Commit Graph

34 Commits

Author SHA1 Message Date
kolaente
75c9b753a8 fix: strip BasicAuth credentials from project webhook API responses 2026-03-23 16:35:47 +00:00
kolaente
e5a1c05771 refactor: use shared SSRF-safe HTTP client in webhook code 2026-03-23 16:34:22 +00:00
kolaente
212968cec4 chore(lint): suppress additional gosec false positives
Add #nosec comments for G703/G704 findings in db, doctor, webhooks,
gravatar, unsplash, and migration helper code.
2026-03-23 16:40:07 +01:00
kolaente
8d9bc3e65e feat(webhooks): add built-in SSRF protection using daenney/ssrf
Block webhook requests to non-globally-routable IP addresses by default.
Uses net.Dialer.Control hook to validate resolved IPs against IANA
Special Purpose Registries after DNS resolution, preventing DNS rebinding.

Configurable via webhooks.allownonroutableips (default: false).
2026-03-19 15:18:06 +01:00
kolaente
d4577c660f feat: add user_id to webhooks and user-directed event infrastructure
Add user_id column to webhooks table (nullable, for user-level webhooks
vs project-level). Extend webhook model, permissions, and listener to
support user-level webhooks that fire for user-directed events like
task reminders and overdue task notifications.

Add TasksOverdueEvent for dispatching overdue notifications via webhooks.
Update webhook permissions to handle both user-level and project-level
ownership. Add webhook test fixture and register webhooks table in test
fixture loader.
2026-03-08 19:45:53 +01:00
rhclayto
cf029cef0c feat: add option to send Basic Auth header with webhook requests (#2137)
Resolves https://github.com/go-vikunja/vikunja/issues/2136
Docs PR: https://github.com/go-vikunja/website/pull/284
2026-01-30 15:07:31 +01:00
kolaente
731b7c3001 fix: avoid mutating global http.DefaultClient in webhook proxy (#2145)
Fixes a bug where the webhook HTTP client was mutating `http.DefaultClient` (the global singleton), causing ALL HTTP requests in the application to use the webhook proxy. This broke OIDC authentication and other external HTTP calls when webhook proxy was configured.

Fixes #2144
2026-01-24 13:58:47 +01:00
kolaente
a81a3ee0e5 feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kolaente
a8025a9e36 fix: guard invalid user lookups (#1034) 2025-06-26 21:58:47 +00:00
Dominik Pschenitschni
296577a875 fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente
333e35e648 feat: add expand property to read one task 2025-01-24 11:20:23 +01:00
kolaente
c252c8f0cd fix: reset id before creating 2024-09-17 10:46:14 +02:00
kolaente
2063da9eec chore(web): move web handler package to Vikunja 2024-08-29 16:15:28 +02:00
kolaente
a6fccfb908 fix(webhook): log errors in webhook response 2024-06-03 13:11:44 +02:00
kolaente
57bd5aca80 fix(webhooks): send application/json header 2023-12-06 14:09:49 +01:00
kolaente
55d345e236 feat(webhooks): validate events and target url 2023-10-20 12:42:28 +02:00
kolaente
61cd08fa13 fix(webhooks): add created by user object when creating a webhook 2023-10-18 22:18:45 +02:00
kolaente
72366a5b27 feat(webhooks): add created by user object when returning all webhooks 2023-10-18 20:06:07 +02:00
kolaente
b4e3d8ee47 fix(webhooks): lint 2023-10-17 20:40:09 +02:00
kolaente
7a74e491da fix(webhooks): lint 2023-10-17 20:35:14 +02:00
kolaente
2c84cec044 docs(webhooks): add swagger docs for all webhook endpoints 2023-10-17 20:35:14 +02:00
kolaente
fc0029eed7 fix(webhooks): don't send the proxy auth header to the webhook target 2023-10-17 20:35:14 +02:00
kolaente
1b82f26d3e chore(webhooks): simplify registering webhook events 2023-10-17 20:35:13 +02:00
kolaente
ec4aa606e2 chore(webhooks): reuse webhook client 2023-10-17 20:35:13 +02:00
kolaente
831aa4a014 feat(webhooks): add support for webhook proxy 2023-10-17 20:35:13 +02:00
kolaente
b38360c9a5 feat(webhooks): add timeout config option 2023-10-17 20:35:13 +02:00
kolaente
34a92b759e feat(webhooks): add setting to enable webhooks 2023-10-17 20:35:13 +02:00
kolaente
a0d8b28813 feat(webhooks): add hmac signing 2023-10-17 20:35:13 +02:00
kolaente
4253d14367 chore(webhooks): remove WebhookEvent interface 2023-10-17 20:35:13 +02:00
kolaente
96ccf6b923 feat(webhooks): add route to get all available webhook events 2023-10-17 20:35:13 +02:00
kolaente
57de44694c feat(webhooks): add index on project id 2023-10-17 20:35:13 +02:00
kolaente
c5de41f183 feat(webhooks): add event listener to send webhook payload 2023-10-17 20:35:12 +02:00
kolaente
e5b8d8bd2d feat(webhooks): register task and project events as webhook 2023-10-17 20:35:12 +02:00
kolaente
ad7d485eb5 feat(webhooks): add basic crud actions for webhooks 2023-10-17 20:35:12 +02:00