fix(web): user settings styling

docs/docs/administration/postgres-standalone.md

@@ -88,7 +88,7 @@ The easiest option is to have both extensions installed during the migration:
 <details>
 <summary>Migration steps (automatic)</summary>
 1. Ensure you still have pgvecto.rs installed
-2. Install `pgvector` (`>= 0.7, < 0.9`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
+2. Install `pgvector` (`>= 0.7.0, < 1.0.0`). The easiest way to do this is on Debian/Ubuntu by adding the [PostgreSQL Apt repository][pg-apt] and then running `apt install postgresql-NN-pgvector`, where `NN` is your Postgres version (e.g., `16`)
 3. [Install VectorChord][vchord-install]
 4. Add `shared_preload_libraries= 'vchord.so, vectors.so'` to your `postgresql.conf`, making sure to include _both_ `vchord.so` and `vectors.so`. You may include other libraries here as well if needed
 5. Restart the Postgres database

mobile/android/app/src/main/AndroidManifest.xml

@@ -27,8 +27,7 @@
 
   <application android:label="Immich" android:name=".ImmichApp" android:usesCleartextTraffic="true"
     android:icon="@mipmap/ic_launcher" android:requestLegacyExternalStorage="true"
-    android:largeHeap="true" android:enableOnBackInvokedCallback="false" android:allowBackup="false"
-    android:networkSecurityConfig="@xml/network_security_config">
+    android:largeHeap="true" android:enableOnBackInvokedCallback="false" android:allowBackup="false">
 
     <profileable android:shell="true" />
 

mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt

@@ -0,0 +1,153 @@
+package app.alextran.immich
+
+import android.annotation.SuppressLint
+import android.content.Context
+import app.alextran.immich.core.SSLConfig
+import io.flutter.embedding.engine.plugins.FlutterPlugin
+import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.MethodCall
+import io.flutter.plugin.common.MethodChannel
+import java.io.ByteArrayInputStream
+import java.net.InetSocketAddress
+import java.net.Socket
+import java.security.KeyStore
+import java.security.cert.X509Certificate
+import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.KeyManager
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509ExtendedTrustManager
+
+/**
+ * Android plugin for Dart `HttpSSLOptions`
+ */
+class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
+  private var methodChannel: MethodChannel? = null
+
+  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
+    onAttachedToEngine(binding.applicationContext, binding.binaryMessenger)
+  }
+
+  private fun onAttachedToEngine(ctx: Context, messenger: BinaryMessenger) {
+    methodChannel = MethodChannel(messenger, "immich/httpSSLOptions")
+    methodChannel?.setMethodCallHandler(this)
+  }
+
+  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
+    onDetachedFromEngine()
+  }
+
+  private fun onDetachedFromEngine() {
+    methodChannel?.setMethodCallHandler(null)
+    methodChannel = null
+  }
+
+  override fun onMethodCall(call: MethodCall, result: MethodChannel.Result) {
+    try {
+      when (call.method) {
+        "apply" -> {
+          val args = call.arguments<ArrayList<*>>()!!
+          val allowSelfSigned = args[0] as Boolean
+          val serverHost = args[1] as? String
+          val clientCertHash = (args[2] as? ByteArray)
+
+          var tm: Array<TrustManager>? = null
+          if (allowSelfSigned) {
+            tm = arrayOf(AllowSelfSignedTrustManager(serverHost))
+          }
+
+          var km: Array<KeyManager>? = null
+          if (clientCertHash != null) {
+            val cert = ByteArrayInputStream(clientCertHash)
+            val password = (args[3] as String).toCharArray()
+            val keyStore = KeyStore.getInstance("PKCS12")
+            keyStore.load(cert, password)
+            val keyManagerFactory =
+              KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
+            keyManagerFactory.init(keyStore, null)
+            km = keyManagerFactory.keyManagers
+          }
+
+          // Update shared SSL config for OkHttp and other HTTP clients
+          SSLConfig.apply(km, tm, allowSelfSigned, serverHost, clientCertHash?.contentHashCode() ?: 0)
+
+          val sslContext = SSLContext.getInstance("TLS")
+          sslContext.init(km, tm, null)
+          HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)
+
+          HttpsURLConnection.setDefaultHostnameVerifier(AllowSelfSignedHostnameVerifier(args[1] as? String))
+
+          result.success(true)
+        }
+
+        else -> result.notImplemented()
+      }
+    } catch (e: Throwable) {
+      result.error("error", e.message, null)
+    }
+  }
+
+  @SuppressLint("CustomX509TrustManager")
+  class AllowSelfSignedTrustManager(private val serverHost: String?) : X509ExtendedTrustManager() {
+    private val defaultTrustManager: X509ExtendedTrustManager = getDefaultTrustManager()
+
+    override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?) =
+      defaultTrustManager.checkClientTrusted(chain, authType)
+
+    override fun checkClientTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, socket: Socket?
+    ) = defaultTrustManager.checkClientTrusted(chain, authType, socket)
+
+    override fun checkClientTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, engine: SSLEngine?
+    ) = defaultTrustManager.checkClientTrusted(chain, authType, engine)
+
+    override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {
+      if (serverHost == null) return
+      defaultTrustManager.checkServerTrusted(chain, authType)
+    }
+
+    override fun checkServerTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, socket: Socket?
+    ) {
+      if (serverHost == null) return
+      val socketAddress = socket?.remoteSocketAddress
+      if (socketAddress is InetSocketAddress && socketAddress.hostName == serverHost) return
+      defaultTrustManager.checkServerTrusted(chain, authType, socket)
+    }
+
+    override fun checkServerTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, engine: SSLEngine?
+    ) {
+      if (serverHost == null || engine?.peerHost == serverHost) return
+      defaultTrustManager.checkServerTrusted(chain, authType, engine)
+    }
+
+    override fun getAcceptedIssuers(): Array<X509Certificate> = defaultTrustManager.acceptedIssuers
+
+    private fun getDefaultTrustManager(): X509ExtendedTrustManager {
+      val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+      factory.init(null as KeyStore?)
+      return factory.trustManagers.filterIsInstance<X509ExtendedTrustManager>().first()
+    }
+  }
+
+  class AllowSelfSignedHostnameVerifier(private val serverHost: String?) : HostnameVerifier {
+    companion object {
+      private val _defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier()
+    }
+
+    override fun verify(hostname: String?, session: SSLSession?): Boolean {
+      if (serverHost == null || hostname == serverHost) {
+        return true
+      } else {
+        return _defaultHostnameVerifier.verify(hostname, session)
+      }
+    }
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt

@@ -9,9 +9,7 @@ import app.alextran.immich.background.BackgroundWorkerFgHostApi
 import app.alextran.immich.background.BackgroundWorkerLockApi
 import app.alextran.immich.connectivity.ConnectivityApi
 import app.alextran.immich.connectivity.ConnectivityApiImpl
-import app.alextran.immich.core.HttpClientManager
 import app.alextran.immich.core.ImmichPlugin
-import app.alextran.immich.core.NetworkApiPlugin
 import app.alextran.immich.images.LocalImageApi
 import app.alextran.immich.images.LocalImagesImpl
 import app.alextran.immich.images.RemoteImageApi
@@ -30,9 +28,6 @@ class MainActivity : FlutterFragmentActivity() {
 
   companion object {
     fun registerPlugins(ctx: Context, flutterEngine: FlutterEngine) {
-      HttpClientManager.initialize(ctx)
-      flutterEngine.plugins.add(NetworkApiPlugin())
-
       val messenger = flutterEngine.dartExecutor.binaryMessenger
       val backgroundEngineLockImpl = BackgroundEngineLock(ctx)
       BackgroundWorkerLockApi.setUp(messenger, backgroundEngineLockImpl)
@@ -50,6 +45,7 @@ class MainActivity : FlutterFragmentActivity() {
       ConnectivityApi.setUp(messenger, ConnectivityApiImpl(ctx))
 
       flutterEngine.plugins.add(BackgroundServicePlugin())
+      flutterEngine.plugins.add(HttpSSLOptionsPlugin())
       flutterEngine.plugins.add(backgroundEngineLockImpl)
       flutterEngine.plugins.add(nativeSyncApiImpl)
     }

mobile/android/app/src/main/kotlin/app/alextran/immich/core/HttpClientManager.kt

@@ -1,138 +0,0 @@
-package app.alextran.immich.core
-
-import android.content.Context
-import app.alextran.immich.BuildConfig
-import okhttp3.Cache
-import okhttp3.ConnectionPool
-import okhttp3.Dispatcher
-import okhttp3.OkHttpClient
-import java.io.ByteArrayInputStream
-import java.io.File
-import java.net.Socket
-import java.security.KeyStore
-import java.security.Principal
-import java.security.PrivateKey
-import java.security.cert.X509Certificate
-import java.util.concurrent.TimeUnit
-import javax.net.ssl.SSLContext
-import javax.net.ssl.TrustManagerFactory
-import javax.net.ssl.X509KeyManager
-import javax.net.ssl.X509TrustManager
-
-const val CERT_ALIAS = "client_cert"
-const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
-
-/**
- * Manages a shared OkHttpClient with SSL configuration support.
- * The client is shared across all Dart isolates and native code.
- */
-object HttpClientManager {
-  private const val CACHE_SIZE_BYTES = 100L * 1024 * 1024  // 100MiB
-  private const val KEEP_ALIVE_CONNECTIONS = 10
-  private const val KEEP_ALIVE_DURATION_MINUTES = 5L
-  private const val MAX_REQUESTS_PER_HOST = 64
-
-  private var initialized = false
-  private val clientChangedListeners = mutableListOf<() -> Unit>()
-
-  private lateinit var client: OkHttpClient
-
-  private val keyStore =  KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
-
-  val isMtls: Boolean get() = keyStore.containsAlias(CERT_ALIAS)
-
-  fun initialize(context: Context) {
-    if (initialized) return
-    synchronized(this) {
-      if (initialized) return
-
-      val cacheDir = File(File(context.cacheDir, "okhttp"), "api")
-      client = build(cacheDir)
-      initialized = true
-    }
-  }
-
-  fun setKeyEntry(clientData: ByteArray, password: CharArray) {
-    synchronized(this) {
-      val wasMtls = isMtls
-      val tmpKeyStore = KeyStore.getInstance("PKCS12").apply {
-        ByteArrayInputStream(clientData).use { stream -> load(stream, password) }
-      }
-      val tmpAlias = tmpKeyStore.aliases().asSequence().firstOrNull { tmpKeyStore.isKeyEntry(it) }
-        ?: throw IllegalArgumentException("No private key found in PKCS12")
-      val key = tmpKeyStore.getKey(tmpAlias, password)
-      val chain = tmpKeyStore.getCertificateChain(tmpAlias)
-
-      if (wasMtls) {
-        keyStore.deleteEntry(CERT_ALIAS)
-      }
-      keyStore.setKeyEntry(CERT_ALIAS, key, null, chain)
-      if (wasMtls != isMtls) {
-        clientChangedListeners.forEach { it() }
-      }
-    }
-  }
-
-  fun deleteKeyEntry() {
-    synchronized(this) {
-      if (!isMtls) {
-        return
-      }
-
-      keyStore.deleteEntry(CERT_ALIAS)
-      clientChangedListeners.forEach { it() }
-    }
-  }
-
-  @JvmStatic
-  fun getClient(): OkHttpClient {
-    return client
-  }
-
-  fun addClientChangedListener(listener: () -> Unit) {
-    synchronized(this) { clientChangedListeners.add(listener) }
-  }
-
-  private fun build(cacheDir: File): OkHttpClient {
-    val connectionPool = ConnectionPool(
-      maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
-      keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
-      timeUnit = TimeUnit.MINUTES
-    )
-
-    val managerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-    managerFactory.init(null as KeyStore?)
-    val trustManager = managerFactory.trustManagers.filterIsInstance<X509TrustManager>().first()
-
-    val sslContext = SSLContext.getInstance("TLS")
-      .apply { init(arrayOf(DynamicKeyManager()), arrayOf(trustManager), null) }
-
-    return OkHttpClient.Builder()
-      .addInterceptor { chain ->
-        chain.proceed(chain.request().newBuilder().header("User-Agent", USER_AGENT).build())
-      }
-      .connectionPool(connectionPool)
-      .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
-      .cache(Cache(cacheDir.apply { mkdirs() }, CACHE_SIZE_BYTES))
-      .sslSocketFactory(sslContext.socketFactory, trustManager)
-      .build()
-  }
-
-  // Reads from the key store rather than taking a snapshot at initialization time
-  private class DynamicKeyManager : X509KeyManager {
-    override fun getClientAliases(keyType: String, issuers: Array<Principal>?): Array<String>? =
-      if (isMtls) arrayOf(CERT_ALIAS) else null
-
-    override fun chooseClientAlias(keyTypes: Array<String>, issuers: Array<Principal>?, socket: Socket?): String? =
-      if (isMtls) CERT_ALIAS else null
-
-    override fun getCertificateChain(alias: String): Array<X509Certificate>? =
-      keyStore.getCertificateChain(alias)?.map { it as X509Certificate }?.toTypedArray()
-
-    override fun getPrivateKey(alias: String): PrivateKey? =
-      keyStore.getKey(alias, null) as? PrivateKey
-
-    override fun getServerAliases(keyType: String, issuers: Array<Principal>?): Array<String>? = null
-    override fun chooseServerAlias(keyType: String, issuers: Array<Principal>?, socket: Socket?): String? = null
-  }
-}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt

@@ -1,205 +0,0 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
-// See also: https://pub.dev/packages/pigeon
-@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
-
-package app.alextran.immich.core
-
-import android.util.Log
-import io.flutter.plugin.common.BasicMessageChannel
-import io.flutter.plugin.common.BinaryMessenger
-import io.flutter.plugin.common.EventChannel
-import io.flutter.plugin.common.MessageCodec
-import io.flutter.plugin.common.StandardMethodCodec
-import io.flutter.plugin.common.StandardMessageCodec
-import java.io.ByteArrayOutputStream
-import java.nio.ByteBuffer
-private object NetworkPigeonUtils {
-
-  fun wrapResult(result: Any?): List<Any?> {
-    return listOf(result)
-  }
-
-  fun wrapError(exception: Throwable): List<Any?> {
-    return if (exception is FlutterError) {
-      listOf(
-        exception.code,
-        exception.message,
-        exception.details
-      )
-    } else {
-      listOf(
-        exception.javaClass.simpleName,
-        exception.toString(),
-        "Cause: " + exception.cause + ", Stacktrace: " + Log.getStackTraceString(exception)
-      )
-    }
-  }
-  fun deepEquals(a: Any?, b: Any?): Boolean {
-    if (a is ByteArray && b is ByteArray) {
-        return a.contentEquals(b)
-    }
-    if (a is IntArray && b is IntArray) {
-        return a.contentEquals(b)
-    }
-    if (a is LongArray && b is LongArray) {
-        return a.contentEquals(b)
-    }
-    if (a is DoubleArray && b is DoubleArray) {
-        return a.contentEquals(b)
-    }
-    if (a is Array<*> && b is Array<*>) {
-      return a.size == b.size &&
-          a.indices.all{ deepEquals(a[it], b[it]) }
-    }
-    if (a is List<*> && b is List<*>) {
-      return a.size == b.size &&
-          a.indices.all{ deepEquals(a[it], b[it]) }
-    }
-    if (a is Map<*, *> && b is Map<*, *>) {
-      return a.size == b.size && a.all {
-          (b as Map<Any?, Any?>).containsKey(it.key) &&
-          deepEquals(it.value, b[it.key])
-      }
-    }
-    return a == b
-  }
-      
-}
-
-/**
- * Error class for passing custom error details to Flutter via a thrown PlatformException.
- * @property code The error code.
- * @property message The error message.
- * @property details The error details. Must be a datatype supported by the api codec.
- */
-class FlutterError (
-  val code: String,
-  override val message: String? = null,
-  val details: Any? = null
-) : Throwable()
-
-/** Generated class from Pigeon that represents data sent in messages. */
-data class ClientCertData (
-  val data: ByteArray,
-  val password: String
-)
- {
-  companion object {
-    fun fromList(pigeonVar_list: List<Any?>): ClientCertData {
-      val data = pigeonVar_list[0] as ByteArray
-      val password = pigeonVar_list[1] as String
-      return ClientCertData(data, password)
-    }
-  }
-  fun toList(): List<Any?> {
-    return listOf(
-      data,
-      password,
-    )
-  }
-  override fun equals(other: Any?): Boolean {
-    if (other !is ClientCertData) {
-      return false
-    }
-    if (this === other) {
-      return true
-    }
-    return NetworkPigeonUtils.deepEquals(toList(), other.toList())  }
-
-  override fun hashCode(): Int = toList().hashCode()
-}
-private open class NetworkPigeonCodec : StandardMessageCodec() {
-  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
-    return when (type) {
-      129.toByte() -> {
-        return (readValue(buffer) as? List<Any?>)?.let {
-          ClientCertData.fromList(it)
-        }
-      }
-      else -> super.readValueOfType(type, buffer)
-    }
-  }
-  override fun writeValue(stream: ByteArrayOutputStream, value: Any?)   {
-    when (value) {
-      is ClientCertData -> {
-        stream.write(129)
-        writeValue(stream, value.toList())
-      }
-      else -> super.writeValue(stream, value)
-    }
-  }
-}
-
-
-/** Generated interface from Pigeon that represents a handler of messages from Flutter. */
-interface NetworkApi {
-  fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit)
-  fun selectCertificate(callback: (Result<ClientCertData>) -> Unit)
-  fun removeCertificate(callback: (Result<Unit>) -> Unit)
-
-  companion object {
-    /** The codec used by NetworkApi. */
-    val codec: MessageCodec<Any?> by lazy {
-      NetworkPigeonCodec()
-    }
-    /** Sets up an instance of `NetworkApi` to handle messages through the `binaryMessenger`. */
-    @JvmOverloads
-    fun setUp(binaryMessenger: BinaryMessenger, api: NetworkApi?, messageChannelSuffix: String = "") {
-      val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate$separatedMessageChannelSuffix", codec)
-        if (api != null) {
-          channel.setMessageHandler { message, reply ->
-            val args = message as List<Any?>
-            val clientDataArg = args[0] as ClientCertData
-            api.addCertificate(clientDataArg) { result: Result<Unit> ->
-              val error = result.exceptionOrNull()
-              if (error != null) {
-                reply.reply(NetworkPigeonUtils.wrapError(error))
-              } else {
-                reply.reply(NetworkPigeonUtils.wrapResult(null))
-              }
-            }
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$separatedMessageChannelSuffix", codec)
-        if (api != null) {
-          channel.setMessageHandler { _, reply ->
-            api.selectCertificate{ result: Result<ClientCertData> ->
-              val error = result.exceptionOrNull()
-              if (error != null) {
-                reply.reply(NetworkPigeonUtils.wrapError(error))
-              } else {
-                val data = result.getOrNull()
-                reply.reply(NetworkPigeonUtils.wrapResult(data))
-              }
-            }
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate$separatedMessageChannelSuffix", codec)
-        if (api != null) {
-          channel.setMessageHandler { _, reply ->
-            api.removeCertificate{ result: Result<Unit> ->
-              val error = result.exceptionOrNull()
-              if (error != null) {
-                reply.reply(NetworkPigeonUtils.wrapError(error))
-              } else {
-                reply.reply(NetworkPigeonUtils.wrapResult(null))
-              }
-            }
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
-    }
-  }
-}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/NetworkApiPlugin.kt

@@ -1,135 +0,0 @@
-package app.alextran.immich.core
-
-import android.app.Activity
-import android.content.Context
-import android.net.Uri
-import android.os.OperationCanceledException
-import androidx.activity.ComponentActivity
-import androidx.activity.result.ActivityResultLauncher
-import androidx.activity.result.contract.ActivityResultContracts
-import io.flutter.embedding.engine.plugins.FlutterPlugin
-import io.flutter.embedding.engine.plugins.activity.ActivityAware
-import io.flutter.embedding.engine.plugins.activity.ActivityPluginBinding
-
-class NetworkApiPlugin : FlutterPlugin, ActivityAware {
-  private var networkApi: NetworkApiImpl? = null
-
-
-  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    networkApi = NetworkApiImpl(binding.applicationContext)
-    NetworkApi.setUp(binding.binaryMessenger, networkApi)
-  }
-
-  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    NetworkApi.setUp(binding.binaryMessenger, null)
-    networkApi = null
-  }
-
-  override fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    networkApi?.onAttachedToActivity(binding)
-  }
-
-  override fun onDetachedFromActivityForConfigChanges() {
-    networkApi?.onDetachedFromActivityForConfigChanges()
-  }
-
-  override fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    networkApi?.onReattachedToActivityForConfigChanges(binding)
-  }
-
-  override fun onDetachedFromActivity() {
-    networkApi?.onDetachedFromActivity()
-  }
-}
-
-private class NetworkApiImpl(private val context: Context) : NetworkApi {
-  private var activity: Activity? = null
-  private var pendingCallback: ((Result<ClientCertData>) -> Unit)? = null
-  private var filePicker: ActivityResultLauncher<Array<String>>? = null
-
-  fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    activity = binding.activity
-    (binding.activity as? ComponentActivity)?.let { componentActivity ->
-      filePicker = componentActivity.registerForActivityResult(
-        ActivityResultContracts.OpenDocument()
-      ) { uri -> uri?.let { handlePickedFile(it) } ?: pendingCallback?.invoke(Result.failure(OperationCanceledException())) }
-    }
-  }
-
-  fun onDetachedFromActivityForConfigChanges() {
-    activity = null
-  }
-
-  fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    activity = binding.activity
-  }
-
-  fun onDetachedFromActivity() {
-    activity = null
-  }
-
-  override fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit) {
-    try {
-      HttpClientManager.setKeyEntry(clientData.data, clientData.password.toCharArray())
-      callback(Result.success(Unit))
-    } catch (e: Exception) {
-      callback(Result.failure(e))
-    }
-  }
-
-  override fun selectCertificate(callback: (Result<ClientCertData>) -> Unit) {
-    val picker = filePicker ?: return callback(Result.failure(IllegalStateException("No activity")))
-    pendingCallback = callback
-    picker.launch(arrayOf("application/x-pkcs12", "application/x-pem-file"))
-  }
-
-  override fun removeCertificate(callback: (Result<Unit>) -> Unit) {
-    HttpClientManager.deleteKeyEntry()
-    callback(Result.success(Unit))
-  }
-
-  private fun handlePickedFile(uri: Uri) {
-    val callback = pendingCallback ?: return
-    pendingCallback = null
-
-    try {
-      val data = context.contentResolver.openInputStream(uri)?.use { it.readBytes() }
-        ?: throw IllegalStateException("Could not read file")
-
-      val activity = activity ?: throw IllegalStateException("No activity")
-      promptForPassword(activity) { password ->
-        if (password == null) {
-          callback(Result.failure(OperationCanceledException()))
-          return@promptForPassword
-        }
-        try {
-          HttpClientManager.setKeyEntry(data, password.toCharArray())
-          callback(Result.success(ClientCertData(data, password)))
-        } catch (e: Exception) {
-          callback(Result.failure(e))
-        }
-      }
-    } catch (e: Exception) {
-      callback(Result.failure(e))
-    }
-  }
-
-  private fun promptForPassword(activity: Activity, callback: (String?) -> Unit) {
-    val builder = android.app.AlertDialog.Builder(activity)
-      .setTitle("Certificate Password")
-      .setMessage("Enter the password for this certificate")
-
-    val input = android.widget.EditText(activity).apply {
-      inputType = android.text.InputType.TYPE_CLASS_TEXT or android.text.InputType.TYPE_TEXT_VARIATION_PASSWORD
-    }
-
-    builder.setView(input)
-      .setPositiveButton("Import") { _, _ -> callback(input.text.toString()) }
-      .setNegativeButton("Cancel") { dialog, _ ->
-        dialog.cancel()
-        callback(null)
-      }
-      .setOnCancelListener { callback(null) }
-      .show()
-  }
-}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt

