[PR #2308] feat: OAuth 2.0 authorization server for Flutter app #4056

New Issue

Open

opened 2026-03-22 15:00:24 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-03-22 15:00:24 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/2308
Author: @kolaente
Created: 2/26/2026
Status: 🔄 Open

Base: main ← Head: feat-oauth-server

---

📝 Commits (10+)

• 0f4f373 feat: add OAuthCode model for OAuth 2.0 authorization codes
• 9811b54 feat: add database migration for oauth_codes table
• 634c04d feat: add OAuth server error types
• 0cce26e feat: add OAuth server client config and PKCE verification
• eb83aa7 feat: register OAuth authorize and token routes
• 862d56e feat: handle OAuth redirect parameter after login
• 10ac330 test: add web tests for OAuth 2.0 authorization flow
• 079729b chore: lint fixes for OAuth server implementation
• a806531 fix: check disabled account status in authorization code grant
• 38d5505 fix: use ServicePublicURL instead of Host header in buildAuthorizeURL

📊 Changes

18 files changed (+1434 additions, -6 deletions)

View changed files

📝 frontend/src/views/user/Login.vue (+19 -1)
📝 frontend/src/views/user/OpenIdAuth.vue (+18 -1)
➕ frontend/tests/e2e/user/oauth-authorize.spec.ts (+135 -0)
➕ pkg/db/fixtures/oauth_codes.yml (+2 -0)
➕ pkg/migration/20260226172819.go (+51 -0)
📝 pkg/models/error.go (+179 -0)
📝 pkg/models/models.go (+1 -0)
➕ pkg/models/oauth_codes.go (+99 -0)
📝 pkg/models/setup_tests.go (+1 -0)
📝 pkg/modules/auth/auth.go (+5 -4)
➕ pkg/modules/auth/oauth2server/authorize.go (+164 -0)
➕ pkg/modules/auth/oauth2server/client.go (+44 -0)
➕ pkg/modules/auth/oauth2server/client_test.go (+35 -0)
➕ pkg/modules/auth/oauth2server/pkce.go (+34 -0)
➕ pkg/modules/auth/oauth2server/pkce_test.go (+51 -0)
➕ pkg/modules/auth/oauth2server/token.go (+222 -0)
📝 pkg/routes/routes.go (+9 -0)
➕ pkg/webtests/oauth2_test.go (+365 -0)

📄 Description

Summary

This PR implements an OAuth 2.0 authorization server to enable the Flutter app to authenticate using the authorization code flow with PKCE.

Changes

Backend

• OAuthCode model (pkg/models/oauth_codes.go) - Stores authorization codes with PKCE challenge, user ID, and expiry
• Database migration (pkg/migration/20260226172819.go) - Creates oauth_codes table
• OAuth error types (pkg/models/error.go) - Added 7 error types (17001-17007) for OAuth-specific errors
• OAuth2 server package (pkg/modules/auth/oauth2server/):
  • client.go - Client validation (Flutter client ID: vikunja-flutter, redirect URI: vikunja://callback)
  • pkce.go - PKCE S256 verification
  • authorize.go - Authorization endpoint handler (GET /api/v1/oauth/authorize)
  • token.go - Token endpoint handler (POST /api/v1/oauth/token) with authorization_code and refresh_token grant types
• Route registration (pkg/routes/routes.go) - Registered OAuth endpoints

Frontend

• Login.vue and OpenIdAuth.vue - Handle OAuth redirect parameter after successful login

Tests

• Unit tests for client validation and PKCE verification
• Web tests (pkg/webtests/oauth2_test.go) - 11 integration test cases covering the full OAuth flow

OAuth Flow

1. Flutter app opens /api/v1/oauth/authorize with client_id, redirect_uri, response_type, code_challenge, code_challenge_method
2. If not logged in, redirects to login page with return URL
3. After login, redirects back to authorize endpoint
4. Authorize endpoint creates code and redirects to vikunja://callback with code
5. Flutter app exchanges code for tokens via POST /api/v1/oauth/token
6. Refresh tokens can be exchanged for new access/refresh token pairs

Security Features

• PKCE (S256) required for all authorization requests
• Single-use authorization codes (deleted on use)
• 10-minute code expiry
• Refresh token rotation
• Same-origin validation for OAuth redirects in frontend

