chore: release v2.5.3

.github/workflows/test.yml

@@ -591,9 +591,9 @@ jobs:
       - name: Lint with ruff
         run: |
           uv run ruff check --output-format=github immich_ml
-      - name: Check black formatting
+      - name: Format with ruff
         run: |
-          uv run black --check immich_ml
+          uv run ruff format --check immich_ml
       - name: Run mypy type checking
         run: |
           uv run mypy --strict immich_ml/

CHANGELOG.md

@@ -0,0 +1,34 @@
+
+# v2.5.3
+
+## Highlights
+
+{{RELEASE HIGHLIGHTS}}
+
+As always, please consider supporting the project.
+
+🎉 Cheers! 🎉
+
+
+----
+
+And as always, bugs are fixed, and many other improvements also come with this release.
+
+<!-- Release notes generated using configuration in .github/release.yml at main -->
+
+## What's Changed
+### 🐛 Bug fixes
+* chore: remove random code snippet by @jrasm91 in https://github.com/immich-app/immich/pull/25677
+* fix: reset and unsaved change states in editor by @bwees in https://github.com/immich-app/immich/pull/25588
+* fix: no notification if release check is disabled by @jrasm91 in https://github.com/immich-app/immich/pull/25688
+* fix(mobile): hide latest version if disabled by @uhthomas in https://github.com/immich-app/immich/pull/25691
+* fix(web): enable asset viewer navigation across memory boundaries by @midzelis in https://github.com/immich-app/immich/pull/25741
+### 📚 Documentation
+* docs(openapi): Add descriptions to OpenAPI specification by @timonrieger in https://github.com/immich-app/immich/pull/25185
+* fix(docs): clarify supported vector version  by @mmomjian in https://github.com/immich-app/immich/pull/25753
+
+
+**Full Changelog**: https://github.com/immich-app/immich/compare/v2.5.2...v2.5.3
+
+---
+

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@immich/cli",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "Command Line Interface (CLI) for Immich",
   "type": "module",
   "exports": "./dist/index.js",

docs/static/archived-versions.json

@@ -1,7 +1,7 @@
 [
   {
-    "label": "v2.5.2",
-    "url": "https://docs.v2.5.2.archive.immich.app"
+    "label": "v2.5.3",
+    "url": "https://docs.v2.5.3.archive.immich.app"
   },
   {
     "label": "v2.4.1",

e2e/package.json

@@ -1,6 +1,6 @@
 {
   "name": "immich-e2e",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "",
   "main": "index.js",
   "type": "module",

e2e/src/generators/memory.ts

@@ -0,0 +1,2 @@
+export { generateMemoriesFromTimeline, generateMemory } from './memory/model-objects';
+export type { MemoryConfig, MemoryYearConfig } from './memory/model-objects';

e2e/src/generators/memory/model-objects.ts

@@ -0,0 +1,84 @@
+import { faker } from '@faker-js/faker';
+import { MemoryType, type MemoryResponseDto, type OnThisDayDto } from '@immich/sdk';
+import { DateTime } from 'luxon';
+import { toAssetResponseDto } from 'src/generators/timeline/rest-response';
+import type { MockTimelineAsset } from 'src/generators/timeline/timeline-config';
+import { SeededRandom, selectRandomMultiple } from 'src/generators/timeline/utils';
+
+export type MemoryConfig = {
+  id?: string;
+  ownerId: string;
+  year: number;
+  memoryAt: string;
+  isSaved?: boolean;
+};
+
+export type MemoryYearConfig = {
+  year: number;
+  assetCount: number;
+};
+
+export function generateMemory(config: MemoryConfig, assets: MockTimelineAsset[]): MemoryResponseDto {
+  const now = new Date().toISOString();
+  const memoryId = config.id ?? faker.string.uuid();
+
+  return {
+    id: memoryId,
+    assets: assets.map((asset) => toAssetResponseDto(asset)),
+    data: { year: config.year } as OnThisDayDto,
+    memoryAt: config.memoryAt,
+    createdAt: now,
+    updatedAt: now,
+    isSaved: config.isSaved ?? false,
+    ownerId: config.ownerId,
+    type: MemoryType.OnThisDay,
+  };
+}
+
+export function generateMemoriesFromTimeline(
+  timelineAssets: MockTimelineAsset[],
+  ownerId: string,
+  memoryConfigs: MemoryYearConfig[],
+  seed: number = 42,
+): MemoryResponseDto[] {
+  const rng = new SeededRandom(seed);
+  const memories: MemoryResponseDto[] = [];
+  const usedAssetIds = new Set<string>();
+
+  for (const config of memoryConfigs) {
+    const yearAssets = timelineAssets.filter((asset) => {
+      const assetYear = DateTime.fromISO(asset.fileCreatedAt).year;
+      return assetYear === config.year && !usedAssetIds.has(asset.id);
+    });
+
+    if (yearAssets.length === 0) {
+      continue;
+    }
+
+    const countToSelect = Math.min(config.assetCount, yearAssets.length);
+    const selectedAssets = selectRandomMultiple(yearAssets, countToSelect, rng);
+
+    for (const asset of selectedAssets) {
+      usedAssetIds.add(asset.id);
+    }
+
+    selectedAssets.sort(
+      (a, b) => DateTime.fromISO(b.fileCreatedAt).diff(DateTime.fromISO(a.fileCreatedAt)).milliseconds,
+    );
+
+    const memoryAt = DateTime.now().set({ year: config.year }).toISO()!;
+
+    memories.push(
+      generateMemory(
+        {
+          ownerId,
+          year: config.year,
+          memoryAt,
+        },
+        selectedAssets,
+      ),
+    );
+  }
+
+  return memories;
+}

e2e/src/mock-network/memory-network.ts

@@ -0,0 +1,65 @@
+import type { MemoryResponseDto } from '@immich/sdk';
+import { BrowserContext } from '@playwright/test';
+
+export type MemoryChanges = {
+  memoryDeletions: string[];
+  assetRemovals: Map<string, string[]>;
+};
+
+export const setupMemoryMockApiRoutes = async (
+  context: BrowserContext,
+  memories: MemoryResponseDto[],
+  changes: MemoryChanges,
+) => {
+  await context.route('**/api/memories*', async (route, request) => {
+    const url = new URL(request.url());
+    const pathname = url.pathname;
+
+    if (pathname === '/api/memories' && request.method() === 'GET') {
+      const activeMemories = memories
+        .filter((memory) => !changes.memoryDeletions.includes(memory.id))
+        .map((memory) => {
+          const removedAssets = changes.assetRemovals.get(memory.id) ?? [];
+          return {
+            ...memory,
+            assets: memory.assets.filter((asset) => !removedAssets.includes(asset.id)),
+          };
+        })
+        .filter((memory) => memory.assets.length > 0);
+
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: activeMemories,
+      });
+    }
+
+    const memoryMatch = pathname.match(/\/api\/memories\/([^/]+)$/);
+    if (memoryMatch && request.method() === 'GET') {
+      const memoryId = memoryMatch[1];
+      const memory = memories.find((m) => m.id === memoryId);
+
+      if (!memory || changes.memoryDeletions.includes(memoryId)) {
+        return route.fulfill({ status: 404 });
+      }
+
+      const removedAssets = changes.assetRemovals.get(memoryId) ?? [];
+      return route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        json: {
+          ...memory,
+          assets: memory.assets.filter((asset) => !removedAssets.includes(asset.id)),
+        },
+      });
+    }
+
+    if (/\/api\/memories\/([^/]+)$/.test(pathname) && request.method() === 'DELETE') {
+      const memoryId = pathname.split('/').pop()!;
+      changes.memoryDeletions.push(memoryId);
+      return route.fulfill({ status: 204 });
+    }
+
+    await route.fallback();
+  });
+};

e2e/src/web/specs/memory/memory-viewer.ui-spec.ts

@@ -0,0 +1,289 @@
+import { faker } from '@faker-js/faker';
+import type { MemoryResponseDto } from '@immich/sdk';
+import { test } from '@playwright/test';
+import { generateMemoriesFromTimeline } from 'src/generators/memory';
+import {
+  Changes,
+  createDefaultTimelineConfig,
+  generateTimelineData,
+  TimelineAssetConfig,
+  TimelineData,
+} from 'src/generators/timeline';
+import { setupBaseMockApiRoutes } from 'src/mock-network/base-network';
+import { MemoryChanges, setupMemoryMockApiRoutes } from 'src/mock-network/memory-network';
+import { setupTimelineMockApiRoutes, TimelineTestContext } from 'src/mock-network/timeline-network';
+import { memoryAssetViewerUtils, memoryGalleryUtils, memoryViewerUtils } from 'src/web/specs/memory/utils';
+
+test.describe.configure({ mode: 'parallel' });
+
+test.describe('Memory Viewer - Gallery Asset Viewer Navigation', () => {
+  let adminUserId: string;
+  let timelineRestData: TimelineData;
+  let memories: MemoryResponseDto[];
+  const assets: TimelineAssetConfig[] = [];
+  const testContext = new TimelineTestContext();
+  const changes: Changes = {
+    albumAdditions: [],
+    assetDeletions: [],
+    assetArchivals: [],
+    assetFavorites: [],
+  };
+  const memoryChanges: MemoryChanges = {
+    memoryDeletions: [],
+    assetRemovals: new Map(),
+  };
+
+  test.beforeAll(async () => {
+    adminUserId = faker.string.uuid();
+    testContext.adminId = adminUserId;
+
+    timelineRestData = generateTimelineData({
+      ...createDefaultTimelineConfig(),
+      ownerId: adminUserId,
+    });
+
+    for (const timeBucket of timelineRestData.buckets.values()) {
+      assets.push(...timeBucket);
+    }
+
+    memories = generateMemoriesFromTimeline(
+      assets,
+      adminUserId,
+      [
+        { year: 2024, assetCount: 3 },
+        { year: 2023, assetCount: 2 },
+        { year: 2022, assetCount: 4 },
+      ],
+      42,
+    );
+  });
+
+  test.beforeEach(async ({ context }) => {
+    await setupBaseMockApiRoutes(context, adminUserId);
+    await setupTimelineMockApiRoutes(context, timelineRestData, changes, testContext);
+    await setupMemoryMockApiRoutes(context, memories, memoryChanges);
+  });
+
+  test.afterEach(() => {
+    testContext.slowBucket = false;
+    changes.albumAdditions = [];
+    changes.assetDeletions = [];
+    changes.assetArchivals = [];
+    changes.assetFavorites = [];
+    memoryChanges.memoryDeletions = [];
+    memoryChanges.assetRemovals.clear();
+  });
+
+  test.describe('Asset viewer navigation from gallery', () => {
+    test('shows both prev/next buttons for middle asset within a memory', async ({ page }) => {
+      const firstMemory = memories[0];
+      const middleAsset = firstMemory.assets[1];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, middleAsset.id);
+      await memoryGalleryUtils.clickThumbnail(page, middleAsset.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, middleAsset);
+
+      await memoryAssetViewerUtils.expectPreviousButtonVisible(page);
+      await memoryAssetViewerUtils.expectNextButtonVisible(page);
+    });
+
+    test('shows next button when at last asset of first memory (next memory exists)', async ({ page }) => {
+      const firstMemory = memories[0];
+      const lastAssetOfFirstMemory = firstMemory.assets.at(-1)!;
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, lastAssetOfFirstMemory.id);
+      await memoryGalleryUtils.clickThumbnail(page, lastAssetOfFirstMemory.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, lastAssetOfFirstMemory);
+
+      await memoryAssetViewerUtils.expectNextButtonVisible(page);
+      await memoryAssetViewerUtils.expectPreviousButtonVisible(page);
+    });
+
+    test('shows prev button when at first asset of last memory (prev memory exists)', async ({ page }) => {
+      const lastMemory = memories.at(-1)!;
+      const firstAssetOfLastMemory = lastMemory.assets[0];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, firstAssetOfLastMemory.id);
+      await memoryGalleryUtils.clickThumbnail(page, firstAssetOfLastMemory.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, firstAssetOfLastMemory);
+
+      await memoryAssetViewerUtils.expectPreviousButtonVisible(page);
+      await memoryAssetViewerUtils.expectNextButtonVisible(page);
+    });
+
+    test('can navigate from last asset of memory to first asset of next memory', async ({ page }) => {
+      const firstMemory = memories[0];
+      const secondMemory = memories[1];
+      const lastAssetOfFirst = firstMemory.assets.at(-1)!;
+      const firstAssetOfSecond = secondMemory.assets[0];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, lastAssetOfFirst.id);
+      await memoryGalleryUtils.clickThumbnail(page, lastAssetOfFirst.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, lastAssetOfFirst);
+
+      await memoryAssetViewerUtils.clickNextButton(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, firstAssetOfSecond);
+
+      await memoryAssetViewerUtils.expectCurrentAssetId(page, firstAssetOfSecond.id);
+    });
+
+    test('can navigate from first asset of memory to last asset of previous memory', async ({ page }) => {
+      const firstMemory = memories[0];
+      const secondMemory = memories[1];
+      const lastAssetOfFirst = firstMemory.assets.at(-1)!;
+      const firstAssetOfSecond = secondMemory.assets[0];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, firstAssetOfSecond.id);
+      await memoryGalleryUtils.clickThumbnail(page, firstAssetOfSecond.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, firstAssetOfSecond);
+
+      await memoryAssetViewerUtils.clickPreviousButton(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, lastAssetOfFirst);
+    });
+
+    test('hides prev button at very first asset (first memory, first asset, no prev memory)', async ({ page }) => {
+      const firstMemory = memories[0];
+      const veryFirstAsset = firstMemory.assets[0];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, veryFirstAsset.id);
+      await memoryGalleryUtils.clickThumbnail(page, veryFirstAsset.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, veryFirstAsset);
+
+      await memoryAssetViewerUtils.expectPreviousButtonNotVisible(page);
+      await memoryAssetViewerUtils.expectNextButtonVisible(page);
+    });
+
+    test('hides next button at very last asset (last memory, last asset, no next memory)', async ({ page }) => {
+      const lastMemory = memories.at(-1)!;
+      const veryLastAsset = lastMemory.assets.at(-1)!;
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, veryLastAsset.id);
+      await memoryGalleryUtils.clickThumbnail(page, veryLastAsset.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, veryLastAsset);
+
+      await memoryAssetViewerUtils.expectNextButtonNotVisible(page);
+      await memoryAssetViewerUtils.expectPreviousButtonVisible(page);
+    });
+  });
+
+  test.describe('Keyboard navigation', () => {
+    test('ArrowLeft navigates to previous asset across memory boundary', async ({ page }) => {
+      const firstMemory = memories[0];
+      const secondMemory = memories[1];
+      const lastAssetOfFirst = firstMemory.assets.at(-1)!;
+      const firstAssetOfSecond = secondMemory.assets[0];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, firstAssetOfSecond.id);
+      await memoryGalleryUtils.clickThumbnail(page, firstAssetOfSecond.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, firstAssetOfSecond);
+
+      await page.keyboard.press('ArrowLeft');
+      await memoryAssetViewerUtils.waitForAssetLoad(page, lastAssetOfFirst);
+    });
+
+    test('ArrowRight navigates to next asset across memory boundary', async ({ page }) => {
+      const firstMemory = memories[0];
+      const secondMemory = memories[1];
+      const lastAssetOfFirst = firstMemory.assets.at(-1)!;
+      const firstAssetOfSecond = secondMemory.assets[0];
+
+      await memoryViewerUtils.openMemoryPageWithAsset(page, lastAssetOfFirst.id);
+      await memoryGalleryUtils.clickThumbnail(page, lastAssetOfFirst.id);
+
+      await memoryAssetViewerUtils.waitForViewerOpen(page);
+      await memoryAssetViewerUtils.waitForAssetLoad(page, lastAssetOfFirst);
+
+      await page.keyboard.press('ArrowRight');
+      await memoryAssetViewerUtils.waitForAssetLoad(page, firstAssetOfSecond);
+    });
+  });
+});
+
+test.describe('Memory Viewer - Single Asset Memory Edge Cases', () => {
+  let adminUserId: string;
+  let timelineRestData: TimelineData;
+  let memories: MemoryResponseDto[];
+  const assets: TimelineAssetConfig[] = [];
+  const testContext = new TimelineTestContext();
+  const changes: Changes = {
+    albumAdditions: [],
+    assetDeletions: [],
+    assetArchivals: [],
+    assetFavorites: [],
+  };
+  const memoryChanges: MemoryChanges = {
+    memoryDeletions: [],
+    assetRemovals: new Map(),
+  };
+
+  test.beforeAll(async () => {
+    adminUserId = faker.string.uuid();
+    testContext.adminId = adminUserId;
+
+    timelineRestData = generateTimelineData({
+      ...createDefaultTimelineConfig(),
+      ownerId: adminUserId,
+    });
+
+    for (const timeBucket of timelineRestData.buckets.values()) {
+      assets.push(...timeBucket);
+    }
+
+    memories = generateMemoriesFromTimeline(
+      assets,
+      adminUserId,
+      [
+        { year: 2024, assetCount: 2 },
+        { year: 2023, assetCount: 1 },
+        { year: 2022, assetCount: 2 },
+      ],
+      123,
+    );
+  });
+
+  test.beforeEach(async ({ context }) => {
+    await setupBaseMockApiRoutes(context, adminUserId);
+    await setupTimelineMockApiRoutes(context, timelineRestData, changes, testContext);
+    await setupMemoryMockApiRoutes(context, memories, memoryChanges);
+  });
+
+  test.afterEach(() => {
+    testContext.slowBucket = false;
+    changes.albumAdditions = [];
+    changes.assetDeletions = [];
+    changes.assetArchivals = [];
+    changes.assetFavorites = [];
+    memoryChanges.memoryDeletions = [];
+    memoryChanges.assetRemovals.clear();
+  });
+
+  test('single asset memory shows both prev/next when surrounded by other memories', async ({ page }) => {
+    const singleAssetMemory = memories[1];
+    const singleAsset = singleAssetMemory.assets[0];
+
+    await memoryViewerUtils.openMemoryPageWithAsset(page, singleAsset.id);
+    await memoryGalleryUtils.clickThumbnail(page, singleAsset.id);
+
+    await memoryAssetViewerUtils.waitForViewerOpen(page);
+    await memoryAssetViewerUtils.waitForAssetLoad(page, singleAsset);
+
+    await memoryAssetViewerUtils.expectPreviousButtonVisible(page);
+    await memoryAssetViewerUtils.expectNextButtonVisible(page);
+  });
+});

