Commit Graph

12795 Commits

Author SHA1 Message Date
Frederick [Bot] 1e2b861ea5 chore(i18n): update translations via Crowdin 2026-02-12 01:15:53 +00:00
renovate[bot] 016229faad chore(deps): update dev-dependencies 2026-02-11 22:37:26 +01:00
rhclayto b196c986cd
feat: use credentials when accessing PWA manifest (#2218) 2026-02-11 22:28:52 +01:00
renovate[bot] b25243ef62 chore(deps): update dependency happy-dom to v20.5.1 2026-02-11 22:24:47 +01:00
dependabot[bot] ba84ac2f70 chore(deps): bump axios from 1.13.2 to 1.13.5 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.13.2 to 1.13.5.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.2...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-11 12:36:11 +01:00
kolaente f4baaf8779 chore(lint): ignore revive var-naming for stdlib-conflicting package names 2026-02-11 09:56:20 +01:00
kolaente 82469618ca chore(ci): update golangci-lint from v2.6.0 to v2.9.0 2026-02-11 09:56:20 +01:00
kolaente a5bc019fe1 chore(renovate): group playwright npm package and docker image together 2026-02-11 09:56:20 +01:00
renovate[bot] 54c0b3a083 chore(deps): update mcr.microsoft.com/playwright docker tag to v1.58.2 2026-02-11 09:56:20 +01:00
renovate[bot] aec05b12eb chore(deps): update dev-dependencies 2026-02-11 09:56:20 +01:00
Frederick [Bot] be4fb77981 chore(i18n): update translations via Crowdin 2026-02-10 01:25:29 +00:00
kolaente c2a132d56d fix(build): add osusergo tag to plugin build
Applies the same osusergo build tag fix from a1d5b634b to the plugin
build to prevent SIGFPE crashes under systemd.
2026-02-09 16:18:49 +01:00
kolaente ed5dfa1ad4 fix(gantt): render done tasks with strikethrough and reduced opacity
The gantt chart rebuild lost the visual distinction for completed tasks.
Restore strikethrough on task labels and add reduced opacity on bars
for done tasks.

Regression introduced in the gantt chart rebuild in 5fc255cb3.

Resolves #2211
2026-02-09 15:28:48 +01:00
kolaente 5c022a0ab1 chore: v1.1.0 release preparations 2026-02-09 11:05:34 +01:00
kolaente dd0b82f00a fix(task): use DOMParser in task glance tooltip description preview
Replace innerHTML on a detached element with DOMParser for extracting
plain text from task descriptions.
2026-02-09 11:01:38 +01:00
Frederick [Bot] 3c2977b126 chore(i18n): update translations via Crowdin 2026-02-09 01:16:51 +00:00
kolaente c92dcf6351 chore(ci): add debugging around release signing 2026-02-08 22:23:23 +01:00
kolaente 1a4dd0269d fix(ci): move gpg setup to right before sign step
Siging seems to fail now, with no changes to the pipeline. This change
moves the setup to right before the signing, in case the build step
mangles with the gpg setup
2026-02-08 22:23:05 +01:00
kolaente e90cb2631d fix(auth): remove unnecessary fields from JWT token payloads
Remove email, name, emailRemindersEnabled, and isLocalUser from user JWT
claims, and isLocalUser from link share JWT claims. These fields are never
used from the token - the backend always fetches the full user from the
database by ID, and the frontend fetches user data from the /user API
endpoint immediately after login.

Also simplify GetUserFromClaims to only extract id and username, and
remove the now-unnecessary email override in the frontend's
refreshUserInfo.
2026-02-08 21:30:07 +01:00
kolaente 0e05d1cc9d
fix(log): write each log category to its own file (#2206)
Previously, `makeLogHandler()` hardcoded "standard" as the logfile name
passed to `getLogWriter()`, causing all log categories (`database`,
`http`, `events`, `mail`) to write to `standard.log` instead of their
own files.

Add a logfile parameter to `makeLogHandler()` so each caller specifies
its category name, producing `database.log`, `http.log`, `echo.log`,
`events.log`, and `mail.log` as expected.

