Commit Graph

2120 Commits

Author SHA1 Message Date
kolaente f5385c574e feat(websocket): add notification event with XORM AfterInsert dispatch
Add NotificationCreatedEvent that fires automatically when a
DatabaseNotification is inserted, using XORM's AfterInsertProcessor
interface. The AfterInsert hook dispatches the event after the row
is persisted, without callers needing to manage DispatchOnCommit or
DispatchPending.

The WebSocket listener subscribes to this event, reloads the
notification from the database (ensuring accurate timestamps), and
pushes it to connected clients subscribed to the notification.created
event. Dispatch errors are logged rather than propagated since the
DB notification is already committed at that point.
2026-04-02 16:30:23 +00:00
kolaente 55ea5bd966 refactor(auth): extract shared token validation into auth package
Move JWT parsing (GetUserIDFromToken) and API token validation
(ValidateAPITokenString) into pkg/modules/auth so both HTTP middleware
and WebSocket auth use the same logic. This ensures consistent token
validity checks including expiry and user status (disabled/locked).

The HTTP API token middleware now delegates to the shared function,
removing duplicated lookup/expiry logic.
2026-04-02 16:30:23 +00:00
kolaente 0139e9a2ab feat(websocket): add HTTP upgrade handler and /api/v1/ws route
Add the WebSocket upgrade endpoint at /api/v1/ws with CORS origin
verification using the configured allowed origins. Includes nil hub
guard returning 503 if the WebSocket system hasn't been initialized.

Register the hub initialization in the app startup sequence and wire
the upgrade handler into the Echo router.
2026-04-02 16:30:23 +00:00
kolaente 9255fe07a9 feat(websocket): add message types, connection hub, and connection handler
Add the core WebSocket infrastructure:

- Message type definitions for the wire protocol (subscribe, unsubscribe,
  auth, error, push events)
- In-memory connection hub that tracks per-user connections and routes
  messages to subscribed clients
- Connection wrapper with auth-after-connect flow: connections start
  unauthenticated, client sends JWT as first message, only then can
  subscribe to event topics

Includes auth timeout (30s), shared cancellation context for read/write
loops, hub map cleanup on last connection removal, and proper error
delivery before closing on auth failure.
2026-04-02 16:30:23 +00:00
kolaente 6aa7217dad fix(caldav): skip tests for known CalDAV bugs and fix timing issues
Skip integration tests that document known bugs in Vikunja's CalDAV
implementation or the caldav-go library:
- Permission errors return 500 instead of 403/404
- Invalid VCALENDAR returns 500 instead of 400
- DELETE doesn't look up task by UID (silently fails)
- PROPFIND on nonexistent resource returns 207 not 404
- ETag format inconsistency between PROPFIND/REPORT/GET
- If-None-Match conditional requests not implemented
- Color field not included in CalDAV export
- RRULE (DAILY/WEEKLY/MONTHLY) not round-tripped
- DURATION not exported for VTODOs

