From 0b2303db3e993079509c269605071fbcd611370e Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Fri, 16 Jan 2026 16:25:28 +0100
Subject: [PATCH 01/27] Update copyright year in README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fa4d8be2..15aec9d2 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ It is the engine that powers a.o. [ShinyProxy](https://shinyproxy.io) but can be
 
 Learn more at <https://shinyproxy.io/> (in progress)
 
-**(c) Copyright Open Analytics NV, 2017-2025 - Apache License 2.0**
+**(c) Copyright Open Analytics NV, 2017-2026 - Apache License 2.0**
 
 ## Building from source
 

From 9b17969589ed9b4e9ab9e6f96888ad4610b8651a Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 20 Jan 2026 10:01:34 +0100
Subject: [PATCH 02/27] Fix #36069: send (updated) OpenID tokens as headers

---
 pom.xml                                       |  2 +-
 .../impl/OpenIDAuthenticationBackend.java     | 63 ++++++++++++++++++-
 .../runtime/runtimevalues/HttpHeaders.java    |  6 +-
 .../util/ProxyMappingManager.java             |  2 +-
 4 files changed, 66 insertions(+), 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index c9a76c4d..bb363814 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
 
     <groupId>eu.openanalytics</groupId>
     <artifactId>containerproxy</artifactId>
-    <version>1.2.3</version>
+    <version>1.3.0-SNAPSHOT</version>
     <name>ContainerProxy</name>
     <packaging>jar</packaging>
     <inceptionYear>2016</inceptionYear>
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
index 558a46fe..45b93994 100644
--- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
+++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
@@ -24,9 +24,12 @@
 import eu.openanalytics.containerproxy.auth.impl.msgraph.MicrosoftGraphGroupFetcher;
 import eu.openanalytics.containerproxy.auth.impl.oidc.AccessTokenDecoder;
 import eu.openanalytics.containerproxy.auth.impl.oidc.OpenIdReAuthorizeFilter;
+import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import eu.openanalytics.containerproxy.util.ContextPathHelper;
+import io.undertow.util.HeaderMap;
+import io.undertow.util.HttpString;
 import net.minidev.json.JSONArray;
 import net.minidev.json.parser.JSONParser;
 import net.minidev.json.parser.ParseException;
@@ -41,6 +44,7 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
@@ -50,9 +54,11 @@
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.StandardClaimAccessor;
@@ -83,11 +89,22 @@ public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
     public static final String NAME = "openid";
 
     private static final String ENV_TOKEN_NAME = "SHINYPROXY_OIDC_ACCESS_TOKEN";
+    private static final String PROP_SEND_ACCESS_TOKEN_HEADER = "proxy.openid.add-access-token-header";
+    private static final String PROP_SEND_REFRESH_TOKEN_HEADER = "proxy.openid.add-refresh-token-header";
+    private static final String PROP_SEND_ID_TOKEN_HEADER = "proxy.openid.add-id-token-header";
+    private static final HttpString HEADER_ACCESS_TOKEN_NAME = new HttpString("X-SP-OpenId-Access-Token");
+    private static final HttpString HEADER_REFRESH_TOKEN_NAME = new HttpString("X-SP-OpenId-Refresh-Token");
+    private static final HttpString HEADER_ID_TOKEN_NAME = new HttpString("X-SP-OpenId-Id-Token");
+
     private static OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
     private static AccessTokenDecoder accessTokenDecoder;
     private static final Logger log = LogManager.getLogger(OpenIDAuthenticationBackend.class);
-    @Inject
-    private Environment environment;
+
+    private static Boolean sendAccessTokenHeader = false;
+    private static Boolean sendRefreshTokenHeader = false;
+    private static Boolean sendIdTokenHeader = false;
+    private static Environment environment;
+
     @Inject
     private ClientRegistrationRepository clientRegistrationRepo;
     @Inject
@@ -180,7 +197,7 @@ public Set<GrantedAuthority> parseClaims(StandardClaimAccessor standardClaimAcce
         return mappedAuthorities;
     }
 
-    private static OAuth2AuthorizedClient refreshClient(String principalName) {
+    public static OAuth2AuthorizedClient refreshClient(String principalName) {
         return oAuth2AuthorizedClientService.loadAuthorizedClient(REG_ID, principalName);
     }
 
@@ -194,6 +211,14 @@ public void setOAuth2AuthorizedClientService(OAuth2AuthorizedClientService oAuth
         OpenIDAuthenticationBackend.oAuth2AuthorizedClientService = oAuth2AuthorizedClientService;
     }
 
+    @Autowired
+    public void setEnvironment(Environment environment) {
+        OpenIDAuthenticationBackend.environment = environment;
+        OpenIDAuthenticationBackend.sendAccessTokenHeader = environment.getProperty(PROP_SEND_ACCESS_TOKEN_HEADER, Boolean.class, false);
+        OpenIDAuthenticationBackend.sendRefreshTokenHeader = environment.getProperty(PROP_SEND_REFRESH_TOKEN_HEADER, Boolean.class, false);
+        OpenIDAuthenticationBackend.sendIdTokenHeader = environment.getProperty(PROP_SEND_ID_TOKEN_HEADER, Boolean.class, false);
+    }
+
     @Override
     public String getName() {
         return NAME;
@@ -350,6 +375,38 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         };
     }
 
+    public static HeaderMap addHeaders(Proxy proxy) {
+        HeaderMap result = new HeaderMap();
+        if (sendAccessTokenHeader || sendRefreshTokenHeader) {
+            OAuth2AuthorizedClient client = refreshClient(proxy.getUserId());
+            if (client != null) {
+                if (sendAccessTokenHeader) {
+                    OAuth2AccessToken accessToken = client.getAccessToken();
+                    if (accessToken != null) {
+                        result.put(HEADER_ACCESS_TOKEN_NAME, accessToken.getTokenValue());
+                    }
+                }
+                if (sendRefreshTokenHeader) {
+                    OAuth2RefreshToken refreshToken = client.getRefreshToken();
+                    if (refreshToken != null) {
+                        result.put(HEADER_REFRESH_TOKEN_NAME, refreshToken.getTokenValue());
+                    }
+                }
+            }
+        }
+        if (sendIdTokenHeader) {
+            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+            if (auth.getPrincipal() instanceof CustomNameOidcUser) {
+                OidcIdToken idToken = ((CustomNameOidcUser) auth.getPrincipal()).getIdToken();
+                if (idToken != null) {
+                    result.put(HEADER_ID_TOKEN_NAME, idToken.getTokenValue());
+                }
+            }
+        }
+
+        return result;
+    }
+
     public static class CustomNameOidcUser extends DefaultOidcUser {
 
         private static final long serialVersionUID = 7563253562760236634L;
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java
index 5320b4ca..d4df7e9c 100644
--- a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java
+++ b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java
@@ -22,12 +22,13 @@
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonValue;
+import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
+import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import io.undertow.util.HeaderMap;
 import io.undertow.util.HttpString;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.nio.charset.CharsetEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
@@ -53,7 +54,8 @@ public HttpHeaders(Map<String, String> headers) {
         this.headers = filteredHeaders;
     }
 
-    public HeaderMap getUndertowHeaderMap() {
+    public HeaderMap getUndertowHeaderMap(Proxy proxy) {
+        undertowHeaderMap.putAll(OpenIDAuthenticationBackend.addHeaders(proxy));
         return undertowHeaderMap;
     }
 
diff --git a/src/main/java/eu/openanalytics/containerproxy/util/ProxyMappingManager.java b/src/main/java/eu/openanalytics/containerproxy/util/ProxyMappingManager.java
index 888058b8..4a13553a 100644
--- a/src/main/java/eu/openanalytics/containerproxy/util/ProxyMappingManager.java
+++ b/src/main/java/eu/openanalytics/containerproxy/util/ProxyMappingManager.java
@@ -258,7 +258,7 @@ public void dispatchAsync(Proxy proxy, String mapping, HttpServletRequest reques
 
         // add headers
         HttpHeaders headers = proxy.getRuntimeObject(HttpHeadersKey.inst);
-        exchange.getRequestHeaders().putAll(headers.getUndertowHeaderMap());
+        exchange.getRequestHeaders().putAll(headers.getUndertowHeaderMap(proxy));
 
         exchange.addResponseWrapper((f, exchange1) -> {
             proxyCacheHeadersService.addAppCacheHeaders(proxy, exchange1);

From 114a4c344597c3600ea7f931a2165dda9b61f164 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 2 Sep 2025 15:20:00 +0200
Subject: [PATCH 03/27] Fix #35503: add internationalization support

---
 .../ContainerProxyApplication.java            |  2 +
 .../containerproxy/ui/AuthController.java     | 11 +++-
 .../ui/TemplateResolverConfig.java            | 27 ++++++++
 .../util/CustomMessageSource.java             | 61 +++++++++++++++++++
 src/main/resources/cp_messages.properties     | 19 ++++++
 .../templates/app-access-denied.html          |  6 +-
 src/main/resources/templates/auth-error.html  | 11 ++--
 src/main/resources/templates/error.html       |  2 +-
 src/main/resources/templates/login.html       | 12 ++--
 .../resources/templates/logout-success.html   |  4 +-
 10 files changed, 134 insertions(+), 21 deletions(-)
 create mode 100644 src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
 create mode 100644 src/main/resources/cp_messages.properties

diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index 75f2496b..38b2d09a 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -63,6 +63,7 @@
 import org.springframework.session.security.SpringSessionBackedSessionRegistry;
 import org.springframework.session.web.http.DefaultCookieSerializer;
 import org.springframework.web.filter.FormContentFilter;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
@@ -77,6 +78,7 @@
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.Executor;
diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java b/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
index 7d6d7d1f..98fcc886 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
@@ -27,6 +27,8 @@
 import eu.openanalytics.containerproxy.event.AuthFailedEvent;
 import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.MessageSource;
+import org.springframework.context.i18n.LocaleContextHolder;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
@@ -37,6 +39,7 @@
 import org.springframework.web.servlet.view.RedirectView;
 
 import javax.inject.Inject;
+import java.util.Locale;
 import java.util.Optional;
 
 @Controller
@@ -54,14 +57,18 @@ public class AuthController extends BaseController {
     @Inject
     private ApplicationEventPublisher applicationEventPublisher;
 
