This commit implements CSRF token support for all session-based API
requests to fix the "CSRF token missing" and "CSRF token mismatch" errors
introduced after CSRF protection was added in commit 62c4cc84.
Changes:
- Created csrfService.ts utility for fetching and caching CSRF tokens
- Added getPostHeadersWithCsrf() helper to authUtils for async token injection
- Updated all service files (*Service.ts) to include CSRF tokens in POST/PUT/PATCH/DELETE requests
- Updated components with inline fetch calls to use getCsrfToken()
- Fixed CSRF middleware to use single lusca instance instead of creating new instances per request
- Improved generateToken() to use req.csrfToken() when available
- Added CalDAV path exemption to CSRF protection
Technical details:
- CSRF tokens are fetched from /api/csrf-token endpoint
- Tokens are cached and reused across requests to avoid unnecessary fetches
- Tokens are included in x-csrf-token header for state-changing requests
- Public endpoints (login, register) remain exempt from CSRF protection
- Bearer token authentication remains exempt from CSRF protection
Files modified:
- Backend: app.js, middleware/csrf.js
- Frontend: 13 service files, 8 component files
- New file: frontend/utils/csrfService.ts
This ensures all session-based requests properly include CSRF tokens while
maintaining support for API token authentication.
- Fix button text showing "Update Project" instead of "Create Project"
by checking for project.uid/id instead of just project existence
- Remove duplicate success toast (ProjectModal already shows one)
- Update both local and global projects store after creation
so new project appears in Projects view without refresh
Fixes#980
Fixes#812
When creating a "Monthly on weekday" recurring task, the selector would
jump back to Monday when trying to select Sunday. This was caused by using
the logical OR operator (||) instead of the nullish coalescing operator (??)
when handling the recurrence_weekday value.
Since Sunday is represented as 0, the || operator treated it as falsy and
defaulted to null/undefined, which then defaulted to 1 (Monday).
Changes:
- Replace || with ?? for recurrence_weekday in TaskRecurrenceCard.tsx
- Replace || with ?? for recurrence_weekday in TaskDetails.tsx
- Also fix recurrence_week_of_month and recurrence_month_day for consistency
* feat: add OIDC/SSO database schema and models (Phase 1)
Add database foundation for OpenID Connect authentication:
Database Migrations:
- Create oidc_identities table (links users to OIDC accounts)
- Create oidc_state_nonces table (OAuth state/nonce for CSRF protection)
- Create auth_audit_log table (security event logging)
- Make password_digest nullable in users table (allow OIDC-only users)
Models:
- OIDCIdentity: Links users to external OIDC providers
- OIDCStateNonce: Temporary OAuth state management
- AuthAuditLog: Authentication event audit trail
Changes:
- Updated User model to allow null password_digest
- Added model associations in models/index.js
- All migrations tested and verified
Related to #977
* feat: add OIDC core services (Phase 2)
- Install openid-client@^6.2.0 for OIDC protocol support
- Implement providerConfig.js for loading providers from .env
- Support single provider or numbered providers (OIDC_PROVIDER_1_*, etc.)
- Auto-provision and admin email domain configuration
- Provider caching for performance
- Implement stateManager.js for OAuth state/nonce management
- CSRF protection with 10-minute TTL
- One-time use state consumption
- Automatic cleanup of expired states
- Implement auditService.js for authentication event logging
- Track login success/failure, logout, OIDC linking/unlinking
- Store IP address, user agent, and metadata
- Support for event queries and retention cleanup
- Add comprehensive unit tests (60 tests, all passing)
- providerConfig: 36 tests for env parsing and validation
- stateManager: 12 tests for state lifecycle and security
- auditService: 12 tests for event logging and queries
Phase 2 completes the backend core services needed for OIDC authentication.
