vikunja/.github/workflows
Tink bot 35aa486eb5 feat(veans): use OAuth 2.0 Authorization Code + PKCE as default auth
Vikunja's built-in OAuth server (Vikunja 2.3+) does not require client
registration and accepts arbitrary client_ids — it just enforces PKCE
(S256) and constrains redirect URIs to the vikunja- scheme. Earlier I
deferred OAuth on the assumption it needed a registered client; that
was wrong, and the docs make the path much smoother than POST /login.

The custom-scheme constraint (no http:// loopback) is side-stepped by
manual paste-back: veans prints the authorize URL, the user signs in,
their browser fails to open vikunja-veans-cli://callback?code=... and
shows an error, the user copies the URL from the address bar and
pastes it back. CLI extracts code + state, verifies state for CSRF,
exchanges via POST /api/v1/oauth/token (JSON body — Vikunja rejects
form-encoded), and returns the access token.

Resolution order in AcquireHumanToken:
  1. --token (paste-in JWT or personal API token; SSO/OIDC users)
  2. --use-password / --username + --password (POST /login)
  3. OAuth flow (interactive default)

login command supports the same --use-password / --token escape hatches
for token rotation on instances with OAuth disabled.

Includes unit tests for the PKCE generator (verifier shape per RFC 7636,
challenge = SHA256(verifier) base64url-no-pad), authorize-URL
construction, and the lenient callback parser (full URL / query-only /
bare code).
2026-05-27 08:21:57 +00:00
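The PKCE derivation and the lenient paste-back parsing described in the commit message above, as an added example in Go; it is not code from the veans repository. The function names and the stateChecked return value are hypothetical, and the message does not say how veans treats the state check when only a bare code is pasted.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// newVerifier: 32 random bytes -> 43 chars, the RFC 7636 minimum length.
func newVerifier() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to continue
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// challengeS256 computes base64url-no-pad(SHA256(verifier)).
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// parseCallback takes a full URL, a query string or a bare code; stateChecked is false for a bare code.
func parseCallback(pasted, wantState string) (code string, stateChecked bool, err error) {
	s := strings.TrimSpace(pasted)
	if i := strings.IndexByte(s, '?'); i >= 0 {
		s = s[i+1:] // full URL: keep only the query
	} else if s != "" && !strings.Contains(s, "=") {
		return s, false, nil // bare code: no state to compare
	}
	q, err := url.ParseQuery(s)
	if err != nil {
		return "", false, err
	}
	if st := q.Get("state"); st == "" || st != wantState {
		return "", false, fmt.Errorf("state missing or mismatched")
	}
	if code = q.Get("code"); code == "" {
		return "", false, fmt.Errorf("no code in callback")
	}
	return code, true, nil
}

func main() {
	fmt.Println(parseCallback("vikunja-veans-cli://callback?code=abc&state=s1", "s1")) // constructed input
}
```

A caller can use stateChecked to tell the user that a bare code was accepted without the CSRF comparison, since only the full URL or query form carries a state to compare.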
auto-label.prompt.md ci: add AI-powered auto-labeling for new issues and PRs 2026-04-11 17:45:36 +02:00
auto-label.yml fix(ci): use working model 2026-04-11 17:55:47 +02:00
ci.yml feat(ci): enable merge queue trigger 2026-03-20 11:53:08 +01:00
crowdin.yml fix(ci): commit newly added Crowdin translation files 2026-05-18 17:57:21 +00:00
dependency-diff.yml feat: add dependency diff and provenance GitHub Action for PRs 2026-02-17 12:00:31 +01:00
issue-closed-comment.yml fix: support merge queue in issue-closed-comment workflow 2026-03-25 10:20:36 +01:00
nixpkgs-update.yml fix(ci): skip interactive prompt in nixpkgs update workflow 2026-04-11 15:00:42 +00:00
preview.yml fix(ci): use actual docker meta tags for preview comment SHA links 2026-04-07 15:05:48 +00:00
release.yml feat(ci): sign archlinux packages with GPG for pacman verification 2026-04-14 19:35:23 +02:00
stale-waiting-for-reply.yml chore: update stale workflow 2026-04-29 09:10:09 +02:00
test.yml feat(veans): use OAuth 2.0 Authorization Code + PKCE as default auth 2026-05-27 08:21:57 +00:00