Commit Graph

12762 Commits

Author SHA1 Message Date
kolaente 728a3e4f7b fix(files): require io.ReadSeeker for S3 uploads, remove temp file fallback
The S3 upload path used temp files (vikunja-s3-upload-*) to buffer
non-seekable readers. In Docker containers with restrictive permissions,
these temp files could not be created, causing "permission denied"
errors for avatar and background image uploads.

By changing the file storage API (Create, CreateWithMime,
CreateWithMimeAndSession, Save) to require io.ReadSeeker instead of
io.Reader, the temp file fallback is no longer needed and is removed.
This enforces at the type level that all callers provide seekable
readers, preventing this class of bug from recurring.

Closes go-vikunja/vikunja#2185
2026-02-08 15:31:25 +01:00
kolaente 7fce4694fa
refactor(db): extract testable ResolveDatabasePath function (#2193)
Add DatabasePathConfig struct and ResolveDatabasePath function that
takes all dependencies as parameters, making it easier to test path
resolution logic in isolation. Should also fix the reported cases.

Resolves #2189
2026-02-08 10:47:57 +00:00
kolaente 8830dc56ad chore(deps): update lodash to 4.17.23 2026-02-08 11:35:27 +01:00
kolaente 32ef651486 chore(deps): update node-tar 2026-02-08 11:32:53 +01:00
kolaente 5cb1787dd6 chore(deps): update @isaacs/brace-expansion to 5.0.1 2026-02-08 11:31:22 +01:00
kolaente cdca790325 fix: guard against undefined route.name in auth layout check
route.name can be undefined during initial route resolution or for
unnamed routes. Without this guard, AUTH_ROUTE_NAMES.has() would
return false and the authenticated layout could flash briefly.
2026-02-06 10:58:50 +01:00
kolaente e9a6abfe44 refactor: extract auth route names into shared constant
Move the list of authentication route names (login, register, password
reset, openid, link-share) into a shared constant in
src/constants/authRouteNames.ts. Use it in both App.vue (layout gate)
and router/index.ts (auth redirect guard) to keep them in sync.
2026-02-06 10:58:50 +01:00
kolaente 5d9f62cc93 fix: prevent auth layout swap while still on login/register route
The v-if in App.vue switches to the authenticated layout (navbar +
sidebar) as soon as authStore.authUser becomes truthy. But Vue's
reactivity flush runs before the await continuation in submit(), so
the layout swaps while the route is still /login, causing the login
form to flash inside the authenticated shell for ~250ms.

Fix by adding a route check: don't show the authenticated layout while
the current route is an auth page (login, register, password reset,
openid). The NoAuthWrapper stays visible until redirectIfSaved()
navigates away, then the authenticated layout renders cleanly.
2026-02-06 10:58:50 +01:00
kolaente 0e2ea5c42a fix: avoid clearing saved redirect in onBeforeMount to prevent race with submit
When Login.vue re-mounts inside the authenticated layout after a
successful login, its onBeforeMount hook fires again. If it calls
redirectIfSaved(), it clears the saved route from localStorage before
the submit() handler's redirectIfSaved() can use it, causing a redirect
to home instead of the saved route. Use router.push({name: 'home'})
directly since the only purpose here is to redirect already-authenticated
users away from the login page.
2026-02-06 10:58:50 +01:00
kolaente b3e95e9f4e test: add E2E test for login form flash regression 2026-02-06 10:58:50 +01:00
kolaente dcff454755 fix: redirect immediately after registration to prevent form flash in app shell 2026-02-06 10:58:50 +01:00
kolaente 8bccf21a81 fix: redirect immediately after login to prevent form flash in app shell 2026-02-06 10:58:50 +01:00
kolaente 77b8403c24 fix: iterate past rejected middle matches in matchDateAtBoundary()
When the first regex match is a rejected middle-of-text date, continue
searching for subsequent matches instead of returning null. This fixes
cases like "The 9/11 Report due 10/12" where 9/11 is rejected but
10/12 at the end should still be parsed.
2026-02-06 10:57:50 +01:00
kolaente 3f0bf71d30 fix: allow middle-of-text dates when followed by time expressions (#2195)
Reworked matchDateAtBoundary() to use a single regex pass instead of
two-pass start/end anchoring. Middle-of-text matches are now accepted
when followed by a time expression (at/@ prefix), so inputs like
"meeting 9/11 at 10:00" still parse correctly while "The 9/11 Report"
is rejected.
2026-02-06 10:57:50 +01:00
kolaente cee258edc3 refactor: remove unnecessary comment from getDateFromText() 2026-02-06 10:57:50 +01:00
kolaente 61448bb028 refactor: remove unnecessary flags parameter from matchDateAtBoundary() 2026-02-06 10:57:50 +01:00
kolaente c544886524 test: add positive boundary tests for date parsing (#2195) 2026-02-06 10:57:50 +01:00
kolaente 829b10bfd2 test: add dot-separated middle-of-text date false positive test (#2195) 2026-02-06 10:57:50 +01:00
kolaente a82efa01b5 fix: restrict numeric date regex matching to text boundaries (#2195) 2026-02-06 10:57:50 +01:00
kolaente 1013305fc6 feat: add matchDateAtBoundary() helper for position-aware date matching (#2195) 2026-02-06 10:57:50 +01:00
kolaente e9b10e67f3 test: add failing tests for middle-of-text date false positives (#2195) 2026-02-06 10:57:50 +01:00
kolaente ae3dd6923b fix(build): normalize comma-separated TAGS to prevent build failure 2026-02-05 23:57:28 +01:00
kolaente b741c2d891 fix: add touch CSS properties to list view for mobile drag-and-drop
Adds user-select, touch-action, and webkit-touch-callout CSS to the list
view's draggable task items, matching what KanbanCard.vue already has.

