremembo gesla",
-        "username": "Uporabniško ime"
+        "username": "Uporabniško ime",
+        "email": "E-poštni naslov"
     },
     "mailbox": {
         "last_mail_login": "Zadnja prijava v e-pošto",

From 5361a4a4ee0e3c9a6434b3728b00e3f9bcf34f1f Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Mon, 1 Sep 2025 12:32:27 +0200
Subject: [PATCH 316/378] updated sponsors in Readme.md

---
 README.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/README.md b/README.md
index 2aad841c2..40288f10e 100644
--- a/README.md
+++ b/README.md
@@ -23,9 +23,6 @@ A big thank you to everyone supporting us on GitHub Sponsors—your contribution
   <a href="https://www.maehdros.com/" target=_blank><img
     src="https://avatars.githubusercontent.com/u/173894712" height="58"
   /></a>
-  <a href="https://macarne.com/" target=_blank><img
-    src="https://avatars.githubusercontent.com/u/149550368?s=200&v=4" height="58"
-  /></a>
 
 ### 50$/Month Sponsors
   <a href="https://github.com/vnukhr" target=_blank><img

From dbde14401461f64b9ddf5c502223809e7e66cda5 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Wed, 3 Sep 2025 08:14:14 +0200
Subject: [PATCH 317/378] update postscreen_access.cidr (#6703)

---
 data/conf/postfix/postscreen_access.cidr | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 1783620dd..35fc1a802 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,6 +1,6 @@
-# Whitelist generated by Postwhite v3.4 on Do 28. Aug 14:05:16 CEST 2025
+# Whitelist generated by Postwhite v3.4 on Mon Sep  1 00:23:07 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2225 total rules
+# 2165 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403::/49	permit
@@ -55,7 +55,7 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.253.44	permit
+13.107.246.40	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -686,8 +686,6 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
-85.9.206.169	permit
-85.9.210.45	permit
 85.158.136.0/21	permit
 85.215.255.39	permit
 85.215.255.40	permit
@@ -736,7 +734,6 @@
 87.248.117.205	permit
 87.253.232.0/21	permit
 89.22.108.0/24	permit
-91.134.188.129	permit
 91.198.2.0/24	permit
 91.211.240.0/22	permit
 94.236.119.0/26	permit
@@ -1669,7 +1666,7 @@
 170.10.132.56/29	permit
 170.10.132.64/29	permit
 170.10.133.0/24	permit
-172.217.0.0/19	permit
+172.217.0.0/20	permit
 172.217.32.0/20	permit
 172.217.128.0/19	permit
 172.217.160.0/20	permit
@@ -1798,8 +1795,6 @@
 193.142.157.0/24	permit
 193.142.157.191	permit
 193.142.157.198	permit
-193.201.168.38	permit
-193.201.168.170/31	permit
 194.19.134.0/25	permit
 194.25.134.16/28	permit
 194.25.134.80/28	permit

From 34877ecf9c976f52ccff73311a1424021d4b2e68 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 3 Sep 2025 08:18:04 +0200
Subject: [PATCH 318/378] watchdog: added postfix-tlspol check (#6691)

---
 data/Dockerfiles/watchdog/watchdog.sh | 37 +++++++++++++++++++++++++++
 docker-compose.yml                    |  1 +
 2 files changed, 38 insertions(+)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index a087ca5f1..558aaa197 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -450,6 +450,31 @@ postfix_checks() {
   return 1
 }
 
+postfix-tlspol_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${POSTFIX_TLSPOL_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/postfix-tlspol-mailcow; echo "$(tail -50 /tmp/postfix-tlspol-mailcow)" > /tmp/postfix-tlspol-mailcow
+    host_ip=$(get_container_ip postfix-tlspol-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 8642 2>> /tmp/postfix-tlspol-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Postfix TLS Policy companion" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
 clamd_checks() {
   err_count=0
   diff_c=0
@@ -927,6 +952,18 @@ PID=$!
 echo "Spawned mailq_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 
+(
+while true; do
+  if ! postfix-tlspol_checks; then
+    log_msg "Postfix TLS Policy hit error limit"
+    echo postfix-tlspol-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned postfix-tlspol_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
 (
 while true; do
   if ! dovecot_checks; then
diff --git a/docker-compose.yml b/docker-compose.yml
index ce33e3d93..0501e43fa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -577,6 +577,7 @@ services:
         - MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1}
         - SOGO_THRESHOLD=${SOGO_THRESHOLD:-3}
         - POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8}
+        - POSTFIX_TLSPOL_THRESHOLD=${POSTFIX_TLSPOL_THRESHOLD:-8}
         - CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15}
         - DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12}
         - DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20}

From 81775ab4d59c4ee3bf2fa113a3388097164a3ca5 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 4 Sep 2025 18:02:11 +0200
Subject: [PATCH 319/378] chore(deps): update actions/stale action to v10
 (#6708)

Signed-off-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/close_old_issues_and_prs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/close_old_issues_and_prs.yml b/.github/workflows/close_old_issues_and_prs.yml
index af5fd807d..91870fd1d 100644
--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@v10.0.0
         with:
           repo-token: ${{ secrets.STALE_ACTION_PAT }}
           days-before-stale: 60

From 06db1d6a72ce65cd5e464eab7f2b1970da555b49 Mon Sep 17 00:00:00 2001
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Date: Fri, 5 Sep 2025 03:37:59 +0200
Subject: [PATCH 320/378] [Rspamd] Do not increment rate limit for emails from
 user to himself (#6706)

* [Rspamd] Do not increment rate limit for emails from user to himself

* Lowercase username and recipient address for comparison

Normalize username and recipient address comparison to lowercase.
---
 data/conf/rspamd/lua/rspamd.local.lua | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index 5fe66f75f..2bf328e5b 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -454,12 +454,18 @@ rspamd_config:register_symbol({
     local redis_params = rspamd_parse_redis_server('dyn_rl')
     local rspamd_logger = require "rspamd_logger"
     local envfrom = task:get_from(1)
+    local envrcpt = task:get_recipients(1) or {}
     local uname = task:get_user()
     if not envfrom or not uname then
       return false
     end
+
     local uname = uname:lower()
 
+    if #envrcpt == 1 and envrcpt[1].addr:lower() == uname then
+      return false
+    end
+
     local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
 
     local function redis_cb_user(err, data)

From f67c0530f56495d4b7a2c3b8816a8140c2f25586 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 9 Sep 2025 10:37:54 +0200
Subject: [PATCH 321/378] [Rspamd][Web] Internal alias support

---
 data/conf/rspamd/dynmaps/settings.php  | 38 ++++++++++++++++++++++++--
 data/web/inc/functions.mailbox.inc.php | 28 ++++++++++++-------
 data/web/inc/init_db.inc.php           |  1 +
 data/web/js/site/mailbox.js            |  9 ++++++
 data/web/lang/lang.de-de.json          |  5 ++++
 data/web/lang/lang.en-gb.json          |  5 ++++
 data/web/templates/edit/alias.twig     |  7 ++++-
 data/web/templates/modals/mailbox.twig |  9 ++++--
 8 files changed, 86 insertions(+), 16 deletions(-)

diff --git a/data/conf/rspamd/dynmaps/settings.php b/data/conf/rspamd/dynmaps/settings.php
index 274e9da28..1b0e6b6e4 100644
--- a/data/conf/rspamd/dynmaps/settings.php
+++ b/data/conf/rspamd/dynmaps/settings.php
@@ -56,7 +56,7 @@ function normalize_email($email) {
     $email = explode('@', $email);
     $email[0] = str_replace('.', '', $email[0]);
     $email = implode('@', $email);
-  } 
+  }
   $gm_alt = "@googlemail.com";
   if (substr_compare($email, $gm_alt, -strlen($gm_alt)) == 0) {
     $email = explode('@', $email);
@@ -114,7 +114,7 @@ function ucl_rcpts($object, $type) {
       $rcpt[] = str_replace('/', '\/', $row['address']);
     }
     // Aliases by alias domains
-    $stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `alias` FROM `mailbox` 
+    $stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `alias` FROM `mailbox`
       LEFT OUTER JOIN `alias_domain` ON `mailbox`.`domain` = `alias_domain`.`target_domain`
       WHERE `mailbox`.`username` = :object");
     $stmt->execute(array(
@@ -184,7 +184,7 @@ while ($row = array_shift($rows)) {
     rcpt = <?=json_encode($rcpt, JSON_UNESCAPED_SLASHES);?>;
 <?php
   }
-  $stmt = $pdo->prepare("SELECT `option`, `value` FROM `filterconf` 
+  $stmt = $pdo->prepare("SELECT `option`, `value` FROM `filterconf`
     WHERE (`option` = 'highspamlevel' OR `option` = 'lowspamlevel')
       AND `object`= :object");
   $stmt->execute(array(':object' => $row['object']));
@@ -468,4 +468,36 @@ while ($row = array_shift($rows)) {
 <?php
 }
 ?>
+
+<?php
+// Start internal aliases
+
+$stmt = $pdo->query("SELECT `id`, `address`, `domain` FROM `alias` WHERE `active` = '1' AND `internal` = '1'");
+$aliases = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($alias = array_shift($aliases)) {
+  // build allowed_domains regex and add target domain and alias domains
+  $stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain` WHERE `active` = '1' AND `target_domain` = :target_domain");
+  $stmt->execute(array(':target_domain' => $alias['domain']));
+  $allowed_domains = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  $allowed_domains = array_map(function($item) {
+    return str_replace('.', '\.', $item['alias_domain']);
+  }, $allowed_domains);
+  $allowed_domains[] = str_replace('.', '\.', $alias['domain']);
+  $allowed_domains = implode('|', $allowed_domains);
+?>
+  internal_alias_<?=$alias['id'];?> {
+    priority = 10;
+    rcpt = "<?=$alias['address'];?>";
+    from = "/^((?!.*@(<?=$allowed_domains;?>)).)*$/";
+    apply "default" {
+      MAILCOW_INTERNAL_ALIAS = 9999.0;
+    }
+    symbols [
+      "MAILCOW_INTERNAL_ALIAS"
+    ]
+  }
+<?php
+}
+?>
+
 }
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index a74d182cf..a0199fbdc 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -684,15 +684,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           return true;
         break;
         case 'alias':
-          $addresses  = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['address']));
-          $gotos      = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['goto']));
-          $active = intval($_data['active']);
-          $sogo_visible = intval($_data['sogo_visible']);
-          $goto_null = intval($_data['goto_null']);
-          $goto_spam = intval($_data['goto_spam']);
-          $goto_ham = intval($_data['goto_ham']);
+          $addresses       = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['address']));
+          $gotos           = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['goto']));
+          $internal        = intval($_data['internal']);
+          $active          = intval($_data['active']);
+          $sogo_visible    = intval($_data['sogo_visible']);
+          $goto_null       = intval($_data['goto_null']);
+          $goto_spam       = intval($_data['goto_spam']);
+          $goto_ham        = intval($_data['goto_ham']);
           $private_comment = $_data['private_comment'];
-          $public_comment = $_data['public_comment'];
+          $public_comment  = $_data['public_comment'];
           if (strlen($private_comment) > 160 | strlen($public_comment) > 160){
             $_SESSION['return'][] = array(
               'type' => 'danger',
@@ -842,8 +843,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
-            $stmt = $pdo->prepare("INSERT INTO `alias` (`address`, `public_comment`, `private_comment`, `goto`, `domain`, `sogo_visible`, `active`)
-              VALUES (:address, :public_comment, :private_comment, :goto, :domain, :sogo_visible, :active)");
+            $stmt = $pdo->prepare("INSERT INTO `alias` (`address`, `public_comment`, `private_comment`, `goto`, `domain`, `sogo_visible`, `internal`, `active`)
+              VALUES (:address, :public_comment, :private_comment, :goto, :domain, :sogo_visible, :internal, :active)");
             if (!filter_var($address, FILTER_VALIDATE_EMAIL) === true) {
               $stmt->execute(array(
                 ':address' => '@'.$domain,
@@ -853,6 +854,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 ':goto' => $goto,
                 ':domain' => $domain,
                 ':sogo_visible' => $sogo_visible,
+                ':internal' => $internal,
                 ':active' => $active
               ));
             }
@@ -864,6 +866,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 ':goto' => $goto,
                 ':domain' => $domain,
                 ':sogo_visible' => $sogo_visible,
+                ':internal' => $internal,
                 ':active' => $active
               ));
             }
@@ -2481,6 +2484,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           foreach ($ids as $id) {
             $is_now = mailbox('get', 'alias_details', $id);
             if (!empty($is_now)) {
+              $internal = (isset($_data['internal'])) ? intval($_data['internal']) : $is_now['internal'];
               $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
               $sogo_visible = (isset($_data['sogo_visible'])) ? intval($_data['sogo_visible']) : $is_now['sogo_visible'];
               $goto_null = (isset($_data['goto_null'])) ? intval($_data['goto_null']) : 0;
@@ -2666,6 +2670,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 `domain` = :domain,
                 `goto` = :goto,
                 `sogo_visible`= :sogo_visible,
+                `internal`= :internal,
                 `active`= :active
                   WHERE `id` = :id");
               $stmt->execute(array(
@@ -2675,6 +2680,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 ':domain' => $domain,
                 ':goto' => $goto,
                 ':sogo_visible' => $sogo_visible,
+                ':internal' => $internal,
                 ':active' => $active,
                 ':id' => $is_now['id']
               ));
@@ -4700,6 +4706,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             `address`,
             `public_comment`,
             `private_comment`,
+            `internal`,
             `active`,
             `sogo_visible`,
             `created`,
@@ -4730,6 +4737,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $aliasdata['goto'] = $row['goto'];
           $aliasdata['address'] = $row['address'];
           (!filter_var($aliasdata['address'], FILTER_VALIDATE_EMAIL)) ? $aliasdata['is_catch_all'] = 1 : $aliasdata['is_catch_all'] = 0;
+          $aliasdata['internal'] = $row['internal'];
           $aliasdata['active'] = $row['active'];
           $aliasdata['active_int'] = $row['active'];
           $aliasdata['sogo_visible'] = $row['sogo_visible'];
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index ecb87c380..1c4f0ebf2 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -184,6 +184,7 @@ function init_db_schema()
           "private_comment" => "TEXT",
           "public_comment" => "TEXT",
           "sogo_visible" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "internal" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
         ),
         "keys" => array(
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index 135ec764a..6a04eb241 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -1972,6 +1972,15 @@ jQuery(function($){
           data: 'private_comment',
           defaultContent: ''
         },
+        {
+          title: lang.internal,
+          data: 'internal',
+          defaultContent: '',
+          responsivePriority: 6,
+          render: function (data, type) {
+            return 1==data?'<i class="bi bi-check-lg"><span class="sorting-value">1</span></i>':0==data&&'<i class="bi bi-x-lg"><span class="sorting-value">0</span></i>';
+          }
+        },
         {
           title: lang.active,
           data: 'active',
diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 93b908d6c..b5f3f325d 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -71,6 +71,8 @@
         "goto_spam": "Nachrichten als <span class=\"text-danger\"><b>Spam</b></span> lernen",
         "hostname": "Host",
         "inactive": "Inaktiv",
+        "internal": "Intern",
+        "internal_info": "Interne Aliasse sind nur von der eigenen Domäne oder Alias-Domänen erreichbar.",
         "kind": "Art",
         "mailbox_quota_def": "Standard-Quota einer Mailbox",
         "mailbox_quota_m": "Max. Speicherplatz pro Mailbox (MiB)",
@@ -690,6 +692,8 @@
         "grant_types": "Grant-types",
         "hostname": "Servername",
         "inactive": "Inaktiv",
+        "internal": "Intern",
+        "internal_info": "Interne Aliasse sind nur von der eigenen Domäne oder Alias-Domänen erreichbar.",
         "kind": "Art",
         "last_modified": "Zuletzt geändert",
         "lookup_mx": "Ziel mit MX vergleichen (Regex, etwa <code>.*\\.google\\.com</code>, um alle Ziele mit MX *google.com zu routen)",
@@ -923,6 +927,7 @@
         "in_use": "Prozentualer Gebrauch",
         "inactive": "Inaktiv",
         "insert_preset": "Beispiel \"%s\" laden",
+        "internal": "Intern",
         "kind": "Art",
         "last_mail_login": "Letzter Mail-Login",
         "last_modified": "Zuletzt geändert",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 0af0e59b0..d46e4606c 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -71,6 +71,8 @@
         "goto_spam": "Learn as <span class=\"text-danger\"><b>spam</b></span>",
         "hostname": "Host",
         "inactive": "Inactive",
+        "internal": "Internal",
+        "internal_info": "Internal aliases are only accessible from the own domain or alias domains.",
         "kind": "Kind",
         "mailbox_quota_def": "Default mailbox quota",
         "mailbox_quota_m": "Max. quota per mailbox (MiB)",
@@ -690,6 +692,8 @@
         "grant_types": "Grant types",
         "hostname": "Hostname",
         "inactive": "Inactive",
+        "internal": "Internal",
+        "internal_info": "Internal aliases are only accessible from the own domain or alias domains.",
         "kind": "Kind",
         "last_modified": "Last modified",
         "lookup_mx": "Destination is a regular expression to match against MX name (<code>.*\\.google\\.com</code> to route all mail targeted to a MX ending in google.com over this hop)",
@@ -928,6 +932,7 @@
         "in_use": "In use (%)",
         "inactive": "Inactive",
         "insert_preset": "Insert example preset \"%s\"",
+        "internal": "Internal",
         "kind": "Kind",
         "last_mail_login": "Last mail login",
         "last_modified": "Last modified",
diff --git a/data/web/templates/edit/alias.twig b/data/web/templates/edit/alias.twig
index 48d19617b..64a6e706b 100644
--- a/data/web/templates/edit/alias.twig
+++ b/data/web/templates/edit/alias.twig
@@ -6,6 +6,7 @@
 <br>
 <form class="form-horizontal" data-id="editalias" role="form" method="post">
   <input type="hidden" value="0" name="active">
+  <input type="hidden" value="0" name="internal">
   {% if not skip_sogo %}
   <input type="hidden" value="0" name="sogo_visible">
   {% endif %}
@@ -33,8 +34,12 @@
       <div class="form-check">
         <label><input type="checkbox" class="form-check-input" value="1" name="sogo_visible"{% if result.sogo_visible == '1' %} checked{% endif %}> {{ lang.edit.sogo_visible }}</label>
       </div>
-      <p class="text-muted">{{ lang.edit.sogo_visible_info }}</p>
+      <small class="text-muted d-block mb-2">{{ lang.edit.sogo_visible_info }}</small>
       {% endif %}
+      <div class="form-check">
+        <label><input type="checkbox" class="form-check-input" value="1" name="internal"{% if result.internal == '1' %} checked{% endif %}> {{ lang.edit.internal }}</label>
+      </div>
+      <small class="text-muted d-block">{{ lang.edit.internal_info }}</small>
     </div>
   </div>
   <hr>
diff --git a/data/web/templates/modals/mailbox.twig b/data/web/templates/modals/mailbox.twig
index 0c164332b..1e8ee53fa 100644
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -777,6 +777,7 @@
       <div class="modal-body">
         <form class="form-horizontal" data-cached-form="true" role="form" data-id="add_alias">
           <input type="hidden" value="0" name="active">
+          <input type="hidden" value="0" name="internal">
           <div class="row mb-2">
             <label class="control-label col-sm-2 text-sm-end" for="address">{{ lang.add.alias_address }}</label>
             <div class="col-sm-10">
@@ -803,11 +804,15 @@
               <div class="form-check">
                 <label><input type="checkbox" class="form-check-input" value="1" name="sogo_visible" checked> {{ lang.edit.sogo_visible }}</label>
               </div>
-              <p class="text-muted">{{ lang.edit.sogo_visible_info }}</p>
+              <small class="text-muted d-block mb-2">{{ lang.edit.sogo_visible_info }}</small>
               {% endif %}
+              <div class="form-check">
+                <label><input type="checkbox" class="form-check-input" value="1" name="internal"> {{ lang.add.internal }}</label>
+              </div>
+              <small class="text-muted d-block">{{ lang.edit.internal_info }}</small>
             </div>
           </div>
-          <div class="row mb-2">
+          <div class="row mb-4">
             <div class="offset-sm-2 col-sm-10">
               <div class="form-check">
                 <label><input type="checkbox" class="form-check-input" value="1" name="active" checked> {{ lang.add.active }}</label>

From 8d7235b5356f61e6a4a822b1bbeffba32b476e57 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 9 Sep 2025 10:52:19 +0200
Subject: [PATCH 322/378] [RSPAMD] Add boundary if present when applying
 domain-wide footer

---
 data/conf/rspamd/lua/rspamd.local.lua | 32 +++++++++++++++------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index 2bf328e5b..9d0a58bcf 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -550,13 +550,13 @@ rspamd_config:register_symbol({
     -- determine newline type
     local function newline(task)
       local t = task:get_newlines_type()
-    
+
       if t == 'cr' then
         return '\r'
       elseif t == 'lf' then
         return '\n'
       end
-    
+
       return '\r\n'
     end
     -- retrieve footer
@@ -564,7 +564,7 @@ rspamd_config:register_symbol({
       if err or type(data) ~= 'string' then
         rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err)
       else
-        
+
         -- parse json string
         local footer = cjson.decode(data)
         if not footer then
@@ -613,26 +613,30 @@ rspamd_config:register_symbol({
             if footer.plain and footer.plain ~= "" then
               footer.plain = lua_util.jinja_template(footer.plain, replacements, true)
             end
-  
+
             -- add footer
             local out = {}
             local rewrite = lua_mime.add_text_footer(task, footer.html, footer.plain) or {}
-        
+
             local seen_cte
             local newline_s = newline(task)
-        
+
             local function rewrite_ct_cb(name, hdr)
               if rewrite.need_rewrite_ct then
                 if name:lower() == 'content-type' then
-                  local nct = string.format('%s: %s/%s; charset=utf-8',
-                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype)
+                  -- include boundary if present
+                  local boundary_part = rewrite.new_ct.boundary and
+                    string.format('; boundary="%s"', rewrite.new_ct.boundary) or ''
+                  local nct = string.format('%s: %s/%s; charset=utf-8%s',
+                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype, boundary_part)
                   out[#out + 1] = nct
-                  -- update Content-Type header
+                  -- update Content-Type header (include boundary if present)
                   task:set_milter_reply({
                     remove_headers = {['Content-Type'] = 0},
                   })
                   task:set_milter_reply({
-                    add_headers = {['Content-Type'] = string.format('%s/%s; charset=utf-8', rewrite.new_ct.type, rewrite.new_ct.subtype)}
+                    add_headers = {['Content-Type'] = string.format('%s/%s; charset=utf-8%s',
+                      rewrite.new_ct.type, rewrite.new_ct.subtype, boundary_part)}
                   })
                   return
                 elseif name:lower() == 'content-transfer-encoding' then
@@ -651,16 +655,16 @@ rspamd_config:register_symbol({
               end
               out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
             end
-        
+
             task:headers_foreach(rewrite_ct_cb, {full = true})
-        
+
             if not seen_cte and rewrite.need_rewrite_ct then
               out[#out + 1] = string.format('%s: %s', 'Content-Transfer-Encoding', 'quoted-printable')
             end
-        
+
             -- End of headers
             out[#out + 1] = newline_s
-        
+
             if rewrite.out then
               for _,o in ipairs(rewrite.out) do
                 out[#out + 1] = o

From 1e192e14f4e16d7644a7efd5594e5c31f70a0fe4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 9 Sep 2025 11:09:09 +0200
Subject: [PATCH 323/378] [Web] Only include mailcow_info in JS when
 mailcow_cc_username is set

---
 data/web/templates/base.twig | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/data/web/templates/base.twig b/data/web/templates/base.twig
index 642d130a5..a8d0f6f39 100644
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -166,6 +166,7 @@
   var lang_danger = {{ lang_danger|raw }};
   var docker_timeout = {{ docker_timeout|raw }} * 1000;
   var mailcow_cc_role = '{{ mailcow_cc_role }}';
+  {% if mailcow_cc_username %}
   var mailcow_info = {
     version_tag: '{{ mailcow_info.version_tag }}',
     last_version_tag: '{{ mailcow_info.last_version_tag }}',
@@ -175,6 +176,17 @@
     project_repo: '{{ mailcow_info.git_repo }}',
     branch: '{{ mailcow_info.mailcow_branch }}'
   };
+  {% else %}
+  var mailcow_info = {
+    version_tag: '',
+    last_version_tag: '',
+    updatedAt: '',
+    project_url: '',
+    project_owner: '',
+    project_repo: '',
+    branch: ''
+  };
+  {% endif %}
 
 $(window).scroll(function() {
   sessionStorage.scrollTop = $(this).scrollTop();

From 13f7f9830b056e1a1fe8aee51884323cb5bcebae Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 9 Sep 2025 12:11:19 +0200
Subject: [PATCH 324/378] Prevent user login if protocol access has been
 disabled

---
 data/conf/dovecot/auth/mailcowauth.php |  8 ++++----
 data/web/inc/functions.auth.inc.php    | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index c625522ba..06c0bd995 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -86,7 +86,7 @@ if ($result === false){
     'remote_addr' => $post['real_rip']
   ));
   if ($result) {
-    error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
     set_sasl_log($post['username'], $post['real_rip'], $post['service']);
   }
 }
@@ -94,9 +94,9 @@ if ($result === false){
   // Init Identity Provider
   $iam_provider = identity_provider('init');
   $iam_settings = identity_provider('get');
-  $result = user_login($post['username'], $post['password'], array('is_internal' => true));
+  $result = user_login($post['username'], $post['password'], array('is_internal' => true, 'service' => $post['service']));
   if ($result) {
-    error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
+    error_log('MAILCOWAUTH: User auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
     set_sasl_log($post['username'], $post['real_rip'], $post['service']);
   }
 }
@@ -105,7 +105,7 @@ if ($result) {
   http_response_code(200); // OK
   $return['success'] = true;
 } else {
-  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
   http_response_code(401); // Unauthorized
 }
 
diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index f1c70103e..059dd4cd9 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -193,6 +193,7 @@ function user_login($user, $pass, $extra = null){
   global $iam_settings;
 
   $is_internal = $extra['is_internal'];
+  $service = $extra['service'];
 
   if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
     if (!$is_internal){
@@ -235,6 +236,14 @@ function user_login($user, $pass, $extra = null){
       $row = $stmt->fetch(PDO::FETCH_ASSOC);
 
       if (!empty($row)) {
+        // check if user has access to service (imap, smtp, pop3, sieve) if service is set
+        $row['attributes'] = json_decode($row['attributes'], true);
+        if (isset($service)) {
+          $key = strtolower($service) . "_access";
+          if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
+            return false;
+          }
+        }
         return true;
       }
     }
@@ -242,7 +251,14 @@ function user_login($user, $pass, $extra = null){
     return false;
   }
 
+  // check if user has access to service (imap, smtp, pop3, sieve) if service is set
   $row['attributes'] = json_decode($row['attributes'], true);
+  if (isset($service)) {
+    $key = strtolower($service) . "_access";
+    if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
+      return false;
+    }
+  }
   switch ($row['authsource']) {
     case 'keycloak':
       // user authsource is keycloak, try using via rest flow

From 8c8497d885b816397b36bc11470e11c459a6b98c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 9 Sep 2025 12:50:19 +0200
Subject: [PATCH 325/378] [Rspamd] only recreate external_services.conf file if
 it was deleted

---
 data/Dockerfiles/rspamd/docker-entrypoint.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/rspamd/docker-entrypoint.sh b/data/Dockerfiles/rspamd/docker-entrypoint.sh
index 7385488b0..a764725cb 100755
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -86,7 +86,8 @@ if [[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
     rm /etc/rspamd/local.d/external_services.conf
   fi
 else
-  cat <<EOF > /etc/rspamd/local.d/external_services.conf
+  if [[ ! -f /etc/rspamd/local.d/external_services.conf ]]; then
+    cat <<EOF > /etc/rspamd/local.d/external_services.conf
 oletools {
   # default olefy settings
   servers = "olefy:10055";
@@ -100,6 +101,7 @@ oletools {
   retransmits = 1;
 }
 EOF
+  fi
 fi
 
 # Provide additional lua modules

From 8cb25709aea2f715cbac5ba7fd89130181fd98ec Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Wed, 10 Sep 2025 08:23:22 +0200
Subject: [PATCH 326/378] [Clamd] update to 1.71

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 0501e43fa..874933bf0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -65,7 +65,7 @@ services:
             - redis
 
     clamd-mailcow:
-      image: ghcr.io/mailcow/clamd:1.70
+      image: ghcr.io/mailcow/clamd:1.71
       restart: always
       depends_on:
         unbound-mailcow:

From 1c438330c6c21f6b5b065aee65adef453b4dc4ce Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Wed, 10 Sep 2025 10:14:37 +0200
Subject: [PATCH 327/378] [postfix-tlspol] build with NOOPT=1 for wider CPU
 compatibility

---
 data/Dockerfiles/postfix-tlspol/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/Dockerfiles/postfix-tlspol/Dockerfile b/data/Dockerfiles/postfix-tlspol/Dockerfile
index 95a035265..c32f86f57 100644
--- a/data/Dockerfiles/postfix-tlspol/Dockerfile
+++ b/data/Dockerfiles/postfix-tlspol/Dockerfile
@@ -3,6 +3,7 @@ WORKDIR /src
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
+		NOOPT=1 \
     VERSION=1.8.14
 
 RUN git clone --branch v${VERSION} https://github.com/Zuplu/postfix-tlspol && \

From 262fe04286cab6d9d1690699022ac19808cfe26c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Wed, 10 Sep 2025 11:17:34 +0200
Subject: [PATCH 328/378] change MAJOR_VERSIONS 2025-08 to 2025-09

---
 _modules/scripts/core.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh
index ab67f25c6..f71368d24 100644
--- a/_modules/scripts/core.sh
+++ b/_modules/scripts/core.sh
@@ -185,7 +185,7 @@ detect_major_update() {
     MAJOR_VERSIONS=(
       "2025-02"
       "2025-03"
-      "2025-08"
+      "2025-09"
     )
 
     current_version=""

From 94c1a6c4e1f8901e38e4562dd208cc026277fab8 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Wed, 10 Sep 2025 16:20:58 +0200
Subject: [PATCH 329/378] scripts:  ipv6_controller improvement + fix modules
 handling (#6722)

* Fix subscript handling for modules

* ipv6: detect case when link local is present

* v6-controller: removed fixed-cidr for docker 28+
---
 _modules/scripts/ipv6_controller.sh | 148 ++++++++++++++++++++--------
 generate_config.sh                  |  21 ++++
 helper-scripts/_cold-standby.sh     |   2 +-
 update.sh                           |  16 ++-
 4 files changed, 145 insertions(+), 42 deletions(-)

diff --git a/_modules/scripts/ipv6_controller.sh b/_modules/scripts/ipv6_controller.sh
index de5272048..1ff5eb198 100644
--- a/_modules/scripts/ipv6_controller.sh
+++ b/_modules/scripts/ipv6_controller.sh
@@ -5,14 +5,65 @@
 
