✨ New Features
Sign in with a passkey (#955)
Thesis Management now supports passkey sign-in as an alternative to passwords. Instead of typing a username and password, you can authenticate with your device's built-in security: Face ID, Touch ID, Windows Hello, or a hardware security key.
What's new for you:
- A new login dialog lets you choose between Passkey and password sign-in, and the header now has a dedicated Passkey button.
- A gentle one-time prompt invites eligible users to set up a passkey after signing in. You can dismiss it with Maybe later or Never ask again.
- A new "Passkeys" section in Account Settings, where you can register new passkeys, see the ones you already have, and remove them at any time.
Passwords continue to work exactly as before, so using passkeys is entirely optional.
For operators: passkey behaviour is configured via the new PASSKEY_RP_ID, PASSKEY_RP_NAME, and PASSKEY_PROMPT_APPS environment variables (documented in the README); the defaults work out of the box.
Topics past their application deadline are now clearly marked "Expired" (#1089)
Previously a topic whose application deadline had already passed could still show up in the open topics list with an Apply button, only to reject the application on submit. This is now handled cleanly:
- Expired topics are hidden from the open topic listings, topic counts, and interview topic selection, so students only see topics they can actually apply to.
- The Apply button appears only for genuinely open topics — across the landing page, the topic detail page, topic cards, and the application flow. Draft and closed topics no longer show Apply either.
- On the Manage Topics page, expired topics carry an orange Expired badge, and supervisors can still open and edit them — for example to extend the deadline and bring a topic back to life.
- Automatic reject reminders keep working for applications that belong to expired topics.
A topic's "Expired" status is derived on the fly from its deadline, so no manual action or background job is involved.
🛠️ Development & Infrastructure
These changes are internal and have no visible effect on end users. They keep Thesis Management secure, maintainable, and easier to operate.
- Security: all known dependency vulnerabilities resolved. This release closes every open Dependabot alert by updating the affected libraries — DOMPurify 3.4.11, undici 7.28.0, http-proxy-middleware 4.1.1, and serialize-javascript 7.0.6 (#1120, #1122, #1124). These are build- and test-time dependencies with no production exposure, but they are kept current as a matter of hygiene.
- Codebase reorganized into feature modules (#1095): the server, web app, and tests were restructured from a layer-based layout (everything grouped by kind — controllers, services, entities, …) into feature-based packages (topic, application, thesis, interview, presentation, …). This is a purely structural, behaviour-preserving change that makes the code easier to navigate and maintain.
- Code style now enforced in CI (#1125): the server's Checkstyle rules now run on every build, and a few pre-existing style issues were cleaned up.
- Dependency & toolchain updates:
- Operational tweaks: the PostgreSQL image version is now set in one place via the
POSTGRES_IMAGE_TAGvariable (#1104), the Mailpit image was bumped to 1.30.2 (#1105), a supply-chain "cooldown" (minimumReleaseAge) was configured for Renovate (#1115), and the SBOM refresh workflow was fixed.
Full Changelog
v4.11.0...v4.11.1