@j-chmielewski (Contributor)

This pull request fixes a vulnerability from penetration tests done by our security team on 2025-09-02:

Custom Debug implementation for Settings struct to avoid exposing license key in logs

Related issue: #1560
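As an added illustration of the fix this pull request describes (example code written here, not the project's own Settings type; the struct, its field names and the `render_for_log`/`leaks_license` helpers are assumptions), a manual Debug impl that redacts the license key so a `{:?}` log line cannot leak it:

```rust
use std::fmt;

/// Hypothetical settings struct (not the project's own); field names are assumptions.
pub struct Settings {
    pub instance_name: String,
    pub smtp_server: Option<String>,
    /// Secret: must never reach Debug output or logs.
    pub license: Option<String>,
}

// A manual Debug impl replaces #[derive(Debug)]: the derived one would print
// every field verbatim, including the license key, into any `{:?}` log line.
impl fmt::Debug for Settings {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Settings")
            .field("instance_name", &self.instance_name)
            .field("smtp_server", &self.smtp_server)
            // Reveal only whether a key is configured, never its value.
            .field("license", &self.license.as_ref().map(|_| "<redacted>"))
            .finish()
    }
}

/// Renders the settings exactly as a `debug!("{settings:?}")` line would.
pub fn render_for_log(settings: &Settings) -> String {
    format!("{settings:?}")
}

/// Check usable in a test: does the rendered line still contain the raw key?
pub fn leaks_license(settings: &Settings) -> bool {
    match &settings.license {
        Some(key) => render_for_log(settings).contains(key.as_str()),
        None => false,
    }
}

fn main() {
    // Constructed sample value, not a real license key.
    let settings = Settings {
        instance_name: "example".into(),
        smtp_server: None,
        license: Some("CONSTRUCTED-SAMPLE-LICENSE-KEY".into()),
    };
    println!("{settings:?}");
    assert!(!leaks_license(&settings));
}
```

The `leaks_license` check is the kind of regression test worth keeping next to the struct, so that a later `#[derive(Debug)]` or a new secret field fails CI instead of reaching the logs.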

j-chmielewski changed the title from "Fixes pentest issue DG25-29 from 2025-09-02" to "Fixes pentest issue DG25-32 from 2025-09-02" on Sep 22, 2025
j-chmielewski merged commit 5c54594 into dev on Sep 22, 2025 (3 checks passed)
j-chmielewski deleted the fix-dg25-32 branch on September 22, 2025 07:34
j-chmielewski added a commit that referenced this pull request on Sep 24, 2025:
* fix password reset grpc sending unparsed user agent (#1546)

Co-authored-by: Filip Ślęzak <[email protected]>

* Fixes pentest issue DG25-10 from 2025-09-02 (#1579)

* validate phone number during enrollment
* also check phone numbers in core API endpoints

* Do not display sensitive data from protos (#1580)

* Don't send empty strings when phone number is not provided (#1583)

* don't send empty strings when phone number is not provided
* use zod trim() instead of trimObjectStrings helper

* Fixes pentest issue DG25-17 from 2025-09-02 (#1581)

* fix open redirect pentest issue
* add tests and handling of get requests, allow redirects if url is allowed for the client
* compare the whole url, not just domain
* cargo clippy fixes
* wip fix openid flow tests
* fix panic in the contains_redirect_url method
* cleanup eprintln statements
* bring back the other openid flow test
* state-based fallback url in openid test

* ensure openid client names don't contain HTML (#1587)

* ensure login responses don't allow login enumeration (#1588)

* Fixes pentest issue DG25-24 from 2025-09-02 (#1585)

* put mail handler into a separate crate (#1590)

* put random & secret modules into a common crate

* move DB setup code to common crate

* move version to common crate

* move id types to common crate

* move AuthCode model into common crate

* move auth key model

* move biometric auth model

* move device login model

* remove unnecessary feature flags

* move global value macro

* move model error

* move server config

* move hex module

* move protos to a separate crate

* put mailer into a separate crate

* update query data

* remove commented out code

* add new crates

* update flake inputs

* move AsCsv trait

* fix failing test

* move claims struct

* Cleanup and revive OpenID login test (#1591)

* use default subject as fallback (#1593)

* Fixes pentest issue DG25-25 and DG25-20 from 2025-09-02 (#1574)

* Fixes pentest issue DG25-32 from 2025-09-02 (#1597)

* custom Debug implementation for Settings struct to avoid exposing license key in logs
* cargo update

* fix document links (#1599)

* fix links in readme

* fix frontend links

* bump version to 1.5.1

* sanitize branch name for docker cache

* don't log settings during partial update

* cargo fmt

---------

Co-authored-by: Aleksander <[email protected]>
Co-authored-by: Maciej Wójcik <[email protected]>
Co-authored-by: Maciek <[email protected]>
Co-authored-by: Filip Ślęzak <[email protected]>
Co-authored-by: Adam <[email protected]>