Commit Graph

434 Commits

Author SHA1 Message Date
kolaente d64ca0c777 fix(admin): reload created user before returning in admin create handler
The admin create-user handler returned the in-memory newUser struct directly. On mail-enabled instances with skip_email_confirm=false, user.CreateUser persists the account as email-confirmation-required, but the returned struct still reflects the pre-persist status, so the admin API reported a misleading active status immediately after creation.
2026-04-20 18:55:06 +00:00
kolaente f90ebbf0f4 refactor(license): return typed feature slice for JSON encoding 2026-04-20 18:55:06 +00:00
kolaente d5f4928034 feat(admin): wire up /admin route group with all endpoints 2026-04-20 18:55:06 +00:00
kolaente 9ad9a1e987 refactor(register): use models.RegisterUser helper 2026-04-20 18:55:06 +00:00
kolaente 23c82bd5fa feat(frontend): expose isAdmin on current user and add config feature check 2026-04-20 18:55:06 +00:00
kolaente d32dcf3a78 feat(license): add runtime state snapshot and reload helpers 2026-04-20 18:55:06 +00:00
kolaente 803f625ed7 feat(admin): add create-user endpoint 2026-04-20 18:55:06 +00:00
kolaente 128c0abf59 feat(admin): add user status and delete endpoints with reassign owner 2026-04-20 18:55:06 +00:00
kolaente 4a7cb6a7bf feat(admin): add users/projects list endpoints and is_admin patch 2026-04-20 18:55:06 +00:00
kolaente e7fcbff827 feat(admin): add /admin route group and overview endpoint 2026-04-20 18:55:06 +00:00
kolaente ec1833dbeb feat(license): expose enabled_pro_features on /info 2026-04-20 18:55:06 +00:00
kolaente d208629909 feat(middleware): add RequireFeature and RequireSiteAdmin 404 gates 2026-04-20 18:55:06 +00:00
MidoriKurage 3a5ba17ca0 fix(api/docs): Use Base in redoc template 2026-04-20 14:26:49 +00:00
MidoriKurage e8615efe8e fix(api/docs): Make redoc load docs.json from public URL 2026-04-20 14:26:49 +00:00
kolaente 8578fe3468 feat(api): add GET /projects/:project/tasks/by-index/:index endpoint 2026-04-11 20:44:28 +00:00
kolaente d435c50df3 fix(security): persist TOTP lockout across login rollback
The failed-TOTP handler shared the login request's xorm session, and the
login handler rolled that session back after a failed login. The status
change to StatusAccountLocked was silently discarded, so the account was
never locked regardless of how many failed TOTP attempts arrived.

HandleFailedTOTPAuth now opens its own session and commits independently
of the caller. The login handler rolls back its session before invoking
the handler so the lockout write can acquire a write lock on SQLite
shared-cache.

Also handles the Redis keyvalue backend returning the attempt counter as
a string instead of int64, which would have prevented the lockout path
from ever running on Redis.

See GHSA-fgfv-pv97-6cmj.
2026-04-09 16:08:26 +00:00
kolaente 879462d717 fix(caldav): enforce URL project match in GetResourcesByList
Multiget REPORT requests would happily return tasks from projects
different from the one in the href, even though GetTasksByUIDs now
filters by access. Drop any returned task whose real project_id does
not match the project ID parsed from the href path segment.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 200b787c16 fix(caldav): reject GetResource when URL project mismatches task project
Even with the GetTasksByUIDs authz filter in place, a user with access
to multiple projects could read a task from project B by requesting it
under project A's URL. Enforce that the task's real project_id matches
the project ID parsed from the CalDAV URL path and 404 otherwise.

Adjusts the Delete Subtask test to use the correct URL project for
uid-caldav-test-child-task-2 (which lives in project 38, not 36);
the previous URL only worked because of the authz gap being closed.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
Claude f555762def feat(migration): add generic CSV import with column mapping
Add a new CSV migration module that allows users to import tasks from
any CSV file with custom column mapping and parsing options.

