diff --git a/README.md b/README.md index db33f82..ce54b39 100644 --- a/README.md +++ b/README.md 
@@ -4,18 +4,20 @@ A self-hosted, multi-user life administration app with a dark-themed UI and role ## Features -- **Multi-user RBAC** - Admin and standard user roles, per-user data isolation, admin portal with IAM, system config, and audit logs -- **Dashboard** - Contextual greeting, week timeline, stat cards, upcoming events, weather widget, day briefing -- **Todos** - Task management with priorities, due dates, recurrence, and grouped sections (overdue/today/upcoming) -- **Calendar** - Multi-calendar system with month/week/day views, recurring events, drag-and-drop, event templates -- **Projects** - Project boards with kanban view, nested tasks/subtasks, comments, progress tracking -- **Reminders** - Time-based reminders with snooze, dismiss, recurrence, and real-time alert notifications (dashboard banner + toasts) -- **People** - Contact directory with avatar initials, favourites, birthday tracking, category filtering -- **Locations** - Location management with OSM search integration, category filtering, frequent locations -- **Weather** - Dashboard weather widget with temperature, conditions, and contextual rain warnings -- **Settings** - Accent color picker (8 presets), first day of week, weather city, ntfy push notifications, TOTP two-factor auth, auto-lock, password management -- **Notifications** - ntfy push notifications for reminders (configurable per-user) -- **Admin Portal** - User management (create, delete, activate/deactivate, role assignment, password reset), system configuration (open registration, MFA enforcement), audit log viewer +- **Multi-user RBAC** — Admin and standard user roles, per-user data isolation, admin portal with IAM, system config, and audit logs +- **Dashboard** — Contextual greeting, week timeline, stat cards, upcoming events, weather widget, day briefing +- **Todos** — Task management with priorities, due dates, recurrence, and grouped sections (overdue/today/upcoming) +- **Calendar** — Multi-calendar system with month/week/day 
views, recurring events, drag-and-drop, event templates, shared calendars with permission-based access +- **Shared Calendars** — Invite connections to calendars with granular permissions (read-only, create/modify, full access). Event locking prevents concurrent edits. Near-real-time sync via 5s polling +- **Event Invitations** — Invite connections to individual events with RSVP (accept/tentative/decline), per-occurrence status overrides for recurring events, display calendar assignment, and optional edit access via can_modify toggle +- **Projects** — Project boards with kanban view, nested tasks/subtasks, comments, progress tracking +- **Reminders** — Time-based reminders with snooze, dismiss, recurrence, and real-time alert notifications (dashboard banner + toasts) +- **People & Connections** — Contact directory with avatar initials, favourites, birthday tracking. Social connections via umbral name search with bidirectional Person records on accept +- **Locations** — Location management with OSM search integration, category filtering, frequent locations +- **Weather** — Dashboard weather widget with temperature, conditions, and contextual rain warnings +- **Settings** — Accent color picker (8 presets), first day of week, weather city, ntfy push notifications, TOTP two-factor auth, auto-lock, password management +- **Notifications** — In-app notification centre with toast popups, plus ntfy push notifications for reminders (configurable per-user) +- **Admin Portal** — User management (create, delete, activate/deactivate, role assignment, password reset), system configuration (open registration, MFA enforcement), audit log viewer ## Tech Stack 
@@ -26,7 +28,7 @@ A self-hosted, multi-user life administration app with a dark-themed UI and role | Fonts | Sora (headings), DM Sans (body) via Google Fonts | | State | TanStack Query v5, React Router v6 | | Backend | FastAPI, Python 3.12, Pydantic v2 | -| Database | PostgreSQL 16, SQLAlchemy 2.0 (async), Alembic (37 migrations) | +| Database | PostgreSQL 16, SQLAlchemy 2.0 (async), Alembic (56 migrations) | | Auth | Argon2id hashing, DB-backed sessions (signed httpOnly cookies), TOTP MFA, CSRF middleware, role-based access control | | Scheduler | APScheduler (async) for ntfy notification dispatch | | Deployment | Docker Compose (3 services), Nginx reverse proxy | @@ -129,6 +131,8 @@ A self-hosted, multi-user life administration app with a dark-themed UI and role - **Argon2id password hashing** with transparent bcrypt migration on first login - **DB-backed sessions** — revocable, with signed itsdangerous httpOnly cookies, 7-day sliding window with 30-day hard ceiling - **Optional TOTP MFA** — authenticator app support with backup codes, admin-enforced MFA for new users +- **Invited editor field allowlist** — can_modify invitees restricted to content fields only (title, description, time, color, location); calendar moves, recurring series changes, and deletions blocked server-side +- **5 penetration tests passed** — RBAC, header hardening, SSRF, shared calendars, event invitations; 0 exploitable findings ### Production Hardening 
@@ -163,9 +167,11 @@ All endpoints require authentication (signed session cookie) except auth routes | `/api/auth/*` | Login, logout, setup, register, status, password change, TOTP MFA | | `/api/admin/*` | User management, system config, audit logs (admin only) | | `/api/todos/*` | Todos CRUD + toggle completion | -| `/api/events/*` | Calendar events CRUD (incl. recurring) | +| `/api/events/*` | Calendar events CRUD (incl. recurring) + event invitations | +| `/api/event-invitations/*` | Invitation responses, per-occurrence overrides, can_modify toggle, leave | | `/api/event-templates/*` | Event templates CRUD | | `/api/calendars/*` | User calendars CRUD + visibility | +| `/api/shared-calendars/*` | Shared calendar management, invitations, permissions, event locking | | `/api/reminders/*` | Reminders CRUD + dismiss + snooze + due alerts | | `/api/projects/*` | Projects + nested tasks + comments CRUD | | `/api/people/*` | People CRUD | @@ -174,6 +180,8 @@ All endpoints require authentication (signed session cookie) except auth routes | `/api/dashboard` | Dashboard aggregation | | `/api/upcoming` | Unified upcoming items feed | | `/api/weather/*` | Weather data proxy | +| `/api/connections/*` | Social connections (search, request, respond, manage) | +| `/api/notifications/*` | In-app notifications (list, read, delete) | API documentation is available at `/api/docs` (Swagger UI) when `ENVIRONMENT=development`. 
@@ -215,15 +223,15 @@ umbra/ │ ├── Dockerfile │ ├── requirements.txt │ ├── alembic.ini -│ ├── alembic/versions/ # 37 migrations (001–037) +│ ├── alembic/versions/ # 56 migrations (001–056) │ └── app/ │ ├── main.py # FastAPI app, CSRF middleware, router registration, health endpoint │ ├── config.py # Pydantic BaseSettings (DATABASE_URL, SECRET_KEY, CORS, etc.) │ ├── database.py # Async SQLAlchemy engine + session factory -│ ├── models/ # 18 SQLAlchemy ORM models (incl. User, UserSession, SystemConfig, AuditLog) -│ ├── schemas/ # 13 Pydantic v2 request/response schema modules (incl. admin) -│ ├── routers/ # 14 API route handlers (incl. auth, admin, totp) -│ ├── services/ # Auth (Argon2id), recurrence, TOTP, ntfy, audit +│ ├── models/ # 20 SQLAlchemy ORM models (incl. User, UserSession, EventInvitation, CalendarMember) +│ ├── schemas/ # 14 Pydantic v2 request/response schema modules +│ ├── routers/ # 16 API route handlers (incl. auth, admin, event_invitations, shared_calendars) +│ ├── services/ # Auth (Argon2id), recurrence, TOTP, ntfy, audit, calendar_sharing, event_invitation, notification │ └── jobs/ # APScheduler notification dispatch └── frontend/ ├── Dockerfile 
@@ -233,20 +241,22 @@ umbra/ └── src/ ├── App.tsx # Routes, ProtectedRoute, AdminRoute auth guards ├── lib/ # api.ts (axios + 401 interceptor), date-utils.ts, utils.ts - ├── hooks/ # useAuth, useAdmin, useSettings, useTheme, useCalendars, useConfirmAction, useCategoryOrder, useTableVisibility + ├── hooks/ # useAuth, useAdmin, useSettings, useTheme, useCalendars, useConfirmAction, useConnections, useNotifications, useEventInvitations ├── types/ # TypeScript interfaces └── components/ - ├── ui/ # 17 base components (Button, Dialog, Sheet, Card, Input, Select, Switch, etc.) + ├── ui/ # 18 base components (Button, Dialog, Sheet, Card, Input, Select, Switch, DatePicker, ...) ├── shared/ # EntityTable, EntityDetailPanel, CategoryFilterBar, CategoryAutocomplete, CopyableField ├── layout/ # AppLayout, Sidebar, LockOverlay ├── auth/ # LockScreen, AmbientBackground - ├── admin/ # AdminPortal, IAMPage, ConfigPage, AdminDashboardPage, CreateUserDialog, UserActionsMenu, UserDetailSection + ├── admin/ # AdminPortal, IAMPage, ConfigPage, AdminDashboardPage, CreateUserDialog, UserActionsMenu ├── dashboard/ # DashboardPage + 8 widgets - ├── calendar/ # CalendarPage, CalendarSidebar, CalendarForm, EventForm, TemplateForm - ├── todos/ # TodosPage, TodoList, TodoItem, TodoForm + ├── calendar/ # CalendarPage, CalendarSidebar, EventDetailPanel, InviteeSection, LeaveEventDialog, CalendarForm, EventForm, TemplateForm + ├── todos/ # TodosPage, TodoList, TodoItem, TodoForm, TodoDetailPanel ├── reminders/ # RemindersPage, ReminderList, ReminderItem, ReminderForm, SnoozeDropdown, AlertBanner ├── projects/ # ProjectsPage, ProjectCard, ProjectDetail, ProjectForm, KanbanBoard, TaskRow, TaskForm, TaskDetailPanel ├── people/ # PeoplePage, PersonForm + ├── connections/ # ConnectionSearch, ConnectionRequestCard, ConnectionsTab + ├── notifications/ # NotificationsPage, NotificationToaster ├── locations/ # LocationsPage, LocationForm └── settings/ # SettingsPage, NtfySettingsSection, TotpSetupSection 
```
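Review bot: the Shared Calendars bullet in the Features hunk says event locking prevents concurrent edits but does not say how a lock is released when the holder's client goes away; with sync on 5s polling, a stale lock would block the other members until someone clears it. Add the lock lifetime (or that it is lease-based and expires) to that bullet. Also confirm that "umbral name search" in the People & Connections bullet is the intended product wording rather than a typo for username search.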
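Review bot: the "5 penetration tests passed ... 0 exploitable findings" bullet in the Security hunk is not verifiable as written; a reader cannot tell whether these were manual assessments or automated test cases, when they ran, or against which revision. Link the test scripts or reports and date the claim, e.g. "0 exploitable findings as of <commit placeholder>". The invited editor allowlist bullet is the stronger statement of the two; consider naming the module that enforces the allowlist so a reviewer can locate it.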
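Review bot: in the first API table hunk, `/api/admin/*` is marked "(admin only)" but the new `/api/event-invitations/*` and `/api/shared-calendars/*` rows say nothing about who may call them, even though these are the endpoints where one user acts on another user's data. State the authorization rule per row, for example "responses: invitee only; can_modify toggle: event owner only" and "permissions, invitations: calendar owner only", so the Security section's server-side claims are traceable to the API surface.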
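Review bot: `/api/connections/*` in the second API table hunk is the one endpoint here where an authenticated user looks up other accounts; the row should say what fields the search returns and whether it is throttled or requires a minimum query length, since an unbounded name search doubles as user enumeration.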
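Review bot: the routers/ count in the backend tree hunk goes from 14 to 16, but the API table in this same patch adds four new prefixes (`/api/event-invitations/*`, `/api/shared-calendars/*`, `/api/connections/*`, `/api/notifications/*`) and the comment names only event_invitations and shared_calendars. Either connections and notifications are served from existing routers, in which case say so, or the count is stale. The schemas/ comment also drops "(incl. admin)"; harmless, but keep the examples consistent with the features the counts are meant to back.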
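Review bot: the hooks/ line in the frontend tree hunk drops useCategoryOrder and useTableVisibility, and the admin/ line drops UserDetailSection, with no corresponding source change in this patch; if those files still exist the listing is now incomplete, and if they were removed the patch should say so. Minor style point: the ui/ line changes the trailing "etc." to "..." while the rest of the tree keeps the earlier convention.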