+    @Inject
+    protected MessageSource messageSource;
+
     @RequestMapping(value = "/login", method = RequestMethod.GET)
     public Object getLoginPage(@RequestParam Optional<String> error, ModelMap map) {
         prepareMap(map);
         if (error.isPresent()) {
+            Locale locale = LocaleContextHolder.getLocale();
             if (error.get().equals("expired")) {
-                map.put("error", "You took too long to login, please try again");
+                map.put("error", messageSource.getMessage("auth.simple.expired_error", null, locale));
             } else {
-                map.put("error", "Invalid user name or password");
+                map.put("error",  messageSource.getMessage("auth.simple.credentials_error", null, locale));
             }
         }
 
diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java b/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
index f438acc3..1911bcfe 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
@@ -29,10 +29,15 @@
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.core.io.Resource;
 import org.springframework.http.CacheControl;
+import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.i18n.CookieLocaleResolver;
+import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.springframework.web.servlet.resource.ResourceResolver;
 import org.springframework.web.servlet.resource.ResourceResolverChain;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
@@ -42,6 +47,7 @@
 import java.io.IOException;
 import java.time.Duration;
 import java.util.List;
+import java.util.Locale;
 
 @Configuration
 public class TemplateResolverConfig implements WebMvcConfigurer {
@@ -118,6 +124,27 @@ public void configurePathMatch(PathMatchConfigurer configurer) {
         configurer.setUseTrailingSlashMatch(true);
     }
 
+    @Bean
+    public LocaleResolver localeResolver() {
+        CookieLocaleResolver slr = new CookieLocaleResolver();
+        // todo cookie secure
+        slr.setDefaultLocale(Locale.US);
+        return slr;
+    }
+
+    // TODO
+    @Bean
+    public LocaleChangeInterceptor localeChangeInterceptor() {
+        LocaleChangeInterceptor lci = new LocaleChangeInterceptor();
+        lci.setParamName("lang");
+        return lci;
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(localeChangeInterceptor());
+    }
+
     /**
      * A resolver that loads the resource and returns the result as a @link ByteArrayResource.
      * Should be used in combination with @link ResourceChainRegistration where caching is enabled.
diff --git a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
new file mode 100644
index 00000000..45612d5c
--- /dev/null
+++ b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
@@ -0,0 +1,61 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.util;
+
+import org.springframework.boot.autoconfigure.context.MessageSourceAutoConfiguration;
+import org.springframework.boot.autoconfigure.context.MessageSourceProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.MessageSource;
+import org.springframework.context.MessageSourceResolvable;
+import org.springframework.context.NoSuchMessageException;
+import org.springframework.stereotype.Component;
+import org.thymeleaf.util.StringUtils;
+
+import javax.annotation.Nonnull;
+import java.util.Locale;
+
+@Component("messageSource")
+@EnableConfigurationProperties(MessageSourceProperties.class)
+public class CustomMessageSource implements MessageSource {
+
+    private MessageSource delegate;
+
+    public CustomMessageSource(MessageSourceProperties properties) {
+        MessageSourceAutoConfiguration autoConfiguration = new MessageSourceAutoConfiguration();
+        this.delegate = autoConfiguration.messageSource(properties);
+    }
+
+    @Override
+    public String getMessage(@Nonnull String code, Object[] args, String defaultMessage, @Nonnull Locale locale) {
+        return StringUtils.capitalize(delegate.getMessage(code, args, defaultMessage, locale));
+    }
+
+    @Override
+    public String getMessage(@Nonnull String code, Object[] args, @Nonnull Locale locale) throws NoSuchMessageException {
+        return StringUtils.capitalize(delegate.getMessage(code, args, locale));
+    }
+
+    @Override
+    public String getMessage(@Nonnull MessageSourceResolvable resolvable, @Nonnull Locale locale) throws NoSuchMessageException {
+        return StringUtils.capitalize(delegate.getMessage(resolvable, locale));
+    }
+
+}
diff --git a/src/main/resources/cp_messages.properties b/src/main/resources/cp_messages.properties
new file mode 100644
index 00000000..d431b1e3
--- /dev/null
+++ b/src/main/resources/cp_messages.properties
@@ -0,0 +1,19 @@
+app-access-denied.header=You do not have access to this application.
+app-access-denied.p1=Your account does not have the required roles or groups required for accessing this application.
+app-access-denied.p2=Please contact your administrator if you believe this is a mistake.
+auth-error.header=An error occurred during the authentication procedure.
+auth-error.link=Go back to the main page
+auth-error.message-admin-if=If you are an administrator of {0}
+auth-error.message-admin-text=this error page is typically shown because of an configuration error in the authentication setup. See the logs for more information.
+auth-error.message-user-if=If you are a user of {0}
+auth-error.message-user-text=please report this issue to your administrator and try to log out from your Identity Provider.
+auth.simple.button=Sign in
+auth.simple.header=Please sign in:
+auth.simple.password=password
+auth.simple.sign-in-error=Could not sign in!
+auth.simple.username=username
+error.link=Go back to the main page
+logout-success.header=You have been logged out successfully.
+logout-success.link=Login again
+auth.simple.expired_error=You took too long to login, please try again
+auth.simple.credentials_error=Invalid user name or password
diff --git a/src/main/resources/templates/app-access-denied.html b/src/main/resources/templates/app-access-denied.html
index 2d051afb..0a8d96b9 100644
--- a/src/main/resources/templates/app-access-denied.html
+++ b/src/main/resources/templates/app-access-denied.html
@@ -38,9 +38,9 @@
 
 <body>
 	<div class="container">
-		<h2>You do not have access to this application.</h2>
-		<p>Your account does not have the required roles or groups required for accessing this application.</p>
-		<p>Please contact your administrator if you believe this is a mistake.</p>
+		<h2 th:text="#{app-access-denied.header}"></h2>
+		<p th:text="#{app-access-denied.p1}"></p>
+		<p th:text="#{app-access-denied.p2}"></p>
 	</div>
 
 <style>
diff --git a/src/main/resources/templates/auth-error.html b/src/main/resources/templates/auth-error.html
index 28f1afde..b57c3311 100644
--- a/src/main/resources/templates/auth-error.html
+++ b/src/main/resources/templates/auth-error.html
@@ -40,13 +40,10 @@
 
     <body>
         <div class="container">
-            <h2>An error occurred during the authentication procedure.</h2>
-            <p><b>If you are a user of <span th:text="${application_name}"></span>:</b> please report this issue to your
-                administrator and try to log out from your Identity Provider.</p>
-            <p><b>If you are an administrator of <span th:text="${application_name}"></span>:</b> this error page is
-                typically shown because of an configuration error in the authentication setup. See the logs for more
-                information.</p>
-            <a th:href="${mainPage}">Go back to the main page</a>
+            <h2 th:text="#{auth-error.header}"></h2>
+            <p><b th:text="${#messages.msgWithParams('auth-error.message-user-if', application_name)}"></b>: <span th:text="#{auth-error.message-user-text}"></span></p>
+            <p><b th:text="${#messages.msgWithParams('auth-error.message-admin-if', application_name)}"></b>: <span th:text="#{auth-error.message-admin-text}"></span></p>
+            <a th:href="${mainPage}" th:text="#{auth-error.link}"></a>
         </div>
 
         <style>
diff --git a/src/main/resources/templates/error.html b/src/main/resources/templates/error.html
index f96be5c9..a29a89c0 100644
--- a/src/main/resources/templates/error.html
+++ b/src/main/resources/templates/error.html
@@ -39,7 +39,7 @@
         <div class="container">
             <h2 th:text="${shortError}"></h2>
             <p th:text="${description}"></p>
-            <a th:href="${mainPage}">Go back to the main page</a>
+            <a th:href="${mainPage}" th:text="#{error.link}"></a>
         </div>
 
         <style>
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 28c89678..fde22b99 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -39,17 +39,17 @@
     <body>
         <div class="container">
             <form class="form-signin" method="POST" th:action="@{/login}">
-                <h2 class="form-signin-heading">Please sign in:</h2>
+                <h2 class="form-signin-heading" th:text="#{auth.simple.header}"></h2>
                 <div class="alert alert-danger" th:if="${error}">
-                    <strong>Could not sign in!</strong><br/><span th:text="${error}"></span>.
+                    <strong th:text="#{auth.simple.sign-in-error}">Could not sign in!</strong><br/><span th:text="${error}"></span>.
                 </div>
-                <label class="sr-only" for="username">Email address</label>
-                <input autofocus="autofocus" class="form-control" id="username" name="username" placeholder="User name"
+                <label class="sr-only" for="username">Username</label>
+                <input autofocus="autofocus" class="form-control" id="username" name="username" th:placeholder="#{auth.simple.username}"
                        required="required">
                 <label class="sr-only" for="password">Password</label>
-                <input class="form-control" id="password" name="password" placeholder="Password" required="required"
+                <input class="form-control" id="password" name="password" th:placeholder="#{auth.simple.password}" required="required"
                        type="password">
-                <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
+                <button class="btn btn-lg btn-primary btn-block" type="submit" th:text="#{auth.simple.button}"></button>
             </form>
         </div>
     </body>
diff --git a/src/main/resources/templates/logout-success.html b/src/main/resources/templates/logout-success.html
index 2df828f7..d6ab4848 100644
--- a/src/main/resources/templates/logout-success.html
+++ b/src/main/resources/templates/logout-success.html
@@ -37,8 +37,8 @@
 
     <body>
         <div class="container">
-            <h2>You have been logged out successfully.</h2>
-            <p><a th:href="@{/}"><b>Login again</b></a></p>
+            <h2 th:text="#{logout-success.header}"></h2>
+            <p><a th:href="@{/}"><b th:text="#{logout-success.link}"></b></a></p>
         </div>
 
         <style>

From 494b6588b797506ffdc4ff47ff6387e2ddf23852 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 09:46:26 +0000
Subject: [PATCH 04/27] Added translation using Weblate (Dutch)

---
 src/main/resources/cp_messages_nl.properties | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 src/main/resources/cp_messages_nl.properties

diff --git a/src/main/resources/cp_messages_nl.properties b/src/main/resources/cp_messages_nl.properties
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/src/main/resources/cp_messages_nl.properties
@@ -0,0 +1 @@
+

