feat: register OAuth authorize and token routes

Add POST /api/v1/oauth/authorize (authenticated) and
POST /api/v1/oauth/token (unauthenticated) routes.
This commit is contained in:
kolaente 2026-03-26 16:32:16 +01:00 committed by kolaente
parent 7827ff64b9
commit e5987acf80
1 changed files with 9 additions and 0 deletions

View File

@ -61,6 +61,7 @@ import (
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/log"
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/modules/auth/oauth2server"
"code.vikunja.io/api/pkg/modules/auth/openid"
"code.vikunja.io/api/pkg/modules/background"
backgroundHandler "code.vikunja.io/api/pkg/modules/background/handler"
@ -306,6 +307,7 @@ var unauthenticatedAPIPaths = map[string]bool{
"/api/v1/docs.json": true,
"/api/v1/docs": true,
"/api/v1/metrics": true,
"/api/v1/oauth/token": true,
}
// collectRoutesForAPITokens collects all routes for API token permission checking.
@ -379,6 +381,10 @@ func registerAPIRoutes(a *echo.Group) {
ur.POST("/auth/openid/:provider/callback", openid.HandleCallback)
}
// OAuth 2.0 token endpoint — unauthenticated because it validates
// credentials (authorization code or refresh token) itself.
ur.POST("/oauth/token", oauth2server.HandleToken)
// Testing
if config.ServiceTestingtoken.GetString() != "" {
n.PATCH("/test/:table", apiv1.HandleTesting)
@ -405,6 +411,9 @@ func registerAPIRoutes(a *echo.Group) {
a.POST("/token/test", apiv1.CheckToken)
a.GET("/routes", models.GetAvailableAPIRoutesForToken)
// OAuth 2.0 authorize endpoint — requires authentication.
a.POST("/oauth/authorize", oauth2server.HandleAuthorize)
// Avatar endpoint
a.GET("/avatar/:username", apiv1.GetAvatar)