e2e/src/web/specs/memory/utils.ts

@@ -0,0 +1,123 @@
+import type { AssetResponseDto } from '@immich/sdk';
+import { expect, Page } from '@playwright/test';
+
+function getAssetIdFromUrl(url: URL): string | null {
+  const pathMatch = url.pathname.match(/\/memory\/photos\/([^/]+)/);
+  if (pathMatch) {
+    return pathMatch[1];
+  }
+  return url.searchParams.get('id');
+}
+
+export const memoryViewerUtils = {
+  locator(page: Page) {
+    return page.locator('#memory-viewer');
+  },
+
+  async waitForMemoryLoad(page: Page) {
+    await expect(this.locator(page)).toBeVisible();
+    await expect(page.locator('#memory-viewer img').first()).toBeVisible();
+  },
+
+  async openMemoryPage(page: Page) {
+    await page.goto('/memory');
+    await this.waitForMemoryLoad(page);
+  },
+
+  async openMemoryPageWithAsset(page: Page, assetId: string) {
+    await page.goto(`/memory?id=${assetId}`);
+    await this.waitForMemoryLoad(page);
+  },
+};
+
+export const memoryGalleryUtils = {
+  locator(page: Page) {
+    return page.locator('#gallery-memory');
+  },
+
+  thumbnailWithAssetId(page: Page, assetId: string) {
+    return page.locator(`#gallery-memory [data-thumbnail-focus-container][data-asset="${assetId}"]`);
+  },
+
+  async scrollToGallery(page: Page) {
+    const showGalleryButton = page.getByLabel('Show gallery');
+    if (await showGalleryButton.isVisible()) {
+      await showGalleryButton.click();
+    }
+    await expect(this.locator(page)).toBeInViewport();
+  },
+
+  async clickThumbnail(page: Page, assetId: string) {
+    await this.scrollToGallery(page);
+    await this.thumbnailWithAssetId(page, assetId).click();
+  },
+
+  async getAllThumbnails(page: Page) {
+    await this.scrollToGallery(page);
+    return page.locator('#gallery-memory [data-thumbnail-focus-container]');
+  },
+};
+
+export const memoryAssetViewerUtils = {
+  locator(page: Page) {
+    return page.locator('#immich-asset-viewer');
+  },
+
+  async waitForViewerOpen(page: Page) {
+    await expect(this.locator(page)).toBeVisible();
+  },
+
+  async waitForAssetLoad(page: Page, asset: AssetResponseDto) {
+    const viewer = this.locator(page);
+    const imgLocator = viewer.locator(`img[draggable="false"][src*="/api/assets/${asset.id}/thumbnail?size=preview"]`);
+    const videoLocator = viewer.locator(`video[poster*="/api/assets/${asset.id}/thumbnail?size=preview"]`);
+
+    await imgLocator.or(videoLocator).waitFor({ timeout: 10_000 });
+  },
+
+  nextButton(page: Page) {
+    return page.getByLabel('View next asset');
+  },
+
+  previousButton(page: Page) {
+    return page.getByLabel('View previous asset');
+  },
+
+  async expectNextButtonVisible(page: Page) {
+    await expect(this.nextButton(page)).toBeVisible();
+  },
+
+  async expectNextButtonNotVisible(page: Page) {
+    await expect(this.nextButton(page)).toHaveCount(0);
+  },
+
+  async expectPreviousButtonVisible(page: Page) {
+    await expect(this.previousButton(page)).toBeVisible();
+  },
+
+  async expectPreviousButtonNotVisible(page: Page) {
+    await expect(this.previousButton(page)).toHaveCount(0);
+  },
+
+  async clickNextButton(page: Page) {
+    await this.nextButton(page).click();
+  },
+
+  async clickPreviousButton(page: Page) {
+    await this.previousButton(page).click();
+  },
+
+  async closeViewer(page: Page) {
+    await page.keyboard.press('Escape');
+    await expect(this.locator(page)).not.toBeVisible();
+  },
+
+  getCurrentAssetId(page: Page): string | null {
+    const url = new URL(page.url());
+    return getAssetIdFromUrl(url);
+  },
+
+  async expectCurrentAssetId(page: Page, expectedAssetId: string) {
+    await expect.poll(() => this.getCurrentAssetId(page)).toBe(expectedAssetId);
+  },
+};

i18n/en.json

@@ -782,8 +782,6 @@
   "client_cert_import": "Import",
   "client_cert_import_success_msg": "Client certificate is imported",
   "client_cert_invalid_msg": "Invalid certificate file or wrong password",
-  "client_cert_password_message": "Enter the password for this certificate",
-  "client_cert_password_title": "Certificate Password",
   "client_cert_remove_msg": "Client certificate is removed",
   "client_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate import/removal is available only before login",
   "client_cert_title": "SSL client certificate [EXPERIMENTAL]",

i18n/package.json

@@ -1,6 +1,6 @@
 {
   "name": "immich-i18n",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "private": true,
   "scripts": {
     "format": "prettier --check .",

machine-learning/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "immich-ml"
-version = "2.5.2"
+version = "2.5.3"
 description = ""
 authors = [{ name = "Hau Tran", email = "alex.tran1502@gmail.com" }]
 requires-python = ">=3.11,<4.0"
@@ -41,7 +41,6 @@ types = [
     "types-ujson>=5.10.0.20240515",
 ]
 lint = [
-    "black>=23.3.0",
     "mypy>=1.3.0",
     "ruff>=0.0.272",
     { include-group = "types" },
@@ -93,9 +92,5 @@ target-version = "py311"
 select = ["E", "F", "I"]
 per-file-ignores = { "test_main.py" = ["F403"] }
 
-[tool.black]
-line-length = 120
-target-version = ['py311']
-
 [tool.pytest.ini_options]
 markers = ["providers", "ov_device_ids"]

machine-learning/uv.lock

@@ -85,43 +85,6 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/99/37/e8730c3587a65eb5645d4aba2d27aae48e8003614d6aaf15dda67f702f1f/bidict-0.23.1-py3-none-any.whl", hash = "sha256:5dae8d4d79b552a71cbabc7deb25dfe8ce710b17ff41711e13010ead2abfc3e5", size = 32764, upload-time = "2024-02-18T19:09:04.156Z" },
 ]
 
-[[package]]
-name = "black"
-version = "25.12.0"
-source = { registry = "https://pypi.org/simple" }
-dependencies = [
-    { name = "click" },
-    { name = "mypy-extensions" },
-    { name = "packaging" },
-    { name = "pathspec" },
-    { name = "platformdirs" },
-    { name = "pytokens" },
-]
-sdist = { url = "https://files.pythonhosted.org/packages/c4/d9/07b458a3f1c525ac392b5edc6b191ff140b596f9d77092429417a54e249d/black-25.12.0.tar.gz", hash = "sha256:8d3dd9cea14bff7ddc0eb243c811cdb1a011ebb4800a5f0335a01a68654796a7", size = 659264, upload-time = "2025-12-08T01:40:52.501Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/60/ad/7ac0d0e1e0612788dbc48e62aef8a8e8feffac7eb3d787db4e43b8462fa8/black-25.12.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d0cfa263e85caea2cff57d8f917f9f51adae8e20b610e2b23de35b5b11ce691a", size = 1877003, upload-time = "2025-12-08T01:43:29.967Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/dd/a237e9f565f3617a88b49284b59cbca2a4f56ebe68676c1aad0ce36a54a7/black-25.12.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1a2f578ae20c19c50a382286ba78bfbeafdf788579b053d8e4980afb079ab9be", size = 1712639, upload-time = "2025-12-08T01:52:46.756Z" },
-    { url = "https://files.pythonhosted.org/packages/12/80/e187079df1ea4c12a0c63282ddd8b81d5107db6d642f7d7b75a6bcd6fc21/black-25.12.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d3e1b65634b0e471d07ff86ec338819e2ef860689859ef4501ab7ac290431f9b", size = 1758143, upload-time = "2025-12-08T01:45:29.137Z" },
-    { url = "https://files.pythonhosted.org/packages/93/b5/3096ccee4f29dc2c3aac57274326c4d2d929a77e629f695f544e159bfae4/black-25.12.0-cp311-cp311-win_amd64.whl", hash = "sha256:a3fa71e3b8dd9f7c6ac4d818345237dfb4175ed3bf37cd5a581dbc4c034f1ec5", size = 1420698, upload-time = "2025-12-08T01:45:53.379Z" },
-    { url = "https://files.pythonhosted.org/packages/7e/39/f81c0ffbc25ffbe61c7d0385bf277e62ffc3e52f5ee668d7369d9854fadf/black-25.12.0-cp311-cp311-win_arm64.whl", hash = "sha256:51e267458f7e650afed8445dc7edb3187143003d52a1b710c7321aef22aa9655", size = 1229317, upload-time = "2025-12-08T01:46:35.606Z" },
-    { url = "https://files.pythonhosted.org/packages/d1/bd/26083f805115db17fda9877b3c7321d08c647df39d0df4c4ca8f8450593e/black-25.12.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:31f96b7c98c1ddaeb07dc0f56c652e25bdedaac76d5b68a059d998b57c55594a", size = 1924178, upload-time = "2025-12-08T01:49:51.048Z" },
-    { url = "https://files.pythonhosted.org/packages/89/6b/ea00d6651561e2bdd9231c4177f4f2ae19cc13a0b0574f47602a7519b6ca/black-25.12.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:05dd459a19e218078a1f98178c13f861fe6a9a5f88fc969ca4d9b49eb1809783", size = 1742643, upload-time = "2025-12-08T01:49:59.09Z" },
-    { url = "https://files.pythonhosted.org/packages/6d/f3/360fa4182e36e9875fabcf3a9717db9d27a8d11870f21cff97725c54f35b/black-25.12.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c1f68c5eff61f226934be6b5b80296cf6939e5d2f0c2f7d543ea08b204bfaf59", size = 1800158, upload-time = "2025-12-08T01:44:27.301Z" },
-    { url = "https://files.pythonhosted.org/packages/f8/08/2c64830cb6616278067e040acca21d4f79727b23077633953081c9445d61/black-25.12.0-cp312-cp312-win_amd64.whl", hash = "sha256:274f940c147ddab4442d316b27f9e332ca586d39c85ecf59ebdea82cc9ee8892", size = 1426197, upload-time = "2025-12-08T01:45:51.198Z" },
-    { url = "https://files.pythonhosted.org/packages/d4/60/a93f55fd9b9816b7432cf6842f0e3000fdd5b7869492a04b9011a133ee37/black-25.12.0-cp312-cp312-win_arm64.whl", hash = "sha256:169506ba91ef21e2e0591563deda7f00030cb466e747c4b09cb0a9dae5db2f43", size = 1237266, upload-time = "2025-12-08T01:45:10.556Z" },
-    { url = "https://files.pythonhosted.org/packages/c8/52/c551e36bc95495d2aa1a37d50566267aa47608c81a53f91daa809e03293f/black-25.12.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:a05ddeb656534c3e27a05a29196c962877c83fa5503db89e68857d1161ad08a5", size = 1923809, upload-time = "2025-12-08T01:46:55.126Z" },
-    { url = "https://files.pythonhosted.org/packages/a0/f7/aac9b014140ee56d247e707af8db0aae2e9efc28d4a8aba92d0abd7ae9d1/black-25.12.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:9ec77439ef3e34896995503865a85732c94396edcc739f302c5673a2315e1e7f", size = 1742384, upload-time = "2025-12-08T01:49:37.022Z" },
-    { url = "https://files.pythonhosted.org/packages/74/98/38aaa018b2ab06a863974c12b14a6266badc192b20603a81b738c47e902e/black-25.12.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0e509c858adf63aa61d908061b52e580c40eae0dfa72415fa47ac01b12e29baf", size = 1798761, upload-time = "2025-12-08T01:46:05.386Z" },
-    { url = "https://files.pythonhosted.org/packages/16/3a/a8ac542125f61574a3f015b521ca83b47321ed19bb63fe6d7560f348bfe1/black-25.12.0-cp313-cp313-win_amd64.whl", hash = "sha256:252678f07f5bac4ff0d0e9b261fbb029fa530cfa206d0a636a34ab445ef8ca9d", size = 1429180, upload-time = "2025-12-08T01:45:34.903Z" },
-    { url = "https://files.pythonhosted.org/packages/e6/2d/bdc466a3db9145e946762d52cd55b1385509d9f9004fec1c97bdc8debbfb/black-25.12.0-cp313-cp313-win_arm64.whl", hash = "sha256:bc5b1c09fe3c931ddd20ee548511c64ebf964ada7e6f0763d443947fd1c603ce", size = 1239350, upload-time = "2025-12-08T01:46:09.458Z" },
-    { url = "https://files.pythonhosted.org/packages/35/46/1d8f2542210c502e2ae1060b2e09e47af6a5e5963cb78e22ec1a11170b28/black-25.12.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:0a0953b134f9335c2434864a643c842c44fba562155c738a2a37a4d61f00cad5", size = 1917015, upload-time = "2025-12-08T01:53:27.987Z" },
-    { url = "https://files.pythonhosted.org/packages/41/37/68accadf977672beb8e2c64e080f568c74159c1aaa6414b4cd2aef2d7906/black-25.12.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:2355bbb6c3b76062870942d8cc450d4f8ac71f9c93c40122762c8784df49543f", size = 1741830, upload-time = "2025-12-08T01:54:36.861Z" },
-    { url = "https://files.pythonhosted.org/packages/ac/76/03608a9d8f0faad47a3af3a3c8c53af3367f6c0dd2d23a84710456c7ac56/black-25.12.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9678bd991cc793e81d19aeeae57966ee02909877cb65838ccffef24c3ebac08f", size = 1791450, upload-time = "2025-12-08T01:44:52.581Z" },
-    { url = "https://files.pythonhosted.org/packages/06/99/b2a4bd7dfaea7964974f947e1c76d6886d65fe5d24f687df2d85406b2609/black-25.12.0-cp314-cp314-win_amd64.whl", hash = "sha256:97596189949a8aad13ad12fcbb4ae89330039b96ad6742e6f6b45e75ad5cfd83", size = 1452042, upload-time = "2025-12-08T01:46:13.188Z" },
-    { url = "https://files.pythonhosted.org/packages/b2/7c/d9825de75ae5dd7795d007681b752275ea85a1c5d83269b4b9c754c2aaab/black-25.12.0-cp314-cp314-win_arm64.whl", hash = "sha256:778285d9ea197f34704e3791ea9404cd6d07595745907dd2ce3da7a13627b29b", size = 1267446, upload-time = "2025-12-08T01:46:14.497Z" },
-    { url = "https://files.pythonhosted.org/packages/68/11/21331aed19145a952ad28fca2756a1433ee9308079bd03bd898e903a2e53/black-25.12.0-py3-none-any.whl", hash = "sha256:48ceb36c16dbc84062740049eef990bb2ce07598272e673c17d1a7720c71c828", size = 206191, upload-time = "2025-12-08T01:40:50.963Z" },
-]
-
 [[package]]
 name = "blinker"
 version = "1.7.0"
@@ -919,7 +882,7 @@ wheels = [
 
 [[package]]
 name = "immich-ml"
-version = "2.5.2"
+version = "2.5.3"
 source = { editable = "." }
 dependencies = [
     { name = "aiocache" },
@@ -961,7 +924,6 @@ rknn = [
 
 [package.dev-dependencies]
 dev = [
-    { name = "black" },
     { name = "httpx" },
     { name = "locust" },
     { name = "mypy" },
@@ -977,7 +939,6 @@ dev = [
     { name = "types-ujson" },
 ]
 lint = [
-    { name = "black" },
     { name = "mypy" },
     { name = "ruff" },
     { name = "types-pyyaml" },
@@ -1031,7 +992,6 @@ provides-extras = ["cpu", "cuda", "openvino", "armnn", "rknn", "rocm"]
 
 [package.metadata.requires-dev]
 dev = [
-    { name = "black", specifier = ">=23.3.0" },
     { name = "httpx", specifier = ">=0.24.1" },
     { name = "locust", specifier = ">=2.15.1" },
     { name = "mypy", specifier = ">=1.3.0" },
@@ -1047,7 +1007,6 @@ dev = [
     { name = "types-ujson", specifier = ">=5.10.0.20240515" },
 ]
 lint = [
-    { name = "black", specifier = ">=23.3.0" },
     { name = "mypy", specifier = ">=1.3.0" },
     { name = "ruff", specifier = ">=0.0.272" },
     { name = "types-pyyaml", specifier = ">=6.0.12.20241230" },
@@ -2232,15 +2191,6 @@ client = [
     { name = "websocket-client" },
 ]
 
-[[package]]
-name = "pytokens"
-version = "0.3.0"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/4e/8d/a762be14dae1c3bf280202ba3172020b2b0b4c537f94427435f19c413b72/pytokens-0.3.0.tar.gz", hash = "sha256:2f932b14ed08de5fcf0b391ace2642f858f1394c0857202959000b68ed7a458a", size = 17644, upload-time = "2025-11-05T13:36:35.34Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/84/25/d9db8be44e205a124f6c98bc0324b2bb149b7431c53877fc6d1038dddaf5/pytokens-0.3.0-py3-none-any.whl", hash = "sha256:95b2b5eaf832e469d141a378872480ede3f251a5a5041b8ec6e581d3ac71bbf3", size = 12195, upload-time = "2025-11-05T13:36:33.183Z" },
-]
-
 [[package]]
 name = "pywin32"
 version = "311"

mobile/android/app/build.gradle

@@ -131,7 +131,6 @@ dependencies {
   implementation "androidx.compose.ui:ui-tooling:$compose_version"
   implementation "androidx.compose.material3:material3:1.2.1"
   implementation "androidx.lifecycle:lifecycle-runtime-ktx:2.6.2"
-  implementation "com.google.android.material:material:1.12.0"
 }
 
 // This is uncommented in F-Droid build script

mobile/android/app/src/main/AndroidManifest.xml

@@ -27,8 +27,7 @@
 
   <application android:label="Immich" android:name=".ImmichApp" android:usesCleartextTraffic="true"
     android:icon="@mipmap/ic_launcher" android:requestLegacyExternalStorage="true"
-    android:largeHeap="true" android:enableOnBackInvokedCallback="false" android:allowBackup="false"
-    android:networkSecurityConfig="@xml/network_security_config">
+    android:largeHeap="true" android:enableOnBackInvokedCallback="false" android:allowBackup="false">
 