Without these properties, the browser's native long-press text selection
fires before SortableJS's 1-second touch delay expires, preventing drag
from ever starting on mobile devices.

Ref: https://community.vikunja.io/t/missing-positioning-option-in-list-view/4278
2026-02-05 23:51:38 +01:00
kolaente a1d5b634b9 fix(build): add osusergo tag to prevent SIGFPE crash under systemd
When running Vikunja as a systemd service without HOME set, the AWS SDK's
init() function calls os/user.Current() which uses CGO's getpwuid_r().
This can cause a SIGFPE crash in certain restricted environments.

Adding the osusergo build tag forces Go to use its pure implementation
that parses /etc/passwd directly, avoiding the problematic CGO call.

Fixes #2170
2026-02-05 23:38:25 +01:00
Frederick [Bot] 1ddb4f1438 chore(i18n): update translations via Crowdin 2026-02-03 01:15:10 +00:00
kolaente acbf751ba0
feat(doctor): add user namespace detection and improved storage diagnostics (#2180)
This PR adds support for detecting and handling Linux user namespaces (commonly used in rootless Docker containers) and improves error diagnostics when file storage validation fails.

Docs PR: https://github.com/go-vikunja/website/pull/289

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-02-01 11:57:35 +01:00
Frederick [Bot] 2becfcc597 chore(i18n): update translations via Crowdin 2026-01-31 01:08:04 +00:00
Frederick [Bot] e6e7b26a6e [skip ci] Updated swagger docs 2026-01-30 14:14:52 +00:00
rhclayto cf029cef0c
feat: add option to send Basic Auth header with webhook requests (#2137)
Resolves https://github.com/go-vikunja/vikunja/issues/2136
Docs PR: https://github.com/go-vikunja/website/pull/284
2026-01-30 15:07:31 +01:00
kolaente a89b1bed85
feat(doctor): add detailed file diagnostics for local storage (#2179)
When using local file storage, the doctor command now reports:
- Whether the files directory exists
- Directory permissions (octal mode)
- Directory owner and group with uid/gid (Unix)
- Ownership mismatch warning if Vikunja runs as a different user
- Total number of stored files and their combined size

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-01-30 10:23:39 +00:00
Frederick [Bot] f7503c0bfe chore(i18n): update translations via Crowdin 2026-01-29 01:11:11 +00:00
kolaente e4b99dd31f
fix(nav): show shared sub-projects in sidebar when the parent is inaccessible (#2176)
Fixes #2175
2026-01-28 16:09:46 +00:00
kolaente 6087d7454c docs(agents): include go tips [skip ci] 2026-01-27 22:16:22 +01:00
kolaente 3ba5192b1b chore: v1.0.0 release preparations 2026-01-27 18:17:33 +01:00
kolaente e5da54e58a fix(editor): prevent crash when exiting edit mode in tiptap
Use v-show instead of v-if for EditorToolbar and BubbleMenu to avoid
a race condition between Vue's DOM reconciliation and tiptap's internal
DOM manipulation during unmount. This fixes the "Cannot read properties
of null (reading 'insertBefore')" error that occurred when saving a
task description.