 # 1) Check if the host supports IPv6
 get_ipv6_support() {
-  if grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null \
-    || ! ip -6 route show default &>/dev/null; then
+  # ---- helper: probe external IPv6 connectivity without DNS ----
+  _probe_ipv6_connectivity() {
+    # Use literal, always-on IPv6 echo responders (no DNS required)
+    local PROBE_IPS=("2001:4860:4860::8888" "2606:4700:4700::1111")
+    local ip rc=1
+
+    for ip in "${PROBE_IPS[@]}"; do
+      if command -v ping6 &>/dev/null; then
+        ping6 -c1 -W2 "$ip" &>/dev/null || ping6 -c1 -w2 "$ip" &>/dev/null
+        rc=$?
+      elif command -v ping &>/dev/null; then
+        ping -6 -c1 -W2 "$ip" &>/dev/null || ping -6 -c1 -w2 "$ip" &>/dev/null
+        rc=$?
+      else
+        rc=1
+      fi
+      [[ $rc -eq 0 ]] && return 0
+    done
+    return 1
+  }
+
+  if [[ ! -f /proc/net/if_inet6 ]] || grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null; then
     DETECTED_IPV6=false
-    echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
-  else
-    DETECTED_IPV6=true
-    echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+    echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}IPv6 is administratively disabled${YELLOW}.${NC}"
+    return
   fi
+
+  if ip -6 route show default 2>/dev/null | grep -qE '^default'; then
+    echo -e "${YELLOW}Default IPv6 route found – testing external IPv6 connectivity...${NC}"
+    if _probe_ipv6_connectivity; then
+      DETECTED_IPV6=true
+      echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+    else
+      DETECTED_IPV6=false
+      echo -e "${YELLOW}Default IPv6 route present but external IPv6 connectivity failed – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+    fi
+    return
+  fi
+
+  if ip -6 addr show scope global 2>/dev/null | grep -q 'inet6'; then
+    DETECTED_IPV6=false
+    echo -e "${YELLOW}Global IPv6 address present but no default route – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+    return
+  fi
+
+  if ip -6 addr show scope link 2>/dev/null | grep -q 'inet6'; then
+    echo -e "${YELLOW}Only link-local IPv6 addresses found – testing external IPv6 connectivity...${NC}"
+    if _probe_ipv6_connectivity; then
+      DETECTED_IPV6=true
+      echo -e "External IPv6 connectivity available – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+    else
+      DETECTED_IPV6=false
+      echo -e "${YELLOW}Only link-local IPv6 present and no external connectivity – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+    fi
+    return
+  fi
+
+  DETECTED_IPV6=false
+  echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
 }
 
 # 2) Ensure Docker daemon.json has (or create) the required IPv6 settings
@@ -21,7 +72,7 @@ docker_daemon_edit(){
   DOCKER_MAJOR=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1)
   MISSING=()
 
-  _has_kv() { grep -Eq "\"$1\"\s*:\s*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; }
+  _has_kv() { grep -Eq "\"$1\"[[:space:]]*:[[:space:]]*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; }
 
   if [[ -f "$DOCKER_DAEMON_CONFIG" ]]; then
 
@@ -38,12 +89,18 @@ docker_daemon_edit(){
     fi
 
     # Gather missing keys
-    ! _has_kv ipv6 true       && MISSING+=("ipv6: true")
-    ! grep -Eq '"fixed-cidr-v6"\s*:\s*".+"' "$DOCKER_DAEMON_CONFIG" \
-                              && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
-    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -le 27 ]]; then
+    ! _has_kv ipv6 true && MISSING+=("ipv6: true")
+
+    # For Docker < 28, keep requiring fixed-cidr-v6 (default bridge needs it on old engines)
+    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
+      ! grep -Eq '"fixed-cidr-v6"[[:space:]]*:[[:space:]]*".+"' "$DOCKER_DAEMON_CONFIG" \
+                                && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
+    fi
+
+    # For Docker < 27, ip6tables needed and was tied to experimental in older releases
+    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
       _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true")
-      ! _has_kv experimental true                 && MISSING+=("experimental: true")
+      ! _has_kv experimental true && MISSING+=("experimental: true")
     fi
 
     # Fix if needed
@@ -60,9 +117,19 @@ docker_daemon_edit(){
         cp "$DOCKER_DAEMON_CONFIG" "${DOCKER_DAEMON_CONFIG}.bak"
         if command -v jq &>/dev/null; then
           TMP=$(mktemp)
-          JQ_FILTER='.ipv6 = true | .["fixed-cidr-v6"] = "fd00:dead:beef:c0::/80"'
-          [[ "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]] \
-            && JQ_FILTER+=' | .ip6tables = true | .experimental = true'
+          # Base filter: ensure ipv6 = true
+          JQ_FILTER='.ipv6 = true'
+
+          # Add fixed-cidr-v6 only for Docker < 28
+          if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
+            JQ_FILTER+=' | .["fixed-cidr-v6"] = (.["fixed-cidr-v6"] // "fd00:dead:beef:c0::/80")'
+          fi
+
+          # Add ip6tables/experimental only for Docker < 27
+          if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
+            JQ_FILTER+=' | .ip6tables = true | .experimental = true'
+          fi
+
           jq "$JQ_FILTER" "$DOCKER_DAEMON_CONFIG" >"$TMP" && mv "$TMP" "$DOCKER_DAEMON_CONFIG"
           echo -e "${LIGHT_GREEN}daemon.json updated. Restarting Docker...${NC}"
           (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart
@@ -97,12 +164,19 @@ docker_daemon_edit(){
   "experimental": true
 }
 EOF
-      else
+      elif [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
         cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {
   "ipv6": true,
   "fixed-cidr-v6": "fd00:dead:beef:c0::/80"
 }
+EOF
+      else
+        # Docker 28+: ipv6 works without fixed-cidr-v6
+        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
+{
+  "ipv6": true
+}
 EOF
       fi
       echo -e "${GREEN}Created $DOCKER_DAEMON_CONFIG with IPv6 settings.${NC}"
@@ -122,7 +196,7 @@ configure_ipv6() {
   # detect manual override if mailcow.conf is present
   if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]] && grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
     MANUAL_SETTING=$(grep '^ENABLE_IPV6=' "$MAILCOW_CONF" | cut -d= -f2)
-  elif [[ -z "$MAILCOW_CONF" ]] && [[ ! -z "${ENABLE_IPV6:-}" ]]; then
+  elif [[ -z "$MAILCOW_CONF" ]] && [[ -n "${ENABLE_IPV6:-}" ]]; then
     MANUAL_SETTING="$ENABLE_IPV6"
   else
     MANUAL_SETTING=""
@@ -131,38 +205,34 @@ configure_ipv6() {
   get_ipv6_support
 
   # if user manually set it, check for mismatch
-  if [[ -n "$MANUAL_SETTING" ]]; then
-    if [[ "$MANUAL_SETTING" == "false" && "$DETECTED_IPV6" == "true" ]]; then
-      echo -e "${RED}ERROR: You have ENABLE_IPV6=false but your host and Docker support IPv6.${NC}"
-      echo -e "${RED}This can create an open relay. Please set ENABLE_IPV6=true in your mailcow.conf and re-run.${NC}"
-      exit 1
-    elif [[ "$MANUAL_SETTING" == "true" && "$DETECTED_IPV6" == "false" ]]; then
-      echo -e "${RED}ERROR: You have ENABLE_IPV6=true but your host does not support IPv6.${NC}"
-      echo -e "${RED}Please disable or fix your host/Docker IPv6 support, or set ENABLE_IPV6=false.${NC}"
-      exit 1
+  if [[ "$DETECTED_IPV6" != "true" ]]; then
+    if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
+      if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
+        sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=false/' "$MAILCOW_CONF"
+      else
+        echo "ENABLE_IPV6=false" >> "$MAILCOW_CONF"
+      fi
     else
-      return
+      export IPV6_BOOL=false
     fi
-  fi
-
-  # no manual override: proceed to set or export
-  if [[ "$DETECTED_IPV6" == "true" ]]; then
-    docker_daemon_edit
-  else
     echo "Skipping Docker IPv6 configuration because host does not support IPv6."
+    echo "Make sure to check if your docker daemon.json does not include \"enable_ipv6\": true if you do not want IPv6."
+    echo "IPv6 configuration complete: ENABLE_IPV6=false"
+    sleep 2
+    return
   fi
 
-  # now write into mailcow.conf or export
+  docker_daemon_edit
+
   if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
-    LINE="ENABLE_IPV6=$DETECTED_IPV6"
     if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
-      sed -i "s/^ENABLE_IPV6=.*/$LINE/" "$MAILCOW_CONF"
+      sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=true/' "$MAILCOW_CONF"
     else
-      echo "$LINE" >> "$MAILCOW_CONF"
+      echo "ENABLE_IPV6=true" >> "$MAILCOW_CONF"
     fi
   else
-    export IPV6_BOOL="$DETECTED_IPV6"
+    export IPV6_BOOL=true
   fi
 
-  echo "IPv6 configuration complete: ENABLE_IPV6=$DETECTED_IPV6"
+  echo "IPv6 configuration complete: ENABLE_IPV6=true"
 }
\ No newline at end of file
diff --git a/generate_config.sh b/generate_config.sh
index 9610bf18d..2dba91d51 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -1,5 +1,26 @@
 #!/usr/bin/env bash
 
+# Ensure the script is run from the directory that contains a link of .env
+# Resolve the directory this script lives in for consistent behavior when invoked from elsewhere
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" >/dev/null 2>&1 && pwd)"
+
+# Ensure script is executed in the mailcow installation directory by checking for a .env symlink that points to mailcow.conf
+if [ ! -L "${PWD}/.env" ]; then
+  echo -e "\e[33mPlease run this script from the mailcow installation directory.\e[0m"
+  echo -e "  \e[36mcd /path/to/mailcow && ./generate_config.sh\e[0m"
+  exit 1
+fi
+
+# Verify the .env symlink points to a mailcow.conf file
+env_target="$(readlink -f "${PWD}/.env" 2>/dev/null || true)"
+if [ -z "$env_target" ] || [ "$(basename "$env_target")" != "mailcow.conf" ]; then
+  echo -e "\e[31mThe found .env symlink does not point to a mailcow.conf file.\e[0m"
+  echo -e "\e[33mPlease create a symbolic link .env -> mailcow.conf inside the mailcow directory and run this script there.\e[0m"
+  echo -e "\e[33mNote: 'ln -s mailcow.conf .env' will create the symlink even if mailcow.conf does not yet exist.\e[0m"
+  echo -e "  \e[36mcd /path/to/mailcow && ln -s mailcow.conf .env && ./generate_config.sh\e[0m"
+  exit 1
+fi
+
 # Load mailcow Generic Scripts
 source _modules/scripts/core.sh
 source _modules/scripts/ipv6_controller.sh
diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh
index bfda3ba94..f02436a95 100755
--- a/helper-scripts/_cold-standby.sh
+++ b/helper-scripts/_cold-standby.sh
@@ -293,7 +293,7 @@ if ! ssh -o StrictHostKeyChecking=no \
   -i "${REMOTE_SSH_KEY}" \
   ${REMOTE_SSH_HOST} \
   -p ${REMOTE_SSH_PORT} \
-  ${SCRIPT_DIR}/../update.sh -f --gc ; then
+  "cd \"${SCRIPT_DIR}/../\" && ./update.sh -f --gc" ; then
     >&2 echo -e "\e[31m[ERR]\e[0m - Could not cleanup old images on remote"
 fi
 
diff --git a/update.sh b/update.sh
index 89dec3e66..4ec0e7e40 100755
--- a/update.sh
+++ b/update.sh
@@ -3,6 +3,20 @@
 ############## Begin Function Section ##############
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+MAILCOW_CONF="${SCRIPT_DIR}/mailcow.conf"
+
+# Ensure the script is run from the directory that contains mailcow.conf
+if [ ! -f "${PWD}/mailcow.conf" ]; then
+  if [ -f "${SCRIPT_DIR}/mailcow.conf" ]; then
+    echo -e "\e[33mPlease run this script directly from the mailcow installation directory:\e[0m"
+    echo -e "  \e[36mcd ${SCRIPT_DIR} && ./update.sh\e[0m"
+    exit 1
+  else
+    echo -e "\e[31mmailcow.conf not found in current directory or script directory (\e[36m${SCRIPT_DIR}\e[31m).\e[0m"
+    echo -e "\e[33mRun this script directly from your mailcow installation directory.\e[0m"
+    exit 1
+  fi
+fi
 BRANCH="$(cd "${SCRIPT_DIR}" && git rev-parse --abbrev-ref HEAD)"
 
 MODULE_DIR="${SCRIPT_DIR}/_modules"
@@ -27,8 +41,6 @@ if [ "$(id -u)" -ne "0" ]; then
   exit 1
 fi
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
 # Run pre-update-hook
 if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then
   bash "${SCRIPT_DIR}/pre_update_hook.sh"

From 642ac6d02cac69eec7c323ca4b582b72ff73416d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Thu, 11 Sep 2025 10:34:35 +0200
Subject: [PATCH 330/378] [Web] remove unused bcc dest column from alias table

---
 data/web/js/site/mailbox.js | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index 6a04eb241..df61f8720 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -1949,11 +1949,6 @@ jQuery(function($){
           defaultContent: '',
           responsivePriority: 5,
         },
-        {
-          title: lang.bcc_destinations,
-          data: 'bcc_dest',
-          defaultContent: ''
-        },
         {
           title: lang.sogo_visible,
           data: 'sogo_visible',

From 0d900d4fc8559072c5365f374f6025ebe1961638 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Thu, 11 Sep 2025 11:01:50 +0200
Subject: [PATCH 331/378] [SOGo] Drop deprecated `sogo_update_password` sql
 trigger if it still exists

---
 data/Dockerfiles/sogo/bootstrap-sogo.sh | 4 ++++
 docker-compose.yml                      | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index abd398b34..96d8a6919 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -24,6 +24,10 @@ while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
 done
 echo "DB schema is ${DBV_NOW}"
 
+if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
+fi
+
 # cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
 RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 874933bf0..215a196f9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -200,7 +200,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: ghcr.io/mailcow/sogo:1.134
+      image: ghcr.io/mailcow/sogo:1.135
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From 84e230de8f68705f8cf9b7ef20bc18525275bd35 Mon Sep 17 00:00:00 2001
From: patr_ <30580969+p-atr@users.noreply.github.com>
Date: Fri, 12 Sep 2025 11:17:18 +0200
Subject: [PATCH 332/378] [Nginx] fix: Disable IPv6 support in Nginx
 configuration (#6736)

Co-authored-by: patr_ <patbernh@gmail.com>
---
 data/conf/nginx/templates/nginx.conf.j2 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/conf/nginx/templates/nginx.conf.j2 b/data/conf/nginx/templates/nginx.conf.j2
index d71d63e56..4b32ff15b 100644
--- a/data/conf/nginx/templates/nginx.conf.j2
+++ b/data/conf/nginx/templates/nginx.conf.j2
@@ -78,7 +78,7 @@ http {
         {%endif%}
         listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;
 
-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
         {% if not HTTP_REDIRECT %}
         listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
         {%endif%}
@@ -105,7 +105,7 @@ http {
         {%endif%}
         listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;
 
-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
         {% if not HTTP_REDIRECT %}
         listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
         {%endif%}
@@ -126,7 +126,7 @@ http {
     # rspamd dynmaps:
     server {
         listen 8081;
-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
         listen [::]:8081;
         {%endif%}
         index index.php index.html;
@@ -199,7 +199,7 @@ http {
         {%endif%}
         listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;
 
-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
         {% if not HTTP_REDIRECT %}
         listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
         {%endif%}

From eb26bcbc9417c6d0d2fa35db7ea5e648b48e016f Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sat, 13 Sep 2025 21:41:59 +0200
Subject: [PATCH 333/378] Translations update from Weblate (#6743)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [Web] Updated lang.zh-cn.json

Co-authored-by: Easton Man <me@eastonman.com>

* [Web] Updated lang.si-si.json

[Web] Updated lang.si-si.json

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
Co-authored-by: milkmaker <milkmaker@mailcow.de>

---------

Co-authored-by: Easton Man <me@eastonman.com>
Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 15 ++++++++++-----
 data/web/lang/lang.zh-cn.json | 23 ++++++++++++++++++-----
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 56da00f74..95e23a5cb 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -109,7 +109,9 @@
         "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Info</div> Definirate lahko preslikave transportov za cilj po meri za to domeno. Če ni nastavljena, se ustvari MX poizvedba.",
         "syncjob_hint": "Pozor! Gesla se morajo shraniti v golo besedilo!",
         "timeout2": "Časovna omejitev za povezavo do lokalnega gostitelja",
-        "dry": "Simuliraj sinhronizacijo"
+        "dry": "Simuliraj sinhronizacijo",
+        "internal": "Notranje",
+        "internal_info": "Notranji vzdevki so dostopni samo iz lastne domene ali vzdevkov domen."
     },
     "admin": {
         "access": "Dostop",
@@ -776,7 +778,9 @@
         "mta_sts_max_age_info": "Čas v sekundah, ki ga lahko prejemni poštni strežniki shranijo v predpomnilnik, dokler se ne ponovno naloži.",
         "mta_sts_mx": "MX strežnik",
         "mta_sts_mx_info": "Omogoča pošiljanje samo na izrecno navedena imena gostiteljskih strežnikov poštnih strežnikov; pošiljajoči MTA preveri, ali se ime gostitelja DNS MX ujema s seznamom pravilnikov, in dovoljuje dostavo le z veljavnim potrdilom TLS (zaščita pred MITM).",
-        "mta_sts_mx_notice": "Določiti je mogoče več strežnikov MX (ločenih z vejicami)."
+        "mta_sts_mx_notice": "Določiti je mogoče več strežnikov MX (ločenih z vejicami).",
+        "internal": "Notranje",
+        "internal_info": "Notranji vzdevki so dostopni samo iz lastne domene ali vzdevkov domen."
     },
     "footer": {
         "restart_container_info": "<b>Pomembno:</b> Ugoden ponovni zagon lahko traja nekaj časa, zato počakajte, da se konča.",
@@ -991,7 +995,8 @@
         "yes": "&#10003;",
         "weekly": "Tedensko",
         "sieve_info": "Na uporabnika lahko shranite več filtrov, vendar je lahko hkrati aktiven le en predfilter in en postfilter.<br>\nVsak filter bo obdelan v opisanem vrstnem redu. Niti neuspešen skript niti izdan ukaz »keep;« ne bosta ustavila obdelave nadaljnjih skript. Spremembe globalnih skriptov sita bodo sprožile ponovni zagon Dovecota.<br><br>Globalni predfilter sita &#8226; Predfilter &#8226; Uporabniški skripti &#8226; Postfilter &#8226; Globalni postfilter sita",
-        "tls_policy_maps_info": "Ta preslikava pravilnikov preglasi pravila odhodnega prenosa TLS neodvisno od uporabnikovih nastavitev pravilnikov TLS.<br>\n  Za več informacij preverite <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">dokumentacijo »smtp_tls_policy_maps«</a>."
+        "tls_policy_maps_info": "Ta preslikava pravilnikov preglasi pravila odhodnega prenosa TLS neodvisno od uporabnikovih nastavitev pravilnikov TLS.<br>\n  Za več informacij preverite <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">dokumentacijo »smtp_tls_policy_maps«</a>.",
+        "internal": "Notranje"
     },
     "fido2": {
         "known_ids": "Znani ID-ji",
@@ -1362,7 +1367,7 @@
         "spamfilter_default_score": "Privzete vrednosti",
         "spamfilter_green": "Zelena: to sporočilo ni neželena pošta",
         "spamfilter_hint": "Prva vrednost opisuje »nizko oceno neželene pošte«, druga pa »visoko oceno neželene pošte«.",
-        "spamfilter_red": "Rdeča: To sporočilo je neželena pošta in ga bo strežnik zavrnil.",
+        "spamfilter_red": "Rdeča: To sporočilo je neželena pošta in ga bo strežnik zavrnil",
         "spamfilter_table_action": "Dejanje",
         "spamfilter_table_add": "Dodaj element",
         "spamfilter_table_domain_policy": "ni na voljo (pravilnik domene)",
@@ -1407,7 +1412,7 @@
     "warning": {
         "cannot_delete_self": "Prijavljenega uporabnika ni mogoče izbrisati",
         "domain_added_sogo_failed": "Domena je bila dodana, vendar ponovni zagon SOGo ni uspel. Preverite dnevnike strežnika.",
-        "dovecot_restart_failed": "Dovecota ni uspelo znova zagnati, preverite dnevnike.",
+        "dovecot_restart_failed": "Dovecota ni uspelo znova zagnati, preverite dnevnike",
         "fuzzy_learn_error": "Napaka učenja mehkega zgoščevanja: %s",
         "hash_not_found": "Zgoščena vrednost ni bila najdena ali je bila že izbrisana",
         "ip_invalid": "Preskočen neveljaven IP: %s",
diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index 3c46eb8a4..c2f9cdc35 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -109,7 +109,9 @@
         "username": "用户名",
         "validate": "验证",
         "validation_success": "验证成功",
-        "dry": "模拟同步（Dry run）"
+        "dry": "模拟同步（Dry run）",
+        "internal_info": "内部的别名只能在域内部或者别名域内部访问。",
+        "internal": "内部的"
     },
     "admin": {
         "access": "权限管理",
@@ -405,7 +407,9 @@
         "user_quicklink": "隐藏指向用户登陆页面的快捷链接",
         "admin_quicklink": "隐藏指向管理员登陆页面的快捷链接",
         "force_sso": "强制要求单点登录（SSO）",
-        "user_link": "自定义链接"
+        "user_link": "自定义链接",
+        "app_hide": "在登入界面隐藏",
+        "needs_restart": "需要重启"
     },
     "danger": {
         "access_denied": "访问被拒绝或者表单数据无效",
@@ -546,7 +550,11 @@
         "generic_server_error": "服务器错误。请联系您的管理员。",
         "authsource_in_use": "由于当前有一个或多个用户正在使用该身份提供者（IDP），因此无法更改或删除。",
         "iam_test_connection": "连接失败",
-        "required_data_missing": "缺少需要的 %s 数据"
+        "required_data_missing": "缺少需要的 %s 数据",
+        "max_age_invalid": "最大有效时间 %s 无效",
+        "mode_invalid": "模式 %s 无效",
+        "mx_invalid": "MX 记录 %s 无效",
+        "version_invalid": "版本 %s 无效"
     },
     "debug": {
         "chart_this_server": "图表 (此服务器)",
@@ -732,7 +740,11 @@
         "domain_footer_skip_replies": "在回信中忽略 footer",
         "footer_exclude": "从 footer 中排除",
         "last_modified": "上次修改时间",
-        "pushover_sound": "声音"
+        "pushover_sound": "声音",
+        "internal": "内部的",
+        "internal_info": "内部的别名只能在域内部或者别名域内部访问。",
+        "mta_sts": "邮件传输代理严格传输安全协议（MTA-STS）",
+        "mta_sts_version": "版本"
     },
     "fido2": {
         "confirm": "确认",
@@ -978,7 +990,8 @@
         "relay_unknown": "转发未知信箱",
         "templates": "模板",
         "template": "模板",
-        "iam": "身份提供者（IDP）"
+        "iam": "身份提供者（IDP）",
+        "internal": "内部的"
     },
     "oauth2": {
         "access_denied": "请作为邮箱所有者登录以使用 OAuth2 授权。",

From 2891bbf82ad35a1f8aa3d302c36c7e9e909ccba2 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Tue, 16 Sep 2025 18:24:12 +0200
Subject: [PATCH 334/378] Translations update from Weblate (#6749)

* [Web] Updated lang.cs-cz.json

Co-authored-by: Filip Hajny <filip@hajny.net>

* [Web] Updated lang.lv-lv.json

Co-authored-by: Edgars Andersons <Edgars+Mailcow+Weblate@gaitenis.id.lv>

---------

Co-authored-by: Filip Hajny <filip@hajny.net>
Co-authored-by: Edgars Andersons <Edgars+Mailcow+Weblate@gaitenis.id.lv>
---
 data/web/lang/lang.cs-cz.json |  44 ++++++++++---
 data/web/lang/lang.lv-lv.json | 112 +++++++++++++++++++++-------------
 2 files changed, 103 insertions(+), 53 deletions(-)

