Cleanup app tokens to get rid of lingering email requirement (#244)

Author: dkhalife

README.md

@@ -12,6 +12,7 @@ This repo started as a fork of [DoneTick](https://github.com/donetick/donetick)
 
 Task Wizard's primary goal is to allow users to own and protect their data and the following principles are ways to accomplish that:
 
+* **Zero PII storage** — the server never stores names, emails, or any personally identifiable information. Authentication is handled entirely by Microsoft Entra ID; the backend only persists an opaque directory/object ID pair to associate tasks with a user
 * All the user data sent by this frontend only ever goes to a single backend
 * 🔜 When data is stored, it is encrypted with a user key
 * The code is continuously scanned by a CI that runs CodeQL
@@ -30,9 +31,7 @@ Task Wizard's primary goal is to allow users to own and protect their data and t
 
 📧 Notifications for important deadlines you don't want to miss
 
-🗝️ Fine-grained access tokens for endless integration possibilities
-
-🌐 Authenticated CalDAV endpoint at `/dav/tasks` with app token as the password
+🌐 CalDAV endpoint at `/dav/tasks` with OAuth 2.0 Bearer token authentication
 
 ## ⌨️ Keyboard Shortcuts
 
@@ -54,8 +53,6 @@ To set up authentication:
 
 For development without Azure AD, set `entra.enabled` to `false` to enable dev bypass mode (all requests are treated as authenticated).
 
-App tokens (used for CalDAV and API integrations) are independently signed with `jwt.secret` and remain functional regardless of Entra configuration.
-
 ## 🚀 Installation
 
 ### 🚢 Using Docker Compose (recommended)
@@ -96,7 +93,7 @@ Make sure to replace `/path/to/host` with your preferred root directory for conf
 
 In the [config](./apiserver/config/) directory are a couple of starter configuration files for prod and dev environments. The server expects a config.yaml in the config directory and will load settings from it when started.
 
-**Note:** You can set `email.host`, `email.port`, `email.email`, `email.password`, `jwt.secret`, Entra ID settings, and database credentials using environment variables for improved security and flexibility. The server will fail to start if `jwt.secret` is left as `"secret"`, so be sure to set `TW_JWT_SECRET` or edit `config.yaml`.
+**Note:** You can set Entra ID settings and database credentials using environment variables for improved security and flexibility.
 
 ### Database Configuration
 
@@ -145,7 +142,6 @@ Configure Entra ID authentication with environment variables or `config.yaml`:
 - `TW_ENTRA_TENANT_ID` - Azure AD tenant ID
 - `TW_ENTRA_CLIENT_ID` - Azure AD application (client) ID
 - `TW_ENTRA_AUDIENCE` - Expected token audience
-- `TW_JWT_SECRET` - Secret for signing app tokens (must be changed from default)
 
 ### Configuration Reference
 
@@ -166,7 +162,6 @@ The configuration files are yaml mappings with the following values:
 | `entra.tenant_id`                        | (empty)                                             | The Azure AD tenant ID for authentication.                                  |
 | `entra.client_id`                        | (empty)                                             | The Azure AD application (client) ID.                                       |
 | `entra.audience`                         | (empty)                                             | The expected audience for Entra ID tokens.                                  |
-| `jwt.secret`                             | `"secret"`                                          | The secret key used for signing app tokens. **Must be changed from default or set `TW_JWT_SECRET`.** |
 | `server.host_name`                       | `localhost`                                         | The hostname to use for external links.                                     |
 | `server.port`                            | `2021`                                              | The port on which the server listens.                                       |
 | `server.read_timeout`                    | `2s`                                                | The maximum duration for reading the entire request.                        |
@@ -181,12 +176,7 @@ The configuration files are yaml mappings with the following values:
 | `scheduler_jobs.due_frequency`           | `5m`                                                | The interval for sending regular notifications.                             |
 | `scheduler_jobs.overdue_frequency`       | `24h`                                               | The interval for sending overdue notifications.                             |
 | `scheduler_jobs.notification_cleanup`    | `10m`                                               | The interval for cleaning up sent notifications.                            |
-| `scheduler_jobs.token_expiration_cleanup`| `24h`                                               | The interval for cleaning up expired tokens.                                |
-|`scheduler_jobs.token_expiration_reminder`| `72h`                                               | How long before an app token expiration to send a reminder for it.          |
-| `email.host`                             | (empty)                                             | The email server host.                                                      |
-| `email.port`                             | (empty)                                             | The email server port.                                                      |
-| `email.email`                            | (empty)                                             | The email address used for sending emails.                                  |
-| `email.password`                         | (empty)                                             | The password for authenticating with the email server.                      |
+
 
 ## 🛠️ Development
 

apiserver/config/config.dev.yaml

@@ -2,10 +2,6 @@ database:
   type: sqlite
   migration: true
   path: task-wizard.db
-jwt:
-  secret: "s3cret"
-  session_time: 168h
-  max_refresh: 168h
 server:
   host_name: localhost
   port: 2021
@@ -22,12 +18,4 @@ server:
 scheduler_jobs:
   due_frequency: 1m
   overdue_frequency: 1m
-  password_reset_validity: 1m
-  token_expiration_reminder: 1m
   notification_cleanup: 10s
-  token_expiration_cleanup: 1h
-email:
-  host: 
-  port: 
-  email:  
-  password:

apiserver/config/config.go

@@ -10,10 +10,8 @@ import (
 type Config struct {
 	Database      DatabaseConfig  `mapstructure:"database" yaml:"database"`
 	Entra         EntraConfig     `mapstructure:"entra" yaml:"entra"`
-	Jwt           JwtConfig       `mapstructure:"jwt" yaml:"jwt"`
 	Server        ServerConfig    `mapstructure:"server" yaml:"server"`
 	SchedulerJobs SchedulerConfig `mapstructure:"scheduler_jobs" yaml:"scheduler_jobs"`
-	EmailConfig   EmailConfig     `mapstructure:"email" yaml:"email"`
 }
 
 type DatabaseConfig struct {
@@ -35,10 +33,6 @@ type EntraConfig struct {
 	Issuer   string `mapstructure:"issuer" yaml:"issuer"`
 }
 
