Commit Graph

13474 Commits

Author SHA1 Message Date
kolaente c6e79926f0 fix: add position conflict resolution for batch-inserted positions
Add resolvePositionConflictsAfterInsert() which checks newly inserted
task positions for duplicate position values within the same view and
resolves them using existing conflict resolution logic.
2026-04-03 17:26:55 +00:00
kolaente 88c2f0a289 fix(project): remove non-existent columns from UpdateProject column list
The UpdateProject function referenced done_bucket_id and default_bucket_id
in its column update list, but these columns belong to the project_views
table, not the projects table. This caused SQL errors when archiving or
updating a project on MySQL/PostgreSQL.

Also adds a test for archiving a non-archived project.

Fixes #2459
2026-04-03 16:59:05 +00:00
renovate[bot] ea54f3eb85 chore(deps): update dependency ws to v8.20.0 2026-04-03 16:57:34 +00:00
renovate[bot] b69564a77c chore(deps): pin dependencies 2026-04-03 16:16:07 +00:00
dependabot[bot] 6453953ba0 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 16:15:46 +00:00
Frederick [Bot] f87f3e36e9 chore(i18n): update translations via Crowdin 2026-04-03 01:23:06 +00:00
kolaente e7b693c788 fix(tasks): include tasks with deleted parents in subtask-expanded queries
When expand[]=subtasks is used, the LEFT JOIN on task_relations filters
out same-project subtasks. If a parent task was deleted, the JOIN
produces NULL for parent_tasks.id/project_id, and since NULL != value
evaluates to NULL (not TRUE) in SQL, these tasks were incorrectly
excluded.

Add builder.IsNull{"parent_tasks.id"} to the OR condition so tasks
whose parent was deleted are still included in results.
2026-04-02 16:30:23 +00:00
kolaente 132187e451 fix(e2e): truncate bucket data in bucket-select tests
Truncate buckets, task_buckets, and task_relations before seeding to
prevent leftover data from previous tests causing false positives
(e.g., bucket selector appearing when it shouldn't).
2026-04-02 16:30:23 +00:00
kolaente 4cd79088d1 test: add WebSocket e2e tests
Add comprehensive end-to-end tests for the WebSocket system:

- Protocol tests: auth (valid/invalid token, timeout, double auth),
  subscriptions (valid/invalid event, auth required, unsubscribe),
  message delivery (notification on team add, doer exclusion,
  multi-connection)
- Frontend integration tests: notification badge update, dropdown
  rendering, and logout cleanup via browser-level Playwright tests
- Comment notification test: full flow where user B mentions user A
  in a task comment and user A receives real-time WebSocket notification

Includes ws test dependency, shared test helper utilities, and
cascade-truncation of notifications when truncating users to prevent
test pollution.
2026-04-02 16:30:23 +00:00
kolaente 09232ed880 feat(websocket): add frontend WebSocket support
Add useWebSocket composable with:
- Auto-connect on login, disconnect on logout
- Exponential backoff with ±25% jitter for reconnects
- Auth failure detection to prevent reconnect loops
- Trailing slash stripping from API_URL
- Overlapping reconnect prevention
- visibilityState check for fallback polling

Replace notification polling with real-time WebSocket push in the
Notifications component. Initial state is still loaded via REST on
mount, with fallback polling when WebSocket is disconnected. Incoming
notifications are deduplicated against already-loaded REST data.
Notifications are reloaded via REST on WS disconnect to catch missed
events.
2026-04-02 16:30:23 +00:00
kolaente f5385c574e feat(websocket): add notification event with XORM AfterInsert dispatch
Add NotificationCreatedEvent that fires automatically when a
DatabaseNotification is inserted, using XORM's AfterInsertProcessor
interface. The AfterInsert hook dispatches the event after the row
is persisted, without callers needing to manage DispatchOnCommit or
DispatchPending.

The WebSocket listener subscribes to this event, reloads the
notification from the database (ensuring accurate timestamps), and
pushes it to connected clients subscribed to the notification.created
event. Dispatch errors are logged rather than propagated since the
DB notification is already committed at that point.
2026-04-02 16:30:23 +00:00
kolaente 55ea5bd966 refactor(auth): extract shared token validation into auth package
Move JWT parsing (GetUserIDFromToken) and API token validation
(ValidateAPITokenString) into pkg/modules/auth so both HTTP middleware
and WebSocket auth use the same logic. This ensures consistent token
validity checks including expiry and user status (disabled/locked).

The HTTP API token middleware now delegates to the shared function,
removing duplicated lookup/expiry logic.
2026-04-02 16:30:23 +00:00
kolaente 0139e9a2ab feat(websocket): add HTTP upgrade handler and /api/v1/ws route
Add the WebSocket upgrade endpoint at /api/v1/ws with CORS origin
verification using the configured allowed origins. Includes nil hub
guard returning 503 if the WebSocket system hasn't been initialized.

