Commit Graph

101 Commits

Author SHA1 Message Date
kolaente d604d8d443 test(api/v2): port full v1 TaskDuplicate coverage
Assert the specific domain error code (ErrCodeTaskDoesNotExist) on the
nonexistent-source-task case, matching v1's TestTaskDuplicate. v2 carries
the code as the numeric `code` field of the RFC 9457 problem+json body,
so the test now checks that field instead of only the 404 status.
2026-06-03 20:29:15 +00:00
kolaente c9f8b87263 test(api/v2): port full v1 avatar coverage to TestAvatar
Bring the v2 avatar webtest to 1:1 parity with the v1 avatar tests so
the v1 routes and tests can be removed without losing coverage:

- link-share auth path: a request authenticated as a link-share user
  (not a regular JWT) returns 200 + non-empty image bytes, porting
  v1's TestLinkShareAvatar.
- bot user: the botmarble provider path returns 200 + SVG bytes, a
  distinct rendering v1 never exercised; asserts the marble mask id so
  it cannot silently fall through to the default placeholder.
- non-numeric size: rejected with 422 (Huma's int64 query validation)
  rather than v1's 400 ErrInvalidModel, both being client errors that
  refuse the malformed input.
2026-06-03 19:58:27 +00:00
kolaente 984a2633cc docs(task-comments): trim comments to the non-obvious why
Cut narration a reader can infer from the code (envelope element type,
path-param binding, per-case test descriptions). Keep the non-obvious
rationale: IDOR scoping, RFC 9110 etag quoting, why the feature gate sits
in the registrar, and the author-only fixture crux.
2026-06-03 19:57:26 +00:00
kolaente 88832a3e8b test(api/v2): port full v1 task comment coverage (permission matrix, IDOR, search) 2026-06-03 19:57:26 +00:00
kolaente 4d404e376a test(api/v2): prove author-only comment restriction with a writer non-author
The Forbidden non-author update/delete cases used user6, who also lacks access
to task 1, so they only proved access denial, not the author-only restriction.
Add cases driven by testuser1 against comment 4 on task 16 (project 7): user1
has write access via team 3 but did not author the comment (user6 did), so a
403 there genuinely exercises the authorship branch. Keep the user6 cases as
the no-access negatives, relabelled for clarity.
2026-06-03 19:57:26 +00:00
kolaente 3271a1e1af feat(api/v2): add nested task comment CRUD
Add TaskComment CRUD on /api/v2 under /tasks/{task}/comments, mirroring
the project_views nested-resource shape. The resource is feature-gated by
config.ServiceEnableTaskComments, checked inside the registrar so it runs
after config has loaded. Self-registers via init()+AddRouteRegistrar; no
routes.go change. ReadAll exposes the order_by (asc/desc) query param.

Adds doc:/readOnly: tags to the shared TaskComment model fields and a
TestHumaTaskComment webtest covering list/read/create/update/delete plus
negatives (non-author forbidden, comment under the wrong task -> 404).
2026-06-03 19:57:26 +00:00
kolaente 67aca34124 test(api/v2): port full v1 admin projects coverage
Bring TestHumaAdminProjects to 1:1 parity with v1 TestAdmin_ListProjects
by asserting owner hydration ("username":"user1", never "owner":null)
and project field presence ("id":, "title":) on the response body, in
addition to the existing gate personas and ownership/archived visibility
cardinality checks.
2026-06-03 19:48:08 +00:00
kolaente 58bc03d712 test(api/v2): port full v1 project view coverage 2026-06-03 19:46:38 +00:00
kolaente 5c05a1a289 test(api/v2): port full v1 label coverage
Bring the merged v2 Label webtest (TestHumaLabel) to 1:1 parity with the
model-level matrix in pkg/models/label_test.go so the v2 HTTP surface
independently proves the full visibility/permission contract once v1's
routes and tests are removed.

Added scenarios:
- ReadAll asserts the EXACT visible set for user1 = {1,2,4,7,8}, with #3
  (other owner, unattached), #5 (other owner, inaccessible task) and #6
  (GHSA private fixture) explicitly absent — not just contains/not-contains.
- ReadOne: #3 forbidden (other owner, unattached); #6 forbidden (GHSA
  private); #4 ALLOWED (other owner but visible via an accessible task);
  #7 allowed (own, unattached); #8 allowed (own, only on inaccessible task).
- Update/Delete: #4 forbidden (GHSA-hj5c-mhh2-g7jq read-vs-write: readable
  but not writable by the non-owner); #3 forbidden; #6 forbidden.
- Create asserts hex-color normalization (#aabbcc -> aabbcc).