From e60944182e552dca0bf8871659116872023485bb Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 09:47:28 +0000
Subject: [PATCH 05/27] Translated using Weblate (Dutch)

Currently translated at 100.0% (19 of 19 strings)

Translation: ShinyProxy/ContainerProxy
Translate-URL: https://weblate.openanalytics.eu/projects/shinyproxy/containerproxy/nl/
---
 src/main/resources/cp_messages_nl.properties | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/main/resources/cp_messages_nl.properties b/src/main/resources/cp_messages_nl.properties
index 8b137891..1fb23ddb 100644
--- a/src/main/resources/cp_messages_nl.properties
+++ b/src/main/resources/cp_messages_nl.properties
@@ -1 +1,19 @@
-
+app-access-denied.header=U heeft geen toegang tot deze applicatie.
+app-access-denied.p1=Uw account heeft niet de vereiste rollen of groepen om deze applicatie te kunnen gebruiken.
+app-access-denied.p2=Neem contact op met uw beheerder als u denkt dat dit een fout is.
+auth-error.header=Er is een fout opgetreden tijdens de authenticatieprocedure.
+auth-error.link=Ga terug naar de hoofdpagina
+auth-error.message-admin-if=Als u beheerder bent van {0}
+auth-error.message-admin-text=Deze foutpagina wordt meestal weergegeven vanwege een configuratiefout in de authenticatie-instellingen. Raadpleeg de logbestanden voor meer informatie.
+auth-error.message-user-if=Als u een gebruiker bent van {0}
+auth-error.message-user-text=Meld dit probleem aan uw beheerder en probeer uit te loggen bij uw identiteitsprovider.
+auth.simple.button=Aanmelden
+auth.simple.header=Meld u aan:
+auth.simple.password=paswoord
+auth.simple.sign-in-error=Kon u niet inloggen!
+auth.simple.username=gebruikersnaam
+error.link=Ga terug naar de hoofdpagina
+logout-success.header=U bent succesvol uitgelogd.
+logout-success.link=Opnieuw aanmelden
+auth.simple.expired_error=Het duurde te lang om aan te melden, probeer het opnieuw
+auth.simple.credentials_error=Ongeldige gebruikersnaam of wachtwoord

From 65128b4b50abe1f0c3bc887ed2b0786844cfe18a Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 11:36:14 +0200
Subject: [PATCH 06/27] Fix #35504: allow user to choose language

---
 .../ContainerProxyApplication.java            |  16 +++
 .../containerproxy/api/BaseController.java    |   5 +
 .../containerproxy/api/UserController.java    |  58 +++++++++
 .../containerproxy/api/dto/LanguageDto.java   |  25 ++++
 .../service/LanguageService.java              | 114 ++++++++++++++++++
 .../ui/TemplateResolverConfig.java            |  27 -----
 6 files changed, 218 insertions(+), 27 deletions(-)
 create mode 100644 src/main/java/eu/openanalytics/containerproxy/api/UserController.java
 create mode 100644 src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java
 create mode 100644 src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java

diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index 38b2d09a..95253174 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -63,6 +63,8 @@
 import org.springframework.session.security.SpringSessionBackedSessionRegistry;
 import org.springframework.session.web.http.DefaultCookieSerializer;
 import org.springframework.web.filter.FormContentFilter;
+import org.springframework.web.servlet.LocaleResolver;
+import org.springframework.web.servlet.i18n.CookieLocaleResolver;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
 import javax.annotation.PostConstruct;
@@ -210,6 +212,10 @@ public static Properties getDefaultProperties() {
         properties.put("springdoc.api-docs.enabled", false);
         properties.put("springdoc.swagger-ui.enabled", false);
 
+        // Internationalization
+        // ====================
+        properties.put("spring.messages.basename", "messages,cp_messages");
+
         return properties;
     }
 
@@ -421,4 +427,14 @@ public GroupedOpenApi groupOpenApi() {
             .build();
     }
 
+    @Bean
+    public LocaleResolver localeResolver() {
+        // not default language is configured, therefore the Accept header will determine the language if there is no cookie
+        CookieLocaleResolver cookieLocaleResolver = new CookieLocaleResolver("shinyproxy_language");
+        cookieLocaleResolver.setCookieSecure(secureCookiesEnabled);
+        cookieLocaleResolver.setCookieSameSite(sameSiteCookiePolicy);
+        cookieLocaleResolver.setCookieHttpOnly(true);
+        return cookieLocaleResolver;
+    }
+
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/api/BaseController.java b/src/main/java/eu/openanalytics/containerproxy/api/BaseController.java
index 2b3644b7..fbfacdb3 100644
--- a/src/main/java/eu/openanalytics/containerproxy/api/BaseController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/api/BaseController.java
@@ -21,6 +21,7 @@
 package eu.openanalytics.containerproxy.api;
 
 import eu.openanalytics.containerproxy.service.IdentifierService;
+import eu.openanalytics.containerproxy.service.LanguageService;
 import eu.openanalytics.containerproxy.service.UserService;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
@@ -49,6 +50,9 @@ public class BaseController {
     @Inject
     private UserService userService;
 
+    @Inject
+    private LanguageService languageService;
+
     private String title;
     private boolean titleContainsExpression;
 
@@ -72,6 +76,7 @@ protected void prepareMap(ModelMap map) {
 
         map.put("request", httpServletRequest);
         map.put("response", httpServletResponse);
+        map.put("language", languageService.getAndUpdateLanguageOfUser(httpServletRequest, httpServletResponse));
     }
 
     private String getTitle(Authentication user, String serverName) {
diff --git a/src/main/java/eu/openanalytics/containerproxy/api/UserController.java b/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
new file mode 100644
index 00000000..fdaa7ebd
--- /dev/null
+++ b/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
@@ -0,0 +1,58 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.api;
+
+import eu.openanalytics.containerproxy.api.dto.ApiResponse;
+import eu.openanalytics.containerproxy.api.dto.LanguageDto;
+import eu.openanalytics.containerproxy.model.runtime.Proxy;
+import eu.openanalytics.containerproxy.service.LanguageService;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class UserController extends BaseController {
+
+    private final LanguageService languageService;
+
+    public UserController(LanguageService languageService) {
+        this.languageService = languageService;
+    }
+
+    @RequestMapping(value = "/api/user/language", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<ApiResponse<Proxy>> getProxy(@RequestBody LanguageDto body, HttpServletRequest request, HttpServletResponse response) {
+        try {
+            languageService.updateLanguageOfUser(request, response, body.language());
+        } catch (IllegalArgumentException e) {
+            return ApiResponse.fail(e.getMessage());
+        } catch (IllegalStateException e) {
+            return ApiResponse.error(e);
+        }
+
+        return ApiResponse.success();
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java b/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java
new file mode 100644
index 00000000..1f9c0e6f
--- /dev/null
+++ b/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java
@@ -0,0 +1,25 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.api.dto;
+
+public record LanguageDto(String language) {
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
new file mode 100644
index 00000000..6bccb73b
--- /dev/null
+++ b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
@@ -0,0 +1,114 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.service;
+
+import eu.openanalytics.containerproxy.util.EnvironmentUtils;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.i18n.LocaleContextHolder;
+import org.springframework.core.env.Environment;
+import org.springframework.stereotype.Service;
+import org.springframework.web.servlet.LocaleResolver;
+import org.springframework.web.servlet.support.RequestContextUtils;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+
+@Service
+public class LanguageService {
+
+    private static final String PROP_PROXY_AVAILABLE_LANGUAGES = "proxy.available-languages";
+    private static final Map<String, Language> DEFAULT_AVAILABLE_LANGUAGES = Map.of(
+        "en", new Language("en", "English"),
+        "nl", new Language("nl", "Dutch"),
+        "fr", new Language("fr", "French")
+    );
+    private static final String PROP_PROXY_FALLBACK_LANGUAGE = "proxy.fallback-language";
+    private static final String DEFAULT_FALLBACK_LANGUAGE = "en";
+
+    private final Map<String, Language> enabledLanguages;
+    private final String fallbackLanguage;
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+
+    public LanguageService(Environment environment) {
+        enabledLanguages = readEnabledLanguages(environment);
+        fallbackLanguage = environment.getProperty(PROP_PROXY_FALLBACK_LANGUAGE, DEFAULT_FALLBACK_LANGUAGE);
+    }
+
+    public void updateLanguageOfUser(HttpServletRequest request, HttpServletResponse response, String language) {
+        if (StringUtils.isBlank(language)) {
+            throw new IllegalArgumentException("No language provided");
+        }
+
+        if (!enabledLanguages.containsKey(language)) {
+            throw new IllegalArgumentException("Requested language not enabled");
+        }
+
+        LocaleResolver localeResolver = RequestContextUtils.getLocaleResolver(request);
+        if (localeResolver == null) {
+            throw new IllegalStateException("Unable to change language");
+        }
+
+        localeResolver.setLocale(request, response, Locale.forLanguageTag(language));
+    }
+
+    public String getAndUpdateLanguageOfUser(HttpServletRequest request, HttpServletResponse response) {
+        String language = LocaleContextHolder.getLocale().getLanguage();
+        if (enabledLanguages.containsKey(language)) {
+            return language;
+        }
+        // language of user is not supported -> use fallback language
+        updateLanguageOfUser(request, response, fallbackLanguage);
+        return fallbackLanguage;
+    }
+
+    private Map<String, Language> readEnabledLanguages(Environment environment) {
+        List<String> configuredLanguages = EnvironmentUtils.readList(environment, PROP_PROXY_AVAILABLE_LANGUAGES);
+        if (configuredLanguages == null) {
+            return DEFAULT_AVAILABLE_LANGUAGES;
+        }
+        Map<String, Language> result = new HashMap<>();
+        for (String key : configuredLanguages) {
+            Language lang = DEFAULT_AVAILABLE_LANGUAGES.get(key);
+            if (lang != null) {
+                result.put(lang.key, lang);
+            } else {
+                logger.warn("Enabled language '{}' is not supported", key);
+            }
+        }
+        return result;
+    }
+
+    public Map<String, Language> getEnabledLanguages() {
+        return enabledLanguages;
+    }
+
+    public record Language(String key, String displayName) {
+
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java b/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
index 1911bcfe..f438acc3 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java
@@ -29,15 +29,10 @@
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.core.io.Resource;
 import org.springframework.http.CacheControl;
-import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.springframework.web.servlet.i18n.CookieLocaleResolver;
-import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
-import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.springframework.web.servlet.resource.ResourceResolver;
 import org.springframework.web.servlet.resource.ResourceResolverChain;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
@@ -47,7 +42,6 @@
 import java.io.IOException;
 import java.time.Duration;
 import java.util.List;
-import java.util.Locale;
 
 @Configuration
 public class TemplateResolverConfig implements WebMvcConfigurer {
@@ -124,27 +118,6 @@ public void configurePathMatch(PathMatchConfigurer configurer) {
         configurer.setUseTrailingSlashMatch(true);
     }
 
-    @Bean
-    public LocaleResolver localeResolver() {
-        CookieLocaleResolver slr = new CookieLocaleResolver();
-        // todo cookie secure
-        slr.setDefaultLocale(Locale.US);
-        return slr;
-    }
-
-    // TODO
-    @Bean
-    public LocaleChangeInterceptor localeChangeInterceptor() {
-        LocaleChangeInterceptor lci = new LocaleChangeInterceptor();
-        lci.setParamName("lang");
-        return lci;
-    }
-
-    @Override
-    public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(localeChangeInterceptor());
-    }
-
     /**
      * A resolver that loads the resource and returns the result as a @link ByteArrayResource.
      * Should be used in combination with @link ResourceChainRegistration where caching is enabled.

