Commit Graph

374 Commits

Author SHA1 Message Date
kolaente a6e6f252db refactor: remove redundant Begin() calls after NewSession auto-begins
Since NewSession() now auto-begins a transaction, explicit Begin()
calls are redundant (xorm's Begin() is a no-op when already in a
transaction). Removing them reduces confusion.

Special case: user_delete.go's loop previously called Begin/Commit
per user on a shared session. Restructured to create a new session
per user deletion so each gets its own transaction.
2026-02-25 11:03:02 +01:00
kolaente c9c250fb1c fix: add missing Commit() to write callers
After NewSession() auto-begins a transaction, callers that perform
writes must explicitly call Commit() for changes to persist. Without
this, writes are silently rolled back when Close() is called.

Affected callers:
- user deletion notification cron
- caldav token generation/deletion
- token cleanup cron
- mark-all-notifications-read endpoint
- saved filter view cron
- project background delete
- typesense reindex
- export cleanup cron
- task last-updated listener
- saved filter view listener
- SSO team cleanup cron
- migration status start/finish
- background set/remove handlers
- orphaned task position cleanup
- file creation
2026-02-25 11:03:02 +01:00
kolaente 8ee069a2a3 feat: add session-based auth with refresh token rotation
- Login creates a server-side session and sets an HttpOnly refresh
  token cookie alongside the short-lived JWT
- POST /user/token/refresh exchanges the cookie for a new JWT and
  rotates the refresh token atomically
- POST /user/logout destroys the session and clears the cookie
- POST /user/token restricted to link share tokens only
- Session list (GET) and delete (DELETE) routes for /user/sessions
- All user sessions invalidated on password change and reset
- CORS configured to allow credentials for cross-origin cookies
- JWT 401 responses use structured error code 11 for client detection
- Refresh token cookie name constants annotated for gosec G101
2026-02-25 10:30:25 +01:00
kolaente a13ecbd3cc
fix: prevent browser from caching API responses
Without explicit Cache-Control headers, browsers may heuristically cache
API JSON responses. This causes stale data to be served on normal page
refresh (F5) — for example, projects newly shared with a team not
appearing until the user performs a hard refresh (Ctrl+Shift+R).

Add Cache-Control: no-store to all API responses via middleware and
configure the service worker's NetworkOnly strategy to explicitly bypass
the browser HTTP cache for API requests.

Ref: https://community.vikunja.io/t/team-members-cannot-see-project/1876
2026-02-24 10:37:49 +01:00
kolaente 1ccc8dce3a
fix: load file content before generating attachment preview
LoadFileByID() was called after the preview branch, so GetPreview()
received a nil io.Reader causing a panic in image.Decode.
2026-02-22 09:28:25 +01:00
kolaente d222d4502a fix: escape attachment download filename 2026-02-22 00:00:11 +01:00
kolaente c6370bb739 fix: fall back to application/octet-stream when the file has no mime type stored 2026-02-22 00:00:11 +01:00
kolaente 4915f535d0 fix: add Content-Disposition attachment header to task attachment downloads
Set Content-Disposition to "attachment" instead of "inline" so browsers
trigger a file download with the correct filename. Also move shared
response headers (Content-Type, Content-Length, Last-Modified) out of
the S3-specific branch so they apply to both storage backends.
2026-02-22 00:00:11 +01:00
kolaente b21c9acb0d fix(routes): restore SPA routing after Echo v5 upgrade
In Echo v5, the 404 error for unmatched routes implements the
HTTPStatusCoder interface but is not a *HTTPError. This caused
the static middleware to fail to catch 404s and serve index.html
for SPA routes, leading to reloading SPA routes returning 404.

Caused by regression introduced in 9a61453e8.

Fixes #2149
Fixes #2152
2026-01-25 11:07:48 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
kolaente 39b4568bc5
refactor: centralize HTTP error handling (#2062)
This changes the error handling to a centralized HTTP error handler in `pkg/routes/error_handler.go` that converts all error types to proper HTTP responses. This simplifies the overall error handling because http handler now only need to return the error instead of calling HandleHTTPError as previously.
It also removes the duplication between handling errors with and without Sentry.

🐰 Hop along, dear errors, no more wrapping today!
We've centralized handlers in a shiny new way,
From scattered to unified, the code flows so clean,
ValidationHTTPError marshals JSON supreme!
Direct propagation hops forward with glee,
A refactor so grand—what a sight to see! 🎉
2026-01-08 10:02:59 +00:00
kolaente 0b3decd869
fix: ensure API consistency for /tasks and empty array responses (#1988)
- Renames the `/tasks/all` endpoint to `/tasks` for consistency with
other collection endpoints like `/projects` and `/labels`
- Returns `[]` instead of `null` for empty pagination results across all
list endpoints
- Updates the frontend service to use the new endpoint path
- Updates API token tests to use the new endpoint path

