No description
Find a file
Harbinger 9910d30fca
feat(sync): add OneDrive sync provider with PKCE auth (#7523)
* feat(sync): integrate onedrive with pkce and operation log sync

* fix(sync): add oauth state validation and token refresh concurrency control

* fix(sync): refactor onedrive oauth cleanup and reduce download API calls

- Replace setInterval-based OAuth state pruning with on-demand
  _pruneExpiredOAuthStates() to avoid background timer overhead
- Optimize downloadFile to read ETag from content response headers
  first, falling back to a metadata request only when needed (reduces
  API calls from 2 to 1 in the common case)
- Narrow OneDrive class interface from SyncProviderServiceInterface to
  FileSyncProvider for stronger type guarantees
- Accept optional devPath constructor parameter for non-production
  folder namespacing
- Extract isOneDriveClientIdRequired to a helper function in
  sync-form.const.ts for readability
- Change default OneDrive sync folder name to 'Super Productivity'

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 review feedback for OneDrive sync

Critical fixes:
- Detect invalid_grant in token refresh responses and clear credentials
- Reset _tokenRefreshInFlightPromise in clearAuthCredentials to prevent
  stale refresh results from overwriting cleared state
- Re-read config before persisting refreshed tokens to avoid race with
  concurrent clearAuthCredentials calls

Important fixes:
- Extract OAuth state management to shared oauth-state.util.ts to fix
  circular dependency between OneDrive provider and callback handler
- Add 401 retry pattern (_is401Retry) matching Dropbox's approach:
  on 401, proactively refresh token and retry, only clear credentials
  if retry fails
- Remove unused auth status translation keys (AUTH_SUCCESS,
  BTN_AUTHENTICATE, BTN_REAUTHENTICATE, REAUTH_SUCCESS,
  STATUS_CONFIGURED, STATUS_NOT_CONFIGURED) and form props
- Remove unused requireAuth parameter from _cfgOrError

Minor fixes:
- Replace path-exposing log messages with structured logging
- Remove unused _formatHttpErrorDetails helper
- Return empty ETag fallback in getFileRev instead of throwing
- Add folder cache invalidation comment for path changes
- Add afterEach to restore global fetch in tests
- Add PKCE defence-in-depth comment in auth code dialog

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): use eslint-disable-next-line for @microsoft.graph.conflictBehavior

Replace spread+computed-property workaround with a plain property plus
an explicit eslint-disable-next-line comment. Clearer intent: the
naming violation is a Graph API requirement, not accidental.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): pre-save OneDrive form config in reauth() to prevent MissingCredentialsSPError

Re-auth was failing silently on Linux because getAuthHelper() reads
clientId from IndexedDB (privateCfg), but the form values were never
written before calling configuredAuthForSyncProviderIfNecessary().

- Extract shared BTN_REAUTHENTICATE and REAUTH_SUCCESS translation keys
- Add OneDrive to OAUTH_SYNC_PROVIDERS
- Pre-save form config in reauth() matching the existing save() flow

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): adapt TooManyRequestsAPIError to new constructor signature after rebase

* refactor(sync): migrate OneDrive provider to packages/sync-providers

Move OneDrive core logic into the shared sync-providers package,
matching the pattern used by Dropbox, WebDAV, and other providers.
The app-side code is now a thin adapter with a createOneDriveProvider()
factory function.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): re-throw MissingRefreshTokenAPIError from _requestOAuthToken catch block

The catch block in _requestOAuthToken was swallowing the
MissingRefreshTokenAPIError thrown after clearing credentials on
invalid_grant, causing it to fall through to a generic HttpNotOkAPIError
instead. Now re-throws MissingRefreshTokenAPIError explicitly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 second review critical and important items

- Replace _is401Retry instance field with per-call parameter to prevent
  concurrent 401 races (Critical #1)
- Fix _requestOAuthToken catch block to re-throw MissingRefreshTokenAPIError
  instead of swallowing it (Critical #2)
- Fix _parseOAuthCallback defaulting unknown provider to 'unknown' instead
  of 'dropbox' to prevent misrouting (Critical #3 + Important #6)
- Change conflictBehavior from 'replace' to 'fail' to prevent data loss
  if a file exists with the same name as the folder (Critical #4)
- Await in-flight token refresh promise in clearAuthCredentials before
  clearing, to close the refresh-during-clear race (Important #5)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 review important and minor items