Backend changes:
- New CSV migrator module with detection, preview, and import endpoints
- Auto-detection of delimiter, quote character, and date format
- Suggested column mappings based on column name patterns
- Transactional import using InsertFromStructure

Frontend changes:
- New CSV migration UI with two-step flow (upload -> mapping -> import)
- Column mapping selectors for all task attributes
- Live preview showing first 5 tasks with current mapping
- Parsing option controls for delimiter and date format

The CSV migrator creates a parent "Imported from CSV" project with
child projects based on the project column if provided, or a default
"Tasks" project for tasks without a specified project.
2026-04-07 15:20:06 +00:00
kolaente 1a1fd780ec feat(migration): add WeKan to migration page with logo
Register WeKan in the AvailableMigrators list and add the frontend
migrator entry with the WeKan logo, referenced as "WeKan ®".
2026-04-07 12:05:47 +00:00
kolaente 64aa7a9e75 feat(migration): register WeKan migration routes 2026-04-07 12:05:47 +00:00
kolaente e9a26b9088 feat: add DELETE /test/all endpoint to truncate all tables 2026-04-05 09:48:09 +00:00
kolaente 4cd79088d1 test: add WebSocket e2e tests
Add comprehensive end-to-end tests for the WebSocket system:

- Protocol tests: auth (valid/invalid token, timeout, double auth),
  subscriptions (valid/invalid event, auth required, unsubscribe),
  message delivery (notification on team add, doer exclusion,
  multi-connection)
- Frontend integration tests: notification badge update, dropdown
  rendering, and logout cleanup via browser-level Playwright tests
- Comment notification test: full flow where user B mentions user A
  in a task comment and user A receives real-time WebSocket notification

Includes ws test dependency, shared test helper utilities, and
cascade-truncation of notifications when truncating users to prevent
test pollution.
2026-04-02 16:30:23 +00:00
kolaente 55ea5bd966 refactor(auth): extract shared token validation into auth package
Move JWT parsing (GetUserIDFromToken) and API token validation
(ValidateAPITokenString) into pkg/modules/auth so both HTTP middleware
and WebSocket auth use the same logic. This ensures consistent token
validity checks including expiry and user status (disabled/locked).

The HTTP API token middleware now delegates to the shared function,
removing duplicated lookup/expiry logic.
2026-04-02 16:30:23 +00:00
kolaente 0139e9a2ab feat(websocket): add HTTP upgrade handler and /api/v1/ws route
Add the WebSocket upgrade endpoint at /api/v1/ws with CORS origin
verification using the configured allowed origins. Includes nil hub
guard returning 503 if the WebSocket system hasn't been initialized.

Register the hub initialization in the app startup sequence and wire
the upgrade handler into the Echo router.
2026-04-02 16:30:23 +00:00
kolaente 111090d12c refactor: use embed fs for redoc UI and update to latest version
Move the redoc HTML template and JavaScript bundle out of the Go const
in docs.go into separate files under pkg/routes/api/v1/redoc/, using
Go's embed directive. Update redoc.standalone.js to the latest version.
The JS is now served on a separate route (/api/v1/docs/redoc.standalone.js)
to keep the HTML and JS cleanly separated.
2026-03-30 15:09:54 +00:00
kolaente 9884d933fc refactor: extract shared API token validation into ValidateTokenAndGetOwner 2026-03-30 12:09:53 +00:00
kolaente 6207705928 feat: accept API tokens for CalDAV basic auth 2026-03-30 12:09:53 +00:00
kolaente 83bac15841
feat: rename ServiceJWTSecret to ServiceSecret with deprecation (#2502) 2026-03-30 12:07:01 +02:00
kolaente e5987acf80 feat: register OAuth authorize and token routes
Add POST /api/v1/oauth/authorize (authenticated) and
POST /api/v1/oauth/token (unauthenticated) routes.
2026-03-27 23:05:04 +00:00
kolaente 7a258f67c7 refactor: extract shared RefreshSession helper
The cookie-based /user/token/refresh handler had session refresh logic
(lookup, expiry check, token rotation, user fetch, JWT generation)
that will be reused by the OAuth token endpoint. Extract it into
auth.RefreshSession() and rewrite RefreshToken to use it.
2026-03-27 23:05:04 +00:00
surfingbytes 8e8ffac016
fix(caldav): add tags and sync token to collections (#2482)
Fixes #2401
2026-03-26 10:42:39 +00:00
kolaente 6aef5aff62 fix: strip BasicAuth credentials from user webhook API responses 2026-03-23 16:35:47 +00:00
kolaente 8409bdb120 refactor(user): export IsErrUserStatusError for use across packages
Make isErrUserStatusError public and replace all verbose
!IsErrAccountDisabled(err) && !IsErrAccountLocked(err) checks
with the shorter IsErrUserStatusError(err) call.
2026-03-23 12:06:16 +00:00
kolaente cd6148511a fix(auth): reject disabled/locked users in API token middleware
checkAPITokenAndPutItInContext now returns 401 Unauthorized when the
token owner's account is disabled or locked, instead of a 500 error.
Also fixes the API token test to match the actual middleware behavior.
2026-03-23 12:06:16 +00:00
kolaente 8b614a4cb3 test: verify disabled user is rejected via CalDAV auth
Also fix BasicAuth to check for status errors from checkUserCaldavTokens
before falling through to password-based auth.
2026-03-23 12:06:16 +00:00
kolaente ea4ba18def fix(user): handle status errors across the codebase, remove redundant checks 2026-03-23 12:06:16 +00:00
kolaente cdf5d30a42 fix: reject CalDAV basic auth when TOTP is enabled 2026-03-20 12:22:27 +00:00
kolaente 4c80932b64 fix: block login for StatusAccountLocked users 2026-03-20 11:23:21 +00:00
kolaente a498dd6991 fix: configure Echo IPExtractor to prevent rate limit bypass via spoofed headers 2026-03-20 11:08:00 +00:00
kolaente 4cd63f93a4 fix: use file mime type instead of hardcoded application/zip in S3 export 2026-03-20 10:59:44 +01:00
kolaente 0e1f44e57e refactor: replace afero with FileStorage interface
Replace the github.com/spf13/afero dependency with a purpose-built
FileStorage interface (Open, Write, Stat, Remove, MkdirAll) with three
implementations: localStorage (with basePath), s3Storage (with key
prefix), and memStorage (for tests).