Fixes #1984
2025-12-15 15:34:13 +00:00
kolaente fb7764d9f1
feat: format user mentions with display names in email notifications (#1930)
Email notifications now display user mentions with inline avatar images for improved visual recognition and easier identification. Mentions gracefully fall back to display names if avatars are unavailable.
2025-12-10 12:39:05 +01:00
kolaente da0822c3f4 feat(caldav): add more error logging 2025-12-04 10:54:31 +01:00
kolaente 51512c1cb4
feat: migrate cypress e2e tests to playwright (#1739) 2025-11-27 16:34:48 +01:00
Mithilesh Gupta 7dddc5dfa2
feat: task unread tracking (#1857)
---------

Co-authored-by: Mithilesh Gupta <guptamithilesh@protonmail.com>
Co-authored-by: kolaente <k@knt.li>
2025-11-27 15:14:42 +01:00
kolaente dcfd096588
feat: allow setting dark custom logo
Resolves https://github.com/go-vikunja/vikunja/issues/1799
2025-11-12 21:07:01 +01:00
Weijie Zhao bc1368abcc
feat: add S3 file storage support (#1688) 2025-11-06 08:37:04 +01:00
kolaente ec89b08fd5
fix(attachments): extend upload file size to form data (#1577)
Resolves https://github.com/go-vikunja/vikunja/issues/1494
2025-09-30 22:23:07 +00:00
kolaente 31c1f98270
fix(caldav): remove METHOD:PUBLISH from caldav exports (#1576) 2025-09-30 18:16:07 +00:00
kolaente 1b5a9dbdea refactor: use helper function to check user local 2025-09-04 18:09:21 +02:00
kolaente b8afdcf62d fix(user): do not reject 2fa for local users
https://github.com/go-vikunja/vikunja/issues/1402
2025-09-04 18:09:21 +02:00
kolaente bd74733632
fix: show pagination controls for task comments (#1413)
Resolves https://community.vikunja.io/t/task-comment-pagination-in-1-0-0-rc1/3988
2025-09-04 16:04:05 +00:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
Copilot 7762d7746e
fix: make user data export download return 404 for nonexistent files (#1227) 2025-08-03 20:36:15 +00:00
kolaente ebaf4a0aa0 feat(settings): show extra settings links on user settings page 2025-08-03 13:25:32 +02:00
kolaente e5c860afec feat(plugins): allow plugins to register routes 2025-08-01 17:06:02 +02:00
kolaente 4042f66efa
feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
kolaente 388af80ece
fix: log correct response status 2025-07-28 13:27:12 +02:00
kolaente 62200f6e0f feat!: remove echo log options - unify with general http logging 2025-07-21 18:15:39 +02:00
kolaente ca83ad1f98 feat: move to slog for logging 2025-07-21 18:15:39 +02:00
kolaente fcdcdcf46a feat: use keyvalue.Remember where it makes sense 2025-07-17 16:19:13 +02:00
kolaente 42534cdd79
fix: don't panic when using api token when not correctly put into context (#1119) 2025-07-15 21:26:28 +00:00
Vlad Yarotsky d4347f00f6
fix(caldav): make CalDAV REPORT request properly respond with VTODO objects (#1116) 2025-07-14 21:57:55 +00:00
Dominik Pschenitschni efff6955c5
fix: remove fmt output in token check 2025-07-03 17:09:41 +02:00
Dominik Pschenitschni 9efdde8f1a
docs: delete caldav token uses DELETE instead of GET 2025-07-03 17:06:20 +02:00
kolaente 4d36771362
feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
Dominik Pschenitschni d48d88d442 fix: comment typo and misspellings 2025-07-02 17:46:21 +02:00
kolaente 3b05f7859f
fix(users): refresh initials avatar refresh after name change (#1047) 2025-06-30 16:20:54 +00:00
kolaente 99bc065272
feat(user): use name for initals avatar, not username
For external auth providers, the username might be randomly generated,
which results in a random initial - this is unexpected and confusing for
users.
2025-06-27 14:13:49 +02:00
kolaente 0ecbd9e1a3
feat(user): add avatar cache flushing (#1041) 2025-06-27 14:01:43 +02:00
Weijie Zhao a214d68a44
feat(auth): sync avatar from OpenID providers (#821) 2025-06-16 15:59:31 +02:00
kolaente 59a0b9c40d
feat(auth): require auth to fetch avatars (#930) 2025-06-14 13:12:41 +00:00
kolaente 842e7f524b
fix: always add public url to allowed cors origins
This fixes a bug where it was not possible to do anything because the public url was not allowed by default for CORS requests.

Regression from 433b8b9115

Resolves https://github.com/go-vikunja/vikunja/issues/916
2025-06-11 14:29:38 +02:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente 44b3e46325
fix: return correct mimetype for openapi docs.json
Resolves https://github.com/go-vikunja/vikunja/issues/864
2025-06-04 16:12:46 +02:00
kolaente ca98b7da73
feat: add /token/test route
This new route returns 200 if a valid bearer token was presented. It does not return any information about the user.
2025-05-21 22:27:34 +02:00
kolaente 3e46457c03
fix: remove unused import 2025-05-15 09:54:15 +02:00
kolaente 13dfe78121
fix(project): correctly handle invalid project id error 2025-05-15 09:50:33 +02:00
renovate[bot] 4a75f7d4da
chore(deps): update golangci/golangci-lint-action action to v7 (#462)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2025-04-02 09:28:56 +02:00