diff --git a/data/web/lang/lang.cs-cz.json b/data/web/lang/lang.cs-cz.json
index 9ef0304c8..b3068ab0f 100644
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -24,7 +24,7 @@
         "sogo_access": "Správa přístupu do SOGo",
         "sogo_profile_reset": "Resetování profilu SOGo",
         "spam_alias": "Dočasné aliasy",
-        "spam_policy": "Blacklist/Whitelist",
+        "spam_policy": "Denylist/Allowlist",
         "spam_score": "Skóre spamu",
         "syncjobs": "Synchronizační úlohy",
         "tls_policy": "Pravidla TLS",
@@ -109,7 +109,9 @@
         "validate": "Ověřit",
         "validation_success": "Úspěšně ověřeno",
         "tags": "Štítky",
-        "dry": "Simulovat synchronizaci"
+        "dry": "Simulovat synchronizaci",
+        "internal": "Interní",
+        "internal_info": "Interní aliasy jsou přístupné jen z vlastních domén nebo jejich aliasů."
     },
     "admin": {
         "access": "Přístupy",
@@ -303,7 +305,7 @@
         "rspamd_global_filters": "Mapa globálních filtrů",
         "rspamd_global_filters_agree": "Budu opatrný!",
         "rspamd_global_filters_info": "Mapa globálních filtrů obsahuje jiné globální black- a whitelisty.",
-        "rspamd_global_filters_regex": "Názvy jsou dostatečným vysvětlením. Musí obsahovat jen platné regulární výrazy ve formátu \"/vyraz/parametry\" (e.g. <code>/.+@domena\\.tld/i</code>).<br>\r\n  Každý výraz bude podroben základní kontrole, přesto je možné Rspamd 'rozbít', nebude-li syntax zcela korektní.<br>\r\n  Rspamd se pokusí načíst mapu po každé změně. V případě potíží, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">restartujte Rspamd</a>, aby se konfigurace načetla explicitně.",
+        "rspamd_global_filters_regex": "Názvy stačí k vysvětlení. Položky musejí obsahovat jen platné regulární výrazy ve tvaru \"/vyraz/parametry\" (e.g. <code>/.+@domena\\.tld/i</code>).<br>\n  Každý výraz bude podroben základní kontrole, přesto je možné Rspamd 'rozbít', nebude-li syntax zcela korektní.<br>\n  Rspamd se pokusí po každé změně načíst mapu znovu. V případě potíží <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">restartujte Rspamd</a>, aby se konfigurace načetla explicitně.",
         "rspamd_settings_map": "Nastavení Rspamd",
         "sal_level": "Úroveň 'Moo'",
         "save": "Uložit změny",
@@ -407,7 +409,9 @@
         "iam_extra_permission": "Aby vše fungovalo, musí mít mailcow klient v Keycloaku nastavený <code>servisní účet</code> a povolení <code>view-users</code>.",
         "iam_host": "Hostitel",
         "iam_host_info": "Zadejte jeden či více hostitelů, oddělte čárkou.",
-        "iam_import_users": "Importovat uživatele"
+        "iam_import_users": "Importovat uživatele",
+        "iam_auth_flow": "Proces autentizace",
+        "needs_restart": "potřebuje restart"
     },
     "danger": {
         "access_denied": "Přístup odepřen nebo jsou neplatná data ve formuláři",
@@ -548,7 +552,11 @@
         "img_size_exceeded": "Obrázek má větší než povolenou velikost souboru",
         "invalid_reset_token": "Neplatný resetovací token",
         "required_data_missing": "Chybí potřebný údaj %s",
-        "reset_token_limit_exceeded": "Byl překročen limit na reset tokeny. Zkuste to později."
+        "reset_token_limit_exceeded": "Byl překročen limit na reset tokeny. Zkuste to později.",
+        "max_age_invalid": "Maximální životnost %s není platná",
+        "mode_invalid": "Mód %s není platný",
+        "mx_invalid": "Záznam MX %s není platný",
+        "version_invalid": "Verze %s není platná"
     },
     "datatables": {
         "emptyTable": "Tabulka neobsahuje žádná data",
@@ -759,7 +767,20 @@
         "mailbox_rename_warning": "DŮLEŽITÉ! Vytvořte si zálohu schránky, než ji přejmenujete.",
         "mailbox_rename_alias": "Automaticky vytvořit alias",
         "mailbox_rename_title": "Nový název zdejší schránky",
-        "pushover": "Pushover"
+        "pushover": "Pushover",
+        "internal": "Interní",
+        "internal_info": "Interní aliasy jsou přístupné jen z vlastních domén nebo jejich aliasů.",
+        "mta_sts": "MTA-STS",
+        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> je standard, jenž říká poštovním serverům, aby komunikovaly pomocí TLS s platnými certifikáty. <br>Používá se, pokud není k dispozici <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a>, např. chybí-li či není podporováno DNSSEC.<br><b>Pozn.</b>: Podporuje-li přijímající doména DANE a DNSSEC, bude <b>vždy</b> použito DANE; MTA-STS zůstane jako plán B.",
+        "mta_sts_version": "Verze",
+        "mta_sts_version_info": "Určuje verzi standardu MTA-STS – zatím je podporována jen <code>STSv1</code>.",
+        "mta_sts_mode": "Mód",
+        "mta_sts_mode_info": "K dispozici jsou tři módy:<ul><li><em>testing</em> – pravidlo se jen sleduje, porušení je bez následků.</li><li><em>enforce</em> – pravidlo je důsledně dodržováno, spojení bez platného TLS jsou odmítána.</li><li><em>none</em> – pravidlo je zveřejněno, ale neuplatňuje se.</li></ul>",
+        "mta_sts_max_age": "Maximální životnost",
+        "mta_sts_max_age_info": "Doba v sekundách, po niž poštovní servery mohou toho pravidlo držet v mezipaměti bez nutnosti obnovení.",
+        "mta_sts_mx": "Server MX",
+        "mta_sts_mx_info": "Dovoluje odesílání jen výslovně vypsaným poštovním serverům; odesílající server kontroluje, že server MX určený v DNS odpovídá pravidlu, a povolí doručení jen s platným certifikátem TLS (chrání přes útokem typu MITM).",
+        "mta_sts_mx_notice": "Lze zadat více serverů MX (oddělte čárkou)."
     },
     "fido2": {
         "confirm": "Potvrdit",
@@ -829,7 +850,8 @@
         "login_admintext": "Přihlášení správce",
         "login_user": "Přihlášení uživatele",
         "login_dadmin": "Přihlášení správce domény",
-        "login_admin": "Přihlášení správce"
+        "login_admin": "Přihlášení správce",
+        "email": "Mailová adresa"
     },
     "mailbox": {
         "action": "Akce",
@@ -861,7 +883,7 @@
         "bcc": "BCC",
         "bcc_destination": "Cíl kopie",
         "bcc_destinations": "Cíl kopií",
-        "bcc_info": "Skrytá kopie (mapa BCC) se používá pro tiché předávání kopií všech zpráv na jinou adresu. Mapa příjemců se použije, funguje-li je místní cíl jako adresát zprávy. Totéž platí pro mapy odesílatelů.\nMístní cíl se nedozví, selže-li doručení na cíl BCC.",
+        "bcc_info": "<br/>Skrytá kopie (mapa BCC) se používá pro tiché předávání kopií všech zpráv na jinou adresu. Mapa příjemců se použije, funguje-li je místní cíl jako adresát zprávy. Totéž platí pro mapy odesílatelů.<br/>\n  Místní cíl se nedozví, selže-li doručení na cíl BCC.",
         "bcc_local_dest": "Týká se",
         "bcc_map": "Skrytá kopie",
         "bcc_map_type": "Typ skryté kopie",
@@ -1005,7 +1027,8 @@
         "weekly": "Každý týden",
         "yes": "&#10003;",
         "relay_unknown": "Předávání neexistujících schránek",
-        "iam": "Poskytovatel identity"
+        "iam": "Poskytovatel identity",
+        "internal": "Interní"
     },
     "oauth2": {
         "access_denied": "K udělení přístupu se přihlašte jako vlastník mailové schránky.",
@@ -1082,7 +1105,8 @@
         "hold_mail_legend": "Podrží vybrané e-maily. (Zabrání dalším pokusům o doručení)",
         "show_message": "Zobrazit zprávu",
         "unhold_mail": "Uvolnit",
-        "unhold_mail_legend": "Uvolnit vybrané e-maily k doručení. (Pouze v případě předchozího podržení)"
+        "unhold_mail_legend": "Uvolnit vybrané e-maily k doručení. (Pouze v případě předchozího podržení)",
+        "unban": "odblokovat"
     },
     "ratelimit": {
         "disabled": "Vypnuto",
diff --git a/data/web/lang/lang.lv-lv.json b/data/web/lang/lang.lv-lv.json
index 2b433b8e8..86eb91a66 100644
--- a/data/web/lang/lang.lv-lv.json
+++ b/data/web/lang/lang.lv-lv.json
@@ -39,16 +39,16 @@
         "alias_domain_info": "<small>Tikai derīgi domēna vārdi (komatu atdalīti).</small>",
         "automap": "Mēģiniet automatizēt mapes (\"Nosūtītie vienumi\", \"Nosūtītie\" => \"Nosūtītie\" etc.)",
         "backup_mx_options": "Dublējuma MX iespējas",
-        "delete1": "Dzēst no avota, kad tas ir pabeigts",
+        "delete1": "Izdzēst no avota pēc pabeigšanas",
         "delete2": "Dzēsiet ziņojumus galamērķī, kas nav avotā",
-        "delete2duplicates": "Dzēst dublikātus galamērķī",
+        "delete2duplicates": "Izdzēst atkārtojošos vienumus galamērķī",
         "description": "Apraksts",
         "domain": "Domēns",
         "domain_quota_m": "Kopējā domēna kvota (MiB)",
         "enc_method": "Šifrēšanas metode",
         "exclude": "Izslēgt objektus (regex)",
         "full_name": "Pilns vārds",
-        "goto_null": "Klusām dzēst pastu",
+        "goto_null": "Klusām atmest pastu",
         "hostname": "Saimniekdators",
         "kind": "Veids",
         "mailbox_quota_m": "Maks. kvota pastkastei (MiB)",
@@ -77,12 +77,13 @@
         "target_domain": "Mērķa domēns",
         "username": "Lietotājvārds",
         "validate": "Apstiprināt",
-        "validation_success": "Apstiprināts veiksmīgi",
+        "validation_success": "Sekmīgi apstiprināts",
         "bcc_dest_format": "BCC galamērķim ir jābūt vienai derīgai e-pasta adresei.<br>Ja ir nepieciešams nosūtīt kopiju vairākām adresēm, jāizveido aizstājvārds un jāizmanto tas šeit.",
         "domain_matches_hostname": "Domēns %s atbilst saimniekdatora nosaukumam",
         "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)",
         "app_password": "Pievienot lietotnes paroli",
-        "app_passwd_protocols": "Atļautie lietotnes paroles protokoli"
+        "app_passwd_protocols": "Atļautie lietotnes paroles protokoli",
+        "goto_spam": "Apgūt kā <span class=\"text-danger\"><b>mēstuli</b></span>"
     },
     "admin": {
         "access": "Pieeja",
@@ -115,14 +116,14 @@
         "domain": "Domēns",
         "domain_admins": "Domēna administratori",
         "edit": "Labot",
-        "empty": "Nav rezultātu",
+        "empty": "Nav iznākuma",
         "f2b_ban_time": "Aizlieguma laiks (s)",
         "f2b_max_attempts": "Maks. piegājieni",
         "f2b_netban_ipv4": "IPv4 apakštīkla izmērs, lai piemērotu aizliegumu uz (8-32)",
         "f2b_netban_ipv6": "IPv6 apakštīkla izmērs, lai piemērotu aizliegumu uz (8-128)",
         "f2b_parameters": "Fail2ban parametri",
         "f2b_retry_window": "Atkārtošanas logs (s) priekš maks. piegājiena",
-        "f2b_whitelist": "Baltā saraksta tīkls/hosts",
+        "f2b_whitelist": "Atļautie tīkli/resursdatori",
         "filter_table": "Filtru tabula",
         "forwarding_hosts": "Hostu pārsūtīšana",
         "forwarding_hosts_add_hint": "Var norādīt vai nu IPv4/IPv6 adreses, tīklu ar CIDR apzīmējumu, saimniekdatoru nosaukumus (kas tiks atrisināti IP adresēs) vai arī domēna vārdus (kas tiks atrisināti IP adresēs, vaicājot SPF ierakstus, vai, ja tādu nav, MX ierakstus).",
@@ -181,7 +182,10 @@
         "rspamd_com_settings": "Iestatījuma nosaukums tiks izveidots automātiski. Lūgums zemāk skatīt priekšiestatījumu piemērus. Vairāk informācijas ir <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd dokumentācijā</a>",
         "reset_password_vars": "<code>{{link}}</code> Izveidotā paroles atiestatīšanas saite<br><code>{{username}}</code> Lietotāja, kurš pieprasīja paroles atiestatīšanu, pastkastes nosaukums<br><code>{{username2}}</code> Atkopšanas pastkastes nosaukums<br><code>{{date}}</code> Paroles atiestatīšanas pieprasījuma veikšanas datums<br><code>{{token_lifetime}}</code> Pilnvaras derīgums minūtēs<br><code>{{hostname}}</code> mailcow saimniekdatora nosaukums",
         "ui_header_announcement_help": "Paziņojums ir redzams visiem lietotājiem, kuri ir pieteikušies, un pieteikšanās ekrānā saskarnē.",
-        "login_time": "Pieteikšanās laiks"
+        "login_time": "Pieteikšanās laiks",
+        "iam_version": "Versija",
+        "quarantine_max_age": "Lielākais pieļaujamais vecums dienās<br><small>Vērtībai jābūt vienādai ar vai lielākai par 1 dienu.</small>",
+        "quarantine_max_score": "Atmest paziņojumu, ja e-pasta ziņojuma mēstuļu novērtējums ir augstāks par šo vērtību:<br><small>Noklusējums ir 9999.0</small>"
     },
     "danger": {
         "access_denied": "Piekļuve liegta, vai nepareizi dati",
@@ -201,8 +205,8 @@
         "goto_empty": "Aizstājādresei jāsatur vismaz viena derīga mērķa adrese",
         "goto_invalid": "Goto adrese nepareiza",
         "imagick_exception": "Kļūda: Imagick izņēmums, lasot attēlu",
-        "img_invalid": "Nevar apstiprināt attēla failu",
-        "img_tmp_missing": "Nevar apstiprināt attēla failu: pagaidu failu nav atrasts",
+        "img_invalid": "Nevar apstiprināt attēla datni",
+        "img_tmp_missing": "Nevar apstiprināt attēla datni: pagaidu datne nav atrasta",
         "invalid_mime_type": "Nederīgs mime tips",
         "is_alias": "%s jau ir zināma kā aizstājadrese",
         "is_alias_or_mailbox": "%s jau ir zināms kā aizstājvārds, pastkaste vai aizstājadrese, kas ir izvērsta no aizstājdomēna.",
@@ -234,7 +238,10 @@
         "username_invalid": "Lietotājvārds nevar tikt izmantots",
         "validity_missing": "Lūdzu piešķiriet derīguma termiņu",
         "domain_cannot_match_hostname": "Domēns nevar atbilst saimniekdatora nosaukumam",
-        "app_passwd_id_invalid": "Lietotnes paroles Id %s ir nederīgs"
+        "app_passwd_id_invalid": "Lietotnes paroles Id %s ir nederīgs",
+        "img_dimensions_exceeded": "Attēls pārsniedz lielāko pieļaujamo attēla lielumu",
+        "img_size_exceeded": "Attēls pārsniedz lielāko pieļaujamo datnes lielumu",
+        "version_invalid": "Versija %s ir nederīga"
     },
     "diagnostics": {
         "cname_from_a": "Vērtība, kas iegūta no A/AAAA ieraksta. Tas tiek atbalstīts tik ilgi, kamēr ieraksts norāda uz pareizo resursu.",
@@ -251,9 +258,9 @@
         "alias": "Labot aizstājvārdu",
         "automap": "Mēģiniet automatizēt mapes (\"Nosūtītie vienumi\", \"Nosūtītie\" => \"Nosūtītie\" utt.)",
         "backup_mx_options": "Dublēt MX iespējas",
-        "delete1": "Dzēst no avota, kad pabeigts",
+        "delete1": "Izdzēst no avota pēc pabeigšanas",
         "delete2": "Dzēsiet ziņojumus galamērķī, kas nav avotā",
-        "delete2duplicates": "Dzēst dublikātus galamērķī",
+        "delete2duplicates": "Izdzēst atkārtojošos vienumus galamērķī",
         "description": "Apraksts",
         "domain": "Labot domēnu",
         "domain_admin": "Labot domēna administratoru",
@@ -273,7 +280,7 @@
         "max_aliases": "Lielākais aizstājvārdu skaits",
         "max_mailboxes": "Maks. iespējamās pastkastes",
         "max_quota": "Maks. kvota uz pastkasti (MiB)",
-        "maxage": "Lielākais ziņojumu, kuri tiks vaicāti attālajā serverī, vecums dienās<br><small>(0 = neņemt vērā vecumu)</small>",
+        "maxage": "Lielākais pieļaujamais ziņojumu, kuri tiks vaicāti attālajā serverī, vecums dienās<br><small>(0 = neņemt vērā vecumu)</small>",
         "maxbytespersecond": "Maks. baiti sekundē (0 ir vienāds ar neierobežotu skaitu)",
         "mins_interval": "Intervāls (min)",
         "multiple_bookings": "Vairāki rezervējumi",
@@ -292,8 +299,8 @@
         "sieve_type": "Filtra tips",
         "skipcrossduplicates": "Izlaist dublētus ziņojumus pa mapēm (pirmais nāk, pirmais kalpo)",
         "spam_alias": "Izveidot vai mainīt laika ierobežotas aizstājadreses",
-        "spam_policy": "Pievienot vai noņemt vienumus baltajā-/melnajā sarakstā",
-        "spam_score": "Iestatīt pielāgotu surogātpasta vērtējumu",
+        "spam_policy": "Pievienot vai noņemt vienumus atļautajā/liegumu sarakstā",
+        "spam_score": "Iestatīt pielāgotu mēstules vērtējumu",
         "subfolder2": "Sinhronizēt galamērķa apakšmapē<br><small>(tukšs = neizmantot apakšmapi)</small>",
         "syncjob": "Labot sinhronizācijas darbu",
         "target_address": "Mērķa adrese/s <small>(atdalītas ar komatu)</small>",
@@ -316,17 +323,21 @@
         "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)",
         "app_passwd_protocols": "Atļautie lietotnes paroles protokoli",
         "allowed_protocols": "Atļautie protokoli tiešai lietotāja piekļuvei (neietekmē lietotnes paroles protokolus)",
-        "app_passwd": "Lietotnes parole"
+        "app_passwd": "Lietotnes parole",
+        "mta_sts_version": "Versija",
+        "mta_sts_version_info": "Norāda MTA-STS standarta versiju – pašreiz ir derīga tikai <code>STSv1</code>.",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Sūtītāja pārbaude ir atspējota</span>"
     },
     "footer": {
         "cancel": "Atcelt",
-        "confirm_delete": "Apstiprināt dzēšanu",
-        "delete_now": "Dzēst tagad",
+        "confirm_delete": "Apstiprināt izdzēšanu",
+        "delete_now": "Izdzēst tagad",
         "delete_these_items": "Lūgums apstiprināt izmaiņas šim objekta Id",
         "loading": "Lūgums uzgaidīt...",
         "restart_container": "Restartēt konteineri",
         "restart_container_info": "<b>Svarīgi:</b> nesteidzīga pārsāknēšana var aizņemt ilgāku laiku. Lūgums uzgaidīt, līdz tā tiek pabeigta.",
-        "restart_now": "Pārsāknēt tagad"
+        "restart_now": "Pārsāknēt tagad",
+        "hibp_nok": "Sakrīt. Šī, iespējams, ir bīstama parole."
     },
     "header": {
         "administration": "Konfigurācija un informācija",
@@ -389,7 +400,7 @@
         "domain_quota_total": "Kopējais domēna ierobežojums",
         "domains": "Domēns",
         "edit": "Labot",
-        "empty": "Nav rezultātu",
+        "empty": "Nav iznākuma",
         "excludes": "Izslēdzot",
         "filter_table": "Filtra tabula",
         "filters": "Filtri",
@@ -448,13 +459,15 @@
         "add_alias_expand": "Izvērst aizstājvārdu pār aizstājdomēniem",
         "alias_domain_alias_hint": "Aizstājvārdi <b>netiek</b> automātiski piemēroti domēnu aizstājvārdiem. Aizstājadrese <code>my-alias@domain</code> <b>nenosedz</b> adresi <code>my-alias@alias-domain</code> (kur \"alias-domain\" ir iedomāts \"domain\" aizstājdomēns).<br>Lūgums izmantot sieta atlasi, lai pārvirzītu pastu uz ārēju pastkasti (skatīt cilti \"Atlasīšana\" vai izmantot SOGo -> Pārsūtītājs). \"Izvērst aizstājvārdu pār aizstājdomēniem\" ir izmantojams, lai automātiski pievienotu trūkstošos aiztājvārdus.",
         "alias_domain_backupmx": "Aizstājdomēns ir neaktīvs retranslācijas domēnam",
-        "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)"
+        "disable_login": "Neļaut pieteikšanos (ienākošais pasts joprojām tiks pieņemts)",
+        "sieve_preset_1": "Atmest e-pasta vēstules ar iespējami bīstamiem datņu veidiem",
+        "syncjob_last_run_result": "Pēdējās izpildes iznākums"
     },
     "quarantine": {
         "action": "Darbības",
         "atts": "Pielikumi",
-        "check_hash": "Meklēt faila hašu @ VT",
-        "empty": "Nav rezultātu",
+        "check_hash": "Meklēt datnes jaucējvērtību @ VT",
+        "empty": "Nav iznākuma",
         "qid": "Rspamd QID",
         "qitem": "Karantīnas vienumi",
         "quarantine": "Karantīna",
@@ -463,7 +476,7 @@
         "received": "Saņemtie",
         "recipients": "Adresāts",
         "release": "Atbrīvot",
-        "release_body": "Šim ziņojumam mēs esam pievienojuši jūsu ziņojumu kā eml failu.",
+        "release_body": "Mēs pievienojām Tavu ziņojumu kā .eml datni šim ziņojumam.",
         "release_subject": "Potenciāli kaitīgs karantīnas vienums %s",
         "remove": "Noņemt",
         "sender": "Sūtītājs (SMTP)",
@@ -473,8 +486,14 @@
         "text_plain_content": "Saturs (teksts/vienkāršs)",
         "toggle_all": "Pārslēgt visu",
         "disabled_by_config": "Pašreizējā sistēmas konfigurācija atspējo karantīnu. Lūgums iestatīt \"saglabāšanu katrai pastkastītei\" un \"lielākais pieļaujamais lielums\" karantīnas vienumiem.",
-        "qhandler_success": "Pieprasījums veiksmīgi nosūtīts sistēmai. Tagad var aizvērt logu.",
-        "qinfo": "Karantīnas sistēma datubāzē saglabās noraidīto pastu (sūtītājam <em>netiks</em> radīts iespaids par piegādātu pastu), kā arī pastu, kas tiek piegādāts kā kopija pastkastes mēstuļu mapē.\n  <br>\"Apgūt kā surogātpastu un izdzēst\" apgūs ziņojumu kā surogātpastu ar Bajesa teorēmu un aprēķinās arī nestriktas jaucējvērtības, lai nākotnē noraidītu līdzīgus ziņojumus.\n  <br>Lūgums apzināties, ka vairāku ziņojumu apgūšana var būt laikietilpīga atkarībā no sistēmas.<br>Melnā saraksta vienumi karantīnā netiek iekļauti."
+        "qhandler_success": "Pieprasījums sekmīgi nosūtīts sistēmai. Logu tagad var aizvērt.",
+        "qinfo": "Karantīnas sistēma datubāzē saglabās noraidīto pastu (sūtītājam <em>netiks</em> radīts iespaids par piegādātu pastu), kā arī pastu, kas tiek piegādāts kā kopija pastkastes mēstuļu mapē.\n  <br>\"Apgūt kā surogātpastu un izdzēst\" apgūs ziņojumu kā surogātpastu ar Bajesa teorēmu un aprēķinās arī nestriktas jaucējvērtības, lai nākotnē noraidītu līdzīgus ziņojumus.\n  <br>Lūgums apzināties, ka vairāku ziņojumu apgūšana var būt laikietilpīga atkarībā no sistēmas.<br>Lieguma saraksta vienumi karantīnā netiek iekļauti.",
+        "danger": "Bīstamība",
+        "notified": "Paziņots",
+        "refresh": "Atsvaidzināt",
+        "rspamd_result": "Rspamd iznākums",
+        "settings_info": "Lielākais pieļaujamais karantējamo vienumu daudzums: %s<br>Lielākais pieļaujamais e-pasta lielums: %s MiB",
+        "spam_score": "Novērtējums"
     },
     "queue": {
         "queue_manager": "Rindas pārvaldnieks",
@@ -505,8 +524,8 @@
         "f2b_modified": "Fail2ban parametru izmaiņas tika saglabātas",
         "forwarding_host_added": "Pāradresācijas hosts %s pievienotsd",
         "forwarding_host_removed": "Pāradresācijas hosts %s noņemts",
-        "item_deleted": "Vērtība %s veiksmīgi dzēsta",
-        "items_deleted": "Vērtība %s veiksmīgi dzēsta",
+        "item_deleted": "Vienums %s izdzēsts sekmīgi",
+        "items_deleted": "Vienums %s izdzēsts sekmīgi",
         "items_released": "Atlasītie vienumi tika izlaisti",
         "mailbox_added": "Pastkaste %s ir pievienota",
         "mailbox_modified": "Izmaiņas pastkastei %s ir saglabātas",
@@ -519,20 +538,21 @@
         "resource_modified": "Izmaiņas %s ir saglabātas",
         "resource_removed": "Resurs %s tika noņemts",
         "ui_texts": "Saglabāt UI izmaiņas tekstiem",
-        "upload_success": "Faila augšupielāde veiksmīga",
+        "upload_success": "Datne sekmīgi augšupielādēta",
         "verified_fido2_login": "Apliecināta FIDO2 pieteikšanās",
         "verified_webauthn_login": "Apliecināta WebAuthn pieteikšanās",
         "verified_totp_login": "Apliecināta TOTP pieteikšanās",
         "verified_yotp_login": "Apliecināta Yubico OTP pieteikšanās",
         "app_passwd_removed": "Noņemta lietotnes parole ar Id %s",
-        "app_passwd_added": "Pievienota jauna lietotnes parole"
+        "app_passwd_added": "Pievienota jauna lietotnes parole",
+        "f2b_banlist_refreshed": "Liegumu saraksta Id tika sekmīgi atsvaidzināts."
     },
     "tfa": {
         "api_register": "%s izmanto Yubico Cloud API. Lūdzu iegūstiet API atslēgu priekš Jūsu atslēgas<a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">here</a>",
         "confirm": "Apstiprināt",
-        "confirm_totp_token": "Lūdzu apstipriniet Jūsu izmaiņas ievadot uzģenerēto tekstu",
+        "confirm_totp_token": "Lūgums apstiprināt savas izmaiņas ar izveidotās tekstvienības ievadīšanu",
         "delete_tfa": "Atspējot TFA",
-        "disable_tfa": "Atspējot TFA līdz nākamajai veiksmīgajai pieteikšanās reizei",
+        "disable_tfa": "Atspējot TFA līdz nākamajai sekmīgajai pieteikšanās reizei",
         "enter_qr_code": "TOTP kods, ja Tava ierīce nevar nolasīt kvadrātkodus",
         "key_id": "Jūsu YubiKey identifikators",
         "key_id_totp": "Identifikators Jūsu atslēgai",
@@ -544,7 +564,7 @@
         "totp": "Uz laiku bāzēta vienreizēja parole (Google Autentifikātors utt.)",
         "webauthn": "WebAuthn autentifikācija",
         "waiting_usb_auth": "<i>Gaida USB ierīci...</i><br><br>Lūdzu, tagad nospiežiet pogu uz Jūsu WebAuthn USB ierīces.",
-        "waiting_usb_register": "<i>Gaida USB ierīci...</i><br><br>Lūdzu augšā ievadiet Jūsu paroli un apstipriniet WebAuthn reģistrāciju nospiežot pogu uz Jūsu WebAuthn USB ierīces.",
+        "waiting_usb_register": "<i>Gaida USB ierīci...</i><br><br>Lūgums augstāk ievadīt savu paroli un apstiprināt reģistrēšanos ar USB ierīces pogas nospiešanu.",
         "yubi_otp": "Yubico OTP autentifikators",
         "authenticators": "Autentificētāji"
     },
@@ -589,7 +609,7 @@
         "new_password_repeat": "Paroles apstiprinājums (atkārtoti)",
         "no_active_filter": "Nav pieejami aktīvi filtri",
         "no_record": "Nav ieraksta",
-        "password_now": "Pašreizējā parole (Apstiprināt izmaiņas)",
+        "password_now": "Pašreizējā parole (apstiprināt izmaiņas)",
         "remove": "Noņemt",
         "running": "Darbojas",
         "save_changes": "Saglabāt izmaiņas",
@@ -599,11 +619,11 @@
         "spam_aliases": "Pagaidu e-pasta aizstājvārdi",
         "spamfilter": "Mēstuļu filtrs",
         "spamfilter_behavior": "Reitings",
-        "spamfilter_bl": "Melnais saraksts",
-        "spamfilter_bl_desc": "No melnajā sarakstā iekļautajām e-pasta adresēm saņemtās vēstules <b>vienmēr</b> tiks atzīmētas kā mēstules un noraidītas. Noraidītais pasts <b>netiks</b> ievietots karantīnā. Var izmantot aizstājzīmes. Atlasīšana tiek pielietota tikai tiešiem aizstājvārdiem (aizstājvārdiem ar vienu mērķa pastkasti), izņemot visu tverošos aizstājvārdus un pašu pastkasti.",
+        "spamfilter_bl": "Liegumu saraksts",
+        "spamfilter_bl_desc": "No lieguma sarakstā iekļautajām e-pasta adresēm saņemtās vēstules <b>vienmēr</b> tiks atzīmētas kā mēstules un noraidītas. Noraidītais pasts <b>netiks</b> ievietots karantīnā. Var izmantot aizstājzīmes. Atlasīšana tiek pielietota tikai tiešiem aizstājvārdiem (aizstājvārdiem ar vienu mērķa pastkasti), izņemot visu tverošos aizstājvārdus un pašu pastkasti.",
         "spamfilter_default_score": "Noklusējuma vērtības",
         "spamfilter_green": "Zaļš: šī nav mēstule",
-        "spamfilter_hint": "Pirmā vērtība norāda uz zemu \"Spam vērtējumu\" vērtējumu, otra vērtība par \"Augstu spam vērtējumu\".",
+        "spamfilter_hint": "Pirmā vērtība norāda uz zemu \"mēstules novērtējumu\", otrā atspoguļo \"augstu mēstules novērtējumu\".",
         "spamfilter_red": "Sarkans: Šī vēstule noteikti ir spams un tiek nekavējoties noraidīta",
         "spamfilter_table_action": "Darbība",
         "spamfilter_table_add": "Pievienot vienību",
@@ -611,8 +631,8 @@
         "spamfilter_table_empty": "Nav datu ko parādīt",
         "spamfilter_table_remove": "noņemt",
         "spamfilter_table_rule": "Noteikums",
-        "spamfilter_wl": "Baltais saraksts",
-        "spamfilter_wl_desc": "No baltā saraksta e-pasta adresēm saņemtās vēstules <b>nekad</b> netiks atzīmētas kā mēstules. Var tikt izmantotas aizstājzīmes. Atlase tiek piemērota tikai tiešiem aizstājvārdiem (aizstājvārdiem ar vienu mērķa pastkasti), izņemot visu tverošos aizstājvārdus un pašu pastkasti.",
+        "spamfilter_wl": "Atļautais saraksts",
+        "spamfilter_wl_desc": "No atļautā saraksta e-pasta adresēm saņemtās vēstules <b>nekad</b> netiks atzīmētas kā mēstules. Var tikt izmantotas aizstājzīmes. Atlase tiek piemērota tikai tiešiem aizstājvārdiem (aizstājvārdiem ar vienu mērķa pastkasti), izņemot visu tverošos aizstājvārdus un pašu pastkasti.",
         "spamfilter_yellow": "Dzeltens: šī vēstule visticamāk ir spams un tiks pārvietota uz Junk mapi",
         "status": "Status",
         "sync_jobs": "Sinhronizācijas uzdevumi",
@@ -644,15 +664,21 @@
         "change_password_hint_app_passwords": "Kontā ir %d lietotņu paroles, kas netiks mainītas. Lai pārvaldītu tās, jādodas uz cilni \"Lietotņu paroles\".",
         "with_app_password": "ar lietotnes paroli",
         "apple_connection_profile_with_app_password": "Jauna lietotnes parole ir izveidota un pievienota profilam, lai ierīces iestatīšanas laikā nebūtu nepieciešams ievadīt paroli. Lūgums nekopīgot datni, jo tā nodrošina pilnu piekļuvi pastkastei.",
-        "tfa_info": "Divpakāpju autentificēšanās palīdz aizsargāt kontu.Ja tā ir iespējota, var būt nepieciešamas lietotņu paroles, lai pieteiktos lietotnēs vai pakalpojumos, kas nenodrošina divpakāpju autentificēšanos (piem., e-pasta klienti).",
+        "tfa_info": "Divpakāpju autentificēšanās palīdz aizsargāt kontu.Ja tā ir iespējota, ir nepieciešamas lietotņu paroles, lai pieteiktos lietotnēs vai pakalpojumos, kas nenodrošina divpakāpju autentificēšanos (piem., e-pasta klienti).",
         "app_passwds": "Lietotņu paroles",
-        "create_app_passwd": "Izveidot lietotnes paroli"
+        "create_app_passwd": "Izveidot lietotnes paroli",
+        "empty": "Nav iznākuma",
+        "quarantine_notification_info": "Tiklīdz paziņojums ir nosūtīts, vienumi tiks atzīmēti kā \"paziņoti\", un par šo vienumu vairs netiks sūtīti paziņojumi.",
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Sūtītāja pārbaude ir atspējota</span>",
+        "syncjob_last_run_result": "Pēdējās izpildes iznākums"
     },
     "datatables": {
         "paginate": {
             "first": "Pirmā",
             "last": "Pēdējā"
-        }
+        },
+        "emptyTable": "Tabulā nav datu",
+        "search": "Meklēt:"
     },
     "debug": {
         "last_modified": "Pēdējoreiz mainīts",

From 260906e3501048bb6909a0d8329926e17cf2377f Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 22 Sep 2025 12:28:09 +0200
Subject: [PATCH 335/378] [SOGo][Web] Enable SOGo URL Encryption

---
 data/Dockerfiles/sogo/bootstrap-sogo.sh | 4 ++++
 data/web/inc/triggers.user.inc.php      | 4 ++--
 data/web/sogo-auth.php                  | 5 +----
 docker-compose.yml                      | 2 +-
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index 96d8a6919..ad667fca6 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -50,6 +50,10 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
     <string>YES</string>
     <key>SOGoEncryptionKey</key>
     <string>${RAND_PASS}</string>
+    <key>SOGoURLEncryptionEnabled</key>
+    <string>YES</string>
+    <key>SOGoURLEncryptionPassphrase</key>
+    <string>${RAND_PASS}</string>
     <key>OCSAdminURL</key>
     <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
     <key>OCSCacheFolderURL</key>
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 4dee75a37..36176c694 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -80,7 +80,7 @@ if (isset($_POST["verify_tfa_login"])) {
             intval($user_details['attributes']['force_pw_update']) != 1 &&
             getenv('SKIP_SOGO') != "y" &&
             !$is_dual) {
-          header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
+          header("Location: /SOGo/so/");
           die();
         } else {
           header("Location: /user");
@@ -146,7 +146,7 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
         intval($user_details['attributes']['force_pw_update']) != 1 &&
         getenv('SKIP_SOGO') != "y" &&
         !$is_dual) {
-      header("Location: /SOGo/so/{$login_user}");
+      header("Location: /SOGo/so/");
       die();
     } else {
       header("Location: /user");
diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php
index 00709fe5f..962627baf 100644
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -64,7 +64,7 @@ elseif (isset($_GET['login'])) {
           ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
         ));
         // redirect to sogo (sogo will get the correct credentials via nginx auth_request
-        header("Location: /SOGo/so/{$login}");
+        header("Location: /SOGo/so/");
         exit;
       }
     }
@@ -81,10 +81,7 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
   }
   require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 
-  // extract email address from "/SOGo/so/user@domain/xy"
-  $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);
   $email_list = array(
-      $url_parts[3],                                // Requested mailbox
       ($_SESSION['mailcow_cc_username'] ?? ''),     // Current user
       ($_SESSION["dual-login"]["username"] ?? ''),  // Dual login user
   );
diff --git a/docker-compose.yml b/docker-compose.yml
index 215a196f9..eab49fd69 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -200,7 +200,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: ghcr.io/mailcow/sogo:1.135
+      image: ghcr.io/mailcow/sogo:1.136
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}

From 610609378f2138aac35abd23db8063fdc63d7ef1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 22 Sep 2025 12:58:05 +0200
Subject: [PATCH 336/378] [SOGo][Web] Set URL encryption key in mailcow.conf

---
 _modules/scripts/new_options.sh         | 11 ++++++-----
 data/Dockerfiles/sogo/bootstrap-sogo.sh |  2 +-
 docker-compose.yml                      |  1 +
 generate_config.sh                      |  4 ++++
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/_modules/scripts/new_options.sh b/_modules/scripts/new_options.sh
index a3f47dc61..30c747b70 100644
--- a/_modules/scripts/new_options.sh
+++ b/_modules/scripts/new_options.sh
@@ -43,6 +43,7 @@ adapt_new_options() {
   "ALLOW_ADMIN_EMAIL_LOGIN"
   "SKIP_HTTP_VERIFICATION"
   "SOGO_EXPIRE_SESSION"
+  "SOGO_URL_ENCRYPTION_KEY"
   "REDIS_PORT"
   "REDISPASS"
   "DOVECOT_MASTER_USER"
@@ -94,7 +95,6 @@ adapt_new_options() {
             echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
             echo "LOG_LINES=9999" >> mailcow.conf
             ;;
-        
         IPV4_NETWORK)
             echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
             echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
@@ -276,21 +276,22 @@ adapt_new_options() {
             echo '# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS.' >> mailcow.conf
             echo ENABLE_IPV6=${IPV6_BOOL} >> mailcow.conf
             ;;
-    
         SKIP_CLAMD)
             echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf
             echo 'SKIP_CLAMD=n' >> mailcow.conf
             ;;
-
         SKIP_OLEFY)
             echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf
             echo 'SKIP_OLEFY=n' >> mailcow.conf
             ;;
-        
         REDISPASS)
             echo "REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 28)" >> mailcow.conf
             ;;
-                  
+        SOGO_URL_ENCRYPTION_KEY)
+            echo '# SOGo URL encryption key (exactly 16 characters, limited to A–Z, a–z, 0–9)' >> mailcow.conf
+            echo '# This key is used to encrypt email addresses within SOGo URLs' >> mailcow.conf
+            echo "SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)" >> mailcow.conf
+            ;;
         *)
             echo "${option}=" >> mailcow.conf
             ;;
diff --git a/data/Dockerfiles/sogo/bootstrap-sogo.sh b/data/Dockerfiles/sogo/bootstrap-sogo.sh
index ad667fca6..af7d2a4db 100755
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -53,7 +53,7 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
     <key>SOGoURLEncryptionEnabled</key>
     <string>YES</string>
     <key>SOGoURLEncryptionPassphrase</key>
-    <string>${RAND_PASS}</string>
+    <string>${SOGO_URL_ENCRYPTION_KEY}</string>
     <key>OCSAdminURL</key>
     <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
     <key>OCSCacheFolderURL</key>
diff --git a/docker-compose.yml b/docker-compose.yml
index eab49fd69..a0cf85e6a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -213,6 +213,7 @@ services:
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
         - SOGO_EXPIRE_SESSION=${SOGO_EXPIRE_SESSION:-480}
+        - SOGO_URL_ENCRYPTION_KEY=${SOGO_URL_ENCRYPTION_KEY:-SOGoSuperSecret0}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - MASTER=${MASTER:-y}
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
diff --git a/generate_config.sh b/generate_config.sh
index 2dba91d51..9a0bd132b 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -436,6 +436,10 @@ MAILDIR_SUB=Maildir
 # SOGo session timeout in minutes
 SOGO_EXPIRE_SESSION=480
 