Register the hub initialization in the app startup sequence and wire
the upgrade handler into the Echo router.
2026-04-02 16:30:23 +00:00
kolaente 9255fe07a9 feat(websocket): add message types, connection hub, and connection handler
Add the core WebSocket infrastructure:

- Message type definitions for the wire protocol (subscribe, unsubscribe,
  auth, error, push events)
- In-memory connection hub that tracks per-user connections and routes
  messages to subscribed clients
- Connection wrapper with auth-after-connect flow: connections start
  unauthenticated, client sends JWT as first message, only then can
  subscribe to event topics

Includes auth timeout (30s), shared cancellation context for read/write
loops, hub map cleanup on last connection removal, and proper error
delivery before closing on auth failure.
2026-04-02 16:30:23 +00:00
kolaente 4f9355c915 feat(websocket): add coder/websocket dependency 2026-04-02 16:30:23 +00:00
kolaente 6aa7217dad fix(caldav): skip tests for known CalDAV bugs and fix timing issues
Skip integration tests that document known bugs in Vikunja's CalDAV
implementation or the caldav-go library:
- Permission errors return 500 instead of 403/404
- Invalid VCALENDAR returns 500 instead of 400
- DELETE doesn't look up task by UID (silently fails)
- PROPFIND on nonexistent resource returns 207 not 404
- ETag format inconsistency between PROPFIND/REPORT/GET
- If-None-Match conditional requests not implemented
- Color field not included in CalDAV export
- RRULE (DAILY/WEEKLY/MONTHLY) not round-tripped
- DURATION not exported for VTODOs