From 770f2e89391301bab326d8040d923aee4557e97e Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 12:05:47 +0200
Subject: [PATCH 07/27] Ref #35503: cleanup translations

---
 .pre-commit-config.yaml                      | 1 +
 src/main/resources/cp_messages.properties    | 6 +++---
 src/main/resources/cp_messages_nl.properties | 8 ++++----
 src/main/resources/templates/login.html      | 4 ++--
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8cd01ddd..f9ebf8c2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -38,3 +38,4 @@ repos:
   rev: v1.35.8
   hooks:
     - id: typos
+      exclude: 'src/main/resources/cp_messages_.*'
diff --git a/src/main/resources/cp_messages.properties b/src/main/resources/cp_messages.properties
index d431b1e3..630b18ef 100644
--- a/src/main/resources/cp_messages.properties
+++ b/src/main/resources/cp_messages.properties
@@ -8,12 +8,12 @@ auth-error.message-admin-text=this error page is typically shown because of an c
 auth-error.message-user-if=If you are a user of {0}
 auth-error.message-user-text=please report this issue to your administrator and try to log out from your Identity Provider.
 auth.simple.button=Sign in
-auth.simple.header=Please sign in:
+auth.simple.header=Please sign in
 auth.simple.password=password
 auth.simple.sign-in-error=Could not sign in!
 auth.simple.username=username
 error.link=Go back to the main page
 logout-success.header=You have been logged out successfully.
 logout-success.link=Login again
-auth.simple.expired_error=You took too long to login, please try again
-auth.simple.credentials_error=Invalid user name or password
+auth.simple.expired_error=You took too long to login, please try again.
+auth.simple.credentials_error=Invalid user name or password.
diff --git a/src/main/resources/cp_messages_nl.properties b/src/main/resources/cp_messages_nl.properties
index 1fb23ddb..b7535fd5 100644
--- a/src/main/resources/cp_messages_nl.properties
+++ b/src/main/resources/cp_messages_nl.properties
@@ -8,12 +8,12 @@ auth-error.message-admin-text=Deze foutpagina wordt meestal weergegeven vanwege
 auth-error.message-user-if=Als u een gebruiker bent van {0}
 auth-error.message-user-text=Meld dit probleem aan uw beheerder en probeer uit te loggen bij uw identiteitsprovider.
 auth.simple.button=Aanmelden
-auth.simple.header=Meld u aan:
+auth.simple.header=Meld u aan
 auth.simple.password=paswoord
-auth.simple.sign-in-error=Kon u niet inloggen!
+auth.simple.sign-in-error=Aanmelden mislukt!
 auth.simple.username=gebruikersnaam
 error.link=Ga terug naar de hoofdpagina
 logout-success.header=U bent succesvol uitgelogd.
 logout-success.link=Opnieuw aanmelden
-auth.simple.expired_error=Het duurde te lang om aan te melden, probeer het opnieuw
-auth.simple.credentials_error=Ongeldige gebruikersnaam of wachtwoord
+auth.simple.expired_error=Het duurde te lang om aan te melden, probeer het opnieuw.
+auth.simple.credentials_error=Ongeldige gebruikersnaam of wachtwoord.
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index fde22b99..19ec33d2 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -39,9 +39,9 @@
     <body>
         <div class="container">
             <form class="form-signin" method="POST" th:action="@{/login}">
-                <h2 class="form-signin-heading" th:text="#{auth.simple.header}"></h2>
+                <h2 class="form-signin-heading" th:text="#{auth.simple.header} + ':'"></h2>
                 <div class="alert alert-danger" th:if="${error}">
-                    <strong th:text="#{auth.simple.sign-in-error}">Could not sign in!</strong><br/><span th:text="${error}"></span>.
+                    <strong th:text="#{auth.simple.sign-in-error}"></strong><br/><span th:text="${error}"></span>
                 </div>
                 <label class="sr-only" for="username">Username</label>
                 <input autofocus="autofocus" class="form-control" id="username" name="username" th:placeholder="#{auth.simple.username}"

From 6670e06717476faef8ab1e2464e1595af6a2a4d0 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 11:38:53 +0000
Subject: [PATCH 08/27] Translated using Weblate (French)

Currently translated at 100.0% (19 of 19 strings)

Translation: ShinyProxy/ContainerProxy
Translate-URL: https://weblate.openanalytics.eu/projects/shinyproxy/containerproxy/fr/
---
 src/main/resources/cp_messages_fr.properties | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 src/main/resources/cp_messages_fr.properties

diff --git a/src/main/resources/cp_messages_fr.properties b/src/main/resources/cp_messages_fr.properties
new file mode 100644
index 00000000..39035e37
--- /dev/null
+++ b/src/main/resources/cp_messages_fr.properties
@@ -0,0 +1,19 @@
+app-access-denied.header=Vous n'avez pas accès à cette application.
+app-access-denied.p1=Votre compte ne dispose pas des rôles ou groupes requis pour accéder à cette application.
+app-access-denied.p2=Veuillez contacter votre administrateur si vous pensez qu'il s'agit d'une erreur.
+auth-error.header=Une erreur s'est produite pendant la procédure d'authentification.
+auth-error.link=Retour à la page principale
+auth-error.message-admin-if=Si vous êtes administrateur de {0}
+auth-error.message-admin-text=cette page d'erreur s'affiche généralement en raison d'une erreur de configuration dans les paramètres d'authentification. Consultez les journaux pour plus d'informations.
+auth-error.message-user-if=Si vous êtes un utilisateur de {0}
+auth-error.message-user-text=Veuillez signaler ce problème à votre administrateur et essayer de vous déconnecter de votre fournisseur d'identité.
+auth.simple.button=Se connecter
+auth.simple.header=Veuillez vous connecter
+auth.simple.password=mot de passe
+auth.simple.sign-in-error=Impossible de se connecter!
+auth.simple.username=nom d'utilisateur
+error.link=Retour à la page principale
+logout-success.header=Vous avez été déconnecté avec succès.
+logout-success.link=Se reconnecter
+auth.simple.expired_error=Vous avez mis trop de temps à vous connecter, veuillez réessayer.
+auth.simple.credentials_error=Nom d'utilisateur ou mot de passe invalide.

From c559e36a1010c0c4fb756f64a80f6118f746157d Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 14:13:33 +0200
Subject: [PATCH 09/27] Ref #35503: fixes for internationalization

---
 .../openanalytics/containerproxy/ContainerProxyApplication.java | 2 +-
 src/main/resources/cp_messages.properties                       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index 95253174..22c6a42d 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -429,7 +429,7 @@ public GroupedOpenApi groupOpenApi() {
 
     @Bean
     public LocaleResolver localeResolver() {
-        // not default language is configured, therefore the Accept header will determine the language if there is no cookie
+        // no default language is configured, therefore the Accept header will determine the language if there is no cookie
         CookieLocaleResolver cookieLocaleResolver = new CookieLocaleResolver("shinyproxy_language");
         cookieLocaleResolver.setCookieSecure(secureCookiesEnabled);
         cookieLocaleResolver.setCookieSameSite(sameSiteCookiePolicy);
diff --git a/src/main/resources/cp_messages.properties b/src/main/resources/cp_messages.properties
index 630b18ef..15ecfb93 100644
--- a/src/main/resources/cp_messages.properties
+++ b/src/main/resources/cp_messages.properties
@@ -16,4 +16,4 @@ error.link=Go back to the main page
 logout-success.header=You have been logged out successfully.
 logout-success.link=Login again
 auth.simple.expired_error=You took too long to login, please try again.
-auth.simple.credentials_error=Invalid user name or password.
+auth.simple.credentials_error=Invalid username or password.

From e130ac0e76f55296cd253e5ea14464ad9d94088c Mon Sep 17 00:00:00 2001
From: Anonymous <noreply@weblate.org>
Date: Wed, 3 Sep 2025 12:59:46 +0000
Subject: [PATCH 10/27] Translated using Weblate (Dutch)

Currently translated at 94.7% (18 of 19 strings)

Translation: ShinyProxy/ContainerProxy
Translate-URL: https://weblate.openanalytics.eu/projects/shinyproxy/containerproxy/nl/
---
 src/main/resources/cp_messages_nl.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/cp_messages_nl.properties b/src/main/resources/cp_messages_nl.properties
index b7535fd5..487a965d 100644
--- a/src/main/resources/cp_messages_nl.properties
+++ b/src/main/resources/cp_messages_nl.properties
@@ -8,6 +8,8 @@ auth-error.message-admin-text=Deze foutpagina wordt meestal weergegeven vanwege
 auth-error.message-user-if=Als u een gebruiker bent van {0}
 auth-error.message-user-text=Meld dit probleem aan uw beheerder en probeer uit te loggen bij uw identiteitsprovider.
 auth.simple.button=Aanmelden
+auth.simple.credentials_error=Ongeldige gebruikersnaam of wachtwoord.
+auth.simple.expired_error=Het duurde te lang om aan te melden, probeer het opnieuw.
 auth.simple.header=Meld u aan
 auth.simple.password=paswoord
 auth.simple.sign-in-error=Aanmelden mislukt!
@@ -15,5 +17,3 @@ auth.simple.username=gebruikersnaam
 error.link=Ga terug naar de hoofdpagina
 logout-success.header=U bent succesvol uitgelogd.
 logout-success.link=Opnieuw aanmelden
-auth.simple.expired_error=Het duurde te lang om aan te melden, probeer het opnieuw.
-auth.simple.credentials_error=Ongeldige gebruikersnaam of wachtwoord.