@@ -0,0 +1,73 @@
+package app.alextran.immich.core
+
+import java.security.KeyStore
+import javax.net.ssl.KeyManager
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
+
+/**
+ * Shared SSL configuration for OkHttp and HttpsURLConnection.
+ * Stores the SSLSocketFactory and X509TrustManager configured by HttpSSLOptionsPlugin.
+ */
+object SSLConfig {
+  var sslSocketFactory: SSLSocketFactory? = null
+    private set
+
+  var trustManager: X509TrustManager? = null
+    private set
+
+  var requiresCustomSSL: Boolean = false
+    private set
+
+  private val listeners = mutableListOf<() -> Unit>()
+  private var configHash: Int = 0
+
+  fun addListener(listener: () -> Unit) {
+    listeners.add(listener)
+  }
+
+  fun apply(
+    keyManagers: Array<KeyManager>?,
+    trustManagers: Array<TrustManager>?,
+    allowSelfSigned: Boolean,
+    serverHost: String?,
+    clientCertHash: Int
+  ) {
+    synchronized(this) {
+      val newHash = computeHash(allowSelfSigned, serverHost, clientCertHash)
+      val newRequiresCustomSSL = allowSelfSigned || keyManagers != null
+      if (newHash == configHash && sslSocketFactory != null && requiresCustomSSL == newRequiresCustomSSL) {
+        return  // Config unchanged, skip
+      }
+
+      val sslContext = SSLContext.getInstance("TLS")
+      sslContext.init(keyManagers, trustManagers, null)
+      sslSocketFactory = sslContext.socketFactory
+      trustManager = trustManagers?.filterIsInstance<X509TrustManager>()?.firstOrNull()
+        ?: getDefaultTrustManager()
+      requiresCustomSSL = newRequiresCustomSSL
+      configHash = newHash
+      notifyListeners()
+    }
+  }
+
+  private fun computeHash(allowSelfSigned: Boolean, serverHost: String?, clientCertHash: Int): Int {
+    var result = allowSelfSigned.hashCode()
+    result = 31 * result + (serverHost?.hashCode() ?: 0)
+    result = 31 * result + clientCertHash
+    return result
+  }
+
+  private fun notifyListeners() {
+    listeners.forEach { it() }
+  }
+
+  private fun getDefaultTrustManager(): X509TrustManager {
+    val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    factory.init(null as KeyStore?)
+    return factory.trustManagers.filterIsInstance<X509TrustManager>().first()
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt

@@ -3,15 +3,17 @@ package app.alextran.immich.images
 import android.content.Context
 import android.os.CancellationSignal
 import android.os.OperationCanceledException
+import app.alextran.immich.BuildConfig
 import app.alextran.immich.INITIAL_BUFFER_SIZE
 import app.alextran.immich.NativeBuffer
 import app.alextran.immich.NativeByteBuffer
-import app.alextran.immich.core.HttpClientManager
-import app.alextran.immich.core.USER_AGENT
+import app.alextran.immich.core.SSLConfig
 import kotlinx.coroutines.*
 import okhttp3.Cache
 import okhttp3.Call
 import okhttp3.Callback
+import okhttp3.ConnectionPool
+import okhttp3.Dispatcher
 import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.Response
@@ -31,8 +33,14 @@ import java.nio.file.attribute.BasicFileAttributes
 import java.util.concurrent.ConcurrentHashMap
 import java.util.concurrent.Executors
 import java.util.concurrent.TimeUnit
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.X509TrustManager
 
 
+private const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
+private const val MAX_REQUESTS_PER_HOST = 64
+private const val KEEP_ALIVE_CONNECTIONS = 10
+private const val KEEP_ALIVE_DURATION_MINUTES = 5L
 private const val CACHE_SIZE_BYTES = 1024L * 1024 * 1024
 
 private class RemoteRequest(val cancellationSignal: CancellationSignal)
@@ -113,9 +121,7 @@ private object ImageFetcherManager {
       appContext = context.applicationContext
       cacheDir = context.cacheDir
       fetcher = build()
-      // Listen to SharedHttpClientManager instead of SSLConfig directly.
-      // This ensures the shared client is already rebuilt when we invalidate.
-      HttpClientManager.addClientChangedListener(::invalidate)
+      SSLConfig.addListener(::invalidate)
       initialized = true
     }
   }
@@ -137,14 +143,18 @@ private object ImageFetcherManager {
   private fun invalidate() {
     synchronized(this) {
       val oldFetcher = fetcher
+      if (oldFetcher is OkHttpImageFetcher && SSLConfig.requiresCustomSSL) {
+        fetcher = oldFetcher.reconfigure(SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+        return
+      }
       fetcher = build()
       oldFetcher.drain()
     }
   }
 
   private fun build(): ImageFetcher {
-    return if (HttpClientManager.isMtls) {
-      OkHttpImageFetcher.create(cacheDir)
+    return if (SSLConfig.requiresCustomSSL) {
+      OkHttpImageFetcher.create(cacheDir, SSLConfig.sslSocketFactory, SSLConfig.trustManager)
     } else {
       CronetImageFetcher(appContext, cacheDir)
     }
@@ -370,17 +380,51 @@ private class OkHttpImageFetcher private constructor(
   private var draining = false
 
   companion object {
-    fun create(cacheDir: File): OkHttpImageFetcher {
+    fun create(
+      cacheDir: File,
+      sslSocketFactory: SSLSocketFactory?,
+      trustManager: X509TrustManager?,
+    ): OkHttpImageFetcher {
       val dir = File(cacheDir, "okhttp")
+      val connectionPool = ConnectionPool(
+        maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
+        keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
+        timeUnit = TimeUnit.MINUTES
+      )
 
-      val client = HttpClientManager.getClient().newBuilder()
+      val builder = OkHttpClient.Builder()
+        .addInterceptor { chain ->
+          chain.proceed(
+            chain.request().newBuilder()
+              .header("User-Agent", USER_AGENT)
+              .build()
+          )
+        }
+        .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
+        .connectionPool(connectionPool)
         .cache(Cache(File(dir, "thumbnails"), CACHE_SIZE_BYTES))
-        .build()
 
-      return OkHttpImageFetcher(client)
+      if (sslSocketFactory != null && trustManager != null) {
+        builder.sslSocketFactory(sslSocketFactory, trustManager)
+      }
+
+      return OkHttpImageFetcher(builder.build())
     }
   }
 
+  fun reconfigure(
+    sslSocketFactory: SSLSocketFactory?,
+    trustManager: X509TrustManager?,
+  ): OkHttpImageFetcher {
+    val builder = client.newBuilder()
+    if (sslSocketFactory != null && trustManager != null) {
+      builder.sslSocketFactory(sslSocketFactory, trustManager)
+    }
+    // Evict idle connections using old SSL config
+    client.connectionPool.evictAll()
+    return OkHttpImageFetcher(builder.build())
+  }
+
   private fun onComplete() {
     val shouldClose = synchronized(stateLock) {
       activeCount--
@@ -468,6 +512,7 @@ private class OkHttpImageFetcher private constructor(
       draining = true
       activeCount == 0
     }
+    client.connectionPool.evictAll()
     if (shouldClose) {
       client.cache?.close()
     }

mobile/android/app/src/main/res/xml/network_security_config.xml

@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<network-security-config cleartextTrafficPermitted="true">
-    <base-config>
-        <trust-anchors>
-            <certificates src="system" />
-            <certificates src="user" />
-        </trust-anchors>
-    </base-config>
-</network-security-config>

mobile/ios/Runner/AppDelegate.swift

@@ -15,7 +15,7 @@ import UIKit
   ) -> Bool {
     // Required for flutter_local_notification
     if #available(iOS 10.0, *) {
-      UNUserNotificationCenter.current().delegate = self as UNUserNotificationCenterDelegate
+      UNUserNotificationCenter.current().delegate = self as? UNUserNotificationCenterDelegate
     }
 
     GeneratedPluginRegistrant.register(with: self)

mobile/ios/Runner/Core/Network.g.swift

@@ -1,240 +0,0 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
-// See also: https://pub.dev/packages/pigeon
-
-import Foundation
-
-#if os(iOS)
-  import Flutter
-#elseif os(macOS)
-  import FlutterMacOS
-#else
-  #error("Unsupported platform.")
-#endif
-
-private func wrapResult(_ result: Any?) -> [Any?] {
-  return [result]
-}
-
-private func wrapError(_ error: Any) -> [Any?] {
-  if let pigeonError = error as? PigeonError {
-    return [
-      pigeonError.code,
-      pigeonError.message,
-      pigeonError.details,
-    ]
-  }
-  if let flutterError = error as? FlutterError {
-    return [
-      flutterError.code,
-      flutterError.message,
-      flutterError.details,
-    ]
-  }
-  return [
-    "\(error)",
-    "\(type(of: error))",
-    "Stacktrace: \(Thread.callStackSymbols)",
-  ]
-}
-
-private func isNullish(_ value: Any?) -> Bool {
-  return value is NSNull || value == nil
-}
-
-private func nilOrValue<T>(_ value: Any?) -> T? {
-  if value is NSNull { return nil }
-  return value as! T?
-}
-
-func deepEqualsNetwork(_ lhs: Any?, _ rhs: Any?) -> Bool {
-  let cleanLhs = nilOrValue(lhs) as Any?
-  let cleanRhs = nilOrValue(rhs) as Any?
-  switch (cleanLhs, cleanRhs) {
-  case (nil, nil):
-    return true
-
-  case (nil, _), (_, nil):
-    return false
-
-  case is (Void, Void):
-    return true
-
-  case let (cleanLhsHashable, cleanRhsHashable) as (AnyHashable, AnyHashable):
-    return cleanLhsHashable == cleanRhsHashable
-
-  case let (cleanLhsArray, cleanRhsArray) as ([Any?], [Any?]):
-    guard cleanLhsArray.count == cleanRhsArray.count else { return false }
-    for (index, element) in cleanLhsArray.enumerated() {
-      if !deepEqualsNetwork(element, cleanRhsArray[index]) {
-        return false
-      }
-    }
-    return true
-
-  case let (cleanLhsDictionary, cleanRhsDictionary) as ([AnyHashable: Any?], [AnyHashable: Any?]):
-    guard cleanLhsDictionary.count == cleanRhsDictionary.count else { return false }
-    for (key, cleanLhsValue) in cleanLhsDictionary {
-      guard cleanRhsDictionary.index(forKey: key) != nil else { return false }
-      if !deepEqualsNetwork(cleanLhsValue, cleanRhsDictionary[key]!) {
-        return false
-      }
-    }
-    return true
-
-  default:
-    // Any other type shouldn't be able to be used with pigeon. File an issue if you find this to be untrue.
-    return false
-  }
-}
-
-func deepHashNetwork(value: Any?, hasher: inout Hasher) {
-  if let valueList = value as? [AnyHashable] {
-     for item in valueList { deepHashNetwork(value: item, hasher: &hasher) }
-     return
-  }
-
-  if let valueDict = value as? [AnyHashable: AnyHashable] {
-    for key in valueDict.keys { 
-      hasher.combine(key)
-      deepHashNetwork(value: valueDict[key]!, hasher: &hasher)
-    }
-    return
-  }
-
-  if let hashableValue = value as? AnyHashable {
-    hasher.combine(hashableValue.hashValue)
-  }
-
-  return hasher.combine(String(describing: value))
-}
-
-    
-
-/// Generated class from Pigeon that represents data sent in messages.
-struct ClientCertData: Hashable {
-  var data: FlutterStandardTypedData
-  var password: String
-
-
-  // swift-format-ignore: AlwaysUseLowerCamelCase
-  static func fromList(_ pigeonVar_list: [Any?]) -> ClientCertData? {
-    let data = pigeonVar_list[0] as! FlutterStandardTypedData
-    let password = pigeonVar_list[1] as! String
-
-    return ClientCertData(
-      data: data,
-      password: password
-    )
-  }
-  func toList() -> [Any?] {
-    return [
-      data,
-      password,
-    ]
-  }
-  static func == (lhs: ClientCertData, rhs: ClientCertData) -> Bool {
-    return deepEqualsNetwork(lhs.toList(), rhs.toList())  }
-  func hash(into hasher: inout Hasher) {
-    deepHashNetwork(value: toList(), hasher: &hasher)
-  }
-}
-
-private class NetworkPigeonCodecReader: FlutterStandardReader {
-  override func readValue(ofType type: UInt8) -> Any? {
-    switch type {
-    case 129:
-      return ClientCertData.fromList(self.readValue() as! [Any?])
-    default:
-      return super.readValue(ofType: type)
-    }
-  }
-}
-
-private class NetworkPigeonCodecWriter: FlutterStandardWriter {
-  override func writeValue(_ value: Any) {
-    if let value = value as? ClientCertData {
-      super.writeByte(129)
-      super.writeValue(value.toList())
-    } else {
-      super.writeValue(value)
-    }
-  }
-}
-
-private class NetworkPigeonCodecReaderWriter: FlutterStandardReaderWriter {
-  override func reader(with data: Data) -> FlutterStandardReader {
-    return NetworkPigeonCodecReader(data: data)
-  }
-
-  override func writer(with data: NSMutableData) -> FlutterStandardWriter {
-    return NetworkPigeonCodecWriter(data: data)
-  }
-}
-
-class NetworkPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
-  static let shared = NetworkPigeonCodec(readerWriter: NetworkPigeonCodecReaderWriter())
-}
-
-
-/// Generated protocol from Pigeon that represents a handler of messages from Flutter.
-protocol NetworkApi {
-  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, Error>) -> Void)
-  func selectCertificate(completion: @escaping (Result<ClientCertData, Error>) -> Void)
-  func removeCertificate(completion: @escaping (Result<Void, Error>) -> Void)
-}
-
-/// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
-class NetworkApiSetup {
-  static var codec: FlutterStandardMessageCodec { NetworkPigeonCodec.shared }
-  /// Sets up an instance of `NetworkApi` to handle messages through the `binaryMessenger`.
-  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: NetworkApi?, messageChannelSuffix: String = "") {
-    let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
-    let addCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-    if let api = api {
-      addCertificateChannel.setMessageHandler { message, reply in
-        let args = message as! [Any?]
-        let clientDataArg = args[0] as! ClientCertData
-        api.addCertificate(clientData: clientDataArg) { result in
-          switch result {
-          case .success:
-            reply(wrapResult(nil))
-          case .failure(let error):
-            reply(wrapError(error))
-          }
-        }
-      }
-    } else {
-      addCertificateChannel.setMessageHandler(nil)
-    }
-    let selectCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-    if let api = api {
-      selectCertificateChannel.setMessageHandler { _, reply in
-        api.selectCertificate { result in
-          switch result {
-          case .success(let res):
-            reply(wrapResult(res))
-          case .failure(let error):
-            reply(wrapError(error))
-          }
-        }
-      }
-    } else {
-      selectCertificateChannel.setMessageHandler(nil)
-    }
-    let removeCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-    if let api = api {
-      removeCertificateChannel.setMessageHandler { _, reply in
-        api.removeCertificate { result in
-          switch result {
-          case .success:
-            reply(wrapResult(nil))
-          case .failure(let error):
-            reply(wrapError(error))
-          }
-        }
-      }
-    } else {
-      removeCertificateChannel.setMessageHandler(nil)
-    }
-  }
-}