* feat: implement OIDC authentication flow (Phase 3)
Core OIDC Flow (service.js):
- Provider discovery with issuer caching
- Authorization URL generation with state/nonce
- OAuth callback handling and token exchange
- ID token validation using openid-client
- Token refresh functionality
JIT User Provisioning (provisioningService.js):
- Auto-create users from OIDC claims
- Link existing email accounts to OIDC identities
- Admin role assignment based on email domain rules
- Automatic username generation from email
- Transaction-safe identity creation
Identity Management (oidcIdentityService.js):
- List user's linked OIDC identities
- Link additional providers to existing accounts
- Unlink identities with safety checks
- Prevent unlinking last auth method
- Update identity claims on login
HTTP Layer (controller.js + routes.js):
- GET /api/oidc/providers - List configured providers
- GET /api/oidc/auth/:slug - Initiate OIDC flow
- GET /api/oidc/callback/:slug - Handle OAuth callback
- POST /api/oidc/link/:slug - Link provider to current user
- DELETE /api/oidc/unlink/:id - Unlink identity
- GET /api/oidc/identities - Get user's identities
Integration:
- Register OIDC routes in Express app (public + authenticated)
- Update auth service to reject password login for OIDC-only users
- Audit logging for all OIDC operations
- Session creation on successful authentication
Security:
- State/nonce CSRF protection
- One-time use state consumption
- Transaction-safe user provisioning
- Foreign key constraints enforced
* feat: implement OIDC frontend login flow (Phase 4)
- Created OIDCProviderButtons component for SSO login options
- Created OIDCCallback component for OAuth callback handling
- Updated Login page to fetch and display OIDC providers
- Added /auth/callback/:provider route to App.tsx
- Added i18n translations for OIDC UI elements
- Downgraded openid-client to v5.7.0 (CommonJS compatibility)
- Fixed linting issues in backend OIDC modules
Phase 4 completes the frontend login flow for OIDC/SSO authentication.
Users can now see configured SSO providers on the login page.
* feat: implement OIDC account linking UI (Phase 5)
Add Connected Accounts section to Profile Security tab allowing users to:
- View linked OIDC provider accounts
- Link new SSO providers to their account
- Unlink OIDC identities with validation
- Prevent unlinking last authentication method
Backend changes:
- Add has_password virtual field to User model
- Include has_password in profile API response
- Track whether user has password set for validation
Frontend changes:
- Create oidcService for OIDC API operations
- Create ConnectedAccounts component with link/unlink flows
- Add confirmation dialog before unlinking accounts
- Validate that users cannot unlink their last auth method
- Show warning if user has no password set
- Integrate Connected Accounts into SecurityTab
User experience:
- View all linked SSO provider accounts with email and link date
- Link additional providers via "Link Provider" buttons
- Unlink with two-step confirmation to prevent accidents
- Clear error messages when unlinking would leave no auth method
- Warning message suggesting password setup for OIDC-only users
Fixes#977
* feat: complete OIDC documentation and UI improvements (Phase 6)
This commit completes Phase 6 of the OIDC/SSO implementation with comprehensive
documentation, bug fixes, and UI reorganization.
Documentation:
- Add comprehensive user guide at docs/10-oidc-sso.md with:
- Setup guides for 6 major providers (Google, Okta, Keycloak, Authentik, PocketID, Azure AD)
- Configuration examples for single and multiple providers
- User features documentation (login, account linking, management)
- Advanced topics (auto-provisioning, admin role assignment, hybrid auth)
- Comprehensive troubleshooting section
- Security considerations and best practices
- Update README.md with OIDC/SSO section and quick setup examples
Internationalization:
- Add i18n support to OIDCProviderButtons component
- Add translation keys for all OIDC UI text
- Update English translations with "sign_in_with" key
Bug Fixes:
- Fix oidcService.ts to correctly unwrap API responses
- Backend returns {providers: [...]} and {identities: [...]}
- Frontend was expecting plain arrays, causing "map is not a function" error
- Fix initiateOIDCLink to properly handle POST response
UI Improvements:
- Move OIDC/SSO to dedicated tab in profile settings
- Create new OIDCTab component with green LinkIcon
- Remove ConnectedAccounts from SecurityTab
- Add OIDC tab between Security and API Keys tabs
- Update ProfileSettings with new tab configuration
- Security tab now focuses solely on password management
Testing:
- All linting passes
- All tests pass (82 suites, 1223 tests)
Related to #977
* feat: add OIDC/SSO translations for all 24 languages
Add i18n support for OIDC/SSO features across all supported languages:
- "Sign in with {{provider}}" button text
- "OIDC/SSO" tab label in profile settings
- OIDC authentication flow messages
Translations added for: Arabic, Bulgarian, Danish, German, Greek, Spanish,
Finnish, French, Indonesian, Italian, Japanese, Korean, Dutch, Norwegian,
Polish, Portuguese, Romanian, Russian, Slovenian, Swedish, Turkish,
Ukrainian, Vietnamese, and Chinese.