Keeps the existing ETag/304 and merge-patch subtests.
2026-06-03 19:38:57 +00:00
kolaente c0392e42ac test(api/v2): port full v1 team coverage (permission matrix, public discovery, exact cardinality, DB persistence) 2026-06-03 18:56:12 +00:00
kolaente cdb1db855b test(api/v2): cover include_public team surfacing and its config gate 2026-06-03 18:56:12 +00:00
kolaente dab6ac620d feat(api/v2): add team CRUD endpoints
Adds Team CRUD on /api/v2 mirroring the labels reference resource:
list, read, create, update, delete under /teams[/{id}].

- The list op exposes an include_public query param bound onto the
  model so Team.ReadAll can surface public teams (gated by the instance
  public-teams setting).
- Read ops emit an ETag and honor If-None-Match (304).
- Model fields gain doc: tags; server-controlled fields are marked
  readOnly:true.
- Self-registers via init()/AddRouteRegistrar; no routes.go change.
- New webtest TestHumaTeam (named to avoid clashing with the v1 model
  TestTeam) covers list/read/create/update/delete plus negatives
  (non-member 403, nonexistent 403/404) and ETag/304.
2026-06-03 18:56:12 +00:00
kolaente b18e051ab3 fix(api/v2): reject non-decodable images (e.g. SVG) on avatar upload with 400 2026-06-02 11:55:25 +00:00
kolaente 2f4e3ecb91 fix(api/v2): align avatar upload body limit with global overhead
MaxBodyBytes was set to exactly the configured max file size, but a
multipart request carries extra bytes (boundary, part headers) on top of
the file, so a file at the limit could be rejected by Huma before the
handler runs. Mirror the +2 MB overhead that Echo's global BodyLimit
middleware already allows so a max-sized avatar isn't rejected.
2026-06-02 11:55:25 +00:00
kolaente cfac0773d7 fix(api/v2): accept real image content-types on avatar upload
Browsers set a real image Content-Type (image/png, image/jpeg, ...) on
the multipart avatar part, while programmatic clients often send
application/octet-stream. The part contentType tag is an allow-list for
Huma's MimeTypeValidator, which runs before the handler; broaden it so
both cases are accepted instead of being rejected with a 422.

The byte-level mimetype.DetectReader check in the handler remains the
real security gate and is unchanged.

Extend the webtest with a case that sends a part declared as image/png
and asserts it reaches the handler successfully.
2026-06-02 11:55:25 +00:00
kolaente 782c17c01d feat(api/v2): upload user avatar via multipart
Add PUT /api/v2/user/settings/avatar, the first multipart/form-data file
upload on the Huma-backed v2 API. Reuses v1's byte-level mime validation
(mimetype.DetectReader) and storage (upload.StoreAvatarFile), modeling the
request as a huma.MultipartFormFiles input so it renders as multipart/form-data
in the OpenAPI spec instead of being read off the raw echo context.

Flips the user's avatar provider to "upload" on success. Authenticated (JWT).
2026-06-02 11:55:25 +00:00
kolaente a4a0af91ff feat(api/v2): serve user avatars
Add GET /api/v2/avatar/{username}, the v2 reference for a binary response
modeled in the OpenAPI spec. Reuses the v1 avatar provider logic (provider
lookup, size clamp to config.ServiceMaxAvatarSize, runtime content-type) and
returns raw image bytes via Huma's []byte body + dynamic Content-Type header
idiom, advertised in the spec as application/octet-stream.

The endpoint is authenticated under the global security like every other v2
route (an anonymous request gets a 401); it is not public.
2026-06-02 08:17:00 +00:00
kolaente 774d884f5c test(api/v2): assert admin project id via structured json 2026-06-02 07:38:08 +00:00
kolaente 17bef4f599 test(api/v2): defer license reset in admin webtest 2026-06-02 07:38:08 +00:00
kolaente 730932be13 test(api/v2): defer session close in admin webtest 2026-06-02 07:38:08 +00:00
kolaente 82ad23c135 feat(api/v2): gate admin routes by feature + instance admin
Add the admin + license gate for /api/v2 and ship the first gated
resource, GET /api/v2/admin/projects (AdminProjectList).