     <profileable android:shell="true" />
 

mobile/android/app/src/main/kotlin/app/alextran/immich/HttpSSLOptionsPlugin.kt

@@ -0,0 +1,153 @@
+package app.alextran.immich
+
+import android.annotation.SuppressLint
+import android.content.Context
+import app.alextran.immich.core.SSLConfig
+import io.flutter.embedding.engine.plugins.FlutterPlugin
+import io.flutter.plugin.common.BinaryMessenger
+import io.flutter.plugin.common.MethodCall
+import io.flutter.plugin.common.MethodChannel
+import java.io.ByteArrayInputStream
+import java.net.InetSocketAddress
+import java.net.Socket
+import java.security.KeyStore
+import java.security.cert.X509Certificate
+import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.KeyManager
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.SSLSession
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509ExtendedTrustManager
+
+/**
+ * Android plugin for Dart `HttpSSLOptions`
+ */
+class HttpSSLOptionsPlugin : FlutterPlugin, MethodChannel.MethodCallHandler {
+  private var methodChannel: MethodChannel? = null
+
+  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
+    onAttachedToEngine(binding.applicationContext, binding.binaryMessenger)
+  }
+
+  private fun onAttachedToEngine(ctx: Context, messenger: BinaryMessenger) {
+    methodChannel = MethodChannel(messenger, "immich/httpSSLOptions")
+    methodChannel?.setMethodCallHandler(this)
+  }
+
+  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
+    onDetachedFromEngine()
+  }
+
+  private fun onDetachedFromEngine() {
+    methodChannel?.setMethodCallHandler(null)
+    methodChannel = null
+  }
+
+  override fun onMethodCall(call: MethodCall, result: MethodChannel.Result) {
+    try {
+      when (call.method) {
+        "apply" -> {
+          val args = call.arguments<ArrayList<*>>()!!
+          val allowSelfSigned = args[0] as Boolean
+          val serverHost = args[1] as? String
+          val clientCertHash = (args[2] as? ByteArray)
+
+          var tm: Array<TrustManager>? = null
+          if (allowSelfSigned) {
+            tm = arrayOf(AllowSelfSignedTrustManager(serverHost))
+          }
+
+          var km: Array<KeyManager>? = null
+          if (clientCertHash != null) {
+            val cert = ByteArrayInputStream(clientCertHash)
+            val password = (args[3] as String).toCharArray()
+            val keyStore = KeyStore.getInstance("PKCS12")
+            keyStore.load(cert, password)
+            val keyManagerFactory =
+              KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
+            keyManagerFactory.init(keyStore, null)
+            km = keyManagerFactory.keyManagers
+          }
+
+          // Update shared SSL config for OkHttp and other HTTP clients
+          SSLConfig.apply(km, tm, allowSelfSigned, serverHost, clientCertHash?.contentHashCode() ?: 0)
+
+          val sslContext = SSLContext.getInstance("TLS")
+          sslContext.init(km, tm, null)
+          HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.socketFactory)
+
+          HttpsURLConnection.setDefaultHostnameVerifier(AllowSelfSignedHostnameVerifier(args[1] as? String))
+
+          result.success(true)
+        }
+
+        else -> result.notImplemented()
+      }
+    } catch (e: Throwable) {
+      result.error("error", e.message, null)
+    }
+  }
+
+  @SuppressLint("CustomX509TrustManager")
+  class AllowSelfSignedTrustManager(private val serverHost: String?) : X509ExtendedTrustManager() {
+    private val defaultTrustManager: X509ExtendedTrustManager = getDefaultTrustManager()
+
+    override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?) =
+      defaultTrustManager.checkClientTrusted(chain, authType)
+
+    override fun checkClientTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, socket: Socket?
+    ) = defaultTrustManager.checkClientTrusted(chain, authType, socket)
+
+    override fun checkClientTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, engine: SSLEngine?
+    ) = defaultTrustManager.checkClientTrusted(chain, authType, engine)
+
+    override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {
+      if (serverHost == null) return
+      defaultTrustManager.checkServerTrusted(chain, authType)
+    }
+
+    override fun checkServerTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, socket: Socket?
+    ) {
+      if (serverHost == null) return
+      val socketAddress = socket?.remoteSocketAddress
+      if (socketAddress is InetSocketAddress && socketAddress.hostName == serverHost) return
+      defaultTrustManager.checkServerTrusted(chain, authType, socket)
+    }
+
+    override fun checkServerTrusted(
+      chain: Array<out X509Certificate>?, authType: String?, engine: SSLEngine?
+    ) {
+      if (serverHost == null || engine?.peerHost == serverHost) return
+      defaultTrustManager.checkServerTrusted(chain, authType, engine)
+    }
+
+    override fun getAcceptedIssuers(): Array<X509Certificate> = defaultTrustManager.acceptedIssuers
+
+    private fun getDefaultTrustManager(): X509ExtendedTrustManager {
+      val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+      factory.init(null as KeyStore?)
+      return factory.trustManagers.filterIsInstance<X509ExtendedTrustManager>().first()
+    }
+  }
+
+  class AllowSelfSignedHostnameVerifier(private val serverHost: String?) : HostnameVerifier {
+    companion object {
+      private val _defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier()
+    }
+
+    override fun verify(hostname: String?, session: SSLSession?): Boolean {
+      if (serverHost == null || hostname == serverHost) {
+        return true
+      } else {
+        return _defaultHostnameVerifier.verify(hostname, session)
+      }
+    }
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/MainActivity.kt

@@ -9,9 +9,7 @@ import app.alextran.immich.background.BackgroundWorkerFgHostApi
 import app.alextran.immich.background.BackgroundWorkerLockApi
 import app.alextran.immich.connectivity.ConnectivityApi
 import app.alextran.immich.connectivity.ConnectivityApiImpl
-import app.alextran.immich.core.HttpClientManager
 import app.alextran.immich.core.ImmichPlugin
-import app.alextran.immich.core.NetworkApiPlugin
 import app.alextran.immich.images.LocalImageApi
 import app.alextran.immich.images.LocalImagesImpl
 import app.alextran.immich.images.RemoteImageApi
@@ -30,9 +28,6 @@ class MainActivity : FlutterFragmentActivity() {
 
   companion object {
     fun registerPlugins(ctx: Context, flutterEngine: FlutterEngine) {
-      HttpClientManager.initialize(ctx)
-      flutterEngine.plugins.add(NetworkApiPlugin())
-
       val messenger = flutterEngine.dartExecutor.binaryMessenger
       val backgroundEngineLockImpl = BackgroundEngineLock(ctx)
       BackgroundWorkerLockApi.setUp(messenger, backgroundEngineLockImpl)
@@ -50,6 +45,7 @@ class MainActivity : FlutterFragmentActivity() {
       ConnectivityApi.setUp(messenger, ConnectivityApiImpl(ctx))
 
       flutterEngine.plugins.add(BackgroundServicePlugin())
+      flutterEngine.plugins.add(HttpSSLOptionsPlugin())
       flutterEngine.plugins.add(backgroundEngineLockImpl)
       flutterEngine.plugins.add(nativeSyncApiImpl)
     }

mobile/android/app/src/main/kotlin/app/alextran/immich/core/HttpClientManager.kt

@@ -1,147 +0,0 @@
-package app.alextran.immich.core
-
-import android.content.Context
-import app.alextran.immich.BuildConfig
-import okhttp3.Cache
-import okhttp3.ConnectionPool
-import okhttp3.Dispatcher
-import okhttp3.OkHttpClient
-import java.io.ByteArrayInputStream
-import java.io.File
-import java.net.Socket
-import java.security.KeyStore
-import java.security.Principal
-import java.security.PrivateKey
-import java.security.cert.X509Certificate
-import java.util.concurrent.TimeUnit
-import javax.net.ssl.SSLContext
-import javax.net.ssl.TrustManagerFactory
-import javax.net.ssl.X509KeyManager
-import javax.net.ssl.X509TrustManager
-
-const val CERT_ALIAS = "client_cert"
-const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
-
-/**
- * Manages a shared OkHttpClient with SSL configuration support.
- */
-object HttpClientManager {
-  private const val CACHE_SIZE_BYTES = 100L * 1024 * 1024  // 100MiB
-  private const val KEEP_ALIVE_CONNECTIONS = 10
-  private const val KEEP_ALIVE_DURATION_MINUTES = 5L
-  private const val MAX_REQUESTS_PER_HOST = 64
-
-  private var initialized = false
-  private val clientChangedListeners = mutableListOf<() -> Unit>()
-
-  private lateinit var client: OkHttpClient
-
-  private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
-
-  val isMtls: Boolean get() = keyStore.containsAlias(CERT_ALIAS)
-
-  fun initialize(context: Context) {
-    if (initialized) return
-    synchronized(this) {
-      if (initialized) return
-
-      val cacheDir = File(File(context.cacheDir, "okhttp"), "api")
-      client = build(cacheDir)
-      initialized = true
-    }
-  }
-
-  fun setKeyEntry(clientData: ByteArray, password: CharArray) {
-    synchronized(this) {
-      val wasMtls = isMtls
-      val tmpKeyStore = KeyStore.getInstance("PKCS12").apply {
-        ByteArrayInputStream(clientData).use { stream -> load(stream, password) }
-      }
-      val tmpAlias = tmpKeyStore.aliases().asSequence().firstOrNull { tmpKeyStore.isKeyEntry(it) }
-        ?: throw IllegalArgumentException("No private key found in PKCS12")
-      val key = tmpKeyStore.getKey(tmpAlias, password)
-      val chain = tmpKeyStore.getCertificateChain(tmpAlias)
-
-      if (wasMtls) {
-        keyStore.deleteEntry(CERT_ALIAS)
-      }
-      keyStore.setKeyEntry(CERT_ALIAS, key, null, chain)
-      if (wasMtls != isMtls) {
-        clientChangedListeners.forEach { it() }
-      }
-    }
-  }
-
-  fun deleteKeyEntry() {
-    synchronized(this) {
-      if (!isMtls) {
-        return
-      }
-
-      keyStore.deleteEntry(CERT_ALIAS)
-      clientChangedListeners.forEach { it() }
-    }
-  }
-
-  @JvmStatic
-  fun getClient(): OkHttpClient {
-    return client
-  }
-
-  fun addClientChangedListener(listener: () -> Unit) {
-    synchronized(this) { clientChangedListeners.add(listener) }
-  }
-
-  private fun build(cacheDir: File): OkHttpClient {
-    val connectionPool = ConnectionPool(
-      maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
-      keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
-      timeUnit = TimeUnit.MINUTES
-    )
-
-    val managerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-    managerFactory.init(null as KeyStore?)
-    val trustManager = managerFactory.trustManagers.filterIsInstance<X509TrustManager>().first()
-
-    val sslContext = SSLContext.getInstance("TLS")
-      .apply { init(arrayOf(DynamicKeyManager()), arrayOf(trustManager), null) }
-
-    return OkHttpClient.Builder()
-      .addInterceptor { chain ->
-        chain.proceed(chain.request().newBuilder().header("User-Agent", USER_AGENT).build())
-      }
-      .connectionPool(connectionPool)
-      .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
-      .cache(Cache(cacheDir.apply { mkdirs() }, CACHE_SIZE_BYTES))
-      .sslSocketFactory(sslContext.socketFactory, trustManager)
-      .build()
-  }
-
-  // Reads from the key store rather than taking a snapshot at initialization time
-  private class DynamicKeyManager : X509KeyManager {
-    override fun getClientAliases(keyType: String, issuers: Array<Principal>?): Array<String>? =
-      if (isMtls) arrayOf(CERT_ALIAS) else null
-
-    override fun chooseClientAlias(
-      keyTypes: Array<String>,
-      issuers: Array<Principal>?,
-      socket: Socket?
-    ): String? =
-      if (isMtls) CERT_ALIAS else null
-
-    override fun getCertificateChain(alias: String): Array<X509Certificate>? =
-      keyStore.getCertificateChain(alias)?.map { it as X509Certificate }?.toTypedArray()
-
-    override fun getPrivateKey(alias: String): PrivateKey? =
-      keyStore.getKey(alias, null) as? PrivateKey
-
-    override fun getServerAliases(keyType: String, issuers: Array<Principal>?): Array<String>? =
-      null
-
-    override fun chooseServerAlias(
-      keyType: String,
-      issuers: Array<Principal>?,
-      socket: Socket?
-    ): String? = null
-  }
-}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt

@@ -1,253 +0,0 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
-// See also: https://pub.dev/packages/pigeon
-@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")
-
-package app.alextran.immich.core
-
-import android.util.Log
-import io.flutter.plugin.common.BasicMessageChannel
-import io.flutter.plugin.common.BinaryMessenger
-import io.flutter.plugin.common.EventChannel
-import io.flutter.plugin.common.MessageCodec
-import io.flutter.plugin.common.StandardMethodCodec
-import io.flutter.plugin.common.StandardMessageCodec
-import java.io.ByteArrayOutputStream
-import java.nio.ByteBuffer
-private object NetworkPigeonUtils {
-
-  fun wrapResult(result: Any?): List<Any?> {
-    return listOf(result)
-  }
-
-  fun wrapError(exception: Throwable): List<Any?> {
-    return if (exception is FlutterError) {
-      listOf(
-        exception.code,
-        exception.message,
-        exception.details
-      )
-    } else {
-      listOf(
-        exception.javaClass.simpleName,
-        exception.toString(),
-        "Cause: " + exception.cause + ", Stacktrace: " + Log.getStackTraceString(exception)
-      )
-    }
-  }
-  fun deepEquals(a: Any?, b: Any?): Boolean {
-    if (a is ByteArray && b is ByteArray) {
-        return a.contentEquals(b)
-    }
-    if (a is IntArray && b is IntArray) {
-        return a.contentEquals(b)
-    }
-    if (a is LongArray && b is LongArray) {
-        return a.contentEquals(b)
-    }
-    if (a is DoubleArray && b is DoubleArray) {
-        return a.contentEquals(b)
-    }
-    if (a is Array<*> && b is Array<*>) {
-      return a.size == b.size &&
-          a.indices.all{ deepEquals(a[it], b[it]) }
-    }
-    if (a is List<*> && b is List<*>) {
-      return a.size == b.size &&
-          a.indices.all{ deepEquals(a[it], b[it]) }
-    }
-    if (a is Map<*, *> && b is Map<*, *>) {
-      return a.size == b.size && a.all {
-          (b as Map<Any?, Any?>).containsKey(it.key) &&
-          deepEquals(it.value, b[it.key])
-      }
-    }
-    return a == b
-  }
-      
-}
-
-/**
- * Error class for passing custom error details to Flutter via a thrown PlatformException.
- * @property code The error code.
- * @property message The error message.
- * @property details The error details. Must be a datatype supported by the api codec.
- */
-class FlutterError (
-  val code: String,
-  override val message: String? = null,
-  val details: Any? = null
-) : Throwable()
-
-/** Generated class from Pigeon that represents data sent in messages. */
-data class ClientCertData (
-  val data: ByteArray,
-  val password: String
-)
- {
-  companion object {
-    fun fromList(pigeonVar_list: List<Any?>): ClientCertData {
-      val data = pigeonVar_list[0] as ByteArray
-      val password = pigeonVar_list[1] as String
-      return ClientCertData(data, password)
-    }
-  }
-  fun toList(): List<Any?> {
-    return listOf(
-      data,
-      password,
-    )
-  }
-  override fun equals(other: Any?): Boolean {
-    if (other !is ClientCertData) {
-      return false
-    }
-    if (this === other) {
-      return true
-    }
-    return NetworkPigeonUtils.deepEquals(toList(), other.toList())  }
-
-  override fun hashCode(): Int = toList().hashCode()
-}
-
-/** Generated class from Pigeon that represents data sent in messages. */
-data class ClientCertPrompt (
-  val title: String,
-  val message: String,
-  val cancel: String,
-  val confirm: String
-)
- {
-  companion object {
-    fun fromList(pigeonVar_list: List<Any?>): ClientCertPrompt {
-      val title = pigeonVar_list[0] as String
-      val message = pigeonVar_list[1] as String
-      val cancel = pigeonVar_list[2] as String
-      val confirm = pigeonVar_list[3] as String
-      return ClientCertPrompt(title, message, cancel, confirm)
-    }
-  }
-  fun toList(): List<Any?> {
-    return listOf(
-      title,
-      message,
-      cancel,
-      confirm,
-    )
-  }
-  override fun equals(other: Any?): Boolean {
-    if (other !is ClientCertPrompt) {
-      return false
-    }
-    if (this === other) {
-      return true
-    }
-    return NetworkPigeonUtils.deepEquals(toList(), other.toList())  }
-
-  override fun hashCode(): Int = toList().hashCode()
-}
-private open class NetworkPigeonCodec : StandardMessageCodec() {
-  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
-    return when (type) {
-      129.toByte() -> {
-        return (readValue(buffer) as? List<Any?>)?.let {
-          ClientCertData.fromList(it)
-        }
-      }
-      130.toByte() -> {
-        return (readValue(buffer) as? List<Any?>)?.let {
-          ClientCertPrompt.fromList(it)
-        }
-      }
-      else -> super.readValueOfType(type, buffer)
-    }
-  }
-  override fun writeValue(stream: ByteArrayOutputStream, value: Any?)   {
-    when (value) {
-      is ClientCertData -> {
-        stream.write(129)
-        writeValue(stream, value.toList())
-      }
-      is ClientCertPrompt -> {
-        stream.write(130)
-        writeValue(stream, value.toList())
-      }
-      else -> super.writeValue(stream, value)
-    }
-  }
-}
-
-
-/** Generated interface from Pigeon that represents a handler of messages from Flutter. */
-interface NetworkApi {
-  fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit)
-  fun selectCertificate(promptText: ClientCertPrompt, callback: (Result<ClientCertData>) -> Unit)
-  fun removeCertificate(callback: (Result<Unit>) -> Unit)
-
-  companion object {
-    /** The codec used by NetworkApi. */
-    val codec: MessageCodec<Any?> by lazy {
-      NetworkPigeonCodec()
-    }
-    /** Sets up an instance of `NetworkApi` to handle messages through the `binaryMessenger`. */
-    @JvmOverloads
-    fun setUp(binaryMessenger: BinaryMessenger, api: NetworkApi?, messageChannelSuffix: String = "") {
-      val separatedMessageChannelSuffix = if (messageChannelSuffix.isNotEmpty()) ".$messageChannelSuffix" else ""
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate$separatedMessageChannelSuffix", codec)
-        if (api != null) {
-          channel.setMessageHandler { message, reply ->
-            val args = message as List<Any?>
-            val clientDataArg = args[0] as ClientCertData
-            api.addCertificate(clientDataArg) { result: Result<Unit> ->
-              val error = result.exceptionOrNull()
-              if (error != null) {
-                reply.reply(NetworkPigeonUtils.wrapError(error))
-              } else {
-                reply.reply(NetworkPigeonUtils.wrapResult(null))
-              }
-            }
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$separatedMessageChannelSuffix", codec)
-        if (api != null) {
-          channel.setMessageHandler { message, reply ->
-            val args = message as List<Any?>
-            val promptTextArg = args[0] as ClientCertPrompt
-            api.selectCertificate(promptTextArg) { result: Result<ClientCertData> ->
-              val error = result.exceptionOrNull()
-              if (error != null) {
-                reply.reply(NetworkPigeonUtils.wrapError(error))
-              } else {
-                val data = result.getOrNull()
-                reply.reply(NetworkPigeonUtils.wrapResult(data))
-              }
-            }
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
-      run {
-        val channel = BasicMessageChannel<Any?>(binaryMessenger, "dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate$separatedMessageChannelSuffix", codec)
-        if (api != null) {
-          channel.setMessageHandler { _, reply ->
-            api.removeCertificate{ result: Result<Unit> ->
-              val error = result.exceptionOrNull()
-              if (error != null) {
-                reply.reply(NetworkPigeonUtils.wrapError(error))
-              } else {
-                reply.reply(NetworkPigeonUtils.wrapResult(null))
-              }
-            }
-          }
-        } else {
-          channel.setMessageHandler(null)
-        }
-      }
-    }
-  }
-}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/NetworkApiPlugin.kt

