* feat: add OIDC/SSO database schema and models (Phase 1)
Add database foundation for OpenID Connect authentication:
Database Migrations:
- Create oidc_identities table (links users to OIDC accounts)
- Create oidc_state_nonces table (OAuth state/nonce for CSRF protection)
- Create auth_audit_log table (security event logging)
- Make password_digest nullable in users table (allow OIDC-only users)
Models:
- OIDCIdentity: Links users to external OIDC providers
- OIDCStateNonce: Temporary OAuth state management
- AuthAuditLog: Authentication event audit trail
Changes:
- Updated User model to allow null password_digest
- Added model associations in models/index.js
- All migrations tested and verified
Related to #977
* feat: add OIDC core services (Phase 2)
- Install openid-client@^6.2.0 for OIDC protocol support
- Implement providerConfig.js for loading providers from .env
- Support single provider or numbered providers (OIDC_PROVIDER_1_*, etc.)
- Auto-provision and admin email domain configuration
- Provider caching for performance
- Implement stateManager.js for OAuth state/nonce management
- CSRF protection with 10-minute TTL
- One-time use state consumption
- Automatic cleanup of expired states
- Implement auditService.js for authentication event logging
- Track login success/failure, logout, OIDC linking/unlinking
- Store IP address, user agent, and metadata
- Support for event queries and retention cleanup
- Add comprehensive unit tests (60 tests, all passing)
- providerConfig: 36 tests for env parsing and validation
- stateManager: 12 tests for state lifecycle and security
- auditService: 12 tests for event logging and queries
Phase 2 completes the backend core services needed for OIDC authentication.
* feat: implement OIDC authentication flow (Phase 3)
Core OIDC Flow (service.js):
- Provider discovery with issuer caching
- Authorization URL generation with state/nonce
- OAuth callback handling and token exchange
- ID token validation using openid-client
- Token refresh functionality
JIT User Provisioning (provisioningService.js):
- Auto-create users from OIDC claims
- Link existing email accounts to OIDC identities
- Admin role assignment based on email domain rules
- Automatic username generation from email
- Transaction-safe identity creation
Identity Management (oidcIdentityService.js):
- List user's linked OIDC identities
- Link additional providers to existing accounts
- Unlink identities with safety checks
- Prevent unlinking last auth method
- Update identity claims on login
HTTP Layer (controller.js + routes.js):
- GET /api/oidc/providers - List configured providers
- GET /api/oidc/auth/:slug - Initiate OIDC flow
- GET /api/oidc/callback/:slug - Handle OAuth callback
- POST /api/oidc/link/:slug - Link provider to current user
- DELETE /api/oidc/unlink/:id - Unlink identity
- GET /api/oidc/identities - Get user's identities
Integration:
- Register OIDC routes in Express app (public + authenticated)
- Update auth service to reject password login for OIDC-only users
- Audit logging for all OIDC operations
- Session creation on successful authentication
Security:
- State/nonce CSRF protection
- One-time use state consumption
- Transaction-safe user provisioning
- Foreign key constraints enforced
* feat: implement OIDC frontend login flow (Phase 4)
- Created OIDCProviderButtons component for SSO login options
- Created OIDCCallback component for OAuth callback handling
- Updated Login page to fetch and display OIDC providers
- Added /auth/callback/:provider route to App.tsx
- Added i18n translations for OIDC UI elements
- Downgraded openid-client to v5.7.0 (CommonJS compatibility)
- Fixed linting issues in backend OIDC modules
Phase 4 completes the frontend login flow for OIDC/SSO authentication.
Users can now see configured SSO providers on the login page.
* feat: implement OIDC account linking UI (Phase 5)
Add Connected Accounts section to Profile Security tab allowing users to:
- View linked OIDC provider accounts
- Link new SSO providers to their account
- Unlink OIDC identities with validation
- Prevent unlinking last authentication method
Backend changes:
- Add has_password virtual field to User model
- Include has_password in profile API response
- Track whether user has password set for validation
Frontend changes:
- Create oidcService for OIDC API operations
- Create ConnectedAccounts component with link/unlink flows
- Add confirmation dialog before unlinking accounts
- Validate that users cannot unlink their last auth method
- Show warning if user has no password set
- Integrate Connected Accounts into SecurityTab
User experience:
- View all linked SSO provider accounts with email and link date
- Link additional providers via "Link Provider" buttons
- Unlink with two-step confirmation to prevent accidents
- Clear error messages when unlinking would leave no auth method
- Warning message suggesting password setup for OIDC-only users
Fixes#977
* feat: complete OIDC documentation and UI improvements (Phase 6)
This commit completes Phase 6 of the OIDC/SSO implementation with comprehensive
documentation, bug fixes, and UI reorganization.