- Extract duplicate OneDrive pre-auth save block into
  _persistOneDriveFormCfgBeforeAuth() method (Important #7)
- Add GET probe in _ensureSyncFolderExists to skip per-segment
  creation when folder already exists (Important #9)
- Redact sensitive params (code, code_verifier, refresh_token,
  access_token) from token endpoint and Graph error bodies
  (Important #11)
- Remove targetPath from _mapAndThrow error messages to prevent
  logging user content (Important #12)
- Add OAuth state validation in manual paste flow for OneDrive
  (Important #13)
- Fix unknown provider routing in _parseOAuthCallback (Important #14)
- Guard Electron IPC listener against post-destroy emissions
  (Important #15)
- Remove dead authStatus Formly field from sync-form.const.ts (Minor)
- Simplify Headers builder in _ensureSyncFolderExists (Minor)
- Fix spec afterEach to restore original fetch instead of undefined
  (Minor)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): fix clearAuthCredentials race and add unit tests for OneDrive

Fix a race condition in clearAuthCredentials where _tokenRefreshInFlightPromise
was nulled AFTER awaiting, causing the invalid_grant handler's clearAuthCredentials
to wait on itself. Now captures the promise and nulls the field before awaiting.

Add 5 new unit tests covering critical code paths:
- 401 token refresh and retry
- 401 retry failure with credential clearing
- 400 invalid_grant credential clearing
- 412 precondition failed mapping
- Concurrent token refresh deduplication

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 third review items

- Simplify clearAuthCredentials: null _tokenRefreshInFlightPromise without
  awaiting to avoid deadlock when called from inside the refresh IIFE
- Add superproductivity:// scheme validation in Electron OAuth listener
- Fix invalid_grant test to assert MissingRefreshTokenAPIError
- Fix folder cache test to match GET-probe optimization
- Set setComplete default in beforeEach

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* test(sync): fix OAuthCallbackHandler spec to expect 'unknown' provider

The _parseOAuthCallback now returns 'unknown' instead of 'dropbox' for
URLs without an explicit provider path segment.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 fourth review items

- Handle generic 401 from token endpoint (clear creds + MissingRefreshTokenAPIError)
- Remove user-supplied paths from error constructors (rule 9 compliance)
- Soften clearAuthCredentials comment to reflect actual TOCTOU guarantee
- Tighten Electron scheme gate to match native path prefix
- Add scheme info to Electron rejection log
- Fix folder-cache test to assert GET probe count
- Remove redundant per-test setComplete stub

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 fifth review items

- Scope invalid_grant/401 credential clearing to refresh_token grant only
  (bad auth code exchange no longer wipes existing credentials)
- Redact OAuth code/state from Electron protocol handler logs
- Add @sp/sync-providers/onedrive TS path alias to tsconfig files
- Default undefined sync config fields instead of overwriting with undefined
- Handle OneDrive in provider-switch branch (preserve encryptKey)
- Update sync-config test expectations to match default values

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 sixth review items

- Use If-None-Match: * for null-rev uploads to prevent concurrent overwrite
- Guard in-flight refresh against stale credentials (match refreshToken/clientId/tenantId)
- Gate OneDrive provider option behind Electron/Native (web CORS unsupported)
- Don't clear credentials on transient token endpoint errors (429/5xx)
- Preserve null syncProvider instead of defaulting to WebDAV
- Hydrate full OneDrive privateCfg on provider switch
- Remove duplicate syncInterval/isManualSyncOnly Formly controls
- Revert non-English locale changes (zh.json, zh-tw.json)
- Redact URL fragments (#) in Electron protocol handler logs
- listFiles rethrows non-404 errors instead of swallowing all
- Update 401 test expectations for new rethrow behavior

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): guard credential clearing against stale concurrent refresh

Prevent a stale in-flight refresh from wiping newer credentials after
a concurrent re-auth. The refresh IIFE now throws a plain Error (not
MissingRefreshTokenAPIError) when it detects config drift, and all
clearAuthCredentials() call sites now verify the stored config still
matches before clearing. Also fix listFiles() to handle 404 from
_requestJson (which throws HttpNotOkAPIError, not RemoteFileNotFoundAPIError).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 eighth review items

- Replace If-None-Match:* with @microsoft.graph.conflictBehavior=fail query param for upload create-only semantics
- Add identity change detection in _persistOneDriveFormCfgBeforeAuth to clear tokens when useCustomApp/clientId/tenantId change
- Extract _clearIfConfigMatches helper to guard credential clearing against stale concurrent refresh
- Restrict folder probe fallthrough to 404 only, propagate other errors
- Restore locale files from upstream master
- Centralize IS_ONEDRIVE_SUPPORTED in onedrive-auth-mode.const.ts, use in factory and form config