* fix: resolve 13 CodeQL security alerts
This commit addresses critical security vulnerabilities identified by CodeQL scanning:
**Security Configuration (2 fixes)**
- Fix insecure Helmet configuration - enable CSP and HSTS in production
- Fix clear text cookie transmission - enable secure cookies in production
**Path Injection (3 fixes)**
- Add path validation in users/controller.js to prevent arbitrary file deletion
- Add path validation in users/service.js for avatar operations
- Add path sanitization in attachment-utils.js deleteFileFromDisk function
**Cross-Site Scripting (1 fix)**
- Fix XSS vulnerability in GeneralTab.tsx avatar URL handling
- Add URL sanitization to prevent javascript: protocol attacks
**URL Security (2 fixes)**
- Fix double escaping in url/service.js HTML entity decoding
- Fix incomplete URL sanitization for YouTube domain validation
**Denial of Service (1 fix)**
- Add loop bound protection in inboxProcessingService.js (10k char limit)
**Rate Limiting (3 fixes)**
- Add rate limiting to auth routes (register, verify-email)
- Add rate limiting to task attachment upload/delete endpoints
- Add rate limiting to user avatar upload/delete endpoints
**GitHub Actions Security (1 fix)**
- Add explicit read-only permissions to CI workflow
Note: CSRF middleware (#10) requires frontend changes and is tracked separately.
Relates to PR #1008
* fix: allow test files in path validation for tests
* fix: format long condition in attachment-utils for Prettier compliance
Break the path validation condition across multiple lines to meet Prettier formatting requirements and fix CI linting failure.
* fix: resolve CodeQL security alerts
- Add rate limiting to OIDC authentication routes using authLimiter and authenticatedApiLimiter
- Implement CSRF protection middleware using csrf-sync (skips for API tokens and test environment)
- Add CSRF token endpoint at /api/csrf-token
- Fix incomplete URL scheme validation in GeneralTab to block all dangerous schemes (javascript:, data:, vbscript:, file:)
This addresses 5 high-severity CodeQL security vulnerabilities:
- Missing rate limiting on OIDC auth routes
- Missing CSRF middleware protection
- Incomplete URL sanitization in avatar handling
All 1223 tests passing.
* fix: implement CSRF protection with lusca for CodeQL compliance
Add CSRF protection using lusca.csrf (CodeQL's recommended library) to
protect session-based authentication while supporting hybrid auth patterns.
Implementation:
- Pre-check middleware marks exempt requests (test env, Bearer tokens)
- Lusca CSRF middleware applied with exemption flag check
- Session-based requests require valid x-csrf-token header
- Bearer token requests exempt (don't use cookies)
- Test environment exempt for test execution
This addresses CodeQL security alert js/missing-token-validation while
maintaining support for both cookie-based and token-based authentication.
Related: #977 (OIDC/SSO authentication feature)
This commit addresses a critical bug where subtasks would disappear when
updating the parent task (e.g., assigning tags). The issue had multiple
potential causes:
1. Backend vulnerability: The updateSubtasks() function would delete all
subtasks if an empty array was sent, treating it as "delete everything
not in this list"
2. Frontend state management: After reloading a task, subtasks weren't
being preserved if the backend response didn't include them
3. Unclear error messages: "Invalid parent task" errors didn't provide
enough context for debugging
Changes:
- Added defensive logging in updateSubtasks() to warn when all subtasks
are being deleted with an empty array
- Enhanced validateParentTaskAccess() error messages to provide detailed
diagnostics (task not found vs. permission issues vs. wrong user)
- Updated handleTagsUpdate() in TaskDetails to explicitly preserve
subtasks when reloading task after tag updates
This fix is defensive in nature and adds better observability for
diagnosing similar issues in the future.
Fixes issue reported by user where subtasks disappeared after assigning
tags to parent task, and "Invalid parent task" errors occurred when
trying to update the orphaned subtasks.
* Fix critical bug causing subtasks to disappear when updating parent task
This fixes a serious bug where updating tags, priority, status, or due_date
on a parent task would inadvertently delete all its subtasks.
Root Cause:
1. Backend serializer returns `subtasks: []` when Subtasks association is not loaded
2. Frontend was spreading entire task object when updating, sending `subtasks: []`
3. Backend updateSubtasks() interpreted empty array as "delete all subtasks"
Solution:
Remove object spreading from updateTask calls. Only send the specific fields
being updated, not the entire task object.