The gate reuses the existing v1 middleware functions unchanged —
RequireFeature(license.FeatureAdminPanel) and RequireInstanceAdmin(),
both of which serve 404 on failure. Rather than splitting the single
v2 Huma API into a separate gated sub-group (which would split the
OpenAPI spec and drop admin operations from /api/v2/openapi.json), the
gate is applied as a path-scoped Echo middleware on the shared /api/v2
group, firing only for /api/v2/admin/* and after the token middleware.
This preserves v1's 404-not-403 semantics and keeps admin routes in the
unified v2 spec and Scalar docs.

AdminProjectList lists every project on the instance (archived
included), behind the gate. Adds doc:/readOnly: tags to the shared
Project model so it documents correctly as a v2 schema.

Tests in pkg/webtests/huma_admin_test.go (TestHumaAdminProjects) cover
all three personas: non-admin -> 404, admin without feature -> 404,
admin with feature -> 200 list, plus unauthenticated -> 401.
2026-06-02 07:38:08 +00:00
kolaente 738bcd0c77 fix(api/v2): scope project view delete to its parent project 2026-06-01 13:04:34 +00:00
kolaente 5ddc9d8ff0 feat(api/v2): add project view routes
Add ProjectView CRUD on /api/v2 under the nested path
/projects/{project}/views[/{view}], establishing the two-path-param
binding pattern for sub-resources. Mirrors the labels.go handler shape
and reuses handler.Do* so permission checks stay at the model layer.

Both {project} and {view} are bound on every operation; {project} is
threaded onto ProjectView.ProjectID (ReadOne resolves via
GetProjectViewByIDAndProject, which needs the parent id). List wraps the
[]*models.ProjectView slice in the shared Paginated envelope, read sends
an ETag for If-None-Match/304, and AutoPatch synthesises PATCH.

Also:
- Tag exposed ProjectView / ProjectViewBucketConfiguration / nested
  TaskCollection fields with doc: descriptions; mark server-controlled
  fields (id, project_id, created, updated) readOnly. Safe for v1.
- Give ProjectViewKind and BucketConfigurationModeKind a huma.SchemaProvider
  so the string-serialised enums reflect as string schemas instead of
  Huma's default integer schema (which rejected the string form with 422).

Routes registered in registerAPIRoutesV2 before EnableAutoPatch.
2026-06-01 13:04:34 +00:00
Tink 3d6608cac7
feat(api/v2): add task duplicate action (#2815) 2026-06-01 14:13:39 +02:00
kolaente 21194e61b0 test(api/v2): Label round-trip, ETag, PATCH, error shapes
Seven integration tests covering the Label pilot:

- Create_Read_Update_Delete — full round-trip through POST/GET/PUT/
  DELETE, asserts body + status at each step.
- List_ReturnsItems — GET /labels, asserts items[] is non-empty and
  contains a known fixture; this is the regression catcher for the
  generic-any silent-empty trap the spike hit.
- ForbiddenErrorShape — user1 reading user13's private label returns
  403 problem+json with the RFC 9457 type/title/status/detail shape.
- ValidationErrorShape — POST with empty title fails Huma's
  minLength:1 check with 422 problem+json + structured per-field
  errors locating `title`.
- ETagReturns304 — first GET captures ETag, second GET with
  If-None-Match returns 304.
- PATCHMergePatch — AutoPatch-synthesised PATCH with partial
  application/merge-patch+json body updates one field and leaves
  the others untouched; a follow-up GET confirms preservation.
- OpenAPISpecDescribesAllFive — the unauthenticated
  /api/v2/openapi.json surfaces GET+POST on /labels and GET+PUT+
  DELETE on /labels/{id}.
2026-05-31 12:56:57 +00:00
Rémi Lapeyre 069685f2a7
fix(caldav): return 404 when trying to access a project that cannot exist with CalDAV (#2796) 2026-05-28 08:14:52 +02:00
nithinvarma411 b6a02cb6a5 fix(assignees): resolve 500 error when reading task assignees 2026-05-26 18:59:33 +00:00
Tink bot 15badb382a test(api): cover positive project-identifier resolution
Adds back the by-identifier and case-insensitive-input cases now that
project identifiers are stored uppercase across the codebase.
2026-05-19 08:53:25 +00:00
Tink bot c6fa7991d6 fix(api): uppercase project identifier before by-index lookup
Switches the input normalisation from lower- to uppercase so identifiers
canonicalise the same way GitHub-style refs do (e.g. "PROJ-42"). The
positive identifier tests are dropped for now because the existing
fixtures store identifiers as lowercase ("test1") and the SQL comparison
remains case-sensitive — once the column-side case-insensitive match
lands, full coverage can be reinstated.
2026-05-19 08:53:25 +00:00
Tink bot 04148e14db feat(api): lowercase project identifier before by-index lookup
Normalises the input side so GitHub-style references like "TEST1-42" and
"test1-42" resolve to the same project. The SQL comparison itself remains
case-sensitive for now; case-insensitive matching on the column will be
addressed separately.
2026-05-19 08:53:25 +00:00
Tink bot 466d39e6de feat(api): accept project identifier in by-index task route
Allows GET /projects/{project}/tasks/by-index/{index} to resolve {project}
as either a numeric id or a project identifier (e.g. "PROJ"), so callers
can build GitHub-style task references like "PROJ-42" without first
looking up the project's numeric id. Pure-digit values remain interpreted
as ids, which makes identifiers consisting solely of digits unreachable
via this route.
2026-05-19 08:53:25 +00:00
kolaente 21ce33f8fd
feat(projects): always store identifiers as uppercase (#2775) 2026-05-19 10:35:43 +02:00
kolaente 3498dfe7fb test(admin): add webtests for /admin/* endpoints and share bypass 2026-04-20 18:55:06 +00:00
kolaente 8578fe3468 feat(api): add GET /projects/:project/tasks/by-index/:index endpoint 2026-04-11 20:44:28 +00:00
kolaente 75e1f72c6e fix(security): move reparent Admin gate into UpdateProject
GHSA-2vq4-854f-5c72 / CVE-2026-35595: the recursive permission CTE
cascades Admin from any owned ancestor, so a user with Write on a
shared project could reparent it under an attacker-owned root and
resolve as Admin on the moved project via the new parent.

