Commit Graph

13348 Commits

Author SHA1 Message Date
kolaente 6207705928 feat: accept API tokens for CalDAV basic auth 2026-03-30 12:09:53 +00:00
kolaente ebec91b356 feat: add HasCaldavAccess method to APIToken 2026-03-30 12:09:53 +00:00
kolaente b0b7c52b15 feat: register caldav permission group for API tokens 2026-03-30 12:09:53 +00:00
renovate[bot] 1c0513de10 chore(deps): update dev-dependencies 2026-03-30 10:24:04 +00:00
kolaente 83bac15841
feat: rename ServiceJWTSecret to ServiceSecret with deprecation (#2502) 2026-03-30 12:07:01 +02:00
Frederick [Bot] fb8c937d77 chore(i18n): update translations via Crowdin 2026-03-29 01:25:40 +00:00
dependabot[bot] 21a450b21f chore(deps): bump serialize-javascript from 7.0.3 to 7.0.5 in /frontend
Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 7.0.3 to 7.0.5.
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](https://github.com/yahoo/serialize-javascript/compare/v7.0.3...v7.0.5)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-28 23:35:34 +00:00
Frederick [Bot] fa2dc8f918 [skip ci] Updated swagger docs 2026-03-28 23:53:53 +00:00
j-hugo 23415c57aa
docs: correct task comment endpoint description and title (#2498) 2026-03-29 00:43:58 +01:00
Frederick [Bot] ffb291c966 chore(i18n): update translations via Crowdin 2026-03-28 01:16:36 +00:00
renovate[bot] 8d958aef62 chore(deps): update dev-dependencies 2026-03-27 23:06:28 +00:00
surfingbytes 73eb8279ae chore: add .pnpm-store to .gitignore 2026-03-27 23:05:32 +00:00
kolaente 649043aceb test: add tests for OAuth 2.0 authorization flow
Add web tests covering the authorize endpoint, token exchange, PKCE
verification, single-use codes, and refresh token rotation. Add unit
tests for redirect URI validation and PKCE. Add E2E test for the full
browser-based authorization code flow with login redirect.

Extract setupApiUrl helper for E2E tests to avoid duplication.
2026-03-27 23:05:04 +00:00
kolaente 0471f8a729 feat: add frontend OAuth authorize route and component
Add /oauth/authorize frontend route with OAuthAuthorize.vue that
handles the OAuth authorization flow: validates required query params,
calls the API to generate an authorization code, and redirects to the
callback URI. Authentication is handled by the standard router guard.
2026-03-27 23:05:04 +00:00
kolaente e5987acf80 feat: register OAuth authorize and token routes
Add POST /api/v1/oauth/authorize (authenticated) and
POST /api/v1/oauth/token (unauthenticated) routes.
2026-03-27 23:05:04 +00:00
kolaente 7827ff64b9 feat: add OAuth 2.0 token endpoint
Add POST /api/v1/oauth/token supporting authorization_code and
refresh_token grant types. Validates PKCE, exchanges codes for
JWT access tokens with refresh token rotation. Uses the shared
RefreshSession helper for the refresh grant.
2026-03-27 23:05:04 +00:00
kolaente 8b379b7466 feat: add OAuth 2.0 authorize endpoint
Add POST /api/v1/oauth/authorize behind auth middleware. Validates
OAuth parameters (response_type, redirect_uri, PKCE), fetches the
authenticated user, creates an authorization code, and returns it
as JSON for the frontend to handle the redirect.
2026-03-27 23:05:04 +00:00
kolaente a6e7475153 feat: add OAuth client validation and PKCE verification
Add redirect URI validation that allowlists vikunja-* custom protocol
schemes, rejecting http/https and dangerous schemes like javascript:.
Add PKCE S256 verification following RFC 7636.
2026-03-27 23:05:04 +00:00
kolaente 71282dcffd feat: add OAuth 2.0 authorization code model and migration
Add the OAuthCode model for storing short-lived authorization codes
with PKCE challenges. Codes are hashed (SHA-256) before storage and
are single-use with a 10-minute expiry. Add the database migration
and OAuth-specific error types.
2026-03-27 23:05:04 +00:00
kolaente 7a258f67c7 refactor: extract shared RefreshSession helper
The cookie-based /user/token/refresh handler had session refresh logic
(lookup, expiry check, token rotation, user fetch, JWT generation)
that will be reused by the OAuth token endpoint. Extract it into
auth.RefreshSession() and rewrite RefreshToken to use it.
2026-03-27 23:05:04 +00:00
kolaente 39e16653aa fix: add ORDER BY to ListUsers query for deterministic ordering
The query had no ORDER BY clause, causing non-deterministic result
ordering on PostgreSQL where row order is not guaranteed.
2026-03-27 23:05:04 +00:00
Frederick [Bot] a2e19f8d38 chore(i18n): update translations via Crowdin 2026-03-27 01:22:35 +00:00
kolaente 112e486314 test: add test for deeply nested TickTick task ordering 2026-03-26 15:08:12 +00:00
kolaente 9b1c52e9e3 fix: sort TickTick tasks so parents come before children
TickTick CSV exports don't guarantee parent tasks appear before their
subtasks. When a child row came first, the shared migration pipeline
tried to create a title-less placeholder for the missing parent, which
failed with 'Task title cannot be empty'.