@@ -1,162 +0,0 @@
-package app.alextran.immich.core
-
-import android.app.Activity
-import android.content.Context
-import android.net.Uri
-import android.os.OperationCanceledException
-import android.text.InputType
-import android.view.ContextThemeWrapper
-import android.view.ViewGroup.LayoutParams.MATCH_PARENT
-import android.view.ViewGroup.LayoutParams.WRAP_CONTENT
-import android.widget.FrameLayout
-import android.widget.LinearLayout
-import androidx.activity.ComponentActivity
-import androidx.activity.result.ActivityResultLauncher
-import androidx.activity.result.contract.ActivityResultContracts
-import com.google.android.material.dialog.MaterialAlertDialogBuilder
-import com.google.android.material.textfield.TextInputEditText
-import com.google.android.material.textfield.TextInputLayout
-import io.flutter.embedding.engine.plugins.FlutterPlugin
-import io.flutter.embedding.engine.plugins.activity.ActivityAware
-import io.flutter.embedding.engine.plugins.activity.ActivityPluginBinding
-
-class NetworkApiPlugin : FlutterPlugin, ActivityAware {
-  private var networkApi: NetworkApiImpl? = null
-
-  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    networkApi = NetworkApiImpl(binding.applicationContext)
-    NetworkApi.setUp(binding.binaryMessenger, networkApi)
-  }
-
-  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    NetworkApi.setUp(binding.binaryMessenger, null)
-    networkApi = null
-  }
-
-  override fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    networkApi?.onAttachedToActivity(binding)
-  }
-
-  override fun onDetachedFromActivityForConfigChanges() {
-    networkApi?.onDetachedFromActivityForConfigChanges()
-  }
-
-  override fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    networkApi?.onReattachedToActivityForConfigChanges(binding)
-  }
-
-  override fun onDetachedFromActivity() {
-    networkApi?.onDetachedFromActivity()
-  }
-}
-
-private class NetworkApiImpl(private val context: Context) : NetworkApi {
-  private var activity: Activity? = null
-  private var pendingCallback: ((Result<ClientCertData>) -> Unit)? = null
-  private var filePicker: ActivityResultLauncher<Array<String>>? = null
-  private var promptText: ClientCertPrompt? = null
-
-  fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    activity = binding.activity
-    (binding.activity as? ComponentActivity)?.let { componentActivity ->
-      filePicker = componentActivity.registerForActivityResult(
-        ActivityResultContracts.OpenDocument()
-      ) { uri -> uri?.let { handlePickedFile(it) } ?: pendingCallback?.invoke(Result.failure(OperationCanceledException())) }
-    }
-  }
-
-  fun onDetachedFromActivityForConfigChanges() {
-    activity = null
-  }
-
-  fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    activity = binding.activity
-  }
-
-  fun onDetachedFromActivity() {
-    activity = null
-  }
-
-  override fun addCertificate(clientData: ClientCertData, callback: (Result<Unit>) -> Unit) {
-    try {
-      HttpClientManager.setKeyEntry(clientData.data, clientData.password.toCharArray())
-      callback(Result.success(Unit))
-    } catch (e: Exception) {
-      callback(Result.failure(e))
-    }
-  }
-
-  override fun selectCertificate(promptText: ClientCertPrompt, callback: (Result<ClientCertData>) -> Unit) {
-    val picker = filePicker ?: return callback(Result.failure(IllegalStateException("No activity")))
-    pendingCallback = callback
-    this.promptText = promptText
-    picker.launch(arrayOf("application/x-pkcs12", "application/x-pem-file"))
-  }
-
-  override fun removeCertificate(callback: (Result<Unit>) -> Unit) {
-    HttpClientManager.deleteKeyEntry()
-    callback(Result.success(Unit))
-  }
-
-  private fun handlePickedFile(uri: Uri) {
-    val callback = pendingCallback ?: return
-    pendingCallback = null
-
-    try {
-      val data = context.contentResolver.openInputStream(uri)?.use { it.readBytes() }
-        ?: throw IllegalStateException("Could not read file")
-
-      val activity = activity ?: throw IllegalStateException("No activity")
-      promptForPassword(activity) { password ->
-        promptText = null
-        if (password == null) {
-          callback(Result.failure(OperationCanceledException()))
-          return@promptForPassword
-        }
-        try {
-          HttpClientManager.setKeyEntry(data, password.toCharArray())
-          callback(Result.success(ClientCertData(data, password)))
-        } catch (e: Exception) {
-          callback(Result.failure(e))
-        }
-      }
-    } catch (e: Exception) {
-      callback(Result.failure(e))
-    }
-  }
-
-  private fun promptForPassword(activity: Activity, callback: (String?) -> Unit) {
-    val themedContext = ContextThemeWrapper(activity, com.google.android.material.R.style.Theme_Material3_DayNight_Dialog)
-    val density = activity.resources.displayMetrics.density
-    val horizontalPadding = (24 * density).toInt()
-
-    val textInputLayout = TextInputLayout(themedContext).apply {
-      hint = "Password"
-      endIconMode = TextInputLayout.END_ICON_PASSWORD_TOGGLE
-      layoutParams = FrameLayout.LayoutParams(MATCH_PARENT, WRAP_CONTENT).apply {
-        setMargins(horizontalPadding, 0, horizontalPadding, 0)
-      }
-    }
-
-    val editText = TextInputEditText(textInputLayout.context).apply {
-      inputType = InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_VARIATION_PASSWORD
-      layoutParams = LinearLayout.LayoutParams(MATCH_PARENT, WRAP_CONTENT)
-    }
-    textInputLayout.addView(editText)
-
-    val container = FrameLayout(themedContext).apply { addView(textInputLayout) }
-
-    val text = promptText!!
-    MaterialAlertDialogBuilder(themedContext)
-      .setTitle(text.title)
-      .setMessage(text.message)
-      .setView(container)
-      .setPositiveButton(text.confirm) { _, _ -> callback(editText.text.toString()) }
-      .setNegativeButton(text.cancel) { dialog, _ ->
-        dialog.cancel()
-        callback(null)
-      }
-      .setOnCancelListener { callback(null) }
-      .show()
-  }
-}

mobile/android/app/src/main/kotlin/app/alextran/immich/core/SSLConfig.kt

@@ -0,0 +1,73 @@
+package app.alextran.immich.core
+
+import java.security.KeyStore
+import javax.net.ssl.KeyManager
+import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
+
+/**
+ * Shared SSL configuration for OkHttp and HttpsURLConnection.
+ * Stores the SSLSocketFactory and X509TrustManager configured by HttpSSLOptionsPlugin.
+ */
+object SSLConfig {
+  var sslSocketFactory: SSLSocketFactory? = null
+    private set
+
+  var trustManager: X509TrustManager? = null
+    private set
+
+  var requiresCustomSSL: Boolean = false
+    private set
+
+  private val listeners = mutableListOf<() -> Unit>()
+  private var configHash: Int = 0
+
+  fun addListener(listener: () -> Unit) {
+    listeners.add(listener)
+  }
+
+  fun apply(
+    keyManagers: Array<KeyManager>?,
+    trustManagers: Array<TrustManager>?,
+    allowSelfSigned: Boolean,
+    serverHost: String?,
+    clientCertHash: Int
+  ) {
+    synchronized(this) {
+      val newHash = computeHash(allowSelfSigned, serverHost, clientCertHash)
+      val newRequiresCustomSSL = allowSelfSigned || keyManagers != null
+      if (newHash == configHash && sslSocketFactory != null && requiresCustomSSL == newRequiresCustomSSL) {
+        return  // Config unchanged, skip
+      }
+
+      val sslContext = SSLContext.getInstance("TLS")
+      sslContext.init(keyManagers, trustManagers, null)
+      sslSocketFactory = sslContext.socketFactory
+      trustManager = trustManagers?.filterIsInstance<X509TrustManager>()?.firstOrNull()
+        ?: getDefaultTrustManager()
+      requiresCustomSSL = newRequiresCustomSSL
+      configHash = newHash
+      notifyListeners()
+    }
+  }
+
+  private fun computeHash(allowSelfSigned: Boolean, serverHost: String?, clientCertHash: Int): Int {
+    var result = allowSelfSigned.hashCode()
+    result = 31 * result + (serverHost?.hashCode() ?: 0)
+    result = 31 * result + clientCertHash
+    return result
+  }
+
+  private fun notifyListeners() {
+    listeners.forEach { it() }
+  }
+
+  private fun getDefaultTrustManager(): X509TrustManager {
+    val factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    factory.init(null as KeyStore?)
+    return factory.trustManagers.filterIsInstance<X509TrustManager>().first()
+  }
+}

mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImagesImpl.kt

@@ -3,15 +3,17 @@ package app.alextran.immich.images
 import android.content.Context
 import android.os.CancellationSignal
 import android.os.OperationCanceledException
+import app.alextran.immich.BuildConfig
 import app.alextran.immich.INITIAL_BUFFER_SIZE
 import app.alextran.immich.NativeBuffer
 import app.alextran.immich.NativeByteBuffer
-import app.alextran.immich.core.HttpClientManager
-import app.alextran.immich.core.USER_AGENT
+import app.alextran.immich.core.SSLConfig
 import kotlinx.coroutines.*
 import okhttp3.Cache
 import okhttp3.Call
 import okhttp3.Callback
+import okhttp3.ConnectionPool
+import okhttp3.Dispatcher
 import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.Response
@@ -30,8 +32,15 @@ import java.nio.file.SimpleFileVisitor
 import java.nio.file.attribute.BasicFileAttributes
 import java.util.concurrent.ConcurrentHashMap
 import java.util.concurrent.Executors
+import java.util.concurrent.TimeUnit
+import javax.net.ssl.SSLSocketFactory
+import javax.net.ssl.X509TrustManager
 
 
+private const val USER_AGENT = "Immich_Android_${BuildConfig.VERSION_NAME}"
+private const val MAX_REQUESTS_PER_HOST = 64
+private const val KEEP_ALIVE_CONNECTIONS = 10
+private const val KEEP_ALIVE_DURATION_MINUTES = 5L
 private const val CACHE_SIZE_BYTES = 1024L * 1024 * 1024
 
 private class RemoteRequest(val cancellationSignal: CancellationSignal)
@@ -112,7 +121,7 @@ private object ImageFetcherManager {
       appContext = context.applicationContext
       cacheDir = context.cacheDir
       fetcher = build()
-      HttpClientManager.addClientChangedListener(::invalidate)
+      SSLConfig.addListener(::invalidate)
       initialized = true
     }
   }
@@ -134,14 +143,18 @@ private object ImageFetcherManager {
   private fun invalidate() {
     synchronized(this) {
       val oldFetcher = fetcher
+      if (oldFetcher is OkHttpImageFetcher && SSLConfig.requiresCustomSSL) {
+        fetcher = oldFetcher.reconfigure(SSLConfig.sslSocketFactory, SSLConfig.trustManager)
+        return
+      }
       fetcher = build()
       oldFetcher.drain()
     }
   }
 
   private fun build(): ImageFetcher {
-    return if (HttpClientManager.isMtls) {
-      OkHttpImageFetcher.create(cacheDir)
+    return if (SSLConfig.requiresCustomSSL) {
+      OkHttpImageFetcher.create(cacheDir, SSLConfig.sslSocketFactory, SSLConfig.trustManager)
     } else {
       CronetImageFetcher(appContext, cacheDir)
     }
@@ -367,17 +380,51 @@ private class OkHttpImageFetcher private constructor(
   private var draining = false
 
   companion object {
-    fun create(cacheDir: File): OkHttpImageFetcher {
+    fun create(
+      cacheDir: File,
+      sslSocketFactory: SSLSocketFactory?,
+      trustManager: X509TrustManager?,
+    ): OkHttpImageFetcher {
       val dir = File(cacheDir, "okhttp")
+      val connectionPool = ConnectionPool(
+        maxIdleConnections = KEEP_ALIVE_CONNECTIONS,
+        keepAliveDuration = KEEP_ALIVE_DURATION_MINUTES,
+        timeUnit = TimeUnit.MINUTES
+      )
 
-      val client = HttpClientManager.getClient().newBuilder()
+      val builder = OkHttpClient.Builder()
+        .addInterceptor { chain ->
+          chain.proceed(
+            chain.request().newBuilder()
+              .header("User-Agent", USER_AGENT)
+              .build()
+          )
+        }
+        .dispatcher(Dispatcher().apply { maxRequestsPerHost = MAX_REQUESTS_PER_HOST })
+        .connectionPool(connectionPool)
         .cache(Cache(File(dir, "thumbnails"), CACHE_SIZE_BYTES))
-        .build()
 
-      return OkHttpImageFetcher(client)
+      if (sslSocketFactory != null && trustManager != null) {
+        builder.sslSocketFactory(sslSocketFactory, trustManager)
+      }
+
+      return OkHttpImageFetcher(builder.build())
     }
   }
 
+  fun reconfigure(
+    sslSocketFactory: SSLSocketFactory?,
+    trustManager: X509TrustManager?,
+  ): OkHttpImageFetcher {
+    val builder = client.newBuilder()
+    if (sslSocketFactory != null && trustManager != null) {
+      builder.sslSocketFactory(sslSocketFactory, trustManager)
+    }
+    // Evict idle connections using old SSL config
+    client.connectionPool.evictAll()
+    return OkHttpImageFetcher(builder.build())
+  }
+
   private fun onComplete() {
     val shouldClose = synchronized(stateLock) {
       activeCount--
@@ -465,6 +512,7 @@ private class OkHttpImageFetcher private constructor(
       draining = true
       activeCount == 0
     }
+    client.connectionPool.evictAll()
     if (shouldClose) {
       client.cache?.close()
     }

mobile/android/app/src/main/res/xml/network_security_config.xml

@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<network-security-config cleartextTrafficPermitted="true">
-    <base-config>
-        <trust-anchors>
-            <certificates src="system" />
-            <certificates src="user" />
-        </trust-anchors>
-    </base-config>
-</network-security-config>

mobile/android/fastlane/Fastfile

@@ -35,8 +35,8 @@ platform :android do
       task: 'bundle', 
       build_type: 'Release',
       properties: {
-        "android.injected.version.code" => 3033,
-        "android.injected.version.name" => "2.5.2",
+        "android.injected.version.code" => 3034,
+        "android.injected.version.name" => "2.5.3",
       }
     )
     upload_to_play_store(skip_upload_apk: true, skip_upload_images: true, skip_upload_screenshots: true, aab: '../build/app/outputs/bundle/release/app-release.aab')

mobile/ios/Podfile.lock

@@ -11,6 +11,40 @@ PODS:
     - FlutterMacOS
   - device_info_plus (0.0.1):
     - Flutter
+  - DKImagePickerController/Core (4.3.9):
+    - DKImagePickerController/ImageDataManager
+    - DKImagePickerController/Resource
+  - DKImagePickerController/ImageDataManager (4.3.9)
+  - DKImagePickerController/PhotoGallery (4.3.9):
+    - DKImagePickerController/Core
+    - DKPhotoGallery
+  - DKImagePickerController/Resource (4.3.9)
+  - DKPhotoGallery (0.0.19):
+    - DKPhotoGallery/Core (= 0.0.19)
+    - DKPhotoGallery/Model (= 0.0.19)
+    - DKPhotoGallery/Preview (= 0.0.19)
+    - DKPhotoGallery/Resource (= 0.0.19)
+    - SDWebImage
+    - SwiftyGif
+  - DKPhotoGallery/Core (0.0.19):
+    - DKPhotoGallery/Model
+    - DKPhotoGallery/Preview
+    - SDWebImage
+    - SwiftyGif
+  - DKPhotoGallery/Model (0.0.19):
+    - SDWebImage
+    - SwiftyGif
+  - DKPhotoGallery/Preview (0.0.19):
+    - DKPhotoGallery/Model
+    - DKPhotoGallery/Resource
+    - SDWebImage
+    - SwiftyGif
+  - DKPhotoGallery/Resource (0.0.19):
+    - SDWebImage
+    - SwiftyGif
+  - file_picker (0.0.1):
+    - DKImagePickerController/PhotoGallery
+    - Flutter
   - Flutter (1.0.0)
   - flutter_local_notifications (0.0.1):
     - Flutter
@@ -59,6 +93,9 @@ PODS:
     - Flutter
     - FlutterMacOS
   - SAMKeychain (1.5.3)
+  - SDWebImage (5.21.0):
+    - SDWebImage/Core (= 5.21.0)
+  - SDWebImage/Core (5.21.0)
   - share_handler_ios (0.0.14):
     - Flutter
     - share_handler_ios/share_handler_ios_models (= 0.0.14)
@@ -94,6 +131,7 @@ PODS:
     - sqlite3/fts5
     - sqlite3/perf-threadsafe
     - sqlite3/rtree
+  - SwiftyGif (5.4.5)
   - url_launcher_ios (0.0.1):
     - Flutter
   - wakelock_plus (0.0.1):
@@ -105,6 +143,7 @@ DEPENDENCIES:
   - connectivity_plus (from `.symlinks/plugins/connectivity_plus/ios`)
   - cupertino_http (from `.symlinks/plugins/cupertino_http/darwin`)
   - device_info_plus (from `.symlinks/plugins/device_info_plus/ios`)
+  - file_picker (from `.symlinks/plugins/file_picker/ios`)
   - Flutter (from `Flutter`)
   - flutter_local_notifications (from `.symlinks/plugins/flutter_local_notifications/ios`)
   - flutter_native_splash (from `.symlinks/plugins/flutter_native_splash/ios`)
@@ -137,9 +176,13 @@ DEPENDENCIES:
 
 SPEC REPOS:
   trunk:
+    - DKImagePickerController
+    - DKPhotoGallery
     - MapLibre
     - SAMKeychain
+    - SDWebImage
     - sqlite3
+    - SwiftyGif
 