Documentation:
- Add comprehensive user guide at docs/10-oidc-sso.md with:
- Setup guides for 6 major providers (Google, Okta, Keycloak, Authentik, PocketID, Azure AD)
- Configuration examples for single and multiple providers
- User features documentation (login, account linking, management)
- Advanced topics (auto-provisioning, admin role assignment, hybrid auth)
- Comprehensive troubleshooting section
- Security considerations and best practices
- Update README.md with OIDC/SSO section and quick setup examples
Internationalization:
- Add i18n support to OIDCProviderButtons component
- Add translation keys for all OIDC UI text
- Update English translations with "sign_in_with" key
Bug Fixes:
- Fix oidcService.ts to correctly unwrap API responses
- Backend returns {providers: [...]} and {identities: [...]}
- Frontend was expecting plain arrays, causing "map is not a function" error
- Fix initiateOIDCLink to properly handle POST response
UI Improvements:
- Move OIDC/SSO to dedicated tab in profile settings
- Create new OIDCTab component with green LinkIcon
- Remove ConnectedAccounts from SecurityTab
- Add OIDC tab between Security and API Keys tabs
- Update ProfileSettings with new tab configuration
- Security tab now focuses solely on password management
Testing:
- All linting passes
- All tests pass (82 suites, 1223 tests)
Related to #977
* feat: add OIDC/SSO translations for all 24 languages
Add i18n support for OIDC/SSO features across all supported languages:
- "Sign in with {{provider}}" button text
- "OIDC/SSO" tab label in profile settings
- OIDC authentication flow messages
Translations added for: Arabic, Bulgarian, Danish, German, Greek, Spanish,
Finnish, French, Indonesian, Italian, Japanese, Korean, Dutch, Norwegian,
Polish, Portuguese, Romanian, Russian, Slovenian, Swedish, Turkish,
Ukrainian, Vietnamese, and Chinese.
* fix: resolve 13 CodeQL security alerts
This commit addresses critical security vulnerabilities identified by CodeQL scanning:
**Security Configuration (2 fixes)**
- Fix insecure Helmet configuration - enable CSP and HSTS in production
- Fix clear text cookie transmission - enable secure cookies in production
**Path Injection (3 fixes)**
- Add path validation in users/controller.js to prevent arbitrary file deletion
- Add path validation in users/service.js for avatar operations
- Add path sanitization in attachment-utils.js deleteFileFromDisk function
**Cross-Site Scripting (1 fix)**
- Fix XSS vulnerability in GeneralTab.tsx avatar URL handling
- Add URL sanitization to prevent javascript: protocol attacks
**URL Security (2 fixes)**
- Fix double escaping in url/service.js HTML entity decoding
- Fix incomplete URL sanitization for YouTube domain validation
**Denial of Service (1 fix)**
- Add loop bound protection in inboxProcessingService.js (10k char limit)
**Rate Limiting (3 fixes)**
- Add rate limiting to auth routes (register, verify-email)
- Add rate limiting to task attachment upload/delete endpoints
- Add rate limiting to user avatar upload/delete endpoints
**GitHub Actions Security (1 fix)**
- Add explicit read-only permissions to CI workflow
Note: CSRF middleware (#10) requires frontend changes and is tracked separately.
Relates to PR #1008
* fix: allow test files in path validation for tests
* fix: format long condition in attachment-utils for Prettier compliance
Break the path validation condition across multiple lines to meet Prettier formatting requirements and fix CI linting failure.
* fix: resolve CodeQL security alerts
- Add rate limiting to OIDC authentication routes using authLimiter and authenticatedApiLimiter
- Implement CSRF protection middleware using csrf-sync (skips for API tokens and test environment)
- Add CSRF token endpoint at /api/csrf-token
- Fix incomplete URL scheme validation in GeneralTab to block all dangerous schemes (javascript:, data:, vbscript:, file:)
This addresses 5 high-severity CodeQL security vulnerabilities:
- Missing rate limiting on OIDC auth routes
- Missing CSRF middleware protection
- Incomplete URL sanitization in avatar handling
All 1223 tests passing.
* fix: implement CSRF protection with lusca for CodeQL compliance
Add CSRF protection using lusca.csrf (CodeQL's recommended library) to
protect session-based authentication while supporting hybrid auth patterns.
Implementation:
- Pre-check middleware marks exempt requests (test env, Bearer tokens)
- Lusca CSRF middleware applied with exemption flag check
- Session-based requests require valid x-csrf-token header
- Bearer token requests exempt (don't use cookies)
- Test environment exempt for test execution
This addresses CodeQL security alert js/missing-token-validation while
maintaining support for both cookie-based and token-based authentication.