Resolves go-vikunja/vikunja#2487
2026-03-26 15:08:12 +00:00
kolaente c49636430f test: add failing test for TickTick child-before-parent CSV order 2026-03-26 15:08:12 +00:00
surfingbytes 8e8ffac016
fix(caldav): add tags and sync token to collections (#2482)
Fixes #2401
2026-03-26 10:42:39 +00:00
renovate[bot] 9d8c6a0a72 chore(deps): update dev-dependencies 2026-03-26 09:02:42 +00:00
Miikka Kulmala b89b402bc2
feat: improve wording and UX around CalDAV tokens (#2476) 2026-03-26 10:02:04 +01:00
Frederick [Bot] 39238333dd chore(i18n): update translations via Crowdin 2026-03-26 01:22:26 +00:00
kolaente d207de82ef
fix(deps): override picomatch in desktop to fix ReDoS and method injection vulnerabilities
Adds pnpm override for picomatch >=4.0.4 in the desktop workspace
since pnpm update alone did not resolve the transitive dependency.
2026-03-25 23:34:01 +01:00
kolaente 98ac119f44
fix(deps): update yaml to fix stack overflow vulnerability
Updates yaml from 2.5.0 to 2.8.3 in the frontend workspace to
address stack overflow via deeply nested YAML collections.
2026-03-25 23:33:56 +01:00
kolaente d60e2f6685
fix(deps): update picomatch to fix ReDoS and method injection vulnerabilities
Updates picomatch to 2.3.2 and 4.0.4 in the frontend workspace to
address CVE for ReDoS via extglob quantifiers and method injection
in POSIX character classes.
2026-03-25 23:31:28 +01:00
kolaente 6bc1635a9f
chore(ci): update nix update PR message [skip ci] 2026-03-25 23:25:28 +01:00
kolaente cb07b6608c feat: add CI workflow to auto-update nixpkgs on release
Triggers on release publish or manual dispatch. Uses the nixpkgs
update infrastructure (maintainers/scripts/update.nix) to update
both vikunja and vikunja-desktop, then pushes to the go-vikunja
nixpkgs fork and opens a PR on NixOS/nixpkgs.

Skips early if an open update PR already exists.
2026-03-25 23:23:57 +01:00
kolaente 44d01a0f82 refactor: rename parseTaskText module to quickAddMagic
Rename the frontend parsing module from `parseTaskText` to `quickAddMagic`
for clarity. The module handles much more than text parsing — it's the
core of the quick add magic feature. This rename makes its purpose
immediately obvious and aligns with how the feature is referenced
throughout the UI and documentation.