Fixes the issue reported where assigning tags to a task caused subtasks to vanish.
Related: #TBD (GitHub issue to be created)
* fix: upgrade dependencies to resolve security vulnerabilities
- jest-environment-jsdom: 29.0.0 → 30.3.0
- nodemailer: 7.0.10 → 8.0.4
- sqlite3: 5.1.7 → 6.0.1
All npm audit vulnerabilities resolved (20 high/critical → 0).
Tests passing (1157 pass, 1 pre-existing failure unrelated to upgrades).
* Fix project name overflow and add validation
This commit addresses issue #971 by implementing both UI fixes and
validation to prevent excessively long project names.
Changes:
1. Add word-break and line-clamp to ProjectBanner.tsx to handle
overflow gracefully with line-clamp-3 for names
2. Add frontend validation in ProjectModal.tsx limiting names to
6 words maximum
3. Add backend validation in project.js model with custom wordCount
validator
4. Show user-friendly error messages when validation fails
This ensures project names remain concise and UI-friendly while
preventing the extreme overflow cases that were possible before.
Fixes#971
* Add overflow-hidden to make line-clamp work properly
The line-clamp utility requires explicit overflow-hidden to function
correctly. Without it, the text continues to display in full rather
than being truncated with ellipsis.
* Fix line-clamp using inline CSS styles
Tailwind's line-clamp utilities weren't working, so switched to using
inline styles with the standard CSS approach:
- display: -webkit-box
- -webkit-line-clamp: 3
- -webkit-box-orient: vertical
This ensures the text truncation works reliably across browsers.
* Use Tailwind line-clamp utilities (already defined in CSS)
The project already has line-clamp-1/2/3 utilities properly defined
in tailwind.css with all the necessary webkit properties. Simplified
the component to use these existing utilities instead of inline styles.
* Add dedicated CSS classes with !important for line-clamp
Created custom project-name-clamp and project-desc-clamp classes
with !important flags to ensure they override any conflicting styles.
This should finally fix the text truncation issue.
* Use component-scoped styles for line-clamp
Adding inline style tag in the component to ensure the line-clamp
CSS is definitely loaded and applied. This bypasses any potential
issues with external CSS compilation or loading order.
* Change project name line-clamp from 3 to 2 lines
Limiting project name display to 2 lines with ellipsis for better
visual density and cleaner appearance.
* Increase line-height for project name in banner
Added line-height: 1.3 to project name for better readability
and visual spacing between lines.
* Fix Today page task completion issues
- Fix completed task border color staying as priority color
- Add isInCompletedSection prop to TaskItem for explicit completed state
- Tasks in completed section now always show green border regardless of priority
- Fixes race condition where status wasn't updated during optimistic UI update
- Fix completed task reappearing after unmarking and page refresh
- Add defensive check in backend to force clear completed_at when status is not DONE
- Add development logging in tasksService for debugging completion toggle
- Ensures database state is consistent even if handleCompletionStatus doesn't clear it
- Update TaskList and TasksToday components to pass isInCompletedSection prop
- Explicitly marks tasks rendered in the completed section
- Prevents border color flickering during state transitions
* Add comprehensive logging to debug completion issues
* Fix duplicate API requests causing completion state issues
- Separate state update logic from API call in handleTaskUpdate
- Create new updateTaskInState function for state-only updates
- Pass onTaskCompletionToggle to completed section to avoid duplicate calls
- This fixes the persistence issue where unmarked tasks came back after refresh
- Completion toggles now only make ONE API call instead of two
* Add debug logging to updateTaskInState
* Fix visual overlap between subtasks icon and status dropdown
Increased right padding from pr-44 to pr-48 in TaskHeader desktop view
to prevent the subtasks toggle button from overlapping with the expanded
status dropdown icon.
Fixes#957
* Improve fix for subtasks icon and status dropdown overlap
- Removed flex-1 from task name container to prevent unnecessary expansion
- Wrapped SubtasksToggleButton in flex-shrink-0 div to maintain its width
- Increased right padding from pr-48 to pr-56 for better spacing
- This prevents the subtasks icon from overlapping with the status dropdown
Fixes#957
* Fix subtasks icon placement to be adjacent to task name
Moved SubtasksToggleButton to be directly after the task name within
the same flex container, instead of in a separate container. This positions
the icon immediately next to the task name on the left, rather than being
pushed to the right where it overlaps with the status dropdown.