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): address PR #7523 ninth review items

- Paginate listFiles via @odata.nextLink to avoid silent data loss
- Fix logger misuse (log -> normal with proper string message)
- Replace as any with OneDrivePrivateCfg in dialog-sync-cfg
- Throw NoRevAPIError when uploadFile response lacks eTag
- Omit undefined optional booleans from global config to prevent overwrite
- Move OneDrive dynamic import inside IS_ONEDRIVE_SUPPORTED gate
- Require state param for OneDrive full-URL paste (CSRF)
- Add id_token to sensitive keys for body redaction

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(sync): add OneDrive type alias to electron tsconfig paths

The @sp/sync-providers/onedrive path alias was missing from
electron/tsconfig.electron.json, causing the Electron build to fail
with "Cannot find module '@sp/sync-providers/onedrive'". The alias was
already present in tsconfig.base.json but electron uses its own paths.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-26 15:31:06 +02:00
.air 18.4.2 2026-05-01 23:07:19 +02:00
.devcontainer chore: add git and testing tools out of the box in devcontainers 2025-05-12 11:13:06 +02:00
.github chore(deps)(deps): bump the github-actions-minor group with 8 updates (#7778) 2026-05-26 14:43:25 +02:00
.husky fix(build): auto-generate env.generated.ts on checkout via husky hook 2026-03-06 16:39:21 +01:00
.signpath/policies/super-productivity build: sign path setup 4 2026-01-28 12:51:50 +01:00
.vscode chore: add git and testing tools out of the box in devcontainers 2025-05-12 11:13:06 +02:00
android feat: migrate to capacitor 8 2026-05-23 20:42:00 +02:00
build 18.7.0 2026-05-23 12:53:32 +02:00
docs feat(plugins): Stage A keyed persistence with LWW (#7749) (#7763) 2026-05-23 22:23:17 +02:00
e2e test(e2e): dismiss devError native dialogs so sync tests don't hang 2026-05-23 23:13:09 +02:00
electron feat(sync): add OneDrive sync provider with PKCE auth (#7523) 2026-05-26 15:31:06 +02:00
eslint-local-rules docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
fastlane/metadata/android build: update links to match our new organization 2026-01-05 14:45:06 +01:00
ios build(ios): drop unused remote-notification background mode 2026-05-24 01:23:23 +02:00
nginx refactor(e2e): migrate to production Dockerfile for E2E tests 2026-01-21 14:30:24 +01:00
packages feat(sync): add OneDrive sync provider with PKCE auth (#7523) 2026-05-26 15:31:06 +02:00
scripts refactor: replace PFLog with SyncLog/OpLog and remove obsolete migration scripts 2026-02-03 14:38:05 +01:00
snap/hooks fix(snap): add filesystem and desktop integration plugs 2026-01-17 12:44:30 +01:00
src feat(sync): add OneDrive sync provider with PKCE auth (#7523) 2026-05-26 15:31:06 +02:00
tools feat(sync): add OneDrive sync provider with PKCE auth (#7523) 2026-05-26 15:31:06 +02:00
.browserslistrc build: update browser support list 2025-08-13 19:47:44 +02:00
.dockerignore fix(docker): simplify env handling for Docker builds 2025-08-09 12:16:31 +02:00
.editorconfig chore: update gradle/java indent_size to 4 2024-09-29 09:40:49 +08:00
.env.example docs: change template of the .env file to include the mandatory unsplash key 2025-08-12 18:10:59 +02:00
.gitattributes chore: fix LF/CRLF for errant SCSS file (again) (#7117) 2026-04-09 19:42:54 +02:00
.gitignore refactor(sync): post-extraction review cleanup of @sp/sync-core and @sp/sync-providers (#7595) 2026-05-14 13:06:08 +02:00
