Commit Graph

1306 Commits

Author SHA1 Message Date
kolaente a08667b669 feat(frontend): upgrade Tailwind CSS from v3 to v4
- Replace tailwindcss v3 with tailwindcss v4 + @tailwindcss/vite plugin
- Create dedicated tailwind.css entry with granular imports (skip preflight)
- Use CSS-first config with prefix(tw) instead of JS config
- Switch from PostCSS plugin to Vite plugin for better performance
- Update class prefix from tw- (dash) to tw: (colon) in all Vue files
- Remove @tailwind directives from global.scss
- Delete tailwind.config.js (replaced by CSS directives)
- Update stylelint at-rules for v4 directives
2026-03-03 11:46:18 +01:00
kolaente 1ba6a74383
fix(nav): project drag handle position
Resolves https://community.vikunja.io/t/color-ordering-menu-overlapping/4289
2026-03-02 11:38:45 +01:00
Weijie Zhao 7297682cad
fix: remove invalidateAvatarCache call that broke request deduplication (#2317)
When multiple avatar components mount with alternating sizes (e.g. 48
and 20), invalidateAvatarCache clears pending requests for ALL sizes of
the same user, causing each call to create a new HTTP request instead of
reusing the pending one.

I noticed this issue when I open a task with 20 comments, the avatar
requests make the service OOM.

<img width="733" height="551" alt="image"
src="https://github.com/user-attachments/assets/db45db31-294c-4363-ad27-38d454b5a6a2"
/>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-02 09:18:20 +01:00
kolaente 15aa773212
fix(frontend): add horizontal overflow handling to tables on mobile
Wraps all tables that were missing overflow handling in a
`has-horizontal-overflow` div to prevent horizontal overflow on mobile
viewports.

Affected components:
- Sessions.vue
- ApiTokens.vue
- ProjectSettingsWebhooks.vue
- LinkSharing.vue
- UserTeam.vue
- EditTeam.vue
- ProjectSettingsViews.vue

Fixes https://github.com/go-vikunja/vikunja/issues/2331
2026-03-02 08:35:35 +01:00
Frederick [Bot] 6076384b1f chore(i18n): update translations via Crowdin 2026-03-01 01:21:13 +00:00
Frederick [Bot] 059958b839 chore(i18n): update translations via Crowdin 2026-02-27 01:10:46 +00:00
kolaente 838254bb51
feat(multiselect): add green plus icon and always-visible hint to create option
Make the "create new" option in multiselect dropdowns visually distinct
from regular search results by adding a green plus icon and making the
hint text always visible instead of only on hover.
2026-02-26 17:37:11 +01:00
kolaente c4ec7f032f
feat(checklist): show green progress circle when all checkboxes are done 2026-02-26 17:07:03 +01:00
kolaente 80759831ec
fix(editor): use overflow-wrap instead of word-break for text wrapping
word-break: break-all breaks text at any character, causing mid-word
breaks even when the word could fit on the next line. overflow-wrap:
break-word wraps at word boundaries first and only breaks mid-word
when a single word exceeds the container width.
2026-02-26 16:30:55 +01:00
kolaente a11d705571 feat(frontend): use Password component in password update settings
Replace FormField with Password component for new password input:
- Provides real-time validation feedback (8-72 char requirement)
- Remove redundant password confirmation field
- Disable save button when form is invalid (validation errors or empty fields)
2026-02-25 13:44:56 +01:00
kolaente 111ac9c726 fix: prevent XSS via innerHTML injection in link edit prompt
Replace innerHTML with DOM API calls in inputPrompt.ts. The oldValue
parameter (sourced from a link's href attribute in the TipTap editor)
was interpolated directly into an HTML string, allowing stored XSS if
an attacker crafted a malicious href. Using document.createElement and
setting .value as a property ensures the value is never parsed as HTML.
2026-02-25 12:01:57 +01:00
kolaente a42b4f37bd fix: prevent reflected HTML injection via filter URL parameter
TipTap's setContent() parses strings as HTML via DOMParser, allowing
crafted ?filter= URL parameters to inject SVG phishing buttons, anchor
tags, and formatted content into the trusted UI.

Use ProseMirror JSON document format instead of raw strings so the
filter value is always set as a text node, bypassing HTML parsing
entirely.
2026-02-25 12:01:57 +01:00
kolaente be1db018fe feat: add frontend session management with refresh tokens
- Session model, type interface, and API service
- Sessions settings page showing active sessions with device info,
  IP address, last active time, and current session indicator
- Auth store updated to use cookie-based refresh tokens for user
  sessions and JWT-based renewal for link shares
- refreshToken() uses Web Locks API to coordinate across browser
  tabs — only one tab performs the refresh, others adopt the result
- 401 response interceptor with automatic retry: detects expired JWT
  (error code 11), refreshes the token, and replays the request
- Interceptor gated to user JWTs only (link shares skip refresh)
- checkAuth() attempts cookie refresh when JWT is expired, allowing
  seamless session resumption after short TTL expiry
- Proactive token refresh on page focus/visibility via composable
- renewToken() tolerates refresh failures when JWT is still valid
2026-02-25 10:30:25 +01:00
kolaente 4325eae4d4
fix(tasks): show drag handle icon on mobile devices (#2286)
Resolves https://github.com/go-vikunja/vikunja/issues/2228
2026-02-24 14:37:33 +01:00
kolaente 7c04d44e2e
fix: wait for router before dismissing loading screen
The loading screen was dismissed as soon as auth check completed, but
before Vue Router's initial navigation finished. This caused route.name
to be undefined momentarily, making showAuthLayout evaluate to false
and briefly flashing the NoAuthWrapper (login shell) before the
authenticated layout appeared.

