[1.28.0]
Update ntfy to 2.25.0
Full Changelog
Generate access tokens, IDs, and magic-link tokens with a cryptographically secure RNG (crypto/rand) instead of a clock-seeded PRNG
Add password reset via emailed magic link, with a "Forgot password" link on the login page and a ntfy user reset-pass CLI command for admins
Rework email verification to use durable, single-use, expiring magic links instead of in-memory 6-digit codes, and add a "primary" email (used for account recovery and as the X-Email: yes target) with verified/unverified state in the account UI
You can now clear/read messages and delete messages with a GET request (#1771, thanks to @lemmi for reporting and to @wunter8 for implementing)
Add a reload button to the web app's action bar when running as an installed PWA, which clears the service worker caches and hard-refreshes the app
X-Email: yes (also true/1) now sends to your primary verified email regardless of the smtp-sender-verify setting (previously it was rejected unless verification was enabled); it requires being logged in with a verified address
Grant users full access to their own sync topic (st_...) so cross-device subscription sync works under auth-default-access: deny-all (#733, #1795, thanks to @lmorchard for the contribution)
Support HTTP (non-TLS) S3-compatible endpoints by preserving the endpoint scheme, e.g. for a local MinIO instance (#1794, #1734, thanks to @sskender for the contribution, and @Kernald for reporting)
Stop silently stripping spaces from passwords while typing in the web app's login, signup, and password-reset forms (#1246, thanks to @aldem for reporting)
Stop escaping <, >, and & as \u003c/\u003e/\u0026 in JSON responses (#1511, #1512, thanks to @wunter8 for the contribution)