Related: #977 (OIDC/SSO authentication feature)
The Inbox model was imported as `Inbox` but the model is exported
from models/index as `InboxItem`, causing `add_to_inbox` and
`list_inbox` to throw "Cannot read properties of undefined (reading
'create'/'findAll')" at runtime.
Fixes#997
- Add Task.STATUS.CANCELLED to exclusion list in fetchOverdueTasks()
- Add Task.STATUS.CANCELLED to exclusion list in fetchTasksDueToday()
- Cancelled tasks now properly filtered out from Today page sections
- All existing tests pass
* fix: correct bi-weekly recurring task scheduling for multi-day patterns
Fixes#1004
Previously, when a recurring task was set to repeat every N weeks (where N > 1)
on multiple weekdays that span a week boundary (e.g., Saturday + Sunday), the
algorithm incorrectly calculated the next occurrence dates.
The issue was in the calculateWeeklyRecurrence function, which didn't properly
determine when to add the interval skip for multi-weekday patterns. It would:
- Correctly handle Sat -> Sun (adjacent days, same cycle)
- Incorrectly handle Sun -> Sat (should skip weeks, but didn't)
This fix improves the logic to:
1. Detect when the current day is the last weekday in the pattern cycle
2. Account for Sunday (day 0) wrapping around in the day-of-week numbering
3. Only add interval skips when truly moving to a new cycle, not when moving
between weekdays within the same cycle
Test coverage added for:
- Bi-weekly Saturday + Sunday pattern (the reported bug)
- Starting from different days in the pattern
- Bi-weekly Tuesday + Thursday pattern
- Tri-weekly Friday + Saturday + Sunday pattern
* docs: update MEMORY.md with GitHub template requirements
- Add detailed PR template requirements and structure
- Expand bug report template requirements with all fields
- Update last modified date
This commit addresses a critical bug where subtasks would disappear when
updating the parent task (e.g., assigning tags). The issue had multiple
potential causes:
1. Backend vulnerability: The updateSubtasks() function would delete all
subtasks if an empty array was sent, treating it as "delete everything
not in this list"
2. Frontend state management: After reloading a task, subtasks weren't
being preserved if the backend response didn't include them
3. Unclear error messages: "Invalid parent task" errors didn't provide
enough context for debugging
Changes:
- Added defensive logging in updateSubtasks() to warn when all subtasks
are being deleted with an empty array
- Enhanced validateParentTaskAccess() error messages to provide detailed
diagnostics (task not found vs. permission issues vs. wrong user)
- Updated handleTagsUpdate() in TaskDetails to explicitly preserve
subtasks when reloading task after tag updates
This fix is defensive in nature and adds better observability for
diagnosing similar issues in the future.
Fixes issue reported by user where subtasks disappeared after assigning
tags to parent task, and "Invalid parent task" errors occurred when
trying to update the orphaned subtasks.
Fix calculateInitialDueDate() to properly handle recurrence_weekdays array
when creating or updating weekly recurring tasks with multiple weekdays.
Previously, the function only checked for recurrence_weekday (singular) and
ignored recurrence_weekdays (plural array), causing tasks with multiple
weekdays to incorrectly get today's date instead of the next occurrence.
Changes:
- Add support for recurrence_weekdays array in calculateInitialDueDate()
- Fix buildUpdateAttributes() to pass recurrence_weekdays parameter
- Add 8 unit tests covering multiple weekdays scenarios
- Add 3 integration tests for API CREATE and UPDATE operations
- Maintain backward compatibility with single recurrence_weekday
The fix mirrors the proven logic from calculateWeeklyRecurrence() in
recurringTaskService.js and properly handles edge cases like unsorted
arrays, wrapping to next week, and JSON string parsing.
Fixes#974
* Fix Today page task completion issues
- Fix completed task border color staying as priority color
- Add isInCompletedSection prop to TaskItem for explicit completed state
- Tasks in completed section now always show green border regardless of priority
- Fixes race condition where status wasn't updated during optimistic UI update
- Fix completed task reappearing after unmarking and page refresh
- Add defensive check in backend to force clear completed_at when status is not DONE
- Add development logging in tasksService for debugging completion toggle
- Ensures database state is consistent even if handleCompletionStatus doesn't clear it
- Update TaskList and TasksToday components to pass isInCompletedSection prop
- Explicitly marks tasks rendered in the completed section
- Prevents border color flickering during state transitions
* Add comprehensive logging to debug completion issues
* Fix duplicate API requests causing completion state issues
- Separate state update logic from API call in handleTaskUpdate
- Create new updateTaskInState function for state-only updates
- Pass onTaskCompletionToggle to completed section to avoid duplicate calls
- This fixes the persistence issue where unmarked tasks came back after refresh
- Completion toggles now only make ONE API call instead of two
* Add debug logging to updateTaskInState
* Fix recurring task initial due date calculation to match recurrence pattern
Resolves#963
When creating a recurring task without an explicit due date, the system
was incorrectly setting it to "today" regardless of the recurrence pattern.
