This release adds password reset via email, and reworks email verification to use durable, link-based magic links (replacing the old in-memory 6-digit codes). Email stays optional at signup; a user can reset their password only once they have a verified "primary" (recovery) email.
All of this work is probably not useful for self-hosters, but it hopefully will be useful for me, since I do have to reset accounts on a regular basis.
Security issues:
- Generate access tokens, IDs, and magic-link tokens with a cryptographically secure RNG (`crypto/rand`) instead of a clock-seeded PRNG
Features:
- Add password reset via emailed magic link, with a "Forgot password" link on the login page and a `ntfy user reset-pass` CLI command for admins
- Rework email verification to use durable, single-use, expiring magic links instead of in-memory 6-digit codes, and add a "primary" email (used for account recovery and as the `X-Email: yes` target) with verified/unverified state in the account UI
- You can now clear/read and delete messages with a GET request (#1771, thanks to @lemmi for reporting and to @wunter8 for implementing)
- Add a reload button to the web app's action bar when running as an installed PWA, which clears the service worker caches and hard-refreshes the app
- Add a "Back to app" link to the web app's login, signup, and password-reset pages (alongside the existing links), which previously had no way back to the app
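As an added illustration of the two security-relevant items above (this is example code written for these notes, not ntfy's own implementation), the sketch below shows why a clock-seeded `math/rand` token is replayable, generates tokens from `crypto/rand` instead, and keeps a magic-link store that is single-use and expiring and holds only a SHA-256 hash of each token. The names `MagicLinkStore`, `Issue`, `Redeem` and the 15-minute TTL are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	mrand "math/rand"
	"sync"
	"time"
)

// ErrInvalidToken covers unknown, already-used and expired tokens alike, so a
// response never tells a guesser which of the three states a token is in.
var ErrInvalidToken = errors.New("invalid or expired token")

// clockSeededToken reproduces the weak "before" pattern: math/rand seeded from
// a timestamp. Anyone who knows roughly when a token was issued can brute-force
// the seed and regenerate it. Illustration only, not ntfy's code.
func clockSeededToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	r.Read(b) // Rand.Read on a seeded source is deterministic and never errors
	return base64.RawURLEncoding.EncodeToString(b)
}

// newToken draws n bytes from the OS CSPRNG and encodes them URL-safe, so the
// token can go into a link path or query string without escaping.
func newToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// hashToken is the only form that gets stored: a leaked copy of the store then
// yields no redeemable tokens, and the map lookup is keyed by hash rather than
// by the secret itself.
func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

type entry struct {
	userID  string
	expires time.Time
}

// MagicLinkStore issues single-use, expiring tokens (password reset, email
// verification). The clock is injected so expiry is testable.
type MagicLinkStore struct {
	mu   sync.Mutex
	now  func() time.Time
	toks map[string]entry // keyed by hashToken(token)
}

func NewMagicLinkStore(now func() time.Time) *MagicLinkStore {
	return &MagicLinkStore{now: now, toks: map[string]entry{}}
}

// Issue mints a token for userID valid for ttl. The plaintext is returned
// exactly once, for embedding in the emailed link; only its hash is kept.
func (s *MagicLinkStore) Issue(userID string, ttl time.Duration) (string, error) {
	tok, err := newToken(32) // 256 bits: not guessable online or offline
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.toks[hashToken(tok)] = entry{userID: userID, expires: s.now().Add(ttl)}
	return tok, nil
}

// Redeem validates tok and consumes it: a second Redeem of the same token
// fails, as does any Redeem at or after the expiry time.
func (s *MagicLinkStore) Redeem(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	h := hashToken(tok)
	e, ok := s.toks[h]
	if !ok {
		return "", ErrInvalidToken
	}
	delete(s.toks, h) // single use: consumed even if it turns out to be expired
	if !s.now().Before(e.expires) {
		return "", ErrInvalidToken
	}
	return e.userID, nil
}

func main() {
	// Same seed, same "random" token: the property that made the old PRNG unsafe.
	fmt.Println(clockSeededToken(1700000000, 16) == clockSeededToken(1700000000, 16))

	now := time.Now()
	store := NewMagicLinkStore(func() time.Time { return now })
	tok, _ := store.Issue("alice", 15*time.Minute)
	fmt.Println(store.Redeem(tok)) // alice <nil>
	fmt.Println(store.Redeem(tok)) // "" invalid or expired token
}
```

Deleting the entry before the expiry check means an expired token is also gone on first contact, and returning one sentinel error for every failure keeps the reset endpoint from acting as an oracle on which tokens exist.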
Bug fixes + maintenance:
- `X-Email: yes` (also `true`/`1`) now sends to your primary verified email regardless of the `smtp-sender-verify` setting (previously it was rejected unless verification was enabled); it requires being logged in with a verified address
- Grant users full access to their own sync topic (`st_...`) so cross-device subscription sync works under `auth-default-access: deny-all` (#733, #1795, thanks to @lmorchard for the contribution)
- Support HTTP (non-TLS) S3-compatible endpoints by preserving the endpoint scheme, e.g. for a local MinIO instance (#1794, #1734, thanks to @sskender for the contribution, and @Kernald for reporting)
- Stop silently stripping spaces from passwords while typing in the web app's login, signup, and password-reset forms (#1246, thanks to @aldem for reporting)
- Update web app dependencies, including major-version upgrades to Vite (6 -> 8, now Rolldown-based), Material UI (5 -> 9), and Dexie (3 -> 4) (#1800, #1764, #1767, #1762, #1766, #1765, thanks Dependabot)
- Play notification sounds in the web app even when the Notification API is unavailable, e.g. over plain HTTP or in browsers without notification support (#1772, thanks to @mitya12342 for the contribution)
- Stop escaping `<`, `>`, and `&` as `\u003c`/`\u003e`/`\u0026` in JSON responses (#1511, #1512, thanks to @wunter8 for the contribution)
- Fix the web app navbar not reflecting a topic reservation (lock icon, and "Reserve topic" -> "Change reservation"/"Remove reservation" menu) until a page reload, by persisting reservation and display-name changes onto already-subscribed topics during account sync
- Reduce the web app's initial bundle size by ~300 KB (~50 KB gzipped) by lazy-loading the emoji picker dataset and the Markdown renderer, and by importing Material UI icons individually