Merge branch 'main' into release/1.37

* main:
  chore(analytics): clean up query and the frontend respecting the changes
  chore(deps): bump stackhawk/hawkscan-action from 2.1.2 to 2.1.3 (#2762)
  chore(deps): bump golang in /build (#2759)
  chore(deps-dev): bump @types/uuid from 9.0.7 to 9.0.8 in /ui (#2766)
  chore(deps-dev): bump @playwright/test from 1.41.1 to 1.41.2 in /ui (#2765)
  chore(deps): bump @heroicons/react from 2.0.18 to 2.1.1 in /ui (#2763)
  chore(deps-dev): bump @types/react from 18.2.48 to 18.2.55 in /ui (#2761)
  chore(deps-dev): bump prettier from 3.2.4 to 3.2.5 in /ui (#2760)
  fix(ui): increase z index for Slideover and Modal (#2758)
  chore(ui): set seconds to 0 for input values on request
  fix: csp headers for formbricks (#2757)
  chore: address comments on format
  chore: fix spelling
  feat(analytics): add live updates with play/pause button
  chore: changelog for 1.37 release (#2754)

.github/workflows/nightly.yml

@@ -170,6 +170,6 @@ jobs:
           cmd: yq -i '.app.env = "Nightly"' stackhawk.yml
 
       - name: Run HawkScan
-        uses: stackhawk/hawkscan-action@v2.1.2
+        uses: stackhawk/hawkscan-action@v2.1.3
         with:
           apiKey: ${{ secrets.HAWK_API_KEY }}

build/Dockerfile.uffizzi

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine3.18
+FROM golang:1.22-alpine3.18
 
 WORKDIR /flipt
 

internal/cmd/http.go

@@ -99,10 +99,10 @@ func NewHTTPServer(
 		logger.Debug("CORS enabled", zap.Strings("allowed_origins", cfg.Cors.AllowedOrigins))
 	}
 
-	// TODO: replace with more robust 'mode' detection
-	if !info.IsDevelopment() {
-		r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))
-		r.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * data:; frame-ancestors 'none';"))
+	// set additional headers enabling the UI to be served securely
+	// ie: Content-Security-Policy, X-Content-Type-Options, etc.
+	for k, v := range ui.AdditionalHeaders() {
+		r.Use(middleware.SetHeader(k, v))
 	}
 
 	r.Use(middleware.RequestID)

internal/server/analytics/clickhouse/client.go

@@ -109,18 +109,19 @@ func (c *Client) GetFlagEvaluationsCount(ctx context.Context, req *analytics.Get
 	rows, err := c.Conn.QueryContext(ctx, fmt.Sprintf(`
 		SELECT
 			sum(value) AS value,
-			toStartOfInterval(timestamp, INTERVAL %d %s) AS timestamp
-		FROM %s WHERE namespace_key = ? AND flag_key = ? AND timestamp >= toDateTime('%s', 'UTC') AND timestamp < toDateTime('%s', 'UTC')
+			toStartOfInterval(timestamp, INTERVAL %[4]d %[5]s) AS timestamp
+		FROM %[1]s
+		WHERE
+			namespace_key = ? AND flag_key = ? AND
+			timestamp >= toStartOfInterval(toDateTime('%[2]s', 'UTC'),  INTERVAL %[4]d %[5]s) AND
+			timestamp < timestamp_add(toStartOfInterval(toDateTime('%[3]s', 'UTC'), INTERVAL %[4]d %[5]s), INTERVAL %[4]d %[5]s)
 		GROUP BY timestamp
-		ORDER BY timestamp ASC WITH FILL FROM toDateTime('%s', 'UTC') TO toDateTime('%s', 'UTC') STEP INTERVAL %d %s
-		`,
-		step.intervalValue,
-		step.intervalStep,
+		ORDER BY timestamp ASC
+		WITH FILL FROM toStartOfInterval(toDateTime('%[2]s', 'UTC'),  INTERVAL %[4]d %[5]s) TO timestamp_add(toStartOfInterval(toDateTime('%[3]s', 'UTC'), INTERVAL %[4]d %[5]s), INTERVAL %[4]d %[5]s) STEP INTERVAL %[4]d %[5]s
+	`,
 		counterAnalyticsTable,
 		fromTime.UTC().Format(time.DateTime),
 		toTime.UTC().Format(time.DateTime),
-		fromTime.UTC().Format(time.DateTime),
-		time.Now().UTC().Format(time.DateTime),
 		step.intervalValue,
 		step.intervalStep,
 	),

ui/dev.go

@@ -21,3 +21,7 @@ func FS() (fs.FS, error) {
 		},
 	}, nil
 }
+
+func AdditionalHeaders() map[string]string {
+	return map[string]string{}
+}

ui/embed.go

@@ -20,3 +20,10 @@ func FS() (fs.FS, error) {
 
 	return u, nil
 }
+
+func AdditionalHeaders() map[string]string {
+	return map[string]string{
+		"X-Content-Type-Options":  "nosniff",
+		"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * data:; frame-ancestors 'none'; connect-src 'self' https://app.formbricks.com; script-src-elem 'self' https://unpkg.com;",
+	}
+}

ui/package.json

@@ -23,7 +23,7 @@
     "@fortawesome/free-solid-svg-icons": "^6.5.1",
     "@fortawesome/react-fontawesome": "^0.2.0",
     "@headlessui/react": "^1.7.18",
-    "@heroicons/react": "^2.0.18",
+    "@heroicons/react": "^2.1.1",
     "@loadable/component": "^5.16.3",
     "@reduxjs/toolkit": "^2.0.1",
     "@tanstack/react-table": "^8.11.8",
@@ -48,17 +48,17 @@
   },
   "devDependencies": {
     "@babel/preset-typescript": "^7.23.3",
-    "@playwright/test": "^1.41.1",
+    "@playwright/test": "^1.41.2",
     "@tailwindcss/forms": "^0.5.7",
     "@types/jest": "^29.5.12",
     "@types/loadable__component": "^5.13.8",
     "@types/node": "^18.19.10",
-    "@types/react": "^18.2.48",
+    "@types/react": "^18.2.55",
     "@types/react-dom": "^18.2.18",
     "@types/react-helmet": "^6.1.11",
     "@types/react-redux": "^7.1.33",
     "@types/react-router-dom": "^5.3.3",
-    "@types/uuid": "^9.0.7",
+    "@types/uuid": "^9.0.8",
     "@typescript-eslint/eslint-plugin": "^5.62.0",
     "@typescript-eslint/parser": "^5.62.0",
     "@vitejs/plugin-react": "^4.2.1",
@@ -85,7 +85,7 @@
     "package-changed": "^3.0.0",
     "playwright": "^1.41.1",
     "postcss": "^8.4.33",
-    "prettier": "^3.2.4",
+    "prettier": "^3.2.5",
     "prettier-plugin-organize-imports": "^3.2.4",
     "prettier-plugin-tailwindcss": "^0.5.11",
     "tailwindcss": "^3.4.1",