Commit Graph

2567 Commits

Author SHA1 Message Date
kolaente a1fbc277be
fix(deps): patch follow-redirects and basic-ftp security vulnerabilities
Update follow-redirects to 1.16.0 (fixes auth header leak on cross-domain
redirects) and basic-ftp to 5.2.2 (fixes CRLF injection in FTP commands).
2026-04-14 20:49:42 +02:00
kolaente f208279dd2 test(editor): add e2e for emoji autocomplete 2026-04-14 13:48:49 +00:00
kolaente c0f05b6277 feat(editor): register emoji autocomplete extension 2026-04-14 13:48:49 +00:00
kolaente 7ab2804129 feat(editor): add emoji TipTap extension 2026-04-14 13:48:49 +00:00
kolaente 02d4dd1631 feat(editor): add emoji suggestion handler 2026-04-14 13:48:49 +00:00
kolaente 88136ed45e feat(editor): add EmojiList popup component 2026-04-14 13:48:49 +00:00
kolaente 542cab5ef6 feat(editor): add lazy emoji data loader and filter 2026-04-14 13:48:49 +00:00
kolaente 7227c59f5e test(e2e/kanban): seed the view only once with done_bucket_id 2026-04-14 11:32:14 +00:00
kolaente af6923524f test(e2e/kanban): cover recurring task drag to done bucket (#2618) 2026-04-14 11:32:14 +00:00
kolaente d389408618 test(kanban): cover moveTaskToBucket 2026-04-14 11:32:14 +00:00
kolaente 13c4aec461 fix(frontend/kanban): honor server bucket redirect on drag (#2618) 2026-04-14 11:32:14 +00:00
renovate[bot] c68649faf4 chore(deps): update dev-dependencies 2026-04-14 10:51:01 +00:00
Frederick [Bot] 8bde434676 chore(i18n): update translations via Crowdin 2026-04-14 01:29:51 +00:00
renovate[bot] a3ac01346a chore(deps): update dev-dependencies 2026-04-13 10:14:34 +00:00
Frederick [Bot] 5ef01965e5 chore(i18n): update translations via Crowdin 2026-04-13 01:48:06 +00:00
renovate[bot] 160495b84e chore(deps): update dependency stylelint to v17.7.0 2026-04-12 14:42:19 +00:00
kolaente f6693f81a2 test(e2e): cover quick add auto-attaching default reminders 2026-04-11 21:51:41 +00:00
kolaente 5afd066a13 feat(tasks): apply default reminders to quick-add tasks with due date
When a user has configured default reminders in their frontend settings,
those are cloned onto every task created via quick-add magic that has a
parsed due date. Tasks without a due date are silently skipped.

The buildDefaultRemindersForQuickAdd helper is exported as a pure
function so it can be unit-tested without stubbing the Pinia store.
2026-04-11 21:51:41 +00:00
kolaente 338d4d8b76 feat(settings): surface quick add default reminders in user settings
Adds the settings field next to the quick add magic mode select, hidden
when that mode is set to Disabled. Uses Reminders.vue directly with
allow-absolute=false and default-relative-to pinned to due date.
2026-04-11 21:51:41 +00:00
kolaente 6c9753328b feat(i18n): add strings for quick add default reminders 2026-04-11 21:51:41 +00:00
kolaente dc4b7a5510 refactor(reminders): make Reminders.vue take ITaskReminder[] directly
Reminders.vue only read three task fields (dueDate/startDate/endDate)
and wrote one back (reminders). The ITask coupling was accidental.

Flip the prop to ITaskReminder[] and pass defaultRelativeTo / allowAbsolute
as plain props. TaskDetailView now owns the due/start/end priority
computation and binds v-model="task.reminders" directly. This also lets
the settings page reuse Reminders.vue for configuring default reminders.
2026-04-11 21:51:41 +00:00
kolaente b61ad9d46a feat(reminders): add allowAbsolute prop to ReminderDetail
Adds an allowAbsolute prop to ReminderDetail that hides the 'Date and
time' option when set to false, and a lockRelativeTo prop on
ReminderPeriod that hides the relativeTo select and forces the chosen
value. ReminderDetail threads them together so that when absolute
reminders are disallowed, the Custom form can only produce reminders
that anchor to defaultRelativeTo.
2026-04-11 21:51:41 +00:00
kolaente e85f3fd84c feat(settings): add quickAddDefaultReminders field to frontend settings 2026-04-11 21:51:41 +00:00
kolaente c06a33fb63 test(e2e): mirror task id to index in TaskFactory
Multiple TaskFactory.create(1, {id: N, ...}, false) calls for the same
project were all defaulting to index=1 (from {increment} with count=1),
which collides on the newly added UNIQUE(project_id, index) constraint.
Mirror the numeric id override to index so each row stays unique and
matches the id == index convention used by raw seedTasks helpers.