 EXTERNAL SOURCES:
   background_downloader:
@@ -152,6 +195,8 @@ EXTERNAL SOURCES:
     :path: ".symlinks/plugins/cupertino_http/darwin"
   device_info_plus:
     :path: ".symlinks/plugins/device_info_plus/ios"
+  file_picker:
+    :path: ".symlinks/plugins/file_picker/ios"
   Flutter:
     :path: Flutter
   flutter_local_notifications:
@@ -217,6 +262,9 @@ SPEC CHECKSUMS:
   connectivity_plus: cb623214f4e1f6ef8fe7403d580fdad517d2f7dd
   cupertino_http: 94ac07f5ff090b8effa6c5e2c47871d48ab7c86c
   device_info_plus: 21fcca2080fbcd348be798aa36c3e5ed849eefbe
+  DKImagePickerController: 946cec48c7873164274ecc4624d19e3da4c1ef3c
+  DKPhotoGallery: b3834fecb755ee09a593d7c9e389d8b5d6deed60
+  file_picker: a0560bc09d61de87f12d246fc47d2119e6ef37be
   Flutter: cabc95a1d2626b1b06e7179b784ebcf0c0cde467
   flutter_local_notifications: ad39620c743ea4c15127860f4b5641649a988100
   flutter_native_splash: c32d145d68aeda5502d5f543ee38c192065986cf
@@ -240,6 +288,7 @@ SPEC CHECKSUMS:
   permission_handler_apple: 4ed2196e43d0651e8ff7ca3483a069d469701f2d
   photo_manager: 1d80ae07a89a67dfbcae95953a1e5a24af7c3e62
   SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c
+  SDWebImage: f84b0feeb08d2d11e6a9b843cb06d75ebf5b8868
   share_handler_ios: e2244e990f826b2c8eaa291ac3831569438ba0fb
   share_handler_ios_models: fc638c9b4330dc7f082586c92aee9dfa0b87b871
   share_plus: 50da8cb520a8f0f65671c6c6a99b3617ed10a58a
@@ -247,6 +296,7 @@ SPEC CHECKSUMS:
   sqflite_darwin: 20b2a3a3b70e43edae938624ce550a3cbf66a3d0
   sqlite3: fc1400008a9b3525f5914ed715a5d1af0b8f4983
   sqlite3_flutter_libs: f8fc13346870e73fe35ebf6dbb997fbcd156b241
+  SwiftyGif: 706c60cf65fa2bc5ee0313beece843c8eb8194d4
   url_launcher_ios: 694010445543906933d732453a59da0a173ae33d
   wakelock_plus: e29112ab3ef0b318e58cfa5c32326458be66b556
 

mobile/ios/Runner.xcodeproj/project.pbxproj

@@ -33,7 +33,6 @@
 		FE5499F42F1197D8006016CB /* RemoteImages.g.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F22F1197D8006016CB /* RemoteImages.g.swift */; };
 		FE5499F62F11980E006016CB /* LocalImagesImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F52F11980E006016CB /* LocalImagesImpl.swift */; };
 		FE5499F82F1198E2006016CB /* RemoteImagesImpl.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */; };
-		FE5FE4AE2F30FBC000A71243 /* ImageProcessing.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE5FE4AD2F30FBC000A71243 /* ImageProcessing.swift */; };
 		FEAFA8732E4D42F4001E47FE /* Thumbhash.swift in Sources */ = {isa = PBXBuildFile; fileRef = FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */; };
 		FEE084F82EC172460045228E /* SQLiteData in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084F72EC172460045228E /* SQLiteData */; };
 		FEE084FB2EC1725A0045228E /* RawStructuredFieldValues in Frameworks */ = {isa = PBXBuildFile; productRef = FEE084FA2EC1725A0045228E /* RawStructuredFieldValues */; };
@@ -125,7 +124,6 @@
 		FE5499F22F1197D8006016CB /* RemoteImages.g.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoteImages.g.swift; sourceTree = "<group>"; };
 		FE5499F52F11980E006016CB /* LocalImagesImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LocalImagesImpl.swift; sourceTree = "<group>"; };
 		FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoteImagesImpl.swift; sourceTree = "<group>"; };
-		FE5FE4AD2F30FBC000A71243 /* ImageProcessing.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ImageProcessing.swift; sourceTree = "<group>"; };
 		FEAFA8722E4D42F4001E47FE /* Thumbhash.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Thumbhash.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
@@ -327,7 +325,6 @@
 		FED3B1952E253E9B0030FD97 /* Images */ = {
 			isa = PBXGroup;
 			children = (
-				FE5FE4AD2F30FBC000A71243 /* ImageProcessing.swift */,
 				FE5499F72F1198DE006016CB /* RemoteImagesImpl.swift */,
 				FE5499F52F11980E006016CB /* LocalImagesImpl.swift */,
 				FE5499F12F1197D8006016CB /* LocalImages.g.swift */,
@@ -612,7 +609,6 @@
 				FE5499F32F1197D8006016CB /* LocalImages.g.swift in Sources */,
 				FE5499F62F11980E006016CB /* LocalImagesImpl.swift in Sources */,
 				FE5499F42F1197D8006016CB /* RemoteImages.g.swift in Sources */,
-				FE5FE4AE2F30FBC000A71243 /* ImageProcessing.swift in Sources */,
 				B25D377A2E72CA15008B6CA7 /* Connectivity.g.swift in Sources */,
 				FE5499F82F1198E2006016CB /* RemoteImagesImpl.swift in Sources */,
 				FEAFA8732E4D42F4001E47FE /* Thumbhash.swift in Sources */,

mobile/ios/Runner/AppDelegate.swift

@@ -15,12 +15,12 @@ import UIKit
   ) -> Bool {
     // Required for flutter_local_notification
     if #available(iOS 10.0, *) {
-      UNUserNotificationCenter.current().delegate = self as UNUserNotificationCenterDelegate
+      UNUserNotificationCenter.current().delegate = self as? UNUserNotificationCenterDelegate
     }
 
     GeneratedPluginRegistrant.register(with: self)
     let controller: FlutterViewController = window?.rootViewController as! FlutterViewController
-    AppDelegate.registerPlugins(with: controller.engine, controller: controller)
+    AppDelegate.registerPlugins(with: controller.engine)
     BackgroundServicePlugin.register(with: self.registrar(forPlugin: "BackgroundServicePlugin")!)
 
     BackgroundServicePlugin.registerBackgroundProcessing()
@@ -51,13 +51,12 @@ import UIKit
     return super.application(application, didFinishLaunchingWithOptions: launchOptions)
   }
   
-  public static func registerPlugins(with engine: FlutterEngine, controller: FlutterViewController?) {
+  public static func registerPlugins(with engine: FlutterEngine) {
     NativeSyncApiImpl.register(with: engine.registrar(forPlugin: NativeSyncApiImpl.name)!)
     LocalImageApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: LocalImageApiImpl())
     RemoteImageApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: RemoteImageApiImpl())
     BackgroundWorkerFgHostApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: BackgroundWorkerApiImpl())
     ConnectivityApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: ConnectivityApiImpl())
-    NetworkApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: NetworkApiImpl(viewController: controller))
   }
   
   public static func cancelPlugins(with engine: FlutterEngine) {

mobile/ios/Runner/Background/BackgroundWorker.swift

@@ -95,7 +95,7 @@ class BackgroundWorker: BackgroundWorkerBgHostApi {
     // Register plugins in the new engine
     GeneratedPluginRegistrant.register(with: engine)
     // Register custom plugins
-    AppDelegate.registerPlugins(with: engine, controller: nil)
+    AppDelegate.registerPlugins(with: engine)
     flutterApi = BackgroundWorkerFlutterApi(binaryMessenger: engine.binaryMessenger)
     BackgroundWorkerBgHostApiSetup.setUp(binaryMessenger: engine.binaryMessenger, api: self)
     

mobile/ios/Runner/Core/Network.g.swift

@@ -1,284 +0,0 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
-// See also: https://pub.dev/packages/pigeon
-
-import Foundation
-
-#if os(iOS)
-  import Flutter
-#elseif os(macOS)
-  import FlutterMacOS
-#else
-  #error("Unsupported platform.")
-#endif
-
-private func wrapResult(_ result: Any?) -> [Any?] {
-  return [result]
-}
-
-private func wrapError(_ error: Any) -> [Any?] {
-  if let pigeonError = error as? PigeonError {
-    return [
-      pigeonError.code,
-      pigeonError.message,
-      pigeonError.details,
-    ]
-  }
-  if let flutterError = error as? FlutterError {
-    return [
-      flutterError.code,
-      flutterError.message,
-      flutterError.details,
-    ]
-  }
-  return [
-    "\(error)",
-    "\(type(of: error))",
-    "Stacktrace: \(Thread.callStackSymbols)",
-  ]
-}
-
-private func isNullish(_ value: Any?) -> Bool {
-  return value is NSNull || value == nil
-}
-
-private func nilOrValue<T>(_ value: Any?) -> T? {
-  if value is NSNull { return nil }
-  return value as! T?
-}
-
-func deepEqualsNetwork(_ lhs: Any?, _ rhs: Any?) -> Bool {
-  let cleanLhs = nilOrValue(lhs) as Any?
-  let cleanRhs = nilOrValue(rhs) as Any?
-  switch (cleanLhs, cleanRhs) {
-  case (nil, nil):
-    return true
-
-  case (nil, _), (_, nil):
-    return false
-
-  case is (Void, Void):
-    return true
-
-  case let (cleanLhsHashable, cleanRhsHashable) as (AnyHashable, AnyHashable):
-    return cleanLhsHashable == cleanRhsHashable
-
-  case let (cleanLhsArray, cleanRhsArray) as ([Any?], [Any?]):
-    guard cleanLhsArray.count == cleanRhsArray.count else { return false }
-    for (index, element) in cleanLhsArray.enumerated() {
-      if !deepEqualsNetwork(element, cleanRhsArray[index]) {
-        return false
-      }
-    }
-    return true
-
-  case let (cleanLhsDictionary, cleanRhsDictionary) as ([AnyHashable: Any?], [AnyHashable: Any?]):
-    guard cleanLhsDictionary.count == cleanRhsDictionary.count else { return false }
-    for (key, cleanLhsValue) in cleanLhsDictionary {
-      guard cleanRhsDictionary.index(forKey: key) != nil else { return false }
-      if !deepEqualsNetwork(cleanLhsValue, cleanRhsDictionary[key]!) {
-        return false
-      }
-    }
-    return true
-
-  default:
-    // Any other type shouldn't be able to be used with pigeon. File an issue if you find this to be untrue.
-    return false
-  }
-}
-
-func deepHashNetwork(value: Any?, hasher: inout Hasher) {
-  if let valueList = value as? [AnyHashable] {
-     for item in valueList { deepHashNetwork(value: item, hasher: &hasher) }
-     return
-  }
-
-  if let valueDict = value as? [AnyHashable: AnyHashable] {
-    for key in valueDict.keys { 
-      hasher.combine(key)
-      deepHashNetwork(value: valueDict[key]!, hasher: &hasher)
-    }
-    return
-  }
-
-  if let hashableValue = value as? AnyHashable {
-    hasher.combine(hashableValue.hashValue)
-  }
-
-  return hasher.combine(String(describing: value))
-}
-
-    
-
-/// Generated class from Pigeon that represents data sent in messages.
-struct ClientCertData: Hashable {
-  var data: FlutterStandardTypedData
-  var password: String
-
-
-  // swift-format-ignore: AlwaysUseLowerCamelCase
-  static func fromList(_ pigeonVar_list: [Any?]) -> ClientCertData? {
-    let data = pigeonVar_list[0] as! FlutterStandardTypedData
-    let password = pigeonVar_list[1] as! String
-
-    return ClientCertData(
-      data: data,
-      password: password
-    )
-  }
-  func toList() -> [Any?] {
-    return [
-      data,
-      password,
-    ]
-  }
-  static func == (lhs: ClientCertData, rhs: ClientCertData) -> Bool {
-    return deepEqualsNetwork(lhs.toList(), rhs.toList())  }
-  func hash(into hasher: inout Hasher) {
-    deepHashNetwork(value: toList(), hasher: &hasher)
-  }
-}
-
-/// Generated class from Pigeon that represents data sent in messages.
-struct ClientCertPrompt: Hashable {
-  var title: String
-  var message: String
-  var cancel: String
-  var confirm: String
-
-
-  // swift-format-ignore: AlwaysUseLowerCamelCase
-  static func fromList(_ pigeonVar_list: [Any?]) -> ClientCertPrompt? {
-    let title = pigeonVar_list[0] as! String
-    let message = pigeonVar_list[1] as! String
-    let cancel = pigeonVar_list[2] as! String
-    let confirm = pigeonVar_list[3] as! String
-
-    return ClientCertPrompt(
-      title: title,
-      message: message,
-      cancel: cancel,
-      confirm: confirm
-    )
-  }
-  func toList() -> [Any?] {
-    return [
-      title,
-      message,
-      cancel,
-      confirm,
-    ]
-  }
-  static func == (lhs: ClientCertPrompt, rhs: ClientCertPrompt) -> Bool {
-    return deepEqualsNetwork(lhs.toList(), rhs.toList())  }
-  func hash(into hasher: inout Hasher) {
-    deepHashNetwork(value: toList(), hasher: &hasher)
-  }
-}
-
-private class NetworkPigeonCodecReader: FlutterStandardReader {
-  override func readValue(ofType type: UInt8) -> Any? {
-    switch type {
-    case 129:
-      return ClientCertData.fromList(self.readValue() as! [Any?])
-    case 130:
-      return ClientCertPrompt.fromList(self.readValue() as! [Any?])
-    default:
-      return super.readValue(ofType: type)
-    }
-  }
-}
-
-private class NetworkPigeonCodecWriter: FlutterStandardWriter {
-  override func writeValue(_ value: Any) {
-    if let value = value as? ClientCertData {
-      super.writeByte(129)
-      super.writeValue(value.toList())
-    } else if let value = value as? ClientCertPrompt {
-      super.writeByte(130)
-      super.writeValue(value.toList())
-    } else {
-      super.writeValue(value)
-    }
-  }
-}
-
-private class NetworkPigeonCodecReaderWriter: FlutterStandardReaderWriter {
-  override func reader(with data: Data) -> FlutterStandardReader {
-    return NetworkPigeonCodecReader(data: data)
-  }
-
-  override func writer(with data: NSMutableData) -> FlutterStandardWriter {
-    return NetworkPigeonCodecWriter(data: data)
-  }
-}
-
-class NetworkPigeonCodec: FlutterStandardMessageCodec, @unchecked Sendable {
-  static let shared = NetworkPigeonCodec(readerWriter: NetworkPigeonCodecReaderWriter())
-}
-
-
-/// Generated protocol from Pigeon that represents a handler of messages from Flutter.
-protocol NetworkApi {
-  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, Error>) -> Void)
-  func selectCertificate(promptText: ClientCertPrompt, completion: @escaping (Result<ClientCertData, Error>) -> Void)
-  func removeCertificate(completion: @escaping (Result<Void, Error>) -> Void)
-}
-
-/// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
-class NetworkApiSetup {
-  static var codec: FlutterStandardMessageCodec { NetworkPigeonCodec.shared }
-  /// Sets up an instance of `NetworkApi` to handle messages through the `binaryMessenger`.
-  static func setUp(binaryMessenger: FlutterBinaryMessenger, api: NetworkApi?, messageChannelSuffix: String = "") {
-    let channelSuffix = messageChannelSuffix.count > 0 ? ".\(messageChannelSuffix)" : ""
-    let addCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-    if let api = api {
-      addCertificateChannel.setMessageHandler { message, reply in
-        let args = message as! [Any?]
-        let clientDataArg = args[0] as! ClientCertData
-        api.addCertificate(clientData: clientDataArg) { result in
-          switch result {
-          case .success:
-            reply(wrapResult(nil))
-          case .failure(let error):
-            reply(wrapError(error))
-          }
-        }
-      }
-    } else {
-      addCertificateChannel.setMessageHandler(nil)
-    }
-    let selectCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-    if let api = api {
-      selectCertificateChannel.setMessageHandler { message, reply in
-        let args = message as! [Any?]
-        let promptTextArg = args[0] as! ClientCertPrompt
-        api.selectCertificate(promptText: promptTextArg) { result in
-          switch result {
-          case .success(let res):
-            reply(wrapResult(res))
-          case .failure(let error):
-            reply(wrapError(error))
-          }
-        }
-      }
-    } else {
-      selectCertificateChannel.setMessageHandler(nil)
-    }
-    let removeCertificateChannel = FlutterBasicMessageChannel(name: "dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate\(channelSuffix)", binaryMessenger: binaryMessenger, codec: codec)
-    if let api = api {
-      removeCertificateChannel.setMessageHandler { _, reply in
-        api.removeCertificate { result in
-          switch result {
-          case .success:
-            reply(wrapResult(nil))
-          case .failure(let error):
-            reply(wrapError(error))
-          }
-        }
-      }
-    } else {
-      removeCertificateChannel.setMessageHandler(nil)
-    }
-  }
-}

