Introduces restore_postgres.sh for Endurain's demo instance to automate restoring the Postgres database from a backup, cleaning logs, pruning Docker images, and restarting containers. Includes usage instructions for scheduling via cron.
Updated foreign key constraints in migration and model files to include ondelete="CASCADE" for idp_id, user_id, and token_family_id. This ensures related records are properly deleted when parent records are removed, improving data integrity and cleanup.
Updates session token exchange logic to clear the oauth_state_id reference and immediately delete the associated OAuth state per OAuth 2.1 best practices. Adjusts database migration and model to set foreign key ondelete to SET NULL, ensuring referential integrity. Also updates frontend components to use formatHrZoneLabel utility for heart rate zone chart labels.
Added a blank line for readability in the bare-metal installation guide and updated the navigation title in mkdocs.yml to 'Bare-Metal installation guide' for consistency.
Deleted the MFA backup codes API router test file. Expanded the authentication developer guide to document MFA backup code usage, format, error responses, and related endpoints for status and regeneration.
Removed the dedicated MFA backup codes router and integrated its endpoints into the profile router for better organization. Updated frontend to support viewing, generating, and managing MFA backup codes, including a new modal component, status display, and i18n translations. Adjusted backend validation and error handling for MFA codes to support both TOTP and backup codes.
Renamed get_user_garminconnect_activities_by_dates to get_user_strava_activities_by_dates and updated all references in backend code for clarity and correctness. This improves code readability and ensures the correct function is used for Strava activity retrieval. #445
Fix issue where the model was not being shown #432
Session retrieval endpoints now return empty lists and log access attempts when ENVIRONMENT is set to 'demo'. Also, updated session cookie security to treat 'demo' like 'production', and clarified ENVIRONMENT options in documentation. Unused imports were removed from users/user/router.py.
Added instructions for updating to a new version of Endurain, including steps for stopping the service, removing old files, downloading the latest release, building the frontend, setting up the backend, and starting the service.
Added comprehensive unit tests for the identity_providers module, including CRUD operations, schema validation, and utility functions. Updated .gitignore to exclude deeper __pycache__ directories. Removed session test files and old __pycache__ files from the repository.
Added comprehensive unit tests for MFA backup codes CRUD, router, and utility functions, as well as for OAuth state CRUD and utility functions. Also fixed timezone handling in OAuth state expiry check. These tests improve coverage and reliability for authentication-related features.
Introduces database models, migration, API endpoints, and business logic for MFA backup codes as a fallback authentication method. Users can generate, view status, and consume backup codes; codes are securely hashed and invalidated upon use. Integrates backup code verification into MFA flows, updates user and profile logic, and ensures codes are managed on MFA enable/disable actions.
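The commit above describes backup codes that are generated once, stored only as hashes, and burned on use. The following is an added example of that pattern, not Endurain's code: the code format (8 base32-style characters shown as 4-4), the code count, the single per-set salt and the PBKDF2 parameters are assumptions for illustration.

```python
"""Added example (not Endurain's code): MFA backup codes stored as salted hashes,
consumed once, and replaced wholesale on regeneration or cleared on MFA disable.
Format, count and hashing parameters are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # assumed: base32-style, no 0/1/8/9 to avoid confusion
CODE_COUNT = 10                                # assumed
PBKDF2_ITERATIONS = 50_000                     # assumed; a real deployment tunes this


def _normalise(code: str) -> str:
    # Users type codes with or without the dash, spaces or upper case; compare one canonical form.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class StoredBackupCode:
    digest: bytes
    used: bool = False


@dataclass
class BackupCodeSet:
    # One salt per set: the candidate is hashed once and compared against every slot,
    # instead of one expensive PBKDF2 run per stored code.
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    codes: list[StoredBackupCode] = field(default_factory=list)

    def generate(self) -> list[str]:
        """Replace any existing codes (regeneration) and return the plaintext exactly once."""
        self.salt = secrets.token_bytes(16)
        self.codes = []
        plaintext = []
        for _ in range(CODE_COUNT):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
            plaintext.append(f"{raw[:4]}-{raw[4:]}")
            self.codes.append(StoredBackupCode(_hash_code(raw, self.salt)))
        return plaintext

    def status(self) -> dict[str, int]:
        return {"total": len(self.codes), "remaining": sum(not c.used for c in self.codes)}

    def consume(self, candidate: str) -> bool:
        """True and the matching code is burned; False for unknown, used or absent codes."""
        if not self.codes:
            return False
        digest = _hash_code(candidate, self.salt)
        matched = None
        for stored in self.codes:
            # Check every slot with a constant-time compare; no early exit on the first hit.
            if hmac.compare_digest(digest, stored.digest) and not stored.used:
                matched = stored
        if matched is None:
            return False
        matched.used = True
        return True

    def clear(self) -> None:
        """Called when MFA is disabled: codes without MFA are a second password."""
        self.codes = []
```

The plaintext list returned by `generate()` is the only time the codes are visible; the status endpoint only ever needs `status()`.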
Updated identity provider service to use timezone-aware datetime comparisons for token age, refresh, and expiry checks. Added a function to delete OAuth state by ID and integrated OAuth state cleanup into session deletion to prevent orphaned records.
Adopts the OAuth 2.1 bootstrap pattern by not storing the CSRF token hash on initial login or token exchange, allowing the first /refresh call after a page reload to establish the CSRF binding. Updates CSRF validation logic to only require the CSRF token if provided, and documents the security model. Exempts the /refresh endpoint from CSRF middleware for the bootstrap scenario. Also ensures rotated refresh tokens are deleted when a session is deleted.
Enhanced the Content-Security-Policy header to allow inline images, styles, scripts, and OpenStreetMap tiles so that the frontend can be served statically from FastAPI.
Major expansion of authentication documentation: clarified OAuth 2.1 hybrid token storage, CSRF protection, refresh token rotation, session management, progressive account lockout, and best practices for web and mobile clients.
Adds a hashed CSRF token field to the users_sessions table and model, updates session creation and refresh logic to store and validate the CSRF token hash, and enforces CSRF validation for web clients during token refresh. Updates middleware to require CSRF headers for web clients, and adds comprehensive tests for CSRF middleware behavior. Also improves frontend fetch utility to prevent concurrent refresh token requests. Fixes the access token not being validated on private /idp routes.
Modified fetchWithRetry to remove 'auth/logout' from the list of endpoints that bypass retry on 401 errors to ensure proper session deletion on the DB. Updated comment to reflect the change.
Adds rotated refresh token tracking to detect and prevent token reuse attacks. Introduces new models, schemas, and utilities for storing and checking rotated tokens, and invalidates all sessions in a token family if reuse is detected. Updates session and authentication logic to support token families, rotation counts, and last rotation timestamps. Includes Alembic migration for new columns and tables, and schedules cleanup of expired rotated tokens. Also improves frontend logout to refresh tokens before logging out.
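The commit above describes rotation with token families, rotation counts and reuse detection. The following is an added example of that mechanism, not Endurain's code: storage is an in-memory dict standing in for the database, and the field and method names are assumptions.

```python
"""Added example (not Endurain's code): refresh-token rotation where every retired
token hash is kept, a replayed retired token revokes the whole token family, and a
cleanup job purges retired hashes once they are old enough. Names are assumptions."""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _token_hash(token: str) -> str:
    # Only hashes are persisted, so a dumped table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    session_id: str
    user_id: int
    token_family_id: str          # one family per login; all rotations stay inside it
    current_token_hash: str
    rotation_count: int = 0
    last_rotation_at: float = 0.0
    revoked: bool = False


@dataclass
class TokenStore:
    sessions: dict[str, Session] = field(default_factory=dict)            # session_id -> Session
    current: dict[str, str] = field(default_factory=dict)                 # live token hash -> session_id
    rotated: dict[str, tuple[str, float]] = field(default_factory=dict)   # retired hash -> (family, retired_at)
    audit: list[str] = field(default_factory=list)

    def login(self, user_id: int, now: float | None = None) -> tuple[str, str]:
        """Create a session with a fresh token family; returns (session_id, refresh_token)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        session = Session(secrets.token_hex(8), user_id, secrets.token_hex(8),
                          _token_hash(token), last_rotation_at=now)
        self.sessions[session.session_id] = session
        self.current[session.current_token_hash] = session.session_id
        return session.session_id, token

    def refresh(self, presented: str, now: float | None = None) -> str | None:
        """Rotate a live token. A retired token is treated as a reuse attack."""
        now = time.time() if now is None else now
        h = _token_hash(presented)
        session_id = self.current.get(h)
        if session_id is not None:
            session = self.sessions[session_id]
            if session.revoked:
                return None
            new_token = secrets.token_urlsafe(32)
            del self.current[h]
            self.rotated[h] = (session.token_family_id, now)
            session.current_token_hash = _token_hash(new_token)
            session.rotation_count += 1
            session.last_rotation_at = now
            self.current[session.current_token_hash] = session_id
            return new_token
        retired = self.rotated.get(h)
        if retired is not None:
            # Either the real client replayed a stale token or a thief did; we cannot tell
            # which party holds the live one, so the whole family is revoked and logged.
            family_id, _ = retired
            self.revoke_family(family_id)
            self.audit.append(f"refresh token reuse detected; family {family_id} revoked")
        return None

    def revoke_family(self, family_id: str) -> int:
        revoked = 0
        for session in self.sessions.values():
            if session.token_family_id == family_id and not session.revoked:
                session.revoked = True
                self.current.pop(session.current_token_hash, None)
                revoked += 1
        return revoked

    def purge_rotated(self, max_age_seconds: float, now: float | None = None) -> int:
        """Scheduled cleanup: drop retired hashes older than max_age_seconds; returns how many."""
        now = time.time() if now is None else now
        expired = [h for h, (_, retired_at) in self.rotated.items() if now - retired_at >= max_age_seconds]
        for h in expired:
            del self.rotated[h]
        return len(expired)
```

Retired hashes must outlive the refresh token lifetime, otherwise a stolen token replayed after the purge looks merely unknown rather than reused, and the family is not revoked.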
Introduces SQLAlchemy relationships between OAuthState, User, and IdentityProvider models to enable easier navigation and cascading deletes. Updates the Alembic migration to add ON DELETE CASCADE to relevant foreign keys and improves column comments for clarity.
Updated backend and frontend to use '/auth/login', '/auth/refresh', '/auth/mfa/verify', and '/auth/logout' endpoints instead of legacy paths. Adjusted CSRF middleware, route prefixes, tests, documentation, and service utilities to match the new endpoint structure for improved clarity and consistency.
Implements optional session idle and absolute timeout logic, including new environment variables for configuration. Adds last_activity_at to sessions, enforces timeouts on token refresh, and introduces a scheduler job to clean up idle sessions. Also introduces progressive lockout for failed logins and updates documentation and examples accordingly.
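The commit above describes idle and absolute timeouts configured by environment variables, enforced on refresh, with a scheduler sweep for abandoned sessions. The following is an added example of that logic, not Endurain's code: the variable names, the minutes unit, and the function names are assumptions.

```python
"""Added example (not Endurain's code): optional idle and absolute session timeouts
read from environment variables (0 or unset disables a limit), enforced on token
refresh, plus the sweep a scheduler job would run. Variable names are assumptions."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Mapping

IDLE_VAR = "SESSION_IDLE_TIMEOUT_MINUTES"          # assumed variable name
ABSOLUTE_VAR = "SESSION_ABSOLUTE_TIMEOUT_MINUTES"  # assumed variable name


def _minutes_to_seconds(env: Mapping[str, str], name: str) -> int | None:
    """Unset or 0 disables the timeout; anything else must be a non-negative integer."""
    raw = env.get(name, "0").strip()
    if not raw.isdigit():
        raise ValueError(f"{name} must be a non-negative integer number of minutes, got {raw!r}")
    minutes = int(raw)
    return minutes * 60 if minutes > 0 else None


@dataclass(frozen=True)
class TimeoutPolicy:
    idle_seconds: int | None
    absolute_seconds: int | None

    @classmethod
    def from_mapping(cls, env: Mapping[str, str]) -> TimeoutPolicy:
        return cls(_minutes_to_seconds(env, IDLE_VAR), _minutes_to_seconds(env, ABSOLUTE_VAR))

    @classmethod
    def from_env(cls) -> TimeoutPolicy:
        return cls.from_mapping(os.environ)

    def expiry_reason(self, created_at: float, last_activity_at: float, now: float) -> str | None:
        """None while the session may continue, otherwise which limit ended it.
        The absolute limit is checked first: steady activity must not extend a session past it."""
        if self.absolute_seconds is not None and now - created_at >= self.absolute_seconds:
            return "absolute"
        if self.idle_seconds is not None and now - last_activity_at >= self.idle_seconds:
            return "idle"
        return None


@dataclass
class Session:
    session_id: str
    created_at: float
    last_activity_at: float
    active: bool = True


def refresh(session: Session, policy: TimeoutPolicy, now: float) -> str | None:
    """Token refresh: enforce both limits, then record activity. None means allowed."""
    if not session.active:
        return "inactive"
    reason = policy.expiry_reason(session.created_at, session.last_activity_at, now)
    if reason is not None:
        session.active = False
        return reason
    session.last_activity_at = now
    return None


def cleanup_expired_sessions(sessions: list[Session], policy: TimeoutPolicy, now: float) -> int:
    """Scheduler job: deactivate sessions whose owner never came back; returns how many."""
    count = 0
    for s in sessions:
        if s.active and policy.expiry_reason(s.created_at, s.last_activity_at, now) is not None:
            s.active = False
            count += 1
    return count
```

Rejecting a malformed value at startup rather than silently treating it as "disabled" matters here: a typo in the variable would otherwise remove a security control without any error.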
Introduced SecurityHeadersMiddleware to add essential security headers (e.g., X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, and Content-Security-Policy) to all HTTP responses. Registered the middleware in main.py to enhance protection against common web vulnerabilities.
This update enforces PKCE for all OAuth flows, removes legacy cookie-based state, and unifies token handling for both web and mobile clients to comply with OAuth 2.1. It introduces a progressive lockout mechanism for MFA to prevent brute-force attacks, updates CSRF middleware to require only the header, and ensures refresh tokens are set as httpOnly cookies with SameSite=Strict. The frontend is updated to restore tokens on app initialization and handle SSO token exchange failures. Various backend endpoints and utilities are refactored for clarity, security, and consistency.
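Both this commit and the earlier one introducing progressive lockout for failed logins describe a lock that grows with repeated failures. The following is an added example of such a scheme, not Endurain's code: the free-attempt threshold, the doubling base, the ceiling and the per-account key are assumptions.

```python
"""Added example (not Endurain's code): progressive lockout for login or MFA attempts.
After a few free failures each further failure doubles the lock, capped at a ceiling,
and a success clears the record. Thresholds and key scheme are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

FREE_ATTEMPTS = 3          # assumed: failures allowed before the first lock
BASE_LOCK_SECONDS = 30     # assumed: first lock length; doubles on each further failure
MAX_LOCK_SECONDS = 3600    # assumed: ceiling so a forgotten password never locks for days


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LockoutTracker:
    """Keyed per account (e.g. a user id); MFA attempts use the same logic under their own key."""
    states: dict[str, LockoutState] = field(default_factory=dict)

    def seconds_remaining(self, key: str, now: float) -> float:
        state = self.states.get(key)
        return 0.0 if state is None else max(0.0, state.locked_until - now)

    def record_failure(self, key: str, now: float) -> int:
        """Returns the lock duration applied (0 while still inside the free attempts)."""
        state = self.states.setdefault(key, LockoutState())
        state.failures += 1
        excess = state.failures - FREE_ATTEMPTS
        if excess <= 0:
            return 0
        duration = min(BASE_LOCK_SECONDS * 2 ** (excess - 1), MAX_LOCK_SECONDS)
        state.locked_until = now + duration
        return duration

    def record_success(self, key: str) -> None:
        self.states.pop(key, None)


def attempt(tracker: LockoutTracker, key: str, credential_ok: bool, now: float) -> tuple[bool, str]:
    """Gate one login or MFA attempt. While locked the credential is not checked at all,
    so a correct guess made during the lock gives the attacker no signal."""
    remaining = tracker.seconds_remaining(key, now)
    if remaining > 0:
        return False, f"locked for {int(remaining)}s"
    if credential_ok:
        tracker.record_success(key)
        return True, "ok"
    lock = tracker.record_failure(key, now)
    return False, "invalid" if lock == 0 else f"invalid, locked for {lock}s"
```

The key choice decides what is protected: keying on the account stops online guessing against one user, while a separate tracker keyed on client address is needed to slow password spraying across many accounts.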
Reordered parameters in get_oauth_state_by_id for consistency and updated its usage in identity provider service. Also removed timezone awareness from datetime comparison to prevent potential issues.
Implements database-backed OAuth state management to support secure PKCE flows for mobile SSO. Adds new models, CRUD, and scheduled cleanup for OAuth state, updates identity provider login and callback flows to use server-side state, and introduces a token exchange endpoint for mobile clients. Updates session and rate limiting logic, and maintains backward compatibility for web clients using cookie-based state.
Expanded the authentication documentation with a detailed step-by-step guide for implementing OAuth/SSO in mobile applications using WebView. The new section covers prerequisites, provider discovery, WebView handling, token extraction, secure storage, authenticated API requests, and token refresh logic.
Updated authentication documentation to reflect new public and profile-based identity provider API routes. Also added support for displaying the PocketID icon in the identity provider list component.
Introduced details about the public demo environment, including URL, credentials, and reset schedule, to the README and documentation index. This helps users try Endurain before installation and clarifies demo limitations.
Replaces the old 'Single-sign-on' doc with a new, comprehensive 'single-sign-on.md' covering SSO setup for multiple providers, troubleshooting, and security. Updates mkdocs.yml to reference the new file, enhance navigation, and enable additional markdown extensions and icons for improved documentation formatting.
Split the monolithic developer-guide.md into three focused documents: setup-dev-env.md, authentication.md, and supported-types.md. Updated mkdocs.yml navigation to reflect the new structure, improving documentation clarity and maintainability.
This is a set of documentation instructions to set up SSO using either Pocket ID or Tailscale as the SSO provider. It provides the steps needed within the provider as well as how to complete the "Identity Providers" custom form within Endurain.
Updated poetry.lock and package-lock.json to reflect new versions of dependencies. This includes upgrades for apprise, authlib, and coverage in the backend, as well as changes in frontend dependencies.
Introduces Pocket ID as a new OIDC provider option in both backend and frontend. Adds Pocket ID template to backend, updates provider selection and icon handling in the frontend, and includes the Pocket ID logo asset. Also bumps version numbers to 0.16.3 across backend and frontend.
- Export formatDuration function from chartUtils.js
- Add formatHrZoneLabel utility function to eliminate duplication
- Use computed properties for HR chart data to avoid repeated calculations
- Fix PEP8 line length violations (79 chars for code, 72 for comments)
- Format backend code with proper line breaks for readability
- Backend: Calculate time_seconds for each HR zone based on waypoint ratio
- Frontend: Display both percentage and time (e.g., '25% (15m)') in HR zone charts
- Update BarChartComponent to support timeSeconds prop
- Use activity total_timer_time for accurate time calculation
Replaced all references to 'joaovitoriasilva/endurain' with 'endurain-project/endurain' across documentation, templates, Docker examples, and code. Updated badge URLs, Docker image paths, and author email in backend metadata to reflect the new organization. This ensures consistency and correct attribution following the repository migration.