Each implementation owns its base path — callers pass only file IDs.
Delete s3fs.go, change File.File from afero.File to io.ReadCloser,
and fix duplication flows to buffer content for seeking.
2026-03-20 10:59:44 +01:00
maggch b0ede53c05 fix: handle S3 backend in user export download
http.ServeContent requires io.ReadSeeker which S3 files don't support.
Add S3 branch using io.Copy with explicit headers, matching the pattern
already used in task attachment downloads.

Refs: #2347

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-20 10:59:44 +01:00
Henry Cole e7f1e99878
fix(caldav): use /dav/projects/ as home to make iOS/MacOS reminders work (#2417)
Resolves issue #475 by modifying CalDAV discovery so Apple Reminders can
use /dav/projects/ as the home set without exposing that synthetic path
as a real task list, preserving the existing principal-based flow. This
is because Apple Reminders defaults back to the /dav/projects/ URL,
rather than accepting the /dav/principals/username/ URL specified in
Vikunja.

Resolves #475
2026-03-20 09:33:56 +00:00
kolaente 3bc0093686 fix: invalidate all sessions when enabling TOTP
When a user enables two factor authentication, all existing sessions are
now invalidated, requiring re-authentication. This prevents pre-existing
sessions from bypassing 2FA. The frontend now shows a notice explaining
the logout before the user confirms, and properly logs out after enabling.

Ref: GHSA-pgc7-cmvg-mvp4
2026-03-19 12:27:44 +01:00
Tink ada2ebab9e
fix: preserve CalDAV inverse relations when parent has no RELATED-TO (#2389)
- Fixes `removeStaleRelations` in CalDAV storage provider to only remove
relations of kinds explicitly declared in the incoming VTODO's
`RELATED-TO` properties
- When a VTODO has no `RELATED-TO` at all (e.g., a parent task from
Tasks.org), no relations are removed — they were auto-created as
inverses by child tasks
- When a VTODO declares specific relation kinds (e.g.,
`RELATED-TO;RELTYPE=PARENT`), only relations of that kind are checked
for staleness; other kinds (like auto-created `subtask` inverses) are
preserved

Fixes #2383

---------

Co-authored-by: kolaente <k@knt.li>
2026-03-11 09:40:09 +01:00
kolaente 47a0775c73 feat: add API routes for user-level webhooks
Add CRUD endpoints for user-level webhooks under /user/settings/webhooks.
Users can create webhooks that fire on user-directed events (task.reminder.fired,
task.overdue, tasks.overdue). Includes proper permission checks via
canDoWebhook which loads webhook ownership from DB.
2026-03-08 19:45:53 +01:00
kolaente f9cb0a2de1 fix: include remote IP address in HTTP request logs 2026-03-04 23:47:40 +01:00
kolaente b5086febc7 docs: update user search endpoint description for external team bypass 2026-03-04 20:32:11 +01:00
Weijie Zhao 54d977532e
fix: allow browser caching for file downloads (#2349) 2026-03-04 17:43:03 +01:00