Commit Graph

13239 Commits

Author SHA1 Message Date
kolaente 0f98c19ab6 fix: add TTL-based expiry and cleanup for used TOTP passcode entries
Store a unix timestamp instead of a boolean, and treat entries older
than 90 seconds as expired. A background goroutine lazily cleans up
expired keys after each successful validation to prevent unbounded
growth in the keyvalue store.
2026-03-23 10:34:49 +00:00
kolaente acafa6db10 fix: update TOTP reuse test to use user10 matching rebased fixture 2026-03-23 10:34:49 +00:00
kolaente 5f06e1dce5 fix: prevent TOTP passcode reuse within validity window
Store used TOTP passcodes in the keyvalue store after successful
validation. On subsequent validation attempts, check if the passcode
was already used for the same user and reject it with
ErrTOTPPasscodeUsed. This prevents replay attacks where an intercepted
TOTP code could be reused within its 30-second validity window.
2026-03-23 10:34:49 +00:00
kolaente 5591ca94ba test: add failing test for TOTP passcode reuse prevention
Add TestTOTPPasscodeCannotBeReused which verifies that a valid TOTP
passcode cannot be used twice within its validity window. Also add
ErrTOTPPasscodeUsed error type for the new behavior.
2026-03-23 10:34:49 +00:00
kolaente de58f630ee test: add TOTP fixture and load it in user test bootstrap
Add a TOTP fixture for user1 with a known secret to enable
testing TOTP validation logic. Update InitTests to load the
totp fixture alongside users and user_tokens.
2026-03-23 10:34:49 +00:00
renovate[bot] 8bf450b98f chore(deps): update dependency caniuse-lite to v1.0.30001781 2026-03-23 10:28:55 +00:00
Frederick [Bot] 1ebe913181 chore(i18n): update translations via Crowdin 2026-03-23 01:19:01 +00:00
Claude cb81cf1aa8 refactor: reorganize quick add magic into focused modules
Split the monolithic parseTaskText.ts into a parseTaskText/ directory with
separate files for types, prefixes, prefix parsing, priority parsing, repeat
parsing, date parsing, and text cleanup. Moved parseDate.ts from helpers/time/
into the module since it's only consumed by the task text parser. Barrel export
in index.ts maintains backward compatibility — no consumer import changes needed.

https://claude.ai/code/session_01Aeo1ZunQUGKbWx2watMFdW
2026-03-22 20:47:10 +00:00
MidoriKurage c760a9bf72 fix(caldav): Replace href with pathname from parseURL for api base
`parseURL` only return `href` for special protocols. CalDAV api base
will always be root path. Use `pathname` which will not be undefined.
2026-03-22 14:30:38 +00:00
Claude 0085772b63 fix: include kanban bucket move permission in tasks preset
The kanban task move endpoint (POST /projects/:project/views/:view/
buckets/:bucket/tasks) is registered under the projects group as
views_buckets_tasks. Without this permission, the tasks preset cannot
move tasks between kanban buckets.

https://claude.ai/code/session_01QDWqXJmjriYoAcvMD43vmx
2026-03-22 14:24:23 +00:00
Claude 652eb9bba3 fix: remove small class from preset label
https://claude.ai/code/session_01QDWqXJmjriYoAcvMD43vmx
2026-03-22 14:24:23 +00:00
Claude 68097cf700 feat: add quick presets for API token permission selection
Add preset buttons (Read Only, Task Management, Project Management, Full
Access) to the API token creation form so users don't have to manually
select every individual permission.

https://claude.ai/code/session_01QDWqXJmjriYoAcvMD43vmx
2026-03-22 14:24:23 +00:00
renovate[bot] 79f807f4c2 chore(deps): update dependency rollup to v4.60.0 2026-03-22 14:23:41 +00:00
Frederick [Bot] 1b246a0ff7 chore(i18n): update translations via Crowdin 2026-03-21 01:09:32 +00:00
kolaente b365be1881
chore: v2.2.0 release preparations 2026-03-20 13:40:18 +01:00
kolaente 1f2aef776c test: verify CalDAV token auth bypasses TOTP check
Add a CalDAV token fixture (kind=4) for user10 who has TOTP enabled,
and implement the previously-skipped test proving token-based auth
still works when TOTP is active.
2026-03-20 12:22:27 +00:00
kolaente 1ed813caf0 fix: update TOTP fixtures and tests to avoid conflicts with existing enrollment tests
- user10 gets enabled TOTP (for CalDAV 2FA test)
- user1 gets enrolled-but-not-enabled TOTP (for existing QR/settings tests)
- TOTP enrollment test uses user2 (no TOTP fixture) instead of user1
2026-03-20 12:22:27 +00:00
kolaente 659e73af05 fix: use user10 instead of user1 for TOTP fixture to avoid breaking login tests 2026-03-20 12:22:27 +00:00
kolaente cdf5d30a42 fix: reject CalDAV basic auth when TOTP is enabled 2026-03-20 12:22:27 +00:00
kolaente a66bda2f51 test: register totp fixture in test setup 2026-03-20 12:22:27 +00:00
kolaente bda16e770f test: add failing test for CalDAV 2FA bypass via basic auth 2026-03-20 12:22:27 +00:00
kolaente 27ef92b9bf test: add TOTP fixture data for user1 2026-03-20 12:22:27 +00:00
kolaente b7a1408098 fix: use require.Error instead of assert.Error for error assertions 2026-03-20 11:41:28 +00:00
kolaente 4b91e5efa1 refactor: rename checkProjectBackgroundWriteRights to checkProjectBackgroundWritePermissions 2026-03-20 11:41:28 +00:00
kolaente 49419619bd fix: only enforce task_id check when TaskID is provided
Internal callers (reactions) look up comments by ID without knowing
the task. The IDOR protection is still effective because ReadOne
always has TaskID set from the URL parameter.
2026-03-20 11:41:28 +00:00
kolaente f066eb3ea4 fix: require CanUpdate for project background deletion
RemoveProjectBackground previously used checkProjectBackgroundRights
which only checks CanRead, allowing read-only users to delete project
backgrounds. Added checkProjectBackgroundWriteRights that checks
CanUpdate and use it in RemoveProjectBackground.

