* fix(mcp): Include subtasks in get_task API response
Add Subtasks association to the findTaskByIdentifier function
so that the get_task MCP API endpoint returns subtasks along
with the main task. This enables clients to access the full
task hierarchy in a single API call.
The serializeTask function already supported subtasks
serialization, so this change only required updating the
query includes to load the Subtasks relation with proper
ordering and Tag associations.
Fixes#1029
* fix(inbox): Fix tag/project autocomplete selection
Fixes#996
Previously, when creating a task from inbox with autocomplete suggestions,
the tag/project replacement would fail if there was regular text before
the hashtag or plus sign. This caused two issues:
1. When typing "#technical_writing" and creating a task, the tag wouldn't
be created or applied because the autocomplete wasn't replacing the input
2. When typing "#tech_" and selecting "technical_writing" from autocomplete,
a new tag "tech_" would be created instead of applying the existing tag
This was caused by an overly restrictive condition in handleTagSelect and
handleProjectSelect that prevented replacement when there was regular text
before the tag/project marker.
Changes:
- Removed the allowReplacement condition that blocked autocomplete when
regular text preceded the tag/project marker
- Simplified handleTagSelect and handleProjectSelect to always replace
partial input when a suggestion is selected
- Added a space after the selected tag/project for better UX
This commit implements CSRF token support for all session-based API
requests to fix the "CSRF token missing" and "CSRF token mismatch" errors
introduced after CSRF protection was added in commit 62c4cc84.
Changes:
- Created csrfService.ts utility for fetching and caching CSRF tokens
- Added getPostHeadersWithCsrf() helper to authUtils for async token injection
- Updated all service files (*Service.ts) to include CSRF tokens in POST/PUT/PATCH/DELETE requests
- Updated components with inline fetch calls to use getCsrfToken()
- Fixed CSRF middleware to use single lusca instance instead of creating new instances per request
- Improved generateToken() to use req.csrfToken() when available
- Added CalDAV path exemption to CSRF protection
Technical details:
- CSRF tokens are fetched from /api/csrf-token endpoint
- Tokens are cached and reused across requests to avoid unnecessary fetches
- Tokens are included in x-csrf-token header for state-changing requests
- Public endpoints (login, register) remain exempt from CSRF protection
- Bearer token authentication remains exempt from CSRF protection
Files modified:
- Backend: app.js, middleware/csrf.js
- Frontend: 13 service files, 8 component files
- New file: frontend/utils/csrfService.ts
This ensures all session-based requests properly include CSRF tokens while
maintaining support for API token authentication.
