mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-18 00:46:45 +00:00
* feat(plugins): enable OAuth-based issue-provider plugins Generic, provider-agnostic plugin-framework hooks so an issue-provider plugin that needs an exact OAuth redirect can work without any built-in code: - OAuthFlowConfig.redirectUri: a plugin may declare an exact pre-registered callback; the host uses it for both the authorize request and token exchange. - The Electron loopback honors a plugin-requested fixed port and rejects with a clear message when that port is already in use. - Apply user-supplied clientId/clientSecret/redirectUri overrides onto a plugin's oauthConfig (bring-your-own OAuth app). - Fix: merging a partial pluginConfig update no longer drops omitted keys and deep-merges nested objects (e.g. twoWaySync). Split out of the Basecamp community-plugin work per PR #8507 feedback; contains no provider-specific code. * fix(plugins): address #8546 review - validate OAuthFlowConfig.redirectUri per platform (loopback / same-origin / app scheme) and fail fast instead of hanging; restrict desktop loopback to 127.0.0.1 - warn when a client secret is dropped on web/native (bring-your-own credentials) - validate the IPC loopback port to [1024,65535], register the error handler before listen(), and close the failed server - merge pluginConfig via generic recursion instead of a hardcoded twoWaySync case - nits: named token-store imports; fix stale prepareRedirectUri comment - tests: redirectUri validation, the web client-secret warning, and generic merge * fix(plugins): address #8546 round-2 review - loopback error handler calls cleanupServer() so a post-listen runtime error doesn't leave the server ref / 5-min timer dangling - share OAUTH_LOOPBACK_PORT_{MIN,MAX} between the renderer and Electron main so the bounds never drift; reject out-of-range (incl. 0/80/443) redirect ports early - drop _getElectronLoopbackPort and parse the already-validated redirectUri once - document that a bring-your-own clientSecret syncs via pluginConfig (override boundary) - skip __proto__/constructor/prototype keys in the pluginConfig merge (defense-in-depth) - test: prototype-pollution guard * fix(plugins): address #8546 round-3 review - reject native redirectUri overrides outright (closes CodeQL js/incomplete-url-scheme-check) via a pure, per-platform validateOAuthRedirectUri util (electron loopback / native reject / web same-origin) - gate bring-your-own OAuth credentials to the desktop loopback flow and warn (instead of silently dropping clientId) when set on web/native - namespace BYO under pluginConfig.oauthOverrides (was flat keys); document the convention on OAuthFlowConfig (public plugin API) - shallow top-level pluginConfig merge: drop the deep recursion + proto guard; nested objects (e.g. twoWaySync) are replaced wholesale, matching callers - pin the web redirect to /assets/oauth-callback.html via a shared constant so a same-origin wrong-path URI fails fast; note the desktop 127.0.0.1-only rule - companion tests for each * fix(plugins): strip desktop redirectUri on web/native OAuth flows A plugin-declared redirectUri is the desktop loopback override; keeping it on the web/native branches made a web/native-capable plugin throw at connect time (the loopback URI fails web/native redirectUri validation). Strip it on those branches so prepareRedirectUri falls through to the platform default. Document redirectUri as desktop-only in the plugin API and fix a misleading test name. * refactor(plugins): extract resolveEffectiveOAuthConfig and harden native fallthrough Move the platform client/secret/redirectUri selection out of the bridge into a pure, parameterized util so every branch is unit-testable (the IS_* platform consts are module-level and cannot be mocked in karma). Also strip clientSecret and redirectUri on the native fall-through — a native platform where the plugin ships no matching client id — keeping both strictly desktop-only. Optional hardening on top of the redirectUri fix; safe to drop independently. |
||
|---|---|---|
| .. | ||
| plugin-api | ||
| plugin-dev | ||
| shared-schema | ||
| super-sync-server | ||
| sync-core | ||
| sync-providers | ||
| vite-plugin | ||
| build-packages.js | ||
| README.md | ||
Super Productivity Packages
This directory contains plugin packages and the plugin API for Super Productivity.
Structure
plugin-api/- TypeScript definitions for the plugin APIplugin-dev/- Plugin development examples and toolsapi-test-plugin/- Basic API test pluginprocrastination-buster/- Example SolidJS-based pluginyesterday-tasks-plugin/- Simple plugin showing yesterday's tasksboilerplate-solid-js/- Template for creating new SolidJS plugins (not built)sync-md/- Markdown sync plugin (not built)
Building Packages
All packages are built automatically when running the main build process:
npm run build:packages
This command:
- Builds the plugin-api TypeScript definitions
- Builds plugins that require compilation (e.g., procrastination-buster)
- Copies plugin files to
src/assets/for inclusion in the app
Development
To work on a specific plugin:
cd plugin-dev/[plugin-name]
npm install
npm run dev
Adding a New Plugin
- Create a new directory in
plugin-dev/ - Add the plugin configuration to
/packages/build-packages.js - Run
npm run build:packagesto test the build
Notes
- The
boilerplate-solid-jsandsync-mdplugins are development templates and are not included in production builds - Plugin files are automatically copied to
src/assets/during the build process - The build script handles dependency installation automatically