Ref: GHSA-564f-wx8x-878h
2026-03-20 11:41:28 +00:00
kolaente f60f3af70b test: add failing test for project background delete with read-only access
Proves that a user with read-only access to a project can delete its
background image. The test expects a 403 Forbidden but the operation
proceeds because RemoveProjectBackground only checks CanRead.

Adds fixture entry giving user 15 read-only access to project 35
(which has a background_file_id).

Ref: GHSA-564f-wx8x-878h
2026-03-20 11:41:28 +00:00
kolaente bc6d843ed4 fix: verify comment belongs to task in URL to prevent IDOR
Add task_id check to getTaskCommentSimple so that a comment can only
be loaded if it actually belongs to the task specified in the URL.
Previously, any valid comment ID could be read through any accessible
task endpoint.

Ref: GHSA-mr3j-p26x-72x4
2026-03-20 11:41:28 +00:00
kolaente 2da89258e5 test: add failing test for task comment IDOR
Proves that a user can read a comment from an inaccessible task by
supplying an accessible task ID in the URL. Comment 18 belongs to
task 34 (owned by user 13), but testuser1 can read it via task 1.

Ref: GHSA-mr3j-p26x-72x4
2026-03-20 11:41:28 +00:00
kolaente be0aaa7060 fix: adapt image preview DoS protection to new FileStorage interface
File.File is now io.ReadCloser (no Seek). Buffer the file bytes
once via io.ReadAll, then use bytes.NewReader for both DecodeConfig
and Decode. Test updated to use io.NopCloser instead of afero.
2026-03-20 11:34:41 +00:00
kolaente af61d0f1a0 fix: reject images exceeding 50M pixels before decode 2026-03-20 11:34:41 +00:00
kolaente f7592e2cfd test: add failing test for image preview with oversized dimensions 2026-03-20 11:34:41 +00:00
kolaente 82c24a826a fix(desktop): block same-window navigation to external origins 2026-03-20 11:30:09 +00:00
kolaente b9d4d5e4ac fix(desktop): validate URL schemes before shell.openExternal 2026-03-20 11:30:09 +00:00
kolaente 23de2197fd fix(desktop): disable nodeIntegration and enable contextIsolation/sandbox 2026-03-20 11:30:09 +00:00
kolaente 89923ebe70 fix: update test expectations for new disabled user fixture
- TestListUsers expects 17 users (was 16)
- TestCleanupOldTokens expects 3 old tokens deleted (was 2)
2026-03-20 11:23:21 +00:00
kolaente 049f4a6be4 fix: prevent email confirmation from re-enabling admin-disabled accounts 2026-03-20 11:23:21 +00:00
kolaente 2260d763b5 test: add web test for disabled user password reset rejection 2026-03-20 11:23:21 +00:00
kolaente 241b0e80b6 test: add tests for disabled user password reset prevention 2026-03-20 11:23:21 +00:00
kolaente 708ccab895 fix: reject password reset token requests for disabled users 2026-03-20 11:23:21 +00:00
kolaente d8570c603d fix: prevent password reset from re-enabling admin-disabled accounts 2026-03-20 11:23:21 +00:00
kolaente 4c80932b64 fix: block login for StatusAccountLocked users 2026-03-20 11:23:21 +00:00
kolaente 7792bf6cea refactor: use StatusAccountLocked for TOTP lockouts 2026-03-20 11:23:21 +00:00
kolaente f42a045bdc feat: add StatusAccountLocked user status for TOTP lockouts 2026-03-20 11:23:21 +00:00
kolaente ddd9ef5f22 style: fix alignment in config key declarations 2026-03-20 11:08:00 +00:00
kolaente 015a172c2a docs: document IP extraction and trusted proxy config options 2026-03-20 11:08:00 +00:00
kolaente a498dd6991 fix: configure Echo IPExtractor to prevent rate limit bypass via spoofed headers 2026-03-20 11:08:00 +00:00
kolaente 26324a740a feat: add service.ipextractionmethod and service.trustedproxies config options 2026-03-20 11:08:00 +00:00
kolaente 763d25ca18
feat(ci): enable merge queue trigger 2026-03-20 11:53:08 +01:00
kolaente 17eccd848f test: add FileStat assertion to validate storage path in attachment test 2026-03-20 10:59:44 +01:00