mobile/ios/Runner/Core/NetworkApiImpl.swift

@@ -1,157 +0,0 @@
-import Foundation
-import UniformTypeIdentifiers
-
-enum ImportError: Error {
-  case noFile
-  case noViewController
-  case keychainError(OSStatus)
-  case cancelled
-}
-
-class NetworkApiImpl: NetworkApi {
-  weak var viewController: UIViewController?
-  private var activeImporter: CertImporter?
-  
-  init(viewController: UIViewController?) {
-    self.viewController = viewController
-  }
-  
-  func selectCertificate(promptText: ClientCertPrompt, completion: @escaping (Result<ClientCertData, any Error>) -> Void) {
-    let importer = CertImporter(promptText: promptText, completion: { [weak self] result in
-      self?.activeImporter = nil
-      completion(result.map { ClientCertData(data: FlutterStandardTypedData(bytes: $0.0), password: $0.1) })
-    }, viewController: viewController)
-    activeImporter = importer
-    importer.load()
-  }
-  
-  func removeCertificate(completion: @escaping (Result<Void, any Error>) -> Void) {
-    let status = clearCerts()
-    if status == errSecSuccess || status == errSecItemNotFound {
-      return completion(.success(()))
-    }
-    completion(.failure(ImportError.keychainError(status)))
-  }
-  
-  func addCertificate(clientData: ClientCertData, completion: @escaping (Result<Void, any Error>) -> Void) {
-    let status = importCert(clientData: clientData.data.data, password: clientData.password)
-    if status == errSecSuccess {
-      return completion(.success(()))
-    }
-    completion(.failure(ImportError.keychainError(status)))
-  }
-}
-
-private class CertImporter: NSObject, UIDocumentPickerDelegate {
-  private let promptText: ClientCertPrompt
-  private var completion: ((Result<(Data, String), Error>) -> Void)
-  private weak var viewController: UIViewController?
-  
-  init(promptText: ClientCertPrompt, completion: (@escaping (Result<(Data, String), Error>) -> Void), viewController: UIViewController?) {
-    self.promptText = promptText
-    self.completion = completion
-    self.viewController = viewController
-  }
-  
-  func load() {
-    guard let vc = viewController else { return completion(.failure(ImportError.noViewController)) }
-    let picker = UIDocumentPickerViewController(forOpeningContentTypes: [
-      UTType(filenameExtension: "p12")!,
-      UTType(filenameExtension: "pfx")!,
-    ])
-    picker.delegate = self
-    picker.allowsMultipleSelection = false
-    vc.present(picker, animated: true)
-  }
-  
-  func documentPicker(_ controller: UIDocumentPickerViewController, didPickDocumentsAt urls: [URL]) {
-    guard let url = urls.first else {
-      return completion(.failure(ImportError.noFile))
-    }
-    
-    Task { @MainActor in
-      do {
-        let data = try readSecurityScoped(url: url)
-        guard let password = await promptForPassword() else {
-          return completion(.failure(ImportError.cancelled))
-        }
-        let status = importCert(clientData: data, password: password)
-        if status != errSecSuccess {
-          return completion(.failure(ImportError.keychainError(status)))
-        }
-        
-        await URLSessionManager.shared.session.flush()
-        self.completion(.success((data, password)))
-      } catch {
-        completion(.failure(error))
-      }
-    }
-  }
-  
-  func documentPickerWasCancelled(_ controller: UIDocumentPickerViewController) {
-    completion(.failure(ImportError.cancelled))
-  }
-  
-  private func promptForPassword() async -> String? {
-    guard let vc = viewController else { return nil }
-    
-    return await withCheckedContinuation { continuation in
-      let alert = UIAlertController(
-        title: promptText.title,
-        message: promptText.message,
-        preferredStyle: .alert
-      )
-      
-      alert.addTextField { $0.isSecureTextEntry = true }
-      
-      alert.addAction(UIAlertAction(title: promptText.cancel, style: .cancel) { _ in
-        continuation.resume(returning: nil)
-      })
-      
-      alert.addAction(UIAlertAction(title: promptText.confirm, style: .default) { _ in
-        continuation.resume(returning: alert.textFields?.first?.text ?? "")
-      })
-      
-      vc.present(alert, animated: true)
-    }
-  }
-  
-  private func readSecurityScoped(url: URL) throws -> Data {
-    guard url.startAccessingSecurityScopedResource() else {
-      throw ImportError.noFile
-    }
-    defer { url.stopAccessingSecurityScopedResource() }
-    return try Data(contentsOf: url)
-  }
-}
-
-private func importCert(clientData: Data, password: String) -> OSStatus {
-  let options = [kSecImportExportPassphrase: password] as CFDictionary
-  var items: CFArray?
-  let status = SecPKCS12Import(clientData as CFData, options, &items)
-  
-  guard status == errSecSuccess,
-        let array = items as? [[String: Any]],
-        let first = array.first,
-        let identity = first[kSecImportItemIdentity as String] else {
-    return status
-  }
-  
-  clearCerts()
-  
-  let addQuery: [String: Any] = [
-    kSecClass as String: kSecClassIdentity,
-    kSecValueRef as String: identity,
-    kSecAttrLabel as String: CLIENT_CERT_LABEL,
-    kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
-  ]
-  return SecItemAdd(addQuery as CFDictionary, nil)
-}
-
-@discardableResult private func clearCerts() -> OSStatus {
-  let deleteQuery: [String: Any] = [
-    kSecClass as String: kSecClassIdentity,
-    kSecAttrLabel as String: CLIENT_CERT_LABEL,
-  ]
-  return SecItemDelete(deleteQuery as CFDictionary)
-}

mobile/ios/Runner/Core/URLSessionManager.swift

@@ -1,87 +0,0 @@
-import Foundation
-
-let CLIENT_CERT_LABEL = "app.alextran.immich.client_identity"
-
-/// Manages a shared URLSession with SSL configuration support.
-class URLSessionManager: NSObject {
-  static let shared = URLSessionManager()
-  
-  let session: URLSession
-  private let configuration = {
-    let config = URLSessionConfiguration.default
-    
-    let cacheDir = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask)
-      .first!
-      .appendingPathComponent("api", isDirectory: true)
-    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
-    
-    config.urlCache = URLCache(
-      memoryCapacity: 0,
-      diskCapacity: 1024 * 1024 * 1024,
-      directory: cacheDir
-    )
-    
-    config.httpMaximumConnectionsPerHost = 64
-    config.timeoutIntervalForRequest = 60
-    config.timeoutIntervalForResource = 300
-    
-    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
-    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
-    
-    return config
-  }()
-  
-  private override init() {
-    session = URLSession(configuration: configuration, delegate: URLSessionManagerDelegate(), delegateQueue: nil)
-    super.init()
-  }
-}
-
-class URLSessionManagerDelegate: NSObject, URLSessionTaskDelegate {
-  func urlSession(
-    _ session: URLSession,
-    didReceive challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    handleChallenge(challenge, completionHandler: completionHandler)
-  }
-  
-  func urlSession(
-    _ session: URLSession,
-    task: URLSessionTask,
-    didReceive challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    handleChallenge(challenge, completionHandler: completionHandler)
-  }
-  
-  func handleChallenge(
-    _ challenge: URLAuthenticationChallenge,
-    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    switch challenge.protectionSpace.authenticationMethod {
-    case NSURLAuthenticationMethodClientCertificate: handleClientCertificate(completion: completionHandler)
-    default: completionHandler(.performDefaultHandling, nil)
-    }
-  }
-  
-  private func handleClientCertificate(
-    completion: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
-  ) {
-    let query: [String: Any] = [
-      kSecClass as String: kSecClassIdentity,
-      kSecAttrLabel as String: CLIENT_CERT_LABEL,
-      kSecReturnRef as String: true,
-    ]
-    
-    var item: CFTypeRef?
-    let status = SecItemCopyMatching(query as CFDictionary, &item)
-    if status == errSecSuccess, let identity = item {
-      let credential = URLCredential(identity: identity as! SecIdentity,
-                                     certificates: nil,
-                                     persistence: .forSession)
-      return completion(.useCredential, credential)
-    }
-    completion(.performDefaultHandling, nil)
-  }
-}

mobile/ios/Runner/Images/ImageProcessing.swift

@@ -1,7 +0,0 @@
-import Foundation
-
-enum ImageProcessing {
-  static let queue = DispatchQueue(label: "thumbnail.processing", qos: .userInitiated, attributes: .concurrent)
-  static let semaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
-  static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
-}

mobile/ios/Runner/Images/LocalImagesImpl.swift

@@ -34,6 +34,7 @@ class LocalImageApiImpl: LocalImageApi {
   private static let assetQueue = DispatchQueue(label: "thumbnail.assets", qos: .userInitiated)
   private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated)
   private static let cancelQueue = DispatchQueue(label: "thumbnail.cancellation", qos: .default)
+  private static let processingQueue = DispatchQueue(label: "thumbnail.processing", qos: .userInteractive, attributes: .concurrent)
   
   private static var rgbaFormat = vImage_CGImageFormat(
     bitsPerComponent: 8,
@@ -43,6 +44,8 @@ class LocalImageApiImpl: LocalImageApi {
     renderingIntent: .defaultIntent
   )!
   private static var requests = [Int64: LocalImageRequest]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
+  private static let concurrencySemaphore = DispatchSemaphore(value: ProcessInfo.processInfo.activeProcessorCount * 2)
   private static let assetCache = {
     let assetCache = NSCache<NSString, PHAsset>()
     assetCache.countLimit = 10000
@@ -50,7 +53,7 @@ class LocalImageApiImpl: LocalImageApi {
   }()
   
   func getThumbhash(thumbhash: String, completion: @escaping (Result<[String : Int64], any Error>) -> Void) {
-    ImageProcessing.queue.async {
+    Self.processingQueue.async {
       guard let data = Data(base64Encoded: thumbhash)
       else { return completion(.failure(PigeonError(code: "", message: "Invalid base64 string: \(thumbhash)", details: nil)))}
       
@@ -68,16 +71,16 @@ class LocalImageApiImpl: LocalImageApi {
     let request = LocalImageRequest(callback: completion)
     let item = DispatchWorkItem {
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
-      ImageProcessing.semaphore.wait()
+      Self.concurrencySemaphore.wait()
       defer {
-        ImageProcessing.semaphore.signal()
+        Self.concurrencySemaphore.signal()
       }
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       guard let asset = Self.requestAsset(assetId: assetId)
@@ -88,7 +91,7 @@ class LocalImageApiImpl: LocalImageApi {
       }
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       var image: UIImage?
@@ -103,7 +106,7 @@ class LocalImageApiImpl: LocalImageApi {
       )
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       guard let image = image,
@@ -113,7 +116,7 @@ class LocalImageApiImpl: LocalImageApi {
       }
       
       if request.isCancelled {
-        return completion(ImageProcessing.cancelledResult)
+        return completion(Self.cancelledResult)
       }
       
       do {
@@ -121,7 +124,7 @@ class LocalImageApiImpl: LocalImageApi {
         
         if request.isCancelled {
           buffer.free()
-          return completion(ImageProcessing.cancelledResult)
+          return completion(Self.cancelledResult)
         }
         
         request.callback(.success([
@@ -130,6 +133,7 @@ class LocalImageApiImpl: LocalImageApi {
           "height": Int64(buffer.height),
           "rowBytes": Int64(buffer.rowBytes)
         ]))
+        print("Successful response for \(requestId)")
         Self.remove(requestId: requestId)
       } catch {
         Self.remove(requestId: requestId)
@@ -139,7 +143,7 @@ class LocalImageApiImpl: LocalImageApi {
     
     request.workItem = item
     Self.add(requestId: requestId, request: request)
-    ImageProcessing.queue.async(execute: item)
+    Self.processingQueue.async(execute: item)
   }
   
   func cancelRequest(requestId: Int64) {
@@ -160,7 +164,7 @@ class LocalImageApiImpl: LocalImageApi {
       request.isCancelled = true
       guard let item = request.workItem else { return }
       if item.isCancelled {
-        cancelQueue.async { request.callback(ImageProcessing.cancelledResult) }
+        cancelQueue.async { request.callback(Self.cancelledResult) }
       }
     }
   }

mobile/ios/Runner/Images/RemoteImagesImpl.swift

@@ -7,18 +7,64 @@ class RemoteImageRequest {
   weak var task: URLSessionDataTask?
   let id: Int64
   var isCancelled = false
+  var data: CFMutableData?
   let completion: (Result<[String: Int64]?, any Error>) -> Void
   
   init(id: Int64, task: URLSessionDataTask, completion: @escaping (Result<[String: Int64]?, any Error>) -> Void) {
     self.id = id
     self.task = task
+    self.data = nil
     self.completion = completion
   }
 }
 
 class RemoteImageApiImpl: NSObject, RemoteImageApi {
-  private static var lock = os_unfair_lock()
-  private static var requests = [Int64: RemoteImageRequest]()
+  private static let delegate = RemoteImageApiDelegate()
+  static let session = {
+    let cacheDir = FileManager.default.temporaryDirectory.appendingPathComponent("thumbnails", isDirectory: true)
+    let config = URLSessionConfiguration.default
+    config.requestCachePolicy = .returnCacheDataElseLoad
+    let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "unknown"
+    config.httpAdditionalHeaders = ["User-Agent": "Immich_iOS_\(version)"]
+    try! FileManager.default.createDirectory(at: cacheDir, withIntermediateDirectories: true)
+    config.urlCache = URLCache(
+      memoryCapacity: 0,
+      diskCapacity: 1 << 30,
+      directory: cacheDir
+    )
+    config.httpMaximumConnectionsPerHost = 64
+    return URLSession(configuration: config, delegate: delegate, delegateQueue: nil)
+  }()
+  
+  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
+    var urlRequest = URLRequest(url: URL(string: url)!)
+    for (key, value) in headers {
+      urlRequest.setValue(value, forHTTPHeaderField: key)
+    }
+    let task = Self.session.dataTask(with: urlRequest)
+    
+    let imageRequest = RemoteImageRequest(id: requestId, task: task, completion: completion)
+    Self.delegate.add(taskId: task.taskIdentifier, request: imageRequest)
+    
+    task.resume()
+  }
+  
+  func cancelRequest(requestId: Int64) {
+    Self.delegate.cancel(requestId: requestId)
+  }
+  
+  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
+    Task {
+      let cache = Self.session.configuration.urlCache!
+      let cacheSize = Int64(cache.currentDiskUsage)
+      cache.removeAllCachedResponses()
+      completion(.success(cacheSize))
+    }
+  }
+}
+
+class RemoteImageApiDelegate: NSObject, URLSessionDataDelegate {
+  private static let requestQueue = DispatchQueue(label: "thumbnail.requests", qos: .userInitiated, attributes: .concurrent)
   private static var rgbaFormat = vImage_CGImageFormat(
     bitsPerComponent: 8,
     bitsPerPixel: 32,
@@ -26,6 +72,9 @@ class RemoteImageApiImpl: NSObject, RemoteImageApi {
     bitmapInfo: CGBitmapInfo(rawValue: CGImageAlphaInfo.premultipliedLast.rawValue),
     renderingIntent: .perceptual
   )!
+  private static var requestByTaskId = [Int: RemoteImageRequest]()
+  private static var taskIdByRequestId = [Int64: Int]()
+  private static let cancelledResult = Result<[String: Int64]?, any Error>.success(nil)
   private static let decodeOptions = [
     kCGImageSourceShouldCache: false,
     kCGImageSourceShouldCacheImmediately: true,
@@ -33,103 +82,105 @@ class RemoteImageApiImpl: NSObject, RemoteImageApi {
     kCGImageSourceCreateThumbnailFromImageAlways: true
   ] as CFDictionary
   
-  func requestImage(url: String, headers: [String : String], requestId: Int64, completion: @escaping (Result<[String : Int64]?, any Error>) -> Void) {
-    var urlRequest = URLRequest(url: URL(string: url)!)
-    urlRequest.cachePolicy = .returnCacheDataElseLoad
-    for (key, value) in headers {
-      urlRequest.setValue(value, forHTTPHeaderField: key)
+  func urlSession(
+    _ session: URLSession, dataTask: URLSessionDataTask,
+    didReceive response: URLResponse,
+    completionHandler: @escaping (URLSession.ResponseDisposition) -> Void
+  ) {
+    guard let request = get(taskId: dataTask.taskIdentifier)
+    else {
+      return completionHandler(.cancel)
     }
     
-    let task = URLSessionManager.shared.session.dataTask(with: urlRequest) { data, response, error in
-      Self.handleCompletion(requestId: requestId, data: data, response: response, error: error)
-    }
+    let capacity = max(Int(response.expectedContentLength), 0)
+    request.data = CFDataCreateMutable(nil, capacity)
     
-    let request = RemoteImageRequest(id: requestId, task: task, completion: completion)
-    
-    os_unfair_lock_lock(&Self.lock)
-    Self.requests[requestId] = request
-    os_unfair_lock_unlock(&Self.lock)
-    
-    task.resume()
+    completionHandler(.allow)
   }
   
-  private static func handleCompletion(requestId: Int64, data: Data?, response: URLResponse?, error: Error?) {
-    os_unfair_lock_lock(&Self.lock)
-    guard let request = requests[requestId] else {
-      return os_unfair_lock_unlock(&Self.lock)
+  func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
+                  didReceive data: Data) {
+    guard let request = get(taskId: dataTask.taskIdentifier) else { return }
+    
+    data.withUnsafeBytes { bytes in
+      CFDataAppendBytes(request.data, bytes.bindMemory(to: UInt8.self).baseAddress, data.count)
     }
-    requests[requestId] = nil
-    os_unfair_lock_unlock(&Self.lock)
+  }
+  
+  func urlSession(_ session: URLSession, task: URLSessionTask,
+                  didCompleteWithError error: Error?) {
+    guard let request = get(taskId: task.taskIdentifier) else { return }
+        
+    defer { remove(taskId: task.taskIdentifier, requestId: request.id) }
     
     if let error = error {
       if request.isCancelled || (error as NSError).code == NSURLErrorCancelled {
-        return request.completion(ImageProcessing.cancelledResult)
+        return request.completion(Self.cancelledResult)
       }
       return request.completion(.failure(error))
     }
     
     if request.isCancelled {
-      return request.completion(ImageProcessing.cancelledResult)
+      return request.completion(Self.cancelledResult)
     }
     
-    guard let data = data else {
+    guard let data = request.data else {
       return request.completion(.failure(PigeonError(code: "", message: "No data received", details: nil)))
     }
     
-    ImageProcessing.queue.async {
-      ImageProcessing.semaphore.wait()
-      defer { ImageProcessing.semaphore.signal() }
+    guard let imageSource = CGImageSourceCreateWithData(data, nil),
+          let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, Self.decodeOptions) else {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
+    }
+    
+    if request.isCancelled {
+      return request.completion(Self.cancelledResult)
+    }
+    
+    do {
+      let buffer = try vImage_Buffer(cgImage: cgImage, format: Self.rgbaFormat)
       
       if request.isCancelled {
-        return request.completion(ImageProcessing.cancelledResult)
+        buffer.free()
+        return request.completion(Self.cancelledResult)
       }
       
-      guard let imageSource = CGImageSourceCreateWithData(data as CFData, nil),
-            let cgImage = CGImageSourceCreateThumbnailAtIndex(imageSource, 0, decodeOptions) else {
-        return request.completion(.failure(PigeonError(code: "", message: "Failed to decode image for request", details: nil)))
-      }
-      
-      if request.isCancelled {
-        return request.completion(ImageProcessing.cancelledResult)
-      }
-      
-      do {
-        let buffer = try vImage_Buffer(cgImage: cgImage, format: rgbaFormat)
-        
-        if request.isCancelled {
-          buffer.free()
-          return request.completion(ImageProcessing.cancelledResult)
-        }
-        
-        request.completion(
-          .success([
-            "pointer": Int64(Int(bitPattern: buffer.data)),
-            "width": Int64(buffer.width),
-            "height": Int64(buffer.height),
-            "rowBytes": Int64(buffer.rowBytes),
-          ]))
-      } catch {
-        return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
-      }
+      request.completion(
+        .success([
+          "pointer": Int64(Int(bitPattern: buffer.data)),
+          "width": Int64(buffer.width),
+          "height": Int64(buffer.height),
+          "rowBytes": Int64(buffer.rowBytes),
+        ]))
+    } catch {
+      return request.completion(.failure(PigeonError(code: "", message: "Failed to convert image for request: \(error)", details: nil)))
     }
   }
   