mobile/ios/Runner/Core/NetworkApiImpl.swift

@@ -1,157 +0,0 @@
-import Foundation
-import UniformTypeIdentifiers
-
-enum ImportError: Error {
-  case noFile
-  case noViewController
-  case keychainError(OSStatus)
-  case cancelled
-}
-
-class NetworkApiImpl: NetworkApi {
-  weak var viewController: UIViewController?
-  private var activeImporter: CertImporter?
-  
-  init(viewController: UIViewController?) {
-    self.viewController = viewController
-  }
-  
-  func selectCertificate(completion: @escaping (Result<ClientCertData, any Error>) -> Void) {
-    let importer = CertImporter(completion: { [weak self] result in
-      self?.activeImporter = nil
-      completion(result.map { ClientCertData(data: FlutterStandardTypedData(bytes: $0.0), password: $0.1) })
-    }, viewController: viewController)
-    activeImporter = importer
-    importer.load()
-  }
-  
-  func removeCertificate(completion: @escaping (Result<Void, any Error>) -> Void) {
-    let status = clearCerts()
-    if status == errSecSuccess || status == errSecItemNotFound {
-      return completion(.success(()))
-    }
-    completion(.failure(ImportError.keychainError(status)))
-  }
-  
-  // TODO: remove this method once the app is fully transitioned to native clients
-  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, any Error>) -> Void) {
-    let status = importCert(clientData: clientData.data.data, password: clientData.password)
-    if status == errSecSuccess {
-      return completion(.success(()))
-    }
-    completion(.failure(ImportError.keychainError(status)))
-  }
-}
-
-private class CertImporter: NSObject, UIDocumentPickerDelegate {
-  private var completion: ((Result<(Data, String), Error>) -> Void)
-  private weak var viewController: UIViewController?
-  
-  init(completion: (@escaping (Result<(Data, String), Error>) -> Void), viewController: UIViewController?) {
-    self.completion = completion
-    self.viewController = viewController
-  }
-  
-  func load() {
-    guard let vc = viewController else { return completion(.failure(ImportError.noViewController)) }
-    let picker = UIDocumentPickerViewController(forOpeningContentTypes: [
-      UTType(filenameExtension: "p12")!,
-      UTType(filenameExtension: "pfx")!,
-    ])
-    picker.delegate = self
-    picker.allowsMultipleSelection = false
-    vc.present(picker, animated: true)
-  }
-  
-  func documentPicker(_ controller: UIDocumentPickerViewController, didPickDocumentsAt urls: [URL]) {
-    guard let url = urls.first else {
-      return completion(.failure(ImportError.noFile))
-    }
-    
-    Task { @MainActor in
-      do {
-        let data = try readSecurityScoped(url: url)
-        guard let password = await promptForPassword() else {
-          return completion(.failure(ImportError.cancelled))
-        }
-        let status = importCert(clientData: data, password: password)
-        if status != errSecSuccess {
-          return completion(.failure(ImportError.keychainError(status)))
-        }
-        
-        await URLSessionManager.shared.session.flush()
-        self.completion(.success((data, password)))
-      } catch {
-        completion(.failure(error))
-      }
-    }
-  }
-  
-  func documentPickerWasCancelled(_ controller: UIDocumentPickerViewController) {
-    completion(.failure(ImportError.cancelled))
-  }
-  
-  private func promptForPassword() async -> String? {
-    guard let vc = viewController else { return nil }
-    
-    return await withCheckedContinuation { continuation in
-      let alert = UIAlertController(
-        title: "Certificate Password",
-        message: "Enter the password for this certificate",
-        preferredStyle: .alert
-      )
-      
-      alert.addTextField { $0.isSecureTextEntry = true }
-      
-      alert.addAction(UIAlertAction(title: "Cancel", style: .cancel) { _ in
-        continuation.resume(returning: nil)
-      })
-      
-      alert.addAction(UIAlertAction(title: "Import", style: .default) { _ in
-        continuation.resume(returning: alert.textFields?.first?.text ?? "")
-      })
-      
-      vc.present(alert, animated: true)
-    }
-  }
-  
-  private func readSecurityScoped(url: URL) throws -> Data {
-    guard url.startAccessingSecurityScopedResource() else {
-      throw ImportError.noFile
-    }
-    defer { url.stopAccessingSecurityScopedResource() }
-    return try Data(contentsOf: url)
-  }
-}
-
-private func importCert(clientData: Data, password: String) -> OSStatus {
-  let options = [kSecImportExportPassphrase: password] as CFDictionary
-  var items: CFArray?
-  var status = SecPKCS12Import(clientData as CFData, options, &items)
-  
-  guard status == errSecSuccess,
-        let array = items as? [[String: Any]],
-        let first = array.first,
-        let identity = first[kSecImportItemIdentity as String] else {
-    return status
-  }
-  
-  clearCerts()
-  
-  var addQuery = [
-    kSecClass as String: kSecClassIdentity,
-    kSecValueRef as String: identity,
-    kSecAttrLabel as String: CLIENT_CERT_LABEL,
-    kSecAttrService as String: CLIENT_CERT_SERVICE,
-    kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
-  ]
-  return SecItemAdd(addQuery as CFDictionary, nil)
-}
-
-@discardableResult private func clearCerts() -> OSStatus {
-  let deleteQuery: [String: Any] = [
-    kSecClass as String: kSecClassIdentity,
-    kSecAttrService as String: CLIENT_CERT_SERVICE,
-  ]
-  return SecItemDelete(deleteQuery as CFDictionary)
-}

mobile/ios/Runner/Core/URLSessionManager.swift

@@ -1,88 +0,0 @@
-import Foundation
-
-let CLIENT_CERT_SERVICE = "app.alextran.immich.mtls"
-let CLIENT_CERT_LABEL = "client_identity"
-
-/// Manages a shared URLSession with SSL configuration support.
-class URLSessionManager: NSObject {
-  static let shared = URLSessionManager()
-  
-  let session: URLSession
-  private let configuration = {
-    let config = URLSessionConfiguration.default
-    
-    let cacheDir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)
-      .first!
-      .appendingPathComponent("api", isDirectory: true)
-    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
-    
-    config.urlCache = URLCache(
-      memoryCapacity: 0,
-      diskCapacity: 1024 * 1024 * 1024,
-      directory: cacheDir
-    )
-    
-    config.httpMaximumConnectionsPerHost = 64
-    config.timeoutIntervalForRequest = 60
-    config.timeoutIntervalForResource = 300
-    
-    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
-    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
-    
-    return config
-  }()
-  
-  private override init() {
-    session = URLSession(configuration: configuration, delegate: URLSessionManagerDelegate(), delegateQueue: nil)
-    super.init()
-  }
-}
-
-class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate {
-  func urlSession(
-    _ session: URLSession,
-    didReceive challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    handleChallenge(challenge, completionHandler: completionHandler)
-  }
-  
-  func urlSession(
-    _ session: URLSession,
-    task: URLSessionTask,
-    didReceive challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    handleChallenge(challenge, completionHandler: completionHandler)
-  }
-  
-  func handleChallenge(
-    _ challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    switch challenge.protectionSpace.authenticationMethod {
-    case NSURLAuthenticationMethodClientCertificate: handleClientCertificate(completion: completionHandler)
-    default: completionHandler(.performDefaultHandling, nil)
-    }
-  }
-  
-  private func handleClientCertificate(
-    completion: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    let query: [String: Any] = [
-      kSecClass as String: kSecClassIdentity,
-      kSecAttrLabel as String: CLIENT_CERT_LABEL,
-      kSecReturnRef as String: true,
-    ]
-    
-    var item: CFTypeRef?
-    let status = SecItemCopyMatching(query as CFDictionary, &item)
-    if status == errSecSuccess, let identity = item {
-      let credential = URLCredential(identity: identity as! SecIdentity,
-                                     certificates: nil,
-                                     persistence: .forSession)
-      return completion(.useCredential, credential)
-    }
-    completion(.performDefaultHandling, nil)
-  }
-}

mobile/ios/Runner/Images/ImageProcessing.swift

@@ -1,7 +0,0 @@
-import Foundation
-
-enum ImageProcessing {
-  static let queue = DispatchQueue(label: "thumbnail.processing", qos: .userInitiated, attributes: .concurrent)
-  static let semaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
-  static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
-}

mobile/ios/Runner/Images/LocalImagesImpl.swift

@@ -34,6 +34,7 @@ class LocalImageApiImpl: LocalImageApi {
   private static let assetQueue = DispatchQueue(label: "thumbnail.assets", qos: .userInitiated)
   private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated)
   private static let cancelQueue = DispatchQueue(label: "thumbnail.cancellation", qos: .default)
+  private static let processingQueue = DispatchQueue(label: "thumbnail.processing", qos: .userInteractive, attributes: .concurrent)
   
   private static var rgbaFormat = vImage_CGImageFormat(
     bitsPerComponent: 8,
@@ -43,6 +44,8 @@ class LocalImageApiImpl: LocalImageApi {
     renderingIntent: .defaultIntent
   )!
   private static var requests = [Int64: LocalImageRequest]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
+  private static let concurrencySemaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
   private static let assetCache = {
     let assetCache = NSCache<NSString, PHAsset>()
     assetCache.countLimit = 10000
@@ -50,7 +53,7 @@ class LocalImageApiImpl: LocalImageApi {
   }()
   
   func getThumbhash(thumbhash: String, completion: @escaping (Result<[String : Int64], any Error>) -> Void) {
-    ImageProcessing.queue.async {
+    Self.processingQueue.async {
       guard let data = Data(base64Encoded: thumbhash)
       else { return completion(.failure(PigeonError(code: "", message: "Invalid base64 string: \(thumbhash)", details: nil)))}
       