Require Admin on both the moved project and the new parent whenever
parent_project_id is set to a non-zero value that differs from the
stored value. The gate lives in UpdateProject rather than CanUpdate
because CanUpdate is reused by permission-check-only callers
(buckets, webhooks, task ops) that pass stub &Project{ID:...} values
with ParentProjectID=0 and never commit a reparent — gating there
would spuriously trip the check for every such call.

Only non-zero ParentProjectID is gated: the generic update handler
binds a fresh struct, so an omitted parent_project_id is
indistinguishable from an explicit 0. Detach-to-root via the generic
endpoint is therefore out of scope for this fix and is tracked as a
follow-up (needs a pointer field to disambiguate).
2026-04-09 16:47:35 +00:00
kolaente 6ca0151d02 test(webtests): add end-to-end TOTP lockout test
Drives the login endpoint through 11 failed TOTP attempts against user10
and asserts the account ends up locked in the database, then verifies a
subsequent login with a valid TOTP code is rejected with
ErrCodeAccountLocked. Exercises the GHSA-fgfv-pv97-6cmj regression
against the real handler path.
2026-04-09 16:08:26 +00:00
kolaente 879462d717 fix(caldav): enforce URL project match in GetResourcesByList
Multiget REPORT requests would happily return tasks from projects
different from the one in the href, even though GetTasksByUIDs now
filters by access. Drop any returned task whose real project_id does
not match the project ID parsed from the href path segment.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 200b787c16 fix(caldav): reject GetResource when URL project mismatches task project
Even with the GetTasksByUIDs authz filter in place, a user with access
to multiple projects could read a task from project B by requesting it
under project A's URL. Enforce that the task's real project_id matches
the project ID parsed from the CalDAV URL path and 404 otherwise.

Adjusts the Delete Subtask test to use the correct URL project for
uid-caldav-test-child-task-2 (which lives in project 38, not 36);
the previous URL only worked because of the authz gap being closed.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 379d8a5c19 test(security): webtest that a deleted link share rejects its still-valid JWT
End-to-end regression test for GHSA-96q5-xm3p-7m84 / CVE-2026-35594: mints
a JWT for a link share via the real helper, then deletes the share row and
invokes the real ReadAllWeb handler to prove the full request path (not
just the unit-tested GetLinkShareFromClaims) surfaces the revocation.

Also fixes a pre-existing stale literal in the TestLinkSharing test fixture
struct: linkshareRead declared Hash="test1" while the actual fixture row
id=1 uses Hash="test". The old code never looked at the DB so the mismatch
went unnoticed; after the fix it would cause every link-share webtest that
used linkshareRead to fail hash validation.
2026-04-09 15:38:07 +00:00
kolaente 6a0f39b252 fix(security): enforce HTTP method and path in scoped API token matcher
CanDoAPIRoute's non-CRUD fallback branch compared a path-derived
permission name to the token's permission strings without checking
the request method. A token with projects.background (registered for
GET /projects/:project/background) could therefore invoke DELETE on
the same path. The same method-confusion affected the whole
/projects/:project/views/:view/buckets[/:bucket] cluster, where a
token with projects.views_buckets (registered for GET) authorized
PUT, POST, and DELETE on any accessible view's buckets.