Fixes the e2e playwright seed failures in subtask-duplicates, list/table
filter/search, kanban filter/search, and overview specs.
2026-04-11 20:44:28 +00:00
kolaente 113b77e92f fix(modal): skip showModal if enabled flipped false before mount
Re-check props.enabled inside the dialogRef watcher. The watcher fires
once Vue mounts the <dialog>, but the caller may have flipped enabled
back to false between the openDialog() call and the mount flush. In that
case the prop state is disabled and we must not open the dialog.

Addresses augmentcode review on #2604.
2026-04-11 19:00:43 +00:00
kolaente e01a599418 fix(modal): clear stale data-closing flag when re-opened mid-close
If the modal is re-enabled within the 150ms close transition the
<dialog> element is still mounted and [open], so the dialogRef watcher
does not re-fire. Clear the leftover data-closing flag directly in
openDialog() so the dialog doesn't remain stuck at opacity 0.

Addresses augmentcode review on #2604.
2026-04-11 19:00:43 +00:00
kolaente e932ee759a fix(modal): open dialog reliably in electron desktop
Replace the nextTick-based showModal() call with a watch on the template
ref so the dialog is opened exactly when the <dialog> element mounts.
The previous implementation could silently skip showModal() if the mount
was deferred past the first nextTick, leaving the dialog in the DOM with
opacity: 0 and no click target. Observed in the Vikunja Desktop v2.3.0
Electron build where the search (quick actions) button was unresponsive.

Closes #2590
2026-04-11 19:00:43 +00:00
kolaente f29f985386 test(modal): cover open race for #2590 2026-04-11 19:00:43 +00:00
Frederick [Bot] 50d6926b56 chore(i18n): update translations via Crowdin 2026-04-11 01:20:45 +00:00
renovate[bot] df7a5c645c chore(deps): update dependency wait-on to v9.0.5 2026-04-10 22:57:21 +00:00
dependabot[bot] e8c20b1244 chore(deps): bump axios from 1.13.5 to 1.15.0 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.5...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-10 09:58:30 +00:00
kolaente 28b537837f
chore: v2.3.0 release preparations 2026-04-09 20:43:40 +02:00
kolaente b642b2a453 feat(auth): prompt for TOTP code in the OIDC callback flow
When the backend reports that 2FA is required (412/1017), the OIDC
callback view now shows a TOTP input and restarts the OIDC dance
with the typed passcode stashed in localStorage so it can be
submitted alongside a fresh authorization code.

Refs GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
kolaente 546db0dc21 feat(auth): plumb totp passcode through openIdAuth action
Allows the OpenIdAuth view to resubmit the OIDC callback with a
TOTP passcode after a 412/1017 response from the backend.

Refs GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
kolaente 27a88dd17a
fix(deps): bump basic-ftp override to 5.2.1 to patch CRLF injection
Resolves Dependabot alert #183 (high severity): basic-ftp 5.2.0 is
vulnerable to FTP command injection via CRLF. The package is pulled in
as a dev-only transitive dependency by @histoire/plugin-screenshot.
2026-04-09 15:34:00 +02:00
kolaente 8814cb37d8
fix(tasks): vertically center checkbox in project task row
The tooltip span wrapping the checkbox used the inherited line-height
(~24px), so the 18px inline-block checkbox sat on the baseline and
appeared misaligned with the task text. Making the span an inline-flex
container collapses it to the checkbox size and centers it properly.
2026-04-09 15:30:27 +02:00
kolaente a574d623b1 test: add e2e regression test for link share loop while logged in
Covers #2546: a logged-in user navigating to a public link share URL
used to bounce infinitely between /share/:hash/auth and the project
view, stranding the user on an empty NoAuthWrapper shell. Two distinct
issues in checkAuth() produced the same symptom:

  1. The 1-minute debounce skipped re-parsing the new link share JWT
     when the user was already authenticated.
  2. The "same user, skip setUser" fast path compared only `id`, so a
     logged-in user whose id collided with the link share's id kept
     the USER `info.value.type` and `authLinkShare` never flipped.

