vikunja/pkg/user
Claude 64c3f464ac
feat: add project-scoped API tokens
Add optional project scope to API tokens, allowing tokens to be restricted
to a specific project and optionally its sub-projects. This builds on the
existing API token system by adding two new fields: project_id and
include_sub_projects.

Key changes:
- Database migration adding project_id and include_sub_projects columns
- ProjectScopedAuth wrapper type implementing web.Auth with scope info
- AuthUnwrapper interface for transparent auth type unwrapping
- Scope enforcement in project/task permission checks and list queries
- Middleware resolves scoped project IDs (with recursive CTE for sub-projects)
- Frontend: project selector in token creation form, scope display in list
- Tests for scope resolution, permission enforcement, and token creation

https://claude.ai/code/session_015JjPNeSkwxYQNCeMf2PYTi
2026-03-22 11:28:40 +00:00
caldav_token.go fix(caldav): eliminate nested db session in CalDAV auth 2026-03-03 10:41:19 +01:00
db.go feat: register Vikunja tables with db package at init 2026-03-04 15:37:54 +01:00
delete.go fix: address review comments on session lifecycle 2026-02-25 11:03:02 +01:00
error.go fix: 403 http error code on failed login (#1756) 2025-11-06 08:40:46 +01:00
events.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
listeners.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
main_test.go feat: move to slog for logging 2025-07-21 18:15:39 +02:00
notifications.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
test.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
token.go fix(auth): correctly delete older password reset tokens in cron 2026-02-27 14:44:26 +01:00
totp.go refactor: use StatusAccountLocked for TOTP lockouts 2026-03-20 11:23:21 +00:00
update_email.go fix: eliminate nested database sessions to prevent table locks 2026-02-25 11:03:02 +01:00
update_email_test.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
user.go feat: add project-scoped API tokens 2026-03-22 11:28:40 +00:00
user_create.go fix(events): defer event dispatch for user creation and task positions 2026-03-03 12:46:34 +01:00
user_email_confirm.go fix: prevent email confirmation from re-enabling admin-disabled accounts 2026-03-20 11:23:21 +00:00
user_email_confirm_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_password_reset.go fix: reject password reset token requests for disabled users 2026-03-20 11:23:21 +00:00
user_test.go fix: update test expectations for new disabled user fixture 2026-03-20 11:23:21 +00:00
users_project.go feat: bypass discoverability settings for external team members 2026-03-04 20:32:11 +01:00
validator.go feat(api): enforce password validation on reset and update flows 2026-02-25 13:44:56 +01:00