The matcher also leaked CRUD permissions between parent and nested
sub-resource groups. When the request targeted a nested CRUD resource
(e.g. projects_teams, projects_shares, projects_users, projects_views,
projects_webhooks, projects_views_tasks, tasks_assignees, tasks_labels,
tasks_comments, tasks_relations, tasks_attachments, teams_members),
the matcher fell back from the specific group to the parent's permission
list but then looked the permission name up inside the sub-resource's
RouteDetail map. The effect was that a token holding only projects.read_all
also authorized GET on every nested projects_* list endpoint, and the
same held for create/update/delete and for the tasks.* family.

Rewrite the matcher to iterate the token's own permissions and accept
only when the stored RouteDetail's (Path, Method) matches the request.
This removes all the path-derived group guessing and makes the stored
detail the single source of truth. Preserve the tasks.read_all quirk
(one permission, two list endpoints) as an explicit two-path allowlist
inside the loop.

Extract a GetAPITokenRoutes accessor so the new property-based webtest
can consume the same snapshot served by GET /api/v1/routes.

Add TestAPITokenMethodMatching in pkg/webtests: using the live echo
router and the live apiTokenRoutes map, it iterates every advertised
permission against every registered route and asserts the matcher
accepts iff the stored (Path, Method) matches. Any future collision
introduced by a new non-CRUD route on a shared path will be caught.

After this change, previously-dead permissions like
projects.background_delete, projects.views_buckets_{put,post,delete},
other.avatar, other.ws and caldav.access start working as their UI
labels imply. Tokens that relied on the over-broad background /
views_buckets grants, or on cross-cluster CRUD bleed-through, will
lose the extra access - that is the fix.

Refs: GHSA-v479-vf79-mg83
2026-04-09 15:17:20 +00:00
kolaente 76790348f7 test: verify background removal preserves project title
Regression test for #2552. Deletes the background of project 35 (owned by
testuser6) and then fetches the project to confirm the title is still
'Test35 with background'.
2026-04-08 09:07:15 +00:00
kolaente 88c2f0a289 fix(project): remove non-existent columns from UpdateProject column list
The UpdateProject function referenced done_bucket_id and default_bucket_id
in its column update list, but these columns belong to the project_views
table, not the projects table. This caused SQL errors when archiving or
updating a project on MySQL/PostgreSQL.

Also adds a test for archiving a non-archived project.

Fixes #2459
2026-04-03 16:59:05 +00:00
kolaente 390957b3f5 test: verify caldav permission group appears in /routes 2026-03-30 12:09:53 +00:00
kolaente 194bec8b9f test: add integration tests for CalDAV API token auth 2026-03-30 12:09:53 +00:00
kolaente 83bac15841
feat: rename ServiceJWTSecret to ServiceSecret with deprecation (#2502) 2026-03-30 12:07:01 +02:00
kolaente 649043aceb test: add tests for OAuth 2.0 authorization flow
Add web tests covering the authorize endpoint, token exchange, PKCE
verification, single-use codes, and refresh token rotation. Add unit
tests for redirect URI validation and PKCE. Add E2E test for the full
browser-based authorization code flow with login redirect.

Extract setupApiUrl helper for E2E tests to avoid duplication.
2026-03-27 23:05:04 +00:00
surfingbytes 8e8ffac016
fix(caldav): add tags and sync token to collections (#2482)
Fixes #2401
2026-03-26 10:42:39 +00:00
kolaente 13be01de9f test: update expected results for archived project propagation
Adjust test assertions to reflect that projects inheriting archived
state from parents are now correctly filtered out of ReadAll results,
task collections, and search results across all database backends.
2026-03-25 09:06:33 +00:00
kolaente 0b04768d83 test(auth): add comprehensive disabled/locked user auth tests
Add locked user fixture (user18, status=3) and test that both disabled
and locked users are rejected across all auth paths: API tokens,
CalDAV basic auth, CheckUserCredentials.

Ref: GHSA-94xm-jj8x-3cr4
2026-03-23 16:37:26 +00:00
kolaente 751ab2c635 test: add failing test for webhook BasicAuth credential exposure 2026-03-23 16:35:47 +00:00