@@ -68,16 +71,16 @@ class LocalImageApiImpl: LocalImageApi {
     let request = LocalImageRequest(callback: completion)
     let item = DispatchWorkItem {
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
-      ImageProcessing.semaphore.wait()
+      Self.concurrencySemaphore.wait()
       defer {
-        ImageProcessing.semaphore.signal()
+        Self.concurrencySemaphore.signal()
       }
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       guard let asset = Self.requestAsset(assetId: assetId)
@@ -88,7 +91,7 @@ class LocalImageApiImpl: LocalImageApi {
       }
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       var image: UIImage?
@@ -113,7 +116,7 @@ class LocalImageApiImpl: LocalImageApi {
       }
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       do {
@@ -121,7 +124,7 @@ class LocalImageApiImpl: LocalImageApi {
         
         if request.isCancelled {
           buffer.free()
-          return completion(ImageProcessing.cancelledResult)
+          return completion(Self.cancelledResult)
         }
         
         request.callback(.success([
@@ -130,6 +133,7 @@ class LocalImageApiImpl: LocalImageApi {
           "height": Int64(buffer.height),
           "rowBytes": Int64(buffer.rowBytes)
         ]))
+        print("Successful response for \(requestId)")
         Self.remove(requestId: requestId)
       } catch {
         Self.remove(requestId: requestId)
@@ -139,7 +143,7 @@ class LocalImageApiImpl: LocalImageApi {
     
     request.workItem = item
     Self.add(requestId: requestId, request: request)
-    ImageProcessing.queue.async(execute: item)
+    Self.processingQueue.async(execute: item)
   }
   
   func cancelRequest(requestId: Int64) {
@@ -160,7 +164,7 @@ class LocalImageApiImpl: LocalImageApi {
       request.isCancelled = true
       guard let item = request.workItem else { return }
       if item.isCancelled {
-        cancelQueue.async { request.callback(ImageProcessing.cancelledResult) }
+        cancelQueue.async { request.callback(Self.cancelledResult) }
       }
     }
   }

mobile/ios/Runner/Images/RemoteImagesImpl.swift

@@ -7,18 +7,64 @@ class RemoteImageRequest {
   weak var task: URLSessionDataTask?
   let id: Int64
   var isCancelled = false
+  var data: CFMutableData?
   let completion: (Result<[String: Int64]?, any Error>) -> Void
-
+  
   init(id: Int64, task: URLSessionDataTask, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
     self.id = id
     self.task = task
+    self.data = nil
     self.completion = completion
   }
 }
 
 class RemoteImageApiImpl: NSObject, RemoteImageApi {
-  private static var lock = os_unfair_lock()
-  private static var requests = [Int64: RemoteImageRequest]()
+  private static let delegate = RemoteImageApiDelegate()
+  static let session = {
+    let cacheDir = FileManager.default.temporaryDirectory.appendingPathComponent("thumbnails", isDirectory: true)
+    let config = URLSessionConfiguration.default
+    config.requestCachePolicy = .returnCacheDataElseLoad
+    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
+    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
+    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
+    config.urlCache = URLCache(
+      memoryCapacity: 0,
+      diskCapacity: 1 << 30,
+      directory: cacheDir
+    )
+    config.httpMaximumConnectionsPerHost = 64
+    return URLSession(configuration: config, delegate: delegate, delegateQueue: nil)
+  }()
+  
+  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
+    var urlRequest = URLRequest(url: URL(string: url)!)
+    for (key, value) in headers {
+      urlRequest.setValue(value, forHTTPHeaderField: key)
+    }
+    let task = Self.session.dataTask(with: urlRequest)
+    
+    let imageRequest = RemoteImageRequest(id: requestId, task: task, completion: completion)
+    Self.delegate.add(taskId: task.taskIdentifier, request: imageRequest)
+    
+    task.resume()
+  }
+  
+  func cancelRequest(requestId: Int64) {
+    Self.delegate.cancel(requestId: requestId)
+  }
+  
+  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
+    Task {
+      let cache = Self.session.configuration.urlCache!
+      let cacheSize = Int64(cache.currentDiskUsage)
+      cache.removeAllCachedResponses()
+      completion(.success(cacheSize))
+    }
+  }
+}
+
+class RemoteImageApiDelegate: NSObject, URLSessionDataDelegate {
+  private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated, attributes: .concurrent)
   private static var rgbaFormat = vImage_CGImageFormat(
     bitsPerComponent: 8,
     bitsPerPixel: 32,
@@ -26,110 +72,115 @@ class RemoteImageApiImpl: NSObject, RemoteImageApi {
     bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
     renderingIntent: .perceptual
   )!
+  private static var requestByTaskId = [Int: RemoteImageRequest]()
+  private static var taskIdByRequestId = [Int64: Int]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
   private static let decodeOptions = [
     kCGImageSourceShouldCache: false,
     kCGImageSourceShouldCacheImmediately: true,
     kCGImageSourceCreateThumbnailWithTransform: true,
     kCGImageSourceCreateThumbnailFromImageAlways: true
   ] as CFDictionary
-
-  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
-    var urlRequest = URLRequest(url: URL(string: url)!)
-    urlRequest.cachePolicy = .returnCacheDataElseLoad
-    for (key, value) in headers {
-      urlRequest.setValue(value, forHTTPHeaderField: key)
+  
+  func urlSession(
+    _ session: URLSession, dataTask: URLSessionDataTask,
+    didReceive response: URLResponse,
+    completionHandler: @escaping (URLSession.ResponseDisposition) -> Void
+  ) {
+    guard let request = get(taskId: dataTask.taskIdentifier)
+    else {
+      return completionHandler(.cancel)
     }
-
-    let task = URLSessionManager.shared.session.dataTask(with: urlRequest) { data, response, error in
-      Self.handleCompletion(requestId: requestId, data: data, response: response, error: error)
-    }
-
-    let request = RemoteImageRequest(id: requestId, task: task, completion: completion)
-
-    os_unfair_lock_lock(&Self.lock)
-    Self.requests[requestId] = request
-    os_unfair_lock_unlock(&Self.lock)
-
-    task.resume()
+    
+    let capacity = max(Int(response.expectedContentLength), 0)
+    request.data = CFDataCreateMutable(nil, capacity)
+    
+    completionHandler(.allow)
   }
-
-  private static func handleCompletion(requestId: Int64, data: Data?, response: URLResponse?, error: Error?) {
-    os_unfair_lock_lock(&Self.lock)
-    guard let request = requests[requestId] else {
-      return os_unfair_lock_unlock(&Self.lock)
+  
+  func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
+                  didReceive data: Data) {
+    guard let request = get(taskId: dataTask.taskIdentifier) else { return }
+    
+    data.withUnsafeBytes { bytes in
+      CFDataAppendBytes(request.data, bytes.bindMemory(to: UInt8.self).baseAddress, data.count)
     }
-    requests[requestId] = nil
-    os_unfair_lock_unlock(&Self.lock)
-
+  }
+  
+  func urlSession(_ session: URLSession, task: URLSessionTask,
+                  didCompleteWithError error: Error?) {
+    guard let request = get(taskId: task.taskIdentifier) else { return }
+        
+    defer { remove(taskId: task.taskIdentifier, requestId: request.id) }
+    
     if let error = error {
       if request.isCancelled || (error as NSError).code == NSURLErrorCancelled {
-        return request.completion(ImageProcessing.cancelledResult)
+        return request.completion(Self.cancelledResult)
       }
       return request.completion(.failure(error))
     }
-
+    
     if request.isCancelled {
-      return request.completion(ImageProcessing.cancelledResult)
+      return request.completion(Self.cancelledResult)
     }
-
-    guard let data = data else {
+    
+    guard let data = request.data else {
       return request.completion(.failure(PigeonError(code: "", message: "No data received", details: nil)))
     }
-
-    ImageProcessing.queue.async {
-      ImageProcessing.semaphore.wait()
-      defer { ImageProcessing.semaphore.signal() }
-
+    
+    guard let imageSource = CGImageSourceCreateWithData(data, nil),
+          let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, Self.decodeOptions) else {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
+    }
+    
+    if request.isCancelled {
+      return request.completion(Self.cancelledResult)
+    }
+    
+    do {
+      let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
+      
       if request.isCancelled {
-        return request.completion(ImageProcessing.cancelledResult)
-      }
-
-      guard let imageSource = CGImageSourceCreateWithData(data as CFData, nil),
-            let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, decodeOptions) else {
-        return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
-      }
-
-      if request.isCancelled {
-        return request.completion(ImageProcessing.cancelledResult)
-      }
-
-      do {
-        let buffer = try vImage_Buffer(cgImage: cgImage, format: rgbaFormat)
-
-        if request.isCancelled {
-          buffer.free()
-          return request.completion(ImageProcessing.cancelledResult)
-        }
-
-        request.completion(
-          .success([
-            "pointer": Int64(Int(bitPattern: buffer.data)),
-            "width": Int64(buffer.width),
-            "height": Int64(buffer.height),
-            "rowBytes": Int64(buffer.rowBytes),
-          ]))
-      } catch {
-        return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
+        buffer.free()
+        return request.completion(Self.cancelledResult)
       }
+      
+      request.completion(
+        .success([
+          "pointer": Int64(Int(bitPattern: buffer.data)),
+          "width": Int64(buffer.width),
+          "height": Int64(buffer.height),
+          "rowBytes": Int64(buffer.rowBytes),
+        ]))
+    } catch {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
     }
   }
-
-  func cancelRequest(requestId: Int64) {
-    os_unfair_lock_lock(&Self.lock)
-    let request = Self.requests[requestId]
-    os_unfair_lock_unlock(&Self.lock)
-
-    guard let request = request else { return }
+  
+  @inline(__always) func get(taskId: Int) -> RemoteImageRequest? {
+    Self.requestQueue.sync { Self.requestByTaskId[taskId] }
+  }
+  
+  @inline(__always) func add(taskId: Int, request: RemoteImageRequest) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.requestByTaskId[taskId] = request
+      Self.taskIdByRequestId[request.id] = taskId
+    }
+  }
+  
+  @inline(__always) func remove(taskId: Int, requestId: Int64) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.taskIdByRequestId[requestId] = nil
+      Self.requestByTaskId[taskId] = nil
+    }
+  }
+  
+  @inline(__always) func cancel(requestId: Int64) -> Void {
+    guard let request: RemoteImageRequest = (Self.requestQueue.sync {
+      guard let taskId = Self.taskIdByRequestId[requestId] else { return nil }
+      return Self.requestByTaskId[taskId]
+    }) else { return }
     request.isCancelled = true
     request.task?.cancel()
   }
-
-  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
-    Task {
-      let cache = URLSessionManager.shared.session.configuration.urlCache!
-      let cacheSize = Int64(cache.currentDiskUsage)
-      cache.removeAllCachedResponses()
-      completion(.success(cacheSize))
-    }
-  }
 }