This caused issues where:
- Monthly tasks set to recur on a specific day (e.g., 28th) would show the
wrong due date (today/yesterday instead of the 28th)
- Tasks wouldn't appear correctly in the Upcoming view
- The base due_date didn't match the recurrence_month_day setting
Changes:
- Add calculateInitialDueDate() helper to compute correct first occurrence
- For monthly recurrence with specific day: calculate next occurrence of that day
- For weekly recurrence with specific weekday: calculate next occurrence of that weekday
- For other types (daily, etc.): maintain current behavior (use today)
- Apply same logic to both task creation and updates
Tests:
- Add comprehensive test suite (9 new tests) covering:
- Monthly recurrence with future day in current month
- Monthly recurrence with past day (should use next month)
- Weekly recurrence with specific weekday
- Daily recurrence (should still default to today)
- Edge cases (31st of month, explicitly provided dates)
- Task updates adding recurrence
All 54 recurring task tests pass.
* Fix UTC timezone bug in recurring task expansion and add comprehensive tests
- Fix expandRecurringTasks() to use setUTCHours instead of setHours
- Add 42 unit tests for recurringTaskService UTC consistency
- Add 24 DST transition tests (spring forward/fall back)
- Verify no occurrence skips or duplicates during DST
- Test month-end handling, leap years, and timezone boundaries
Resolves#960
The update_project endpoint now properly handles clearing nullable fields
(due_date_at, area_id, priority, image_url) when set to null or empty string.
Previously, sending an empty string would not clear the field. Now empty
strings are explicitly converted to null for database consistency.
Changes:
- Convert empty strings to null for nullable fields in project update
- Add tests for clearing due_date_at with null and empty string
- Apply same fix to area_id, priority, and image_url for consistency
* Fix Telegram notification spam with channel-level rate limiting
Addresses issue #950 where Telegram notifications were sent excessively
(96-288 messages per day per task) due to the delete-and-recreate pattern
added in commit 105a913a to fix navbar notification pile-up.
Changes:
- Add channel_sent_at JSON field to notifications table to track when
each channel (telegram, email, push) was last sent
- Add helper methods to notification model:
- markChannelAsSent(channel): Records send timestamp
- wasChannelRecentlySent(channel, threshold): Checks if sent within 24h
- Modify sendTelegramNotification() to check rate limit before sending
- Update service layer (dueTaskService, deferredTaskService,
dueProjectService) to preserve channel_sent_at when recreating
notifications
- Add comprehensive unit and integration tests (20 tests, all passing)
Impact:
- Reduces Telegram notifications from 96-288/day to 1/day per item
- Preserves in-app notification refresh behavior (every 5-15 min)
- Maintains navbar pile-up fix from original commit
- Rate limit configurable (default: 24 hours)
Fixes#950
* Fix linting and formatting issues
* Fix integration test that was trying to access private function
* Fix prettier formatting in integration test
* Fix notification deduplication to prevent pile-up in navbar (#944)
When tasks/projects remained pending for multiple days, duplicate
notifications accumulated in the navbar instead of showing only the
most recent one.
Updated notification services to properly handle existing notifications:
- Delete unread notifications before creating new ones
- Respect dismissed notifications (don't recreate)
- Respect read notifications (don't duplicate)
Changes:
- Updated dueTaskService, deferredTaskService, and dueProjectService
- Added comprehensive unit tests with 8 test cases
Fixes#944
* Fix lint errors and add GitHub bug template reminder to docs
* fixup! Fix date format inconsistency in Defer Until field
* fixup! fixup! Fix date format inconsistency in Defer Until field
* fixup! fixup! fixup! Fix date format inconsistency in Defer Until field
Added proper ordering configuration (separate: true and order clause)
to subtask queries in query-builders.js. This ensures subtasks are
always returned in the correct order based on the 'order' field and
'created_at' timestamp, preventing the intermittent reordering bug
that occurred after checking subtasks as complete and reloading.
Fixes#921
* Add projects with due dates to upcoming view
Fetch and include projects with due_date_at in the upcoming range
when type=upcoming is requested. Projects are filtered by ownership
or permissions and exclude completed/archived projects.
Part of #925
* Display upcoming projects in Upcoming view
Add UI to show projects with due dates in the Upcoming view.
Projects are displayed in a separate section below tasks with
links to project details and formatted due dates.
Fixes#925
* Fix prettier formatting errors
Recurring task templates had their names replaced with the recurrence
type label (e.g. "Weekly") in search results, making them unrecognizable.
Skip the display name transform when serializing tasks for search.