From 8562c26a4f1a685b8a72d01d5099412026a553e1 Mon Sep 17 00:00:00 2001
From: Anonymous <noreply@weblate.org>
Date: Wed, 3 Sep 2025 12:59:46 +0000
Subject: [PATCH 11/27] Translated using Weblate (French)

Currently translated at 94.7% (18 of 19 strings)

Translation: ShinyProxy/ContainerProxy
Translate-URL: https://weblate.openanalytics.eu/projects/shinyproxy/containerproxy/fr/
---
 src/main/resources/cp_messages_fr.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/cp_messages_fr.properties b/src/main/resources/cp_messages_fr.properties
index 39035e37..c4df12ee 100644
--- a/src/main/resources/cp_messages_fr.properties
+++ b/src/main/resources/cp_messages_fr.properties
@@ -8,6 +8,8 @@ auth-error.message-admin-text=cette page d'erreur s'affiche généralement en ra
 auth-error.message-user-if=Si vous êtes un utilisateur de {0}
 auth-error.message-user-text=Veuillez signaler ce problème à votre administrateur et essayer de vous déconnecter de votre fournisseur d'identité.
 auth.simple.button=Se connecter
+auth.simple.credentials_error=Nom d'utilisateur ou mot de passe invalide.
+auth.simple.expired_error=Vous avez mis trop de temps à vous connecter, veuillez réessayer.
 auth.simple.header=Veuillez vous connecter
 auth.simple.password=mot de passe
 auth.simple.sign-in-error=Impossible de se connecter!
@@ -15,5 +17,3 @@ auth.simple.username=nom d'utilisateur
 error.link=Retour à la page principale
 logout-success.header=Vous avez été déconnecté avec succès.
 logout-success.link=Se reconnecter
-auth.simple.expired_error=Vous avez mis trop de temps à vous connecter, veuillez réessayer.
-auth.simple.credentials_error=Nom d'utilisateur ou mot de passe invalide.

From 56578039e6e5ea056627737df4b295dc1cb2cb2c Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 14:45:18 +0000
Subject: [PATCH 12/27] Added translation using Weblate (Spanish)

---
 src/main/resources/cp_messages_es.properties | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 src/main/resources/cp_messages_es.properties

diff --git a/src/main/resources/cp_messages_es.properties b/src/main/resources/cp_messages_es.properties
new file mode 100644
index 00000000..e69de29b

From f5911eb41280c9f79f639d158e49ea8e86893d28 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 3 Sep 2025 14:46:34 +0000
Subject: [PATCH 13/27] Translated using Weblate (Spanish)

Currently translated at 100.0% (19 of 19 strings)

Translation: ShinyProxy/ContainerProxy
Translate-URL: https://weblate.openanalytics.eu/projects/shinyproxy/containerproxy/es/
---
 src/main/resources/cp_messages_es.properties | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/main/resources/cp_messages_es.properties b/src/main/resources/cp_messages_es.properties
index e69de29b..2af550cc 100644
--- a/src/main/resources/cp_messages_es.properties
+++ b/src/main/resources/cp_messages_es.properties
@@ -0,0 +1,19 @@
+app-access-denied.header=No tienes acceso a esta aplicación.
+app-access-denied.p1=Tu cuenta no tiene los roles o grupos necesarios para acceder a esta aplicación.
+app-access-denied.p2=Si cree que se trata de un error, póngase en contacto con su administrador.
+auth-error.header=Se ha producido un error durante el procedimiento de autenticación.
+auth-error.link=Volver a la página principal
+auth-error.message-admin-if=Si eres administrador de {0}
+auth-error.message-admin-text=Esta página de error suele aparecer debido a un error de configuración autenticación. Consulte los registros para obtener más información.
+auth-error.message-user-if=Si eres usuario de {0}
+auth-error.message-user-text=Por favor, informe de este problema a su administrador e intente cerrar sesión en su proveedor de identidad.
+auth.simple.button=Iniciar sesión
+auth.simple.credentials_error=Nombre de usuario o contraseña no válidos.
+auth.simple.expired_error=Has tardado demasiado en iniciar sesión, por favor, vuelve a intentarlo.
+auth.simple.header=Por favor, inicia sesión
+auth.simple.password=contraseña
+auth.simple.sign-in-error=¡No se pudo iniciar sesión!
+auth.simple.username=nombre de usuario
+error.link=Volver a la página principal
+logout-success.header=Ha cerrado sesión correctamente.
+logout-success.link=Inicie sesión de nuevo

From de128aa6bf222feb2f91ba4d498f82b691deadf0 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Mon, 10 Nov 2025 15:02:04 +0000
Subject: [PATCH 14/27] Translated using Weblate (French)

Currently translated at 100.0% (19 of 19 strings)

Translation: ShinyProxy/ContainerProxy
Translate-URL: https://weblate.openanalytics.eu/projects/shinyproxy/containerproxy/fr/
---
 src/main/resources/cp_messages_fr.properties | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/main/resources/cp_messages_fr.properties b/src/main/resources/cp_messages_fr.properties
index c4df12ee..f6987c7b 100644
--- a/src/main/resources/cp_messages_fr.properties
+++ b/src/main/resources/cp_messages_fr.properties
@@ -1,19 +1,19 @@
-app-access-denied.header=Vous n'avez pas accès à cette application.
+app-access-denied.header=Vous n''avez pas accès à cette application.
 app-access-denied.p1=Votre compte ne dispose pas des rôles ou groupes requis pour accéder à cette application.
-app-access-denied.p2=Veuillez contacter votre administrateur si vous pensez qu'il s'agit d'une erreur.
+app-access-denied.p2=Veuillez contacter votre administrateur si vous pensez qu''il s''agit d''une erreur.
 auth-error.header=Une erreur s'est produite pendant la procédure d'authentification.
 auth-error.link=Retour à la page principale
 auth-error.message-admin-if=Si vous êtes administrateur de {0}
-auth-error.message-admin-text=cette page d'erreur s'affiche généralement en raison d'une erreur de configuration dans les paramètres d'authentification. Consultez les journaux pour plus d'informations.
+auth-error.message-admin-text=cette page d''erreur s''affiche généralement en raison d''une erreur de configuration dans les paramètres d''authentification. Consultez les journaux pour plus d''informations.
 auth-error.message-user-if=Si vous êtes un utilisateur de {0}
-auth-error.message-user-text=Veuillez signaler ce problème à votre administrateur et essayer de vous déconnecter de votre fournisseur d'identité.
+auth-error.message-user-text=Veuillez signaler ce problème à votre administrateur et essayer de vous déconnecter de votre fournisseur d''identité.
 auth.simple.button=Se connecter
-auth.simple.credentials_error=Nom d'utilisateur ou mot de passe invalide.
+auth.simple.credentials_error=Nom d''utilisateur ou mot de passe invalide.
 auth.simple.expired_error=Vous avez mis trop de temps à vous connecter, veuillez réessayer.
 auth.simple.header=Veuillez vous connecter
 auth.simple.password=mot de passe
-auth.simple.sign-in-error=Impossible de se connecter!
-auth.simple.username=nom d'utilisateur
+auth.simple.sign-in-error=Impossible de se connecter !
+auth.simple.username=nom d''utilisateur
 error.link=Retour à la page principale
 logout-success.header=Vous avez été déconnecté avec succès.
 logout-success.link=Se reconnecter

From f07b11946719bf5ea419c314c7820a8f496fe846 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Mon, 10 Nov 2025 16:19:56 +0100
Subject: [PATCH 15/27] Always use MessageFormat

---
 .../openanalytics/containerproxy/ContainerProxyApplication.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index 22c6a42d..6d1069ef 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -215,6 +215,8 @@ public static Properties getDefaultProperties() {
         // Internationalization
         // ====================
         properties.put("spring.messages.basename", "messages,cp_messages");
+        // use MessageFormat for all messages: single quotes must be escaped in every message
+        properties.put("spring.messages.always-use-message-format", "true");
 
         return properties;
     }

From 016cc557d0efb438b967e48576bfa0808e674e09 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Mon, 10 Nov 2025 16:22:37 +0100
Subject: [PATCH 16/27] Add Spanish

---
 .../openanalytics/containerproxy/service/LanguageService.java  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
index 6bccb73b..7ddc6ea2 100644
--- a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
+++ b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
@@ -45,7 +45,8 @@ public class LanguageService {
     private static final Map<String, Language> DEFAULT_AVAILABLE_LANGUAGES = Map.of(
         "en", new Language("en", "English"),
         "nl", new Language("nl", "Dutch"),
-        "fr", new Language("fr", "French")
+        "fr", new Language("fr", "French"),
+        "es", new Language("es", "Spanish")
     );
     private static final String PROP_PROXY_FALLBACK_LANGUAGE = "proxy.fallback-language";
     private static final String DEFAULT_FALLBACK_LANGUAGE = "en";

From 949f211c5682adc1af303a735e81e9edc79ea0e9 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Wed, 14 Jan 2026 16:11:09 +0100
Subject: [PATCH 17/27] Update license headers and rename directory