.gitmodules chore: Update android submodule to use feat/platform-android-offline branch (for capacitor) 2024-09-12 09:49:41 +08:00
.gitpod.yml refactor: make prettier work for angular 2025-02-21 14:31:22 +01:00
.npmrc chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685) 2026-05-20 11:50:30 +02:00
.nvmrc feat: add .nvmrc file with Node.js v22.18.0 2025-08-13 19:47:44 +02:00
.prettierignore feat(sync): add Helm chart and WebSocket push for SuperSync (#6971) 2026-03-30 21:34:30 +02:00
.prettierrc.json refactor: make prettier work for angular 2025-02-21 14:31:22 +01:00
.stylelintrc.mjs build(stylelint): fix font-family-no-missing-generic-family-keyword 2025-01-04 13:49:50 +01:00
AGENTS.md docs: update AGENTS.md to include CLAUDE.md reference 2026-01-15 17:20:39 +01:00
angular.json refactor(sync-providers): extract local file provider 2026-05-13 11:36:19 +02:00
ARCHITECTURE-DECISIONS.md perf(sync): SuperSync server speed + correctness hardening (#7621) 2026-05-15 17:24:16 +02:00
capacitor.config.ts fix(android): restore IME inset handling via edge-to-edge plugin (#7765) 2026-05-26 13:27:56 +02:00
CLAUDE.md docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
CONTRIBUTING.md docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
docker-compose.e2e.fast.yaml fix(ci): fix WebDAV config path for hacdias/webdav v5 2026-02-16 11:07:52 +01:00
docker-compose.e2e.yaml fix(ci): fix WebDAV config path for hacdias/webdav v5 2026-02-16 11:07:52 +01:00
docker-compose.supersync.yaml fix(dev): update default SuperSync port to 1901 for local development 2026-01-24 21:14:57 +01:00
docker-compose.yaml fix(infra): close db-startup race in supersync e2e stack 2026-04-29 16:17:56 +02:00
docker-entrypoint.sh refactor(e2e): migrate to production Dockerfile for E2E tests 2026-01-21 14:30:24 +01:00
Dockerfile fix(docker): include sync packages in image build 2026-05-16 20:48:38 +02:00
Dockerfile.e2e.dev feat(e2e): add Docker-based E2E test isolation 2026-01-04 17:09:39 +01:00
Dockerfile.e2e.dev.fast build(e2e): add fast local Docker Compose setup for E2E tests 2026-01-09 18:00:24 +01:00
electron-builder.yaml build(electron): exclude uuidv7 and guard against future asar regressions 2026-05-13 21:22:59 +02:00
eslint.config.js docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
funding.json chore(funding): drop broken repositoryUrl.wellKnown line 2026-05-14 17:21:39 +02:00
Gemfile 10.1.1 2024-11-06 19:44:38 +01:00
Gemfile.lock chore(deps): bump addressable in the bundler group across 1 directory (#7174) 2026-04-09 20:34:42 +02:00
LICENSE fix: typo in license 2019-01-29 18:21:51 +00:00
ngsw-config.json fix(pwa): avoid startup stalls during network changes 2026-05-14 12:41:09 +02:00
package-lock.json fix(android): restore IME inset handling via edge-to-edge plugin (#7765) 2026-05-26 13:27:56 +02:00
package.json fix(android): restore IME inset handling via edge-to-edge plugin (#7765) 2026-05-26 13:27:56 +02:00
README.md docs: update README to reflect state of wiki (#7450) 2026-05-01 20:56:15 +02:00
SECURITY.md build: update links to match our new organization 2026-01-05 14:45:06 +01:00
tsconfig.base.json feat(sync): add OneDrive sync provider with PKCE auth (#7523) 2026-05-26 15:31:06 +02:00
tsconfig.json build: try to get rid of inline compilation to js 2025-04-25 12:58:16 +02:00
webdav.yaml build: simplify docker setup and fix e2e 2025-07-18 20:00:10 +02:00