Adds regression test to verify the fix.

Upstream issue: https://github.com/ueberdosis/tiptap/issues/7342
Fixes: https://github.com/go-vikunja/vikunja/issues/1770
2026-01-27 14:03:02 +01:00
renovate[bot] f216fea2b3 fix(deps): update tiptap to v3.17.0 2026-01-27 14:03:02 +01:00
XiangCany d238385199
fix(files): make sure base directory exists when using local file system (#2166)
Resolves  #2162
2026-01-27 13:11:44 +01:00
kolaente 3aa1e90d7f
feat: add vikunja doctor command for diagnostic checks (#2165)
Add a new `vikunja doctor` CLI command that performs diagnostic checks.

Checks performed:

- **System**: Version, Go version, OS/arch, running user, working
directory
- **Configuration**: Config file path, public URL, JWT secret, CORS
origins
- **Database**: Connection test, server version
(SQLite/MySQL/PostgreSQL)
- **Files**: Storage path, writability, disk space (Unix only)
- **Optional services** (when enabled):
  - Redis: Connection ping
  - Typesense: Health endpoint
  - Mailer: SMTP connection
  - LDAP: Bind authentication test
  - OpenID Connect: Discovery endpoint for each configured provider
2026-01-27 09:12:31 +00:00
kolaente d61caab168 feat: add required checkbox to confirm issue search before submission
Adds a pre-submission checklist to both bug report and feature request
templates requiring users to confirm they have searched for existing
issues before opening a new one.
2026-01-27 08:54:22 +01:00
kolaente 28593e6460
fix: use dark shadows for email template in dark mode (#2155) 2026-01-26 15:46:44 +01:00
kolaente 72a928dcce chore: use correct repo and issue url 2026-01-26 12:21:24 +01:00
renovate[bot] 662f3a1ea8
chore(deps): update dev-dependencies (major) (#1375) 2026-01-25 21:54:47 +01:00
renovate[bot] 5b0960e5e7
fix(deps): update module github.com/redis/go-redis/v9 to v9.17.3 (#2153)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/redis/go-redis/v9](https://redirect.github.com/redis/go-redis)
| `v9.17.2` → `v9.17.3` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fredis%2fgo-redis%2fv9/v9.17.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fredis%2fgo-redis%2fv9/v9.17.2/v9.17.3?slim=true)
|

---

### Release Notes

<details>
<summary>redis/go-redis (github.com/redis/go-redis/v9)</summary>

###
[`v9.17.3`](https://redirect.github.com/redis/go-redis/releases/tag/v9.17.3):
9.17.3

[Compare
Source](https://redirect.github.com/redis/go-redis/compare/v9.17.2...v9.17.3)

#### 🐛 Bug Fixes

- **Connection Pool**: Fixed zombie `wantConn` elements accumulation in
`wantConnQueue` that could cause resource leaks in high concurrency
scenarios with dial failures
([#&#8203;3680](https://redirect.github.com/redis/go-redis/pull/3680))
by [@&#8203;cyningsun](https://redirect.github.com/cyningsun)
- **Stream Commands**: Fixed `XADD` and `XTRIM` commands to use exact
threshold (`=`) when `Approx` is false, ensuring precise stream trimming
behavior
([#&#8203;3684](https://redirect.github.com/redis/go-redis/pull/3684))
by [@&#8203;ndyakov](https://redirect.github.com/ndyakov)
- **Connection Pool**: Added `ConnMaxLifetimeJitter` configuration to
distribute connection expiration times and prevent the thundering herd
problem when many connections expire simultaneously
([#&#8203;3666](https://redirect.github.com/redis/go-redis/pull/3666))
by [@&#8203;cyningsun](https://redirect.github.com/cyningsun)
- **Client Options**: Added `DialerRetries` and `DialerRetryTimeout`
fields to `ClusterOptions`, `RingOptions`, and `FailoverOptions` to
allow configuring connection retry behavior for cluster, ring, and
sentinel clients
([#&#8203;3686](https://redirect.github.com/redis/go-redis/pull/3686))
by
[@&#8203;naveenchander30](https://redirect.github.com/naveenchander30)

#### Contributors

We'd like to thank all the contributors who worked on this release!