Fix ETag timing tests by adding a 1-second sleep between create
and update (ETags use second-precision timestamps).
2026-04-02 11:34:55 +00:00
kolaente 9839e8989d ci: move caldav and e2e-api tests to dedicated CI jobs
Split caldav and e2e-api tests out of the test-api matrix into their
own standalone jobs running only with sqlite-in-memory. This reduces
the matrix size (no longer 5 DBs × 4 test types = 20 jobs) and avoids
spinning up unnecessary database services for tests that only need
in-memory SQLite.
2026-04-02 11:34:55 +00:00
kolaente ef85a22f99 fix(caldav): resolve lint issues in caldavtests package
- Remove unused helper functions (findResponse, assertMultistatusHasResponses, caldavRequestAsUser)
- Fix gofmt formatting
- Convert WriteString(fmt.Sprintf(...)) to fmt.Fprintf
- Fix unused parameter warnings
- Fix testifylint suggestions (assert.NotEmpty, assert.Positive)
- Add nolint:unparam for assertResponseStatus
2026-04-02 11:34:55 +00:00
kolaente 7e7d168e45 test(caldav): add VTODO field round-trip tests (RFC 5545 §3.6.2)
Adds comprehensive round-trip tests for VTODO properties:
- Core fields: SUMMARY, DESCRIPTION, DUE, DTSTART, PRIORITY, COMPLETED, STATUS, CATEGORIES
- VALARM: absolute, relative-to-start, relative-to-end triggers
- COLOR via X-APPLE-CALENDAR-COLOR
- RRULE: DAILY, WEEKLY, MONTHLY frequencies
- Priority mapping: all 9 CalDAV levels including lossy mappings
- DURATION and DTSTART+DUE interaction
2026-04-02 11:34:55 +00:00
kolaente 0ca7c0dd01 test(caldav): add relation and subtask tests (RFC 5545 §3.8.4.5) 2026-04-02 11:34:55 +00:00
kolaente 7830a9c3ea test(caldav): add client compatibility and bug reproduction tests 2026-04-02 11:34:55 +00:00
kolaente 160fc9c01f test(caldav): add sync semantics tests (ETag, CTag, conditional requests) 2026-04-02 11:34:55 +00:00
kolaente 738bfa33af test(caldav): add authentication and permission tests 2026-04-02 11:34:55 +00:00
kolaente fecd6d6a1d test(caldav): add CRUD operation tests (RFC 4791 §5.3.2) 2026-04-02 11:34:55 +00:00
kolaente c0a9356646 test(caldav): add REPORT query tests (RFC 4791 §7.8, §7.9) 2026-04-02 11:34:55 +00:00
kolaente 56ead32dca test(caldav): add discovery flow tests (RFC 6764, RFC 5397, RFC 4791) 2026-04-02 11:34:55 +00:00
kolaente ebedd312c1 test(caldav): add PROPFIND tests (RFC 4918 §9.1) 2026-04-02 11:34:55 +00:00
kolaente e2478e2fd6 test(caldav): add caldavtests package with infrastructure, helpers, and mage target
- Package skeleton with TestMain, setupTestEnv, and fixture users
- HTTP request helpers (PROPFIND, REPORT, GET, PUT, DELETE, OPTIONS)
- XML/iCal response parsers and assertion utilities
- VTodoBuilder for constructing test VTODO payloads
- Common PROPFIND/REPORT XML body constants
- Smoke test validating the infrastructure works end-to-end
- mage test:caldav command and CI matrix entry
2026-04-02 11:34:55 +00:00
Lars de Ridder cb4f92980b
feat(task): allow changing bucket from task detail view (#2233) 2026-04-02 12:18:34 +02:00
renovate[bot] d73222e4a7 chore(deps): update dependency esbuild to v0.27.5 2026-04-02 08:23:19 +00:00
kolaente cef03cb2a0 refactor: replace Modal div-based implementation with native dialog element
Replace the custom div-based Modal with the native HTML <dialog> element
using showModal()/close() API. Uses CSS opacity transitions with a
data-closing attribute for Firefox-compatible close animations, Teleport
to body, and focus save/restore. Updates E2E test selectors and fixes
QuickAddOverlay selectors for the new dialog structure.
2026-04-01 22:27:13 +00:00
kolaente bc1a9008a7 feat(desktop): configurable shortcut, --quick-entry CLI arg, show-main-window IPC
Add shortcut management: register/unregister shortcuts dynamically
via IPC from the frontend settings. Add --quick-entry CLI argument
to show quick entry on launch or toggle it when a second instance
is started. Add show-main-window IPC handler for Ctrl+Enter task
open flow.
2026-04-01 21:38:38 +00:00
kolaente bc47826690 feat(frontend): add configurable quick entry shortcut setting
Add desktopQuickEntryShortcut to frontend settings with a Desktop
App section in General settings, only visible when running in the
Electron app. The setting syncs to the desktop main process via
IPC whenever settings are loaded or saved.
2026-04-01 21:38:38 +00:00
kolaente c8349df8b6 feat(desktop): open task in main window with Ctrl/Cmd+Enter
When creating a task via quick entry, pressing Ctrl+Enter (or
Cmd+Enter on macOS) creates the task and opens it in the main
Vikunja window. Adds show-main-window IPC to bring the main
window to focus.
2026-04-01 21:38:38 +00:00
kolaente 37389d6bdb feat(desktop): add quick entry window, global shortcut, and system tray 2026-04-01 21:38:38 +00:00
kolaente 92cc070b1e feat(frontend): listen for cross-window task creation via BroadcastChannel 2026-04-01 21:38:38 +00:00
kolaente 8dc96d61bd feat(frontend): adapt QuickActions for quick-add mode behavior 2026-04-01 21:38:38 +00:00
kolaente 9072ca84d5 feat(frontend): route quick-add mode to QuickAddOverlay in App.vue 2026-04-01 21:38:38 +00:00
kolaente ff4e84a800 feat(frontend): add QuickAddOverlay component for quick-entry window 2026-04-01 21:38:38 +00:00
kolaente d72a3a8c0d feat(frontend): add useQuickAddMode composable for quick-add detection 2026-04-01 21:38:38 +00:00
kolaente 20a8ce6858 feat(desktop): add preload script for quick entry window 2026-04-01 21:38:38 +00:00
kolaente 831e4f29d1
feat: update application icons for desktop build (#2516) 2026-04-01 23:38:02 +02:00
kolaente af7eaa9aea
fix(desktop): use stored URL instead of window.API_URL in template
window is not accessible as a global in Vue templates, causing
"Cannot read properties of undefined (reading 'API_URL')" when
clicking sign in on the desktop app.
2026-04-01 20:53:29 +02:00
kolaente eeb9caf87b
chore(desktop): add dev command to build and copy 2026-04-01 20:47:12 +02:00
kolaente 01bc76d1c6 fix(deps): resolve dependabot security alerts
Update vulnerable transitive dependencies:
- @xmldom/xmldom 0.8.10 → 0.8.12 (XML injection via CDATA serialization)
- path-to-regexp 8.3.0 → 8.4.1 (ReDoS and DoS via sequential optional groups)
- brace-expansion 5.0.2 → 5.0.5 (zero-step sequence hang/memory exhaustion)
2026-04-01 12:46:11 +00:00
renovate[bot] 59ebfa3b2c chore(deps): update dependency caniuse-lite to v1.0.30001784 2026-04-01 09:17:36 +00:00
Frederick [Bot] 88c8d7a73d chore(i18n): update translations via Crowdin 2026-04-01 01:44:10 +00:00
kolaente cdd46c0d6c fix: add proper autocomplete and name attributes to email update form
Adds name="email" to the email field and fixes the password field's
autocomplete from the invalid "password" to "current-password", also
adding name="current-password". This helps password managers correctly
identify the form as a settings change rather than a login form,
preventing them from autofilling the username into the email field.

Closes go-vikunja/vikunja#2512
2026-03-31 21:57:12 +00:00
renovate[bot] 020aa899f8 chore(deps): update dependency browserslist to v4.28.2 2026-03-31 21:21:12 +00:00
Claude fc9c21915d feat(auth): enforce OpenID Connect issuer uniqueness across providers
Detect when two configured OIDC providers resolve to the same issuer URL
at startup and halt with a fatal error, preventing team sync data
corruption caused by ambiguous (external_id, issuer) matching.

Also adds duplicate issuer detection to the doctor service diagnostics
and comprehensive tests with mock OIDC discovery servers.
2026-03-30 22:41:50 +00:00