Fixes#957
* Fix date format inconsistency in Task detail screen (#938)
Replace browser-dependent toLocaleDateString() with explicit country-based
date formatting to ensure consistent date formats based on user's timezone.
Problem:
- User with English language + Greek timezone saw MM/DD/YYYY format
- Expected DD/MM/YYYY format based on timezone/country
- Browser's Intl.DateTimeFormat had incomplete locale support for
combined locales like "en-GR"
Solution:
- Add country-to-format mapping in dateUtils.ts (60+ countries)
- New formatDateByCountry() for dates (DD/MM/YYYY, MM/DD/YYYY, YYYY/MM/DD)
- New formatDateTimeByCountry() for datetimes with 24h time
- Update TaskDueDateCard and TaskDeferUntilCard to use new functions
- Uses date-fns for consistent cross-browser formatting
Testing:
- Added 40 comprehensive test cases covering all format types
- Verified with Greece (DD/MM), US (MM/DD), Japan (YYYY/MM/DD)
- All tests passing
Fixes#938
* chore: remove unused import in dateUtils.ts
Both Navbar.tsx and Login.tsx hardcode absolute paths for the logo
images ('/wide-logo-light.png', '/wide-logo-dark.png'). This breaks
when tududi is served behind a reverse proxy with a subpath, such as
Home Assistant ingress.
The getAssetPath() helper from config/paths already handles base path
detection (including HA ingress auto-detection), and Login.tsx already
uses it for the login graphic. This commit applies the same pattern to
the logo images.
Changes:
- Navbar.tsx: add getAssetPath to import, use it for logo src
- Login.tsx: use getAssetPath for logo src (was already imported)
Fixes#938
The Defer Until field was using i18n.language directly instead of
resolveUserLocale(), causing it to display dates in MM/DD/YYYY format
(US default) regardless of timezone setting.
Now uses the same locale resolution pattern as the Due Date field,
which combines language with timezone-derived country code (e.g.,
"en" + Greek timezone → "en-GR" → DD/MM/YYYY format).
Changes:
- Import useMemo and resolveUserLocale
- Add displayLocale memo to resolve timezone-aware locale
- Use displayLocale instead of i18n.language in toLocaleString()
Remove isSidebarOpen from the useEffect dependency array and from the
API request parameters in Tasks.tsx. The sidebar visibility state has no
bearing on which tasks should be fetched, so toggling it should not
trigger a data re-fetch.
The toggle handler required onSubtaskUpdate callback to make the API
call, but TaskSubtasksCard never provided it. Extract a shared handler
that calls toggleTaskCompletion for persisted subtasks regardless of
whether onSubtaskUpdate is provided, falling back to updating local
state via onSubtasksChange.
When toggling subtask completion in TaskSubtasksSection, the toggle handler
required onSubtaskUpdate callback to make the API call. Components like
TaskSubtasksCard don't pass this callback, so toggling fell through to the
local-only state update path, never sending a network request.
Add an intermediate code path: when the subtask is persisted but
onSubtaskUpdate is not provided, call toggleTaskCompletion() directly
to persist the change, then update local state.
Fixes#920
The SubtasksToggleButton was placed inside the same flex container as
the task name with truncate, causing it to be squeezed to zero width.
Wrap the task name in an inner flex container (matching the upcoming
view layout) so the button stays visible.
* Add projects with due dates to upcoming view
Fetch and include projects with due_date_at in the upcoming range
when type=upcoming is requested. Projects are filtered by ownership
or permissions and exclude completed/archived projects.
Part of #925
* Display upcoming projects in Upcoming view
Add UI to show projects with due dates in the Upcoming view.
Projects are displayed in a separate section below tasks with
links to project details and formatted due dates.
Fixes#925
* Fix prettier formatting errors
Transform project data in createNote to match updateNote behavior.
This ensures project_uid is properly extracted from nested project
object when creating notes with project associations.
Fixes#926
Date fields in the task edit page used i18n.language (e.g. "en") to
determine date format, giving MM/DD for English even when the user's
timezone indicates a DD/MM region (e.g. Europe/Athens).
Enhance resolveUserLocale to derive the country from the user's
timezone and combine it with the language (e.g. "en" + "GR" = "en-GR")
so date formatting follows regional conventions.