[@&#8203;cyningsun](https://redirect.github.com/cyningsun),
[@&#8203;naveenchander30](https://redirect.github.com/naveenchander30),
and [@&#8203;ndyakov](https://redirect.github.com/ndyakov)

***

**Full Changelog**:
<https://github.com/redis/go-redis/compare/v9.17.2...v9.17.3>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/go-vikunja/vikunja).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-25 15:41:10 +01:00
kolaente b21c9acb0d fix(routes): restore SPA routing after Echo v5 upgrade
In Echo v5, the 404 error for unmatched routes implements the
HTTPStatusCoder interface but is not a *HTTPError. This caused
the static middleware to fail to catch 404s and serve index.html
for SPA routes, leading to reloading SPA routes returning 404.

Caused by regression introduced in 9a61453e8.

Fixes #2149
Fixes #2152
2026-01-25 11:07:48 +01:00
renovate[bot] 233908b30b
chore(deps): update dependency sass-embedded to v1.97.3 (#2150)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [sass-embedded](https://redirect.github.com/sass/embedded-host-node) |
[`1.97.2` →
`1.97.3`](https://renovatebot.com/diffs/npm/sass-embedded/1.97.2/1.97.3)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/sass-embedded/1.97.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/sass-embedded/1.97.2/1.97.3?slim=true)
|

---

### Release Notes

<details>
<summary>sass/embedded-host-node (sass-embedded)</summary>

###
[`v1.97.3`](https://redirect.github.com/sass/embedded-host-node/blob/HEAD/CHANGELOG.md#1973)

[Compare
Source](https://redirect.github.com/sass/embedded-host-node/compare/1.97.2...1.97.3)

- Fix a bug where nesting an at-rule within multiple style rules in
plain CSS
  could cause outer style rules to be omitted.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3
* * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/go-vikunja/vikunja).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-25 08:59:41 +01:00
kolaente 375eb37cf3 chore: v1.0.0-rc4 release preparations 2026-01-24 21:11:50 +01:00
kolaente ee4b5a63f4 feat(dev): add mage command to release 2026-01-24 20:41:21 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
renovate[bot] 83474b76d3
fix(deps): update dependency @sentry/vue to v10.36.0 (#2147)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[@sentry/vue](https://redirect.github.com/getsentry/sentry-javascript/tree/master/packages/vue)
([source](https://redirect.github.com/getsentry/sentry-javascript)) |
[`10.35.0` →
`10.36.0`](https://renovatebot.com/diffs/npm/@sentry%2fvue/10.35.0/10.36.0)
|
![age](https://developer.mend.io/api/mc/badges/age/npm/@sentry%2fvue/10.36.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@sentry%2fvue/10.35.0/10.36.0?slim=true)
|

---

### Release Notes

<details>
<summary>getsentry/sentry-javascript (@&#8203;sentry/vue)</summary>

###
[`v10.36.0`](https://redirect.github.com/getsentry/sentry-javascript/compare/10.35.0...10.36.0)

[Compare
Source](https://redirect.github.com/getsentry/sentry-javascript/compare/10.35.0...10.36.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/go-vikunja/vikunja).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-24 19:30:26 +01:00
kolaente ff01f8e859
feat(api-tokens): support title and scopes query parameters (#2143)
This allows external integrations to link directly to the API token creation page with pre-selected title and permission scopes. URLs can now use `?title=Name&scopes=group:perm,group:perm` format to pre-populate the form.

Example URL:
```
/user/settings/api-tokens?title=My%20Integration&scopes=tasks:create,tasks:delete,projects:read_all
```
2026-01-24 18:08:23 +00:00