Commit Graph

2536 Commits

Author SHA1 Message Date
kolaente 28b537837f
chore: v2.3.0 release preparations 2026-04-09 20:43:40 +02:00
kolaente b642b2a453 feat(auth): prompt for TOTP code in the OIDC callback flow
When the backend reports that 2FA is required (412/1017), the OIDC
callback view now shows a TOTP input and restarts the OIDC dance
with the typed passcode stashed in localStorage so it can be
submitted alongside a fresh authorization code.

Refs GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
kolaente 546db0dc21 feat(auth): plumb totp passcode through openIdAuth action
Allows the OpenIdAuth view to resubmit the OIDC callback with a
TOTP passcode after a 412/1017 response from the backend.

Refs GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
kolaente 27a88dd17a
fix(deps): bump basic-ftp override to 5.2.1 to patch CRLF injection
Resolves Dependabot alert #183 (high severity): basic-ftp 5.2.0 is
vulnerable to FTP command injection via CRLF. The package is pulled in
as a dev-only transitive dependency by @histoire/plugin-screenshot.
2026-04-09 15:34:00 +02:00
kolaente 8814cb37d8
fix(tasks): vertically center checkbox in project task row
The tooltip span wrapping the checkbox used the inherited line-height
(~24px), so the 18px inline-block checkbox sat on the baseline and
appeared misaligned with the task text. Making the span an inline-flex
container collapses it to the checkbox size and centers it properly.
2026-04-09 15:30:27 +02:00
kolaente a574d623b1 test: add e2e regression test for link share loop while logged in
Covers #2546: a logged-in user navigating to a public link share URL
used to bounce infinitely between /share/:hash/auth and the project
view, stranding the user on an empty NoAuthWrapper shell. Two distinct
issues in checkAuth() produced the same symptom:

  1. The 1-minute debounce skipped re-parsing the new link share JWT
     when the user was already authenticated.
  2. The "same user, skip setUser" fast path compared only `id`, so a
     logged-in user whose id collided with the link share's id kept
     the USER `info.value.type` and `authLinkShare` never flipped.

The test pins both the logged-in user and the link share to the same
numeric id so it exercises the collision path, which catches both
regressions at once.
2026-04-09 10:20:46 +00:00
kolaente 432c5f2817 fix: include type in checkAuth's same-user skip check
Users and link shares share the same numeric id space in JWTs. When a
logged-in user opened a link share whose id happened to match their own
user id, checkAuth() would see `info.value.id === jwtUser.id` and skip
`setUser()`, leaving `info.value.type` as USER even though the new token
was a LINK_SHARE. As a result, `authLinkShare` never flipped to true and
the router guard bounced between /share/:hash/auth and the project view,
stranding the user on an empty NoAuthWrapper shell.

Compare on type as well so USER→LINK_SHARE transitions always replace
the user object.

Refs #2546
2026-04-09 10:20:46 +00:00
kolaente 2000732e35 fix: skip refreshUserInfo for link share tokens to prevent logout loop 2026-04-09 10:20:46 +00:00
kolaente 1d3a234b05 fix: reset checkAuth debounce in linkShareAuth to prevent redirect loop
When a logged-in user opens a public link share, the 1-minute debounce
on checkAuth() caused it to skip re-parsing the new link share JWT.
This left authLinkShare as false, triggering an infinite redirect loop
in the router guard.

Fixes #2546
2026-04-09 10:20:46 +00:00
kolaente 91728c0273 test: wire up API URL for anonymous link share e2e tests
The anonymous link share tests don't use the authenticatedPage fixture
(which implicitly calls setupApiUrl via login()), so the browser was
falling back to the default `window.API_URL = '/api/v1'` baked into
index.html. That relative path resolved against the preview server port
and never reached the API, causing the tests to hang on the NoAuth
"Welcome Back" page waiting for elements that never rendered.