No logic changes — only directory/file renames and import updates.
2026-03-25 09:38:41 +00:00
kolaente 752ae42879 fix: support merge queue in issue-closed-comment workflow
When a PR is merged via merge queue, the issue close event has no
commit_id and no referenced event. Fall back to the GraphQL
closedByPullRequestsReferences field to find the closing PR.

Also simplifies the commit-to-PR lookup by using
listPullRequestsAssociatedWithCommit instead of iterating all PRs.
2026-03-25 10:20:36 +01:00
kolaente 13be01de9f test: update expected results for archived project propagation
Adjust test assertions to reflect that projects inheriting archived
state from parents are now correctly filtered out of ReadAll results,
task collections, and search results across all database backends.
2026-03-25 09:06:33 +00:00
kolaente e3045dfd00 fix: propagate is_archived from parent to child projects in ReadAll CTE
Replace the Go-side propagateArchivedState function with in-CTE
propagation. The recursive SELECT uses (ap.is_archived OR p.is_archived)
to inherit archived state from parent projects. The outer query uses
GROUP BY with MAX(CAST(is_archived AS int)) to handle projects
accessible via both direct permissions and parent traversal. When
getArchived=false, a HAVING clause filters out archived projects.

The is_archived filter is removed from getUserProjectsStatement so
archived parents enter the CTE and propagation works correctly.
2026-03-25 09:06:33 +00:00
kolaente dca041459f feat: show info when saved homepage filter is ignored for label browsing 2026-03-24 21:55:26 +00:00
kolaente fd4f7accc3 fix: ignore saved homepage filter when browsing by label 2026-03-24 21:55:26 +00:00
kolaente 7208c11556 feat: add translation for saved filter ignored message 2026-03-24 21:55:26 +00:00
kolaente 58d086d553
docs: rewrite CONTRIBUTING.md with setup, workflow, and style guides
Replace the one-liner redirect with a self-contained guide covering
development setup, testing, submitting changes, code style, translations,
and architecture overview.
2026-03-24 21:33:55 +01:00
kolaente 85678082f9 refactor: use xorm's TableInfo to resolve table names
Use engine.TableInfo(bean) instead of manually checking the TableName
interface and falling back to the mapper. This delegates all table name
resolution to xorm's own logic.
2026-03-24 15:33:26 +00:00
kolaente 1e0d29e090 fix: use custom TableName() for dump/restore table resolution
RegisteredTableNames() was using the xorm name mapper to derive table
names from Go struct type names, ignoring custom TableName() methods.
This caused `vikunja dump` to look for `database_notification` instead
of the actual table `notifications`, resulting in a fatal error.

Fixes go-vikunja/vikunja#2464
2026-03-24 15:33:26 +00:00
kolaente 6d2bf1f084 fix: resolve TDZ error on password update settings page
Move the watchEffect call after the validate function declaration
to fix "Cannot access 'c' before initialization" error that occurred
when visiting the password update page with validateInitially=true.

Fixes #2463
2026-03-24 15:17:32 +00:00
renovate[bot] 4b16d72e28 chore(deps): update dev-dependencies 2026-03-24 15:14:31 +00:00
Claude 121fd3c9f1 feat: use openid provider name instead of generic "OIDC" in synced team names
Teams synced from OpenID Connect providers were always named with "(OIDC)"
suffix (e.g., "DevTeam (OIDC)"). This changes it to use the configured
provider name instead (e.g., "DevTeam (Keycloak)"), making it easier to
identify which provider a team came from when multiple OIDC providers are
configured. Existing team names will be updated automatically on next user
login.

https://claude.ai/code/session_012LXXPvYe6i27WTcha1PL7A
2026-03-24 12:30:06 +00:00
Frederick [Bot] 74ecc6fffd chore(i18n): update translations via Crowdin 2026-03-24 01:11:44 +00:00
kolaente 772316b47f
chore: v2.2.2 release preparations 2026-03-23 21:49:15 +01:00
kolaente 74d1bddb3a fix: hide link sharing section in UI for non-admin users 2026-03-23 20:39:31 +00:00