Wait for router.isReady() before setting ready = true so the loading
screen stays visible until the route is fully resolved.
2026-02-24 13:13:30 +01:00
kolaente f7a93e4ca3
fix: prevent cursor reset when typing in filter input (#2287)
Fixes #2268
2026-02-24 11:50:45 +00:00
kolaente 9e633b3e82 fix(task): disable Confirm button when no date is selected in absolute reminder picker
Prevents emitting a reminder with reminder=null/relativeTo=null when
the user clicks Confirm without selecting a date first.

Refs #2208
2026-02-24 11:57:39 +01:00
kolaente b65773eb8f fix(task): require explicit confirmation before saving reminders
Prevent reminders from being saved to the API until the user clicks
Confirm, matching the behavior of the due/start/end date pickers.

- Remove @update:modelValue handler on DatepickerInline so date/time
  changes only update local state
- Change Confirm button condition from showFormSwitch to activeForm so
  it renders even when defaultRelativeTo is null
- Add confirmAndClose function that handles both absolute and relative
  reminder forms
- Remove debounce (useDebounceFn) since saves are now user-initiated

Refs #2208
2026-02-24 11:57:39 +01:00
kolaente 56eb5d3740
fix: show tasks spanning entire gantt date range
Tasks whose start date is before and end date is after the visible
gantt range were not shown because the API filter only checked whether
individual date fields fell within the range. Add a fourth filter
clause to match tasks that fully encompass the visible date range.

Fixes go-vikunja/vikunja#2269
2026-02-24 11:51:13 +01:00
kolaente a13ecbd3cc
fix: prevent browser from caching API responses
Without explicit Cache-Control headers, browsers may heuristically cache
API JSON responses. This causes stale data to be served on normal page
refresh (F5) — for example, projects newly shared with a team not
appearing until the user performs a hard refresh (Ctrl+Shift+R).

Add Cache-Control: no-store to all API responses via middleware and
configure the service worker's NetworkOnly strategy to explicitly bypass
the browser HTTP cache for API requests.

Ref: https://community.vikunja.io/t/team-members-cannot-see-project/1876
2026-02-24 10:37:49 +01:00
Frederick [Bot] 19ccc3cb8e chore(i18n): update translations via Crowdin 2026-02-24 01:13:27 +00:00
kolaente 4cee2cf128 fix: reset throttle on logout so checkAuth clears auth state
logout() calls checkAuth() to clear the authenticated flag and user
info. But since checkAuth() likely ran within the last minute (on the
navigation that triggered logout), the now-working throttle would
return early, leaving authenticated=true in the store despite the
token being removed. This could cause Login.vue to redirect back
to home.

Resetting lastUserInfoRefresh to null before checkAuth() ensures
the logout flow always runs fully.
2026-02-21 23:08:24 +01:00
kolaente 65806df605 fix: keep token expiry in sync when skipping setUser from JWT
When the setUser call is skipped for an already-loaded user,
info.value.exp was never updated with the renewed token's expiry.
This caused useRenewTokenOnFocus to compute a stale expiresIn,
eventually forcing a logout even though the token was still valid.

Now we always update exp from the JWT, even when skipping the
full setUser call.
2026-02-21 23:08:24 +01:00
kolaente 1d420dd1dc fix: don't overwrite user info with incomplete JWT data on navigation
The JWT token only contains id, username, type, and exp — not the
display name. Previously, every route navigation called setUser() with
this incomplete data, causing the display name to flash to the username
before the API call completed and restored the full name.

Now we skip setUser() if a complete user object with the same ID is
already loaded.

