Commit Graph

206 Commits

Author SHA1 Message Date
kolaente 6ed684d708 fix(events): dispatch pending events in migration and export handlers
Refs #2315
2026-03-03 12:46:34 +01:00
kolaente 51f789bf5c fix(e2e): drain event handlers and stop browser between tests
Async event handlers (via Watermill) from the previous test can hold
SQLite connections, starving the next test's fixture setup PATCH request.

Three changes fix this:

1. Track in-flight event handler goroutines with a WaitGroup.
2. Call WaitForPendingHandlers() in the test endpoint before
   truncating/inserting data.
3. Navigate the browser to about:blank in fixture teardown to stop
   notification polling and other frontend requests between tests.
2026-03-03 10:41:19 +01:00
kolaente 89c17d3b23 feat(api): enforce password validation on reset and update flows
Add bcrypt_password validation to password reset and update endpoints:
- Add validation tag to PasswordReset.NewPassword struct field
- Add validation tag to UserPassword.NewPassword struct field
- Add c.Validate() calls in both handlers
- Fix off-by-one error in bcrypt_password validator (use <= 72 not < 72)

Password requirements: min 8 chars, max 72 bytes (bcrypt limit)
2026-02-25 13:44:56 +01:00
kolaente f3ac0574c0 fix(auth): use checked type assertions for all JWT claims 2026-02-25 13:01:00 +01:00
kolaente 329c07f24b fix(attachments): use mime.FormatMediaType for Content-Disposition header 2026-02-25 13:01:00 +01:00
kolaente 2f680d041c fix: address review comments on session lifecycle
- user_export.go: Remove defer s.Close() from checkExportRequest since
  it returns the session to callers. Callers now own the session
  lifecycle with their own defer s.Close(). Close session on all error
  paths within checkExportRequest.

- user_delete.go: Close the read session immediately after Find() before
  the per-user deletion loop, avoiding a long-lived transaction holding
  locks unnecessarily.

- user/delete.go: Remove double s.Close() in notifyUsersScheduledForDeletion
  by closing immediately after Find() instead of using both defer and
  explicit close.

- caldav_token.go: Return nil token on Commit() error to prevent callers
  from using an unpersisted token.
2026-02-25 11:03:02 +01:00
kolaente a6e6f252db refactor: remove redundant Begin() calls after NewSession auto-begins
Since NewSession() now auto-begins a transaction, explicit Begin()
calls are redundant (xorm's Begin() is a no-op when already in a
transaction). Removing them reduces confusion.

Special case: user_delete.go's loop previously called Begin/Commit
per user on a shared session. Restructured to create a new session
per user deletion so each gets its own transaction.
2026-02-25 11:03:02 +01:00
kolaente c9c250fb1c fix: add missing Commit() to write callers
After NewSession() auto-begins a transaction, callers that perform
writes must explicitly call Commit() for changes to persist. Without
this, writes are silently rolled back when Close() is called.

Affected callers:
- user deletion notification cron
- caldav token generation/deletion
- token cleanup cron
- mark-all-notifications-read endpoint
- saved filter view cron
- project background delete
- typesense reindex
- export cleanup cron
- task last-updated listener
- saved filter view listener
- SSO team cleanup cron
- migration status start/finish
- background set/remove handlers
- orphaned task position cleanup
- file creation
2026-02-25 11:03:02 +01:00
kolaente 8ee069a2a3 feat: add session-based auth with refresh token rotation
- Login creates a server-side session and sets an HttpOnly refresh
  token cookie alongside the short-lived JWT
- POST /user/token/refresh exchanges the cookie for a new JWT and
  rotates the refresh token atomically
- POST /user/logout destroys the session and clears the cookie
- POST /user/token restricted to link share tokens only
- Session list (GET) and delete (DELETE) routes for /user/sessions
- All user sessions invalidated on password change and reset
- CORS configured to allow credentials for cross-origin cookies
- JWT 401 responses use structured error code 11 for client detection
- Refresh token cookie name constants annotated for gosec G101
2026-02-25 10:30:25 +01:00
kolaente 1ccc8dce3a
fix: load file content before generating attachment preview
LoadFileByID() was called after the preview branch, so GetPreview()
received a nil io.Reader causing a panic in image.Decode.
2026-02-22 09:28:25 +01:00
kolaente d222d4502a fix: escape attachment download filename 2026-02-22 00:00:11 +01:00
kolaente c6370bb739 fix: fall back to application/octet-stream when the file has no mime type stored 2026-02-22 00:00:11 +01:00
kolaente 4915f535d0 fix: add Content-Disposition attachment header to task attachment downloads
Set Content-Disposition to "attachment" instead of "inline" so browsers
trigger a file download with the correct filename. Also move shared
response headers (Content-Type, Content-Length, Last-Modified) out of
the S3-specific branch so they apply to both storage backends.
2026-02-22 00:00:11 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
kolaente 39b4568bc5
refactor: centralize HTTP error handling (#2062)
This changes the error handling to a centralized HTTP error handler in `pkg/routes/error_handler.go` that converts all error types to proper HTTP responses. This simplifies the overall error handling because http handler now only need to return the error instead of calling HandleHTTPError as previously.
It also removes the duplication between handling errors with and without Sentry.