---
 .../eu/openanalytics/containerproxy/api/UserController.java     | 2 +-
 .../eu/openanalytics/containerproxy/api/dto/LanguageDto.java    | 2 +-
 .../openanalytics/containerproxy/service/LanguageService.java   | 2 +-
 .../service/{hearbeat => heartbeat}/ActiveProxiesService.java   | 0
 .../service/{hearbeat => heartbeat}/HeartbeatService.java       | 0
 .../service/{hearbeat => heartbeat}/IHeartbeatProcessor.java    | 0
 .../{hearbeat => heartbeat}/SessionReActivatorService.java      | 0
 .../{hearbeat => heartbeat}/WebSocketCounterService.java        | 0
 .../openanalytics/containerproxy/util/CustomMessageSource.java  | 2 +-
 9 files changed, 4 insertions(+), 4 deletions(-)
 rename src/main/java/eu/openanalytics/containerproxy/service/{hearbeat => heartbeat}/ActiveProxiesService.java (100%)
 rename src/main/java/eu/openanalytics/containerproxy/service/{hearbeat => heartbeat}/HeartbeatService.java (100%)
 rename src/main/java/eu/openanalytics/containerproxy/service/{hearbeat => heartbeat}/IHeartbeatProcessor.java (100%)
 rename src/main/java/eu/openanalytics/containerproxy/service/{hearbeat => heartbeat}/SessionReActivatorService.java (100%)
 rename src/main/java/eu/openanalytics/containerproxy/service/{hearbeat => heartbeat}/WebSocketCounterService.java (100%)

diff --git a/src/main/java/eu/openanalytics/containerproxy/api/UserController.java b/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
index fdaa7ebd..3967f31d 100644
--- a/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
@@ -1,7 +1,7 @@
 /*
  * ContainerProxy
  *
- * Copyright (C) 2016-2025 Open Analytics
+ * Copyright (C) 2016-2026 Open Analytics
  *
  * ===========================================================================
  *
diff --git a/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java b/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java
index 1f9c0e6f..1a4e522b 100644
--- a/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java
+++ b/src/main/java/eu/openanalytics/containerproxy/api/dto/LanguageDto.java
@@ -1,7 +1,7 @@
 /*
  * ContainerProxy
  *
- * Copyright (C) 2016-2025 Open Analytics
+ * Copyright (C) 2016-2026 Open Analytics
  *
  * ===========================================================================
  *
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
index 7ddc6ea2..efc913cd 100644
--- a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
+++ b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
@@ -1,7 +1,7 @@
 /*
  * ContainerProxy
  *
- * Copyright (C) 2016-2025 Open Analytics
+ * Copyright (C) 2016-2026 Open Analytics
  *
  * ===========================================================================
  *
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/hearbeat/ActiveProxiesService.java b/src/main/java/eu/openanalytics/containerproxy/service/heartbeat/ActiveProxiesService.java
similarity index 100%
rename from src/main/java/eu/openanalytics/containerproxy/service/hearbeat/ActiveProxiesService.java
rename to src/main/java/eu/openanalytics/containerproxy/service/heartbeat/ActiveProxiesService.java
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/hearbeat/HeartbeatService.java b/src/main/java/eu/openanalytics/containerproxy/service/heartbeat/HeartbeatService.java
similarity index 100%
rename from src/main/java/eu/openanalytics/containerproxy/service/hearbeat/HeartbeatService.java
rename to src/main/java/eu/openanalytics/containerproxy/service/heartbeat/HeartbeatService.java
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/hearbeat/IHeartbeatProcessor.java b/src/main/java/eu/openanalytics/containerproxy/service/heartbeat/IHeartbeatProcessor.java
similarity index 100%
rename from src/main/java/eu/openanalytics/containerproxy/service/hearbeat/IHeartbeatProcessor.java
rename to src/main/java/eu/openanalytics/containerproxy/service/heartbeat/IHeartbeatProcessor.java
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/hearbeat/SessionReActivatorService.java b/src/main/java/eu/openanalytics/containerproxy/service/heartbeat/SessionReActivatorService.java
similarity index 100%
rename from src/main/java/eu/openanalytics/containerproxy/service/hearbeat/SessionReActivatorService.java
rename to src/main/java/eu/openanalytics/containerproxy/service/heartbeat/SessionReActivatorService.java
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/hearbeat/WebSocketCounterService.java b/src/main/java/eu/openanalytics/containerproxy/service/heartbeat/WebSocketCounterService.java
similarity index 100%
rename from src/main/java/eu/openanalytics/containerproxy/service/hearbeat/WebSocketCounterService.java
rename to src/main/java/eu/openanalytics/containerproxy/service/heartbeat/WebSocketCounterService.java
diff --git a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
index 45612d5c..f9e1bbe1 100644
--- a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
+++ b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
@@ -1,7 +1,7 @@
 /*
  * ContainerProxy
  *
- * Copyright (C) 2016-2025 Open Analytics
+ * Copyright (C) 2016-2026 Open Analytics
  *
  * ===========================================================================
  *

From 5cf4e86dcbd9b776d56804a65065a5aa53d97d45 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 20 Jan 2026 10:18:15 +0100
Subject: [PATCH 18/27] Fix #35505: send lang as header

---
 .../model/runtime/runtimevalues/HttpHeaders.java       |  2 ++
 .../containerproxy/service/LanguageService.java        | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java
index d4df7e9c..e27afce8 100644
--- a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java
+++ b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java
@@ -24,6 +24,7 @@
 import com.fasterxml.jackson.annotation.JsonValue;
 import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
+import eu.openanalytics.containerproxy.service.LanguageService;
 import io.undertow.util.HeaderMap;
 import io.undertow.util.HttpString;
 import org.slf4j.Logger;
@@ -56,6 +57,7 @@ public HttpHeaders(Map<String, String> headers) {
 
     public HeaderMap getUndertowHeaderMap(Proxy proxy) {
         undertowHeaderMap.putAll(OpenIDAuthenticationBackend.addHeaders(proxy));
+        undertowHeaderMap.putAll(LanguageService.addHeaders());
         return undertowHeaderMap;
     }
 
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
index efc913cd..495faa84 100644
--- a/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
+++ b/src/main/java/eu/openanalytics/containerproxy/service/LanguageService.java
@@ -21,6 +21,8 @@
 package eu.openanalytics.containerproxy.service;
 
 import eu.openanalytics.containerproxy.util.EnvironmentUtils;
+import io.undertow.util.HeaderMap;
+import io.undertow.util.HttpString;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
@@ -42,6 +44,7 @@
 public class LanguageService {
 
     private static final String PROP_PROXY_AVAILABLE_LANGUAGES = "proxy.available-languages";
+    private static final HttpString HEADER_LANGUAGE_NAME = new HttpString("X-SP-Language");
     private static final Map<String, Language> DEFAULT_AVAILABLE_LANGUAGES = Map.of(
         "en", new Language("en", "English"),
         "nl", new Language("nl", "Dutch"),
@@ -112,4 +115,11 @@ public record Language(String key, String displayName) {
 
     }
 
+    public static HeaderMap addHeaders() {
+        HeaderMap result = new HeaderMap();
+        String language = LocaleContextHolder.getLocale().getLanguage();
+        result.add(HEADER_LANGUAGE_NAME, language);
+        return result;
+    }
+
 }

From 503fa36ebbefce7f5e8ecdd9e43756ab0212b311 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 20 Jan 2026 11:00:48 +0100
Subject: [PATCH 19/27] Fix #35505: send lang as env var

---
 .../runtime/runtimevalues/LanguageKey.java    | 49 +++++++++++++++++++
 .../RuntimeValueKeyRegistry.java              |  1 +
 .../containerproxy/service/ProxyService.java  |  3 ++
 3 files changed, 53 insertions(+)
 create mode 100644 src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/LanguageKey.java

diff --git a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/LanguageKey.java b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/LanguageKey.java
new file mode 100644
index 00000000..9f5b3696
--- /dev/null
+++ b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/LanguageKey.java
@@ -0,0 +1,49 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2026 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.model.runtime.runtimevalues;
+
+public class LanguageKey extends RuntimeValueKey<String> {
+
+    public static final LanguageKey inst = new LanguageKey();
+
+    private LanguageKey() {
+        super("openanalytics.eu/sp-language",
+            "SHINYPROXY_LANGUAGE",
+            false,
+            true,
+            true,
+            false, // no need to expose in API
+            true,
+            false,
+            String.class);
+    }
+
+    @Override
+    public String deserializeFromString(String value) {
+        return value;
+    }
+
+    @Override
+    public String serializeToString(String value) {
+        return value;
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java
index 43e18fb2..b4519dc7 100644
--- a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java
+++ b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java
@@ -53,6 +53,7 @@ public class RuntimeValueKeyRegistry {
         addRuntimeValueKey(HttpHeadersKey.inst);
         addRuntimeValueKey(TargetIdKey.inst);
         addRuntimeValueKey(CacheHeadersModeKey.inst);
+        addRuntimeValueKey(LanguageKey.inst);
     }
 
     public static void addRuntimeValueKey(RuntimeValueKey<?> key) {
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java b/src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java
index 3d630704..d5e0956e 100644
--- a/src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java
+++ b/src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java
@@ -37,6 +37,7 @@
 import eu.openanalytics.containerproxy.model.runtime.ProxyStartupLog;
 import eu.openanalytics.containerproxy.model.runtime.ProxyStatus;
 import eu.openanalytics.containerproxy.model.runtime.ProxyStopReason;
+import eu.openanalytics.containerproxy.model.runtime.runtimevalues.LanguageKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValue;
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
@@ -49,6 +50,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Lazy;
+import org.springframework.context.i18n.LocaleContextHolder;
 import org.springframework.core.env.Environment;
 import org.springframework.data.util.Pair;
 import org.springframework.security.access.AccessDeniedException;
@@ -318,6 +320,7 @@ public Command startProxy(Authentication user, ProxySpec spec, List<RuntimeValue
             if (runtimeValues != null) {
                 proxyBuilder.addRuntimeValues(runtimeValues);
             }
+            proxyBuilder.addRuntimeValue(new RuntimeValue(LanguageKey.inst, LocaleContextHolder.getLocale().getLanguage()), true);
 
             Proxy currentProxy = runtimeValueService.processParameters(user, spec, parameters, proxyBuilder.build());
             proxyStore.addProxy(currentProxy);

From 8c901e3f2c3abe67f848d23b83212ebb3abff079 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 20 Jan 2026 15:14:55 +0100
Subject: [PATCH 20/27] Fix #35506: allow to override lang strings

---
 .../ContainerProxyApplication.java            |  6 --
 .../util/CustomMessageSource.java             | 92 +++++++++++++++----
 2 files changed, 72 insertions(+), 26 deletions(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index 6d1069ef..a01de97d 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -212,12 +212,6 @@ public static Properties getDefaultProperties() {
         properties.put("springdoc.api-docs.enabled", false);
         properties.put("springdoc.swagger-ui.enabled", false);
 