Fixes https://github.com/go-vikunja/vikunja/issues/2177
2026-02-08 15:22:58 +00:00
kolaente b6974ffcfd
feat: add UNSIGNED-PAYLOAD config option for S3-compatible stores (#2205)
Adds `files.s3.disablesigning` config option that sends
`UNSIGNED-PAYLOAD` instead of computing SHA256 hashes for S3 request
signing which fixes `XAmzContentSHA256Mismatch` errors with
S3-compatible providers like Ceph RadosGW and Clever Cloud Cellar

Resolves https://github.com/go-vikunja/vikunja/issues/2181
2026-02-08 15:03:19 +00:00
kolaente eb369cf3ee fix: handle attachment upload errors with user-visible notifications 2026-02-08 15:48:04 +01:00
kolaente 7256a14194 fix: format attachment upload error messages as readable strings 2026-02-08 15:48:04 +01:00
kolaente ac3fd3e131 docs: add caveat about running go tests to agent instructions [skip ci] 2026-02-08 15:43:48 +01:00
kolaente bcfde14b14 fix(backgrounds): stream unsplash download to temp file instead of memory
Use a temp file instead of io.ReadAll to avoid buffering the entire
Unsplash image in RAM, which could cause OOM with large images or
high maxsize configuration.
2026-02-08 15:31:25 +01:00
kolaente 0d395a9e5d refactor(files): remove redundant seek operations in writeToStorage
Move the seek-to-start into the local file branch only and simplify
contentLengthFromReadSeeker to seek to end then back to 0 instead of
saving/restoring the original position. This reduces the S3 upload
path from 5 seek operations to 2.
2026-02-08 15:31:25 +01:00
kolaente 56a0ea44cf fix(backgrounds): avoid integer overflow in max size calculation
Keep maxSize as uint64 and cast safely when comparing with
resp.ContentLength to avoid potential integer overflow.
2026-02-08 15:31:25 +01:00
kolaente ea78e87147 fix(dump): limit copy size to prevent decompression bombs
Use io.CopyN with a max size limit when extracting files from zip
archives during restore to prevent potential DoS via decompression bombs.
2026-02-08 15:31:25 +01:00
kolaente 19f6e4b7c9 fix(backgrounds): enforce max file size for unsplash downloads
Check Content-Length and use io.LimitReader to prevent OOM from
unexpectedly large unsplash responses before buffering into memory.
2026-02-08 15:31:25 +01:00
kolaente 41b511b322 fix(files): seek to start before writing for consistent behavior
Both local and S3 backends now seek to position 0 before writing,
ensuring consistent behavior regardless of the reader's current offset.
2026-02-08 15:31:25 +01:00
kolaente ab705d7d21 fix(dump): stream files during restore to avoid memory pressure
Use a temporary file instead of io.ReadAll when restoring attachments
from a dump. This prevents loading entire files into memory, which could
cause OOM errors for large attachments during restore.
2026-02-08 15:31:25 +01:00
kolaente 82933a0836 test(files): update tests for io.ReadSeeker API
- Replace custom testfile structs with bytes.NewReader
- Remove readerOnly wrapper and non-seekable reader tests (no longer
  possible at the type level)
- Update S3 unit tests to remove temp file assertions
2026-02-08 15:31:25 +01:00
kolaente dbd74491c4 fix(files): update all callers to provide seekable readers for S3 uploads
Update all code paths that pass file content to the storage layer to
provide io.ReadSeeker instead of io.Reader:

- Avatar upload: use bytes.NewReader instead of bytes.Buffer
- Background upload handler: use bytes.NewReader instead of bytes.Buffer
- Unsplash background: buffer response body into bytes.NewReader
- Dump restore: buffer zip entry into bytes.NewReader
- Migration structure: pass bytes.NewReader directly instead of wrapping
  in io.NopCloser
- Task attachment: change NewAttachment parameter from io.ReadCloser to
  io.ReadSeeker
2026-02-08 15:31:25 +01:00
kolaente 728a3e4f7b fix(files): require io.ReadSeeker for S3 uploads, remove temp file fallback
The S3 upload path used temp files (vikunja-s3-upload-*) to buffer
non-seekable readers. In Docker containers with restrictive permissions,
these temp files could not be created, causing "permission denied"
errors for avatar and background image uploads.

By changing the file storage API (Create, CreateWithMime,
CreateWithMimeAndSession, Save) to require io.ReadSeeker instead of
io.Reader, the temp file fallback is no longer needed and is removed.
This enforces at the type level that all callers provide seekable
readers, preventing this class of bug from recurring.