+# SOGo URL encryption key (exactly 16 characters, limited to A–Z, a–z, 0–9)
+# This key is used to encrypt email addresses within SOGo URLs
+SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)
+
 # DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
 # Empty by default to auto-generate master user and password on start.
 # User expands to DOVECOT_MASTER_USER@mailcow.local

From a36485f0f1fe7ac2599a7c49b3604282b0391d90 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 22 Sep 2025 13:55:18 +0200
Subject: [PATCH 337/378] [Web] Allow wildcard subdomains for MTA-STS

---
 data/web/inc/functions.inc.php         | 12 +++++++++++-
 data/web/inc/functions.mailbox.inc.php |  4 ++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 55329e73a..2631f1214 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1107,11 +1107,21 @@ function user_get_alias_details($username) {
   }
   return $data;
 }
-function is_valid_domain_name($domain_name) {
+function is_valid_domain_name($domain_name, $options = array()) {
   if (empty($domain_name)) {
     return false;
   }
+
+  // Convert domain name to ASCII for validation
   $domain_name = idn_to_ascii($domain_name, 0, INTL_IDNA_VARIANT_UTS46);
+
+  // Remove '*.' if wildcard subdomains are allowed
+  if (isset($options['allow_wildcard']) &&
+      $options['allow_wildcard'] == true &&
+      strpos($domain_name, '*.') === 0) {
+    $domain_name = substr($domain_name, 2);
+  }
+
   return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name)
        && preg_match("/^.{1,253}$/", $domain_name)
        && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name));
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index a0199fbdc..7638c9bbf 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1446,7 +1446,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
           foreach ($mx as $index => $mx_domain) {
             $mx_domain = idn_to_ascii(strtolower(trim($mx_domain)), 0, INTL_IDNA_VARIANT_UTS46);
-            if (!is_valid_domain_name($mx_domain)) {
+            if (!is_valid_domain_name($mx_domain, array('allow_wildcard' => true))) {
               $_SESSION['return'][] = array(
                 'type' => 'danger',
                 'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
@@ -3897,7 +3897,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             foreach ($mx as $index => $mx_domain) {
               $mx_domain = idn_to_ascii(strtolower(trim($mx_domain)), 0, INTL_IDNA_VARIANT_UTS46);
               $invalid_mx = false;
-              if (!is_valid_domain_name($mx_domain)) {
+              if (!is_valid_domain_name($mx_domain, array('allow_wildcard' => true))) {
                 $invalid_mx = $mx_domain;
                 break;
               }

From 4b2862cb3c2e8825620989aac42a735d16fe4313 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 22 Sep 2025 14:07:17 +0200
Subject: [PATCH 338/378] [Web] Remove Port from HTTP_HOST

---
 data/web/mta-sts.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/web/mta-sts.php b/data/web/mta-sts.php
index 51c39eb2f..650b8b583 100644
--- a/data/web/mta-sts.php
+++ b/data/web/mta-sts.php
@@ -6,7 +6,8 @@ if (!isset($_SERVER['HTTP_HOST']) || strpos($_SERVER['HTTP_HOST'], 'mta-sts.') !
   exit;
 }
 
-$domain = str_replace('mta-sts.', '', $_SERVER['HTTP_HOST']);
+$host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
+$domain = str_replace('mta-sts.', '', $host);
 $mta_sts = mailbox('get', 'mta_sts', $domain);
 
 if (count($mta_sts) == 0 ||

From 9940c503a2f9410cf802ed4a014699349c738099 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 22 Sep 2025 14:16:42 +0200
Subject: [PATCH 339/378] [Nginx] do not invert ENABLE_IPV6

---
 data/Dockerfiles/nginx/bootstrap.py | 2 +-
 docker-compose.yml                  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/Dockerfiles/nginx/bootstrap.py b/data/Dockerfiles/nginx/bootstrap.py
index d2d01c0b9..97ce7a4e1 100644
--- a/data/Dockerfiles/nginx/bootstrap.py
+++ b/data/Dockerfiles/nginx/bootstrap.py
@@ -10,7 +10,7 @@ def includes_conf(env, template_vars):
   server_name_config = f"server_name {template_vars['MAILCOW_HOSTNAME']} autodiscover.* autoconfig.* {' '.join(template_vars['ADDITIONAL_SERVER_NAMES'])};"
   listen_plain_config = f"listen {template_vars['HTTP_PORT']};"
   listen_ssl_config = f"listen {template_vars['HTTPS_PORT']};"
-  if not template_vars['ENABLE_IPV6']:
+  if template_vars['ENABLE_IPV6']:
     listen_plain_config += f"\nlisten [::]:{template_vars['HTTP_PORT']};"
     listen_ssl_config += f"\nlisten [::]:{template_vars['HTTPS_PORT']} ssl;"
   listen_ssl_config += "\nhttp2 on;"
diff --git a/docker-compose.yml b/docker-compose.yml
index a0cf85e6a..86a4f401a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -419,7 +419,7 @@ services:
         - php-fpm-mailcow
         - sogo-mailcow
         - rspamd-mailcow
-      image: ghcr.io/mailcow/nginx:1.04
+      image: ghcr.io/mailcow/nginx:1.05
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:

From ed4dcff63b67366ca3974ec3b048bb2299d16c06 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 22 Sep 2025 14:42:14 +0200
Subject: [PATCH 340/378] [Web] allow "*" as wildcard domain

---
 data/web/inc/functions.inc.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 2631f1214..bb2d35ea3 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1115,11 +1115,15 @@ function is_valid_domain_name($domain_name, $options = array()) {
   // Convert domain name to ASCII for validation
   $domain_name = idn_to_ascii($domain_name, 0, INTL_IDNA_VARIANT_UTS46);
 
-  // Remove '*.' if wildcard subdomains are allowed
-  if (isset($options['allow_wildcard']) &&
-      $options['allow_wildcard'] == true &&
-      strpos($domain_name, '*.') === 0) {
-    $domain_name = substr($domain_name, 2);
+  if (isset($options['allow_wildcard']) && $options['allow_wildcard'] == true) {
+    // Remove '*.' if wildcard domains are allowed
+    if (strpos($domain_name, '*.') === 0) {
+      $domain_name = substr($domain_name, 2);
+    }
+    // Allow '*' as wildcard domain
+    if ($domain_name === "*") {
+      return true;
+    }
   }
 
   return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name)

From 383b5affb52cd20a87cdfd6235df7e51d4ad31b1 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Mon, 22 Sep 2025 19:49:31 +0200
Subject: [PATCH 341/378] More clearer message to install required tool

---
 _modules/scripts/core.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh
index f71368d24..e86c2afc9 100644
--- a/_modules/scripts/core.sh
+++ b/_modules/scripts/core.sh
@@ -17,7 +17,12 @@ caller="${BASH_SOURCE[1]##*/}"
 
 get_installed_tools(){
     for bin in openssl curl docker git awk sha1sum grep cut jq; do
-        if [[ -z $(command -v ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
+        if [[ -z $(command -v ${bin}) ]]; then
+          echo "Error: Cannot find command '${bin}'. Cannot proceed."
+          echo "Solution: Please install accordingly and re-run the script."
+          echo "Exiting..."
+          exit 1
+        fi
     done
 
     if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"${NC}"; exit 1; fi
@@ -221,4 +226,4 @@ detect_major_update() {
       fi
     fi
   fi
-}
\ No newline at end of file
+}

From f2c4697ca3df548c6f56b5d2bf686c78bba8c573 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20=F0=9F=A6=84?=
 <43847817+codiflow@users.noreply.github.com>
Date: Mon, 22 Sep 2025 23:45:54 +0200
Subject: [PATCH 342/378] Fixed typo in lang de-de (#6765)

---
 data/web/lang/lang.de-de.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index b5f3f325d..dbc6b2f93 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -1100,7 +1100,7 @@
         "legend": "Funktionen der Mailqueue Aktionen:",
         "ays": "Soll die derzeitige Queue wirklich komplett bereinigt werden?",
         "deliver_mail": "Ausliefern",
-        "deliver_mail_legend": "Versucht eine erneute Zustellung der ausgwählten Mails.",
+        "deliver_mail_legend": "Versucht eine erneute Zustellung der ausgewählten Mails.",
         "hold_mail": "Zurückhalten",
         "hold_mail_legend": "Hält die ausgewählten Mails zurück. (Verhindert weitere Zustellversuche)",
         "queue_manager": "Queue Manager",

From 28985973eb746ea5486aa5377fd426ce7a5f5ab1 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 23 Sep 2025 10:07:33 +0200
Subject: [PATCH 343/378] [Web] Revert - allow "*" as wildcard domain

---
 data/web/inc/functions.inc.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index bb2d35ea3..5ac72ed24 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1116,14 +1116,10 @@ function is_valid_domain_name($domain_name, $options = array()) {
   $domain_name = idn_to_ascii($domain_name, 0, INTL_IDNA_VARIANT_UTS46);
 
   if (isset($options['allow_wildcard']) && $options['allow_wildcard'] == true) {
-    // Remove '*.' if wildcard domains are allowed
+    // Remove '*.' if wildcard subdomains are allowed
     if (strpos($domain_name, '*.') === 0) {
       $domain_name = substr($domain_name, 2);
     }
-    // Allow '*' as wildcard domain
-    if ($domain_name === "*") {
-      return true;
-    }
   }
 
   return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name)

From 4440bd46adc73cd9be69f5f5716dbec4c92c7b73 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 23 Sep 2025 12:24:25 +0200
Subject: [PATCH 344/378] [Web] set cookie SameSite attribute to Lax

---
 data/web/inc/sessions.inc.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index bbc08cf13..1bb29d410 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -2,6 +2,7 @@
 // Start session
 if (session_status() !== PHP_SESSION_ACTIVE) {
   ini_set("session.cookie_httponly", 1);
+  ini_set("session.cookie_samesite", "Lax");
   ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
 }
 

From 8ead77083ff5ac58ab640f9fa9a8d58fec10b617 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 23 Sep 2025 12:39:48 +0200
Subject: [PATCH 345/378] [Web] Rename PHP Cookie to MCSESSID

---
 data/web/inc/sessions.inc.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index 1bb29d410..68b3d5585 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -1,6 +1,7 @@
 <?php
 // Start session
 if (session_status() !== PHP_SESSION_ACTIVE) {
+  session_name('MCSESSID');
   ini_set("session.cookie_httponly", 1);
   ini_set("session.cookie_samesite", "Lax");
   ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);

From 011edd5ac9b6cdd73b9b01a4cc9528fa6b92e6e9 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Wed, 24 Sep 2025 17:36:09 +0200
Subject: [PATCH 346/378] [Web] Updated lang.si-si.json (#6771)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 108 +++++++++++++++++-----------------
 1 file changed, 54 insertions(+), 54 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 95e23a5cb..0b6626127 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -42,7 +42,7 @@
         "app_name": "Ime aplikacije",
         "app_password": "Dodaj geslo aplikacije",
         "app_passwd_protocols": "Dovoljeni protokoli za geslo aplikacije",
-        "automap": "Poskusi samodejno preslikati mape (\"Sent items\", \"Sent\" => \"Poslano\" ipd.)",
+        "automap": "Poskusi samodejno preslikati mape (\"Poslani elementi\", \"Poslano\" => \"Poslano\" ipd.)",
         "backup_mx_options": "Možnosti posredovanja (relay)",
         "comment_info": "Zasebni komentarji niso vidni uporabnikom, javni komentarji pa so prikazani kot opis, ko se z miško postavimo nad uporabnika v pregledu",
         "custom_params": "Parametri po meri",
@@ -152,7 +152,7 @@
         "customize": "Prilagodi",
         "destination": "Cilj",
         "dkim_add_key": "Dodaj ARC/DKIM ključ",
-        "dkim_domains_selector": "Izbira",
+        "dkim_domains_selector": "Izbirnik",
         "dkim_domains_wo_keys": "Izberi domene z manjkajočimi ključi",
         "dkim_from": "Od",
         "dkim_from_title": "Izvorna domena od katere prekopiram podatke",
@@ -178,8 +178,8 @@
         "f2b_filter": "Regex filtri",
         "f2b_max_attempts": "Največ poskusov",
         "f2b_max_ban_time": "Maksimalno trajanje blokade (s)",
-        "f2b_netban_ipv4": "velikost subneta IPv4 za blokiranje (8-32)",
-        "f2b_netban_ipv6": "Velikost subneta IPv6 za blokiranje (8-128)",
+        "f2b_netban_ipv4": "velikost podomrežja IPv4 za blokiranje (8-32)",
+        "f2b_netban_ipv6": "Velikost podomrežja IPv6 za blokiranje (8-128)",
         "f2b_parameters": "Fail2ban parametri",
         "f2b_regex_info": "Upoštevajo se dnevniki SOGo, Postfix, Dovecot, PHP-FPM.",
         "f2b_retry_window": "Upoštevan čas (s) za največ poskusov",
@@ -189,41 +189,41 @@
         "generate": "ustvari",
         "guid": "GUID - enolični ID instance",
         "guid_and_license": "GUID & licenca",
-        "hash_remove_info": "Odstranitev hasha za omejitev (če obstaja) bo povsem ponastavilo njen števec.<br>\n  Vsak hash je prikazan z individualno barvo.",
-        "help_text": "Zamenjaj tekst za pomoč pod masko za prijavo (HTML je dovoljen)",
+        "hash_remove_info": "Odstranitev zgoščene vrednosti za omejitev (če obstaja) bo povsem ponastavilo njen števec.<br>\n  Vsaka zgoščena vrednost je prikazana z individualno barvo.",
+        "help_text": "Preglasi besedilo za pomoč pod masko za prijavo (HTML je dovoljen)",
         "host": "Gostitelj",
         "html": "HTML",
         "import": "Uvozi",
         "import_private_key": "Uvozi zasebni ključ",
-        "in_use_by": "V uporabi",
+        "in_use_by": "V uporabi od",
         "inactive": "Neaktivno",
         "include_exclude": "Vključi/Izključi",
         "include_exclude_info": "Privzeto - če ni izbire - so vključeni <b>vsi poštni predali</b>",
         "includes": "Vključi te prejemnike",
-        "ip_check": "Kontrola IP",
-        "ip_check_disabled": "Kontrola IP je onemogočena. Lahko jo omogočite pod <br/> <strong>Sistem > Konfiguracija > Možnosti > Prilagodi</strong>",
-        "ip_check_opt_in": "Opt-in za uporabo zunanje storitve <strong>ipv4.mailcow.email</strong> in <strong>ipv6.mailcow.email</strong> za razreševanje zunanjih IP.",
-        "is_mx_based": "Glede na MX",
-        "last_applied": "Nazadnje aplicirano",
+        "ip_check": "Preverjanje IP-ja",
+        "ip_check_disabled": "Preverjanje IP-ja je onemogočeno. Lahko ga omogočite pod <br/> <strong>Sistem > Konfiguracija > Možnosti > Prilagodi</strong>",
+        "ip_check_opt_in": "Prijavite se za uporabo storitev tretjih oseb <strong>ipv4.mailcow.email</strong> in <strong>ipv6.mailcow.email</strong> za razreševanje zunanjih IP naslovov.",
+        "is_mx_based": "Glede na MX zapis",
+        "last_applied": "Nazadnje uporabljeno",
         "link": "Povezava",
         "loading": "Prosim počakajte...",
         "login_time": "Čas prijave",
-        "logo_info": "Vaša slika bo pomanjšana na velikost 40px za zgornjo navigacijo in največjo velikost 250px za začetno stran. Zelo priporočena je uporaba grafike brez izgube kakovosti ob spremembi velikosti.",
+        "logo_info": "Vaša slika bo pomanjšana na višino 40 slikovnih pik za zgornjo navigacijsko vrstico in na največjo širino 250 slikovnih pik za začetno stran. Zelo priporočljiva je skalabilna grafika.",
         "message": "Sporočilo",
         "message_size": "Velikost sporočila",
         "nexthop": "Naslednji skok",
         "no": "&#10005;",
         "no_active_bans": "Ni aktivnih blokad",
-        "no_new_rows": "Ni dodatnih vrstic",
+        "no_new_rows": "Nadaljnjih vrstic ni na voljo",
         "no_record": "Ni zapisa",
         "oauth2_apps": "OAuth2 aplikacije",
         "oauth2_add_client": "Dodaj OAuth2 klienta",
-        "oauth2_client_id": "ID klienta",
-        "oauth2_client_secret": "Skrivnost (secret)",
+        "oauth2_client_id": "ID odjemalca",
+        "oauth2_client_secret": "Skrivnost odjemalca",
         "oauth2_redirect_uri": "URI za preusmeritev",
-        "oauth2_renew_secret": "Generiraj nov client secret",
-        "oauth2_revoke_tokens": "Zavrni vse tokene klientov",
-        "optional": "opcijsko",
+        "oauth2_renew_secret": "Generiraj novo skrivnost odjemalca",
+        "oauth2_revoke_tokens": "Prekliči vse žetone odjemalca",
+        "optional": "neobvezno",
         "options": "Možnosti",
         "password": "Geslo",
         "password_length": "Dolžina gesla",
@@ -238,21 +238,21 @@
         "private_key": "Zasebni ključ",
         "quarantine": "Karantena",
         "quarantine_bcc": "Pošlji kopijo vseh obvestil (BCC) temu prejemniku:<br><small>Pustite prazno za izklop te funkcije. <b>Nepodpisana, nepreverjena pošta. Uporabljalo naj bi se samo za interno dostavo.</b></small>",
-        "quarantine_exclude_domains": "Izključi domene in alias-domene",
-        "quarantine_max_age": "Maksimalna starost v dnevnih<br><small>Vrednost mora biti večja ali enaka 1 dnevu</small>",
-        "quarantine_max_score": "Opusti obvestilo, če je ocena spama večja od te vrednosti:<br><small>Privzeto 9999.0</small>",
-        "quarantine_max_size": "Največja velikost v MiB (Večji elementi so zavrženi):<br><small>0 <b>ne</b> pomeni neomejeno.</small>",
-        "quarantine_notification_html": "Predloga sporočila za obvestilo:<br><small>Pustite prazno za obnovitev privzete predloge.</small>",
-        "quarantine_notification_sender": "Pošiljatelj obvestila",
-        "quarantine_notification_subject": "Naslov obvestila",
-        "quarantine_release_format": "Oblika sproščenih elementov",
+        "quarantine_exclude_domains": "Izključi domene in vzdevke domen",
+        "quarantine_max_age": "Najvišja starost v dneh<br><small>Vrednost mora biti enaka ali večja od 1 dneva.</small>",
+        "quarantine_max_score": "Zavrzi obvestilo, če je ocena neželene pošte višja od te vrednosti:<br><small>Privzeto 9999,0</small>",
+        "quarantine_max_size": "Največja velikost v MiB (večji elementi so zavrženi):<br><small>0 <b>ne</b> pomeni neomejeno.</small>",
+        "quarantine_notification_html": "Predloga za obvestilo po e-pošti:<br><small>Pustite prazno, če želite obnoviti privzeto predlogo.</small>",
+        "quarantine_notification_sender": "Pošiljatelj obvestil po e-pošti",
+        "quarantine_notification_subject": "Zadeva e-poštnega obvestila",
+        "quarantine_release_format": "Oblika izdanih elementov",
         "quarantine_release_format_att": "Kot priponka",
-        "quarantine_release_format_raw": "Nespremenjen original",
-        "quarantine_retention_size": "Število zadržanj na poštni predal: <br><small>0 pomeni <b>neaktivno</b>,</small>",
+        "quarantine_release_format_raw": "Nespremenjen izvirnik",
+        "quarantine_retention_size": "Hrambe na poštni predal:<br><small>0 pomeni <b>neaktivno</b>.</small>",
         "quota_notification_sender": "Pošiljatelj obvestila",
         "quota_notification_subject": "Predmet obvestila",
-        "quota_notifications": "Obvestila o omejitvi",
-        "quota_notifications_info": "Obvestila o omejitvi so poslana uporabnikom enkrat, ko presežejo 80% in enkrat ko presežejo 95% zasedenosti.",
+        "quota_notifications": "Obvestila o kvotah",
+        "quota_notifications_info": "Obvestila o kvoti se uporabnikom pošljejo enkrat, ko presežejo 80 % in enkrat, ko presežejo 95 % porabe.",
         "queue_unban": "odblokiraj",
         "r_active": "Aktivne omejitve",
         "r_inactive": "Neaktivne omejitve",
@@ -268,8 +268,8 @@
         "remove": "Odstrani",
         "remove_row": "Odstrani vrstico",
         "reset_default": "Ponastavi na privzeto",
-        "reset_limit": "Odstrani hash",
-        "routing": "Routing",
+        "reset_limit": "Odstrani zgoščeno vrednost",
+        "routing": "Usmerjanje",
         "rsetting_add_rule": "Dodaj pravilo",
         "rsetting_content": "Vsebina pravila",
         "rsetting_desc": "Kratek opis",
@@ -277,10 +277,10 @@
         "rsetting_none": "Ni pravil na voljo",
         "rsettings_insert_preset": "Vstavi prednastavljen primer \"%s\"",
         "rsettings_preset_1": "Onemogoči vse razen DKIM in omejitve za prijavljene uporabnike",
-        "rsettings_preset_2": "Postmasterji želijo spam",
-        "rsettings_preset_3": "Dovoli samo specifične pošiljatelje za poštni predal (npr. uporaba samo kot interni poštni predal)",
+        "rsettings_preset_2": "Poštni upravitelji želijo neželeno pošto",
+        "rsettings_preset_3": "Dovoli samo določene pošiljatelje za poštni predal (tj. uporabo samo kot notranji poštni predal)",
         "rsettings_preset_4": "Onemogoči Rspamd za domeno",
-        "rspamd_com_settings": "Ime nastavitve bo samodejno generirano. Prosim oglejte si primere nastavitev spodaj. Za več informacij si oglejte <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">dokumentacijo Rspamd</a>",
+        "rspamd_com_settings": "Ime nastavitve bo samodejno ustvarjeno, oglejte si spodnje primere prednastavitev. Za več podrobnosti glejte <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">dokumentacijo Rspamd</a>",
         "rspamd_global_filters": "Globalne preslikave filtrov",
         "rspamd_global_filters_agree": "Previden bom!",
         "rspamd_global_filters_info": "Globalni filtri vsebujejo različne vrste globalnih seznamov zavrnjenih in dovoljenih vsebin.",
@@ -295,30 +295,30 @@
         "f2b_list_info": "Gostitelj ali omrežje na seznamu zavrnjenih bo vedno imelo prednost pred entiteto na seznamu dovoljenih. <b>Posodobitve seznama bodo trajale nekaj sekund, da se uporabijo.</b>",
         "forwarding_hosts": "Gostitelji za posredovanje",
         "forwarding_hosts_add_hint": "Lahko vpišete IPv4/IPv6 naslove, mreže v CIDR obliki, imena gostiteljev (kateri se prevedejo v IP naslove) ali imena domen (katera se prevedejo v IP naslove glede na poizvedbo po SPF zapisih, v primeru manjkajočih zapisov pa MX zapisih).",
-        "forwarding_hosts_hint": "Dohodna sporočila so brezpogojno sprejeta od katerih koli gostiteljev v tem seznamu. Ti gostitelji se ne bodo preverjali po DNSBL seznamih in ne bodo dodani v greyliste. Prejeti spam s teh gostiteljev ni nikoli zavrnjen, opcijsko pa se lahko premakne v mapo neželene pošte. Najpogostejša uporaba za to je navedba poštnih strežnikov, iz katerih ste nastavili pravilo za posredovanje pošte na vaš mailcow strežnik.",
-        "license_info": "Licenca ni zahtevana, a pomaga pri nadaljnjem razvoju. <br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"Naročilo SAL\">Registrirajte svoj GUID tukaj</a> ali <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Naročilo podpora\">Kupite podporo za svojo namestitev Mailcow.</a>",
-        "lookup_mx": "Cilj je regular expression za ujemanje MX zapisov (<code>.*\\.google\\.com</code> za usmeritev vse pošte na MX, ki se konča z google.com, preko tega skoka)",
+        "forwarding_hosts_hint": "Dohodna sporočila so brezpogojno sprejeta od katerih koli gostiteljev v tem seznamu. Ti gostitelji se ne bodo preverjali po DNSBL seznamih in ne bodo dodani v listo sivih. Prejeta neželena pošta s teh gostiteljev ni nikoli zavrnjena, opcijsko pa se lahko premakne v mapo neželene pošte. Najpogostejša uporaba za to je navedba poštnih strežnikov, iz katerih ste nastavili pravilo za posredovanje pošte na vaš mailcow strežnik.",
+        "license_info": "Licenca ni zahtevana, a pomaga pri nadaljnjem razvoju. <br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"Naročilo SAL\">Registrirajte svoj GUID tukaj</a> ali <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Naročilo podpore\">Kupite podporo za svojo namestitev Mailcow.</a>",
+        "lookup_mx": "Cilj je regularni izraz, ki se ujema z imenom MX (<code>.*\\.google\\.com</code> za usmerjanje vse pošte, usmerjene na MX, ki se konča na google.com, prek tega skoka).",
         "main_name": "Naziv \"mailcow UI\"",
         "merged_vars_hint": "Sive vrstice so združene iz <code>vars.(local.)inc.php</code> in jih ni mogoče spremeniti.",
-        "oauth2_info": "OAuth2 implementacija omogoča grant vrste \"Authorization code\" in izdaja refresh tokene.<br>\nStrežnik prav tako izda nove refresh tokene, ko je bil refresh token uporabljen<br><br>\n&#8226; Privzeti obseg je <i>profile</i>. Samo uporabniki poštnih predalov se lahko prijavijo s pomočjo OAuth2. Če parameter obsega ni vnesen, se nastavi na <i>profile</i>.<br>\n&#8226; Parameter <i>state</i> mora biti poslan s strani klienta kot del zahtevka za avtorizacijo .<br><br>\nPoti za OAuth2 API: <br>\n<ul>\n  <li>Endpoint za avtorizacijo: <code>/oauth/authorize</code></li>\n  <li>Endpoint za tokene: <code>/oauth/token</code></li>\n  <li>Stran vira: <code>/oauth/profile</code></li>\n</ul>\nPonovno generiranje client secret ne bo razveljavilo obstoječih avtorizacijskih kod, ne bodo pa mogle obnoviti svoje tokene.<br><br>\nZavrnitev client tokenov bo povzročilo tekojčno prekinitev aktivnih sej. Vsi klienti se bodo morali ponovno prijaviti.",
-        "quarantine_redirect": "<b>Preusmeri vsa obvestila</b> k temu prejemniku:<br><small>Pustite prazno, da onemogočite. <b>Nepodpisana, nepreverjena pošta. Uporabljalo bi se naj samo za interno dostavo.</b></small>",
+        "oauth2_info": "Implementacija OAuth2 podpira vrsto odobritve »Avtorizacijska koda« in izda osvežilne žetone.<br>\nStrežnik samodejno izda tudi nove osvežilne žetone, ko je žeton za osvežitev uporabljen.<br><br>\n&#8226; Privzeti obseg je <i>profile</i>. Prek OAuth2 je mogoče overiti samo uporabnike poštnega predala. Če parameter obsega izpustite, se vrne na <i>profile</i>.<br>\n&#8226; Parameter <i>state</i> mora odjemalec poslati kot del zahteve za avtorizacijo.<br><br>\nPoti za zahteve do API-ja OAuth2: <br>\n<ul>\n<li>Končna točka avtorizacije: <code>/oauth/authorize</code></li>\n<li>Končna točka žetona: <code>/oauth/token</code></li>\n<li>Stran z viri: <code>/oauth/profile</code></li>\n</ul>\nPonovno ustvarjanje skrivnosti odjemalca ne bo poteklo obstoječih kod za avtorizacijo, vendar ne bo obnovilo žetona.<br><br>\nPreklic žetonov odjemalca bo povzročil takojšnjo prekinitev vseh aktivnih sej. Vse stranke se morajo ponovno overiti.",
+        "quarantine_redirect": "<b>Preusmerite vsa obvestila</b> temu prejemniku:<br><small>Pustite prazno, če želite onemogočiti. <b>Nepodpisana, nepreverjena pošta. Dostavljeno samo interno.</b></small>",
         "quota_notification_html": "Predloga sporočila za obvestilo:<br><small>Pustite prazno za obnovitev privzete predloge.</small>",
-        "quota_notifications_vars": "{{percent}} pomeni trenutna omejitev uporabnika<br>{{username}} je ime poštnega predala",
-        "r_info": "Sivi/onemogočeni elementi v seznamu aktivnih omejitev niso znane kot veljavne omejitve za mailcow in ne morejo biti premaknjene. Neznane omejitve bodo kljub temu nastavljene po vrstnem redu pojavitve. <br>Nove elemente lahko dodate v <code>inc/vars.local.inc.php</code> da jih lahko vklopite ali izklopite.",
-        "relayhosts_hint": "Določite transporte glede na pošiljatelja, da jih lahko izberete v konfiguraciji domene.<br>\nTransportni servis je vedno \"smtp:\" in bo poskušal s TLS ko bo na voljo. Wrapped TLS (SMTPS) ni podprto. Upošteva se uporabnikova politika odhodnega TLS.<br>\nVpliva na izbrane domene vključno z alias domenami.",
-        "transport_dest_format": "Regex ali sintaksa: example.org, .example.org, *, box@example.org (več vrednosti ločite z vejico)",
-        "transport_test_rcpt_info": "&#8226; Uporabite null@hosted.mailcow.de za testiranje relaya na drugo destinacijo.",
-        "rspamd_global_filters_regex": "Njihovi nazivi pojasnijo njihov namen. Vsa vsebina mora imeti veljaven regular expression v obliki \"/pattern/options\" (npr. <code>/.+@domain\\.tld/i</code>).<br>\nČeprav se v vsaki vrstici regexa izvedejo osnovni pregledi, je lahko funkcionalnost programa Rspamd motena, če sintaksa ni pravilna.<br>\nRspamd bo poskušal prebrati vsebino preslikave, ko bo spremenjena. Če imate težave, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">ponovno zaženite Rspamd</a>, da prisilite ponovno nalaganje preslikav.<br> Elementi na seznamu zavrnjenih so izključeni iz karantene.",
+        "quota_notifications_vars": "{{percent}} je enako trenutni kvoti uporabnika<br>{{username}} je ime poštnega predala",
+        "r_info": "Sivi/onemogočeni elementi v seznamu aktivnih omejitev niso znane kot veljavne omejitve za mailcow in ne morejo biti premaknjene. Neznane omejitve bodo kljub temu nastavljene po vrstnem redu pojavljanja. <br>Nove elemente lahko dodate v <code>inc/vars.local.inc.php</code> da jih lahko vklopite ali izklopite.",
+        "relayhosts_hint": "Določite transporte, odvisne od pošiljatelja, da jih boste lahko izbrali v pogovornem oknu za konfiguracijo domen.<br>\n  Transportna storitev je vedno »smtp:« in bo zato poskusila s TLS, ko bo ponujena. Zaviti TLS (SMTPS) ni podprt. Upošteva se individualna nastavitev pravilnika za odhodni TLS uporabnika.<br>\n  Vpliva na izbrane domene, vključno z vzdevki domen.",
+        "transport_dest_format": "Regex ali sintaksa: example.org, .example.org, *, box@example.org (več vrednosti je lahko ločenih z vejicami)",
+        "transport_test_rcpt_info": "&#8226; Za preizkus posredovanja v tujino uporabite null@hosted.mailcow.de.",
+        "rspamd_global_filters_regex": "Njihova imena pojasnjujejo njihov namen. Vsa vsebina mora vsebovati veljaven regularni izraz v obliki »/vzorec/možnosti« (npr. <code>/.+@domena\\.tld/i</code>).<br>\n  Čeprav se v vsaki vrstici regularnega izraza izvajajo osnovna preverjanja, je lahko funkcionalnost Rspamdsa pokvarjena, če sintakse ne prebere pravilno.<br>\n  Rspamd bo poskušal prebrati vsebino zemljevida, ko se bo spremenila. Če pride do težav, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">znova zaženite Rspamd</a>, da uveljavite ponovno nalaganje zemljevida.<br>Elementi na seznamu zavrnjenih so izključeni iz karantene.",
         "rspamd_settings_map": "Preslikava nastavitev Rspamd",
         "sal_level": "Moo stopnja",
         "save": "Shrani spremembe",
         "search_domain_da": "Išči domene",
         "send": "Pošlji",
         "sender": "Pošiljatelj",
-        "service": "Servis",
-        "service_id": "ID servisa",
+        "service": "Storitev",
+        "service_id": "ID storitve",
         "source": "Vir",
-        "spamfilter": "Spam filter",
+        "spamfilter": "Filter neželene pošte",
         "subject": "Predmet",
         "success": "Uspešno",
         "sys_mails": "Sistemska pošta",
@@ -328,7 +328,7 @@
         "title_name": "Naziv spletnega mesta \"mailcow UI\"",
         "to_top": "Nazaj na vrh",
         "transport_maps": "Preslikave transportov",
-        "transports_hint": "&#8226; Vpis preslikave transporta <b>nadredi</b> preslikavo transporta odvisno od pošiljatelja.<br>\n&#8226; Preferenčno se uporabljajo transporti glede na MX zapise.<br>\n&#8226; Izhodne TLS politike na uporabnika so ignorirane in se lahko vsilijo samo s preslikavami TLS politik.<br>\n&#8226; Transportni servis za definirane transporte je vedno \"smtp:\" in bo posledično poskušal TLS ko bo ponujeno. Wrapped TLS (SMTPS) ni podprto.<br>\n&#8226; Naslovi, ki se ujemajo z \"/localhost$/\" bodo vedno preneseni preko \"local:\", in zato destinacija \"*\" ne bo vplivala na te naslove.<br>\n&#8226; Za določitev poverilnic za naslednji skok (npr. \"[host]:25\"), Postfix <b>vedno</b> preveri \"host\" preden išče \"[host]:25\". Zaradi takšnega obnašanja je nemogoče hkrati uporabiti \"host\" in \"[host]:25\".",
+        "transports_hint": "&#8226; Vnos preslikave transporta <b>preglasi</b> preslikavo transporta, ki je odvisen od pošiljatelja.<br>\n&#8226; Po možnosti se uporabljajo transporti, ki temeljijo na MX.<br>\n&#8226; Nastavitve pravilnika TLS za odhodne uporabnike se prezrejo in jih je mogoče uveljaviti le z vnosi v zemljevidu pravilnika TLS.<br>\n&#8226; Storitev transporta za definirane transporte je vedno »smtp:« in bo zato poskusila s TLS, ko bo ponujena. Zaviti TLS (SMTPS) ni podprt.<br>\n&#8226; Naslovi, ki se ujemajo z \"/localhost$/\" bodo vedno preneseni preko \"local:\", in zato cilj \"*\" ne bo veljal za te naslove.<br>\n&#8226; Za določitev poverilnic za zgledni naslednji skok \"[host]:25\", Postfix <b>vedno</b> poišče \"host\" preden poišče \"[host]:25\". Zaradi tega vedenja je nemogoče hkrati uporabljati \"host\" in \"[host]:25\".",
         "ui_footer": "Noga (HTML dovoljen)",
         "ui_header_announcement": "Obvestila",
         "ui_header_announcement_active": "Nastavi obvestilo kot aktivno",
@@ -340,7 +340,7 @@
         "ui_header_announcement_type_info": "Info",
         "ui_header_announcement_type_warning": "Pomembno",
         "ui_texts": "Oznake in besedila UI",
-        "unban_pending": "unban v postopku",
+        "unban_pending": "odblokada v teku",
         "unchanged_if_empty": "Če je nespremenjeno, pustite prazno",
         "upload": "Naloži",
         "username": "Uporabniško ime",
@@ -395,7 +395,7 @@
         "iam_token_url": "Končna točka žetona",
         "iam_userinfo_url": "Končna točka z uporabniškimi podatki",
         "iam_username_field": "Polje z uporabniškim imenom",
-        "iam_binddn": "Povezava DN",
+        "iam_binddn": "Vezava DN",
         "iam_use_ssl": "Uporabi SSL",
         "iam_use_tls": "Uporabi StartTLS",
         "iam_version": "Različica",
@@ -559,7 +559,7 @@
         "version_invalid": "Različica %s je neveljavna"
     },
     "debug": {
-        "containers_info": "Informacije o vsebniku (containerju)",
+        "containers_info": "Informacije o zabojniku",
         "architecture": "Arhitektura",
         "chart_this_server": "Diagram (ta strežnik)",
         "container_running": "Aktiven",