Adding a beforeEach that calls setupApiUrl() restores these tests.
2026-04-09 10:20:46 +00:00
renovate[bot] 4415485675 chore(deps): update dependency vitest to v4.1.4 2026-04-09 08:59:51 +00:00
kolaente e7bc5a31e4 docs(shortcuts): show platform-aware delete key in keyboard shortcuts panel 2026-04-09 08:07:48 +00:00
kolaente cee2babc58 feat(tasks): use platform-aware delete shortcut on task detail view 2026-04-09 08:07:48 +00:00
Frederick [Bot] 36cec5ccca chore(i18n): update translations via Crowdin 2026-04-09 01:16:09 +00:00
kolaente 10e7d2532e fix: derive workbox version from package.json at build time
Instead of hardcoding the workbox version string in the service worker,
read it from workbox-precaching/package.json via Vite's define option.
This ensures the service worker always references the correct workbox
version that is actually installed.

Resolves #2549
2026-04-08 08:42:11 +00:00
renovate[bot] e898c01e3d chore(deps): update dev-dependencies 2026-04-08 08:03:18 +00:00
Frederick [Bot] f528bcc276 chore(i18n): update translations via Crowdin 2026-04-08 01:25:14 +00:00
kolaente 3437f98dc3 feat(migration): add skip rows option to CSV import
Allow users to skip the first N data rows when importing CSV files.
This is useful when the CSV contains metadata rows before the actual
task data begins. Adds skip_rows to ImportConfig (backend) and a
number input in the parsing options UI (frontend).
2026-04-07 15:20:06 +00:00
Claude f555762def feat(migration): add generic CSV import with column mapping
Add a new CSV migration module that allows users to import tasks from
any CSV file with custom column mapping and parsing options.

Backend changes:
- New CSV migrator module with detection, preview, and import endpoints
- Auto-detection of delimiter, quote character, and date format
- Suggested column mappings based on column name patterns
- Transactional import using InsertFromStructure

Frontend changes:
- New CSV migration UI with two-step flow (upload -> mapping -> import)
- Column mapping selectors for all task attributes
- Live preview showing first 5 tasks with current mapping
- Parsing option controls for delimiter and date format

