Change token endpoints and utils to return expires_in and refresh_token_expires_in as seconds-until-expiry (RFC 6749 §5.1) by computing (expiry - now).total_seconds() instead of returning epoch timestamps. Update docs examples and frontend type comments to reflect the new semantics. Also make token-exchange determine client_type from the X-Client-Type request header (with fallback/sanitization) because stored oauth_state.client_type can be missing for system browser flows.
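As an added illustration of the semantics this commit describes (example code, not the project's own token endpoint), the following computes `expires_in` and `refresh_token_expires_in` as RFC 6749 §5.1 lifetimes in seconds from stored expiry timestamps, clamps already-expired values to 0, tolerates naive vs. timezone-aware datetimes, and resolves the client type from an `X-Client-Type` header with a sanitised fallback. The field names, the `{"web", "mobile"}` allow-list and the sample timestamps are assumptions made for this example.

```python
"""Added example (not the project's code): emit RFC 6749 §5.1 `expires_in`
values as seconds-until-expiry instead of epoch timestamps, and resolve the
client type from the X-Client-Type header with sanitisation and a fallback.
Assumed names: access_expires_at / refresh_expires_at, the allow-list below."""
from datetime import datetime, timedelta, timezone
from typing import Optional


def seconds_until(expiry: datetime, now: Optional[datetime] = None) -> int:
    """Whole seconds from `now` until `expiry`, never negative.

    Naive datetimes are treated as UTC so a naive/aware mismatch cannot raise
    or silently shift the result by the server's local offset.
    """
    now = now or datetime.now(timezone.utc)
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    remaining = (expiry - now).total_seconds()
    # Clients treat expires_in as a remaining lifetime; a negative number would
    # advertise a token that is already dead, so clamp at zero.
    return max(0, int(remaining))


def build_token_response(access_token: str, access_expires_at: datetime,
                         refresh_token: str, refresh_expires_at: datetime,
                         now: Optional[datetime] = None) -> dict:
    """JSON body for a token exchange / refresh response.

    Both *_expires_in fields are lifetimes in seconds; a client that needs an
    absolute time adds them to its own clock on receipt, so server/client clock
    skew no longer leaks into the meaning of the field.
    """
    return {
        "access_token": access_token,
        "token_type": "Bearer",  # RFC 6749 §5.1: token_type is REQUIRED
        "expires_in": seconds_until(access_expires_at, now),
        "refresh_token": refresh_token,
        "refresh_token_expires_in": seconds_until(refresh_expires_at, now),
    }


ALLOWED_CLIENT_TYPES = {"web", "mobile"}  # hypothetical allow-list for this example


def resolve_client_type(header_value: Optional[str], stored_value: Optional[str]) -> str:
    """Prefer the X-Client-Type header, fall back to the stored oauth_state value,
    and only ever return a value from the allow-list. Anything else collapses to
    "web" instead of echoing attacker-controlled input into later branching."""
    for candidate in (header_value, stored_value):
        if candidate is None:
            continue
        value = candidate.strip().lower()
        if value in ALLOWED_CLIENT_TYPES:
            return value
    return "web"


# Constructed sample timestamps so the computation is deterministic.
SAMPLE_ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCESS_EXPIRES = SAMPLE_ISSUED + timedelta(minutes=15)
SAMPLE_REFRESH_EXPIRES = SAMPLE_ISSUED + timedelta(days=7)
SAMPLE_NAIVE_EXPIRES = datetime(2024, 1, 1, 12, 30)  # naive, read as UTC


def demo() -> dict:
    """Build a response for the constructed sample data at SAMPLE_ISSUED."""
    return build_token_response("at-example", SAMPLE_ACCESS_EXPIRES,
                                "rt-example", SAMPLE_REFRESH_EXPIRES,
                                now=SAMPLE_ISSUED)


if __name__ == "__main__":
    print(demo())
```

Passing `now` explicitly keeps the computation testable; in a request handler you would simply omit it. The header wins over the stored state because, as the commit notes, `oauth_state.client_type` can be absent for system-browser flows, but the header is still untrusted input and is therefore normalised and checked against the allow-list before use.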
Expose refresh_token_expires_in across auth flows: add the field to the TokenExchangeResponse schema, compute and include refresh token expiry in token exchange and refresh endpoints (public identity provider router and auth router), update utils.complete_login to return it, and update developer docs/examples. This lets clients know the refresh token lifetime alongside access token info. #514
Add Copilot agent and rich instruction docs, and introduce configurable SSO redirect scheme handling.
- Add security reviewer agent (.github/agents/se-security-reviewer.agent.md) and multiple instruction files under .github/instructions/ (agents, github-actions-ci-cd-best-practices, security-and-owasp, prompt, etc.), and rename the frontend instruction file to javascript.instructions.md. Update copilot-instructions.md to reference the new guides.
- Add ALLOWED_REDIRECT_SCHEMES option to .env.example to allow configured custom URI schemes for mobile/system-browser SSO (with security notes). #539
- Update backend auth code and config to support and validate SSO redirect schemes (backend/app/auth/identity_providers/public_router.py, utils.py, backend/app/core/config.py) and adjust related tests and docs (tests, docs/developer-guide/authentication.md, docs/getting-started/advanced-started.md). #539
- Apply frontend updates to login/footer/components and package.json (frontend/app/src/*, frontend/app/package.json) and update pyproject.toml. #539
- Fix for #535
- Fix for #527
- Fix for #502
These changes add documentation and tooling for Copilot agents, improve SSO configurability for mobile flows, and wire through necessary backend, frontend, tests, and docs updates.
Changed the /logout endpoint to validate and extract session info from the refresh token instead of the access token. Updated authentication documentation to clarify differences between web and mobile endpoints, including logout and token usage.
Implements PKCE support for mobile password authentication, allowing mobile clients to use a secure token exchange flow similar to OAuth/SSO. Updates authentication endpoints, schemas, and documentation to support PKCE parameters and session-based token exchange for mobile clients. Also standardizes Pydantic schema field defaults using the `default` argument for improved OpenAPI and client code generation.
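To make the mobile flow this commit introduces concrete, here is an added, self-contained sketch of both sides of a PKCE-protected password login followed by a session-based token exchange (example code, not the project's implementation; the store, the `session_code` name, the 60-second TTL and the placeholder tokens are assumptions). The client generates a `code_verifier` and its S256 `code_challenge`; the server binds the challenge to a one-time session code on a successful password check, and only releases tokens to a caller who presents the matching verifier, once, before the code expires.

```python
"""Added example (not the project's code): PKCE (RFC 7636, S256 only) applied to
a mobile password login, with a one-time session code exchanged for tokens.
All names, TTLs and the in-memory store are assumptions for this example."""
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# RFC 7636 §4.1: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# base64url(sha256) is always 43 characters without padding.
_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier kept in app memory."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 transform sent with the login request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingExchange:
    user_id: str
    code_challenge: str
    expires_at: datetime
    used: bool = False


class PkceExchangeServer:
    """Server side; `_pending` stands in for a database table of session codes."""

    def __init__(self, ttl_seconds: int = 60):
        self._pending: Dict[str, PendingExchange] = {}
        self._ttl = timedelta(seconds=ttl_seconds)

    def password_login(self, user_id: str, password_ok: bool, code_challenge: str,
                       code_challenge_method: str, now: datetime) -> Optional[str]:
        """Step 1: on a good password, return a short-lived one-time session code
        bound to the challenge. No tokens leave the server yet."""
        if not password_ok:
            return None
        if code_challenge_method != "S256":  # refuse 'plain' outright
            raise ValueError("only S256 is accepted")
        if not _CHALLENGE_RE.match(code_challenge):
            raise ValueError("malformed code_challenge")
        session_code = b64url(secrets.token_bytes(32))
        self._pending[session_code] = PendingExchange(user_id, code_challenge, now + self._ttl)
        return session_code

    def token_exchange(self, session_code: str, code_verifier: str, now: datetime) -> Optional[dict]:
        """Step 2: prove possession of the verifier. The code is burned on first
        use, before the check, so a wrong guess cannot be retried against it."""
        entry = self._pending.get(session_code)
        if entry is None or entry.used or now >= entry.expires_at:
            return None
        entry.used = True
        if not _VERIFIER_RE.match(code_verifier):
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry.code_challenge):
            return None
        # Placeholder tokens; a real server mints its access/refresh tokens here.
        return {"user_id": entry.user_id, "access_token": secrets.token_urlsafe(32)}


def run_flow() -> dict:
    """Drive both sides with constructed data and report which checks held."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    server = PkceExchangeServer(ttl_seconds=60)
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code_bad = server.password_login("alice", True, challenge, "S256", now)
    wrong = server.token_exchange(code_bad, make_code_verifier(), now)
    code = server.password_login("alice", True, challenge, "S256", now)
    good = server.token_exchange(code, verifier, now + timedelta(seconds=5))
    replay = server.token_exchange(code, verifier, now + timedelta(seconds=6))
    code_late = server.password_login("alice", True, challenge, "S256", now)
    late = server.token_exchange(code_late, verifier, now + timedelta(seconds=61))
    return {
        "bad_password_rejected": server.password_login("alice", False, challenge, "S256", now) is None,
        "wrong_verifier_rejected": wrong is None,
        "exchange_ok": good is not None and good["user_id"] == "alice",
        "replay_rejected": replay is None,
        "expired_rejected": late is None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The point of the split is that the secret material (the verifier) never travels in the first request, so an intercepted session code is useless without the device that generated the challenge; marking the code used before the comparison, and expiring it quickly, keeps a leaked code from becoming a brute-force target.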
Refactor units and currency fields in both backend and frontend from integer values to string enums (e.g., 'metric', 'imperial', 'euro', 'dollar', 'pound'). Update database migration, models, schemas, and all related frontend components and logic to use string values instead of numeric codes.
Deleted the MFA backup codes API router test file. Expanded the authentication developer guide to document MFA backup code usage, format, error responses, and related endpoints for status and regeneration.
Enhanced the Content-Security-Policy header to allow inline images, styles, scripts, and OpenStreetMap tiles to allow frontend static serving from FastAPI.
Major expansion of authentication documentation: clarified OAuth 2.1 hybrid token storage, CSRF protection, refresh token rotation, session management, progressive account lockout, and best practices for web and mobile clients.
Updated backend and frontend to use '/auth/login', '/auth/refresh', '/auth/mfa/verify', and '/auth/logout' endpoints instead of legacy paths. Adjusted CSRF middleware, route prefixes, tests, documentation, and service utilities to match the new endpoint structure for improved clarity and consistency.
Implements database-backed OAuth state management to support secure PKCE flows for mobile SSO. Adds new models, CRUD, and scheduled cleanup for OAuth state, updates identity provider login and callback flows to use server-side state, and introduces a token exchange endpoint for mobile clients. Updates session and rate limiting logic, and maintains backward compatibility for web clients using cookie-based state.
Expanded the authentication documentation with a detailed step-by-step guide for implementing OAuth/SSO in mobile applications using WebView. The new section covers prerequisites, provider discovery, WebView handling, token extraction, secure storage, authenticated API requests, and token refresh logic.
Updated authentication documentation to reflect new public and profile-based identity provider API routes. Also added support for displaying the PocketID icon in the identity provider list component.
Split the monolithic developer-guide.md into three focused documents: setup-dev-env.md, authentication.md, and supported-types.md. Updated mkdocs.yml navigation to reflect the new structure, improving documentation clarity and maintainability.