Fixes https://github.com/go-vikunja/vikunja/issues/2270
2026-02-21 23:08:24 +01:00
kolaente a11cde1afc fix: correct broken throttle in checkAuth that never triggered
The throttle checked `lastUserInfoRefresh > now + 1 minute` which is
never true since lastUserInfoRefresh is set to the current time.
Changed to `now - 1 minute` so the check actually prevents redundant
API calls within a one-minute window.
2026-02-21 23:08:24 +01:00
kolaente 1dc625f9e8 test: add unit tests for getDisplayName 2026-02-21 23:08:24 +01:00
Frederick [Bot] 05ff67b681 chore(i18n): update translations via Crowdin 2026-02-21 01:09:54 +00:00
Massimo Nadalin 8fd256a5d9
feat: clickable task notifications (#2258)
Make task-related notifications clickable, allowing users to directly
open the corresponding task.
2026-02-20 22:34:53 +00:00
Frederick [Bot] a8d3594ceb chore(i18n): update translations via Crowdin 2026-02-20 01:12:20 +00:00
kolaente bc2f7e5840
fix: break long continuous strings in editor to prevent overflow
Fixes https://github.com/go-vikunja/vikunja/issues/2266
2026-02-19 16:11:43 +01:00
kolaente df05c51457
fix: clamp gantt bar title position when task starts before visible range
Resolves go-vikunja/vikunja#149
2026-02-19 16:08:52 +01:00
kolaente 7862651b12
fix: don't show export ready message when no export exists
The API returns an empty object {} with 200 status when no export
exists. This truthy value was being set as exportInfo, causing the
"ready for download" message and button to render with a blank date.
2026-02-19 16:01:32 +01:00
William Guinaudie bf8138ec3c
feat: add discard and reload confirmation modal (#2154) 2026-02-19 14:27:27 +01:00
kolaente 6555595a5c feat(comments): add sort order toggle for task comments
Allow users to switch between oldest-first and newest-first comment
ordering via a toggle button in the comments heading. The preference is
persisted as a frontend setting (commentSortOrder) and passed to the API
as the order_by query parameter so pagination works correctly.

When all comments fit on a single page, toggling reverses them
client-side to avoid an extra API call. New comments are inserted at the
correct position based on the active sort order, and in newest-first
mode the view scrolls to the top after adding a comment.

Link-share users fall back to a local (non-persisted) sort order since
they cannot save user settings.
2026-02-19 14:20:52 +01:00
kolaente 50d7458519 feat(attachments): open file picker directly from sidebar button
Clicking the sidebar "Attachments" button (or pressing `f`) now opens
the browser file picker directly, eliminating the redundant two-step
flow of first revealing the section and then clicking upload.
2026-02-19 12:56:46 +01:00
kolaente 362962e81e fix(gantt): only persist dates that actually exist on partial-date tasks
Previously drag/resize always set both startDate and endDate, which
would persist the synthetic 7-day span and convert an open-ended task
into a fully-dated one. Now only the date fields that originally exist
on the task are updated.
2026-02-18 23:04:21 +01:00
kolaente ceb62c63d3 refactor(gantt): extract GanttBarDateType as reusable type 2026-02-18 23:04:21 +01:00
kolaente 6f8be0905f fix(gantt): sync task updates from detail view back to gantt chart
The Gantt chart maintains its own local task map, separate from the
Pinia task store. When a task is edited in the detail modal, the
update was not propagated to the Gantt's map. Add a lastUpdatedTask
signal to the task store and watch it in useGanttTaskList.
2026-02-18 23:04:21 +01:00
kolaente 6d6a1deba4 feat(gantt): right-align text for endOnly partial-date bars 2026-02-18 23:04:21 +01:00
kolaente 2bf99cf2d0 chore: fix lint issue from gantt partial dates feature 2026-02-18 23:04:21 +01:00
kolaente 65f92ac8d3 feat(gantt): update drag/resize to handle partial-date task updates 2026-02-18 23:04:21 +01:00
kolaente 29e77b44e1 feat(gantt): add i18n strings for partial-date accessibility 2026-02-18 23:04:21 +01:00
kolaente 5e69ee43fd feat(gantt): update API filter to fetch tasks with due_date or end_date 2026-02-18 23:04:21 +01:00
kolaente 941c4f10d7 feat(gantt): render partial-date bars with gradient fade effect 2026-02-18 23:04:21 +01:00
kolaente 6b5ab85d40 feat(gantt): handle tasks with partial dates in transformation and filtering 2026-02-18 23:04:21 +01:00
kolaente eefa48052b feat(gantt): add dateType field to GanttBarModel meta 2026-02-18 23:04:21 +01:00
Ian Driver 48074d2358
feat: add optional project column to table view (#2182)
Adds a Project column to the table view, useful when viewing tasks
across multiple projects (e.g. in saved filters).

Disabled by default to keep the current behavior.

Co-authored-by: 2ZZ <ian@driv3r.uk>
2026-02-18 15:29:51 +00:00
Martin Lindvik e3695c17c6
feat: add Swedish for language selection (#2248)
The Swedish translations were finished on crowdin recently but I noticed
that the language selection was still missing so I went ahead and added
it.
2026-02-17 14:32:01 +00:00
kolaente 17360a820c
fix: correct indentation in API tokens table after thead/tbody wrap 2026-02-16 11:45:45 +01:00
kolaente b66b75f5be
fix: wrap API tokens table rows in thead and tbody elements 2026-02-16 10:52:51 +01:00