mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-17 16:37:43 +00:00
* feat(plugins): enable OAuth-based issue-provider plugins Generic, provider-agnostic plugin-framework hooks so an issue-provider plugin that needs an exact OAuth redirect can work without any built-in code: - OAuthFlowConfig.redirectUri: a plugin may declare an exact pre-registered callback; the host uses it for both the authorize request and token exchange. - The Electron loopback honors a plugin-requested fixed port and rejects with a clear message when that port is already in use. - Apply user-supplied clientId/clientSecret/redirectUri overrides onto a plugin's oauthConfig (bring-your-own OAuth app). - Fix: merging a partial pluginConfig update no longer drops omitted keys and deep-merges nested objects (e.g. twoWaySync). Split out of the Basecamp community-plugin work per PR #8507 feedback; contains no provider-specific code. * fix(plugins): address #8546 review - validate OAuthFlowConfig.redirectUri per platform (loopback / same-origin / app scheme) and fail fast instead of hanging; restrict desktop loopback to 127.0.0.1 - warn when a client secret is dropped on web/native (bring-your-own credentials) - validate the IPC loopback port to [1024,65535], register the error handler before listen(), and close the failed server - merge pluginConfig via generic recursion instead of a hardcoded twoWaySync case - nits: named token-store imports; fix stale prepareRedirectUri comment - tests: redirectUri validation, the web client-secret warning, and generic merge * fix(plugins): address #8546 round-2 review - loopback error handler calls cleanupServer() so a post-listen runtime error doesn't leave the server ref / 5-min timer dangling - share OAUTH_LOOPBACK_PORT_{MIN,MAX} between the renderer and Electron main so the bounds never drift; reject out-of-range (incl. 0/80/443) redirect ports early - drop _getElectronLoopbackPort and parse the already-validated redirectUri once - document that a bring-your-own clientSecret syncs via pluginConfig (override boundary) - skip __proto__/constructor/prototype keys in the pluginConfig merge (defense-in-depth) - test: prototype-pollution guard * fix(plugins): address #8546 round-3 review - reject native redirectUri overrides outright (closes CodeQL js/incomplete-url-scheme-check) via a pure, per-platform validateOAuthRedirectUri util (electron loopback / native reject / web same-origin) - gate bring-your-own OAuth credentials to the desktop loopback flow and warn (instead of silently dropping clientId) when set on web/native - namespace BYO under pluginConfig.oauthOverrides (was flat keys); document the convention on OAuthFlowConfig (public plugin API) - shallow top-level pluginConfig merge: drop the deep recursion + proto guard; nested objects (e.g. twoWaySync) are replaced wholesale, matching callers - pin the web redirect to /assets/oauth-callback.html via a shared constant so a same-origin wrong-path URI fails fast; note the desktop 127.0.0.1-only rule - companion tests for each * fix(plugins): strip desktop redirectUri on web/native OAuth flows A plugin-declared redirectUri is the desktop loopback override; keeping it on the web/native branches made a web/native-capable plugin throw at connect time (the loopback URI fails web/native redirectUri validation). Strip it on those branches so prepareRedirectUri falls through to the platform default. Document redirectUri as desktop-only in the plugin API and fix a misleading test name. * refactor(plugins): extract resolveEffectiveOAuthConfig and harden native fallthrough Move the platform client/secret/redirectUri selection out of the bridge into a pure, parameterized util so every branch is unit-testable (the IS_* platform consts are module-level and cannot be mocked in karma). Also strip clientSecret and redirectUri on the native fall-through — a native platform where the plugin ships no matching client id — keeping both strictly desktop-only. Optional hardening on top of the redirectUri fix; safe to drop independently. |
||
|---|---|---|
| .. | ||
| assets/icons | ||
| ipc-handlers | ||
| scripts | ||
| shared-with-frontend | ||
| task-widget | ||
| wayland-idle-helper | ||
| app-control.test.cjs | ||
| backup.ts | ||
| bundled-plugin-ids.test.cjs | ||
| clear-stale-idb-locks.ts | ||
| clipboard-image-handler.test.cjs | ||
| clipboard-image-handler.ts | ||
| common-const.test.cjs | ||
| common.const.ts | ||
| CONFIG.ts | ||
| debug.ts | ||
| electronAPI.d.ts | ||
| error-handler-with-frontend-inform.ts | ||
| file-path-guard.test.cjs | ||
| file-path-guard.ts | ||
| full-screen-blocker.ts | ||
| gpu-startup-guard.ts | ||
| idle-time-handler.ts | ||
| image-cache.test.cjs | ||
| image-cache.ts | ||
| indicator.test.cjs | ||
| indicator.ts | ||
| ipc-handler-wrapper.test.cjs | ||
| ipc-handler-wrapper.ts | ||
| ipc-handler.ts | ||
| jira.ts | ||
| local-file-sync.test.cjs | ||
| local-file-sync.ts | ||
| local-rest-api.ts | ||
| lockscreen.ts | ||
| main-window.ts | ||
| main.ts | ||
| navigation-guard.test.cjs | ||
| navigation-guard.ts | ||
| plugin-node-consent-store.test.cjs | ||
| plugin-node-consent-store.ts | ||
| plugin-node-executor.test.cjs | ||
| plugin-node-executor.ts | ||
| plugin-oauth.ts | ||
| preload.ts | ||
| protocol-handler.ts | ||
| proxy-agent.test.cjs | ||
| proxy-agent.ts | ||
| shared-state.ts | ||
| simple-store.test.cjs | ||
| simple-store.ts | ||
| start-app.ts | ||
| sync-path-resolver.test.cjs | ||
| sync-path-resolver.ts | ||
| task-widget.test.cjs | ||
| tsconfig.electron.json | ||
| various-shared.ts | ||