mobile/lib/domain/services/background_worker.service.dart

@@ -88,7 +88,7 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {
 
   Future<void> init() async {
     try {
-      HttpSSLOptions.apply();
+      HttpSSLOptions.apply(applyNative: false);
 
       await Future.wait(
         [

mobile/lib/models/server_info/server_info.model.dart

@@ -20,7 +20,7 @@ enum VersionStatus {
 
 class ServerInfo {
   final ServerVersion serverVersion;
-  final ServerVersion? latestVersion;
+  final ServerVersion latestVersion;
   final ServerFeatures serverFeatures;
   final ServerConfig serverConfig;
   final ServerDiskInfo serverDiskInfo;

mobile/lib/platform/network_api.g.dart

@@ -1,181 +0,0 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
-// See also: https://pub.dev/packages/pigeon
-// ignore_for_file: public_member_api_docs, non_constant_identifier_names, avoid_as, unused_import, unnecessary_parenthesis, prefer_null_aware_operators, omit_local_variable_types, unused_shown_name, unnecessary_import, no_leading_underscores_for_local_identifiers
-
-import 'dart:async';
-import 'dart:typed_data' show Float64List, Int32List, Int64List, Uint8List;
-
-import 'package:flutter/foundation.dart' show ReadBuffer, WriteBuffer;
-import 'package:flutter/services.dart';
-
-PlatformException _createConnectionError(String channelName) {
-  return PlatformException(
-    code: 'channel-error',
-    message: 'Unable to establish connection on channel: "$channelName".',
-  );
-}
-
-bool _deepEquals(Object? a, Object? b) {
-  if (a is List && b is List) {
-    return a.length == b.length && a.indexed.every(((int, dynamic) item) => _deepEquals(item.$2, b[item.$1]));
-  }
-  if (a is Map && b is Map) {
-    return a.length == b.length &&
-        a.entries.every(
-          (MapEntry<Object?, Object?> entry) =>
-              (b as Map<Object?, Object?>).containsKey(entry.key) && _deepEquals(entry.value, b[entry.key]),
-        );
-  }
-  return a == b;
-}
-
-class ClientCertData {
-  ClientCertData({required this.data, required this.password});
-
-  Uint8List data;
-
-  String password;
-
-  List<Object?> _toList() {
-    return <Object?>[data, password];
-  }
-
-  Object encode() {
-    return _toList();
-  }
-
-  static ClientCertData decode(Object result) {
-    result as List<Object?>;
-    return ClientCertData(data: result[0]! as Uint8List, password: result[1]! as String);
-  }
-
-  @override
-  // ignore: avoid_equals_and_hash_code_on_mutable_classes
-  bool operator ==(Object other) {
-    if (other is! ClientCertData || other.runtimeType != runtimeType) {
-      return false;
-    }
-    if (identical(this, other)) {
-      return true;
-    }
-    return _deepEquals(encode(), other.encode());
-  }
-
-  @override
-  // ignore: avoid_equals_and_hash_code_on_mutable_classes
-  int get hashCode => Object.hashAll(_toList());
-}
-
-class _PigeonCodec extends StandardMessageCodec {
-  const _PigeonCodec();
-  @override
-  void writeValue(WriteBuffer buffer, Object? value) {
-    if (value is int) {
-      buffer.putUint8(4);
-      buffer.putInt64(value);
-    } else if (value is ClientCertData) {
-      buffer.putUint8(129);
-      writeValue(buffer, value.encode());
-    } else {
-      super.writeValue(buffer, value);
-    }
-  }
-
-  @override
-  Object? readValueOfType(int type, ReadBuffer buffer) {
-    switch (type) {
-      case 129:
-        return ClientCertData.decode(readValue(buffer)!);
-      default:
-        return super.readValueOfType(type, buffer);
-    }
-  }
-}
-
-class NetworkApi {
-  /// Constructor for [NetworkApi].  The [binaryMessenger] named argument is
-  /// available for dependency injection.  If it is left null, the default
-  /// BinaryMessenger will be used which routes to the host platform.
-  NetworkApi({BinaryMessenger? binaryMessenger, String messageChannelSuffix = ''})
-    : pigeonVar_binaryMessenger = binaryMessenger,
-      pigeonVar_messageChannelSuffix = messageChannelSuffix.isNotEmpty ? '.$messageChannelSuffix' : '';
-  final BinaryMessenger? pigeonVar_binaryMessenger;
-
-  static const MessageCodec<Object?> pigeonChannelCodec = _PigeonCodec();
-
-  final String pigeonVar_messageChannelSuffix;
-
-  Future<void> addCertificate(ClientCertData clientData) async {
-    final String pigeonVar_channelName =
-        'dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate$pigeonVar_messageChannelSuffix';
-    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
-      pigeonVar_channelName,
-      pigeonChannelCodec,
-      binaryMessenger: pigeonVar_binaryMessenger,
-    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[clientData]);
-    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
-    if (pigeonVar_replyList == null) {
-      throw _createConnectionError(pigeonVar_channelName);
-    } else if (pigeonVar_replyList.length > 1) {
-      throw PlatformException(
-        code: pigeonVar_replyList[0]! as String,
-        message: pigeonVar_replyList[1] as String?,
-        details: pigeonVar_replyList[2],
-      );
-    } else {
-      return;
-    }
-  }
-
-  Future<ClientCertData> selectCertificate() async {
-    final String pigeonVar_channelName =
-        'dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$pigeonVar_messageChannelSuffix';
-    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
-      pigeonVar_channelName,
-      pigeonChannelCodec,
-      binaryMessenger: pigeonVar_binaryMessenger,
-    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
-    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
-    if (pigeonVar_replyList == null) {
-      throw _createConnectionError(pigeonVar_channelName);
-    } else if (pigeonVar_replyList.length > 1) {
-      throw PlatformException(
-        code: pigeonVar_replyList[0]! as String,
-        message: pigeonVar_replyList[1] as String?,
-        details: pigeonVar_replyList[2],
-      );
-    } else if (pigeonVar_replyList[0] == null) {
-      throw PlatformException(
-        code: 'null-error',
-        message: 'Host platform returned null value for non-null return value.',
-      );
-    } else {
-      return (pigeonVar_replyList[0] as ClientCertData?)!;
-    }
-  }
-
-  Future<void> removeCertificate() async {
-    final String pigeonVar_channelName =
-        'dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate$pigeonVar_messageChannelSuffix';
-    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
-      pigeonVar_channelName,
-      pigeonChannelCodec,
-      binaryMessenger: pigeonVar_binaryMessenger,
-    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
-    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
-    if (pigeonVar_replyList == null) {
-      throw _createConnectionError(pigeonVar_channelName);
-    } else if (pigeonVar_replyList.length > 1) {
-      throw PlatformException(
-        code: pigeonVar_replyList[0]! as String,
-        message: pigeonVar_replyList[1] as String?,
-        details: pigeonVar_replyList[2],
-      );
-    } else {
-      return;
-    }
-  }
-}

mobile/lib/providers/infrastructure/platform.provider.dart

@@ -5,7 +5,6 @@ import 'package:immich_mobile/platform/background_worker_lock_api.g.dart';
 import 'package:immich_mobile/platform/connectivity_api.g.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
 import 'package:immich_mobile/platform/local_image_api.g.dart';
-import 'package:immich_mobile/platform/network_api.g.dart';
 import 'package:immich_mobile/platform/remote_image_api.g.dart';
 
 final backgroundWorkerFgServiceProvider = Provider((_) => BackgroundWorkerFgService(BackgroundWorkerFgHostApi()));
@@ -21,5 +20,3 @@ final connectivityApiProvider = Provider<ConnectivityApi>((_) => ConnectivityApi
 final localImageApi = LocalImageApi();
 
 final remoteImageApi = RemoteImageApi();
-
-final networkApi = NetworkApi();

mobile/lib/providers/server_info.provider.dart

@@ -15,7 +15,7 @@ class ServerInfoNotifier extends StateNotifier<ServerInfo> {
     : super(
         const ServerInfo(
           serverVersion: ServerVersion(major: 0, minor: 0, patch: 0),
-          latestVersion: null,
+          latestVersion: ServerVersion(major: 0, minor: 0, patch: 0),
           serverFeatures: ServerFeatures(map: true, trash: true, oauthEnabled: false, passwordLogin: true),
           serverConfig: ServerConfig(
             trashDays: 30,
@@ -43,7 +43,7 @@ class ServerInfoNotifier extends StateNotifier<ServerInfo> {
     try {
       final serverVersion = await _serverInfoService.getServerVersion();
 
-      // using isClientOutOfDate since that will show to users regardless of if they are an admin
+      // using isClientOutOfDate since that will show to users reguardless of if they are an admin
       if (serverVersion == null) {
         state = state.copyWith(versionStatus: VersionStatus.error);
         return;
@@ -76,7 +76,7 @@ class ServerInfoNotifier extends StateNotifier<ServerInfo> {
     state = state.copyWith(versionStatus: VersionStatus.upToDate);
   }
 
-  handleReleaseInfo(ServerVersion serverVersion, ServerVersion? latestVersion) {
+  handleReleaseInfo(ServerVersion serverVersion, ServerVersion latestVersion) {
     // Update local server version
     _checkServerVersionMismatch(serverVersion, latestVersion: latestVersion);
   }

mobile/lib/utils/http_ssl_options.dart

@@ -1,20 +1,26 @@
 import 'dart:io';
 
+import 'package:flutter/services.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
+import 'package:logging/logging.dart';
 
 class HttpSSLOptions {
-  static void apply() {
+  static const MethodChannel _channel = MethodChannel('immich/httpSSLOptions');
+
+  static void apply({bool applyNative = true}) {
     AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
     bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);
-    return _apply(allowSelfSignedSSLCert);
+    _apply(allowSelfSignedSSLCert, applyNative: applyNative);
   }
 
-  static void applyFromSettings(bool newValue) => _apply(newValue);
+  static void applyFromSettings(bool newValue) {
+    _apply(newValue);
+  }
 
-  static void _apply(bool allowSelfSignedSSLCert) {
+  static void _apply(bool allowSelfSignedSSLCert, {bool applyNative = true}) {
     String? serverHost;
     if (allowSelfSignedSSLCert && Store.tryGet(StoreKey.currentUser) != null) {
       serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
@@ -23,5 +29,14 @@ class HttpSSLOptions {
     SSLClientCertStoreVal? clientCert = SSLClientCertStoreVal.load();
 
     HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, clientCert);
+
+    if (applyNative && Platform.isAndroid) {
+      _channel
+          .invokeMethod("apply", [allowSelfSignedSSLCert, serverHost, clientCert?.data, clientCert?.password])
+          .onError<PlatformException>((e, _) {
+            final log = Logger("HttpSSLOptions");
+            log.severe('Failed to set SSL options', e.message);
+          });
+    }
   }
 }

mobile/lib/utils/isolate.dart

@@ -54,7 +54,7 @@ Cancelable<T?> runInIsolateGentle<T>({
         Logger log = Logger("IsolateLogger");
 
         try {
-          HttpSSLOptions.apply();
+          HttpSSLOptions.apply(applyNative: false);
           result = await computation(ref);
         } on CanceledError {
           log.warning("Computation cancelled ${debugLabel == null ? '' : ' for $debugLabel'}");

mobile/lib/utils/migration.dart

@@ -23,8 +23,6 @@ import 'package:immich_mobile/infrastructure/entities/user.entity.dart';
 import 'package:immich_mobile/infrastructure/repositories/db.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/sync_stream.repository.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
-import 'package:immich_mobile/platform/network_api.g.dart';
-import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/utils/datetime_helpers.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
@@ -34,7 +32,7 @@ import 'package:isar/isar.dart';
 // ignore: import_rule_photo_manager
 import 'package:photo_manager/photo_manager.dart';
 
