Georges-Antoine Assi
997e2c44aa
start pre-4.8 cleanup
2026-03-12 23:02:12 -04:00
nendo
ea5b7546aa
refactor: address PR #3114 review feedback
- Use atomic getdel for pairing code exchange
- Add cascade="all, delete-orphan" to User.client_tokens
- Move generate/hash_client_token into AuthHandler as static methods
- Extract endpoint helpers to utils/client_tokens.py
2026-03-11 10:56:35 +09:00
nendo
e0b25fbc6c
feat(client-tokens): add client API tokens with QR pairing flow
Long-lived, revocable, scope-restricted tokens for external clients
(mobile apps, retro handhelds, third-party tools). Includes:
- Backend: model, migration, DB handler, auth integration (rmm_ prefix
routing in HybridAuthBackend), CRUD + pairing + exchange endpoints,
rate limiting, scope intersection enforcement, admin oversight
- Frontend: settings page with token management table, stepped
create/deliver dialog (config -> copy/pair), QR code with RomM logo,
admin token table, standalone /pair page for QR scan landing
- /pair page supports custom-scheme callbacks for app deep linking,
falls back to displaying code for manual entry
- 33 backend tests across 5 classes (CRUD, auth, isolation, pairing,
admin)
2026-03-11 10:56:35 +09:00
Georges-Antoine Assi
f6eb686559
fix tests
2026-03-10 08:38:43 -04:00
HydroSulphide
b9ea937373
Merge branch 'master' into fix-oauth-token-expiry-and-refresh-rotation
2026-03-10 08:51:44 +01:00
HydroSulphide
fd788684b9
fix: TOCTOU race condition allows duplicate refresh token use
2026-03-10 08:38:32 +01:00
HydroSulphide
02336974a6
Implemented greptile suggestions
2026-03-10 08:04:07 +01:00
HydroSulphide
8758cb31b7
Tried to fix everything the bot complained about and the failed pytests.
Three tests were also implemented to check the initial implementation, which now invalidates expired access and refresh tokens and also rotates refresh tokens.
Since I introduced wrapper functions for create_oauth_token to distinguish between access and refresh tokens, there is no need to set the token type in the data dict; the type is now enforced in the wrapper functions create_access_token and create_refresh_token.
By convention I renamed create_oauth_token to _create_oauth_token as it is considered a private helper function now.
2026-03-10 07:22:02 +01:00
copilot-swe-agent[bot]
2a7c86e304
Fix OIDC login downgrading existing user roles when no claims provided
Co-authored-by: pacnpal <183241239+pacnpal@users.noreply.github.com>
2026-03-09 18:26:49 +00:00
HydroSulphide
ad09babce8
fix: catch http exception on code 401 so api call with expired access token doesn't lead to internal server error
2026-03-09 18:29:28 +01:00
HydroSulphide
41f64eb42b
fix: oauth token invalidation on expiration date and rotating refresh token
2026-03-09 17:03:29 +01:00
Georges-Antoine Assi
e2ece6b938
run fmt
2026-03-08 22:54:58 -04:00
copilot-swe-agent[bot]
53b0b9021b
Switch invite token expiration unit from minutes to seconds
Co-authored-by: gantoine <3247106+gantoine@users.noreply.github.com>
2026-03-09 02:48:21 +00:00
copilot-swe-agent[bot]
5f309639af
Make invite token expiration configurable via env var and UI
Co-authored-by: gantoine <3247106+gantoine@users.noreply.github.com>
2026-03-09 01:43:53 +00:00
nendo
36eec298d1
Add device-based save synchronization
Implement device registration and save sync tracking to enable
multi-device save management with conflict detection.
- Device CRUD endpoints (POST/GET/PUT/DELETE /api/devices)
- Save sync state tracking per device
- Conflict detection on upload (409 when device has stale sync)
- Download sync tracking (optimistic and confirmed modes)
- Track/untrack saves per device
- DEVICES_READ/WRITE scopes for authorization
2026-01-18 16:50:44 +09:00
Georges-Antoine Assi
baddeea972
type ignore
2025-12-08 12:58:01 -05:00
Georges-Antoine Assi
85bf51d088
raise error if preferred username is None
2025-12-08 12:57:20 -05:00
Georges-Antoine Assi
50ddb42c25
[ROMM-2748] Add OIDC_USERNAME_ATTRIBUTE
2025-12-08 10:27:15 -05:00
Georges-Antoine Assi
f2774b9395
Merge pull request #2716 from rommapp/redis-backed-sessions
Add redis-backed session middleware
2025-11-22 18:40:43 -05:00
Georges-Antoine Assi
ac43b0aa94
changes from bot review
2025-11-22 11:22:45 -05:00
Georges-Antoine Assi
615e3132e4
changes from bot review
2025-11-22 10:55:14 -05:00
Georges-Antoine Assi
27e02fa2a2
consume the token as soon as it's read
2025-11-22 10:51:41 -05:00
Georges-Antoine Assi
ec6bb24662
Add new redis-backed session middleware
2025-11-22 10:47:59 -05:00
Georges-Antoine Assi
4f6442a6ad
catch typeerror in csrf token and return false
2025-11-18 16:56:10 -05:00
Georges-Antoine Assi
156d31b62a
Fix CSRF failure on first admin signup
2025-11-18 14:04:47 -05:00
Georges-Antoine Assi
91ad9f7b7f
fix trunk check issues
2025-11-18 10:12:58 -05:00
Georges-Antoine Assi
ee39fe1aba
changes from bot review
2025-11-18 10:09:00 -05:00
Georges-Antoine Assi
d1824bf894
manually fix tests
2025-11-18 00:00:49 -05:00
Georges-Antoine Assi
6a1a344ba2
add tests for middlewares
2025-11-17 23:40:00 -05:00
Georges-Antoine Assi
551ff72a8a
implement csrf middleware directly in repo
2025-11-17 21:12:29 -05:00
Tarow
cb2015fc4d
fix: type error when role claim is null
2025-10-19 11:49:31 +02:00
Georges-Antoine Assi
154df816cf
only set algos on decode calls
2025-10-03 12:54:42 -04:00
Georges-Antoine Assi
d863ca9e90
Explicitly set supported algorithms on jwt encode/decode
2025-10-03 11:18:01 -04:00
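Why the decode-side algorithm list is pinned, as an added example that is not code from this commit or from RomM. It hand-rolls HS256 with the standard library so it runs without a JWT library; with PyJWT the same policy is the `algorithms=` argument of `jwt.decode`. `verify_trusting_header` accepts whatever `alg` the token's own header names, so an unsigned `alg: none` token carrying elevated claims passes; `verify_pinned` accepts only the server's allow-list. The key, claim names and scope strings are constructed for the example.

```python
"""JWT verification: trusting the header's alg versus pinning the server's list.

Added example, not RomM's code. HS256 is implemented by hand so the example
runs offline; only the two verification policies are the point.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Any, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes, alg: str) -> bytes:
    if alg == "HS256":
        return hmac.new(key, signing_input, hashlib.sha256).digest()
    if alg == "none":
        return b""  # the "unsecured JWT" of RFC 7518 section 3.6: empty signature
    raise ValueError(f"unsupported alg {alg!r}")


def encode(claims: dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    return f"{header}.{body}.{_b64url(_sign(signing_input, key, alg))}"


def _split(token: str) -> tuple[dict, dict, bytes, bytes]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return header, claims, f"{header_b64}.{body_b64}".encode("ascii"), _b64url_decode(sig_b64)


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Insecure: the token chooses the algorithm, so alg=none with an empty signature verifies."""
    try:
        header, claims, signing_input, sig = _split(token)
        expected = _sign(signing_input, key, header.get("alg", ""))
    except ValueError:
        return None
    return claims if hmac.compare_digest(sig, expected) else None


def verify_pinned(token: str, key: bytes, algorithms: tuple[str, ...] = ("HS256",)) -> Optional[dict]:
    """Hardened: the server's allow-list decides the algorithm before any signature math runs."""
    try:
        header, claims, signing_input, sig = _split(token)
    except ValueError:
        return None
    alg = header.get("alg")
    if alg not in algorithms:
        return None
    expected = _sign(signing_input, key, alg)
    return claims if hmac.compare_digest(sig, expected) else None


KEY = b"example-secret-not-for-production"  # constructed for the example


def demo() -> tuple[bool, bool, bool]:
    """(legit accepted by pinned, forged accepted by header-trusting, forged accepted by pinned)."""
    legit = encode({"sub": "user:42", "scope": "roms.read"}, KEY)
    forged = encode({"sub": "user:42", "scope": "roms.write users.write"}, b"", alg="none")
    return (
        verify_pinned(legit, KEY) is not None,
        verify_trusting_header(forged, KEY) is not None,
        verify_pinned(forged, KEY) is not None,
    )
```

Pinning on encode adds nothing: the signer already knows which algorithm it uses. It is the decoder that must refuse to let attacker-controlled header bytes select the verification routine, which is why the follow-up commit narrows the change to decode calls.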
Georges-Antoine Assi
ab06a321e0
Check if user is enabled before generating auth token
2025-10-03 09:34:40 -04:00
Michon van Dooren
240f348f92
Add support for OIDC role claim
2025-09-29 22:27:10 +02:00
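Role resolution from an OIDC claim, as an added example that is not RomM's code. It is shaped around the three role-claim commits in this log (adding the role claim, the type error when the claim is null, and the fix for downgrading existing users when no claim is provided), and shows the distinction those fixes hinge on: a claim that is absent or JSON null says nothing about the user, while a present claim is authoritative. The claim name `roles`, the group-to-role mapping and the `viewer`/`editor`/`admin` role names are hypothetical.

```python
"""Resolving an application role from an OIDC role claim without demoting existing users.

Added example, not RomM's code. Claim name, mapping and role names are hypothetical.
"""
from __future__ import annotations

from typing import Any, Mapping, Optional

# Hypothetical application roles, lowest to highest, and a hypothetical IdP-group -> role mapping.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}
MAPPING = {"romm-viewer": "viewer", "romm-editor": "editor", "romm-admin": "admin"}


def naive_resolve(
    claims: Mapping[str, Any], claim_name: str, mapping: Mapping[str, str], default: str = "viewer"
) -> str:
    """Before: two defects. `claims.get(name, [])` returns None for a JSON null, so iterating it
    raises TypeError; and a missing claim yields the default, silently demoting an existing
    admin on every login."""
    granted = [mapping[v] for v in claims.get(claim_name, []) if v in mapping]
    return max(granted, key=ROLE_RANK.__getitem__) if granted else default


def resolve_role(
    existing_role: Optional[str],
    claims: Mapping[str, Any],
    claim_name: str,
    mapping: Mapping[str, str],
    default: str = "viewer",
) -> str:
    """After: absent or null claim means the IdP said nothing, so the stored role is kept
    (default only for a brand-new user). A present claim, string or list, is authoritative;
    an empty or unmapped one falls back to the default."""
    raw = claims.get(claim_name)
    if raw is None:
        return existing_role or default
    values = raw if isinstance(raw, list) else [raw]  # some IdPs send a string, others a list
    granted = [mapping[v] for v in values if isinstance(v, str) and v in mapping]
    return max(granted, key=ROLE_RANK.__getitem__) if granted else default


def naive_raises_on_null_claim() -> bool:
    """True when the pre-fix logic crashes on a null role claim, as the null-claim commit describes."""
    try:
        naive_resolve({"roles": None}, "roles", MAPPING)
    except TypeError:
        return True
    return False
```

Whether an explicitly empty claim should reset the role or keep it is a policy choice; the version above treats it as the IdP stating the user has no mapped groups, which is what makes a revoked group membership take effect on next login.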
Michael Manganiello
e4e3928d1b
misc: Apply import sorting
2025-09-04 11:17:00 -03:00
Michael Manganiello
ba21cbc1e1
misc: Separate tests folder from backend code
Create separate `tests/` folder for all tests. This will also simplify
not copying tests code into the Docker image.
2025-08-08 12:49:13 -03:00
Georges-Antoine Assi
8ce943a514
use fastapi status
2025-08-02 22:17:07 -04:00
Georges-Antoine Assi
8061db40b2
fix tests and cleanup
2025-08-02 17:55:43 -04:00
Georges-Antoine Assi
9079954a3c
fix tests
2025-07-19 22:27:05 -04:00
Georges-Antoine Assi
d9f97ee510
replace assert with explicit checks
2025-07-19 22:17:57 -04:00
Michael Manganiello
252722e3bc
misc: Apply pyupgrade changes for Python 3.12 compatibility
Command applied:
```
find ./backend/ -type f -name "*.py" -exec pyupgrade --py312-plus {} \;
```
2025-06-29 12:27:16 -03:00
zurdi
7d27e368f1
feat: add SESSION_MAX_AGE_SECONDS configuration for session middleware
2025-06-13 12:54:31 +00:00
mjmfighter
c709b8ae2e
fix: correct user creation logic in OpenIDHandler
2025-05-21 23:07:53 -05:00
zurdi
0d09f510de
feat: implement invite link creation with role assignment and user registration
2025-05-13 22:28:46 +00:00
zurdi
1c7f8fff88
feat: add InviteLink dialog and update invite link handling in user table
2025-05-13 17:52:33 +00:00
zurdi
500ff5e67f
add: endpoint to generate invite link token
2025-05-13 17:40:07 +00:00
zurdi
1103700d00
feat: implement one-time use for password reset tokens with Redis
2025-05-13 09:36:14 +00:00
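A consume-once token store, as an added example that is not part of this commit history or of RomM's code. It models the pattern behind four commits in this log: the one-time password reset token kept in Redis (this commit), "consume the token as soon as it's read", the atomic `getdel` for the pairing code exchange, and the TOCTOU fix for duplicate refresh token use. `FakeRedis` is an in-memory stand-in so the example runs offline; with redis-py the two shapes are `r.get(k)` followed by `r.delete(k)` versus a single `r.getdel(k)` (Redis 6.2+, redis-py 4+). The key prefixes and the `user:42` subject are constructed for the example.

```python
"""Consume-once tokens: check-then-delete versus atomic GETDEL.

Added example, not RomM's code. FakeRedis stands in for a Redis connection so the
race can be shown deterministically and offline.
"""
from __future__ import annotations

import secrets
from typing import Optional


class FakeRedis:
    """Minimal in-memory stand-in exposing only the commands the example needs."""

    def __init__(self) -> None:
        self._data: dict[str, str] = {}

    def set(self, key: str, value: str) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[str]:
        return self._data.get(key)

    def delete(self, key: str) -> int:
        return 1 if self._data.pop(key, None) is not None else 0

    def getdel(self, key: str) -> Optional[str]:
        # One command: read and remove cannot be interleaved by another caller.
        return self._data.pop(key, None)


def issue_code(r: FakeRedis, prefix: str, subject: str) -> str:
    """Store a random one-time code mapped to its subject (a user id, a token id, ...)."""
    code = secrets.token_urlsafe(32)
    r.set(f"{prefix}:{code}", subject)
    return code


class RacyConsumer:
    """Check-then-act: the read and the delete are two separate round trips.

    The steps are split so the example can interleave two requests deterministically;
    in production two concurrent HTTP requests open the same window on their own.
    """

    def __init__(self, r: FakeRedis, prefix: str) -> None:
        self.r, self.prefix = r, prefix

    def read(self, code: str) -> Optional[str]:
        return self.r.get(f"{self.prefix}:{code}")

    def finish(self, code: str) -> None:
        self.r.delete(f"{self.prefix}:{code}")


def consume_atomic(r: FakeRedis, prefix: str, code: str) -> Optional[str]:
    """GETDEL: the first caller gets the subject, every later caller gets None."""
    return r.getdel(f"{prefix}:{code}")


def race_racy() -> tuple[Optional[str], Optional[str]]:
    """Two requests both read before either deletes: the code is honoured twice."""
    r = FakeRedis()
    code = issue_code(r, "reset", "user:42")
    c = RacyConsumer(r, "reset")
    first = c.read(code)   # request A reads
    second = c.read(code)  # request B reads before A has deleted
    c.finish(code)
    c.finish(code)
    return first, second


def race_atomic() -> tuple[Optional[str], Optional[str]]:
    """Same interleaving against GETDEL: only one request wins."""
    r = FakeRedis()
    code = issue_code(r, "reset", "user:42")
    first = consume_atomic(r, "reset", code)
    second = consume_atomic(r, "reset", code)
    return first, second
```

When the stored value itself is not needed, `DEL` returning 1 is an equally atomic "this caller consumed it" signal, which is the shape a refresh-token rotation step can use to ensure an old refresh token is redeemed at most once. A transaction (`MULTI`/`EXEC`) or a Lua script gives the same guarantee when the consume step has to touch more than one key.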
zurdi
d27f4d626b
feat: Reset forgotten password added
2025-05-13 09:35:53 +00:00
zurdi
14761c2c83
refactor: enhance logging with highlighted output for improved readability
2025-05-09 09:05:59 +00:00