Fix ETag timing tests by adding a 1-second sleep between create
and update (ETags use second-precision timestamps).
2026-04-02 11:34:55 +00:00
kolaente ef85a22f99 fix(caldav): resolve lint issues in caldavtests package
- Remove unused helper functions (findResponse, assertMultistatusHasResponses, caldavRequestAsUser)
- Fix gofmt formatting
- Convert WriteString(fmt.Sprintf(...)) to fmt.Fprintf
- Fix unused parameter warnings
- Fix testifylint suggestions (assert.NotEmpty, assert.Positive)
- Add nolint:unparam for assertResponseStatus
2026-04-02 11:34:55 +00:00
kolaente 7e7d168e45 test(caldav): add VTODO field round-trip tests (RFC 5545 §3.6.2)
Adds comprehensive round-trip tests for VTODO properties:
- Core fields: SUMMARY, DESCRIPTION, DUE, DTSTART, PRIORITY, COMPLETED, STATUS, CATEGORIES
- VALARM: absolute, relative-to-start, relative-to-end triggers
- COLOR via X-APPLE-CALENDAR-COLOR
- RRULE: DAILY, WEEKLY, MONTHLY frequencies
- Priority mapping: all 9 CalDAV levels including lossy mappings
- DURATION and DTSTART+DUE interaction
2026-04-02 11:34:55 +00:00
kolaente 0ca7c0dd01 test(caldav): add relation and subtask tests (RFC 5545 §3.8.4.5) 2026-04-02 11:34:55 +00:00
kolaente 7830a9c3ea test(caldav): add client compatibility and bug reproduction tests 2026-04-02 11:34:55 +00:00
kolaente 160fc9c01f test(caldav): add sync semantics tests (ETag, CTag, conditional requests) 2026-04-02 11:34:55 +00:00
kolaente 738bfa33af test(caldav): add authentication and permission tests 2026-04-02 11:34:55 +00:00
kolaente fecd6d6a1d test(caldav): add CRUD operation tests (RFC 4791 §5.3.2) 2026-04-02 11:34:55 +00:00
kolaente c0a9356646 test(caldav): add REPORT query tests (RFC 4791 §7.8, §7.9) 2026-04-02 11:34:55 +00:00
kolaente 56ead32dca test(caldav): add discovery flow tests (RFC 6764, RFC 5397, RFC 4791) 2026-04-02 11:34:55 +00:00
kolaente ebedd312c1 test(caldav): add PROPFIND tests (RFC 4918 §9.1) 2026-04-02 11:34:55 +00:00
kolaente e2478e2fd6 test(caldav): add caldavtests package with infrastructure, helpers, and mage target
- Package skeleton with TestMain, setupTestEnv, and fixture users
- HTTP request helpers (PROPFIND, REPORT, GET, PUT, DELETE, OPTIONS)
- XML/iCal response parsers and assertion utilities
- VTodoBuilder for constructing test VTODO payloads
- Common PROPFIND/REPORT XML body constants
- Smoke test validating the infrastructure works end-to-end
- mage test:caldav command and CI matrix entry
2026-04-02 11:34:55 +00:00
Frederick [Bot] 88c8d7a73d chore(i18n): update translations via Crowdin 2026-04-01 01:44:10 +00:00
Claude fc9c21915d feat(auth): enforce OpenID Connect issuer uniqueness across providers
Detect when two configured OIDC providers resolve to the same issuer URL
at startup and halt with a fatal error, preventing team sync data
corruption caused by ambiguous (external_id, issuer) matching.

Also adds duplicate issuer detection to the doctor service diagnostics
and comprehensive tests with mock OIDC discovery servers.
2026-03-30 22:41:50 +00:00
kolaente 59abe1bd84 test(plugins): add yaegi plugin integration tests
- Smoke test: verify yaegi can load stdlib and vikunja symbols
- Loader test: load example plugin and verify Name/Version
- Routes test: verify plugin HTTP routes serve responses
- Events test: verify plugin event listener registration via Init()
2026-03-30 20:44:46 +00:00
kolaente cc39aa7f08 feat(plugins): add yaegi interpreter-based plugin loader
EvalPath-based loading of Go source directories with typed factory
functions for interface bridging (required by yaegi's wrapping model).

Supports all plugin capabilities: routes, events, and migrations.
Registers itself into the Manager via init() to avoid import cycles.
2026-03-30 20:44:46 +00:00
kolaente 665f1b848c feat(plugins): extract third-party symbols for yaegi
Generated symbol tables for echo and watermill, enabling yaegi plugins
to use HTTP routing and the event/message system.

Exclude pkg/yaegi_symbols/ from golangci-lint (generated code).
2026-03-30 20:44:46 +00:00
kolaente 8771059a7a feat(plugins): extract vikunja package symbols for yaegi
Generated symbol tables exposing vikunja internals to the yaegi
interpreter: models, events, db, user, log, and plugins packages.
2026-03-30 20:44:46 +00:00
kolaente 3db410933e feat(plugins): add plugin config options
Add configuration keys:
- plugins.enabled (default: false)
- plugins.dir (default: <rootpath>/plugins)
- plugins.loader (default: native, validated at startup)

Register yaegi loader via blank import in initialize package.
2026-03-30 20:44:46 +00:00
kolaente 1d354512e6 feat(plugins): add plugin system interfaces and manager
Add the core plugin system with four interfaces:
- Plugin: base lifecycle (Name, Version, Init, Shutdown)
- MigrationPlugin: database migrations
- AuthenticatedRouterPlugin: routes behind auth
- UnauthenticatedRouterPlugin: public routes