From c915bf2ee20aa54482b2701f0e8220ea02f14ebe Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 24 Sep 2025 19:06:47 +0200
Subject: [PATCH 347/378] Add docs link to get_installed_tools() message

---
 _modules/scripts/core.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/_modules/scripts/core.sh b/_modules/scripts/core.sh
index e86c2afc9..f776c6212 100644
--- a/_modules/scripts/core.sh
+++ b/_modules/scripts/core.sh
@@ -19,7 +19,8 @@ get_installed_tools(){
     for bin in openssl curl docker git awk sha1sum grep cut jq; do
         if [[ -z $(command -v ${bin}) ]]; then
           echo "Error: Cannot find command '${bin}'. Cannot proceed."
-          echo "Solution: Please install accordingly and re-run the script."
+          echo "Solution: Please review system requirements and install requirements. Then, re-run the script."
+          echo "See System Requirements: https://docs.mailcow.email/getstarted/install/"
           echo "Exiting..."
           exit 1
         fi

From 7028619742d2f8c962e7fcef269936511fdc7eb9 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 24 Sep 2025 21:17:29 +0200
Subject: [PATCH 348/378] Update GitHub's issue template

---
 .github/ISSUE_TEMPLATE/Bug_report.yml | 77 ++++++++++++++-------------
 1 file changed, 41 insertions(+), 36 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/Bug_report.yml b/.github/ISSUE_TEMPLATE/Bug_report.yml
index afa1a27f8..df2acdb6b 100644
--- a/.github/ISSUE_TEMPLATE/Bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/Bug_report.yml
@@ -11,22 +11,35 @@ body:
         required: true
   - type: checkboxes
     attributes:
-      label: I've found a bug and checked that ...
-      description: Prior to placing the issue, please check following:** *(fill out each checkbox with an `X` once done)*
+      label: Checklist prior issue creation
+      description: Prior to creating the issue...
       options:
-      - label: ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
-        required: true
-      - label: ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
-        required: true
-      - label: ... I have understood that answers are voluntary and community-driven, and not commercial support.
-        required: true
-      - label: ... I have verified that my issue has not been already answered in the past. I also checked previous [issues](https://github.com/mailcow/mailcow-dockerized/issues).
-        required: true
+        - label: I understand that failure to follow below instructions may cause this issue to be closed.
+          required: true
+        - label: I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
+          required: true
+        - label: I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
+          required: true
+        - label: I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
+          required: true
+        - label: I confirm that I have reviewed previous [issues](https://github.com/mailcow/mailcow-dockerized/issues) to ensure this matter has not already been addressed.
+          required: true
+        - label: I confirm that my environment meets all [prerequisite requirements](https://docs.mailcow.email/getstarted/prerequisite-system/) as specified in the official documentation.
+          required: true
   - type: textarea
     attributes:
       label: Description
-      description: Please provide a brief description of the bug in 1-2 sentences. If applicable, add screenshots to help explain your problem. Very useful for bugs in mailcow UI.
-      render: plain text
+      description: Please provide a brief description of the bug. If applicable, add screenshots to help explain your problem. (Very useful for bugs in mailcow UI.)
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Steps to reproduce:"
+      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
+      placeholder: |-
+        1. ...
+        2. ...
+        3. ...
     validations:
       required: true
   - type: textarea
@@ -36,45 +49,36 @@ body:
       render: plain text
     validations:
       required: true
-  - type: textarea
-    attributes:
-      label: "Steps to reproduce:"
-      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
-      render: plain text
-      placeholder: |-
-        1. ...
-        2. ...
-        3. ...
-    validations:
-      required: true
   - type: markdown
     attributes:
       value: |
         ## System information
-        ### In this stage we would kindly ask you to attach general system information about your setup.
+        In this stage we would kindly ask you to attach general system information about your setup.
   - type: dropdown
     attributes:
       label: "Which branch are you using?"
-      description: "#### `git rev-parse --abbrev-ref HEAD`"
+      description: "#### Run: `git rev-parse --abbrev-ref HEAD`"
       multiple: false
       options:
-        - master
+        - master (stable)
+        - staging
         - nightly
     validations:
       required: true
   - type: dropdown
     attributes:
       label: "Which architecture are you using?"
-      description: "#### `uname -m`"
+      description: "#### Run: `uname -m`"
       multiple: false
       options:
-        - x86
+        - x86_64
         - ARM64 (aarch64)
     validations:
       required: true
   - type: input
     attributes:
       label: "Operating System:"
+      description: "#### Run: `lsb_release -ds`"
       placeholder: "e.g. Ubuntu 22.04 LTS"
     validations:
       required: true
@@ -93,43 +97,44 @@ body:
   - type: input
     attributes:
       label: "Virtualization technology:"
-      placeholder: "KVM, VMware, Xen, etc - **LXC and OpenVZ are not supported**"
+      description: "LXC and OpenVZ are not supported!"
+      placeholder: "KVM, VMware ESXi, Xen, etc"
     validations:
       required: true
   - type: input
     attributes:
       label: "Docker version:"
-      description: "#### `docker version`"
+      description: "#### Run: `docker version`"
       placeholder: "20.10.21"
     validations:
       required: true
   - type: input
     attributes:
       label: "docker-compose version or docker compose version:"
-      description: "#### `docker-compose version` or `docker compose version`"
+      description: "#### Run: `docker-compose version` or `docker compose version`"
       placeholder: "v2.12.2"
     validations:
       required: true
   - type: input
     attributes:
       label: "mailcow version:"
-      description: "#### ```git describe --tags `git rev-list --tags --max-count=1` ```"
-      placeholder: "2022-08"
+      description: "#### Run: ```git describe --tags `git rev-list --tags --max-count=1` ```"
+      placeholder: "2022-08x"
     validations:
       required: true
   - type: input
     attributes:
       label: "Reverse proxy:"
-      placeholder: "e.g. Nginx/Traefik"
+      placeholder: "e.g. nginx/Traefik, or none"
     validations:
       required: true
   - type: textarea
     attributes:
       label: "Logs of git diff:"
-      description: "#### Output of `git diff origin/master`, any other changes to the code? If so, **please post them**:"
+      description: "#### Output of `git diff origin/master`, any other changes to the code? Sanitize if needed. If so, **please post them**:"
       render: plain text
     validations:
-      required: true
+      required: false
   - type: textarea
     attributes:
       label: "Logs of iptables -L -vn:"

From eabd22188b8c58fec533ef815fca59ddd676c121 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 24 Sep 2025 21:20:48 +0200
Subject: [PATCH 349/378] Re-intend checkboxes

---
 .github/ISSUE_TEMPLATE/Bug_report.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/Bug_report.yml b/.github/ISSUE_TEMPLATE/Bug_report.yml
index df2acdb6b..f6fb7d280 100644
--- a/.github/ISSUE_TEMPLATE/Bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/Bug_report.yml
@@ -14,18 +14,18 @@ body:
       label: Checklist prior issue creation
       description: Prior to creating the issue...
       options:
-        - label: I understand that failure to follow below instructions may cause this issue to be closed.
-          required: true
-        - label: I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
-          required: true
-        - label: I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
-          required: true
-        - label: I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
-          required: true
-        - label: I confirm that I have reviewed previous [issues](https://github.com/mailcow/mailcow-dockerized/issues) to ensure this matter has not already been addressed.
-          required: true
-        - label: I confirm that my environment meets all [prerequisite requirements](https://docs.mailcow.email/getstarted/prerequisite-system/) as specified in the official documentation.
-          required: true
+      - label: I understand that failure to follow below instructions may cause this issue to be closed.
+        required: true
+      - label: I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
+        required: true
+      - label: I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
+        required: true
+      - label: I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
+        required: true
+      - label: I confirm that I have reviewed previous [issues](https://github.com/mailcow/mailcow-dockerized/issues) to ensure this matter has not already been addressed.
+        required: true
+      - label: I confirm that my environment meets all [prerequisite requirements](https://docs.mailcow.email/getstarted/prerequisite-system/) as specified in the official documentation.
+        required: true
   - type: textarea
     attributes:
       label: Description

From 171c591da42a83bd9bd053ff8b1f15be1b10b231 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 01:14:23 +0200
Subject: [PATCH 350/378] Enable REDIRECT_HTTP=y by default

---
 generate_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/generate_config.sh b/generate_config.sh
index 9a0bd132b..3711c1138 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -218,7 +218,7 @@ HTTPS_PORT=443
 HTTPS_BIND=
 
 # Redirect HTTP connections to HTTPS - y/n
-HTTP_REDIRECT=n
+HTTP_REDIRECT=y
 
 # ------------------------------
 # Other bindings

From 5f4a4fd759b0ad3671e59b092cb2a2f571c4cb53 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 01:14:33 +0200
Subject: [PATCH 351/378] Removed new lines for consistency

---
 generate_config.sh | 33 +--------------------------------
 1 file changed, 1 insertion(+), 32 deletions(-)

diff --git a/generate_config.sh b/generate_config.sh
index 3711c1138..6b193f84d 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -172,7 +172,6 @@ cat << EOF > mailcow.conf
 # example.org is _not_ a valid hostname, use a fqdn here.
 # Default admin user is "admin"
 # Default password is "moohoo"
-
 MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
 
 # Password hash algorithm
@@ -183,19 +182,16 @@ MAILCOW_PASS_SCHEME=BLF-CRYPT
 # ------------------------------
 # SQL database configuration
 # ------------------------------
-
 DBNAME=mailcow
 DBUSER=mailcow
 
 # Please use long, random alphanumeric strings (A-Za-z0-9)
-
 DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 
 # ------------------------------
 # REDIS configuration
 # ------------------------------
-
 REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 
 # ------------------------------
@@ -210,7 +206,6 @@ REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
 # Example: HTTP_BIND=1.2.3.4
 # For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
 # For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
-
 HTTP_PORT=80
 HTTP_BIND=
 
@@ -225,7 +220,6 @@ HTTP_REDIRECT=y
 # ------------------------------
 # You should leave that alone
 # Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
-
 SMTP_PORT=25
 SMTPS_PORT=465
 SUBMISSION_PORT=587
@@ -241,12 +235,10 @@ REDIS_PORT=127.0.0.1:7654
 # Your timezone
 # See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
 # Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
-
 TZ=${MAILCOW_TZ}
 
 # Fixed project name
 # Please use lowercase letters only
-
 COMPOSE_PROJECT_NAME=mailcowdockerized
 
 # Used Docker Compose version
@@ -254,7 +246,6 @@ COMPOSE_PROJECT_NAME=mailcowdockerized
 # For more informations take a look at the mailcow docs regarding the configuration options.
 # Normally this should be untouched but if you decided to use either of those you can switch it manually here.
 # Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
-
 DOCKER_COMPOSE_VERSION=${COMPOSE_VERSION}
 
 # Set this to "allow" to enable the anyone pseudo user. Disabled by default.
@@ -267,7 +258,6 @@ ACL_ANYONE=disallow
 # Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
 # How long should objects remain in the garbage until they are being deleted? (value in minutes)
 # Check interval is hourly
-
 MAILDIR_GC_TIME=7200
 
 # Additional SAN for the certificate
@@ -282,8 +272,6 @@ MAILDIR_GC_TIME=7200
 #ADDITIONAL_SAN=srv1.example.net
 # ...or combine wildcard and static names:
 #ADDITIONAL_SAN=imap.*,srv1.example.com
-#
-
 ADDITIONAL_SAN=
 
 # Obtain certificates for autodiscover.* and autoconfig.* domains.
@@ -300,11 +288,9 @@ AUTODISCOVER_SAN=y
 # If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
 # You can understand this as server_name directive in Nginx.
 # Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
-
 ADDITIONAL_SERVER_NAMES=
 
 # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
-
 SKIP_LETS_ENCRYPT=n
 
 # Create seperate certificates for all domains - y/n
@@ -313,52 +299,41 @@ SKIP_LETS_ENCRYPT=n
 ENABLE_SSL_SNI=n
 
 # Skip IPv4 check in ACME container - y/n
-
 SKIP_IP_CHECK=n
 
 # Skip HTTP verification in ACME container - y/n
-
 SKIP_HTTP_VERIFICATION=n
 
 # Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
-
 SKIP_UNBOUND_HEALTHCHECK=n
 
 # Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
-
 SKIP_CLAMD=${SKIP_CLAMD}
 
 # Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n
-
 SKIP_OLEFY=n
 
 # Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
-
 SKIP_SOGO=n
 
 # Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
 # Dovecot inside mailcow use Flatcurve as FTS Backend.
-
 SKIP_FTS=n
 
 # Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
 # Flatcurve (Xapian backend) is used as the FTS Indexer. It is supposed to be efficient in CPU and RAM consumption.
 # However: Please always monitor your Resource consumption!
-
 FTS_HEAP=128
 
 # Controls how many processes the Dovecot indexing process can spawn at max.
 # Too many indexing processes can use a lot of CPU and Disk I/O.
 # Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
-
 FTS_PROCS=1
 
 # Allow admins to log into SOGo as email user (without any password)
-
 ALLOW_ADMIN_EMAIL_LOGIN=n
 
 # Enable watchdog (watchdog-mailcow) to restart unhealthy containers
-
 USE_WATCHDOG=y
 
 # Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
@@ -367,7 +342,6 @@ USE_WATCHDOG=y
 # 2. Mails are sent unsigned (no DKIM)
 # 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
 # Multiple rcpts allowed, NO quotation marks, NO spaces
-
 #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
 #WATCHDOG_NOTIFY_EMAIL=
 
@@ -398,25 +372,20 @@ WATCHDOG_EXTERNAL_CHECKS=n
 WATCHDOG_VERBOSE=n
 
 # Max log lines per service to keep in Redis logs
-
 LOG_LINES=9999
 
 # Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
 # Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
-
 IPV4_NETWORK=172.22.1
 
 # Internal IPv6 subnet in fc00::/7
 # Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
-
 IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
 
 # Use this IPv4 for outgoing connections (SNAT)
-
 #SNAT_TO_SOURCE=
 
 # Use this IPv6 for outgoing connections (SNAT)
-
 #SNAT6_TO_SOURCE=
 
 # Create or override an API key for the web UI
@@ -545,4 +514,4 @@ else
   echo '  $MAILCOW_UPDATEDAT='$(date +%s)';' >> data/web/inc/app_info.inc.php
   echo '?>' >> data/web/inc/app_info.inc.php
   echo -e "\e[33mCannot determine current git repository version...\e[0m"
-fi
\ No newline at end of file
+fi

From 8978a9ad7903b42533d3bfd2e9a1e9f273026f10 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 02:13:22 +0200
Subject: [PATCH 352/378] Remove debug console.log() lines

---
 data/web/js/site/admin.js     |  1 -
 data/web/js/site/dashboard.js | 11 ++---------
 data/web/js/site/edit.js      |  1 -
 data/web/js/site/user.js      |  5 -----
 4 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index f4258ff48..009a27fbb 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -715,7 +715,6 @@ jQuery(function($){
     $('.app_hide').off('change');
     $('.app_hide').on('change', function (e) {
       var value = $(this).is(':checked') ? '1' : '0';
-      console.log(value)
       $(this).parent().children(':first-child').val(value);
     })
   }
diff --git a/data/web/js/site/dashboard.js b/data/web/js/site/dashboard.js
index 182a09a5b..32c04b518 100644
--- a/data/web/js/site/dashboard.js
+++ b/data/web/js/site/dashboard.js
@@ -47,8 +47,6 @@ $(document).ready(function() {
     window.fetch("/api/v1/get/status/host/ip", { method:'GET', cache:'no-cache' }).then(function(response) {
       return response.json();
     }).then(function(data) {
-      console.log(data);
-
       // display host ips
       if (data.ipv4)
         $("#host_ipv4").text(data.ipv4);
@@ -1007,7 +1005,7 @@ jQuery(function($){
               "data-order": cellData.sortBy,
               "data-sort": cellData.sortBy
             });
-          },    
+          },
           render: function (data) {
             return data.value;
           }
@@ -1032,7 +1030,7 @@ jQuery(function($){
               "data-order": cellData.sortBy,
               "data-sort": cellData.sortBy
             });
-          },    
+          },
           render: function (data) {
             return data.value;
           }
@@ -1347,9 +1345,6 @@ function update_stats(timeout=5){
 
   window.fetch("/api/v1/get/status/host", {method:'GET',cache:'no-cache'}).then(function(response) {
     return response.json();
-  }).then(function(data) {
-    console.log(data);
-
     if (data){
       // display table data
       $("#host_date").text(data.system_time);
@@ -1399,8 +1394,6 @@ function update_container_stats(timeout=5){
         var diskIOCtx = Chart.getChart(container + "_DiskIOChart");
         var netIOCtx = Chart.getChart(container + "_NetIOChart");
 
-        console.log(container);
-        console.log(data);
         prev_stats = null;
         if (data.length >= 2){
           prev_stats = data[data.length -2];
diff --git a/data/web/js/site/edit.js b/data/web/js/site/edit.js
index f9fe707c6..308ec8c13 100644
--- a/data/web/js/site/edit.js
+++ b/data/web/js/site/edit.js
@@ -66,7 +66,6 @@ $(document).ready(function() {
   // load tags
   if ($('#tags').length){
     var tagsEl = $('#tags').parent().find('.tag-values')[0];
-    console.log($(tagsEl).val())
     var tags = JSON.parse($(tagsEl).val());
     $(tagsEl).val("");
 
diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js
index 1d227469a..d7625151d 100644
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -169,7 +169,6 @@ jQuery(function($){
         type: "GET",
         url: "/api/v1/get/time_limited_aliases",
         dataSrc: function(data){
-          console.log(data);
           $.each(data, function (i, item) {
             if (acl_data.spam_alias === 1) {
               item.action = '<div class="btn-group">' +
@@ -262,7 +261,6 @@ jQuery(function($){
         type: "GET",
         url: '/api/v1/get/syncjobs/' + encodeURIComponent(mailcow_cc_username) + '/no_log',
         dataSrc: function(data){
-          console.log(data);
           $.each(data, function (i, item) {
             item.user1 = escapeHtml(item.user1);
             item.log = '<a href="#syncjobLogModal" data-bs-toggle="modal" data-syncjob-id="' + item.id + '">' + lang.open_logs + '</a>'
@@ -418,7 +416,6 @@ jQuery(function($){
         type: "GET",
         url: '/api/v1/get/app-passwd/all',
         dataSrc: function(data){
-          console.log(data);
           $.each(data, function (i, item) {
             item.name = escapeHtml(item.name)
             item.protocols = []
@@ -514,7 +511,6 @@ jQuery(function($){
         type: "GET",
         url: '/api/v1/get/policy_wl_mailbox',
         dataSrc: function(data){
-          console.log(data);
           $.each(data, function (i, item) {
             if (validateEmail(item.object)) {
               item.chkbox = '<input type="checkbox" class="form-check-input" data-id="policy_wl_mailbox" name="multi_select" value="' + item.prefid + '" />';
@@ -585,7 +581,6 @@ jQuery(function($){
         type: "GET",
         url: '/api/v1/get/policy_bl_mailbox',
         dataSrc: function(data){
-          console.log(data);
           $.each(data, function (i, item) {
             if (validateEmail(item.object)) {
               item.chkbox = '<input type="checkbox" class="form-check-input" data-id="policy_bl_mailbox" name="multi_select" value="' + item.prefid + '" />';

From 5b1b49a418a711c2be040b191a4b91f7be4e7b54 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 02:37:02 +0200
Subject: [PATCH 353/378] Fixed password complexity check for AppPasswords

---
 data/web/inc/functions.app_passwd.inc.php | 48 +++++------------------
 1 file changed, 10 insertions(+), 38 deletions(-)

diff --git a/data/web/inc/functions.app_passwd.inc.php b/data/web/inc/functions.app_passwd.inc.php
index b493fc914..161d4d1cd 100644
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@@ -1,7 +1,7 @@
 <?php
 function app_passwd($_action, $_data = null) {
-	global $pdo;
-	global $lang;
+  global $pdo;
+  global $lang;
   $_data_log = $_data;
   !isset($_data_log['app_passwd']) ?: $_data_log['app_passwd'] = '*';
   !isset($_data_log['app_passwd2']) ?: $_data_log['app_passwd2'] = '*';
@@ -43,20 +43,7 @@ function app_passwd($_action, $_data = null) {
         );
         return false;
       }
-      if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'password_complexity'
-        );
-        return false;
-      }
-      if ($password != $password2) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'password_mismatch'
-        );
+      if (password_check($password, $password2) !== true) {
         return false;
       }
       $password_hashed = hash_password($password);
@@ -88,7 +75,7 @@ function app_passwd($_action, $_data = null) {
         'log' => array(__FUNCTION__, $_action, $_data_log),
         'msg' => 'app_passwd_added'
       );
-    break;
+      break;
     case 'edit':
       $ids = (array)$_data['id'];
       foreach ($ids as $id) {
@@ -126,20 +113,7 @@ function app_passwd($_action, $_data = null) {
         }
         $app_name = htmlspecialchars(trim($app_name));
         if (!empty($password) && !empty($password2)) {
-          if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => 'password_complexity'
-            );
-            continue;
-          }
-          if ($password != $password2) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => 'password_mismatch'
-            );
+          if (password_check($password, $password2) !== true) {
             continue;
           }
           $password_hashed = hash_password($password);
@@ -182,7 +156,7 @@ function app_passwd($_action, $_data = null) {
           'msg' => array('object_modified', htmlspecialchars(implode(', ', $ids)))
         );
       }
-    break;
+      break;
     case 'delete':
       $ids = (array)$_data['id'];
       foreach ($ids as $id) {
@@ -213,19 +187,17 @@ function app_passwd($_action, $_data = null) {
           'msg' => array('app_passwd_removed', htmlspecialchars($id))
         );
       }
-    break;
+      break;
     case 'get':
       $app_passwds = array();
       $stmt = $pdo->prepare("SELECT `id`, `name` FROM `app_passwd` WHERE `mailbox` = :username");
       $stmt->execute(array(':username' => $username));
       $app_passwds = $stmt->fetchAll(PDO::FETCH_ASSOC);
       return $app_passwds;
-    break;
+      break;
     case 'details':
       $app_passwd_data = array();
-      $stmt = $pdo->prepare("SELECT *
-          FROM `app_passwd`
-            WHERE `id` = :id");
+      $stmt = $pdo->prepare("SELECT * FROM `app_passwd` WHERE `id` = :id");
       $stmt->execute(array(':id' => $_data));
       $app_passwd_data = $stmt->fetch(PDO::FETCH_ASSOC);
       if (empty($app_passwd_data)) {
@@ -237,6 +209,6 @@ function app_passwd($_action, $_data = null) {
       }
       $app_passwd_data['name'] = htmlspecialchars(trim($app_passwd_data['name']));
       return $app_passwd_data;
-    break;
+      break;
   }
 }

From ce219668cf066309cc7978613975eb3189f23cc2 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 03:37:49 +0200
Subject: [PATCH 354/378] Rename AppPasswds fields uniquely like 'add'

---
 data/web/inc/functions.app_passwd.inc.php | 4 ++--
 data/web/templates/edit/app-passwd.twig   | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/functions.app_passwd.inc.php b/data/web/inc/functions.app_passwd.inc.php
index b493fc914..51b7c33b3 100644
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@@ -95,8 +95,8 @@ function app_passwd($_action, $_data = null) {
         $is_now = app_passwd('details', $id);
         if (!empty($is_now)) {
           $app_name = (!empty($_data['app_name'])) ? $_data['app_name'] : $is_now['name'];
-          $password = (!empty($_data['password'])) ? $_data['password'] : null;
-          $password2 = (!empty($_data['password2'])) ? $_data['password2'] : null;
+          $password = (!empty($_data['app_passwd'])) ? $_data['app_passwd'] : null;
+          $password2 = (!empty($_data['app_passwd2'])) ? $_data['app_passwd2'] : null;
           if (isset($_data['protocols'])) {
             $protocols = (array)$_data['protocols'];
             $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;
diff --git a/data/web/templates/edit/app-passwd.twig b/data/web/templates/edit/app-passwd.twig
index 46dc648db..efab8876b 100644
--- a/data/web/templates/edit/app-passwd.twig
+++ b/data/web/templates/edit/app-passwd.twig
@@ -13,15 +13,15 @@
     </div>
   </div>
   <div class="row mb-2">
-    <label class="control-label col-sm-2" for="password">{{ lang.edit.password }} (<a href="#" class="generate_password">{{ lang.edit.generate }}</a>)</label>
+    <label class="control-label col-sm-2" for="app_passwd">{{ lang.edit.password }} (<a href="#" class="generate_password">{{ lang.edit.generate }}</a>)</label>
     <div class="col-sm-10">
-      <input type="password" data-pwgen-field="true" data-hibp="true" class="form-control" name="password" placeholder="" autocomplete="new-password">
+      <input type="password" data-pwgen-field="true" data-hibp="true" class="form-control" name="app_passwd" placeholder="" autocomplete="new-password">
     </div>
   </div>
   <div class="row mb-4">
-    <label class="control-label col-sm-2" for="password2">{{ lang.edit.password_repeat }}</label>
+    <label class="control-label col-sm-2" for="app_passwd2">{{ lang.edit.password_repeat }}</label>
     <div class="col-sm-10">
-      <input type="password" data-pwgen-field="true" class="form-control" name="password2" autocomplete="new-password">
+      <input type="password" data-pwgen-field="true" class="form-control" name="app_passwd2" autocomplete="new-password">
     </div>
   </div>
   <div class="row mb-2">