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/2308 **Author:** [@kolaente](https://github.com/kolaente) **Created:** 2/26/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `feat-oauth-server` --- ### 📝 Commits (10+) - [`0f4f373`](https://github.com/go-vikunja/vikunja/commit/0f4f373de759660c5ab0ce01ebd76a48b32db646) feat: add OAuthCode model for OAuth 2.0 authorization codes - [`9811b54`](https://github.com/go-vikunja/vikunja/commit/9811b54625481c03c7bc4108eeabcbaa488b3d34) feat: add database migration for oauth_codes table - [`634c04d`](https://github.com/go-vikunja/vikunja/commit/634c04d079e900aca9f48ffe5dfeeff8fae4f9ae) feat: add OAuth server error types - [`0cce26e`](https://github.com/go-vikunja/vikunja/commit/0cce26ededfd5c8dd649abe465e0b8320278442b) feat: add OAuth server client config and PKCE verification - [`eb83aa7`](https://github.com/go-vikunja/vikunja/commit/eb83aa76c9ed926105f58c62e5c8e4cae3d13dfe) feat: register OAuth authorize and token routes - [`862d56e`](https://github.com/go-vikunja/vikunja/commit/862d56e19e8f3a4f8b69e96777f621a3a1f8e254) feat: handle OAuth redirect parameter after login - [`10ac330`](https://github.com/go-vikunja/vikunja/commit/10ac330459f10892f2fddb2236cc1731a9713543) test: add web tests for OAuth 2.0 authorization flow - [`079729b`](https://github.com/go-vikunja/vikunja/commit/079729bf47478b202f2db7769094b6237bd3572c) chore: lint fixes for OAuth server implementation - [`a806531`](https://github.com/go-vikunja/vikunja/commit/a806531a298d401e9693764f935f3fa66b3d77bf) fix: check disabled account status in authorization code grant - [`38d5505`](https://github.com/go-vikunja/vikunja/commit/38d5505f5ead24f65135863b7bab51b7f3622964) fix: use ServicePublicURL instead of Host header in buildAuthorizeURL ### 📊 Changes **18 files changed** (+1434 additions, -6 deletions) <details> <summary>View changed files</summary> 📝 `frontend/src/views/user/Login.vue` (+19 -1) 📝 `frontend/src/views/user/OpenIdAuth.vue` (+18 -1) ➕ `frontend/tests/e2e/user/oauth-authorize.spec.ts` (+135 -0) ➕ `pkg/db/fixtures/oauth_codes.yml` (+2 -0) ➕ `pkg/migration/20260226172819.go` (+51 -0) 📝 `pkg/models/error.go` (+179 -0) 📝 `pkg/models/models.go` (+1 -0) ➕ `pkg/models/oauth_codes.go` (+99 -0) 📝 `pkg/models/setup_tests.go` (+1 -0) 📝 `pkg/modules/auth/auth.go` (+5 -4) ➕ `pkg/modules/auth/oauth2server/authorize.go` (+164 -0) ➕ `pkg/modules/auth/oauth2server/client.go` (+44 -0) ➕ `pkg/modules/auth/oauth2server/client_test.go` (+35 -0) ➕ `pkg/modules/auth/oauth2server/pkce.go` (+34 -0) ➕ `pkg/modules/auth/oauth2server/pkce_test.go` (+51 -0) ➕ `pkg/modules/auth/oauth2server/token.go` (+222 -0) 📝 `pkg/routes/routes.go` (+9 -0) ➕ `pkg/webtests/oauth2_test.go` (+365 -0) </details> ### 📄 Description ## Summary This PR implements an OAuth 2.0 authorization server to enable the Flutter app to authenticate using the authorization code flow with PKCE. ## Changes ### Backend - OAuthCode model (pkg/models/oauth_codes.go) - Stores authorization codes with PKCE challenge, user ID, and expiry - Database migration (pkg/migration/20260226172819.go) - Creates oauth_codes table - OAuth error types (pkg/models/error.go) - Added 7 error types (17001-17007) for OAuth-specific errors - OAuth2 server package (pkg/modules/auth/oauth2server/): - client.go - Client validation (Flutter client ID: vikunja-flutter, redirect URI: vikunja://callback) - pkce.go - PKCE S256 verification - authorize.go - Authorization endpoint handler (GET /api/v1/oauth/authorize) - token.go - Token endpoint handler (POST /api/v1/oauth/token) with authorization_code and refresh_token grant types - Route registration (pkg/routes/routes.go) - Registered OAuth endpoints ### Frontend - Login.vue and OpenIdAuth.vue - Handle OAuth redirect parameter after successful login ### Tests - Unit tests for client validation and PKCE verification - Web tests (pkg/webtests/oauth2_test.go) - 11 integration test cases covering the full OAuth flow ## OAuth Flow 1. Flutter app opens /api/v1/oauth/authorize with client_id, redirect_uri, response_type, code_challenge, code_challenge_method 2. If not logged in, redirects to login page with return URL 3. After login, redirects back to authorize endpoint 4. Authorize endpoint creates code and redirects to vikunja://callback with code 5. Flutter app exchanges code for tokens via POST /api/v1/oauth/token 6. Refresh tokens can be exchanged for new access/refresh token pairs ## Security Features - PKCE (S256) required for all authorization requests - Single-use authorization codes (deleted on use) - 10-minute code expiry - Refresh token rotation - Same-origin validation for OAuth redirects in frontend --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-03-22 15:00:24 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

renovate/dev-dependencies

claude/analyze-beans-project-9VxoS

feat-huma-api-v2-migration

feat-v2-foundation

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

feat-project-templates

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.0

v1.1.0

v1.0.0

v1.0.0-rc4

v1.0.0-rc3

v1.0.0-rc2

v1.0.0-rc1

v1.0.0-rc0

v0.24.6

v0.24.5

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.0

v0.22.1

v0.22.0

0.21.0

v0.21.0

v0.20.4

v0.20.5

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.2

v0.19.1

v0.19.0

vue3

v0.18.1

v0.18.0

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.1

v0.13

v0.12

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

v0.4

v0.3

v0.2

v0.1

Labels

Clear labels

area/api

area/attachments

area/auth

area/avatars

area/backup-restore

area/caldav

area/calendar-view

area/comments

area/config

area/database

area/desktop

area/docker

area/email

area/favorites

area/filters

area/frontend

area/gantt

area/i18n

area/import-export

area/internal-code

area/kanban

area/labels

area/list-view

area/mobile

area/notifications

area/permissions

area/projects

area/pwa

area/recurring-tasks

area/reminders

area/search

area/shortcuts

area/subtasks

area/sync

area/table-view

area/task-editor

area/task-metadata

area/task-relations

area/teams

area/theming

area/time-tracking

area/typesense

area/views

area/webhooks

bug

changes requested

concern/accessibility

concern/performance

concern/regression

concern/ux

confirmed

db/mysql

dependencies

enhancement

good first issue

help wanted

integration/inbound

integration/outbound

kind/bug

kind/feature

needs reproduction

pull-request

Mirrored from GitHub Pull Request

question

security

support

upstream issue

waiting for reply

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#4056