-  func cancelRequest(requestId: Int64) {
-    os_unfair_lock_lock(&Self.lock)
-    let request = Self.requests[requestId]
-    os_unfair_lock_unlock(&Self.lock)
-    
-    guard let request = request else { return }
+  @inline(__always) func get(taskId: Int) -> RemoteImageRequest? {
+    Self.requestQueue.sync { Self.requestByTaskId[taskId] }
+  }
+  
+  @inline(__always) func add(taskId: Int, request: RemoteImageRequest) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.requestByTaskId[taskId] = request
+      Self.taskIdByRequestId[request.id] = taskId
+    }
+  }
+  
+  @inline(__always) func remove(taskId: Int, requestId: Int64) -> Void {
+    Self.requestQueue.async(flags: .barrier) {
+      Self.taskIdByRequestId[requestId] = nil
+      Self.requestByTaskId[taskId] = nil
+    }
+  }
+  
+  @inline(__always) func cancel(requestId: Int64) -> Void {
+    guard let request: RemoteImageRequest = (Self.requestQueue.sync {
+      guard let taskId = Self.taskIdByRequestId[requestId] else { return nil }
+      return Self.requestByTaskId[taskId]
+    }) else { return }
     request.isCancelled = true
     request.task?.cancel()
   }
-  
-  func clearCache(completion: @escaping (Result<Int64, any Error>) -> Void) {
-    Task {
-      let cache = URLSessionManager.shared.session.configuration.urlCache!
-      let cacheSize = Int64(cache.currentDiskUsage)
-      cache.removeAllCachedResponses()
-      completion(.success(cacheSize))
-    }
-  }
 }

mobile/ios/Runner/Info.plist

@@ -80,7 +80,7 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2.5.2</string>
+	<string>2.5.3</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleURLTypes</key>

mobile/lib/domain/services/background_worker.service.dart

@@ -88,7 +88,7 @@ class BackgroundWorkerBgService extends BackgroundWorkerFlutterApi {
 
   Future<void> init() async {
     try {
-      HttpSSLOptions.apply();
+      HttpSSLOptions.apply(applyNative: false);
 
       await Future.wait(
         [

mobile/lib/platform/network_api.g.dart

@@ -1,232 +0,0 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
-// See also: https://pub.dev/packages/pigeon
-// ignore_for_file: public_member_api_docs, non_constant_identifier_names, avoid_as, unused_import, unnecessary_parenthesis, prefer_null_aware_operators, omit_local_variable_types, unused_shown_name, unnecessary_import, no_leading_underscores_for_local_identifiers
-
-import 'dart:async';
-import 'dart:typed_data' show Float64List, Int32List, Int64List, Uint8List;
-
-import 'package:flutter/foundation.dart' show ReadBuffer, WriteBuffer;
-import 'package:flutter/services.dart';
-
-PlatformException _createConnectionError(String channelName) {
-  return PlatformException(
-    code: 'channel-error',
-    message: 'Unable to establish connection on channel: "$channelName".',
-  );
-}
-
-bool _deepEquals(Object? a, Object? b) {
-  if (a is List && b is List) {
-    return a.length == b.length && a.indexed.every(((int, dynamic) item) => _deepEquals(item.$2, b[item.$1]));
-  }
-  if (a is Map && b is Map) {
-    return a.length == b.length &&
-        a.entries.every(
-          (MapEntry<Object?, Object?> entry) =>
-              (b as Map<Object?, Object?>).containsKey(entry.key) && _deepEquals(entry.value, b[entry.key]),
-        );
-  }
-  return a == b;
-}
-
-class ClientCertData {
-  ClientCertData({required this.data, required this.password});
-
-  Uint8List data;
-
-  String password;
-
-  List<Object?> _toList() {
-    return <Object?>[data, password];
-  }
-
-  Object encode() {
-    return _toList();
-  }
-
-  static ClientCertData decode(Object result) {
-    result as List<Object?>;
-    return ClientCertData(data: result[0]! as Uint8List, password: result[1]! as String);
-  }
-
-  @override
-  // ignore: avoid_equals_and_hash_code_on_mutable_classes
-  bool operator ==(Object other) {
-    if (other is! ClientCertData || other.runtimeType != runtimeType) {
-      return false;
-    }
-    if (identical(this, other)) {
-      return true;
-    }
-    return _deepEquals(encode(), other.encode());
-  }
-
-  @override
-  // ignore: avoid_equals_and_hash_code_on_mutable_classes
-  int get hashCode => Object.hashAll(_toList());
-}
-
-class ClientCertPrompt {
-  ClientCertPrompt({required this.title, required this.message, required this.cancel, required this.confirm});
-
-  String title;
-
-  String message;
-
-  String cancel;
-
-  String confirm;
-
-  List<Object?> _toList() {
-    return <Object?>[title, message, cancel, confirm];
-  }
-
-  Object encode() {
-    return _toList();
-  }
-
-  static ClientCertPrompt decode(Object result) {
-    result as List<Object?>;
-    return ClientCertPrompt(
-      title: result[0]! as String,
-      message: result[1]! as String,
-      cancel: result[2]! as String,
-      confirm: result[3]! as String,
-    );
-  }
-
-  @override
-  // ignore: avoid_equals_and_hash_code_on_mutable_classes
-  bool operator ==(Object other) {
-    if (other is! ClientCertPrompt || other.runtimeType != runtimeType) {
-      return false;
-    }
-    if (identical(this, other)) {
-      return true;
-    }
-    return _deepEquals(encode(), other.encode());
-  }
-
-  @override
-  // ignore: avoid_equals_and_hash_code_on_mutable_classes
-  int get hashCode => Object.hashAll(_toList());
-}
-
-class _PigeonCodec extends StandardMessageCodec {
-  const _PigeonCodec();
-  @override
-  void writeValue(WriteBuffer buffer, Object? value) {
-    if (value is int) {
-      buffer.putUint8(4);
-      buffer.putInt64(value);
-    } else if (value is ClientCertData) {
-      buffer.putUint8(129);
-      writeValue(buffer, value.encode());
-    } else if (value is ClientCertPrompt) {
-      buffer.putUint8(130);
-      writeValue(buffer, value.encode());
-    } else {
-      super.writeValue(buffer, value);
-    }
-  }
-
-  @override
-  Object? readValueOfType(int type, ReadBuffer buffer) {
-    switch (type) {
-      case 129:
-        return ClientCertData.decode(readValue(buffer)!);
-      case 130:
-        return ClientCertPrompt.decode(readValue(buffer)!);
-      default:
-        return super.readValueOfType(type, buffer);
-    }
-  }
-}
-
-class NetworkApi {
-  /// Constructor for [NetworkApi].  The [binaryMessenger] named argument is
-  /// available for dependency injection.  If it is left null, the default
-  /// BinaryMessenger will be used which routes to the host platform.
-  NetworkApi({BinaryMessenger? binaryMessenger, String messageChannelSuffix = ''})
-    : pigeonVar_binaryMessenger = binaryMessenger,
-      pigeonVar_messageChannelSuffix = messageChannelSuffix.isNotEmpty ? '.$messageChannelSuffix' : '';
-  final BinaryMessenger? pigeonVar_binaryMessenger;
-
-  static const MessageCodec<Object?> pigeonChannelCodec = _PigeonCodec();
-
-  final String pigeonVar_messageChannelSuffix;
-
-  Future<void> addCertificate(ClientCertData clientData) async {
-    final String pigeonVar_channelName =
-        'dev.flutter.pigeon.immich_mobile.NetworkApi.addCertificate$pigeonVar_messageChannelSuffix';
-    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
-      pigeonVar_channelName,
-      pigeonChannelCodec,
-      binaryMessenger: pigeonVar_binaryMessenger,
-    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[clientData]);
-    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
-    if (pigeonVar_replyList == null) {
-      throw _createConnectionError(pigeonVar_channelName);
-    } else if (pigeonVar_replyList.length > 1) {
-      throw PlatformException(
-        code: pigeonVar_replyList[0]! as String,
-        message: pigeonVar_replyList[1] as String?,
-        details: pigeonVar_replyList[2],
-      );
-    } else {
-      return;
-    }
-  }
-
-  Future<ClientCertData> selectCertificate(ClientCertPrompt promptText) async {
-    final String pigeonVar_channelName =
-        'dev.flutter.pigeon.immich_mobile.NetworkApi.selectCertificate$pigeonVar_messageChannelSuffix';
-    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
-      pigeonVar_channelName,
-      pigeonChannelCodec,
-      binaryMessenger: pigeonVar_binaryMessenger,
-    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(<Object?>[promptText]);
-    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
-    if (pigeonVar_replyList == null) {
-      throw _createConnectionError(pigeonVar_channelName);
-    } else if (pigeonVar_replyList.length > 1) {
-      throw PlatformException(
-        code: pigeonVar_replyList[0]! as String,
-        message: pigeonVar_replyList[1] as String?,
-        details: pigeonVar_replyList[2],
-      );
-    } else if (pigeonVar_replyList[0] == null) {
-      throw PlatformException(
-        code: 'null-error',
-        message: 'Host platform returned null value for non-null return value.',
-      );
-    } else {
-      return (pigeonVar_replyList[0] as ClientCertData?)!;
-    }
-  }
-
-  Future<void> removeCertificate() async {
-    final String pigeonVar_channelName =
-        'dev.flutter.pigeon.immich_mobile.NetworkApi.removeCertificate$pigeonVar_messageChannelSuffix';
-    final BasicMessageChannel<Object?> pigeonVar_channel = BasicMessageChannel<Object?>(
-      pigeonVar_channelName,
-      pigeonChannelCodec,
-      binaryMessenger: pigeonVar_binaryMessenger,
-    );
-    final Future<Object?> pigeonVar_sendFuture = pigeonVar_channel.send(null);
-    final List<Object?>? pigeonVar_replyList = await pigeonVar_sendFuture as List<Object?>?;
-    if (pigeonVar_replyList == null) {
-      throw _createConnectionError(pigeonVar_channelName);
-    } else if (pigeonVar_replyList.length > 1) {
-      throw PlatformException(
-        code: pigeonVar_replyList[0]! as String,
-        message: pigeonVar_replyList[1] as String?,
-        details: pigeonVar_replyList[2],
-      );
-    } else {
-      return;
-    }
-  }
-}

mobile/lib/providers/infrastructure/platform.provider.dart

@@ -5,7 +5,6 @@ import 'package:immich_mobile/platform/background_worker_lock_api.g.dart';
 import 'package:immich_mobile/platform/connectivity_api.g.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
 import 'package:immich_mobile/platform/local_image_api.g.dart';
-import 'package:immich_mobile/platform/network_api.g.dart';
 import 'package:immich_mobile/platform/remote_image_api.g.dart';
 
 final backgroundWorkerFgServiceProvider = Provider((_) => BackgroundWorkerFgService(BackgroundWorkerFgHostApi()));
@@ -21,5 +20,3 @@ final connectivityApiProvider = Provider<ConnectivityApi>((_) => ConnectivityApi
 final localImageApi = LocalImageApi();
 
 final remoteImageApi = RemoteImageApi();
-
-final networkApi = NetworkApi();

mobile/lib/utils/http_ssl_options.dart

@@ -1,20 +1,26 @@
 import 'dart:io';
 
+import 'package:flutter/services.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
+import 'package:logging/logging.dart';
 
 class HttpSSLOptions {
-  static void apply() {
+  static const MethodChannel _channel = MethodChannel('immich/httpSSLOptions');
+
+  static void apply({bool applyNative = true}) {
     AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
     bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);
-    return _apply(allowSelfSignedSSLCert);
+    _apply(allowSelfSignedSSLCert, applyNative: applyNative);
   }
 
-  static void applyFromSettings(bool newValue) => _apply(newValue);
+  static void applyFromSettings(bool newValue) {
+    _apply(newValue);
+  }
 
-  static void _apply(bool allowSelfSignedSSLCert) {
+  static void _apply(bool allowSelfSignedSSLCert, {bool applyNative = true}) {
     String? serverHost;
     if (allowSelfSignedSSLCert && Store.tryGet(StoreKey.currentUser) != null) {
       serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
@@ -23,5 +29,14 @@ class HttpSSLOptions {
     SSLClientCertStoreVal? clientCert = SSLClientCertStoreVal.load();
 
     HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, clientCert);
+
+    if (applyNative && Platform.isAndroid) {
+      _channel
+          .invokeMethod("apply", [allowSelfSignedSSLCert, serverHost, clientCert?.data, clientCert?.password])
+          .onError<PlatformException>((e, _) {
+            final log = Logger("HttpSSLOptions");
+            log.severe('Failed to set SSL options', e.message);
+          });
+    }
   }
 }

mobile/lib/utils/isolate.dart

@@ -54,7 +54,7 @@ Cancelable<T?> runInIsolateGentle<T>({
         Logger log = Logger("IsolateLogger");
 
         try {
-          HttpSSLOptions.apply();
+          HttpSSLOptions.apply(applyNative: false);
           result = await computation(ref);
         } on CanceledError {
           log.warning("Computation cancelled ${debugLabel == null ? '' : ' for $debugLabel'}");

mobile/lib/utils/migration.dart

@@ -23,8 +23,6 @@ import 'package:immich_mobile/infrastructure/entities/user.entity.dart';
 import 'package:immich_mobile/infrastructure/repositories/db.repository.dart';
 import 'package:immich_mobile/infrastructure/repositories/sync_stream.repository.dart';
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
-import 'package:immich_mobile/platform/network_api.g.dart';
-import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
 import 'package:immich_mobile/services/app_settings.service.dart';
 import 'package:immich_mobile/utils/datetime_helpers.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
@@ -34,7 +32,7 @@ import 'package:isar/isar.dart';
 // ignore: import_rule_photo_manager
 import 'package:photo_manager/photo_manager.dart';
 
-const int targetVersion = 21;
+const int targetVersion = 20;
 
 Future<void> migrateDatabaseIfNeeded(Isar db, Drift drift) async {
   final hasVersion = Store.tryGet(StoreKey.version) != null;
@@ -93,13 +91,6 @@ Future<void> migrateDatabaseIfNeeded(Isar db, Drift drift) async {
     await _syncLocalAlbumIsIosSharedAlbum(drift);
   }
 
-  if (version < 21) {
-    final certData = SSLClientCertStoreVal.load();
-    if (certData != null) {
-      await networkApi.addCertificate(ClientCertData(data: certData.data, password: certData.password ?? ""));
-    }
-  }
-
   if (targetVersion >= 12) {
     await Store.put(StoreKey.version, targetVersion);
     return;

mobile/lib/widgets/settings/ssl_client_cert_settings.dart

@@ -1,13 +1,14 @@
+import 'dart:io';
+
 import 'package:easy_localization/easy_localization.dart';
+import 'package:file_picker/file_picker.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/extensions/build_context_extensions.dart';
 import 'package:immich_mobile/extensions/theme_extensions.dart';
-import 'package:immich_mobile/platform/network_api.g.dart';
-import 'package:immich_mobile/providers/infrastructure/platform.provider.dart';
+import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
 import 'package:immich_mobile/utils/http_ssl_options.dart';
-import 'package:logging/logging.dart';
 
 class SslClientCertSettings extends StatefulWidget {
   const SslClientCertSettings({super.key, required this.isLoggedIn});
@@ -19,12 +20,10 @@ class SslClientCertSettings extends StatefulWidget {
 }
 
 class _SslClientCertSettingsState extends State<SslClientCertSettings> {
-  final _log = Logger("SslClientCertSettings");
+  _SslClientCertSettingsState() : isCertExist = SSLClientCertStoreVal.load() != null;
 
   bool isCertExist;
 
-  _SslClientCertSettingsState() : isCertExist = SSLClientCertStoreVal.load() != null;
-
   @override
   Widget build(BuildContext context) {
     return ListTile(
@@ -42,12 +41,16 @@ class _SslClientCertSettingsState extends State<SslClientCertSettings> {
           const SizedBox(height: 6),
           Row(
             mainAxisSize: MainAxisSize.max,
-            mainAxisAlignment: MainAxisAlignment.spaceEvenly,
+            mainAxisAlignment: MainAxisAlignment.center,
             crossAxisAlignment: CrossAxisAlignment.center,
             children: [
-              ElevatedButton(onPressed: widget.isLoggedIn ? null : importCert, child: Text("client_cert_import".tr())),
               ElevatedButton(
-                onPressed: widget.isLoggedIn || !isCertExist ? null : removeCert,
+                onPressed: widget.isLoggedIn ? null : () => importCert(context),
+                child: Text("client_cert_import".tr()),
+              ),
+              const SizedBox(width: 15),
+              ElevatedButton(
+                onPressed: widget.isLoggedIn || !isCertExist ? null : () async => await removeCert(context),
                 child: Text("remove".tr()),
               ),
             ],
@@ -57,48 +60,71 @@ class _SslClientCertSettingsState extends State<SslClientCertSettings> {
     );
   }
 
-  void showMessage(String message) {
-    context.showSnackBar(
-      SnackBar(
-        duration: const Duration(seconds: 3),
-        content: Text(message, style: context.textTheme.bodyLarge?.copyWith(color: context.primaryColor)),
+  void showMessage(BuildContext context, String message) {
+    showDialog(
+      context: context,
+      builder: (ctx) => AlertDialog(
+        content: Text(message),
+        actions: [TextButton(onPressed: () => ctx.pop(), child: Text("client_cert_dialog_msg_confirm".tr()))],
       ),
     );
   }
 
-  Future<void> importCert() async {
-    try {
-      final styling = ClientCertPrompt(
-        title: "client_cert_password_title".tr(),
-        message: "client_cert_password_message".tr(),
-        cancel: "cancel".tr(),
-        confirm: "confirm".tr(),
-      );
-      final cert = await networkApi.selectCertificate(styling);
-      await SSLClientCertStoreVal(cert.data, cert.password).save();
-      HttpSSLOptions.apply();
-      setState(() => isCertExist = true);
-      showMessage("client_cert_import_success_msg".tr());
-    } catch (e) {
-      if (_isCancellation(e)) return;
-      _log.severe("Error importing client cert", e);
-      showMessage("client_cert_invalid_msg".tr());
+  Future<void> storeCert(BuildContext context, Uint8List data, String? password) async {
+    if (password != null && password.isEmpty) {
+      password = null;
+    }
+    final cert = SSLClientCertStoreVal(data, password);
+    // Test whether the certificate is valid
+    final isCertValid = HttpSSLCertOverride.setClientCert(SecurityContext(withTrustedRoots: true), cert);
+    if (!isCertValid) {
+      showMessage(context, "client_cert_invalid_msg".tr());
+      return;
+    }
+    await cert.save();
+    HttpSSLOptions.apply();
+    setState(() => isCertExist = true);
+    showMessage(context, "client_cert_import_success_msg".tr());
+  }
+
+  void setPassword(BuildContext context, Uint8List data) {
+    final password = TextEditingController();
+    showDialog(
+      context: context,
+      barrierDismissible: false,
+      builder: (ctx) => AlertDialog(
+        content: TextField(
+          controller: password,
+          obscureText: true,
+          obscuringCharacter: "*",
+          decoration: InputDecoration(hintText: "client_cert_enter_password".tr()),
+        ),
+        actions: [
+          TextButton(
+            onPressed: () async => {ctx.pop(), await storeCert(context, data, password.text)},
+            child: Text("client_cert_dialog_msg_confirm".tr()),
+          ),
+        ],
+      ),
+    );
+  }
+
+  Future<void> importCert(BuildContext ctx) async {
+    FilePickerResult? res = await FilePicker.platform.pickFiles(
+      type: FileType.custom,
+      allowedExtensions: ['p12', 'pfx'],
+    );
+    if (res != null) {
+      File file = File(res.files.single.path!);
+      final bytes = await file.readAsBytes();
+      setPassword(ctx, bytes);
     }
   }
 