-const int targetVersion = 21;
+const int targetVersion = 20;
 
 Future<void> migrateDatabaseIfNeeded(Isar db, Drift drift) async {
   final hasVersion = Store.tryGet(StoreKey.version) != null;
@@ -93,13 +91,6 @@ Future<void> migrateDatabaseIfNeeded(Isar db, Drift drift) async {
     await _syncLocalAlbumIsIosSharedAlbum(drift);
   }
 
-  if (version < 21) {
-    final certData = SSLClientCertStoreVal.load();
-    if (certData != null) {
-      await networkApi.addCertificate(ClientCertData(data: certData.data, password: certData.password ?? ""));
-    }
-  }
-
   if (targetVersion >= 12) {
     await Store.put(StoreKey.version, targetVersion);
     return;

mobile/lib/widgets/common/app_bar_dialog/app_bar_server_info.dart

@@ -170,52 +170,50 @@ class AppBarServerInfo extends HookConsumerWidget {
                   ),
                 ],
               ),
-              if (serverInfoState.latestVersion != null) ...[
-                const Padding(padding: EdgeInsets.symmetric(horizontal: 10), child: Divider(thickness: 1)),
-                Row(
-                  mainAxisAlignment: MainAxisAlignment.spaceBetween,
-                  children: [
-                    Expanded(
-                      child: Padding(
-                        padding: const EdgeInsets.only(left: 10.0),
-                        child: Row(
-                          children: [
-                            if (serverInfoState.versionStatus == VersionStatus.serverOutOfDate)
-                              const Padding(
-                                padding: EdgeInsets.only(right: 5.0),
-                                child: Icon(Icons.info, color: Color.fromARGB(255, 243, 188, 106), size: 12),
-                              ),
-                            Text(
-                              "latest_version".tr(),
-                              style: TextStyle(
-                                fontSize: titleFontSize,
-                                color: context.textTheme.labelSmall?.color,
-                                fontWeight: FontWeight.w500,
-                              ),
+              const Padding(padding: EdgeInsets.symmetric(horizontal: 10), child: Divider(thickness: 1)),
+              Row(
+                mainAxisAlignment: MainAxisAlignment.spaceBetween,
+                children: [
+                  Expanded(
+                    child: Padding(
+                      padding: const EdgeInsets.only(left: 10.0),
+                      child: Row(
+                        children: [
+                          if (serverInfoState.versionStatus == VersionStatus.serverOutOfDate)
+                            const Padding(
+                              padding: EdgeInsets.only(right: 5.0),
+                              child: Icon(Icons.info, color: Color.fromARGB(255, 243, 188, 106), size: 12),
+                            ),
+                          Text(
+                            "latest_version".tr(),
+                            style: TextStyle(
+                              fontSize: titleFontSize,
+                              color: context.textTheme.labelSmall?.color,
+                              fontWeight: FontWeight.w500,
                             ),
-                          ],
-                        ),
-                      ),
-                    ),
-                    Expanded(
-                      flex: 0,
-                      child: Padding(
-                        padding: const EdgeInsets.only(right: 10.0),
-                        child: Text(
-                          serverInfoState.latestVersion!.major > 0
-                              ? "${serverInfoState.latestVersion!.major}.${serverInfoState.latestVersion!.minor}.${serverInfoState.latestVersion!.patch}"
-                              : "--",
-                          style: TextStyle(
-                            fontSize: contentFontSize,
-                            color: context.colorScheme.onSurfaceSecondary,
-                            fontWeight: FontWeight.bold,
                           ),
+                        ],
+                      ),
+                    ),
+                  ),
+                  Expanded(
+                    flex: 0,
+                    child: Padding(
+                      padding: const EdgeInsets.only(right: 10.0),
+                      child: Text(
+                        serverInfoState.latestVersion.major > 0
+                            ? "${serverInfoState.latestVersion.major}.${serverInfoState.latestVersion.minor}.${serverInfoState.latestVersion.patch}"
+                            : "--",
+                        style: TextStyle(
+                          fontSize: contentFontSize,
+                          color: context.colorScheme.onSurfaceSecondary,
+                          fontWeight: FontWeight.bold,
                         ),
                       ),
                     ),
-                  ],
-                ),
-              ],
+                  ),
+                ],
+              ),
             ],
           ),
         ),

mobile/lib/widgets/settings/ssl_client_cert_settings.dart

@@ -1,12 +1,14 @@
+import 'dart:io';
+
 import 'package:easy_localization/easy_localization.dart';
+import 'package:file_picker/file_picker.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/extensions/build_context_extensions.dart';
 import 'package:immich_mobile/extensions/theme_extensions.dart';
-import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
+import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
 import 'package:immich_mobile/utils/http_ssl_options.dart';
-import 'package:logging/logging.dart';
 
 class SslClientCertSettings extends StatefulWidget {
   const SslClientCertSettings({super.key, required this.isLoggedIn});
@@ -18,12 +20,10 @@ class SslClientCertSettings extends StatefulWidget {
 }
 
 class _SslClientCertSettingsState extends State<SslClientCertSettings> {
-  final _log = Logger("SslClientCertSettings");
+  _SslClientCertSettingsState() : isCertExist = SSLClientCertStoreVal.load() != null;
 
   bool isCertExist;
 
-  _SslClientCertSettingsState() : isCertExist = SSLClientCertStoreVal.load() != null;
-
   @override
   Widget build(BuildContext context) {
     return ListTile(
@@ -41,12 +41,16 @@ class _SslClientCertSettingsState extends State<SslClientCertSettings> {
           const SizedBox(height: 6),
           Row(
             mainAxisSize: MainAxisSize.max,
-            mainAxisAlignment: MainAxisAlignment.spaceEvenly,
+            mainAxisAlignment: MainAxisAlignment.center,
             crossAxisAlignment: CrossAxisAlignment.center,
             children: [
-              ElevatedButton(onPressed: widget.isLoggedIn ? null : importCert, child: Text("client_cert_import".tr())),
               ElevatedButton(
-                onPressed: widget.isLoggedIn || !isCertExist ? null : removeCert,
+                onPressed: widget.isLoggedIn ? null : () => importCert(context),
+                child: Text("client_cert_import".tr()),
+              ),
+              const SizedBox(width: 15),
+              ElevatedButton(
+                onPressed: widget.isLoggedIn || !isCertExist ? null : () async => await removeCert(context),
                 child: Text("remove".tr()),
               ),
             ],
@@ -56,42 +60,71 @@ class _SslClientCertSettingsState extends State<SslClientCertSettings> {
     );
   }
 
-  void showMessage(String message) {
-    context.showSnackBar(
-      SnackBar(
-        duration: const Duration(seconds: 3),
-        content: Text(message, style: context.textTheme.bodyLarge?.copyWith(color: context.primaryColor)),
+  void showMessage(BuildContext context, String message) {
+    showDialog(
+      context: context,
+      builder: (ctx) => AlertDialog(
+        content: Text(message),
+        actions: [TextButton(onPressed: () => ctx.pop(), child: Text("client_cert_dialog_msg_confirm".tr()))],
       ),
     );
   }
 
-  Future<void> importCert() async {
-    try {
-      final cert = await networkApi.selectCertificate();
-      await SSLClientCertStoreVal(cert.data, cert.password).save();
-      HttpSSLOptions.apply();
-      setState(() => isCertExist = true);
-      showMessage("client_cert_import_success_msg".tr());
-    } catch (e) {
-      if (_isCancellation(e)) return;
-      _log.severe("Error importing client cert", e);
-      showMessage("client_cert_invalid_msg".tr());
+  Future<void> storeCert(BuildContext context, Uint8List data, String? password) async {
+    if (password != null && password.isEmpty) {
+      password = null;
+    }
+    final cert = SSLClientCertStoreVal(data, password);
+    // Test whether the certificate is valid
+    final isCertValid = HttpSSLCertOverride.setClientCert(SecurityContext(withTrustedRoots: true), cert);
+    if (!isCertValid) {
+      showMessage(context, "client_cert_invalid_msg".tr());
+      return;
+    }
+    await cert.save();
+    HttpSSLOptions.apply();
+    setState(() => isCertExist = true);
+    showMessage(context, "client_cert_import_success_msg".tr());
+  }
+
+  void setPassword(BuildContext context, Uint8List data) {
+    final password = TextEditingController();
+    showDialog(
+      context: context,
+      barrierDismissible: false,
+      builder: (ctx) => AlertDialog(
+        content: TextField(
+          controller: password,
+          obscureText: true,
+          obscuringCharacter: "*",
+          decoration: InputDecoration(hintText: "client_cert_enter_password".tr()),
+        ),
+        actions: [
+          TextButton(
+            onPressed: () async => {ctx.pop(), await storeCert(context, data, password.text)},
+            child: Text("client_cert_dialog_msg_confirm".tr()),
+          ),
+        ],
+      ),
+    );
+  }
+
+  Future<void> importCert(BuildContext ctx) async {
+    FilePickerResult? res = await FilePicker.platform.pickFiles(
+      type: FileType.custom,
+      allowedExtensions: ['p12', 'pfx'],
+    );
+    if (res != null) {
+      File file = File(res.files.single.path!);
+      final bytes = await file.readAsBytes();
+      setPassword(ctx, bytes);
     }
   }
 
-  Future<void> removeCert() async {
-    try {
-      await networkApi.removeCertificate();
-      await SSLClientCertStoreVal.delete();
-      HttpSSLOptions.apply();
-      setState(() => isCertExist = false);
-      showMessage("client_cert_remove_msg".tr());
-    } catch (e) {
-      if (_isCancellation(e)) return;
-      _log.severe("Error removing client cert", e);
-      showMessage("client_cert_invalid_msg".tr());
-    }
+  Future<void> removeCert(BuildContext context) async {
+    await SSLClientCertStoreVal.delete();
+    HttpSSLOptions.apply();
+    setState(() => isCertExist = false);
+    showMessage(context, "client_cert_remove_msg".tr());
   }
-
-  bool _isCancellation(Object e) => e is PlatformException && e.code.toLowerCase().contains("cancel");
 }

mobile/makefile

@@ -12,14 +12,12 @@ pigeon:
 	dart run pigeon --input pigeon/background_worker_api.dart
 	dart run pigeon --input pigeon/background_worker_lock_api.dart
 	dart run pigeon --input pigeon/connectivity_api.dart
-	dart run pigeon --input pigeon/network_api.dart
 	dart format lib/platform/native_sync_api.g.dart
 	dart format lib/platform/local_image_api.g.dart
 	dart format lib/platform/remote_image_api.g.dart
 	dart format lib/platform/background_worker_api.g.dart
 	dart format lib/platform/background_worker_lock_api.g.dart
 	dart format lib/platform/connectivity_api.g.dart
-	dart format lib/platform/network_api.g.dart
 
 watch:
 	dart run build_runner watch --delete-conflicting-outputs

mobile/pigeon/network_api.dart

@@ -1,32 +0,0 @@
-import 'package:pigeon/pigeon.dart';
-
-class ClientCertData {
-  Uint8List data;
-  String password;
-
-  ClientCertData(this.data, this.password);
-}
-
-@ConfigurePigeon(
-  PigeonOptions(
-    dartOut: 'lib/platform/network_api.g.dart',
-    swiftOut: 'ios/Runner/Core/Network.g.swift',
-    swiftOptions: SwiftOptions(includeErrorClass: false),
-    kotlinOut:
-        'android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt',
-    kotlinOptions: KotlinOptions(package: 'app.alextran.immich.core', includeErrorClass: true),
-    dartOptions: DartOptions(),
-    dartPackageName: 'immich_mobile',
-  ),
-)
-@HostApi()
-abstract class NetworkApi {
-  @async
-  void addCertificate(ClientCertData clientData);
-
-  @async
-  ClientCertData selectCertificate();
-
-  @async
-  void removeCertificate();
-}