-        // Internationalization
-        // ====================
-        properties.put("spring.messages.basename", "messages,cp_messages");
-        // use MessageFormat for all messages: single quotes must be escaped in every message
-        properties.put("spring.messages.always-use-message-format", "true");
-
         return properties;
     }
 
diff --git a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
index f9e1bbe1..597309ce 100644
--- a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
+++ b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
@@ -20,42 +20,94 @@
  */
 package eu.openanalytics.containerproxy.util;
 
-import org.springframework.boot.autoconfigure.context.MessageSourceAutoConfiguration;
-import org.springframework.boot.autoconfigure.context.MessageSourceProperties;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.context.MessageSource;
-import org.springframework.context.MessageSourceResolvable;
-import org.springframework.context.NoSuchMessageException;
+import eu.openanalytics.containerproxy.service.LanguageService;
+import org.apache.commons.lang3.StringUtils;
+import org.jspecify.annotations.Nullable;
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.bind.Binder;
+import org.springframework.context.support.AbstractMessageSource;
+import org.springframework.context.support.ResourceBundleMessageSource;
+import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
-import org.thymeleaf.util.StringUtils;
 
 import javax.annotation.Nonnull;
+import java.text.MessageFormat;
+import java.util.HashMap;
 import java.util.Locale;
+import java.util.Map;
+import java.util.ResourceBundle;
+import java.util.stream.Collectors;
 
 @Component("messageSource")
-@EnableConfigurationProperties(MessageSourceProperties.class)
-public class CustomMessageSource implements MessageSource {
+public class CustomMessageSource extends AbstractMessageSource {
 
-    private MessageSource delegate;
+    private static final String PROP_PROXY_TRANSLATION_OVERRIDES = "proxy.translation-overrides";
+    private final Map<String, Map<String, String>> translationOverrides = new HashMap<>();
+    private final Map<String, Map<String, MessageFormat>> translationOverridesMessageFormat = new HashMap<>();
 
-    public CustomMessageSource(MessageSourceProperties properties) {
-        MessageSourceAutoConfiguration autoConfiguration = new MessageSourceAutoConfiguration();
-        this.delegate = autoConfiguration.messageSource(properties);
+    public CustomMessageSource(Environment environment, LanguageService languageService) {
+        ResourceBundleMessageSource parentMessageSource = new CapitalizedMessageSource();
+        parentMessageSource.setBasenames("messages", "cp_messages");
+        parentMessageSource.setAlwaysUseMessageFormat(true);
+        setParentMessageSource(parentMessageSource);
+
+        // read overridden translations from config file
+        for (String language : languageService.getEnabledLanguages().keySet()) {
+            Map<String, String> messages = getTranslationOverrides(environment, language);
+            translationOverrides.put(language, messages);
+            translationOverridesMessageFormat.put(language, convertToMessageFormat(messages, language));
+        }
     }
 
     @Override
-    public String getMessage(@Nonnull String code, Object[] args, String defaultMessage, @Nonnull Locale locale) {
-        return StringUtils.capitalize(delegate.getMessage(code, args, defaultMessage, locale));
+    protected @Nullable String resolveCodeWithoutArguments(@Nonnull String code, @Nonnull Locale locale) {
+        if (translationOverrides.containsKey(locale.getLanguage())) {
+            return translationOverrides.get(locale.getLanguage()).get(code);
+        }
+        return null;
     }
 
     @Override
-    public String getMessage(@Nonnull String code, Object[] args, @Nonnull Locale locale) throws NoSuchMessageException {
-        return StringUtils.capitalize(delegate.getMessage(code, args, locale));
+    protected @Nullable MessageFormat resolveCode(@Nonnull String code, @Nonnull Locale locale) {
+        if (translationOverrides.containsKey(locale.getLanguage())) {
+            return translationOverridesMessageFormat.get(locale.getLanguage()).get(code);
+        }
+        return null;
     }
 
-    @Override
-    public String getMessage(@Nonnull MessageSourceResolvable resolvable, @Nonnull Locale locale) throws NoSuchMessageException {
-        return StringUtils.capitalize(delegate.getMessage(resolvable, locale));
+    private Map<String, String> getTranslationOverrides(Environment environment, String language) {
+        return Binder.get(environment)
+            .bind(PROP_PROXY_TRANSLATION_OVERRIDES + "." + language, Bindable.mapOf(String.class, String.class))
+            .orElse(new HashMap<>());
+    }
+
+    private Map<String, MessageFormat> convertToMessageFormat(Map<String, String> messages, String language) {
+        Locale locale = Locale.forLanguageTag(language);
+        return messages.entrySet().stream().collect(Collectors.toMap(
+            Map.Entry::getKey,
+            e -> new MessageFormat(StringUtils.capitalize(e.getValue()), locale))
+        );
+    }
+
+    private static class CapitalizedMessageSource extends ResourceBundleMessageSource {
+
+        /**
+         * Capitalizes the first letter of each string. Because this low-level method
+         * is overridden, the strings are still properly cached.
+         *
+         * @param bundle the ResourceBundle to perform the lookup in
+         * @param key    the key to look up
+         * @return the associated value, or {@code null} if none
+         */
+        @Override
+        protected @Nullable String getStringOrNull(@Nonnull ResourceBundle bundle, @Nonnull String key) {
+            String result = super.getStringOrNull(bundle, key);
+            if (result != null) {
+                return StringUtils.capitalize(result);
+            }
+            return null;
+        }
+
     }
 
 }

From c4d18d920f5b00d0658c0d858908402501b8c861 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Mon, 26 Jan 2026 12:39:19 +0100
Subject: [PATCH 21/27] Fix return type

---
 .../eu/openanalytics/containerproxy/api/UserController.java    | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/api/UserController.java b/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
index 3967f31d..461cc566 100644
--- a/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/api/UserController.java
@@ -22,7 +22,6 @@
 
 import eu.openanalytics.containerproxy.api.dto.ApiResponse;
 import eu.openanalytics.containerproxy.api.dto.LanguageDto;
-import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.service.LanguageService;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -43,7 +42,7 @@ public UserController(LanguageService languageService) {
     }
 
     @RequestMapping(value = "/api/user/language", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
-    public ResponseEntity<ApiResponse<Proxy>> getProxy(@RequestBody LanguageDto body, HttpServletRequest request, HttpServletResponse response) {
+    public ResponseEntity<ApiResponse<Void>> updateUserLanguage(@RequestBody LanguageDto body, HttpServletRequest request, HttpServletResponse response) {
         try {
             languageService.updateLanguageOfUser(request, response, body.language());
         } catch (IllegalArgumentException e) {

From 03d19f08da535da4285649f1ed33249c20a7d4a1 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Mon, 26 Jan 2026 14:27:25 +0100
Subject: [PATCH 22/27] Fix #36178: show node name in admin panel

---
 .../backend/docker/DockerSwarmBackend.java    |  2 +
 .../backend/kubernetes/KubernetesBackend.java |  2 +
 .../runtime/runtimevalues/NodeNameKey.java    | 49 +++++++++++++++++++
 .../RuntimeValueKeyRegistry.java              |  1 +
 4 files changed, 54 insertions(+)
 create mode 100644 src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/NodeNameKey.java

diff --git a/src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java b/src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java
index cf14a2e2..b461834d 100644
--- a/src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java
+++ b/src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java
@@ -32,6 +32,7 @@
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.BackendContainerNameKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.ContainerImageKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.InstanceIdKey;
+import eu.openanalytics.containerproxy.model.runtime.runtimevalues.NodeNameKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValue;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValueKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.UserIdKey;
@@ -220,6 +221,7 @@ public Proxy startContainer(Authentication user, Container initialContainer, Con
                     .stream().findAny().orElseThrow(() -> new IllegalStateException("Swarm service has no tasks"));
                 if (serviceTask.status().containerStatus() != null && serviceTask.status().state().equals("running")) {
                     rContainerBuilder.id(serviceTask.status().containerStatus().containerId());
+                    rContainerBuilder.addRuntimeValue(new RuntimeValue(NodeNameKey.inst, serviceTask.nodeId()), false);
                     return Retrying.SUCCESS;
                 } else if (!STARTING_STATES.contains(serviceTask.status().state())) {
                     slog.warn(proxy, "Docker Swarm container failed: container not running, state reported by docker: " + toJson(serviceTask.status()));
diff --git a/src/main/java/eu/openanalytics/containerproxy/backend/kubernetes/KubernetesBackend.java b/src/main/java/eu/openanalytics/containerproxy/backend/kubernetes/KubernetesBackend.java
index c157e709..12298718 100644
--- a/src/main/java/eu/openanalytics/containerproxy/backend/kubernetes/KubernetesBackend.java
+++ b/src/main/java/eu/openanalytics/containerproxy/backend/kubernetes/KubernetesBackend.java
@@ -38,6 +38,7 @@
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.ContainerImageKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.ContainerIndexKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.InstanceIdKey;
+import eu.openanalytics.containerproxy.model.runtime.runtimevalues.NodeNameKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.ProxiedAppKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.ProxyIdKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValue;
@@ -398,6 +399,7 @@ public Proxy startContainer(Authentication user, Container initialContainer, Con
             Pod pod = kubeClient.resource(startedPod).get();
 
             parseKubernetesEvents(spec.getIndex(), pod, proxyStartupLogBuilder);
+            rContainerBuilder.addRuntimeValue(new RuntimeValue(NodeNameKey.inst, pod.getSpec().getNodeName()), false);
 
