Change token endpoints and utils to return expires_in and refresh_token_expires_in as seconds-until-expiry (RFC 6749 §5.1) by computing (expiry - now).total_seconds() instead of returning epoch timestamps. Update docs examples and frontend type comments to reflect the new semantics. Also make token-exchange determine client_type from the X-Client-Type request header (with fallback/sanitization) because stored oauth_state.client_type can be missing for system browser flows.
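The two behaviours described in that commit (a relative `expires_in` per RFC 6749 §5.1, and a sanitised `X-Client-Type` fallback) in working form. This is an added illustration, not the project's code: the allowlist of client types, the default of "web", the response shape and the sample instants are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Allowlist for X-Client-Type. The names and the default are assumptions made
# for this example, not the project's configuration.
ALLOWED_CLIENT_TYPES = frozenset({"web", "mobile"})
DEFAULT_CLIENT_TYPE = "web"

# Constructed sample instants so the demo runs offline and deterministically.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCESS_EXPIRY = SAMPLE_NOW + timedelta(minutes=15)
SAMPLE_REFRESH_EXPIRY = SAMPLE_NOW + timedelta(days=7)


def seconds_until_expiry(expiry, now=None):
    """RFC 6749 section 5.1 expires_in: whole seconds remaining, never negative.

    Both datetimes must be timezone-aware. Mixing a naive and an aware value
    raises TypeError on subtraction, which is preferable to silently emitting
    a lifetime that is off by the server's UTC offset.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    remaining = (expiry - now).total_seconds()
    return max(0, int(remaining))


def build_token_response(access_expiry, refresh_expiry, now=None):
    """Token endpoint body: relative lifetimes in seconds, not epoch stamps."""
    return {
        "token_type": "Bearer",
        "expires_in": seconds_until_expiry(access_expiry, now),
        "refresh_token_expires_in": seconds_until_expiry(refresh_expiry, now),
    }


def resolve_client_type(header_value, stored_value=None):
    """Choose the client type for a token exchange.

    Order: X-Client-Type header, then the client_type stored with the OAuth
    state (None for system-browser flows), then the default. Every candidate
    is normalised and checked against the allowlist, so a request cannot
    smuggle in an arbitrary string that later selects an unexpected code path.
    """
    for candidate in (header_value, stored_value):
        if not isinstance(candidate, str):
            continue
        normalized = candidate.strip().lower()
        if normalized in ALLOWED_CLIENT_TYPES:
            return normalized
    return DEFAULT_CLIENT_TYPE


def demo():
    """Usage: the body the endpoint would return for the sample instants."""
    body = build_token_response(SAMPLE_ACCESS_EXPIRY, SAMPLE_REFRESH_EXPIRY, SAMPLE_NOW)
    body["client_type"] = resolve_client_type(" Mobile ", None)
    return body


if __name__ == "__main__":
    print(demo())
```

A client that receives `expires_in` should compute its own absolute deadline from its local clock at receipt time; that is the whole point of a relative value, since client and server clocks need not agree.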
Add guidance doc and prevent blocking the asyncio event loop by running synchronous client calls in a thread pool.
- Added .github/agents/se-gitops-ci-specialist.agent.md: DevOps/CI & GitOps specialist guidance for pipelines, debugging, and best practices.
- backend/app/garmin/activity_utils.py: import asyncio and wrap garminconnect_client.get_activities_by_date, get_activity_gear, and download_activity with await asyncio.to_thread to avoid blocking the event loop.
- backend/app/strava/activity_utils.py: import asyncio and run strava_client.get_activities and parse_activity via asyncio.to_thread (parse_activity performs blocking HTTP calls). Added explanatory comments.
These changes keep the async event loop responsive when using third-party synchronous libraries.
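To make the event-loop point concrete, here is an added, self-contained demonstration (not code from the project or the libraries it wraps): a constructed blocking call that just sleeps stands in for a synchronous client library, and a heartbeat task stands in for every other coroutine the server is serving. Calling the blocking function directly starves the heartbeat; wrapping it in `asyncio.to_thread` keeps it ticking.

```python
import asyncio
import time


def blocking_fetch(name, seconds):
    """Stand-in for a synchronous third-party client call (for instance a
    library that performs blocking HTTP). Constructed for the demo: it sleeps."""
    time.sleep(seconds)
    return f"{name}:ok"


async def heartbeat(stop, ticks, interval=0.05):
    """Append a timestamp every `interval` seconds while the loop is free.
    If something blocks the loop, no ticks are recorded during that time."""
    while not stop.is_set():
        ticks.append(time.monotonic())
        await asyncio.sleep(interval)


async def handle_request(use_thread, work_seconds):
    """One request handler that needs the blocking client call, measured
    against a heartbeat that represents the rest of the server's work."""
    stop = asyncio.Event()
    ticks = []
    hb = asyncio.create_task(heartbeat(stop, ticks))
    await asyncio.sleep(0)  # give the heartbeat a chance to start
    if use_thread:
        # Runs in the default ThreadPoolExecutor; the loop keeps scheduling others.
        result = await asyncio.to_thread(blocking_fetch, "activities", work_seconds)
    else:
        # Wrong: a plain call stalls every coroutine on this loop.
        result = blocking_fetch("activities", work_seconds)
    stop.set()
    await hb
    return result, len(ticks)


def compare(work_seconds=0.4):
    """Return (ticks while blocking the loop, ticks while offloaded) for the same work."""
    _, blocked = asyncio.run(handle_request(False, work_seconds))
    _, offloaded = asyncio.run(handle_request(True, work_seconds))
    return blocked, offloaded


if __name__ == "__main__":
    blocked, offloaded = compare()
    print(f"heartbeats while blocking the loop: {blocked}")
    print(f"heartbeats with asyncio.to_thread:  {offloaded}")
```

Two caveats a practitioner should keep in mind: `asyncio.to_thread` does not make a library thread-safe, so a client object shared across requests still needs whatever locking the library requires; and the default executor has a bounded worker count, so many concurrent offloaded calls queue rather than run in parallel, and cancelling the awaiting task does not stop the thread already executing the call.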
Expose refresh_token_expires_in across auth flows: add the field to the TokenExchangeResponse schema, compute and include refresh token expiry in token exchange and refresh endpoints (public identity provider router and auth router), update utils.complete_login to return it, and update developer docs/examples. This lets clients know the refresh token lifetime alongside access token info. #514
Add Copilot agent and rich instruction docs, and introduce configurable SSO redirect scheme handling.
- Add security reviewer agent (.github/agents/se-security-reviewer.agent.md) and multiple instruction files under .github/instructions/ (agents, github-actions-ci-cd-best-practices, security-and-owasp, prompt, etc.), and rename the frontend instruction file to javascript.instructions.md. Update copilot-instructions.md to reference the new guides.
- Add ALLOWED_REDIRECT_SCHEMES option to .env.example to allow configured custom URI schemes for mobile/system-browser SSO (with security notes). #539
- Update backend auth code and config to support and validate SSO redirect schemes (backend/app/auth/identity_providers/public_router.py, utils.py, backend/app/core/config.py) and adjust related tests and docs (tests, docs/developer-guide/authentication.md, docs/getting-started/advanced-started.md). #539
- Apply frontend updates to login/footer/components and package.json (frontend/app/src/*, frontend/app/package.json) and update pyproject.toml. #539
- Fix for #535
- Fix for #527
- Fix for #502
These changes add documentation and tooling for Copilot agents, improve SSO configurability for mobile flows, and wire through necessary backend, frontend, tests, and docs updates.
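An added example of what validating `ALLOWED_REDIRECT_SCHEMES` can look like; it is not the project's implementation, and the config format (a comma-separated list of scheme names), the function names and the deny list are assumptions for the illustration. The point it makes: a configured custom scheme is only safe if the value is a syntactically valid scheme, is not something like `javascript:` or `file:`, and plain `http` is confined to loopback, which is what a native app listening on an ephemeral port uses (RFC 8252 §7.3).

```python
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*$")

# Never acceptable as a redirect target, whatever the configuration says.
FORBIDDEN_SCHEMES = frozenset({"javascript", "data", "file", "blob", "vbscript", "about"})

# Loopback addresses where plain http is acceptable for native apps (RFC 8252
# section 7.3). "localhost" is deliberately absent: it may resolve elsewhere.
LOOPBACK_HOSTS = frozenset({"127.0.0.1", "::1"})


def parse_allowed_schemes(env_value):
    """Parse a comma-separated ALLOWED_REDIRECT_SCHEMES value into a frozenset.

    https is always allowed. Configured entries are checked against the RFC
    3986 grammar and the deny list, so a typo or a hostile value cannot turn
    the SSO callback into a script, data or file URL.
    """
    allowed = {"https"}
    for raw in env_value.split(","):
        scheme = raw.strip().lower()
        if not scheme:
            continue
        if not SCHEME_RE.match(scheme):
            raise ValueError(f"ALLOWED_REDIRECT_SCHEMES: {raw!r} is not a valid URI scheme")
        if scheme in FORBIDDEN_SCHEMES or scheme == "http":
            raise ValueError(f"ALLOWED_REDIRECT_SCHEMES: {raw!r} may not be used for redirects")
        allowed.add(scheme)
    return frozenset(allowed)


def config_problem(env_value):
    """Return the validation error message for a config value, or None if it is fine."""
    try:
        parse_allowed_schemes(env_value)
    except ValueError as exc:
        return str(exc)
    return None


def is_allowed_redirect(redirect_uri, allowed_schemes):
    """Accept the redirect only if its scheme is on the allowlist.

    Plain http is accepted only for loopback hosts. Everything else must be
    https or one of the configured custom schemes. A relative URL has no
    scheme and is never a valid SSO callback.
    """
    parts = urlsplit(redirect_uri)
    scheme = parts.scheme.lower()
    if not scheme:
        return False
    if scheme == "http":
        return parts.hostname in LOOPBACK_HOSTS
    return scheme in allowed_schemes


def demo():
    """Usage with a constructed config value and a few candidate callbacks."""
    allowed = parse_allowed_schemes("myapp, com.example.app")
    candidates = [
        "https://app.example.org/callback",
        "myapp://auth/callback",
        "com.example.app://callback",
        "http://127.0.0.1:49152/callback",
        "http://app.example.org/callback",
        "javascript:alert(1)",
        "otherapp://callback",
    ]
    return {uri: is_allowed_redirect(uri, allowed) for uri in candidates}


if __name__ == "__main__":
    for uri, ok in demo().items():
        print(f"{'allow' if ok else 'deny ':5} {uri}")
```

A scheme check is a necessary condition, not a sufficient one: the server still has to match the full redirect URI against what was registered for the client, and on mobile platforms any app can claim a custom scheme, which is why RFC 8252 recommends reverse-domain scheme names and, where available, platform-verified app links over bare custom schemes.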
Bump API_VERSION to v0.17.5 and update project dependencies across backend and frontend. Updated backend dependency manifests (pyproject.toml / poetry.lock) and frontend package.json / package-lock.json; also adjusted FooterComponent.vue. After pulling, run `poetry install` and `npm install` and verify app functionality and compatibility with the updated packages.
Bump release to v0.17.4. Bump project versions (backend pyproject.toml and core config, frontend package.json/package-lock). Relax Users username validation to allow hyphen and underscore (pattern updated and description adjusted) #513. Refresh frontend dependencies in the lockfile (multiple package upgrades) and apply a small frontend component update (FooterComponent.vue).
Updated backend and frontend version numbers to 0.17.1. Upgraded several backend Python dependencies (markdown, packaging, pycparser, sqlalchemy) and frontend Rollup dependencies to their latest versions. Also updated the FooterComponent.vue to reflect the new version.
Changed the /logout endpoint to validate and extract session info from the refresh token instead of the access token. Updated authentication documentation to clarify differences between web and mobile endpoints, including logout and token usage.
Updated project version from 0.16.7 to 0.17.0 across backend and frontend. Upgraded backend dependency 'apprise' to 1.9.7 and updated several frontend dev dependencies including rollup, @typescript-eslint, baseline-browser-mapping, and data-urls. Renamed Alembic migration file to match new version.
Renamed all 'users_session' modules and tests to 'users_sessions' for consistency. Introduced 'users_privacy_settings.utils' with a utility for converting activity visibility to integer, and updated all relevant usages. Added API reference documentation files and updated mkdocs configuration to include new reference sections.
Backend now normalizes access_type to a string before password hashing and user creation, ensuring consistent handling. Frontend updates default gender and access_type values to string representations ('male', 'regular'), and adjusts password validation logic to use string values for access_type.
Refactor session creation and models to allow nullable refresh_token, enabling PKCE/SSO flows to create sessions before token exchange. Update related logic, validation, and tests to handle sessions without refresh tokens. Improve error handling and logging for authentication and token refresh endpoints. Update OAuth state lookup to ensure only unused states are accepted.
Introduce comprehensive test suites for user session and rotated refresh token functionality, including CRUD operations, model and schema validation, and utility functions. These tests improve coverage and reliability for session management and token rotation logic.
Modified authentication and token manager tests to assert on the new unified error message 'Unable to authenticate' and to check for HTTP 401 status with specific detail in insecure claim scenarios.
Refactored user session and rotated refresh token modules for improved maintainability and consistency. Introduced explicit __init__.py exports, switched to SQLAlchemy 2.0 style models, added and improved Pydantic schemas, and replaced raw SQLAlchemy queries with select/delete statements. Added core_decorators.handle_db_errors for error handling, improved docstrings, and updated API router response models. This refactor also enhances type safety, code clarity, and aligns with modern FastAPI/SQLAlchemy best practices.
Moved all session-related files and imports from 'session' to 'users/users_session' to improve code organization and clarity. Updated all references throughout the codebase and tests to use the new namespace.
Updated refresh token reuse detection to use HMAC-SHA256 with the server secret for deterministic and secure token hashing and lookup. Refactored related utility functions and updated their usage in the auth router. Also reduced the scheduler interval for cleaning up expired rotated tokens from 5 to 1 minute.
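An added illustration of why a keyed, deterministic hash fits refresh-token reuse detection, with the detection logic itself. This is not the project's code: the in-memory store, the exception names, the session identifiers and the server secret are all constructed for the example. The design point: an unkeyed SHA-256 would let anyone who copies the table check guessed tokens offline, while a salted password hash would defeat the indexed lookup the endpoint needs; HMAC with the server secret gives both a stable lookup key and a digest that is useless without the secret.

```python
import hashlib
import hmac
import secrets

# The server secret would come from configuration; this constant is constructed for the demo.
SERVER_SECRET = b"example-server-secret-change-me"


def hash_refresh_token(token, secret=SERVER_SECRET):
    """Keyed, deterministic digest of a refresh token.

    Deterministic so the database can index and look up the hash directly.
    Keyed so someone who copies the table cannot confirm guessed tokens or
    precompute digests without also holding the server secret.
    """
    return hmac.new(secret, token.encode("utf-8"), hashlib.sha256).hexdigest()


class ReuseDetected(Exception):
    """A retired refresh token was presented again: a replay or a stolen copy."""


class InvalidToken(Exception):
    pass


class RefreshTokenStore:
    """In-memory stand-in (constructed) for the session and rotated-token tables."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret
        self.active = {}   # token hash -> session id; one live token per session
        self.retired = {}  # token hash -> session id; tokens consumed by rotation

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self.active[hash_refresh_token(token, self.secret)] = session_id
        return token  # the plaintext goes to the client and is never stored

    def rotate(self, presented):
        h = hash_refresh_token(presented, self.secret)
        session_id = self.active.pop(h, None)
        if session_id is not None:
            self.retired[h] = session_id
            return self.issue(session_id)
        if h in self.retired:
            # The legitimate client already rotated this token, so a second
            # presentation is a replay or a stolen copy. Revoke the whole
            # session so the current token dies too, whoever holds it.
            victim = self.retired[h]
            self.revoke_session(victim)
            raise ReuseDetected(victim)
        raise InvalidToken()

    def revoke_session(self, session_id):
        self.active = {h: s for h, s in self.active.items() if s != session_id}
        self.retired = {h: s for h, s in self.retired.items() if s != session_id}

    def purge_retired(self):
        """What a scheduled cleanup does: drop retired hashes once they are past
        their expiry (here all of them, for brevity). Anything purged can no
        longer trigger reuse detection, only a plain 'invalid token'."""
        self.retired.clear()


def demo():
    """Scenario: normal rotation, then an attacker replays the old token."""
    store = RefreshTokenStore()
    t1 = store.issue("session-1")
    t2 = store.rotate(t1)            # legitimate client rotates
    outcome = {"rotated": t2 != t1}
    try:
        store.rotate(t1)             # stolen or replayed old token
        outcome["reuse_detected"] = False
    except ReuseDetected as exc:
        outcome["reuse_detected"] = True
        outcome["revoked_session"] = exc.args[0]
    try:
        store.rotate(t2)             # the legitimate holder is logged out as well
        outcome["current_still_valid"] = True
    except InvalidToken:
        outcome["current_still_valid"] = False
    return outcome


if __name__ == "__main__":
    print(demo())
```

The reuse-detection window is exactly as long as retired hashes are kept, so a cleanup job should remove rotated tokens only once they are past their own expiry; purging them earlier turns a detectable replay into an undetectable one.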
Added explicit HTTP 401 exception for insecure token claims in TokenManager. Updated error messages in authenticate_user to use a generic authentication failure message for both username and password errors, enhancing security and impersonation
Updated tests to use string values for enums (Units, Currency, ActivityVisibility) instead of integers, reflecting schema changes. Changed model relationship attribute checks from 'user' to 'users' across health, gear, goals, identity provider, integrations, and privacy settings tests. Adjusted assertions and test data to match new enum and relationship conventions.
Introduces a rate limit for signup attempts to prevent account creation abuse. Improves user creation error handling by providing a more generic error message to reduce information leakage. Also includes minor refactoring and logging improvements in session and identity provider logic. Dependency updates for backend and frontend packages are included.
Implements PKCE support for mobile password authentication, allowing mobile clients to use a secure token exchange flow similar to OAuth/SSO. Updates authentication endpoints, schemas, and documentation to support PKCE parameters and session-based token exchange for mobile clients. Also standardizes Pydantic schema field defaults using the `default` argument for improved OpenAPI and client code generation.
Refactored all imports, relationships, and references from 'user' to 'users' across backend modules for consistency. Updated model relationship names, schemas, and CRUD/service calls to use the plural form, and adjusted migration and utility logic accordingly.
Refactor backend and frontend to use string values ('public', 'followers', 'private') for default_activity_visibility instead of integers. Updates database migration, models, schemas, and all related frontend components and stores to reflect this change.
Refactor units and currency fields in both backend and frontend from integer values to string enums (e.g., 'metric', 'imperial', 'euro', 'dollar', 'pound'). Update database migration, models, schemas, and all related frontend components and logic to use string values instead of numeric codes.
Refactored user-related enums (gender, access_type, first_day_of_week) in the backend and frontend from integer values to string values for improved clarity and maintainability. Updated Alembic migration to convert existing data, adjusted SQLAlchemy models, Pydantic schemas, and all related logic and UI components to use string-based enums. This change affects user creation, editing, display, and authentication logic throughout the application.
Centralizes file saving logic with a new `save_file` utility, updates all usages related to user to use the new function, and ensures image validation is consistently applied. The import service now properly converts string numeric fields to floats/ints, removes database IDs from imported objects, and uses async file saving for all imported files. Also updates frontend gear fetching logic and upgrades several dependencies.
Refactored identity provider user info sync to update user fields only if changes are detected and to handle email conflicts gracefully. Updated user creation to use actual server settings. Enhanced import service to validate existence of identity providers before linking, preventing errors when providers are missing.
Move MFASecretStore to own file for segregation of concerns. Refactors and documents profile-related modules, improves API endpoint consistency (status codes, response models), and updates MFA enable/disable endpoints to use PUT. Updates frontend components and services to match new event and API conventions, adds Strava state management, and synchronizes sidebar section state with URL query parameters for better navigation and UX.
Added comprehensive docstrings to routers and dependencies for better API documentation and clarity. Updated __init__.py to explicitly export CRUD functions, schemas, models, enums, and utilities. Minor refactoring in routers to improve type hints, argument naming, and return values for consistency.
The create_user endpoint now returns the created user object directly instead of formatting the birthdate. The unused format_user_birthdate utility function has been removed for code simplification.
Updated the read_users_me endpoint to construct the UserMe response using model_validate and model_copy, ensuring integration and privacy settings are included in the response. This approach improves clarity and maintainability by avoiding direct mutation of the user model.
Enhanced the handle_db_errors decorator to automatically rollback the session on SQLAlchemy errors. Updated related CRUD and test files to use the new error handling and session rollback logic. Refactored test mocks to use scalar_one and get_server_settings_or_404, and fixed test coverage for user default gear creation and user authentication. Also updated frontend user edit modal to handle external_auth_count after edit.
Centralizes file upload logic in a new core.file_uploads module with security validation and async I/O. Refactors user and server settings image upload endpoints to use the new handler, and updates user photo CRUD operations to be asynchronous. Replaces direct file system operations with async equivalents, improves error handling, and updates related frontend logic to match new API responses. Also standardizes server settings access to use get_server_settings_or_404 and makes several migration and CRUD functions async for consistency.