The Manager handles loading, initialization, shutdown, and route
registration. Includes native .so loader (marked deprecated) and
yaegi loader integration point.
2026-03-30 20:44:46 +00:00
kolaente 111090d12c refactor: use embed fs for redoc UI and update to latest version
Move the redoc HTML template and JavaScript bundle out of the Go const
in docs.go into separate files under pkg/routes/api/v1/redoc/, using
Go's embed directive. Update redoc.standalone.js to the latest version.
The JS is now served on a separate route (/api/v1/docs/redoc.standalone.js)
to keep the HTML and JS cleanly separated.
2026-03-30 15:09:54 +00:00
Jacek Galowicz b2ddd2753c config: Expand environment variables in some.config.value.path.file inputs for better secret management 2026-03-30 14:22:39 +00:00
kolaente 6b225bb0ba test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
kolaente 6dc46c1898 feat: add AssertNotSent helper to notification testing 2026-03-30 12:28:15 +00:00
kolaente 04f94a5801 feat: register API token expiry check cron on startup 2026-03-30 12:28:15 +00:00
kolaente f308584033 feat: add cron job for API token expiry notifications 2026-03-30 12:28:15 +00:00
kolaente 8ea0dd1610 feat: add API token expiry notification types 2026-03-30 12:28:15 +00:00
kolaente d3f9bb4ee8 feat: add i18n keys for API token expiry notifications 2026-03-30 12:28:15 +00:00
kolaente 9884d933fc refactor: extract shared API token validation into ValidateTokenAndGetOwner 2026-03-30 12:09:53 +00:00
kolaente 390957b3f5 test: verify caldav permission group appears in /routes 2026-03-30 12:09:53 +00:00
kolaente 194bec8b9f test: add integration tests for CalDAV API token auth 2026-03-30 12:09:53 +00:00
kolaente 6207705928 feat: accept API tokens for CalDAV basic auth 2026-03-30 12:09:53 +00:00
kolaente ebec91b356 feat: add HasCaldavAccess method to APIToken 2026-03-30 12:09:53 +00:00
kolaente b0b7c52b15 feat: register caldav permission group for API tokens 2026-03-30 12:09:53 +00:00
kolaente 83bac15841
feat: rename ServiceJWTSecret to ServiceSecret with deprecation (#2502) 2026-03-30 12:07:01 +02:00
Frederick [Bot] fa2dc8f918 [skip ci] Updated swagger docs 2026-03-28 23:53:53 +00:00
j-hugo 23415c57aa
docs: correct task comment endpoint description and title (#2498) 2026-03-29 00:43:58 +01:00
kolaente 649043aceb test: add tests for OAuth 2.0 authorization flow
Add web tests covering the authorize endpoint, token exchange, PKCE
verification, single-use codes, and refresh token rotation. Add unit
tests for redirect URI validation and PKCE. Add E2E test for the full
browser-based authorization code flow with login redirect.

Extract setupApiUrl helper for E2E tests to avoid duplication.
2026-03-27 23:05:04 +00:00
kolaente e5987acf80 feat: register OAuth authorize and token routes
Add POST /api/v1/oauth/authorize (authenticated) and
POST /api/v1/oauth/token (unauthenticated) routes.
2026-03-27 23:05:04 +00:00
kolaente 7827ff64b9 feat: add OAuth 2.0 token endpoint
Add POST /api/v1/oauth/token supporting authorization_code and
refresh_token grant types. Validates PKCE, exchanges codes for
JWT access tokens with refresh token rotation. Uses the shared
RefreshSession helper for the refresh grant.
2026-03-27 23:05:04 +00:00
kolaente 8b379b7466 feat: add OAuth 2.0 authorize endpoint
Add POST /api/v1/oauth/authorize behind auth middleware. Validates
OAuth parameters (response_type, redirect_uri, PKCE), fetches the
authenticated user, creates an authorization code, and returns it
as JSON for the frontend to handle the redirect.
2026-03-27 23:05:04 +00:00
kolaente a6e7475153 feat: add OAuth client validation and PKCE verification
Add redirect URI validation that allowlists vikunja-* custom protocol
schemes, rejecting http/https and dangerous schemes like javascript:.
Add PKCE S256 verification following RFC 7636.
2026-03-27 23:05:04 +00:00
kolaente 71282dcffd feat: add OAuth 2.0 authorization code model and migration
Add the OAuthCode model for storing short-lived authorization codes
with PKCE challenges. Codes are hashed (SHA-256) before storage and
are single-use with a 10-minute expiry. Add the database migration
and OAuth-specific error types.
2026-03-27 23:05:04 +00:00
kolaente 7a258f67c7 refactor: extract shared RefreshSession helper
The cookie-based /user/token/refresh handler had session refresh logic
(lookup, expiry check, token rotation, user fetch, JWT generation)
that will be reused by the OAuth token endpoint. Extract it into
auth.RefreshSession() and rewrite RefreshToken to use it.
2026-03-27 23:05:04 +00:00
kolaente 39e16653aa fix: add ORDER BY to ListUsers query for deterministic ordering
The query had no ORDER BY clause, causing non-deterministic result
ordering on PostgreSQL where row order is not guaranteed.
2026-03-27 23:05:04 +00:00
kolaente 112e486314 test: add test for deeply nested TickTick task ordering 2026-03-26 15:08:12 +00:00