Closes go-vikunja/vikunja#2185
2026-02-08 15:31:25 +01:00
kolaente 7fce4694fa
refactor(db): extract testable ResolveDatabasePath function (#2193)
Add DatabasePathConfig struct and ResolveDatabasePath function that
takes all dependencies as parameters, making it easier to test path
resolution logic in isolation. Should also fix the reported cases.

Resolves #2189
2026-02-08 10:47:57 +00:00
kolaente 8830dc56ad chore(deps): update lodash to 4.17.23 2026-02-08 11:35:27 +01:00
kolaente 32ef651486 chore(deps): update node-tar 2026-02-08 11:32:53 +01:00
kolaente 5cb1787dd6 chore(deps): update @isaacs/brace-expansion to 5.0.1 2026-02-08 11:31:22 +01:00
kolaente cdca790325 fix: guard against undefined route.name in auth layout check
route.name can be undefined during initial route resolution or for
unnamed routes. Without this guard, AUTH_ROUTE_NAMES.has() would
return false and the authenticated layout could flash briefly.
2026-02-06 10:58:50 +01:00
kolaente e9a6abfe44 refactor: extract auth route names into shared constant
Move the list of authentication route names (login, register, password
reset, openid, link-share) into a shared constant in
src/constants/authRouteNames.ts. Use it in both App.vue (layout gate)
and router/index.ts (auth redirect guard) to keep them in sync.
2026-02-06 10:58:50 +01:00
kolaente 5d9f62cc93 fix: prevent auth layout swap while still on login/register route
The v-if in App.vue switches to the authenticated layout (navbar +
sidebar) as soon as authStore.authUser becomes truthy. But Vue's
reactivity flush runs before the await continuation in submit(), so
the layout swaps while the route is still /login, causing the login
form to flash inside the authenticated shell for ~250ms.

Fix by adding a route check: don't show the authenticated layout while
the current route is an auth page (login, register, password reset,
openid). The NoAuthWrapper stays visible until redirectIfSaved()
navigates away, then the authenticated layout renders cleanly.
2026-02-06 10:58:50 +01:00
kolaente 0e2ea5c42a fix: avoid clearing saved redirect in onBeforeMount to prevent race with submit
When Login.vue re-mounts inside the authenticated layout after a
successful login, its onBeforeMount hook fires again. If it calls
redirectIfSaved(), it clears the saved route from localStorage before
the submit() handler's redirectIfSaved() can use it, causing a redirect
to home instead of the saved route. Use router.push({name: 'home'})
directly since the only purpose here is to redirect already-authenticated
users away from the login page.
2026-02-06 10:58:50 +01:00
kolaente b3e95e9f4e test: add E2E test for login form flash regression 2026-02-06 10:58:50 +01:00
kolaente dcff454755 fix: redirect immediately after registration to prevent form flash in app shell 2026-02-06 10:58:50 +01:00
kolaente 8bccf21a81 fix: redirect immediately after login to prevent form flash in app shell 2026-02-06 10:58:50 +01:00
kolaente 77b8403c24 fix: iterate past rejected middle matches in matchDateAtBoundary()
When the first regex match is a rejected middle-of-text date, continue
searching for subsequent matches instead of returning null. This fixes
cases like "The 9/11 Report due 10/12" where 9/11 is rejected but
10/12 at the end should still be parsed.
2026-02-06 10:57:50 +01:00
kolaente 3f0bf71d30 fix: allow middle-of-text dates when followed by time expressions (#2195)
Reworked matchDateAtBoundary() to use a single regex pass instead of
two-pass start/end anchoring. Middle-of-text matches are now accepted
when followed by a time expression (at/@ prefix), so inputs like
"meeting 9/11 at 10:00" still parse correctly while "The 9/11 Report"
is rejected.
2026-02-06 10:57:50 +01:00
kolaente cee258edc3 refactor: remove unnecessary comment from getDateFromText() 2026-02-06 10:57:50 +01:00
kolaente 61448bb028 refactor: remove unnecessary flags parameter from matchDateAtBoundary() 2026-02-06 10:57:50 +01:00
kolaente c544886524 test: add positive boundary tests for date parsing (#2195) 2026-02-06 10:57:50 +01:00