The CSV migrator creates a parent "Imported from CSV" project with
child projects based on the project column if provided, or a default
"Tasks" project for tasks without a specified project.
2026-04-07 15:20:06 +00:00
surfingbytes 84f4c16425
feat(user): add option to hide last viewed projects on overview page (#2429) 2026-04-07 16:56:13 +02:00
kolaente 8a8d187065 chore(frontend): deduplicate pnpm dependencies 2026-04-07 14:22:04 +00:00
renovate[bot] 11299d773f chore(deps): update dependency vitest to v4.1.3 2026-04-07 13:43:01 +00:00
kolaente 20249ee68c style(sort): position popup aligned to header right edge 2026-04-07 13:41:13 +00:00
kolaente 326427a242 feat(sort): persist sort selection to URL query parameter
Syncs the sort choice to a ?sort=field:order URL parameter so it
survives page refreshes and can be shared. The default position sort
is omitted from the URL to keep links clean.
2026-04-07 13:41:13 +00:00
kolaente 408e5b347c feat(sort): add sorting popup for list view 2026-04-07 13:41:13 +00:00
kolaente b20df2ef63
fix(deps): update brace-expansion to 5.0.5
Fixes zero-step sequence causing process hang and memory
exhaustion (Dependabot #168).
2026-04-07 15:39:33 +02:00
kolaente efc9b41349
fix(deps): update lodash to 4.18.1
Fixes code injection via _.template (Dependabot #176, #178) and
prototype pollution via _.unset/_.omit (Dependabot #175, #177).
2026-04-07 15:38:52 +02:00
kolaente f40eddd4e3
fix(deps): update defu to 6.1.7
Fixes prototype pollution via __proto__ key (Dependabot #180).
2026-04-07 15:38:17 +02:00
kolaente 34480ef513 fix(migration): center and style migrator logos on migration page
Use inline-flex layout to center logos with titles below. Constrain
logo size with max-block-size and use logical CSS properties.
2026-04-07 12:05:47 +00:00
kolaente 1a1fd780ec feat(migration): add WeKan to migration page with logo
Register WeKan in the AvailableMigrators list and add the frontend
migrator entry with the WeKan logo, referenced as "WeKan ®".
2026-04-07 12:05:47 +00:00
renovate[bot] 33886d2e3c chore(deps): update dev-dependencies 2026-04-06 16:23:31 +00:00
Frederick [Bot] 41a5087198 chore(i18n): update translations via Crowdin 2026-04-06 01:26:55 +00:00
kolaente 4b3b5bb87c docs(helpers): explain djb2 seed constant in stringHash 2026-04-05 12:24:45 +00:00
kolaente 65b6e55252 test(e2e): relax home greeting assertions for rotating pool 2026-04-05 12:24:45 +00:00
kolaente b9c41e0cbf feat(home): rotate greetings from a deterministic per-user daily pool 2026-04-05 12:24:45 +00:00
kolaente fad432a072 i18n: add rotating home greeting variants 2026-04-05 12:24:45 +00:00
kolaente b0bc41291e feat(helpers): add deterministic stringHash for stable daily selection 2026-04-05 12:24:45 +00:00
kolaente d45ae31d8c fix(gantt): preserve query parameters when closing task modal
When closing a task modal opened from the Gantt view, the date range
query parameters were lost because closeModal() reconstructed the
route with only projectId and viewId. Now preserves query parameters
from the backdrop view.
2026-04-05 11:31:37 +00:00
kolaente 642134d16f test(gantt): add e2e test for date range preservation after task modal close
Verifies that opening and closing a task modal on the Gantt view
does not lose the date range query parameters.
2026-04-05 11:31:37 +00:00
kolaente d152fa8475 fix(gantt): use reactive date range in Flatpickr config to prevent reset on task update
Replace static initialDateRange snapshot with reactive filters.value
references inside the computed flatPickerConfig. This ensures the
Flatpickr defaultDate always reflects the current user-selected range
instead of the mount-time values.

Ref #2462
2026-04-05 11:31:37 +00:00
kolaente 297c0c1d8b fix(e2e): seed project in empty-tasks overview test
With truncateAll wiping all tables, the test user has no projects,
so ShowTasks never renders and tasksLoaded stays false — meaning
ImportHint (which is gated on tasksLoaded) never appears. Seed a
project with default views so the empty-state hint is visible.
2026-04-05 09:48:09 +00:00
kolaente adcc74b056 fix: make apiContext auto-fixture and fix remaining view ID conflicts 2026-04-05 09:48:09 +00:00
kolaente 4888b1d8ca fix: move truncateAll to apiContext fixture and fix view ID conflicts 2026-04-05 09:48:09 +00:00
kolaente aa1202fea8 chore: remove redundant truncate calls now that all tables are wiped before each test 2026-04-05 09:48:09 +00:00
kolaente 2ee8ad4109 feat: truncate all tables before each e2e test for clean isolation 2026-04-05 09:48:09 +00:00
kolaente f477da48ec feat: add Factory.truncateAll() helper for e2e tests 2026-04-05 09:48:09 +00:00
kolaente 0834d19f9c
feat: remove flexsearch dependency and replace with simple string filtering (#2542) 2026-04-04 21:41:25 +02:00
kolaente f5752b97e9
feat: add inline PDF viewer for task attachments (#2541) 2026-04-04 21:25:54 +02:00
renovate[bot] 33d607714d chore(deps): update dependency caniuse-lite to v1.0.30001785 2026-04-04 18:38:07 +00:00
kolaente 841b458a5f fix: pass saved filter context to subtask visibility check
When viewing tasks through a saved filter, pass isFilteredView=true
to shouldShowTaskInListView so subtasks are not incorrectly hidden.

Ref: #2494
2026-04-03 19:25:46 +00:00