mobile/pubspec.lock

@@ -538,6 +538,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "7.0.1"
+  file_picker:
+    dependency: "direct main"
+    description:
+      name: file_picker
+      sha256: ab13ae8ef5580a411c458d6207b6774a6c237d77ac37011b13994879f68a8810
+      url: "https://pub.dev"
+    source: hosted
+    version: "8.3.7"
   file_selector_linux:
     dependency: transitive
     description:
@@ -1241,10 +1249,10 @@ packages:
     dependency: transitive
     description:
       name: meta
-      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
+      sha256: e3641ec5d63ebf0d9b41bd43201a66e3fc79a65db5f61fc181f04cd27aab950c
       url: "https://pub.dev"
     source: hosted
-    version: "1.17.0"
+    version: "1.16.0"
   mime:
     dependency: transitive
     description:
@@ -1934,10 +1942,10 @@ packages:
     dependency: transitive
     description:
       name: test_api
-      sha256: ab2726c1a94d3176a45960b6234466ec367179b87dd74f1611adb1f3b5fb9d55
+      sha256: "522f00f556e73044315fa4585ec3270f1808a4b186c936e612cab0b565ff1e00"
       url: "https://pub.dev"
     source: hosted
-    version: "0.7.7"
+    version: "0.7.6"
   thumbhash:
     dependency: "direct main"
     description:

mobile/pubspec.yaml

@@ -26,6 +26,7 @@ dependencies:
   dynamic_color: ^1.8.1
   easy_localization: ^3.0.8
   ffi: ^2.1.4
+  file_picker: ^8.0.0+1
   flutter:
     sdk: flutter
   flutter_cache_manager: ^3.4.1

web/src/lib/components/user-settings-page/PinCodeChangeForm.svelte

@@ -5,7 +5,6 @@
   import { changePinCode } from '@immich/sdk';
   import { Button, Heading, modalManager, Text, toastManager } from '@immich/ui';
   import { t } from 'svelte-i18n';
-  import { fade } from 'svelte/transition';
 
   let currentPinCode = $state('');
   let newPinCode = $state('');
@@ -38,27 +37,23 @@
   };
 </script>
 
-<section class="my-4">
-  <div in:fade={{ duration: 200 }}>
-    <form autocomplete="off" onsubmit={handleSubmit} class="mt-6">
-      <div class="flex flex-col gap-6 place-items-center place-content-center">
-        <Heading>{$t('change_pin_code')}</Heading>
-        <PinCodeInput label={$t('current_pin_code')} bind:value={currentPinCode} tabindexStart={1} pinLength={6} />
-        <PinCodeInput label={$t('new_pin_code')} bind:value={newPinCode} tabindexStart={7} pinLength={6} />
-        <PinCodeInput label={$t('confirm_new_pin_code')} bind:value={confirmPinCode} tabindexStart={13} pinLength={6} />
-        <button type="button" onclick={() => modalManager.show(PinCodeResetModal, {})}>
-          <Text color="muted" class="underline" size="small">{$t('forgot_pin_code_question')}</Text>
-        </button>
-      </div>
-
-      <div class="flex justify-end gap-2 mt-4">
-        <Button shape="round" color="secondary" type="button" size="small" onclick={resetForm}>
-          {$t('clear')}
-        </Button>
-        <Button shape="round" type="submit" size="small" loading={isLoading} disabled={!canSubmit}>
-          {$t('save')}
-        </Button>
-      </div>
-    </form>
+<form autocomplete="off" onsubmit={handleSubmit}>
+  <div class="flex flex-col gap-6 place-items-center place-content-center">
+    <Heading>{$t('change_pin_code')}</Heading>
+    <PinCodeInput label={$t('current_pin_code')} bind:value={currentPinCode} tabindexStart={1} pinLength={6} />
+    <PinCodeInput label={$t('new_pin_code')} bind:value={newPinCode} tabindexStart={7} pinLength={6} />
+    <PinCodeInput label={$t('confirm_new_pin_code')} bind:value={confirmPinCode} tabindexStart={13} pinLength={6} />
+    <button type="button" onclick={() => modalManager.show(PinCodeResetModal, {})}>
+      <Text color="muted" class="underline" size="small">{$t('forgot_pin_code_question')}</Text>
+    </button>
   </div>
-</section>
+
+  <div class="flex justify-end gap-2 mt-4">
+    <Button shape="round" color="secondary" type="button" size="small" onclick={resetForm}>
+      {$t('clear')}
+    </Button>
+    <Button shape="round" type="submit" size="small" loading={isLoading} disabled={!canSubmit}>
+      {$t('save')}
+    </Button>
+  </div>
+</form>

web/src/lib/components/user-settings-page/PinCodeSettings.svelte

@@ -20,7 +20,7 @@
 
 <OnEvents {onUserPinCodeReset} />
 
-<section>
+<section class="my-4 sm:ms-8">
   {#if hasPinCode}
     <div in:fade={{ duration: 200 }}>
       <PinCodeChangeForm />

web/src/lib/components/user-settings-page/app-settings.svelte

@@ -59,7 +59,7 @@
 
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
-    <div class="ms-8 mt-4 flex flex-col gap-6">
+    <div class="sm:ms-8 flex flex-col gap-6">
       <Field label={$t('theme_selection')} description={$t('theme_selection_description')}>
         <Switch checked={themeManager.theme.system} onCheckedChange={(checked) => themeManager.setSystem(checked)} />
       </Field>

web/src/lib/components/user-settings-page/change-password-settings.svelte

@@ -23,7 +23,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col gap-4">
+      <div class="sm:ms-8 flex flex-col gap-4">
         <Field label={$t('password')} required>
           <PasswordInput bind:value={password} autocomplete="current-password" />
         </Field>

web/src/lib/components/user-settings-page/device-list.svelte

@@ -3,6 +3,7 @@
   import { deleteAllSessions, deleteSession, getSessions, type SessionResponseDto } from '@immich/sdk';
   import { Button, modalManager, Text, toastManager } from '@immich/ui';
   import { t } from 'svelte-i18n';
+  import { fade } from 'svelte/transition';
   import DeviceCard from './device-card.svelte';
 
   interface Props {
@@ -50,33 +51,39 @@
 </script>
 
 <section class="my-4">
-  {#if currentSession}
-    <div class="mb-6">
-      <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
-        {$t('current_device')}
-      </Text>
-      <DeviceCard session={currentSession} />
-    </div>
-  {/if}
-  {#if otherSessions.length > 0}
-    <div class="mb-6">
-      <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
-        {$t('other_devices')}
-      </Text>
-      {#each otherSessions as session, index (session.id)}
-        <DeviceCard {session} onDelete={() => handleDelete(session)} />
-        {#if index !== otherSessions.length - 1}
-          <hr class="my-3" />
-        {/if}
-      {/each}
-    </div>
+  <div in:fade={{ duration: 500 }}>
+    <div class="sm:ms-8 flex flex-col gap-4">
+      {#if currentSession}
+        <div class="mb-6">
+          <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
+            {$t('current_device')}
+          </Text>
+          <DeviceCard session={currentSession} />
+        </div>
+      {/if}
+      {#if otherSessions.length > 0}
+        <div class="mb-6">
+          <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
+            {$t('other_devices')}
+          </Text>
+          {#each otherSessions as session, index (session.id)}
+            <DeviceCard {session} onDelete={() => handleDelete(session)} />
+            {#if index !== otherSessions.length - 1}
+              <hr class="my-3" />
+            {/if}
+          {/each}
+        </div>
 
-    <div class="my-3">
-      <hr />
-    </div>
+        <div class="my-3">
+          <hr />
+        </div>
 
-    <div class="flex justify-end">
-      <Button shape="round" color="danger" size="small" onclick={handleDeleteAll}>{$t('log_out_all_devices')}</Button>
+        <div class="flex justify-end">
+          <Button shape="round" color="danger" size="small" onclick={handleDeleteAll}
+            >{$t('log_out_all_devices')}</Button
+          >
+        </div>
+      {/if}
     </div>
-  {/if}
+  </div>
 </section>

web/src/lib/components/user-settings-page/download-settings.svelte

@@ -39,7 +39,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col gap-4">
+      <div class="sm:ms-8 flex flex-col gap-4">
         <SettingInputField
           inputType={SettingInputFieldType.NUMBER}
           label={$t('archive_size')}

web/src/lib/components/user-settings-page/feature-settings.svelte

@@ -67,9 +67,9 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col">
+      <div class="sm:ms-4 md:ms-8 flex flex-col">
         <SettingAccordion key="albums" title={$t('albums')} subtitle={$t('albums_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('albums_default_sort_order')} description={$t('albums_default_sort_order_description')}>
               <Select
                 options={[
@@ -83,7 +83,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="folders" title={$t('folders')} subtitle={$t('folders_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={foldersEnabled} />
             </Field>
@@ -97,7 +97,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="memories" title={$t('time_based_memories')} subtitle={$t('photos_from_previous_years')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={memoriesEnabled} />
             </Field>
@@ -109,7 +109,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="people" title={$t('people')} subtitle={$t('people_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={peopleEnabled} />
             </Field>
@@ -123,7 +123,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="rating" title={$t('rating')} subtitle={$t('rating_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={ratingsEnabled} />
             </Field>
@@ -131,7 +131,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="shared-links" title={$t('shared_links')} subtitle={$t('shared_links_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={sharedLinksEnabled} />
             </Field>
@@ -145,7 +145,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="tags" title={$t('tags')} subtitle={$t('tag_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={tagsEnabled} />
             </Field>
@@ -159,7 +159,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="cast" title={$t('cast')} subtitle={$t('cast_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('gcast_enabled')} description={$t('gcast_enabled_description')}>
               <Switch bind:checked={gCastEnabled} />
             </Field>

web/src/lib/components/user-settings-page/notifications-settings.svelte

@@ -42,7 +42,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col gap-6">
+      <div class="sm:ms-8 flex flex-col gap-6">
         <Field label={$t('enable')} description={$t('notification_toggle_setting_description')}>
           <Switch bind:checked={emailNotificationsEnabled} />
         </Field>

web/src/lib/components/user-settings-page/oauth-settings.svelte

@@ -45,7 +45,7 @@
 
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
-    <div class="flex justify-end">
+    <div class="sm:ms-8 flex justify-end">
       {#if loading}
         <div class="flex place-content-center place-items-center">
           <LoadingSpinner />

web/src/lib/components/user-settings-page/user-api-key-list.svelte

@@ -33,7 +33,7 @@
 <OnEvents {onApiKeyCreate} {onApiKeyUpdate} {onApiKeyDelete} />
 
 <section class="my-4">
-  <div class="flex flex-col gap-2" in:fade={{ duration: 500 }}>
+  <div class="sm:ms-8 flex flex-col gap-2" in:fade={{ duration: 500 }}>
     <div class="mb-2 flex justify-end">
       <Button leadingIcon={Create.icon} shape="round" size="small" onclick={() => Create.onAction(Create)}>
         {Create.title}

web/src/lib/components/user-settings-page/user-profile-settings.svelte

@@ -33,7 +33,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" onsubmit={preventDefault(bubble('submit'))}>
-      <div class="ms-4 mt-4 flex flex-col gap-4">
+      <div class="sm:ms-8 flex flex-col gap-4">
         <Field label={$t('user_id')} disabled>
           <Input bind:value={editedUser.id} />
         </Field>

web/src/lib/components/user-settings-page/user-purchase-settings.svelte

@@ -105,7 +105,7 @@
 </script>
 
 <section class="my-4">
-  <div in:fade={{ duration: 500 }}>
+  <div class="sm:ms-8" in:fade={{ duration: 500 }}>
     {#if $isPurchased}
       <!-- BADGE TOGGLE -->
       <div class="mb-4">

web/src/lib/components/user-settings-page/user-usage-statistic.svelte

@@ -65,7 +65,7 @@
   </TableRow>
 {/snippet}
 
-<section class="my-6 w-full">
+<section class="my-4 w-full">
   <Heading size="tiny">{$t('photos_and_videos')}</Heading>
   <Table striped spacing="small" class="mt-4" size="small">
     <TableHeader>