[PR #2484] [MERGED] feat: allow API tokens with caldav permission for CalDAV auth #5668

Closed
opened 2026-04-16 13:47:55 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/2484
Author: @tink-bot
Created: 3/26/2026
Status: Merged
Merged: 3/30/2026
Merged by: @kolaente

Base: main ← Head: feat-caldav-api-tokens


📝 Commits (7)

  • 0f57db6 feat: register caldav permission group for API tokens
  • 6d50802 feat: add HasCaldavAccess method to APIToken
  • 7fcb49e feat: accept API tokens for CalDAV basic auth
  • 7ed105d test: add integration tests for CalDAV API token auth
  • 8ae9142 test: verify caldav permission group appears in /routes
  • f7aef5a feat: add API token hint to CalDAV settings page
  • 4e686f5 refactor: extract shared API token validation into ValidateTokenAndGetOwner

📊 Changes

10 files changed (+212 additions, -16 deletions)

📝 frontend/src/i18n/lang/en.json (+2 -1)
📝 frontend/src/views/user/settings/Caldav.vue (+13 -0)
📝 pkg/db/fixtures/api_tokens.yml (+20 -0)
📝 pkg/models/api_routes.go (+6 -0)
📝 pkg/models/api_tokens.go (+40 -0)
📝 pkg/models/api_tokens_test.go (+30 -0)
📝 pkg/routes/api_tokens.go (+3 -15)
📝 pkg/routes/caldav/auth.go (+39 -0)
📝 pkg/webtests/api_tokens_test.go (+21 -0)
📝 pkg/webtests/caldav_test.go (+38 -0)

📄 Description

Allow API tokens with a caldav permission to authenticate CalDAV requests via HTTP Basic Auth, so users can use a single token type instead of needing separate CalDAV-specific tokens.

When a CalDAV Basic Auth password starts with tk_, it is validated as an API token with caldav:access permission. The tk_ prefix is unambiguous, so invalid API tokens fail fast without falling through to password/CalDAV-token auth. Existing CalDAV tokens and password auth continue to work unchanged.

The frontend CalDAV settings page now mentions API tokens as an alternative and links to the API token settings.

Test plan

  • Verify CalDAV client authentication works with an API token that has caldav:access permission
  • Verify CalDAV client authentication is rejected for API tokens without caldav permission
  • Verify existing CalDAV token and password auth still work

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
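
The prefix dispatch and fail-fast behaviour described above, as an added Go example that is not taken from the PR's code. `authenticate`, `token`, the sample credentials, and the check that the Basic Auth username matches the token owner are assumptions of this sketch.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

var errDenied = errors.New("caldav: authentication failed")

// token is a hypothetical API token record; perms holds "group:permission" keys.
type token struct {
	owner string
	perms map[string]bool
}

func digest(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// Constructed sample data; a real store would use a slow hash for passwords.
var (
	tokens = map[[32]byte]token{
		digest("tk_caldav"): {"alice", map[string]bool{"caldav:access": true}},
		digest("tk_tasks"):  {"alice", map[string]bool{"tasks:read": true}},
	}
	// legacy maps a username to the digest of its password or CalDAV token.
	legacy = map[string][32]byte{"alice": digest("hunter2"), "bob": digest("tk_my_password")}
)

// authenticate dispatches on the tk_ prefix. A tk_ secret is only ever checked
// as an API token; any failure is final and the legacy path is never tried.
func authenticate(user, secret string) (string, error) {
	sum := digest(secret)
	if strings.HasPrefix(secret, "tk_") {
		t, ok := tokens[sum]
		// Binding the Basic Auth username to the token owner is an assumption here.
		if ok && t.owner == user && t.perms["caldav:access"] {
			return t.owner, nil
		}
		return "", errDenied
	}
	if want, ok := legacy[user]; ok && subtle.ConstantTimeCompare(sum[:], want[:]) == 1 {
		return user, nil
	}
	return "", errDenied
}

func main() {
	_, err := authenticate("bob", "tk_my_password")
	fmt.Println("legacy secret with tk_ prefix accepted:", err == nil)
}
```

In this sketch a legacy secret that happens to begin with `tk_` is rejected, because the prefix branch never falls through to the legacy comparison.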

GiteaMirror added the pull-request label 2026-04-16 13:47:55 -05:00

Reference: github-starred/vikunja#5668