The test pins both the logged-in user and the link share to the same
numeric id so it exercises the collision path, which catches both
regressions at once.
2026-04-09 10:20:46 +00:00
kolaente 432c5f2817 fix: include type in checkAuth's same-user skip check
Users and link shares share the same numeric id space in JWTs. When a
logged-in user opened a link share whose id happened to match their own
user id, checkAuth() would see `info.value.id === jwtUser.id` and skip
`setUser()`, leaving `info.value.type` as USER even though the new token
was a LINK_SHARE. As a result, `authLinkShare` never flipped to true and
the router guard bounced between /share/:hash/auth and the project view,
stranding the user on an empty NoAuthWrapper shell.

Compare on type as well so USER→LINK_SHARE transitions always replace
the user object.

Refs #2546
2026-04-09 10:20:46 +00:00
kolaente 2000732e35 fix: skip refreshUserInfo for link share tokens to prevent logout loop 2026-04-09 10:20:46 +00:00
kolaente 1d3a234b05 fix: reset checkAuth debounce in linkShareAuth to prevent redirect loop
When a logged-in user opens a public link share, the 1-minute debounce
on checkAuth() caused it to skip re-parsing the new link share JWT.
This left authLinkShare as false, triggering an infinite redirect loop
in the router guard.

Fixes #2546
2026-04-09 10:20:46 +00:00
kolaente 91728c0273 test: wire up API URL for anonymous link share e2e tests
The anonymous link share tests don't use the authenticatedPage fixture
(which implicitly calls setupApiUrl via login()), so the browser was
falling back to the default `window.API_URL = '/api/v1'` baked into
index.html. That relative path resolved against the preview server port
and never reached the API, causing the tests to hang on the NoAuth
"Welcome Back" page waiting for elements that never rendered.

Adding a beforeEach that calls setupApiUrl() restores these tests.
2026-04-09 10:20:46 +00:00
renovate[bot] 4415485675 chore(deps): update dependency vitest to v4.1.4 2026-04-09 08:59:51 +00:00
kolaente e7bc5a31e4 docs(shortcuts): show platform-aware delete key in keyboard shortcuts panel 2026-04-09 08:07:48 +00:00
kolaente cee2babc58 feat(tasks): use platform-aware delete shortcut on task detail view 2026-04-09 08:07:48 +00:00
Frederick [Bot] 36cec5ccca chore(i18n): update translations via Crowdin 2026-04-09 01:16:09 +00:00
kolaente 10e7d2532e fix: derive workbox version from package.json at build time
Instead of hardcoding the workbox version string in the service worker,
read it from workbox-precaching/package.json via Vite's define option.
This ensures the service worker always references the correct workbox
version that is actually installed.

Resolves #2549
2026-04-08 08:42:11 +00:00
renovate[bot] e898c01e3d chore(deps): update dev-dependencies 2026-04-08 08:03:18 +00:00
Frederick [Bot] f528bcc276 chore(i18n): update translations via Crowdin 2026-04-08 01:25:14 +00:00
kolaente 3437f98dc3 feat(migration): add skip rows option to CSV import
Allow users to skip the first N data rows when importing CSV files.
This is useful when the CSV contains metadata rows before the actual
task data begins. Adds skip_rows to ImportConfig (backend) and a
number input in the parsing options UI (frontend).
2026-04-07 15:20:06 +00:00
Claude f555762def feat(migration): add generic CSV import with column mapping
Add a new CSV migration module that allows users to import tasks from
any CSV file with custom column mapping and parsing options.

Backend changes:
- New CSV migrator module with detection, preview, and import endpoints
- Auto-detection of delimiter, quote character, and date format
- Suggested column mappings based on column name patterns
- Transactional import using InsertFromStructure

Frontend changes:
- New CSV migration UI with two-step flow (upload -> mapping -> import)
- Column mapping selectors for all task attributes
- Live preview showing first 5 tasks with current mapping
- Parsing option controls for delimiter and date format

The CSV migrator creates a parent "Imported from CSV" project with
child projects based on the project column if provided, or a default
"Tasks" project for tasks without a specified project.
2026-04-07 15:20:06 +00:00