From 5c5287ca21da04d9efa5058b200aa3df6aeb8305 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 04:04:45 +0200
Subject: [PATCH 355/378] Fixed wrong footer escaping

---
 data/web/js/build/013-mailcow.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/data/web/js/build/013-mailcow.js b/data/web/js/build/013-mailcow.js
index f09098310..53e48d60a 100644
--- a/data/web/js/build/013-mailcow.js
+++ b/data/web/js/build/013-mailcow.js
@@ -22,8 +22,8 @@ $(document).ready(function() {
     $.notify({message: msg},{z_index: 20000, delay: auto_hide, type: type,placement: {from: "bottom",align: "right"},animate: {enter: 'animated fadeInUp',exit: 'animated fadeOutDown'}});
   }
 
-  $(".generate_password").click(async function( event ) {   
-    try { 
+  $(".generate_password").click(async function( event ) {
+    try {
       var password_policy = await window.fetch("/api/v1/get/passwordpolicy", { method:'GET', cache:'no-cache' });
       var password_policy = await password_policy.json();
       random_passwd_length = password_policy.length;
@@ -48,7 +48,7 @@ $(document).ready(function() {
     })
   }
   $(".rot-enc").html(function(){
-    return str_rot13($(this).html())
+    return str_rot13($(this).text())
   });
   // https://stackoverflow.com/questions/4399005/implementing-jquerys-shake-effect-with-animate
   function shake(div,interval,distance,times) {
@@ -125,7 +125,7 @@ $(document).ready(function() {
         }
       });
   })();
-  
+
   // responsive tabs, scroll to opened tab
   $(document).on("shown.bs.collapse shown.bs.tab", function (e) {
 	  var target = $(e.target);
@@ -409,4 +409,4 @@ function copyToClipboard(id) {
   // only works with https connections
   navigator.clipboard.writeText(copyText.value);
   mailcow_alert_box(lang.copy_to_clipboard, "success");
-}
\ No newline at end of file
+}

From 8abe74a5622a71d5ba2691e0e7c0d1067dea3ccc Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Fri, 26 Sep 2025 10:57:32 +0200
Subject: [PATCH 356/378] [Web] Updated lang.si-si.json (#6785)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 42 +++++++++++++++++------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index 0b6626127..e54c3b11f 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -414,9 +414,9 @@
         "needs_restart": "potreben je ponovni zagon"
     },
     "danger": {
-        "alias_goto_identical": "Alias in goto naslov morata biti identična",
-        "aliasd_targetd_identical": "Alias domena ne sme biti enaka ciljni domeni: %s",
-        "bcc_exists": "BCC preslikava obstaja za vrsto %s",
+        "alias_goto_identical": "Vzdevek in ciljni naslov se ne smeta ujemati.",
+        "aliasd_targetd_identical": "Vzdevek domene ne sme biti enak ciljni domeni: %s",
+        "bcc_exists": "Za tip %s obstaja BCC preslikava %s",
         "dkim_domain_or_sel_exists": "DKIM ključ za \"%s\" obstaja in ne bo prepisan",
         "domain_quota_m_in_use": "Kvota domene mora biti večja ali enaka %s MiB",
         "extra_acl_invalid_domain": "Zunanji pošiljatelj \"%s\" uporablja neveljavno domeno",
@@ -425,42 +425,42 @@
         "invalid_nexthop": "Oblika naslednjega skoka ni veljavna",
         "invalid_nexthop_authenticated": "Naslednji skok obstaja z drugačnimi poverilnicami. Prosim najprej posodobite obstoječe poverilnice za ta naslednji skok.",
         "demo_mode_enabled": "Demo način je omogočen",
-        "access_denied": "Dostop zavrnjen ali pa so podatki obrazca napačni",
-        "alias_domain_invalid": "Alias domena %s ni veljavna",
-        "alias_empty": "Alias naslov ne sme biti prazen",
-        "alias_invalid": "Alias naslov %s ni veljaven",
-        "aliases_in_use": "Max. aliasov mora biti večje ali enako %d",
-        "app_name_empty": "Naziv aplikacije ne more biti prazno",
-        "app_passwd_id_invalid": "ID gesla aplikacije %s je neveljaven",
-        "bcc_empty": "BCC cilj ne more biti prazen",
-        "bcc_must_be_email": "BCC cilj %s ni veljaven e-poštni naslov",
+        "access_denied": "Dostop zavrnjen ali neveljavni podatki obrazca",
+        "alias_domain_invalid": "Vzdevek domene %s ni veljaven",
+        "alias_empty": "Naslov vzdevka ne sme biti prazen",
+        "alias_invalid": "Naslov vzdevka %s ni veljaven",
+        "aliases_in_use": "Največje število vzdevkov mora biti večje ali enako %d",
+        "app_name_empty": "Ime aplikacije ne sme biti prazno",
+        "app_passwd_id_invalid": "ID gesla za aplikacijo %s neveljaven",
+        "bcc_empty": "Polje za prejemnika BCC ne sme biti prazno",
+        "bcc_must_be_email": "Cilj BCC %s ni veljaven e-poštni naslov",
         "comment_too_long": "Komentar je predolg, dovoljeno je največ 160 znakov",
         "defquota_empty": "Privzeta kvota na poštni predal ne more biti 0.",
-        "description_invalid": "Opis resursa za %s ni veljaven",
+        "description_invalid": "Opis vira za %s je neveljaven",
         "dkim_domain_or_sel_invalid": "Domena ali izbirnik DKIM ni veljaven: %s",
         "domain_cannot_match_hostname": "Domena se ne more ujemati z imenom gostitelja",
         "domain_exists": "Domena %s že obstaja",
-        "domain_invalid": "Manjka ali napačno ime domene",
-        "domain_not_empty": "Ne morem odstraniti ne-prazno domeno %s",
+        "domain_invalid": "Ime domene je prazno ali neveljavno",
+        "domain_not_empty": "Neprazne domene %s ni mogoče odstraniti",
         "domain_not_found": "Domene %s ni bilo mogoče najti",
         "extended_sender_acl_denied": "manjka ACL za določitev naslovov zunanjih pošiljateljev",
         "extra_acl_invalid": "Naslov zunanjega pošiljatelja \"%s\" ni veljaven",
         "fido2_verification_failed": "Preverjanje FIDO2 ni uspelo: %s",
-        "file_open_error": "Datoteka ne more biti odprta za urejanje",
+        "file_open_error": "Datoteke ni mogoče odpreti za pisanje",
         "filter_type": "Napačna vrsta filtra",
-        "from_invalid": "Pošiljatelj ne sme biti prazno",
+        "from_invalid": "Polje za pošiljatelja ne sme biti prazno",
         "global_filter_write_error": "Ni mogoče zapisati datoteke filtra: %s",
         "global_map_invalid": "ID globalne preslikave %s ni veljaven",
-        "goto_empty": "Alias naslov mora vsebovati vsaj en veljaven goto naslov",
-        "goto_invalid": "Goto naslov %s ni veljaven",
+        "goto_empty": "Naslov vzdevka mora vsebovati vsaj en veljaven ciljni naslov",
+        "goto_invalid": "Ciljni naslov %s ni veljaven",
         "ham_learn_error": "Napaka pri učenju Ham: %s",
-        "imagick_exception": "Napaka: Imagick napaka pri branju slike",
+        "imagick_exception": "Napaka: Izjema Imagick med branjem slike",
         "img_invalid": "Ni možno preveriti slikovne datoteke",
         "invalid_bcc_map_type": "Neveljavna vrsta preslikave BCC",
         "invalid_destination": "Ciljna oblika \"%s\" ni veljavna",
         "invalid_filter_type": "Neveljavna vrsta filtra",
         "invalid_host": "Naveden je neveljaven gostitelj (host): %s",
-        "invalid_mime_type": "Neveljaven mime type",
+        "invalid_mime_type": "Neveljavna vrsta MIME",
         "max_quota_in_use": "Kvota poštnega predala mora biti večja ali enaka %d MB",
         "password_complexity": "Geslo ne ustreza varnostni politiki",
         "pushover_credentials_missing": "Manjka Pushover token ali ključ",

From 702ed85dfd0747216da1b74fb535e58f8c19ca40 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 14:41:19 +0200
Subject: [PATCH 357/378] Fixed footer escaping

---
 data/web/inc/header.inc.php      | 6 +++++-
 data/web/js/build/013-mailcow.js | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index 9ab2ad174..d2ce6f3d0 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -62,7 +62,11 @@ if ($app_links_processed){
   }
 }
 
-
+// Workaround to get text with <br> straight to twig.
+// Using "nl2br" doesn't work with Twig as it would escape everything by default.
+if (isset($UI_TEXTS["ui_footer"])) {
+  $UI_TEXTS["ui_footer"] = nl2br($UI_TEXTS["ui_footer"]);
+}
 
 $globalVariables = [
   'mailcow_hostname' => getenv('MAILCOW_HOSTNAME'),
diff --git a/data/web/js/build/013-mailcow.js b/data/web/js/build/013-mailcow.js
index 53e48d60a..d897f23ea 100644
--- a/data/web/js/build/013-mailcow.js
+++ b/data/web/js/build/013-mailcow.js
@@ -48,7 +48,11 @@ $(document).ready(function() {
     })
   }
   $(".rot-enc").html(function(){
-    return str_rot13($(this).text())
+    footer_html = $(this).html();
+    footer_html = footer_html.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
+                             .replace(/&amp;/g, '&').replace(/&nzc;/g, '&')
+                             .replace(/&quot;/g, '"').replace(/&#x27;/g, "'");
+    return str_rot13(footer_html)
   });
   // https://stackoverflow.com/questions/4399005/implementing-jquerys-shake-effect-with-animate
   function shake(div,interval,distance,times) {

From d06d23bbaf528f5edfb26d32d3d693b8005fc81e Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 14:58:04 +0200
Subject: [PATCH 358/378] Fix several SQL statements

---
 data/conf/rspamd/dynmaps/aliasexp.php       | 2 +-
 data/conf/rspamd/meta_exporter/pipe.php     | 2 +-
 data/conf/rspamd/meta_exporter/pushover.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/conf/rspamd/dynmaps/aliasexp.php b/data/conf/rspamd/dynmaps/aliasexp.php
index 824037cf1..814c0d38c 100644
--- a/data/conf/rspamd/dynmaps/aliasexp.php
+++ b/data/conf/rspamd/dynmaps/aliasexp.php
@@ -133,7 +133,7 @@ try {
             error_log("ALIAS EXPANDER: http pipe: goto address " . $goto . " is an alias branch for " . $goto_branch . PHP_EOL);
             $goto_branch_array = explode(',', $goto_branch);
           } else {
-            $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+            $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` = '1'");
             $stmt->execute(array(':domain' => $parsed_goto['domain']));
             $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
             if ($goto_branch) {
diff --git a/data/conf/rspamd/meta_exporter/pipe.php b/data/conf/rspamd/meta_exporter/pipe.php
index bd5d875bd..003639b08 100644
--- a/data/conf/rspamd/meta_exporter/pipe.php
+++ b/data/conf/rspamd/meta_exporter/pipe.php
@@ -182,7 +182,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {
               error_log("RCPT RESOVLER: http pipe: goto address " . $goto . " is an alias branch for " . $goto_branch . PHP_EOL);
               $goto_branch_array = explode(',', $goto_branch);
             } else {
-              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` = '1'");
               $stmt->execute(array(':domain' => $parsed_goto['domain']));
               $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
               if ($goto_branch) {
diff --git a/data/conf/rspamd/meta_exporter/pushover.php b/data/conf/rspamd/meta_exporter/pushover.php
index af1b21ebc..efe5fdd52 100644
--- a/data/conf/rspamd/meta_exporter/pushover.php
+++ b/data/conf/rspamd/meta_exporter/pushover.php
@@ -167,7 +167,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {
               error_log("RCPT RESOVLER: http pipe: goto address " . $goto . " is an alias branch for " . $goto_branch . PHP_EOL);
               $goto_branch_array = explode(',', $goto_branch);
             } else {
-              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` = '1'");
               $stmt->execute(array(':domain' => $parsed_goto['domain']));
               $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
               if ($goto_branch) {

From 85ca197615a490b7ad1bb2a418ad3fec2a734ef4 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 16:50:58 +0200
Subject: [PATCH 359/378] Hide relayhosts when ACL does not allow

---
 data/web/templates/edit/domain.twig  | 4 +++-
 data/web/templates/edit/mailbox.twig | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/data/web/templates/edit/domain.twig b/data/web/templates/edit/domain.twig
index 774b30996..8bd7ab253 100644
--- a/data/web/templates/edit/domain.twig
+++ b/data/web/templates/edit/domain.twig
@@ -58,6 +58,7 @@
                       </div>
                     </div>
                   </div>
+                  {% if acl.domain_relayhost == '1' %}
                   <div class="row mb-2">
                     <label class="control-label col-sm-2" for="relayhost">{{ lang.edit.relayhost }}</label>
                     <div class="col-sm-10">
@@ -76,6 +77,7 @@
                       </select>
                     </div>
                   </div>
+                  {% endif %}
                   {% if mailcow_cc_role == 'admin' %}
                   <div class="row mb-2">
                     <label class="control-label col-sm-2" for="aliases">{{ lang.edit.max_aliases }}</label>
@@ -293,7 +295,7 @@
                   <input type="hidden" value="0" name="active">
                   <input type="hidden" value="{{ domain }}" name="domain">
                   <div class="row mb-2">
-                    <label class="control-label col-sm-2" for="version"> 
+                    <label class="control-label col-sm-2" for="version">
                       <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.edit.mta_sts_version_info|raw }}"></i>
                       {{ lang.edit.mta_sts_version }}
                     </label>
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index 12c1f3b93..bb8971a07 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -114,6 +114,7 @@
                       <small class="text-muted d-block">{{ lang.edit.sender_acl_info|raw }}</small>
                     </div>
                   </div>
+                  {% if acl.mailbox_relayhost == '1' %}
                   <div class="row mb-2">
                     <label class="control-label col-sm-2" for="relayhost">{{ lang.edit.relayhost }}</label>
                     <div class="col-sm-10">
@@ -134,6 +135,7 @@
                       <small class="text-muted d-block mb-4">{{ lang.edit.mailbox_relayhost_info }}</small>
                     </div>
                   </div>
+                  {% endif %}
                   <div class="row mb-2">
                     <label class="control-label col-sm-2">{{ lang.user.tag_handling }}</label>
                     <div class="col-sm-10">

From ff43799763fd563a38585a693dda62702b97d78b Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 17:02:22 +0200
Subject: [PATCH 360/378] Show "Never" by default if no last-modified date

---
 data/web/templates/edit/domain.twig  | 4 ++--
 data/web/templates/edit/mailbox.twig | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/web/templates/edit/domain.twig b/data/web/templates/edit/domain.twig
index 774b30996..dbc62a774 100644
--- a/data/web/templates/edit/domain.twig
+++ b/data/web/templates/edit/domain.twig
@@ -147,7 +147,7 @@
                   <div class="row">
                     <div class="offset-sm-2 col-sm-10">
                       <small class="fst-italic d-block">{{ lang.edit.created_on }}: {{ result.created }}</small>
-                      <small class="fst-italic d-block">{{ lang.edit.last_modified }}: {{ result.modified }}</small>
+                      <small class="fst-italic d-block">{{ lang.edit.last_modified }}: {{ result.modified|default(lang.user.never) }}</small>
                     </div>
                   </div>
                 </form>
@@ -293,7 +293,7 @@
                   <input type="hidden" value="0" name="active">
                   <input type="hidden" value="{{ domain }}" name="domain">
                   <div class="row mb-2">
-                    <label class="control-label col-sm-2" for="version"> 
+                    <label class="control-label col-sm-2" for="version">
                       <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.edit.mta_sts_version_info|raw }}"></i>
                       {{ lang.edit.mta_sts_version }}
                     </label>
diff --git a/data/web/templates/edit/mailbox.twig b/data/web/templates/edit/mailbox.twig
index 12c1f3b93..1ca846512 100644
--- a/data/web/templates/edit/mailbox.twig
+++ b/data/web/templates/edit/mailbox.twig
@@ -325,7 +325,7 @@
                   <div class="row">
                     <div class="offset-sm-2 col-sm-10">
                       <small class="fst-italic d-block">{{ lang.edit.created_on }}: {{ result.created }}</small>
-                      <small class="fst-italic d-block">{{ lang.edit.last_modified }}: {{ result.modified }}</small>
+                      <small class="fst-italic d-block">{{ lang.edit.last_modified }}: {{ result.modified|default(lang.user.never) }}</small>
                     </div>
                   </div>
                 </form>

From 20f04ecf6b764f43fc0a2116fdad6f9630f9ed1f Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Fri, 26 Sep 2025 17:13:24 +0200
Subject: [PATCH 361/378] Make domain description field readonly when no ACL

---
 data/web/templates/edit/domain.twig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/templates/edit/domain.twig b/data/web/templates/edit/domain.twig
index 774b30996..0f90080bb 100644
--- a/data/web/templates/edit/domain.twig
+++ b/data/web/templates/edit/domain.twig
@@ -39,7 +39,7 @@
                   <div class="row mb-2" data-acl="{{ acl.domain_desc }}">
                     <label class="control-label col-sm-2" for="description">{{ lang.edit.description }}</label>
                     <div class="col-sm-10">
-                      <input type="text" class="form-control" name="description" value="{{ result.description }}">
+                      <input type="text" class="form-control" name="description" value="{{ result.description }}"{% if acl.domain_desc == '0' %} readonly{% endif %}>
                     </div>
                   </div>
                   <div class="row mb-4">

From 46f05819368d88938aa121b8a813f2eed09632f3 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Fri, 26 Sep 2025 19:14:07 +0200
Subject: [PATCH 362/378] [Web] Updated lang.si-si.json (#6790)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 48 +++++++++++++++++------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index e54c3b11f..ecc2d5f24 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -463,33 +463,33 @@
         "invalid_mime_type": "Neveljavna vrsta MIME",
         "max_quota_in_use": "Kvota poštnega predala mora biti večja ali enaka %d MB",
         "password_complexity": "Geslo ne ustreza varnostni politiki",
-        "pushover_credentials_missing": "Manjka Pushover token ali ključ",
+        "pushover_credentials_missing": "Manjka žeton in/ali ključ Pushover",
         "release_send_failed": "Sporočila ni bilo mogoče sprostiti: %s",
-        "tls_policy_map_dest_invalid": "Cilj politike ni veljaven",
+        "tls_policy_map_dest_invalid": "Cilj pravilnika je neveljaven",
         "webauthn_authenticator_failed": "Izbrani avtentikator ni bil najden",
         "reset_f2b_regex": "Regex filter ni bilo možno ponastaviti v ustreznem času. Prosim poskusite ponovno ali počakajte nekaj sekund in ponovno naložite stran.",
         "target_domain_invalid": "Ciljna domena %s ni veljavna",
-        "validity_missing": "Prosim nastavite obdobje veljavnosti",
+        "validity_missing": "Prosim določite obdobje veljavnosti",
         "invalid_recipient_map_old": "Naveden neveljaven izvirni prejemnik: %s",
-        "ip_list_empty": "Seznam dovoljenih IPjev ne sme biti prazen",
-        "is_alias": "%s je že znan kot alias naslov",
-        "is_alias_or_mailbox": "%s je že znan kot alias, poštni naslov, ali alias izveden iz alias domene.",
-        "is_spam_alias": "%s že obstaja kot začasen alias (spam alias naslov)",
+        "ip_list_empty": "Seznam dovoljenih IP-jev ne sme biti prazen",
+        "is_alias": "%s je že znan kot naslov vzdevka",
+        "is_alias_or_mailbox": "%s je že znan kot vzdevek, poštni predal ali naslov vzdevka, razširjen iz vzdevka domene.",
+        "is_spam_alias": "%s je že znan kot začasni vzdevek (neželeni vzdevek)",
         "last_key": "Zadnji ključ ne more biti izbrisan, prosim raje deaktivirajte dvofaktorsko avtentikacijo (TFA).",
         "login_failed": "Prijava ni uspela",
         "mailbox_defquota_exceeds_mailbox_maxquota": "Privzeta kvota presega najvišjo omejitev",
         "mailbox_invalid": "Ime poštnega predala ni veljavno",
-        "mailbox_quota_exceeded": "Kvota presega omejitev domene (maksimalno %d MB)",
+        "mailbox_quota_exceeded": "Kvota presega omejitev domene (največ %d MB)",
         "mailbox_quota_exceeds_domain_quota": "Najvišja kvota presega omejitev domene",
         "mailbox_quota_left_exceeded": "Ni dovolj prostora (preostali prostor: %d MB)",
         "mailboxes_in_use": "Največje število poštnih predalov mora biti večje ali enako %d",
         "malformed_username": "Nepravilno oblikovano uporabniško ime",
         "map_content_empty": "Preslikava vsebine ne more biti prazna",
-        "max_alias_exceeded": "Preseženo največje število aliasov",
+        "max_alias_exceeded": "Preseženo največje število vzdevkov",
         "max_mailbox_exceeded": "Preseženo največje število poštnih predalov (%d od %d)",
         "maxquota_empty": "Največja kvota na poštni predal ne more biti 0.",
         "mysql_error": "Napaka MySQL: %s",
-        "network_host_invalid": "Nepravilno omrežje ali gostitel: %s",
+        "network_host_invalid": "Nepravilno omrežje ali gostitelj: %s",
         "next_hop_interferes": "% moti naslednji skok %s",
         "next_hop_interferes_any": "Obstoječi naslednji skok moti %s",
         "nginx_reload_failed": "Ponovni zagon Nginx ni uspel: %s",
@@ -502,30 +502,30 @@
         "policy_list_from_invalid": "Zapis ima nepravilno obliko",
         "private_key_error": "Napaka zasebnega ključa: %s",
         "pushover_key": "Pushover ključ ni v pravilni obliki",
-        "pushover_token": "Pushover token ni v pravilni obliki",
-        "quota_not_0_not_numeric": "Quota mora biti število in večje ali enako 0",
+        "pushover_token": "Pushover žeton ni v pravilni obliki",
+        "quota_not_0_not_numeric": "Kvota mora biti numerična in >= 0",
         "recipient_map_entry_exists": "Preslikava prejemnika \"%s\" že obstaja",
         "redis_error": "Napaka Redis: %s",
         "relayhost_invalid": "Vnos preslikave %s ni pravilen",
-        "resource_invalid": "Ime vira je neveljavno",
-        "rl_timeframe": "Časovni okvir za rate limit je nepravilen",
+        "resource_invalid": "Ime vira %s je neveljavno",
+        "rl_timeframe": "Časovni okvir omejitve je nepravilen",
         "rspamd_ui_pw_length": "Rspamd UI geslo mora biti dolgo vsaj 6 znakov",
-        "script_empty": "Script ne more biti prazen",
+        "script_empty": "Skripta ne sme biti prazna",
         "sender_acl_invalid": "Vrednost ACL pošiljatelja %s ni veljavna",
         "set_acl_failed": "Ni uspelo nastaviti ACL",
         "settings_map_invalid": "ID preslikave nastavitev %s ni veljaven",
-        "sieve_error": "Napaka Sieve parserja: %s",
-        "spam_learn_error": "Napaka pri učenju spama: %s",
-        "subject_empty": "Predmet ne sme biti prazno",
+        "sieve_error": "Napaka Sieve razčlenjevalnika: %s",
+        "spam_learn_error": "Napaka pri učenju neželene pošte: %s",
+        "subject_empty": "Zadeva ne sme biti prazna",
         "targetd_not_found": "Ciljna domena %s ni bila najdena",
-        "targetd_relay_domain": "Ciljna domena %s je relay domena",
+        "targetd_relay_domain": "Ciljna domena %s je posredovalna domena",
         "template_exists": "Predloga %s že obstaja",
         "template_id_invalid": "ID predloge %s ni veljaven",
         "template_name_invalid": "Ime predloge ni veljavno",
         "text_empty": "Besedilo ne sme biti prazno",
-        "tfa_token_invalid": "Neveljaven token TFA",
-        "tls_policy_map_entry_exists": "Vpis preslikave TLS \"%s\" že obstaja",
-        "tls_policy_map_parameter_invalid": "Parameter politike ni pravilen",
+        "tfa_token_invalid": "Neveljaven TFA žeton",
+        "tls_policy_map_entry_exists": "Vnos pravilnika preslikave TLS \"%s\" obstaja",
+        "tls_policy_map_parameter_invalid": "Parameter pravilnika je neveljaven",
         "totp_verification_failed": "Neuspešno preverjanje TOTP",
         "transport_dest_exists": "Cilj transporta \"%s\" že obstaja",
         "webauthn_verification_failed": "Preverjanje WebAuthn ni uspelo: %s",
@@ -573,7 +573,7 @@
         "external_logs": "Zunanji dnevniki",
         "last_modified": "Nazadnje spremenjeno",
         "history_all_servers": "Zgodovina (vsi strežniki)",
-        "in_memory_logs": "In-memory dnevniki",
+        "in_memory_logs": "Dnevniki v pomnilniku",
         "service": "Servis",
         "show_ip": "Prikaži javni IP",
         "size": "Velikost",
@@ -600,7 +600,7 @@
         "infoFiltered": "(filtrirano od _MAX_ skupaj zapisov)",
         "collapse_all": "Strni vse",
         "decimal": ",",
-        "emptyTable": "Ni podatkov",
+        "emptyTable": "V tabeli ni na voljo podatkov",
         "expand_all": "Razširi vse",
         "info": "Prikazano _START_ do _END_ od _TOTAL_ zapisov",
         "infoEmpty": "Prikazano 0 do 0 od 0 zapisov",

From 4e0f435d12c8a2990bbe5494ae6b2dca7a6fe485 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Sun, 28 Sep 2025 15:12:14 +0200
Subject: [PATCH 363/378] [Web] Updated lang.si-si.json (#6793)

