Thread the request context through CheckUserCredentials so the
LoginFailedEvent carries IP, user agent and request id — without it,
failed logins were the one auth event useless for brute-force tracing.
All four callers have the request at hand.
Pull the business logic out of the v1 current-user account/settings handlers
into reusable functions so both v1 and the upcoming v2 handlers call one
implementation. No behavior change — the v1 handlers keep their HTTP-layer
quirks (input binding, validation, error mapping); only orchestration moves.
Homes are forced by the import graph:
- shared.GetAuthProviderName (new pkg/routes/api/shared, above openid+user so it
can combine both without a cycle; routes-only helper)
- user.ChangeUserEmail (CheckUserCredentials + UpdateEmail, both in user)
- models.ChangeUserPassword (needs models.DeleteAllUserSessions; user can't import models)
- models.UpdateUserGeneralSettings / UpdateUserAvatarProvider
(need avatar.FlushAllCaches; user can't import avatar)
The general settings get a single shared wire struct, models.UserGeneralSettings
(tagged for both swaggo/govalidator and Huma): it is the update request body and
the nested settings on GET /user for v1 (replacing v1's UserSettings) and v2.
ExtraSettingsLinks is readOnly — populated from the user on read, ignored on
write. A dedicated struct is required because user.User's settings fields are
json:"-" so they don't leak when it is embedded in other responses.
Refactor functions that created their own sessions when called from
within existing transactions, which caused "database table is locked"
errors in SQLite's shared-cache mode.
Changes:
- Add files.CreateWithSession() to reuse caller's session
- Refactor DeleteBackgroundFileIfExists() to accept session parameter
- Add variadic session parameter to notifications.Notify() and
Notifiable.ShouldNotify() interface
- Update all Notify callers (~17 sites) to pass their session through
- Use files.CreateWithSession in SaveBackgroundFile and NewAttachment
- Fix test code to commit sessions before assertions
Fix lint
Fix lint
Fix loading tasks with search
Fix loading lists
Fix loading task
Fix loading lists and namespaces
Fix tests
Fix user commands
Fix upload
Fix migration handlers
Fix all manual root handlers
Fix session in avatar
Fix session in list duplication & routes
Use sessions in migration code
Make sure the openid stuff uses a session
Add alias for db type in db package
Use sessions for file
Use a session for everything in users
Use a session for everything in users
Make sure to use a session everywhere in models
Create new session from db
Add session handling for user list
Add session handling for unsplash
Add session handling for teams and related
Add session handling for tasks and related entities
Add session handling for task reminders
Add session handling for task relations
Add session handling for task comments
Add session handling for task collections
Add session handling for task attachments
Add session handling for task assignees
Add session handling for saved filters
Add session handling for namespace and related types
Add session handling for namespace and related types
Add session handling for list users
Add session handling for list tests
Add session handling to list teams and related entities
Add session handling for link shares and related entities
Add session handling for labels and related entities
Add session handling for kanban and related entities
Add session handling for bulk task and related entities
Add session handling for lists and related entities
Add session configuration for web handler
Update web handler
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/750
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>