Banner

An advanced todo list app with timeboxing & time tracking capabilities that supports importing tasks from your calendar, Jira, GitHub and others

🌐 Open Web App or 💻 Download


MIT license   GitHub Discussions

Reddit Community   Super Productivity on Mastodon   Tweet

animated

💻 Downloads & Install

Get it on Flathub Get it from the Snap Store English badge Play Store Badge F-Droid Badge Obtanium Badge App Store Badge

For all current downloads, package links, and platform-specific notes: check the wiki.
Get it on GitHub


Ukraine Flag
Humanitarian Aid for Ukraine
Support humanitarian relief via the official National Bank of Ukraine account.


✔️ Features

  • Keep organized and focused! Plan and categorize your tasks using sub-tasks, projects and tags and color code them as needed.
  • Use timeboxing and track your time. Create time sheets and work summaries in a breeze to easily export them to your company's time tracking system.
  • Helps you to establish healthy & productive habits:
    • A break reminder reminds you when it's time to step away.
    • The anti-procrastination feature helps you gain perspective when you really need to.
    • Need some extra focus? A Pomodoro timer is also always at hand.
    • Collect personal metrics to see, which of your work routines need adjustments.
  • Integrate with Jira, Trello, GitHub, GitLab, Gitea, OpenProject, Linear, ClickUp and Azure DevOps. Auto import tasks assigned to you, plan the details locally, automatically create work logs, and get notified immediately, when something changes.
  • Basic CalDAV integration.
  • Back up and synchronize your data across multiple devices with Dropbox and WebDAV support
  • Attach context information to tasks and projects. Create notes, attach files or create project-level bookmarks for links, files, and even commands.
  • Super Productivity respects your privacy and does NOT collect any data and there are no user accounts or registration. You decide where you store your data!
  • It's free and open source and always will be.

And much more!

Work View with global links

Note

The web version has some limitations: See the Web App vs Desktop comparison for more details.

📖 Documentation and Guides

Getting Started

Starting Point in Wiki:
First stepsReferenceHow-To

Productivity Tips:
Keyboard ShortcutsShort Syntax

Need Help?
Visit the discussions page

See the bottom of the README for more information on the documentation.

Advanced Topics

Here are some other topics covered in the official wiki:

Development:
Run dev serverPackage the appBuild for AndroidRun with Docker

Data Management:
User DataIssue ProvidersSync Providers

Customization:
PluginsThemes

APIs:
Sync ServerPluginsREST

Community

The development of Super Productivity is driven by a wonderful community of users and contributors. Thank you all so much for your support!

👀 Check out our awesome curated list of community-created resources about Super Productivity

♥️ Contributing

If you want to get involved, please check out the CONTRIBUTING.md

There are several ways to help.

  1. Spread the word: More users mean more people testing and contributing to the app which in turn means better stability and possibly more and better features. You can vote for Super Productivity on Slant, Product Hunt, Softpedia or on AlternativeTo, you can tweet about it, share it on LinkedIn, reddit or any of your favorite social media platforms. Every little bit helps!

  2. Provide a Pull Request: Here is a list of the most popular community requests and here some info on how to run the development build (wiki). Please make sure that you're following the commit message format and to also include the issue number in your commit message, if you're fixing a particular issue (e.g.: feat: add nice feature #31).

  3. Answer questions: You know the answer to another user's problem? Share your knowledge!

  4. Provide your opinion: Some community suggestions are controversial. Your input might be helpful and if it is just an up- or down-vote.

  5. Provide a more refined UI spec for existing feature requests

  6. Report bugs

  7. Make a feature or improvement request: Something can be done better? Something essential missing? Let us know!

  8. Translations, Icons, etc.: You don't have to be a programmer to help; learn how to contribute translations!

  1. Sponsor the project

  2. Create custom plugins or custom themes

Special Thanks to our Sponsors!!!

Recently support for Super Productivity has been growing! A big thank you to all our sponsors, especially the ones below!

  • Agentic AI Quality Engineering via:  TestMu AI

(If you are, intend to or have been a sponsor and want to be shown here, please let me know!)

Code Signing

Windows binaries are signed. Free code signing is provided by SignPath.io, certificate by SignPath Foundation.

Documentation: Manual versus Automated

There are two wikis: the official one hosted in by GitHub autonomously generated variant using DeepWiki.com. The manually curated version is a more stable and approachable resource designed to help you understand the app from a more human-focused perspective whereas DeepWiki is optimized for explaining the code itself with little regard for context beyond that.

Official Wiki

It is preferable to maintain local documentation rather than rely on an external service. It also preferable that the documentation is updated in tandem with the code changes as demonstrated in this commit.

Changes to files within ./docs/wiki are linted in CI before being automatically sync'd to the repository's official Wiki hosted by GitHub.

Migrating to Docusaurus is a long-term goal once the content and structure of the wiki has matured and the remaining "legacy docs" have either been reworked or removed. There are some automations in development to help reduce the difference between the published docs and the state of the code while retaining a human-in-the-loop.

DeepWiki.com

If you have very specific questions about how the code works or why a bug might be producing a particular message it might be useful to Ask DeepWiki . It can help "cite your sources" when discussing functionality and code that you don't fully understand as part of feature requests or bug reports.

This automated reference does come with some significant drawbacks:

  1. Intent: Describes what code does, not why decisions or tradeoffs were made.
  2. Staleness: Will *always* lag behind the code.
  3. Code-Focused: Does not provide guides or conceptual explanations.
  4. Cost: Potential future cost and higher resource usage than static docs.