             Service service;
             Map<Integer, Integer> portBindings = new HashMap<>();
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/NodeNameKey.java b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/NodeNameKey.java
new file mode 100644
index 00000000..69f905de
--- /dev/null
+++ b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/NodeNameKey.java
@@ -0,0 +1,49 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2026 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.model.runtime.runtimevalues;
+
+public class NodeNameKey extends RuntimeValueKey<String> {
+
+    public final static NodeNameKey inst = new NodeNameKey();
+
+    private NodeNameKey() {
+        super("openanalytics.eu/sp-node-name",
+            "SHINYPROXY_NODE_NAME",
+            false,
+            false,
+            false,
+            false, // important: may not be exposed in API for security
+            false,
+            true,
+            String.class);
+    }
+
+    @Override
+    public String deserializeFromString(String value) {
+        return value;
+    }
+
+    @Override
+    public String serializeToString(String value) {
+        return value;
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java
index b4519dc7..f120c203 100644
--- a/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java
+++ b/src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/RuntimeValueKeyRegistry.java
@@ -54,6 +54,7 @@ public class RuntimeValueKeyRegistry {
         addRuntimeValueKey(TargetIdKey.inst);
         addRuntimeValueKey(CacheHeadersModeKey.inst);
         addRuntimeValueKey(LanguageKey.inst);
+        addRuntimeValueKey(NodeNameKey.inst);
     }
 
     public static void addRuntimeValueKey(RuntimeValueKey<?> key) {

From 1b925672f090e46dae3e7aa8c053a9957716d447 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 27 Jan 2026 16:03:50 +0100
Subject: [PATCH 23/27] Ref #35506: fix translation encoding

---
 .../openanalytics/containerproxy/util/CustomMessageSource.java  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
index 597309ce..f6e8d1ad 100644
--- a/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
+++ b/src/main/java/eu/openanalytics/containerproxy/util/CustomMessageSource.java
@@ -31,6 +31,7 @@
 import org.springframework.stereotype.Component;
 
 import javax.annotation.Nonnull;
+import java.nio.charset.StandardCharsets;
 import java.text.MessageFormat;
 import java.util.HashMap;
 import java.util.Locale;
@@ -49,6 +50,7 @@ public CustomMessageSource(Environment environment, LanguageService languageServ
         ResourceBundleMessageSource parentMessageSource = new CapitalizedMessageSource();
         parentMessageSource.setBasenames("messages", "cp_messages");
         parentMessageSource.setAlwaysUseMessageFormat(true);
+        parentMessageSource.setDefaultEncoding(StandardCharsets.UTF_8.name());
         setParentMessageSource(parentMessageSource);
 
         // read overridden translations from config file

From 52c62ab6fe4597c3d872531f12cd90e08a7a75b0 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 3 Mar 2026 15:42:03 +0100
Subject: [PATCH 24/27] Fix #36445: make auth-success page work independently
 of scheme

---
 .../eu/openanalytics/containerproxy/ui/AuthController.java   | 5 +++--
 src/main/resources/templates/auth-success.html               | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java b/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
index 98fcc886..8a66483a 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
@@ -84,14 +84,15 @@ public Object getLoginPage(@RequestParam Optional<String> error, ModelMap map) {
     @RequestMapping(value = AUTH_SUCCESS_URL, method = RequestMethod.GET)
     public String authSuccess(ModelMap map, HttpServletRequest request) {
         prepareMap(map);
-        map.put("url", ServletUriComponentsBuilder.fromCurrentContextPath().path("/").build().toUriString()); // default url
+        // protocol is added to the url on the client-side
+        map.put("url", ServletUriComponentsBuilder.fromCurrentContextPath().path("/").build().toUriString().replace("https://", "//").replace("http://", "//")); // default url
 
         Object redirectUrl = request.getSession().getAttribute(AUTH_SUCCESS_URL_SESSION_ATTR);
         if (redirectUrl instanceof String sRedirectUrl) {
             request.getSession().removeAttribute(AUTH_SUCCESS_URL_SESSION_ATTR);
             // sanity check: does the redirect url start with the url of this current request
             if (sRedirectUrl.startsWith(ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString())) {
-                map.put("url", redirectUrl);
+                map.put("url", sRedirectUrl.replace("https://", "//").replace("http://", "//"));
             }
         }
         return "auth-success";
diff --git a/src/main/resources/templates/auth-success.html b/src/main/resources/templates/auth-success.html
index 4b131f90..6301b94d 100644
--- a/src/main/resources/templates/auth-success.html
+++ b/src/main/resources/templates/auth-success.html
@@ -30,8 +30,9 @@
         <script th:inline="javascript" type="text/javascript">
             history.forward();
             history.pushState({}, "", new URL(location));
-            history.pushState({}, "", new URL([[${url}]]));
-            window.location.href = [[${url}]];
+            const fullUrl = location.protocol + [[${url}]];
+            history.pushState({}, "", new URL(fullUrl));
+            window.location.href = fullUrl;
         </script>
         <script>
             console.log("This page should redirect you to the main ShinyProxy page after authentication.");

From a8c29fef13521787607e88cc4bdbc74936889d97 Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Tue, 10 Mar 2026 08:25:46 +0000
Subject: [PATCH 25/27] Fix #36461: allow to force redirects to use https (!78)

Reviewed-on: https://scm.openanalytics.eu/git/containerproxy/pulls/78
---
 .../containerproxy/ContainerProxyApplication.java   | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
index a01de97d..143f3fa0 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java
@@ -65,7 +65,6 @@
 import org.springframework.web.filter.FormContentFilter;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.i18n.CookieLocaleResolver;
-import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
@@ -80,7 +79,6 @@
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Locale;
 import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.Executor;
@@ -103,6 +101,8 @@ public class ContainerProxyApplication {
     private static final String SAME_SITE_COOKIE_DEFAULT_VALUE = "Lax";
     private static final String PROP_SERVER_SECURE_COOKIES = "server.secure-cookies";
     private static final Boolean SECURE_COOKIES_DEFAULT_VALUE = false;
+    private static final String PROP_FORCE_HTTPS_IN_REDIRECTS = "proxy.force-https-in-redirects";
+    private static final Boolean FORCE_HTTPS_IN_REDIRECTS_DEFAULT_VALUE = false;
     private static final Path TERMINATION_LOG_FILE = Path.of("/dev/termination-log");
     private static Boolean logAsJson = false;
     public static Boolean secureCookiesEnabled;
@@ -336,6 +336,15 @@ public UndertowServletWebServerFactory servletContainer() {
                 info.setSessionManagerFactory(sessionManagerFactory);
             }
             info.setResourceManager(EMPTY_RESOURCE_MANAGER);
+            if (environment.getProperty(PROP_FORCE_HTTPS_IN_REDIRECTS, Boolean.class, FORCE_HTTPS_IN_REDIRECTS_DEFAULT_VALUE)) {
+                log.debug("Enforcing redirects to always use https.");
+                info.addInitialHandlerChainWrapper(handler ->
+                    exchange -> {
+                        exchange.setRequestScheme("https");
+                        handler.handleRequest(exchange);
+                    }
+                );
+            }
         });
         try {
             factory.setAddress(InetAddress.getByName(environment.getProperty("proxy.bind-address", "0.0.0.0")));

From 71292e88fb4098952714a10c5010fe77f46b21ed Mon Sep 17 00:00:00 2001
From: Tobia De Koninck <tobia.dekoninck@openanalytics.eu>
Date: Fri, 3 Apr 2026 11:48:58 +0200
Subject: [PATCH 26/27] Fix #36577: add API endpoint to get current user

---
 .../security/WebSecurityConfig.java           |  1 +
 .../containerproxy/ui/AuthController.java     | 30 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java b/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java
index 71b389d9..5c624244 100644
--- a/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java
+++ b/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java
@@ -213,6 +213,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
             .permitAll()
             .requestMatchers(
                 new MvcRequestMatcher(handlerMappingIntrospector, "/login"),
+                new MvcRequestMatcher(handlerMappingIntrospector, "/user/me"),
                 new MvcRequestMatcher(handlerMappingIntrospector, "/signin/**"),
                 new MvcRequestMatcher(handlerMappingIntrospector, "/auth-error"),
                 new MvcRequestMatcher(handlerMappingIntrospector, "/error"),
diff --git a/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java b/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
index 8a66483a..f9dd91df 100644
--- a/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
+++ b/src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java
@@ -21,6 +21,7 @@
 package eu.openanalytics.containerproxy.ui;
 
 import eu.openanalytics.containerproxy.api.BaseController;
+import eu.openanalytics.containerproxy.api.dto.ApiResponse;
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
@@ -30,16 +31,24 @@
 import org.springframework.context.MessageSource;
 import org.springframework.context.i18n.LocaleContextHolder;
 import org.springframework.core.env.Environment;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 import org.springframework.web.servlet.view.RedirectView;
 
 import javax.inject.Inject;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Optional;
 
 @Controller
@@ -68,7 +77,7 @@ public Object getLoginPage(@RequestParam Optional<String> error, ModelMap map) {
             if (error.get().equals("expired")) {
                 map.put("error", messageSource.getMessage("auth.simple.expired_error", null, locale));
             } else {
-                map.put("error",  messageSource.getMessage("auth.simple.credentials_error", null, locale));
+                map.put("error", messageSource.getMessage("auth.simple.credentials_error", null, locale));
             }
         }
 
@@ -119,4 +128,23 @@ public String getLogoutSuccessPage(ModelMap map) {
         return "logout-success";
     }
 
+
+    @ResponseBody
+    @GetMapping(value = "/user/me", produces = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<ApiResponse<Map<String, Object>>> getUserMetadata() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        boolean isLoggedIn = authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated();
+        if (!isLoggedIn) {
+            return ApiResponse.success(
+                Map.of("authenticated", false)
+            );
+        }
+        return ApiResponse.success(
+            Map.of(
+                "authenticated", true,
+                "username", authentication.getName()
+            )
+        );
+    }
+
 }

From e3c92aad0ba49afd03b5d61310b4986290978037 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 6 May 2026 15:38:43 +0000
Subject: [PATCH 27/27] Bump org.postgresql:postgresql from 42.7.8 to 42.7.11

Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.8 to 42.7.11.
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pgjdbc/pgjdbc/compare/REL42.7.8...REL42.7.11)

---
updated-dependencies:
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index af354ea5..7b615440 100644
--- a/pom.xml
+++ b/pom.xml
@@ -34,7 +34,7 @@
         <docker-client.version>7.0.8-OA-5</docker-client.version>
         <javax-annotation-api.version>1.3.2</javax-annotation-api.version>
         <monetdb-jdbc.version>12.0</monetdb-jdbc.version>
-        <postgresql.version>42.7.8</postgresql.version>
+        <postgresql.version>42.7.11</postgresql.version>
         <fabric8-client.version>7.6.1</fabric8-client.version>
         <jquery.version>3.7.1</jquery.version>
         <fontawesome.version>4.7.0</fontawesome.version>