-  Future<void> removeCert() async {
-    try {
-      await networkApi.removeCertificate();
-      await SSLClientCertStoreVal.delete();
-      HttpSSLOptions.apply();
-      setState(() => isCertExist = false);
-      showMessage("client_cert_remove_msg".tr());
-    } catch (e) {
-      if (_isCancellation(e)) return;
-      _log.severe("Error removing client cert", e);
-      showMessage("client_cert_invalid_msg".tr());
-    }
+  Future<void> removeCert(BuildContext context) async {
+    await SSLClientCertStoreVal.delete();
+    HttpSSLOptions.apply();
+    setState(() => isCertExist = false);
+    showMessage(context, "client_cert_remove_msg".tr());
   }
-
-  bool _isCancellation(Object e) => e is PlatformException && e.code.toLowerCase().contains("cancel");
 }

mobile/makefile

@@ -12,14 +12,12 @@ pigeon:
 	dart run pigeon --input pigeon/background_worker_api.dart
 	dart run pigeon --input pigeon/background_worker_lock_api.dart
 	dart run pigeon --input pigeon/connectivity_api.dart
-	dart run pigeon --input pigeon/network_api.dart
 	dart format lib/platform/native_sync_api.g.dart
 	dart format lib/platform/local_image_api.g.dart
 	dart format lib/platform/remote_image_api.g.dart
 	dart format lib/platform/background_worker_api.g.dart
 	dart format lib/platform/background_worker_lock_api.g.dart
 	dart format lib/platform/connectivity_api.g.dart
-	dart format lib/platform/network_api.g.dart
 
 watch:
 	dart run build_runner watch --delete-conflicting-outputs

mobile/openapi/README.md

@@ -3,7 +3,7 @@ Immich API
 
 This Dart package is automatically generated by the [OpenAPI Generator](https://openapi-generator.tech) project:
 
-- API version: 2.5.2
+- API version: 2.5.3
 - Generator version: 7.8.0
 - Build package: org.openapitools.codegen.languages.DartClientCodegen
 

mobile/pigeon/network_api.dart

@@ -1,41 +0,0 @@
-import 'package:pigeon/pigeon.dart';
-
-class ClientCertData {
-  Uint8List data;
-  String password;
-
-  ClientCertData(this.data, this.password);
-}
-
-class ClientCertPrompt {
-  String title;
-  String message;
-  String cancel;
-  String confirm;
-
-  ClientCertPrompt(this.title, this.message, this.cancel, this.confirm);
-}
-
-@ConfigurePigeon(
-  PigeonOptions(
-    dartOut: 'lib/platform/network_api.g.dart',
-    swiftOut: 'ios/Runner/Core/Network.g.swift',
-    swiftOptions: SwiftOptions(includeErrorClass: false),
-    kotlinOut:
-        'android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt',
-    kotlinOptions: KotlinOptions(package: 'app.alextran.immich.core', includeErrorClass: true),
-    dartOptions: DartOptions(),
-    dartPackageName: 'immich_mobile',
-  ),
-)
-@HostApi()
-abstract class NetworkApi {
-  @async
-  void addCertificate(ClientCertData clientData);
-
-  @async
-  ClientCertData selectCertificate(ClientCertPrompt promptText);
-
-  @async
-  void removeCertificate();
-}

mobile/pubspec.lock

@@ -538,6 +538,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "7.0.1"
+  file_picker:
+    dependency: "direct main"
+    description:
+      name: file_picker
+      sha256: ab13ae8ef5580a411c458d6207b6774a6c237d77ac37011b13994879f68a8810
+      url: "https://pub.dev"
+    source: hosted
+    version: "8.3.7"
   file_selector_linux:
     dependency: transitive
     description:
@@ -1241,10 +1249,10 @@ packages:
     dependency: transitive
     description:
       name: meta
-      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
+      sha256: e3641ec5d63ebf0d9b41bd43201a66e3fc79a65db5f61fc181f04cd27aab950c
       url: "https://pub.dev"
     source: hosted
-    version: "1.17.0"
+    version: "1.16.0"
   mime:
     dependency: transitive
     description:
@@ -1934,10 +1942,10 @@ packages:
     dependency: transitive
     description:
       name: test_api
-      sha256: ab2726c1a94d3176a45960b6234466ec367179b87dd74f1611adb1f3b5fb9d55
+      sha256: "522f00f556e73044315fa4585ec3270f1808a4b186c936e612cab0b565ff1e00"
       url: "https://pub.dev"
     source: hosted
-    version: "0.7.7"
+    version: "0.7.6"
   thumbhash:
     dependency: "direct main"
     description:

mobile/pubspec.yaml

@@ -2,7 +2,7 @@ name: immich_mobile
 description: Immich - selfhosted backup media file on mobile phone
 
 publish_to: 'none'
-version: 2.5.2+3033
+version: 2.5.3+3034
 
 environment:
   sdk: '>=3.8.0 <4.0.0'
@@ -26,6 +26,7 @@ dependencies:
   dynamic_color: ^1.8.1
   easy_localization: ^3.0.8
   ffi: ^2.1.4
+  file_picker: ^8.0.0+1
   flutter:
     sdk: flutter
   flutter_cache_manager: ^3.4.1

open-api/immich-openapi-specs.json

@@ -15057,7 +15057,7 @@
   "info": {
     "title": "Immich",
     "description": "Immich API",
-    "version": "2.5.2",
+    "version": "2.5.3",
     "contact": {}
   },
   "tags": [

open-api/typescript-sdk/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@immich/sdk",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "Auto-generated TypeScript SDK for the Immich API",
   "type": "module",
   "main": "./build/index.js",

open-api/typescript-sdk/src/fetch-client.ts

@@ -1,6 +1,6 @@
 /**
  * Immich
- * 2.5.2
+ * 2.5.3
  * DO NOT MODIFY - This file has been generated using oazapfts.
  * See https://www.npmjs.com/package/oazapfts
  */

package.json

@@ -1,6 +1,6 @@
 {
   "name": "immich-monorepo",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "Monorepo for Immich",
   "private": true,
   "packageManager": "pnpm@10.28.0+sha512.05df71d1421f21399e053fde567cea34d446fa02c76571441bfc1c7956e98e363088982d940465fd34480d4d90a0668bc12362f8aa88000a64e83d0b0e47be48",

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "immich",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "",
   "author": "",
   "private": true,

web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "immich-web",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "license": "GNU Affero General Public License version 3",
   "type": "module",
   "scripts": {

web/src/lib/components/memory-page/memory-viewer.svelte

@@ -68,7 +68,11 @@
   let currentMemoryAssetFull = $derived.by(async () =>
     current?.asset ? await getAssetInfo({ ...authManager.params, id: current.asset.id }) : undefined,
   );
-  let currentTimelineAssets = $derived(current?.memory.assets || []);
+  let currentTimelineAssets = $derived([
+    ...(current?.previousMemory?.assets ?? []),
+    ...(current?.memory.assets ?? []),
+    ...(current?.nextMemory?.assets ?? []),
+  ]);
 
   let isSaved = $derived(current?.memory.isSaved);
   let viewerHeight = $state(0);

web/src/lib/components/user-settings-page/PinCodeChangeForm.svelte

@@ -5,7 +5,6 @@
   import { changePinCode } from '@immich/sdk';
   import { Button, Heading, modalManager, Text, toastManager } from '@immich/ui';
   import { t } from 'svelte-i18n';
-  import { fade } from 'svelte/transition';
 
   let currentPinCode = $state('');
   let newPinCode = $state('');
@@ -38,27 +37,23 @@
   };
 </script>
 
-<section class="my-4">
-  <div in:fade={{ duration: 200 }}>
-    <form autocomplete="off" onsubmit={handleSubmit} class="mt-6">
-      <div class="flex flex-col gap-6 place-items-center place-content-center">
-        <Heading>{$t('change_pin_code')}</Heading>
-        <PinCodeInput label={$t('current_pin_code')} bind:value={currentPinCode} tabindexStart={1} pinLength={6} />
-        <PinCodeInput label={$t('new_pin_code')} bind:value={newPinCode} tabindexStart={7} pinLength={6} />
-        <PinCodeInput label={$t('confirm_new_pin_code')} bind:value={confirmPinCode} tabindexStart={13} pinLength={6} />
-        <button type="button" onclick={() => modalManager.show(PinCodeResetModal, {})}>
-          <Text color="muted" class="underline" size="small">{$t('forgot_pin_code_question')}</Text>
-        </button>
-      </div>
-
-      <div class="flex justify-end gap-2 mt-4">
-        <Button shape="round" color="secondary" type="button" size="small" onclick={resetForm}>
-          {$t('clear')}
-        </Button>
-        <Button shape="round" type="submit" size="small" loading={isLoading} disabled={!canSubmit}>
-          {$t('save')}
-        </Button>
-      </div>
-    </form>
+<form autocomplete="off" onsubmit={handleSubmit}>
+  <div class="flex flex-col gap-6 place-items-center place-content-center">
+    <Heading>{$t('change_pin_code')}</Heading>
+    <PinCodeInput label={$t('current_pin_code')} bind:value={currentPinCode} tabindexStart={1} pinLength={6} />
+    <PinCodeInput label={$t('new_pin_code')} bind:value={newPinCode} tabindexStart={7} pinLength={6} />
+    <PinCodeInput label={$t('confirm_new_pin_code')} bind:value={confirmPinCode} tabindexStart={13} pinLength={6} />
+    <button type="button" onclick={() => modalManager.show(PinCodeResetModal, {})}>
+      <Text color="muted" class="underline" size="small">{$t('forgot_pin_code_question')}</Text>
+    </button>
   </div>
-</section>
+
+  <div class="flex justify-end gap-2 mt-4">
+    <Button shape="round" color="secondary" type="button" size="small" onclick={resetForm}>
+      {$t('clear')}
+    </Button>
+    <Button shape="round" type="submit" size="small" loading={isLoading} disabled={!canSubmit}>
+      {$t('save')}
+    </Button>
+  </div>
+</form>

web/src/lib/components/user-settings-page/PinCodeSettings.svelte

@@ -20,7 +20,7 @@
 
 <OnEvents {onUserPinCodeReset} />
 
-<section>
+<section class="my-4 sm:ms-8">
   {#if hasPinCode}
     <div in:fade={{ duration: 200 }}>
       <PinCodeChangeForm />

web/src/lib/components/user-settings-page/app-settings.svelte

@@ -59,7 +59,7 @@
 
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
-    <div class="ms-8 mt-4 flex flex-col gap-6">
+    <div class="sm:ms-8 flex flex-col gap-6">
       <Field label={$t('theme_selection')} description={$t('theme_selection_description')}>
         <Switch checked={themeManager.theme.system} onCheckedChange={(checked) => themeManager.setSystem(checked)} />
       </Field>

web/src/lib/components/user-settings-page/change-password-settings.svelte

@@ -23,7 +23,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col gap-4">
+      <div class="sm:ms-8 flex flex-col gap-4">
         <Field label={$t('password')} required>
           <PasswordInput bind:value={password} autocomplete="current-password" />
         </Field>

web/src/lib/components/user-settings-page/device-list.svelte

@@ -3,6 +3,7 @@
   import { deleteAllSessions, deleteSession, getSessions, type SessionResponseDto } from '@immich/sdk';
   import { Button, modalManager, Text, toastManager } from '@immich/ui';
   import { t } from 'svelte-i18n';
+  import { fade } from 'svelte/transition';
   import DeviceCard from './device-card.svelte';
 
   interface Props {
@@ -50,33 +51,39 @@
 </script>
 
 <section class="my-4">
-  {#if currentSession}
-    <div class="mb-6">
-      <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
-        {$t('current_device')}
-      </Text>
-      <DeviceCard session={currentSession} />
-    </div>
-  {/if}
-  {#if otherSessions.length > 0}
-    <div class="mb-6">
-      <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
-        {$t('other_devices')}
-      </Text>
-      {#each otherSessions as session, index (session.id)}
-        <DeviceCard {session} onDelete={() => handleDelete(session)} />
-        {#if index !== otherSessions.length - 1}
-          <hr class="my-3" />
-        {/if}
-      {/each}
-    </div>
+  <div in:fade={{ duration: 500 }}>
+    <div class="sm:ms-8 flex flex-col gap-4">
+      {#if currentSession}
+        <div class="mb-6">
+          <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
+            {$t('current_device')}
+          </Text>
+          <DeviceCard session={currentSession} />
+        </div>
+      {/if}
+      {#if otherSessions.length > 0}
+        <div class="mb-6">
+          <Text class="mb-2" fontWeight="medium" size="tiny" color="primary">
+            {$t('other_devices')}
+          </Text>
+          {#each otherSessions as session, index (session.id)}
+            <DeviceCard {session} onDelete={() => handleDelete(session)} />
+            {#if index !== otherSessions.length - 1}
+              <hr class="my-3" />
+            {/if}
+          {/each}
+        </div>
 
-    <div class="my-3">
-      <hr />
-    </div>
+        <div class="my-3">
+          <hr />
+        </div>
 
-    <div class="flex justify-end">
-      <Button shape="round" color="danger" size="small" onclick={handleDeleteAll}>{$t('log_out_all_devices')}</Button>
+        <div class="flex justify-end">
+          <Button shape="round" color="danger" size="small" onclick={handleDeleteAll}
+            >{$t('log_out_all_devices')}</Button
+          >
+        </div>
+      {/if}
     </div>
-  {/if}
+  </div>
 </section>

web/src/lib/components/user-settings-page/download-settings.svelte

@@ -39,7 +39,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col gap-4">
+      <div class="sm:ms-8 flex flex-col gap-4">
         <SettingInputField
           inputType={SettingInputFieldType.NUMBER}
           label={$t('archive_size')}

web/src/lib/components/user-settings-page/feature-settings.svelte

@@ -67,9 +67,9 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col">
+      <div class="sm:ms-4 md:ms-8 flex flex-col">
         <SettingAccordion key="albums" title={$t('albums')} subtitle={$t('albums_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('albums_default_sort_order')} description={$t('albums_default_sort_order_description')}>
               <Select
                 options={[
@@ -83,7 +83,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="folders" title={$t('folders')} subtitle={$t('folders_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={foldersEnabled} />
             </Field>
@@ -97,7 +97,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="memories" title={$t('time_based_memories')} subtitle={$t('photos_from_previous_years')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={memoriesEnabled} />
             </Field>
@@ -109,7 +109,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="people" title={$t('people')} subtitle={$t('people_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={peopleEnabled} />
             </Field>
@@ -123,7 +123,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="rating" title={$t('rating')} subtitle={$t('rating_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={ratingsEnabled} />
             </Field>
@@ -131,7 +131,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="shared-links" title={$t('shared_links')} subtitle={$t('shared_links_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={sharedLinksEnabled} />
             </Field>
@@ -145,7 +145,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="tags" title={$t('tags')} subtitle={$t('tag_feature_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('enable')}>
               <Switch bind:checked={tagsEnabled} />
             </Field>
@@ -159,7 +159,7 @@
         </SettingAccordion>
 
         <SettingAccordion key="cast" title={$t('cast')} subtitle={$t('cast_description')}>
-          <div class="ms-4 mt-6 flex flex-col gap-4">
+          <div class="sm:ms-4 mt-4 flex flex-col gap-4">
             <Field label={$t('gcast_enabled')} description={$t('gcast_enabled_description')}>
               <Switch bind:checked={gCastEnabled} />
             </Field>

web/src/lib/components/user-settings-page/notifications-settings.svelte

@@ -42,7 +42,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" {onsubmit}>
-      <div class="ms-4 mt-4 flex flex-col gap-6">
+      <div class="sm:ms-8 flex flex-col gap-6">
         <Field label={$t('enable')} description={$t('notification_toggle_setting_description')}>
           <Switch bind:checked={emailNotificationsEnabled} />
         </Field>

web/src/lib/components/user-settings-page/oauth-settings.svelte

@@ -45,7 +45,7 @@
 
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
-    <div class="flex justify-end">
+    <div class="sm:ms-8 flex justify-end">
       {#if loading}
         <div class="flex place-content-center place-items-center">
           <LoadingSpinner />

web/src/lib/components/user-settings-page/user-api-key-list.svelte

@@ -33,7 +33,7 @@
 <OnEvents {onApiKeyCreate} {onApiKeyUpdate} {onApiKeyDelete} />
 
 <section class="my-4">
-  <div class="flex flex-col gap-2" in:fade={{ duration: 500 }}>
+  <div class="sm:ms-8 flex flex-col gap-2" in:fade={{ duration: 500 }}>
     <div class="mb-2 flex justify-end">
       <Button leadingIcon={Create.icon} shape="round" size="small" onclick={() => Create.onAction(Create)}>
         {Create.title}

web/src/lib/components/user-settings-page/user-profile-settings.svelte

@@ -33,7 +33,7 @@
 <section class="my-4">
   <div in:fade={{ duration: 500 }}>
     <form autocomplete="off" onsubmit={preventDefault(bubble('submit'))}>
-      <div class="ms-4 mt-4 flex flex-col gap-4">
+      <div class="sm:ms-8 flex flex-col gap-4">
         <Field label={$t('user_id')} disabled>
           <Input bind:value={editedUser.id} />
         </Field>

web/src/lib/components/user-settings-page/user-purchase-settings.svelte

@@ -105,7 +105,7 @@
 </script>
 
 <section class="my-4">
-  <div in:fade={{ duration: 500 }}>
+  <div class="sm:ms-8" in:fade={{ duration: 500 }}>
     {#if $isPurchased}
       <!-- BADGE TOGGLE -->
       <div class="mb-4">

web/src/lib/components/user-settings-page/user-usage-statistic.svelte

@@ -65,7 +65,7 @@
   </TableRow>
 {/snippet}
 
-<section class="my-6 w-full">
+<section class="my-4 w-full">
   <Heading size="tiny">{$t('photos_and_videos')}</Heading>
   <Table striped spacing="small" class="mt-4" size="small">
     <TableHeader>