Commit Graph

13372 Commits

Author SHA1 Message Date
kolaente cc39aa7f08 feat(plugins): add yaegi interpreter-based plugin loader
EvalPath-based loading of Go source directories with typed factory
functions for interface bridging (required by yaegi's wrapping model).

Supports all plugin capabilities: routes, events, and migrations.
Registers itself into the Manager via init() to avoid import cycles.
2026-03-30 20:44:46 +00:00
kolaente 665f1b848c feat(plugins): extract third-party symbols for yaegi
Generated symbol tables for echo and watermill, enabling yaegi plugins
to use HTTP routing and the event/message system.

Exclude pkg/yaegi_symbols/ from golangci-lint (generated code).
2026-03-30 20:44:46 +00:00
kolaente 8771059a7a feat(plugins): extract vikunja package symbols for yaegi
Generated symbol tables exposing vikunja internals to the yaegi
interpreter: models, events, db, user, log, and plugins packages.
2026-03-30 20:44:46 +00:00
kolaente 3db410933e feat(plugins): add plugin config options
Add configuration keys:
- plugins.enabled (default: false)
- plugins.dir (default: <rootpath>/plugins)
- plugins.loader (default: native, validated at startup)

Register yaegi loader via blank import in initialize package.
2026-03-30 20:44:46 +00:00
kolaente 1d354512e6 feat(plugins): add plugin system interfaces and manager
Add the core plugin system with four interfaces:
- Plugin: base lifecycle (Name, Version, Init, Shutdown)
- MigrationPlugin: database migrations
- AuthenticatedRouterPlugin: routes behind auth
- UnauthenticatedRouterPlugin: public routes

The Manager handles loading, initialization, shutdown, and route
registration. Includes native .so loader (marked deprecated) and
yaegi loader integration point.
2026-03-30 20:44:46 +00:00
renovate[bot] 167380a01e chore(deps): update dependency @typescript-eslint/parser to v8.58.0 2026-03-30 20:13:08 +00:00
kolaente 495f34f60e feat: show close-tab message after OAuth redirect
Show a "You can close this tab now" message after the OAuth
authorize page redirects to the desktop app, instead of leaving
a stale "Authenticating..." message in the browser tab.
2026-03-30 20:12:25 +00:00
kolaente a12002de6d feat: add server selection UI for desktop OAuth login
Add a server selection screen matching the mobile app UX with
Vikunja Cloud, Try the Demo, and Custom Server URL options.
Extract all desktop login logic into a dedicated DesktopLogin
component. Use the existing ApiConfig component for custom server
URL input. Skip loading server config on startup to avoid showing
motd/demo popups on the login screen.
2026-03-30 20:12:25 +00:00
kolaente dd7532a57a feat: add OAuth PKCE authentication flow to desktop app
Add a complete OAuth 2.0 PKCE flow for the Electron desktop app:

- Implement PKCE code generation and token exchange in Electron
- Register custom protocol handler (vikunja-desktop://) for deep links
- Handle deep link race conditions (buffered URLs, process.argv fallback)
- Prevent duplicate IPC listener accumulation on re-mount
- Preserve sub-paths in OAuth authorize URL for non-root deployments
- Add token refresh support using Electron's net module
2026-03-30 20:12:25 +00:00
kolaente 6566f98103 chore: add plans/ directory to .gitignore 2026-03-30 20:12:25 +00:00
renovate[bot] 1a3a18e42b chore(deps): update dependency @typescript-eslint/eslint-plugin to v8.58.0 2026-03-30 19:12:16 +00:00
dependabot[bot] ab12e08354 chore(deps): bump golang.org/x/image from 0.35.0 to 0.38.0
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.35.0 to 0.38.0.
- [Commits](https://github.com/golang/image/compare/v0.35.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
  dependency-version: 0.38.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-30 16:37:27 +00:00
kolaente 111090d12c refactor: use embed fs for redoc UI and update to latest version
Move the redoc HTML template and JavaScript bundle out of the Go const
in docs.go into separate files under pkg/routes/api/v1/redoc/, using
Go's embed directive. Update redoc.standalone.js to the latest version.
The JS is now served on a separate route (/api/v1/docs/redoc.standalone.js)
to keep the HTML and JS cleanly separated.
2026-03-30 15:09:54 +00:00
Jacek Galowicz b2ddd2753c config: Expand environment variables in some.config.value.path.file inputs for better secret management 2026-03-30 14:22:39 +00:00
kolaente 6b225bb0ba test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
kolaente 6dc46c1898 feat: add AssertNotSent helper to notification testing 2026-03-30 12:28:15 +00:00
kolaente 04f94a5801 feat: register API token expiry check cron on startup 2026-03-30 12:28:15 +00:00
kolaente f308584033 feat: add cron job for API token expiry notifications 2026-03-30 12:28:15 +00:00
kolaente 8ea0dd1610 feat: add API token expiry notification types 2026-03-30 12:28:15 +00:00
kolaente d3f9bb4ee8 feat: add i18n keys for API token expiry notifications 2026-03-30 12:28:15 +00:00
kolaente 9884d933fc refactor: extract shared API token validation into ValidateTokenAndGetOwner 2026-03-30 12:09:53 +00:00
kolaente c2cfcb4684 feat: add API token hint to CalDAV settings page 2026-03-30 12:09:53 +00:00
kolaente 390957b3f5 test: verify caldav permission group appears in /routes 2026-03-30 12:09:53 +00:00
kolaente 194bec8b9f test: add integration tests for CalDAV API token auth 2026-03-30 12:09:53 +00:00
kolaente 6207705928 feat: accept API tokens for CalDAV basic auth 2026-03-30 12:09:53 +00:00
kolaente ebec91b356 feat: add HasCaldavAccess method to APIToken 2026-03-30 12:09:53 +00:00
kolaente b0b7c52b15 feat: register caldav permission group for API tokens 2026-03-30 12:09:53 +00:00
renovate[bot] 1c0513de10 chore(deps): update dev-dependencies 2026-03-30 10:24:04 +00:00
kolaente 83bac15841
feat: rename ServiceJWTSecret to ServiceSecret with deprecation (#2502) 2026-03-30 12:07:01 +02:00
Frederick [Bot] fb8c937d77 chore(i18n): update translations via Crowdin 2026-03-29 01:25:40 +00:00
dependabot[bot] 21a450b21f chore(deps): bump serialize-javascript from 7.0.3 to 7.0.5 in /frontend
Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 7.0.3 to 7.0.5.
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](https://github.com/yahoo/serialize-javascript/compare/v7.0.3...v7.0.5)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-28 23:35:34 +00:00
Frederick [Bot] fa2dc8f918 [skip ci] Updated swagger docs 2026-03-28 23:53:53 +00:00
j-hugo 23415c57aa
docs: correct task comment endpoint description and title (#2498) 2026-03-29 00:43:58 +01:00
Frederick [Bot] ffb291c966 chore(i18n): update translations via Crowdin 2026-03-28 01:16:36 +00:00
renovate[bot] 8d958aef62 chore(deps): update dev-dependencies 2026-03-27 23:06:28 +00:00
surfingbytes 73eb8279ae chore: add .pnpm-store to .gitignore 2026-03-27 23:05:32 +00:00
kolaente 649043aceb test: add tests for OAuth 2.0 authorization flow
Add web tests covering the authorize endpoint, token exchange, PKCE
verification, single-use codes, and refresh token rotation. Add unit
tests for redirect URI validation and PKCE. Add E2E test for the full
browser-based authorization code flow with login redirect.

