- Fix circular cache dependency in TrustHosts where handle() checked cache
before hosts() could populate it, causing host validation to never activate
- Validate both Host and X-Forwarded-Host headers against trusted hosts list
(X-Forwarded-Host is checked before TrustProxies applies it to the request)
- Use base_url() instead of url() for password reset link generation so the
URL is derived from server-side config (FQDN / public IP) instead of the
request context
- Strip port from X-Forwarded-Host before matching (e.g. host:443 → host)
- Add tests for host validation, cache population, and reset URL generation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- fix(email): transactional emails are all not sent if `Use system wide (transactional) email settings` is disabled and no other email provide is setup on the Notifications page
- fix(email): no emails are sent if SMTP username and SMTP password are empty (which is the case in dev for example)
- fix(email): Wrong test email notification is used, causing the transactional email test notification to fail if no email provider is set up on the Notifications page.
- Replace `! $type` checks with `blank($type)` for consistency
- Modify email settings configuration to handle null/disabled states
- Ensure proper fallback and configuration of email providers
