Commit Graph

93 Commits

Author SHA1 Message Date
kolaente d76c009808 fix(api/v2): map ValidationHTTPError to its HTTP status
translateDomainError only recognized web.HTTPErrorProcessor, so a
ValidationHTTPError from InvalidFieldError (e.g. an unknown webhook
event) leaked as a 500 instead of the 412 v1 returns. It carries the
status via GetHTTPCode() but cannot implement HTTPErrorProcessor because
the embedded web.HTTPError field shadows the method name. Add a
GetHTTPCode/GetCode branch so v2 surfaces the right status and preserves
the v1 numeric code on the body.
2026-06-06 19:50:41 +00:00
kolaente 6df0d6c8f5 feat(tasks): cap repeat_after at 10 years to harden repeating-task handler
Add MaxTaskRepeatAfterSeconds (10 years in seconds) and reject any
create/update that tries to store a value outside [0, cap] with a new
ErrInvalidTaskRepeatInterval (error code 4029). Defense-in-depth
alongside the arithmetic fix in addRepeatIntervalToTime: keeps stored
values well away from int64 overflow and bounds the range of inputs
a future refactor could trip over.
2026-04-09 16:07:48 +00:00
kolaente 71282dcffd feat: add OAuth 2.0 authorization code model and migration
Add the OAuthCode model for storing short-lived authorization codes
with PKCE challenges. Codes are hashed (SHA-256) before storage and
are single-use with a 10-minute expiry. Add the database migration
and OAuth-specific error types.
2026-03-27 23:05:04 +00:00
kolaente b3d0b2f697 feat: add Session model with CRUD, permissions, and cleanup cron
- Session struct with UUID primary key, hashed refresh token, device
  info, IP address, and last-active tracking
- Token generation via generateHashedToken (SHA-256, 128 random bytes)
- CreateSession, GetSessionByRefreshToken, GetSessionByID
- Atomic RotateRefreshToken with WHERE on old hash to prevent replays
- ReadAll scoped to authenticated user (link shares rejected)
- Delete scoped to owning user (link shares rejected)
- Hourly cleanup cron for expired sessions based on is_long_session
- ErrSessionNotFound error type with HTTP 404 mapping
2026-02-25 10:30:25 +01:00
kolaente 39b4568bc5
refactor: centralize HTTP error handling (#2062)
This changes the error handling to a centralized HTTP error handler in `pkg/routes/error_handler.go` that converts all error types to proper HTTP responses. This simplifies the overall error handling because http handler now only need to return the error instead of calling HandleHTTPError as previously.
It also removes the duplication between handling errors with and without Sentry.

🐰 Hop along, dear errors, no more wrapping today!
We've centralized handlers in a shiny new way,
From scattered to unified, the code flows so clean,
ValidationHTTPError marshals JSON supreme!
Direct propagation hops forward with glee,
A refactor so grand—what a sight to see! 🎉
2026-01-08 10:02:59 +00:00
kolaente a9adc3490d
fix(positions): detect and repair duplicate task positions automatically (#1998)
Relates to:
https://community.vikunja.io/t/reordering-not-possible-position-value-the-same-for-different-tasks/4078

Duplicate positions can occur due to race conditions or historical bugs, causing tasks to appear in the wrong order or jump around when the page is refreshed.

This change adds a `repair-task-positions` CLI command to detect and resolve task position conflicts, with dry-run preview option.
Also implemented automatic conflict detection and resolution to ensure
unique task positions.

🐰 Positions once conflicted, clustered tight,
But now we nudge them back into the light!
MinSpacing guards precision from decay,
While conflicts heal and duplicates give way. 
2025-12-20 19:38:28 +01:00
kolaente db123674a7
feat: share logic for bulk update (#1456)
This change refactors the bulk task update logic so that it updates all fields a single task update would update as well.

Could be improved in the future so that it is more efficient, instead of calling the update function repeatedly. Right now, this reduces the complexity by a lot and it should be fast enough for most cases using this.

Resolves #1452
2025-09-10 16:40:59 +00:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
Copilot 9712dbe2ab
fix: MySQL constraint violations returning HTTP 500 instead of 400 for task bucket duplicates (#1154)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kolaente <13721712+kolaente@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2025-07-22 08:59:12 +00:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
Dominik Pschenitschni 62f048767c
fix: correct unknown subscription entity typo (#883) 2025-06-10 12:18:07 +02:00
kolaente e287364b78
fix(team): do not allow leaving exernal teams 2025-03-20 17:13:51 +01:00
kolaente 9f5c761fd9 chore(auth): rename error 2025-03-18 16:36:00 +00:00
kolaente 61333c9b7f
fix: lint 2025-03-02 19:43:41 +01:00
Marc f4a0c0ef31 feat(auth): sso fallback mapping (#3068)
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/3068
Reviewed-by: konrad <k@knt.li>
Co-authored-by: Marc <marc88@free.fr>
Co-committed-by: Marc <marc88@free.fr>
2025-03-02 15:21:09 +00:00
kolaente 4e90c6bb78
chore(deps): update golangci-lint 2025-03-02 13:00:18 +01:00
kolaente 398d0c7ab5
fix: add missing error messages to translations 2025-02-21 17:27:52 +01:00
kolaente bc0c0b103f
feat: validate expand api parameter 2025-01-24 10:09:36 +01:00
kolaente 8d05b5cb01
fix(filters): return more details when the provided filter time zone is invalid 2024-09-30 08:42:16 +02:00
kolaente 4ff8815fe1
fix(subscriptions): cleanup and simplify fetching subscribers for tasks and projects logic
Vikunja now uses one recursive CTE and a few optimizations to fetch all subscribers for a task or project. This makes the relevant code easier to maintain and more performant.
2024-09-04 19:55:17 +02:00
kolaente 2063da9eec
chore(web): move web handler package to Vikunja 2024-08-29 16:15:28 +02:00
Dominik Pschenitschni bc5fd380e5 chore: improve error message 2024-07-21 11:03:20 +00:00
kolaente 8b90eb4a15
fix(views): integration tests 2024-03-19 00:47:51 +01:00
kolaente 398c9f1056
fix(views): return tasks in their buckets 2024-03-19 00:47:48 +01:00
kolaente 006f932dc4
feat(views)!: decouple bucket CRUD from projects 2024-03-19 00:47:47 +01:00
kolaente d1d07f462c
feat(views): sort tasks by their position relative to the view they're in 2024-03-19 00:47:46 +01:00
kolaente b39c5580c2
feat(views): add crud handlers and routes for views 2024-03-19 00:47:45 +01:00
kolaente a5c51d4b1e feat: emoji reactions for tasks and comments (#2196)
This PR adds reactions for tasks and comments, similar to what you can do on Gitea, GitHub, Slack and plenty of other tools.

Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2196
Co-authored-by: kolaente <k@knt.li>
Co-committed-by: kolaente <k@knt.li>
2024-03-12 19:25:58 +00:00
kolaente eebfee73d3
fix(filter): correctly filter for buckets 2024-03-09 19:06:35 +01:00
kolaente c6b682507a
feat(filter): add better error message when passing an invalid filter expression 2024-03-09 19:06:35 +01:00
waza-ari a3154e805c fix(auth): use (issuer, name) to check for uniqueness of oidc teams (#2152)
The change introduced in #2150 introduces a bug where a Team would be re-created every time a user logs in, as the check if a team already exists was based on both the unique `oidcID` and the `name`. This PR proposes to only base the check on the ID, as this should be unique.

Co-authored-by: Daniel Herrmann <daniel.herrmann1@gmail.com>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2152
Reviewed-by: konrad <k@knt.li>
Co-authored-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
Co-committed-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
2024-03-04 20:26:45 +00:00
viehlieb ed4da96ab1 feat: assign users to teams via OIDC claims (#1393)
This change adds the ability to sync teams via a custom openid claim. Vikunja will automatically create and delete teams as necessary, it will also add and remove users when they log in. These teams are fully managed by Vikunja and cannot be updated by a user.

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/1393
Resolves https://kolaente.dev/vikunja/vikunja/issues/1279
Resolves https://github.com/go-vikunja/vikunja/issues/42
Resolves https://kolaente.dev/vikunja/vikunja/issues/950
Co-authored-by: viehlieb <pf@pragma-shift.net>
Co-committed-by: viehlieb <pf@pragma-shift.net>
2024-03-02 08:47:10 +00:00
kolaente 5ab9fb89bb
fix(tasks): check for cycles during creation of task relations and prevent them 2024-02-10 13:30:41 +01:00
kolaente 0ce110fa52
feat(metrics): add active link share logins 2023-12-03 15:12:43 +01:00
kolaente a1ea77f751
feat: accept hex values which start with a # 2023-10-24 16:12:22 +02:00
kolaente 55d345e236
feat(webhooks): validate events and target url 2023-10-20 12:42:28 +02:00
kolaente e3dac16398
feat(api tokens): check permissions when saving 2023-09-01 08:52:57 +02:00
kolaente c88cbaa973
feat(api tokens): properly hash tokens 2023-09-01 08:36:11 +02:00
kolaente e518fb1191
chore: remove year from copyright headers
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
kolaente ef94e0cf86
feat(projects): don't allow deleting or archiving the default project 2023-06-07 21:29:46 +02:00
kolaente 3b0935d033
docs: remove all traces of namespaces 2023-05-24 15:52:33 +02:00
kolaente 9011894a29
feat: check for cycles when creating or updating a project's parent 2023-05-24 15:52:33 +02:00
kolaente f2d943f5c4
fix: add missing error code 2023-05-24 15:52:33 +02:00
kolaente b482664d82
fix(projects): don't allow making a project child of itself 2023-05-24 15:52:32 +02:00
kolaente fef253312c
feat(projects): cleanup namespace leftovers 2023-05-24 15:51:54 +02:00
kolaente aa43127e52
fix: provide a proper error message when viewing a link share with an invalid token 2023-04-17 11:08:38 +02:00
cernst 3f5252dc24 feat: Add relative Reminders (#1427)
Partially resolves #1416

Co-authored-by: ce72 <christoph.ernst72@googlemail.com>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1427
Reviewed-by: konrad <k@knt.li>
Co-authored-by: cernst <ce72@noreply.kolaente.de>
Co-committed-by: cernst <ce72@noreply.kolaente.de>
2023-03-27 20:07:06 +00:00
kolaente 349e6a5905
feat: rename lists to projects 2023-03-13 14:28:06 +01:00
kolaente 008908eb49
fix: make sure a user can only be assigned once to a task
See https://community.vikunja.io/t/task-can-be-assigned-twice-or-more-to-the-same-user/883
2022-10-06 18:22:19 +02:00
kolaente 631a265d2d
feat: add proper checks and errors to see if an attachment belongs to the task it's being used as cover image in 2022-10-05 15:12:29 +02:00