The e2e suite bypasses the OAuth flow via --token, so the callback handler's error branches had zero coverage. Eight tests appended to oauth_test.go drive the handler directly: - happy path: code+state arrive on the channel; response is HTML - authz-server error path: ?error=access_denied&error_description=… bubbles up as a non-nil err containing the description (not the code) - only-code fallback: when error_description is missing, the error message falls back to the error code - empty code: handler captures it; waitForCallback's job to reject - non-GET method: 405 with Allow: GET, nothing pushed to channel (defense against forged POST from a same-origin page) - wrong path: 404, nothing pushed - HTML-escaping: an error containing <script>…</script> renders as <script> — XSS regression guard - nil-err success page: 200 with 'veans is authorized' Plus generateState shape coverage (length, charset, uniqueness) to match the existing TestGeneratePKCE_*. Sanity-checked the XSS test by deleting the html.EscapeString call — it fails with raw <script> in the body. Restored. |
||
|---|---|---|
| .claude | ||
| .github | ||
| .vscode | ||
| .zed | ||
| build | ||
| contrib | ||
| desktop | ||
| examples/plugins/example | ||
| frontend | ||
| pkg | ||
| rest | ||
| veans | ||
| .devcontainer.json | ||
| .dockerignore | ||
| .editorconfig | ||
| .envrc | ||
| .gitignore | ||
| .golangci.yml | ||
| .opensourcefinder-verify | ||
| AGENTS.md | ||
| CHANGELOG.md | ||
| CLAUDE.md | ||
| CONTRIBUTING.md | ||
| CRUSH.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| cliff.toml | ||
| code-header-template.txt | ||
| conductor.json | ||
| config-raw.json | ||
| crowdin.yml | ||
| devenv.lock | ||
| devenv.nix | ||
| devenv.yaml | ||
| go.mod | ||
| go.sum | ||
| magefile.go | ||
| main.go | ||
| mise.toml | ||
| nfpm.yaml | ||
| publiccode.yml | ||
| renovate.json | ||
| tsconfig.json | ||
| vikunja.initd | ||
| vikunja.service | ||
README.md
Vikunja
The Todo-app to organize your life.
If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.
Table of contents
Security Reports
If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.
Features
See the features page on our website for a more exhaustive list or try it on try.vikunja.io!
Docs
All docs can be found on the Vikunja home page.
Roadmap
See the roadmap (hosted on Vikunja!) for more!
Contributing
Please check out the contribution guidelines on the website.
License
Most of this repository is licensed under AGPL‑3.0‑or‑later.
The contents of desktop/ are licensed under
GPL‑3.0‑or‑later.
Unsplash Images
Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplash’s terms for more information.