---
 data/web/lang/lang.si-si.json | 84 +++++++++++++++++------------------
 1 file changed, 42 insertions(+), 42 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index ecc2d5f24..b523ac8bd 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -574,22 +574,22 @@
         "last_modified": "Nazadnje spremenjeno",
         "history_all_servers": "Zgodovina (vsi strežniki)",
         "in_memory_logs": "Dnevniki v pomnilniku",
-        "service": "Servis",
+        "service": "Storitev",
         "show_ip": "Prikaži javni IP",
         "size": "Velikost",
         "started_at": "Zagnano ob",
         "started_on": "Zagnano na",
         "static_logs": "Statični dnevniki",
         "success": "Uspešno",
-        "system_containers": "Sistem in Containerji",
+        "system_containers": "Sistem in zabojniki",
         "timezone": "Časovni pas",
         "uptime": "Čas delovanja",
         "update_available": "Posodobitev je na voljo",
         "no_update_available": "Sistem je na najnovejši verziji",
         "update_failed": "Ni mogoče preveriti za posodobitve",
         "username": "Uporabniško ime",
-        "wip": "Trenutno v delu",
-        "log_info": "<p>mailcow <b>in-memory dnevniki</b> se zbirajo v Redis seznamih in se vsako minuto omejijo na LOG_LINES (%d) da se zmanjša obremenitev.\n  <br>In-memory dnevniki niso namenjeni trajnemu shranjevanju. Vse aplikacije, ki beležijo dnevnike in-memory, tudi beležijo v Docker daemon in posledično v privzeti gonilnik za dnevnik.\n  <br>In-memory dnevniki se naj uporabljajo za odpravljanje manjših napak s containerji.</p>\n  <p><b>Eksterni dnevniki</b> se zbirajo preko API-ja posamezne aplikacije.</p>\n  <p><b>Statični dnevniki</b> so večinoma dnevniki aktivnosti, ki se ne beležijo v Dockerd, a jih je vseeno treba hraniti (razen API dnevnikov).</p>",
+        "wip": "Trenutno delo v teku",
+        "log_info": "<p>Dnevniki v pomnilniku mailcow se zbirajo na seznamih Redis in vsako minuto skrajšajo na LOG_LINES (%d), da se zmanjša preobremenitev.\n  <br>Dnevniki v pomnilniku niso namenjeni trajnemu beleženju. Vse aplikacije, ki se beležijo v pomnilnik, se beležijo tudi v Dockerjev demon in s tem v privzeti gonilnik beleženja.</p>\n  </p>Vrsta dnevnika v pomnilniku se mora uporabljati za odpravljanje manjših težav s kontejnerji.</p>\n  <p><b>Zunanji dnevniki</b> se zbirajo prek API-ja dane aplikacije.</p>\n  <p><b>Statični dnevniki</b> so večinoma dnevniki dejavnosti, ki se ne beležijo v Dockerd, vendar morajo biti še vedno trajni (razen dnevnikov API-ja).</p>",
         "login_time": "Čas",
         "logs": "Dnevniki",
         "memory": "Spomin",
@@ -622,9 +622,9 @@
         }
     },
     "diagnostics": {
-        "cname_from_a": "Vrednost pridobljena iz A/AAAA zapisa. To je podprto, če zapis kaže na pravilen resurs.",
+        "cname_from_a": "Vrednost, izpeljana iz zapisa A/AAAA. To je podprto, če zapis kaže na pravilen vir.",
         "dns_records": "DNS zapisi",
-        "dns_records_24hours": "Prosim upoštevajte, da lahko traja do 24 ur da se spremembe v DNS pravilno prikažejo na tej strani. Namen je da lahko enostavno vidite, kako konfigurirati svoje DNS zapise in preverite ali so vaši zapisi pravilno shranjeni v DNS.",
+        "dns_records_24hours": "Upoštevajte, da se lahko spremembe DNS-a pravilno odražajo na tej strani v 24 urah. Namenjena je temu, da si preprosto ogledate, kako konfigurirati zapise DNS, in preverite, ali so vsi vaši zapisi pravilno shranjeni v DNS-u.",
         "dns_records_data": "Pravilni podatki",
         "dns_records_docs": "Prosim preverite tudi <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">dokumentacijo</a>.",
         "dns_records_name": "Ime",
@@ -635,60 +635,60 @@
     "edit": {
         "acl": "ACL (Dovoljenje)",
         "active": "Aktivno",
-        "allow_from_smtp": "Dovoli samo tem IP naslovom da uporabijo <b>SMTP</b>",
-        "bcc_dest_format": "Cilj BCC mora biti en veljaven email naslov.<br>Če morate poslati kopijo na več naslovov, ustvarite alias in ga uporabite tukaj.",
-        "automap": "Poskušaj samodejno preslikati mape (\"Sent items\", \"Sent\" => \"Poslano\" ipd.)",
+        "allow_from_smtp": "Dovoli samo tem IP naslovom uporabo <b>SMTP</b>",
+        "bcc_dest_format": "Ciljna stran za polje SKP (BCC) mora biti en veljaven e-poštni naslov.<br>Če morate kopijo poslati na več naslovov, ustvarite vzdevek in ga uporabite tukaj.",
+        "automap": "Poskusite samodejno preslikati mape (\"Poslani predmeti\", \"Poslano\" => \"Poslano\" itd.)",
         "admin": "Uredi skrbnika",
         "domain_footer_info_vars": {
-            "custom": "{= foo =}         - Če ima poštni predal atribut po meri \"foo\" z vrednostjo \"bar\", spremenljivka vrne \"bar\"",
-            "auth_user": "{= auth_user =}   - Prijavljeno uporabniško ime, ki ga določi MTA",
-            "from_user": "{= from_user =}   - leva stran email naslova uporabnika, npr. za \"moo@mailcow.tld\" vrne \"moo\"",
-            "from_name": "{= from_name =}   - Prikazno ime, npr. za \"Mailcow &lt;moo@mailcow.tld&gt;\" vrne \"Mailcow\"",
-            "from_addr": "{= from_addr =}   - e-poštni naslov \"Od\"",
-            "from_domain": "{= from_domain =} - domena e-poštnega naslova \"Od\""
+            "custom": "{= foo =}         - Če ima poštni predal atribut po meri \"foo\" z vrednostjo \"bar\", vrne \"bar\"",
+            "auth_user": "{= auth_user =}    - Preverjeno uporabniško ime, ki ga določi MTA",
+            "from_user": "{= from_user =}    - Iz uporabniškega dela ovojnice, npr. za \"moo@mailcow.tld\" vrne \"moo\"",
+            "from_name": "{= from_name =}    - Iz imena ovojnice, npr. za \"Mailcow &lt;moo@mailcow.tld&gt;\" vrne \"Mailcow\"",
+            "from_addr": "{= from_addr =}    - Del ovojnice z naslovom od",
+            "from_domain": "{= from_domain =} - Iz domenskega dela ovojnice"
         },
-        "dont_check_sender_acl": "Onemogoči kontrolo pošiljatelja za domeno %s (+ alias domene)",
+        "dont_check_sender_acl": "Onemogoči preverjanje pošiljatelja za domeno %s (+ vzdevki domen)",
         "pushover_title": "Naslov obvestila",
         "domains": "Domene",
-        "extended_sender_acl_info": "Če je DKIM domenski ključ na voljo, ga uvozite.<br>\n  Ne pozabite dodati ta strežnik k ustreznemu SPF TXT zapisu.<br>\n  Kadar koli je domena ali alias domena dodana k tem strežniku, ki se prekriva z zunanjim naslovom, je zunanji naslov odstranjen.<br>\n  uporabite @domain.tld da dovolite pošiljanje kot *@domain.tld.",
-        "lookup_mx": "Cilj je regular expression za ujemanje MX zapisov (<code>.*\\.google\\.com</code> za usmeritev vse pošte na MX, ki se konča z google.com, preko tega skoka)",
-        "maxbytespersecond": "Največ bytov na sekundo <br><small>(0 = neomejeno)</small>",
+        "extended_sender_acl_info": "Uvoziti je treba ključ domene DKIM, če je na voljo.<br>\n  Ne pozabite dodati tega strežnika v ustrezni zapis SPF TXT.<br>\n  Kadar koli je temu strežniku dodana domena ali vzdevek domene, ki se prekriva z zunanjim naslovom, se zunanji naslov odstrani.<br>\n  Uporabite @domain.tld, da omogočite pošiljanje kot *@domain.tld.",
+        "lookup_mx": "Cilj je regularni izraz, ki se ujema z imenom MX (<code>.*\\.google\\.com</code> za usmerjanje vse pošte, usmerjene na MX, ki se konča na google.com, prek tega skoka).",
+        "maxbytespersecond": "Največ bajtov na sekundo <br><small>(0 = neomejeno)</small>",
         "pushover_sender_array": "Upoštevaj samo sledeče e-poštne naslove pošiljateljev <small>(ločeni z vejico)</small>",
-        "mbox_rl_info": "Ta omejitev velja za SASL uporabniško ime, preverja se ujemanje s katerim koli \"from\" naslovom, ki ga uporablja prijavljeni uporabnik. Omejitev pošiljanja za poštni predal preglasi pravilo omejitve za domeno.",
+        "mbox_rl_info": "Ta omejitev se uporabi za prijavno ime SASL in se ujema z naslovom \"od\", ki ga uporablja prijavljeni uporabnik. Omejitev poštnega nabiralnika preglasi omejitev za celotno domeno.",
         "kind": "Tip",
         "client_secret": "Skrivnost odjemalca",
         "comment_info": "Zasebni komentar ni viden uporabniku, javni komentar pa se prikaže kot opis orodja, ko nanj v pregledu uporabnika zadržite miško",
         "created_on": "Ustvarjeno",
         "custom_attributes": "Atributi po meri",
-        "delete1": "Izbriši na viru, ko je končano",
-        "delete2": "Izbriši sporočila na cilju, ki ne obstajajo na viru",
+        "delete1": "Izbriši iz vira, ko je končano",
+        "delete2": "Izbriši sporočila na cilju, ki niso na izvoru",
         "delete2duplicates": "Izbriši dvojnike na cilju",
         "delete_ays": "Prosim potrdite proces izbrisa.",
         "description": "Opis",
         "disable_login": "Onemogoči prijavo (dohodna pošta je še vedno sprejeta)",
         "domain": "Uredi domeno",
-        "domain_admin": "Uredi domenskega skrbnika",
+        "domain_admin": "Uredi skrbnika domene",
         "domain_footer": "Noga za celo domeno",
         "domain_footer_html": "HTML noga",
-        "pushover_vars": "Če ni definiran noben filter pošiljatelja, bodo upoštevana vsa sporočila.<br>Regex filtre in natančna preverjanja pošiljateljev je mogoče definirati posamezno in bodo obravnavani v nadaljevanju. Niso odvisni drug od drugega.<br>Uporabne spremenljivke za besedilo in naslov (prosimo, upoštevajte politike varstva podatkov)",
+        "pushover_vars": "Če filter pošiljatelja ni definiran, bodo upoštevana vsa e-poštna sporočila.<br>Filtre regularnih izrazov in natančna preverjanja pošiljateljev je mogoče definirati posamično in bodo obravnavana zaporedno. Niso odvisna drug od drugega.<br>Uporabne spremenljivke za besedilo in naslov (upoštevajte pravilnike o varstvu podatkov)",
         "pushover_verify": "Preveri poverilnice",
         "quota_mb": "Omejitev (MiB)",
-        "quota_warning_bcc": "BCC za sporočilo z opozorilom omejitve",
+        "quota_warning_bcc": "Opozorilo o kvoti BCC",
         "quota_warning_bcc_info": "Opozorila bodo poslana kot ločene kopije naslednjim prejemnikom. Zadevi bo v oklepaju dodano ustrezno uporabniško ime, na primer: <code>Opozorilo o kvoti (uporabnik@example.com)</code>.",
         "ratelimit": "Omejitev pošiljanja",
         "advanced_settings": "Napredne nastavitve",
-        "allow_from_smtp_info": "Pustite prazno da dovolite vse pošiljatelje.<br>IPv4/IPv6 naslovi in omrežja.",
+        "allow_from_smtp_info": "Pustite prazno, da dovolite vse pošiljatelje.<br>Naslovi in omrežja IPv4/IPv6.",
         "allowed_protocols": "Dovoljeni protokoli za neposreden dostop uporabnikov (ne vpliva na protokole za gesla aplikacij)",
         "app_name": "Ime aplikacije",
         "app_passwd": "Geslo aplikacije",
         "app_passwd_protocols": "Dovoljeni protokoli za geslo aplikacije",
-        "backup_mx_options": "Možnosti posredovanja (relay)",
-        "client_id": "Client ID",
-        "domain_footer_info": "Noge za celo domeno so dodane k vsem izhodnim e-poštnim sporočilom v tej domeni.<br> V nogi se lahko uporabijo sledeče spremenljivke:",
-        "domain_footer_plain": "PLAIN noga",
-        "domain_footer_skip_replies": "Ne dodajaj noge v odgovorih na e-poštna sporočila",
-        "domain_quota": "Omejitev (kvota) domene",
-        "edit_alias_domain": "Uredi alias domeno",
+        "backup_mx_options": "Možnosti posredovanja",
+        "client_id": "ID odjemalca",
+        "domain_footer_info": "Noge za celotno domeno so dodane vsem odhodnim e-poštnim sporočilom, povezanim z naslovom znotraj te domene. <br> Za nogo se lahko uporabijo naslednje spremenljivke:",
+        "domain_footer_plain": "NAVADNA noga",
+        "domain_footer_skip_replies": "Prezri nogo v odgovorih na e-poštna sporočila",
+        "domain_quota": "Kvota domene",
+        "edit_alias_domain": "Uredi vzdevek domene",
         "exclude": "Izključi objekte (regex)",
         "extended_sender_acl": "Naslovi zunanjih pošiljateljev",
         "force_pw_update": "Obvezna zamenjava gesla ob naslednji prijavi",
@@ -697,18 +697,18 @@
         "full_name": "Polno ime",
         "gal": "Globalni seznam naslovov (GAL)",
         "gal_info": "GAL vsebuje vse objekte v domeni in jih uporabniki ne morejo urejati. Če je onemogočeno, ni podatkov o o zasedenosti objekta! <b>Ponovno zaženite SOGo za uveljavitev sprememb.</b>",
-        "generate": "generiraj",
+        "generate": "ustvari",
         "grant_types": "Vrste dovoljenj",
         "hostname": "Ime gostitelja",
         "inactive": "Neaktivno",
         "last_modified": "Nazadnje spremenjeno",
         "mailbox": "Uredi poštni predal",
-        "mailbox_quota_def": "Privzeta omejitev/kvota za poštni predal",
-        "mailbox_relayhost_info": "Velja samo za poštni predal in neposredne aliase. Ne prepiše domenskega relay gostitelja.",
-        "max_aliases": "Največ aliasov",
-        "max_mailboxes": "Največ možnih poštnih predalov",
-        "max_quota": "Največja omejitev/kvota na poštni predal (MiB)",
-        "maxage": "Največja starost sporočil (v dnevih), po katerih bo poizvedeno iz oddaljenega vira <br><small>(0 = ne omejuj)</small>",
+        "mailbox_quota_def": "Privzeta kvota nabiralnika",
+        "mailbox_relayhost_info": "Uporablja se samo za poštni nabiralnik in neposredne vzdevke, preglasi gostitelja posredovalne domene.",
+        "max_aliases": "Največje število vzdevkov",
+        "max_mailboxes": "Največje možno število poštnih predalov",
+        "max_quota": "Največja kvota na poštni predal (MiB)",
+        "maxage": "Najvišja starost sporočil v dnevih, ki bodo prebrana z oddaljenega strežnika<br><small>(0 = prezri starost)</small>",
         "mins_interval": "Interval (min)",
         "multiple_bookings": "Več rezervacij",
         "none_inherit": "Brez / podeduj",
@@ -726,7 +726,7 @@
         "pushover_text": "Besedilo obvestila",
         "pushover_sound": "Zvok",
         "encryption": "Šifriranje",
-        "alias": "Uredi alias",
+        "alias": "Uredi vzdevek",
         "relayhost": "Prenosi, odvisni od pošiljatelja",
         "mailbox_rename_alias": "Samodejno ustvari vzdevek",
         "sender_acl_info": "Če lahko uporabnik poštnega predala A pošilja kot uporabnik poštnega predala B, se naslov pošiljatelja v SOGo ne prikaže samodejno kot izbirno polje \"od\".<br>\n  Uporabnik poštnega predala B mora v SOGo ustvariti pooblastilo, da lahko uporabnik poštnega predala A izbere svoj naslov kot pošiljatelja. Če želite pooblastiti poštni predal v SOGo, uporabite meni (tri pike) desno od imena vašega poštnega predala v zgornjem levem kotu v pogledu pošte. To vedenje ne velja za vzdevke.",
@@ -775,7 +775,7 @@
         "mta_sts_mode": "Način",
         "mta_sts_mode_info": "Na voljo so trije načini:<ul><li><em>testiranje</em> – pravilnik se samo spremlja, kršitve nimajo vpliva.</li><li><em>uveljavljanje</em> – pravilnik se strogo uveljavlja, povezave brez veljavnega TLS so zavrnjene.</li><li><em>brez</em> – pravilnik je objavljen, vendar se ne uporablja.</li></ul>",
         "mta_sts_max_age": "Najvišja starost",
-        "mta_sts_max_age_info": "Čas v sekundah, ki ga lahko prejemni poštni strežniki shranijo v predpomnilnik, dokler se ne ponovno naloži.",
+        "mta_sts_max_age_info": "Čas v sekundah, ki ga lahko prejemni poštni strežniki shranijo v predpomnilnik, dokler se ne naloži ponovno.",
         "mta_sts_mx": "MX strežnik",
         "mta_sts_mx_info": "Omogoča pošiljanje samo na izrecno navedena imena gostiteljskih strežnikov poštnih strežnikov; pošiljajoči MTA preveri, ali se ime gostitelja DNS MX ujema s seznamom pravilnikov, in dovoljuje dostavo le z veljavnim potrdilom TLS (zaščita pred MITM).",
         "mta_sts_mx_notice": "Določiti je mogoče več strežnikov MX (ločenih z vejicami).",

From c51a769aecd3e7dff38662d97c72572bf1a5fd74 Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Mon, 29 Sep 2025 18:10:39 +0200
Subject: [PATCH 364/378] [Web] Updated lang.si-si.json (#6794)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.si-si.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/lang/lang.si-si.json b/data/web/lang/lang.si-si.json
index b523ac8bd..4b1c78fae 100644
--- a/data/web/lang/lang.si-si.json
+++ b/data/web/lang/lang.si-si.json
@@ -749,7 +749,7 @@
         "sogo_access": "Neposredno posredovanje na SOGo",
         "sogo_access_info": "Po prijavi je uporabnik samodejno preusmerjen na SOGo.",
         "sogo_visible": "Vzdevek je viden v SOGo",
-        "sogo_visible_info": "Ta možnost vpliva samo na objekte, ki jih je mogoče prikazati v SOGo (naslovi aliasov v skupni rabi ali brez nje, ki kažejo na vsaj en lokalni poštni predal). Če je skrita, vzdevek ne bo prikazan kot izbirni pošiljatelj v SOGo.",
+        "sogo_visible_info": "Ta možnost vpliva samo na objekte, ki jih je mogoče prikazati v SOGo (naslovi vzdevkov v skupni rabi ali brez nje, ki kažejo na vsaj en lokalni poštni predal). Če je skrita, vzdevek ne bo prikazan kot izbirni pošiljatelj v SOGo.",
         "spam_alias": "Ustvarjanje ali spreminjanje časovno omejenih vzdevkovnih naslovov",
         "spam_filter": "Filter neželene pošte",
         "spam_policy": "Dodajanje ali odstranjevanje elementov na seznam dovoljenih/zavrnjenih",
@@ -783,7 +783,7 @@
         "internal_info": "Notranji vzdevki so dostopni samo iz lastne domene ali vzdevkov domen."
     },
     "footer": {
-        "restart_container_info": "<b>Pomembno:</b> Ugoden ponovni zagon lahko traja nekaj časa, zato počakajte, da se konča.",
+        "restart_container_info": "<b>Pomembno:</b> Eleganten ponovni zagon lahko traja nekaj časa, zato počakajte, da se konča.",
         "delete_these_items": "Prosimo, potrdite spremembe naslednjega ID-ja objekta",
         "confirm_delete": "Potrdi brisanje",
         "delete_now": "Izbriši zdaj",

From 796e131c3af59fb36714818b2e03cbf5f60d9e0c Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Wed, 1 Oct 2025 11:14:57 +0200
Subject: [PATCH 365/378] update postscreen_access.cidr (#6801)

---
 data/conf/postfix/postscreen_access.cidr | 42 +++++++++++-------------
 1 file changed, 19 insertions(+), 23 deletions(-)

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 35fc1a802..9249520bc 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,12 +1,13 @@
-# Whitelist generated by Postwhite v3.4 on Mon Sep  1 00:23:07 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Wed Oct  1 00:21:33 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2165 total rules
+# 2216 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
-2a01:111:f403::/49	permit
-2a01:111:f403:8000::/50	permit
+2a01:111:f403:2800::/53	permit
 2a01:111:f403:8000::/51	permit
+2a01:111:f403::/49	permit
 2a01:111:f403:c000::/51	permit
+2a01:111:f403:d000::/53	permit
 2a01:111:f403:f000::/52	permit
 2a01:238:20a:202:5370::1	permit
 2a01:238:20a:202:5372::1	permit
@@ -55,7 +56,8 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.246.40	permit
+13.107.213.41	permit
+13.107.246.41	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -174,6 +176,7 @@
 35.161.32.253	permit
 35.162.73.231	permit
 35.167.93.243	permit
+35.174.145.124	permit
 35.176.132.251	permit
 35.205.92.9	permit
 35.228.216.85	permit
@@ -183,7 +186,6 @@
 37.218.249.47	permit
 37.218.251.62	permit
 39.156.163.64/29	permit
-40.90.65.81	permit
 40.92.0.0/15	permit
 40.92.0.0/16	permit
 40.107.0.0/16	permit
@@ -271,9 +273,6 @@
 50.56.130.221	permit
 50.56.130.222	permit
 50.112.246.219	permit
-51.77.79.158	permit
-51.83.17.38	permit
-51.89.119.103	permit
 52.1.14.157	permit
 52.5.230.59	permit
 52.6.74.205	permit
@@ -324,8 +323,6 @@
 52.234.172.96/28	permit
 52.235.253.128	permit
 52.236.28.240/28	permit
-54.36.149.183	permit
-54.38.221.122	permit
 54.90.148.255	permit
 54.165.19.38	permit
 54.174.52.0/24	permit
@@ -686,6 +683,8 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
+85.9.206.169	permit
+85.9.210.45	permit
 85.158.136.0/21	permit
 85.215.255.39	permit
 85.215.255.40	permit
@@ -1234,16 +1233,14 @@
 99.83.190.102	permit
 103.9.96.0/22	permit
 103.28.42.0/24	permit
-103.122.78.238	permit
+103.84.217.238	permit
+103.89.75.238	permit
 103.151.192.0/23	permit
 103.168.172.128/27	permit
 103.237.104.0/22	permit
 104.43.243.237	permit
 104.44.112.128/25	permit
 104.47.0.0/17	permit
-104.47.20.0/23	permit
-104.47.75.0/24	permit
-104.47.108.0/23	permit
 104.130.96.0/28	permit
 104.130.122.0/23	permit
 106.10.144.64/27	permit
@@ -1378,7 +1375,6 @@
 108.174.6.215	permit
 108.175.18.45	permit
 108.175.30.45	permit
-108.177.96.0/20	permit
 108.179.144.0/20	permit
 109.224.244.0/24	permit
 109.237.142.0/24	permit
@@ -1544,6 +1540,7 @@
 148.105.0.0/16	permit
 148.105.8.0/21	permit
 149.72.0.0/16	permit
+149.72.234.184	permit
 149.72.248.236	permit
 149.97.173.180	permit
 150.230.98.160	permit
@@ -1599,6 +1596,7 @@
 159.183.0.0/16	permit
 159.183.68.71	permit
 159.183.79.38	permit
+159.183.129.172	permit
 160.1.62.192	permit
 161.38.192.0/20	permit
 161.38.204.0/22	permit
@@ -1616,6 +1614,7 @@
 163.114.134.16	permit
 163.114.135.16	permit
 163.116.128.0/17	permit
+163.192.116.87	permit
 164.152.23.32	permit
 164.152.25.241	permit
 164.177.132.168/30	permit
@@ -1655,6 +1654,7 @@
 169.148.131.0/24	permit
 169.148.138.0/24	permit
 169.148.142.10	permit
+169.148.142.33	permit
 169.148.144.0/25	permit
 169.148.144.10	permit
 169.148.146.0/23	permit
@@ -1666,11 +1666,7 @@
 170.10.132.56/29	permit
 170.10.132.64/29	permit
 170.10.133.0/24	permit
-172.217.0.0/20	permit
 172.217.32.0/20	permit
-172.217.128.0/19	permit
-172.217.160.0/20	permit
-172.217.192.0/19	permit
 172.253.56.0/21	permit
 172.253.112.0/20	permit
 173.0.84.0/29	permit
@@ -2209,17 +2205,17 @@
 2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
 2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
-2620:109:c003:104::215	permit
 2620:109:c003:104::/64	permit
-2620:109:c006:104::215	permit
+2620:109:c003:104::215	permit
 2620:109:c006:104::/64	permit
+2620:109:c006:104::215	permit
 2620:109:c00d:104::/64	permit
 2620:10d:c090:400::8:1	permit
 2620:10d:c091:400::8:1	permit
 2620:10d:c09b:400::8:1	permit
 2620:10d:c09c:400::8:1	permit
-2620:119:50c0:207::215	permit
 2620:119:50c0:207::/64	permit
+2620:119:50c0:207::215	permit
 2800:3f0:4000::/36	permit
 49.12.4.251 permit # checks.mailcow.email
 2a01:4f8:c17:7906::10 permit # checks.mailcow.email

From 3cc28af607194eda0a624413c7be2b168e0a5ba8 Mon Sep 17 00:00:00 2001
From: sdsys-ch <100968265+sdsys-ch@users.noreply.github.com>
Date: Thu, 2 Oct 2025 09:21:26 +0200
Subject: [PATCH 366/378] [Helper] Fix cold-standby script to support digits
 and override files (#6800)

This commit fixes two bugs in the cold-standby script:

1. Support digits in COMPOSE_PROJECT_NAME
   The script was stripping digits from COMPOSE_PROJECT_NAME, while
   backup_and_restore.sh (fixed in a71d991c) correctly supports them.
   Added '0-9' to the tr character set to align behavior.

2. Support docker-compose.override.yml on remote
   Lines 172 and 287 explicitly used '-f docker-compose.yml' which
   causes Docker Compose to ignore docker-compose.override.yml even
   when present. Changed to 'cd && compose' pattern (matching line 296)
   to auto-discover override files.

   Impact: Users with custom volumes/services in override file would
   experience silent failures - volumes not created, images not pulled,
   data syncing to wrong locations.

Both fixes ensure cold-standby works correctly with standard Docker
Compose conventions and user customizations.

Co-authored-by: Christophe Neuerburg <c.neuerburg@sdsys.ch>
---
 helper-scripts/_cold-standby.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/helper-scripts/_cold-standby.sh b/helper-scripts/_cold-standby.sh
index f02436a95..d4c3d0cf2 100755
--- a/helper-scripts/_cold-standby.sh
+++ b/helper-scripts/_cold-standby.sh
@@ -117,7 +117,7 @@ fi
 SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 source "${SCRIPT_DIR}/../mailcow.conf"
 COMPOSE_FILE="${SCRIPT_DIR}/../docker-compose.yml"
-CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd 'A-Za-z-_')
+CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd '0-9A-Za-z-_')
 SQLIMAGE=$(grep -iEo '(mysql|mariadb)\:.+' "${COMPOSE_FILE}")
 
 preflight_local_checks
@@ -169,7 +169,7 @@ if ! ssh -o StrictHostKeyChecking=no \
   -i "${REMOTE_SSH_KEY}" \
   ${REMOTE_SSH_HOST} \
   -p ${REMOTE_SSH_PORT} \
-  ${COMPOSE_COMMAND} -f "${SCRIPT_DIR}/../docker-compose.yml" create 2>&1 ; then
+  "cd \"${SCRIPT_DIR}/../\" && ${COMPOSE_COMMAND} create 2>&1" ; then
     >&2 echo -e "\e[31m[ERR]\e[0m - Could not create networks, volumes and containers on remote"
 fi
 
@@ -284,7 +284,7 @@ echo "OK"
     -i "${REMOTE_SSH_KEY}" \
     ${REMOTE_SSH_HOST} \
     -p ${REMOTE_SSH_PORT} \
-    ${COMPOSE_COMMAND} -f "${SCRIPT_DIR}/../docker-compose.yml" pull --quiet 2>&1 ; then
+    "cd \"${SCRIPT_DIR}/../\" && ${COMPOSE_COMMAND} pull --quiet 2>&1" ; then
       >&2 echo -e "\e[31m[ERR]\e[0m - Could not pull images on remote"
   fi
 

From 871c422ec1cc1afaaba73b40eac5061623fd83fb Mon Sep 17 00:00:00 2001
From: Jonas <jonasc@users.noreply.github.com>
Date: Thu, 2 Oct 2025 09:22:35 +0200
Subject: [PATCH 367/378] Fix typos in config (#6792)

Co-authored-by: DerLinkman <niklas.meyer@servercow.de>
---
 generate_config.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/generate_config.sh b/generate_config.sh
index 6b193f84d..393d2fced 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -243,14 +243,14 @@ COMPOSE_PROJECT_NAME=mailcowdockerized
 
 # Used Docker Compose version
 # Switch here between native (compose plugin) and standalone
-# For more informations take a look at the mailcow docs regarding the configuration options.
+# For more information take a look at the mailcow docs regarding the configuration options.
 # Normally this should be untouched but if you decided to use either of those you can switch it manually here.
 # Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
 DOCKER_COMPOSE_VERSION=${COMPOSE_VERSION}
 
 # Set this to "allow" to enable the anyone pseudo user. Disabled by default.
 # When enabled, ACL can be created, that apply to "All authenticated users"
-# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+# This should probably only be activated on mail hosts, that are used exclusively by one organisation.
 # Otherwise a user might share data with too many other users.
 ACL_ANYONE=disallow
 
@@ -293,7 +293,7 @@ ADDITIONAL_SERVER_NAMES=
 # Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
 SKIP_LETS_ENCRYPT=n
 
-# Create seperate certificates for all domains - y/n
+# Create separate certificates for all domains - y/n
 # this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
 # see https://doc.dovecot.org/admin_manual/ssl/sni_support
 ENABLE_SSL_SNI=n
@@ -327,7 +327,7 @@ FTS_HEAP=128
 
 # Controls how many processes the Dovecot indexing process can spawn at max.
 # Too many indexing processes can use a lot of CPU and Disk I/O.
-# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
+# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more information
 FTS_PROCS=1
 
 # Allow admins to log into SOGo as email user (without any password)

From c217be06c6ced586976e4e900701c84d51f6e35c Mon Sep 17 00:00:00 2001
From: Colin Kubon <colin1207@gmx.net>
Date: Thu, 2 Oct 2025 09:24:06 +0200
Subject: [PATCH 368/378] scripts: make sure /etc/docker exists (#6791)

---
 _modules/scripts/ipv6_controller.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/_modules/scripts/ipv6_controller.sh b/_modules/scripts/ipv6_controller.sh
index 1ff5eb198..a025ee178 100644
--- a/_modules/scripts/ipv6_controller.sh
+++ b/_modules/scripts/ipv6_controller.sh
@@ -155,6 +155,7 @@ docker_daemon_edit(){
     fi
 
     if [[ $ans =~ ^[Yy]$ ]]; then
+      mkdir -p "$(dirname "$DOCKER_DAEMON_CONFIG")"
       if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
         cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {

From 721ee2394ec991c68c96ab484be3e851c0dc2a02 Mon Sep 17 00:00:00 2001
From: Valentin Brandl <mail+github@vbrandl.net>
Date: Fri, 3 Oct 2025 19:03:03 +0200
Subject: [PATCH 369/378] Update variable name for prometheus-exporter security
 token (#6776)

* update variable name for prometheus-exporter security token

* update `MAILCOW_EXPORTER_TOKEN_DISABLE` variable name
---
 .../PROMETHEUS_EXPORTER/docker-compose.override.yml           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml b/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml
index 6fd4e8e08..26532bc39 100644
--- a/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml
+++ b/helper-scripts/docker-compose.override.yml.d/PROMETHEUS_EXPORTER/docker-compose.override.yml
@@ -7,8 +7,8 @@ services:
       environment:
         MAILCOW_EXPORTER_HOST: "<your-mail-domain>" # Replace with your Mailcow hostname
         MAILCOW_EXPORTER_API_KEY: "<your-API-Key>" # Replace with your API key
-        MAILCOW_EXPORTER_TOKEN: "<your-secure-token>" # Replace with your secure key
-        # MAILCOW_EXPORTER_TOKEN_DISABLE: "true" # Uncomment only if it is safe to disable token authentication (e.g., internal network only)
+        MAILCOW_EXPORTER_SECURITY_TOKEN: "<your-secure-token>" # Replace with your secure key
+        # MAILCOW_EXPORTER_SECURITY_DISABLE_ACCESS_PROTECTION: "true" # Uncomment only if it is safe to disable token authentication (e.g., internal network only)
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       networks:

From fd088cb504027c9f3ca8472b02b2dd3dff751a91 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 4 Oct 2025 14:13:48 +0200
Subject: [PATCH 370/378] chore(deps): update actions/stale action to v10.1.0
 (#6806)

---
 .github/workflows/close_old_issues_and_prs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/close_old_issues_and_prs.yml b/.github/workflows/close_old_issues_and_prs.yml
index 91870fd1d..85094394a 100644
--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v10.0.0
+        uses: actions/stale@v10.1.0
         with:
           repo-token: ${{ secrets.STALE_ACTION_PAT }}
           days-before-stale: 60

From 922d173540a109def012aa4b1530a6a813791e9c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 6 Oct 2025 10:58:35 +0200
Subject: [PATCH 371/378] [Web] include hostname in default website title

---
 data/web/inc/functions.customize.inc.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
index 56527ff96..b396eec21 100644
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -325,8 +325,10 @@ function customize($_action, $_item, $_data = null) {
         break;
         case 'ui_texts':
           try {
-            $data['title_name'] = ($title_name = $redis->get('TITLE_NAME')) ? $title_name : 'mailcow UI';
-            $data['main_name'] = ($main_name = $redis->get('MAIN_NAME')) ? $main_name : 'mailcow UI';
+            $mailcow_hostname = strtolower(getenv("MAILCOW_HOSTNAME"));
+
+            $data['title_name'] = ($title_name = $redis->get('TITLE_NAME')) ? $title_name : "$mailcow_hostname - mail UI";
+            $data['main_name'] = ($main_name = $redis->get('MAIN_NAME')) ? $main_name : "$mailcow_hostname - mail UI";
             $data['apps_name'] = ($apps_name = $redis->get('APPS_NAME')) ? $apps_name : $lang['header']['apps'];
             $data['help_text'] = ($help_text = $redis->get('HELP_TEXT')) ? $help_text : false;
             if (!empty($redis->get('UI_IMPRESS'))) {

From 1ef014907625d39232ab6df6145419d7b3af32c4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Mon, 6 Oct 2025 11:00:03 +0200
Subject: [PATCH 372/378] [Web] make SameSite policy and cookie name
 configurable via vars.local.inc

---
 data/web/inc/sessions.inc.php | 4 ++--
 data/web/inc/vars.inc.php     | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index 68b3d5585..8f3192d70 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -1,9 +1,9 @@
 <?php
 // Start session
 if (session_status() !== PHP_SESSION_ACTIVE) {
-  session_name('MCSESSID');
+  session_name($SESSION_NAME);
   ini_set("session.cookie_httponly", 1);
-  ini_set("session.cookie_samesite", "Lax");
+  ini_set("session.cookie_samesite", $SESSION_SAMESITE_POLICY);
   ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
 }
 
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 568105308..a24752a6d 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -153,6 +153,13 @@ $LOG_PAGINATION_SIZE = 50;
 // Session lifetime in seconds
 $SESSION_LIFETIME = 10800;
 
+// Session SameSite Policy
+// Use "None", "Lax" or "Strict"
+$SESSION_SAMESITE_POLICY = "Lax";
+
+// Name of the session cookie
+$SESSION_NAME = "MCSESSID";
+
 // Label for OTP devices
 $OTP_LABEL = "mailcow UI";
 

From c2948735f233eec177dd4aab194f71956f1b8661 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 7 Oct 2025 10:18:07 +0200
Subject: [PATCH 373/378] [Web] clear old app_passwd log entries

---
 data/web/inc/init_db.inc.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 1c4f0ebf2..83b27fbe1 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "19082025_1436";
+    $db_version = "07102025_1015";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -1337,6 +1337,14 @@ function init_db_schema()
       $pdo->query($create);
     }
 