🐰 Hop along, dear errors, no more wrapping today!
We've centralized handlers in a shiny new way,
From scattered to unified, the code flows so clean,
ValidationHTTPError marshals JSON supreme!
Direct propagation hops forward with glee,
A refactor so grand—what a sight to see! 🎉
2026-01-08 10:02:59 +00:00
kolaente fb7764d9f1
feat: format user mentions with display names in email notifications (#1930)
Email notifications now display user mentions with inline avatar images for improved visual recognition and easier identification. Mentions gracefully fall back to display names if avatars are unavailable.
2025-12-10 12:39:05 +01:00
kolaente 51512c1cb4
feat: migrate cypress e2e tests to playwright (#1739) 2025-11-27 16:34:48 +01:00
Weijie Zhao bc1368abcc
feat: add S3 file storage support (#1688) 2025-11-06 08:37:04 +01:00
kolaente 1b5a9dbdea refactor: use helper function to check user local 2025-09-04 18:09:21 +02:00
kolaente b8afdcf62d fix(user): do not reject 2fa for local users
https://github.com/go-vikunja/vikunja/issues/1402
2025-09-04 18:09:21 +02:00
kolaente bd74733632
fix: show pagination controls for task comments (#1413)
Resolves https://community.vikunja.io/t/task-comment-pagination-in-1-0-0-rc1/3988
2025-09-04 16:04:05 +00:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
Copilot 7762d7746e
fix: make user data export download return 404 for nonexistent files (#1227) 2025-08-03 20:36:15 +00:00
kolaente ebaf4a0aa0 feat(settings): show extra settings links on user settings page 2025-08-03 13:25:32 +02:00
kolaente 4042f66efa
feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
kolaente fcdcdcf46a feat: use keyvalue.Remember where it makes sense 2025-07-17 16:19:13 +02:00
Dominik Pschenitschni efff6955c5
fix: remove fmt output in token check 2025-07-03 17:09:41 +02:00
Dominik Pschenitschni 9efdde8f1a
docs: delete caldav token uses DELETE instead of GET 2025-07-03 17:06:20 +02:00
kolaente 3b05f7859f
fix(users): refresh initials avatar refresh after name change (#1047) 2025-06-30 16:20:54 +00:00
kolaente 99bc065272
feat(user): use name for initals avatar, not username
For external auth providers, the username might be randomly generated,
which results in a random initial - this is unexpected and confusing for
users.
2025-06-27 14:13:49 +02:00
kolaente 0ecbd9e1a3
feat(user): add avatar cache flushing (#1041) 2025-06-27 14:01:43 +02:00
Weijie Zhao a214d68a44
feat(auth): sync avatar from OpenID providers (#821) 2025-06-16 15:59:31 +02:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente 44b3e46325
fix: return correct mimetype for openapi docs.json
Resolves https://github.com/go-vikunja/vikunja/issues/864
2025-06-04 16:12:46 +02:00
kolaente ca98b7da73
feat: add /token/test route
This new route returns 200 if a valid bearer token was presented. It does not return any information about the user.
2025-05-21 22:27:34 +02:00
kolaente 3e46457c03
fix: remove unused import 2025-05-15 09:54:15 +02:00
kolaente 13dfe78121
fix(project): correctly handle invalid project id error 2025-05-15 09:50:33 +02:00
renovate[bot] 4a75f7d4da
chore(deps): update golangci/golangci-lint-action action to v7 (#462)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2025-04-02 09:28:56 +02:00
kolaente 4e504c288e
fix(auth): hide two factor authentication when using non-local user
Resolves https://github.com/go-vikunja/vikunja/issues/431
2025-03-23 17:43:36 +01:00
kolaente e12ebfebed
feat(ldap): sync avatar from ldap 2025-03-18 18:28:54 +01:00
kolaente 26c7ceaed4
chore(avatar): decouple upload from web handler 2025-03-18 18:28:54 +01:00
kolaente 216df5bedc feat(ldap): make group sync configurable 2025-03-18 16:36:00 +00:00
kolaente e94c744477
fix(auth): return ldap as auth provider name when using it 2025-03-09 09:23:40 +01:00
kolaente c6cade3aeb
feat(i18n): automatically set language during registration 2025-03-02 13:21:24 +01:00
kolaente 90bf5ba81b chore(auth): refactor registration enabled setting in /info 2025-01-28 09:59:08 +00:00
kolaente 9dc351f5a4 feat(auth): show login form when only ldap is enabled 2025-01-28 09:59:08 +00:00
kolaente f01dd2ff52 feat(auth): make sure local auth and ldap can both work when configured at the same time 2025-01-28 09:59:08 +00:00
kolaente 38bb8de4f1 feat(auth): authenticate users via ldap 2025-01-28 09:59:08 +00:00
kolaente 090dd4b2f6
fix(user): do not allow changing name in settings when the user originates from an external auth provider
This improves the UX because it does not allow external users to change their name in Vikunja, since that change would be overridden once they log in again.

Resolves https://github.com/go-vikunja/vikunja/issues/357
2025-01-21 16:27:06 +01:00
kolaente 4556cfb057
fix(attachments): return error message when attachment upload is not multipart form request
Resolves https://vikunja.sentry.io/issues/6041469388/
2024-11-04 12:26:53 +01:00