Extract setupApiUrl helper for E2E tests to avoid duplication.
2026-03-27 23:05:04 +00:00
kolaente 0471f8a729 feat: add frontend OAuth authorize route and component
Add /oauth/authorize frontend route with OAuthAuthorize.vue that
handles the OAuth authorization flow: validates required query params,
calls the API to generate an authorization code, and redirects to the
callback URI. Authentication is handled by the standard router guard.
2026-03-27 23:05:04 +00:00
kolaente e5987acf80 feat: register OAuth authorize and token routes
Add POST /api/v1/oauth/authorize (authenticated) and
POST /api/v1/oauth/token (unauthenticated) routes.
2026-03-27 23:05:04 +00:00
kolaente 7827ff64b9 feat: add OAuth 2.0 token endpoint
Add POST /api/v1/oauth/token supporting authorization_code and
refresh_token grant types. Validates PKCE, exchanges codes for
JWT access tokens with refresh token rotation. Uses the shared
RefreshSession helper for the refresh grant.
2026-03-27 23:05:04 +00:00
kolaente 8b379b7466 feat: add OAuth 2.0 authorize endpoint
Add POST /api/v1/oauth/authorize behind auth middleware. Validates
OAuth parameters (response_type, redirect_uri, PKCE), fetches the
authenticated user, creates an authorization code, and returns it
as JSON for the frontend to handle the redirect.
2026-03-27 23:05:04 +00:00
kolaente a6e7475153 feat: add OAuth client validation and PKCE verification
Add redirect URI validation that allowlists vikunja-* custom protocol
schemes, rejecting http/https and dangerous schemes like javascript:.
Add PKCE S256 verification following RFC 7636.
2026-03-27 23:05:04 +00:00
kolaente 71282dcffd feat: add OAuth 2.0 authorization code model and migration
Add the OAuthCode model for storing short-lived authorization codes
with PKCE challenges. Codes are hashed (SHA-256) before storage and
are single-use with a 10-minute expiry. Add the database migration
and OAuth-specific error types.
2026-03-27 23:05:04 +00:00
kolaente 7a258f67c7 refactor: extract shared RefreshSession helper
The cookie-based /user/token/refresh handler had session refresh logic
(lookup, expiry check, token rotation, user fetch, JWT generation)
that will be reused by the OAuth token endpoint. Extract it into
auth.RefreshSession() and rewrite RefreshToken to use it.
2026-03-27 23:05:04 +00:00
kolaente 39e16653aa fix: add ORDER BY to ListUsers query for deterministic ordering
The query had no ORDER BY clause, causing non-deterministic result
ordering on PostgreSQL where row order is not guaranteed.
2026-03-27 23:05:04 +00:00
Frederick [Bot] a2e19f8d38 chore(i18n): update translations via Crowdin 2026-03-27 01:22:35 +00:00
kolaente 112e486314 test: add test for deeply nested TickTick task ordering 2026-03-26 15:08:12 +00:00
kolaente 9b1c52e9e3 fix: sort TickTick tasks so parents come before children
TickTick CSV exports don't guarantee parent tasks appear before their
subtasks. When a child row came first, the shared migration pipeline
tried to create a title-less placeholder for the missing parent, which
failed with 'Task title cannot be empty'.

Resolves go-vikunja/vikunja#2487
2026-03-26 15:08:12 +00:00
kolaente c49636430f test: add failing test for TickTick child-before-parent CSV order 2026-03-26 15:08:12 +00:00
surfingbytes 8e8ffac016
fix(caldav): add tags and sync token to collections (#2482)
Fixes #2401
2026-03-26 10:42:39 +00:00