+    // Clear old app_passwd log entries
+    if ($db_version == "07102025_1015") {
+      $pdo->query("DELETE FROM logs
+        WHERE JSON_EXTRACT(`call`, '$[0]') = 'app_passwd'
+          AND JSON_EXTRACT(`call`, '$[1]') = 'edit'
+          AND role != 'unauthenticated';");
+    }
+
     // Mitigate imapsync argument injection issue
     $pdo->query("UPDATE `imapsync` SET `custom_params` = ''
       WHERE `custom_params` LIKE '%pipemess%'

From 455ef084b4a4af4173b471d671a1d77b397aefe2 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 7 Oct 2025 10:37:44 +0200
Subject: [PATCH 374/378] [Web] clear old app_passwd log entries

---
 data/web/inc/init_db.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 83b27fbe1..b8ab85253 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -1338,12 +1338,12 @@ function init_db_schema()
     }
 
     // Clear old app_passwd log entries
-    if ($db_version == "07102025_1015") {
-      $pdo->query("DELETE FROM logs
-        WHERE JSON_EXTRACT(`call`, '$[0]') = 'app_passwd'
-          AND JSON_EXTRACT(`call`, '$[1]') = 'edit'
-          AND role != 'unauthenticated';");
-    }
+    $pdo->exec("DELETE FROM logs
+      WHERE role != 'unauthenticated'
+        AND JSON_EXTRACT(`call`, '$[0]') = 'app_passwd'
+        AND JSON_EXTRACT(`call`, '$[1]') = 'edit'
+        AND (JSON_CONTAINS_PATH(`call`, 'one', '$[2].password')
+          OR JSON_CONTAINS_PATH(`call`, 'one', '$[2].password2'));");
 
     // Mitigate imapsync argument injection issue
     $pdo->query("UPDATE `imapsync` SET `custom_params` = ''

From df4d3bb6e0ed5fb81e9053487e1ff12d5205b0e6 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Tue, 7 Oct 2025 11:41:57 +0200
Subject: [PATCH 375/378] [Web] Fix dashboard host stats

---
 data/web/js/site/dashboard.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/js/site/dashboard.js b/data/web/js/site/dashboard.js
index 32c04b518..760e878f1 100644
--- a/data/web/js/site/dashboard.js
+++ b/data/web/js/site/dashboard.js
@@ -1345,6 +1345,7 @@ function update_stats(timeout=5){
 
   window.fetch("/api/v1/get/status/host", {method:'GET',cache:'no-cache'}).then(function(response) {
     return response.json();
+  }).then(function(data) {
     if (data){
       // display table data
       $("#host_date").text(data.system_time);

From 417835dea83ca5abb57542d1f5ae49811781e694 Mon Sep 17 00:00:00 2001
From: DerLinkman <niklas.meyer@servercow.de>
Date: Thu, 9 Oct 2025 16:37:05 +0200
Subject: [PATCH 376/378] netfilter: improve logging and mark iptables-legacy
 as deprecated

---
 .../netfilter/docker-entrypoint.sh            |  2 +-
 data/Dockerfiles/netfilter/main.py            |  5 ++++
 data/Dockerfiles/netfilter/modules/Logger.py  | 26 ++++++++++++++-----
 docker-compose.yml                            |  2 +-
 4 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/data/Dockerfiles/netfilter/docker-entrypoint.sh b/data/Dockerfiles/netfilter/docker-entrypoint.sh
index 47370a1fe..98cab0a72 100755
--- a/data/Dockerfiles/netfilter/docker-entrypoint.sh
+++ b/data/Dockerfiles/netfilter/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-backend=iptables
+backend=nftables
 
 nft list table ip filter &>/dev/null
 nftables_found=$?
diff --git a/data/Dockerfiles/netfilter/main.py b/data/Dockerfiles/netfilter/main.py
index 2232d0d1d..5b718a94b 100644
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -449,6 +449,11 @@ if __name__ == '__main__':
     tables = NFTables(chain_name, logger)
   else:
     logger.logInfo('Using IPTables backend')
+    logger.logWarn(
+        "DEPRECATION: iptables-legacy is deprecated and will be removed in future releases. "
+        "Please switch to nftables on your host to ensure complete compatibility."
+    )
+    time.sleep(5)
     tables = IPTables(chain_name, logger)
 
   clear()
diff --git a/data/Dockerfiles/netfilter/modules/Logger.py b/data/Dockerfiles/netfilter/modules/Logger.py
index 0ba2f42ad..b5114539b 100644
--- a/data/Dockerfiles/netfilter/modules/Logger.py
+++ b/data/Dockerfiles/netfilter/modules/Logger.py
@@ -1,5 +1,6 @@
 import time
 import json
+import datetime
 
 class Logger:
   def __init__(self):
@@ -8,17 +9,28 @@ class Logger:
   def set_redis(self, redis):
     self.r = redis
 
+  def _format_timestamp(self):
+    # Local time with milliseconds
+    return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
   def log(self, priority, message):
-    tolog = {}
-    tolog['time'] = int(round(time.time()))
-    tolog['priority'] = priority
-    tolog['message'] = message
-    print(message)
+    # build redis-friendly dict
+    tolog = {
+      'time': int(round(time.time())),  # keep raw timestamp for Redis
+      'priority': priority,
+      'message': message
+    }
+
+    # print human-readable message with timestamp
+    ts = self._format_timestamp()
+    print(f"{ts} {priority.upper()}: {message}", flush=True)
+
+    # also push JSON to Redis if connected
     if self.r is not None:
       try:
         self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
       except Exception as ex:
-        print('Failed logging to redis: %s'  % (ex))
+        print(f'{ts} WARN: Failed logging to redis: {ex}', flush=True)
 
   def logWarn(self, message):
     self.log('warn', message)
@@ -27,4 +39,4 @@ class Logger:
     self.log('crit', message)
 
   def logInfo(self, message):
-    self.log('info', message)
+    self.log('info', message)
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 86a4f401a..adff3931e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -502,7 +502,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: ghcr.io/mailcow/netfilter:1.62
+      image: ghcr.io/mailcow/netfilter:1.63
       stop_grace_period: 30s
       restart: always
       privileged: true

From 7de70322d606ed8acf273780c52c4794404d1db3 Mon Sep 17 00:00:00 2001
From: Olavo Rocha Neto <olavo@exodus.eti.br>
Date: Thu, 9 Oct 2025 14:36:36 -0300
Subject: [PATCH 377/378] Update pt-br lang (#6803)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [Web] Updated lang.si-si.json

Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>

* Update pt-br lang

* Complimentary adjustments

* Revert "[Web] Updated lang.si-si.json"

This reverts commit b23848e0f20d6fdb86d75bc97171303e3d64e7bc.

---------

Co-authored-by: milkmaker <milkmaker@mailcow.de>
Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>
---
 data/web/lang/lang.pt-br.json | 120 +++++++++++++++++++++++++++++-----
 1 file changed, 105 insertions(+), 15 deletions(-)

diff --git a/data/web/lang/lang.pt-br.json b/data/web/lang/lang.pt-br.json
index f9c08ef02..b01d97656 100644
--- a/data/web/lang/lang.pt-br.json
+++ b/data/web/lang/lang.pt-br.json
@@ -1,7 +1,7 @@
 {
     "acl": {
-        "alias_domains": "Adicionar domínios alias",
-        "app_passwds": "Gerenciar senhas de aplicativos",
+        "alias_domains": "Adicionar alias de domínios",
+        "app_passwds": "Gerenciar senhas de app",
         "bcc_maps": "Mapas BCC",
         "delimiter_action": "Ação delimitadora",
         "domain_desc": "Alterar descrição do domínio",
@@ -9,7 +9,7 @@
         "eas_reset": "Redefinir dispositivos EAS",
         "extend_sender_acl": "Permitir estender a ACL do remetente por endereços externos",
         "filters": "Filtros",
-        "login_as": "Faça login como usuário da mailbox",
+        "login_as": "Fazer login como usuário da mailbox",
         "mailbox_relayhost": "Alterar relayhost para uma mailbox",
         "prohibited": "Proibido pela ACL",
         "protocol_access": "Alterar o acesso ao protocolo",
@@ -109,7 +109,9 @@
         "username": "Nome de usuário",
         "validate": "Validar",
         "validation_success": "Validado com sucesso",
-        "dry": "Simular sincronização"
+        "dry": "Simular sincronização",
+        "internal": "Interno",
+        "internal_info": "Aliases internos são acessíveis apenas a partir do próprio domínio ou alias de domínio."
     },
     "admin": {
         "access": "Acesso",
@@ -364,7 +366,52 @@
         "iam_client_secret": "Senha de cliente",
         "iam_auth_flow": "Fluxo de autenticação",
         "iam_client_scopes": "Escopo do cliente",
-        "iam_default_template": "Template Padrão"
+        "iam_default_template": "Template Padrão",
+        "admin_quicklink": "Ocultar link rápido para página de login do administrador",
+        "app_hide": "Ocultar para login",
+        "login_page": "Página de login",
+        "domainadmin_quicklink": "Ocultar link rápido para página de login do administrador de domínio",
+        "filter": "Filtro",
+        "force_sso_text": "Se um provedor OIDC externo for configurado, esta opção oculta os formulários de login padrão do mailcow e mostra apenas o botão de single sign-on",
+        "force_sso": "Desabilitar login do mailcow e mostrar apenas single sign-on",
+        "iam": "Provedor de identidade",
+        "iam_attribute_field": "Campo de atributo",
+        "iam_authorize_url": "Endpoint de autorização",
+        "iam_auth_flow_info": "Além do fluxo de código de autorização (fluxo padrão no Keycloak), que é usado para login de single sign-on, o mailcow também suporta fluxo de autenticação com credenciais diretas. O fluxo Mailpassword tenta validar as credenciais do usuário usando a API REST do administrador do Keycloak. O mailcow recupera a senha hash do atributo <code>mailcow_password</code>, que é mapeado no Keycloak.",
+        "iam_basedn": "DN base",
+        "iam_default_template_description": "Se nenhum template for atribuído a um usuário, o template padrão será usado para criar a caixa de correio, mas não para atualizar a caixa de correio.",
+        "iam_description": "Configure um provedor externo para autenticação<br>As caixas de correio dos usuários serão criadas automaticamente no primeiro login, desde que um mapeamento de atributos tenha sido definido.",
+        "iam_extra_permission": "Para que as configurações a seguir funcionem, o cliente mailcow no Keycloak precisa de uma <code>conta de serviço</code> e a permissão para <code>visualizar usuários</code>.",
+        "iam_host": "Host",
+        "iam_host_info": "Digite um ou mais hosts LDAP, separados por vírgulas.",
+        "iam_import_users": "Importar usuários",
+        "iam_login_provisioning": "Criar usuários automaticamente no login",
+        "iam_mapping": "Mapeamento de atributos",
+        "iam_bindpass": "Senha de vinculação",
+        "iam_periodic_full_sync": "Sincronização completa periódica",
+        "iam_port": "Porta",
+        "iam_realm": "Realm",
+        "iam_redirect_url": "URL de redirecionamento",
+        "iam_rest_flow": "Fluxo Mailpassword",
+        "iam_server_url": "URL do servidor",
+        "iam_sso": "Single sign-on",
+        "iam_sync_interval": "Intervalo de sincronização/importação (min)",
+        "iam_test_connection": "Testar conexão",
+        "iam_token_url": "Endpoint de token",
+        "iam_userinfo_url": "Endpoint de informações do usuário",
+        "iam_username_field": "Campo de nome de usuário",
+        "iam_binddn": "DN de vinculação",
+        "iam_use_ssl": "Usar SSL",
+        "iam_use_ssl_info": "Se habilitar SSL e a porta estiver definida como 389, ela será automaticamente substituída para usar 636.",
+        "iam_use_tls": "Usar StartTLS",
+        "iam_use_tls_info": "Se habilitar TLS, você deve usar a porta padrão para seu servidor LDAP (389). Portas SSL não podem ser usadas.",
+        "iam_version": "Versão",
+        "ignore_ssl_error": "Ignorar erros SSL",
+        "needs_restart": "precisa reiniciar",
+        "quicklink_text": "Mostrar ou ocultar links rápidos para outras páginas de login abaixo do formulário de login",
+        "task": "Tarefa",
+        "user_link": "Link do usuário",
+        "user_quicklink": "Ocultar link rápido para página de login do usuário"
     },
     "danger": {
         "access_denied": "Acesso negado ou dados de formulário inválidos",
@@ -501,7 +548,15 @@
         "username_invalid": "O nome de usuário %s não pode ser usado",
         "validity_missing": "Por favor, atribua um período de validade",
         "value_missing": "Forneça todos os valores",
-        "yotp_verification_failed": "Falha na verificação do Yubico OTP: %s"
+        "yotp_verification_failed": "Falha na verificação do Yubico OTP: %s",
+        "authsource_in_use": "O provedor de identidade não pode ser alterado ou excluído pois está sendo usado por um ou mais usuários.",
+        "generic_server_error": "Ocorreu um erro inesperado no servidor. Entre em contato com seu administrador.",
+        "iam_test_connection": "Falha na conexão",
+        "max_age_invalid": "Idade máxima %s é inválida",
+        "mode_invalid": "Modo %s é inválido",
+        "mx_invalid": "Registro MX %s é inválido",
+        "required_data_missing": "Dados obrigatórios %s estão ausentes",
+        "version_invalid": "Versão %s é inválida"
     },
     "datatables": {
         "collapse_all": "Recolher tudo",
@@ -708,7 +763,25 @@
         "title": "Editar objeto",
         "unchanged_if_empty": "Se inalterado, deixe em branco",
         "username": "Nome de usuário",
-        "validate_save": "Valide e salve"
+        "validate_save": "Validar e salvar",
+        "internal": "Interno",
+        "internal_info": "Aliases internos são acessíveis apenas a partir do próprio domínio ou domínios alias.",
+        "mailbox_rename": "Renomear caixa de correio",
+        "mailbox_rename_agree": "Eu criei um backup.",
+        "mailbox_rename_warning": "IMPORTANTE! Crie um backup antes de renomear a caixa de correio.",
+        "mailbox_rename_alias": "Criar alias automaticamente",
+        "mailbox_rename_title": "Novo nome da caixa de correio local",
+        "mta_sts": "MTA-STS",
+        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> é um padrão que força a entrega de email entre servidores de email para usar TLS com certificados válidos. <br>É usado quando <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> não é possível devido ao DNSSEC ausente ou não suportado.<br><b>Nota</b>: Se o domínio de recepção suporta DANE com DNSSEC, DANE é <b>sempre</b> preferido – MTA-STS atua apenas como fallback.",
+        "mta_sts_version": "Versão",
+        "mta_sts_version_info": "Define a versão do padrão MTA-STS – atualmente apenas <code>STSv1</code> é válido.",
+        "mta_sts_mode": "Modo",
+        "mta_sts_mode_info": "Há três modos para escolher:<ul><li><em>testing</em> – política é apenas monitorada, violações não têm impacto.</li><li><em>enforce</em> – política é rigorosamente aplicada, conexões sem TLS válido são rejeitadas.</li><li><em>none</em> – política é publicada mas não aplicada.</li></ul>",
+        "mta_sts_max_age": "Idade máxima",
+        "mta_sts_max_age_info": "Tempo em segundos que servidores de email de recepção podem armazenar esta política em cache até buscar novamente.",
+        "mta_sts_mx": "Servidor MX",
+        "mta_sts_mx_info": "Permite envio apenas para nomes de host de servidor de email explicitamente listados; o MTA de envio verifica se o nome do host DNS MX corresponde à lista de políticas e permite entrega apenas com certificado TLS válido (protege contra MITM).",
+        "mta_sts_mx_notice": "Múltiplos servidores MX podem ser especificados (separados por vírgulas)."
     },
     "fido2": {
         "confirm": "Confirme",
@@ -771,7 +844,15 @@
         "password": "Senha",
         "reset_password": "Recuperar a senha",
         "request_reset_password": "Solicitar troca de senha",
-        "username": "Nome de usuário"
+        "username": "Nome de usuário",
+        "login_linkstext": "Login incorreto?",
+        "login_usertext": "Entrar como usuário",
+        "login_domainadmintext": "Entrar como administrador de domínio",
+        "login_admintext": "Entrar como administrador",
+        "login_user": "Login de usuário",
+        "login_dadmin": "Login como administrador de domínio",
+        "login_admin": "Login como administrador",
+        "email": "Endereço de email"
     },
     "mailbox": {
         "action": "Ação",
@@ -946,7 +1027,9 @@
         "username": "Nome de usuário",
         "waiting": "Esperando",
         "weekly": "Semanalmente",
-        "yes": "✓"
+        "yes": "✓",
+        "iam": "Provedor de Identidade",
+        "internal": "Interno"
     },
     "oauth2": {
         "access_denied": "Faça login como proprietário da mailbox para conceder acesso via OAuth2.",
@@ -961,8 +1044,8 @@
         "action": "Ação",
         "atts": "Anexos",
         "check_hash": "Arquivo de pesquisa hash @ VT",
-        "confirm": "Confirme",
-        "confirm_delete": "Confirme a exclusão desse elemento.",
+        "confirm": "Confirmar",
+        "confirm_delete": "Confirmar exclusão desse elemento.",
         "danger": "Perigo",
         "deliver_inbox": "Entregar na caixa de entrada",
         "disabled_by_config": "A configuração atual do sistema desativa a funcionalidade de quarentena. Defina “retenções por mailbox” e um “tamanho máximo” para os elementos de quarentena.",
@@ -1123,12 +1206,15 @@
         "verified_fido2_login": "Login FIDO2 verificado",
         "verified_totp_login": "Login TOTP verificado",
         "verified_webauthn_login": "Login verificado do WebAuthn",
-        "verified_yotp_login": "Login OTP verificado do Yubico"
+        "verified_yotp_login": "Login OTP verificado do Yubico",
+        "custom_login_modified": "Personalização de login foi salva com sucesso",
+        "iam_test_connection": "Conexão bem-sucedida",
+        "mailbox_renamed": "Caixa de correio foi renomeada de %s para %s"
     },
     "tfa": {
         "authenticators": "Autenticadores",
         "api_register": "%s usa a API Yubico Cloud. Obtenha uma chave de API para sua chave <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">aqui</a>",
-        "confirm": "Confirme",
+        "confirm": "Confirmar",
         "confirm_totp_token": "Confirme suas alterações inserindo o token gerado",
         "delete_tfa": "Desativar o TFA",
         "disable_tfa": "Desative o TFA até o próximo login bem-sucedido",
@@ -1141,7 +1227,7 @@
         "reload_retry": "- (recarregue o navegador se o erro persistir)",
         "scan_qr_code": "Escaneie o código a seguir com seu aplicativo autenticador ou insira o código manualmente.",
         "select": "Por favor, selecione",
-        "set_tfa": "Defina o método de autenticação de dois fatores",
+        "set_tfa": "Método de autenticação de dois fatores",
         "start_webauthn_validation": "Iniciar validação",
         "tfa": "Autenticação de dois fatores",
         "tfa_token_invalid": "Token TFA inválido",
@@ -1318,7 +1404,11 @@
         "weeks": "semanas",
         "with_app_password": "com senha do aplicativo",
         "year": "ano",
-        "years": "anos"
+        "years": "anos",
+        "authentication": "Autenticação",
+        "overview": "Visão geral",
+        "protocols": "Protocolos",
+        "tfa_info": "A autenticação de dois fatores ajuda a proteger sua conta. Se você habilitá-la, precisará de senhas de aplicativo para fazer login em aplicativos ou serviços que não suportam autenticação de dois fatores (por exemplo, clientes de email)."
     },
     "warning": {
         "cannot_delete_self": "Não é possível excluir o usuário conectado",

From 79cf0abc6e264d6ce461646932a6f2d481f71cec Mon Sep 17 00:00:00 2001
From: milkmaker <milkmaker@mailcow.de>
Date: Thu, 9 Oct 2025 19:54:12 +0200
Subject: [PATCH 378/378] [Web] Updated lang.zh-cn.json (#6826)

Co-authored-by: Easton Man <me@eastonman.com>
---
 data/web/lang/lang.zh-cn.json | 43 ++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/data/web/lang/lang.zh-cn.json b/data/web/lang/lang.zh-cn.json
index c2f9cdc35..94473a405 100644
--- a/data/web/lang/lang.zh-cn.json
+++ b/data/web/lang/lang.zh-cn.json
@@ -24,7 +24,7 @@
         "sogo_access": "允许管理 SOGo 访问权限",
         "sogo_profile_reset": "重置 SOGo 个人资料",
         "spam_alias": "临时别名",
-        "spam_policy": "黑名单/白名单",
+        "spam_policy": "阻止名单/允许名单",
         "spam_score": "垃圾邮件分数",
         "syncjobs": "同步任务",
         "tls_policy": "TLS 策略",
@@ -149,7 +149,7 @@
         "arrival_time": "到达时间 (服务器时间)",
         "authed_user": "已认证用户",
         "ays": "确定继续操作?",
-        "ban_list_info": "以下为被封禁的 IP 列表: <b>网络 (剩余封禁时间) - [操作]</b>。<br />被取消封禁的 IP 将会在几秒之内从封禁列表中移除<br />红色标签表示因黑名单而导致的永久封禁。",
+        "ban_list_info": "以下为被封禁的 IP 列表: <b>网络 (剩余封禁时间) - [操作]</b>。<br />被取消封禁的 IP 将会在几秒之内从封禁列表中移除<br />红色标签表示因阻止名单而导致的永久封禁。",
         "change_logo": "更改 Logo",
         "configuration": "配置",
         "convert_html_to_text": "将 HTML 转换为纯文本内容",
@@ -181,16 +181,16 @@
         "empty": "结果为空",
         "excludes": "除了",
         "f2b_ban_time": "封禁时间 (秒)",
-        "f2b_blacklist": "网络/主机黑名单",
+        "f2b_blacklist": "网络/主机阻止名单",
         "f2b_filter": "正则表达式过滤器",
-        "f2b_list_info": "黑名单的优先级总是高于白名单。 <b>列表更新将会在几秒之后完成。</b>",
+        "f2b_list_info": "阻止名单的优先级总是高于允许名单。 <b>列表更新将会在几秒之后完成。</b>",
         "f2b_max_attempts": "最多尝试次数",
         "f2b_netban_ipv4": "应用封禁的 IPv4 子网大小 (8-32)",
         "f2b_netban_ipv6": "应用封禁的 IPv6 子网大小 (8-128)",
         "f2b_parameters": "Fail2ban 参数",
         "f2b_regex_info": "将会过滤这些应用的日志: SOGo，Postfix，Dovecot 和 PHP-FPM。",
         "f2b_retry_window": "最多尝试次数重试窗口 (秒)",
-        "f2b_whitelist": "网络/主机白名单",
+        "f2b_whitelist": "网络/主机允许名单",
         "filter_table": "筛选表格",
         "forwarding_hosts": "转发主机",
         "forwarding_hosts_add_hint": "你可以指定 IPv4/IPv6 地址、CIDR 表示的网络、主机名 (解析为 IP 地址)，或者邮箱域名 (查询 SPF 记录或 MX 记录并解析为 IP 地址)。",
@@ -298,8 +298,8 @@
         "rspamd_com_settings": "设置名称将会自动生成，请看参考下方的示例预设。查看<a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd 文档</a>以了解更多的细节",
         "rspamd_global_filters": "全局过滤规则",
         "rspamd_global_filters_agree": "我会小心谨慎的!",
-        "rspamd_global_filters_info": "全局过滤规则包含了不同类型的全局黑名单和白名单。",
-        "rspamd_global_filters_regex": "它们的名字解释了它们的用途。所有内容必须包含 \"/pattern/options\" 格式的合法表达式 (例如 <code>/.+@domain\\.tld/i</code>)。<br>\r\n 因为仅对正则表达式执行了基本的检查，Rspamd 的功能仍可能因正则表达式语法问题出现错误。<br>\r\n  Rspamd 会在规则更改后读取其内容。 如果你遇到了问题，<a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">重启 Rspamd</a> 以强制重载规则。<br>黑名单中的项目会被系统排除。",
+        "rspamd_global_filters_info": "全局过滤规则包含了不同类型的全局阻止名单和允许名单。",
+        "rspamd_global_filters_regex": "它们的名字解释了它们的用途。所有内容必须包含 \"/pattern/options\" 格式的合法表达式 (例如 <code>/.+@domain\\.tld/i</code>)。<br>\n 因为仅对正则表达式执行了基本的检查，Rspamd 的功能仍可能因正则表达式语法问题出现错误。<br>\n  Rspamd 会在规则更改后读取其内容。 如果你遇到了问题，<a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">重启 Rspamd</a> 以强制重载规则。<br>阻止名单中的项目会被系统排除。",
         "rspamd_settings_map": "Rspamd 设置",
         "sal_level": "Moo 等级",
         "save": "保存更改",
@@ -409,7 +409,8 @@
         "force_sso": "强制要求单点登录（SSO）",
         "user_link": "自定义链接",
         "app_hide": "在登入界面隐藏",
-        "needs_restart": "需要重启"
+        "needs_restart": "需要重启",
+        "iam_use_tls_info": "如果使用了 TLS，必须使用 LDAP 服务器的默认端口（389）。SSL 的端口不能使用。"
     },
     "danger": {
         "access_denied": "访问被拒绝或者表单数据无效",
@@ -744,7 +745,16 @@
         "internal": "内部的",
         "internal_info": "内部的别名只能在域内部或者别名域内部访问。",
         "mta_sts": "邮件传输代理严格传输安全协议（MTA-STS）",
-        "mta_sts_version": "版本"
+        "mta_sts_version": "版本",
+        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> 是一项 MTA 标准，它强制要求 MTA 间传输必须使用 TLS 和有效的证书。<br>当因没有 DNSSEC 而无法使用 <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> 时，该标准将被启用。<br><b>注意</b>：若收件域支持基于 DNSSEC 的 DANE 协议，则系统将<b>始终</b>优先采用 DANE —— MTA-STS 仅作为备用机制存在。",
+        "mta_sts_version_info": "定义 MTA-STS 标准的版本——当前仅 <code>STSv1</code> 为有效版本。",
+        "mta_sts_mode": "模式",
+        "mta_sts_mode_info": "提供三种可选模式：<ul><li><em>测试模式</em>——仅监控策略执行情况，违反策略不会产生实际影响。</li><li><em>强制模式</em>——严格执行策略，拒绝所有未使用有效 TLS 加密的连接。</li><li><em>禁用模式</em>——发布策略但不生效。</li></ul>",
+        "mta_sts_max_age": "最长有效期",
+        "mta_sts_max_age_info": "接收方邮件服务器可缓存该策略的时长（秒），超出后需重新获取策略。",
+        "mta_sts_mx": "MX 服务器",
+        "mta_sts_mx_info": "仅允许向明确列出的邮件服务器发送邮件；发送方 MTA 会验证 DNS MX 记录的主机名是否与策略列表匹配，并仅允许携带有效 TLS 证书的投递（可防范中间人攻击）。",
+        "mta_sts_mx_notice": "可配置多个 MX 服务器（以逗号分隔）。"
     },
     "fido2": {
         "confirm": "确认",
@@ -814,7 +824,8 @@
         "login_linkstext": "不是正确的登陆页面？",
         "login_usertext": "以用户身份登陆",
         "login_domainadmintext": "以域管理员身份登陆",
-        "login_admintext": "以管理员身份登陆"
+        "login_admintext": "以管理员身份登陆",
+        "email": "邮箱地址"
     },
     "mailbox": {
         "action": "操作",
@@ -920,7 +931,7 @@
         "recipient_map_new": "新收件人",
         "recipient_map_new_info": "收件人映射的目标必须为合法的邮件地址或域名。",
         "recipient_map_old": "原收件人",
-        "recipient_map_old_info": "原收件人必须为合法的邮箱地址。",
+        "recipient_map_old_info": "原收件人必须为合法的邮箱地址或域名。",
         "recipient_maps": "收件人映射",
         "relay_all": "中继所有收件人",
         "remove": "删除",
@@ -1023,7 +1034,7 @@
         "notified": "已发送通知",
         "qhandler_success": "已成功向系统发送请求，现在你可以关闭这个窗口了。",
         "qid": "Rspamd 队列ID（QID）",
-        "qinfo": "隔离系统会把已被拒绝接收的邮件以及作为拷贝发送到垃圾箱的邮件保存到数据库中 (发件人<em>不</em>会知道)。\r\n  <br>\"学习为垃圾并删除\" 会根据贝叶斯定理将消息作为垃圾学习并计算其模糊特征以拒绝未来收到相似消息。\r\n  <br>请注意，这取决于你的系统资源，学习多个消息可能会花费较长时间。<br>黑名单中项目会被隔离系统排除。",
+        "qinfo": "隔离系统会把已被拒绝接收的邮件以及作为拷贝发送到垃圾箱的邮件保存到数据库中 (发件人<em>不</em>会知道)。\n  <br>\"学习为垃圾并删除\" 会根据贝叶斯定理将消息作为垃圾学习并计算其模糊特征以拒绝未来收到相似消息。\n  <br>请注意，这取决于你的系统资源，学习多个消息可能会花费较长时间。<br>阻止名单中项目会被隔离系统排除。",
         "qitem": "隔离项目",
         "quarantine": "隔离",
         "quick_actions": "操作",
@@ -1314,8 +1325,8 @@
         "spam_score_reset": "重置为服务器默认值",
         "spamfilter": "垃圾邮件过滤器",
         "spamfilter_behavior": "分数",
-        "spamfilter_bl": "黑名单",
-        "spamfilter_bl_desc": "黑名单中地址<b>总是会</b>被标记为垃圾邮件。被拒绝的邮件<b>不会</b>进入隔离区。此处可以使用通配符 \"*\"。此过滤器也会应用到直接别名 (只指向一个目标邮箱)，但不会应用到\"接收所有\"别名和邮箱地址本身。",
+        "spamfilter_bl": "阻止名单",
+        "spamfilter_bl_desc": "阻止名单中地址<b>总是会</b>被标记为垃圾邮件。被拒绝的邮件<b>不会</b>进入隔离区。此处可以使用通配符 \"*\"。此过滤器也会应用到直接别名 (只指向一个目标邮箱)，但不会应用到\"接收所有\"别名和邮箱地址本身。",
         "spamfilter_default_score": "默认值",
         "spamfilter_green": "绿色: 此消息不是垃圾邮件",
         "spamfilter_hint": "第一个值表示\"低垃圾邮件分数\"，第二个值表示\"高垃圾邮件分数\"。",
@@ -1326,8 +1337,8 @@
         "spamfilter_table_empty": "数据为空",
         "spamfilter_table_remove": "删除",
         "spamfilter_table_rule": "规则",
-        "spamfilter_wl": "白名单",
-        "spamfilter_wl_desc": "白名单中地址<b>永远不会</b>被标记为垃圾邮件。此处可以使用通配符 \"*\"。此过滤器也会应用到直接别名 (只指向一个目标邮箱)，但不会应用到\"接收所有\"别名和邮箱地址本身。",
+        "spamfilter_wl": "允许名单",
+        "spamfilter_wl_desc": "允许名单中地址<b>永远不会</b>被标记为垃圾邮件。此处可以使用通配符 \"*\"。此过滤器也会应用到直接别名 (只指向一个目标邮箱)，但不会应用到\"接收所有\"别名和邮箱地址本身。",
         "spamfilter_yellow": "黄色: 此为垃圾邮件，会被标记为垃圾邮件并且移入垃圾邮件文件夹",
         "status": "状态",
         "sync_jobs": "同步任务",