-type JwtConfig struct {
-	Secret string `mapstructure:"secret" yaml:"secret"`
-}
-
 type ServerConfig struct {
 	HostName             string        `mapstructure:"host_name" yaml:"host_name"`
 	Port                 int           `mapstructure:"port" yaml:"port"`
@@ -54,18 +48,9 @@ type ServerConfig struct {
 }
 
 type SchedulerConfig struct {
-	DueFrequency            time.Duration `mapstructure:"due_frequency" yaml:"due_frequency" default:"5m"`
-	OverdueFrequency        time.Duration `mapstructure:"overdue_frequency" yaml:"overdue_frequency" default:"1d"`
-	TokenExpirationReminder time.Duration `mapstructure:"token_expiration_reminder" yaml:"token_expiration_reminder" default:"72h"`
-	NotificationCleanup     time.Duration `mapstructure:"notification_cleanup" yaml:"notification_cleanup" default:"10m"`
-	TokenExpirationCleanup  time.Duration `mapstructure:"token_expiration_cleanup" yaml:"token_expiration_cleanup" default:"24h"`
-}
-
-type EmailConfig struct {
-	Host     string `mapstructure:"host"`
-	Port     int    `mapstructure:"port"`
-	Email    string `mapstructure:"email"`
-	Password string `mapstructure:"password"`
+	DueFrequency        time.Duration `mapstructure:"due_frequency" yaml:"due_frequency" default:"5m"`
+	OverdueFrequency    time.Duration `mapstructure:"overdue_frequency" yaml:"overdue_frequency" default:"1d"`
+	NotificationCleanup time.Duration `mapstructure:"notification_cleanup" yaml:"notification_cleanup" default:"10m"`
 }
 
 func LoadConfig(configFile string) *Config {
@@ -90,11 +75,6 @@ func LoadConfig(configFile string) *Config {
 	_ = viper.BindEnv("entra.client_id", "TW_ENTRA_CLIENT_ID")
 	_ = viper.BindEnv("entra.audience", "TW_ENTRA_AUDIENCE")
 	_ = viper.BindEnv("entra.issuer", "TW_ENTRA_ISSUER")
-	_ = viper.BindEnv("jwt.secret", "TW_JWT_SECRET")
-	_ = viper.BindEnv("email.host", "TW_EMAIL_HOST")
-	_ = viper.BindEnv("email.port", "TW_EMAIL_PORT")
-	_ = viper.BindEnv("email.email", "TW_EMAIL_SENDER")
-	_ = viper.BindEnv("email.password", "TW_EMAIL_PASSWORD")
 	_ = viper.BindEnv("database.type", "TW_DATABASE_TYPE")
 	_ = viper.BindEnv("database.host", "TW_DATABASE_HOST")
 	_ = viper.BindEnv("database.port", "TW_DATABASE_PORT")
@@ -113,9 +93,5 @@ func LoadConfig(configFile string) *Config {
 		panic(err)
 	}
 
-	if config.Jwt.Secret == "secret" {
-		panic("JWT secret must be changed from the default 'secret'. Set TW_JWT_SECRET or update config.yaml")
-	}
-
 	return &config
 }

apiserver/config/config.yaml

@@ -8,8 +8,6 @@ entra:
   client_id: ""
   audience: ""
   issuer: ""
-jwt:
-  secret: "secret"
 server:
   host_name: example.com
   port: 2021
@@ -23,6 +21,4 @@ server:
 scheduler_jobs:
   due_frequency: 5m
   overdue_frequency: 24h
-  token_expiration_reminder: 72h
   notification_cleanup: 10m
-  token_expiration_cleanup: 24h

apiserver/config/config_test.go

@@ -32,12 +32,9 @@ entra:
   tenant_id: test-tenant
   client_id: test-client
   audience: api://test-client
-jwt:
-  secret: test-app-secret
 scheduler_jobs:
   due_frequency: 5m
   overdue_frequency: 24h
-  token_expiration_reminder: 72h
 `)
 
 	assert.NoError(t, err)
@@ -60,11 +57,8 @@ scheduler_jobs:
 	assert.Equal(t, "test-client", cfg.Entra.ClientID)
 	assert.Equal(t, "api://test-client", cfg.Entra.Audience)
 
-	assert.Equal(t, "test-app-secret", cfg.Jwt.Secret)
-
 	assert.Equal(t, 5*time.Minute, cfg.SchedulerJobs.DueFrequency)
 	assert.Equal(t, 24*time.Hour, cfg.SchedulerJobs.OverdueFrequency)
-	assert.Equal(t, 72*time.Hour, cfg.SchedulerJobs.TokenExpirationReminder)
 }
 
 func TestLoadConfig_PanicOnMissingFile(t *testing.T) {
@@ -90,22 +84,6 @@ func TestLoadConfig_PanicOnMissingFile(t *testing.T) {
 	})
 }
 
-func TestLoadConfig_PanicOnDefaultSecret(t *testing.T) {
-	_ = os.MkdirAll("./config", 0755)
-	f, err := os.Create("./config/config.yaml")
-	assert.NoError(t, err)
-	defer os.Remove("./config/config.yaml")
-	defer f.Close()
-
-	_, err = f.WriteString("server:\n  port: 1234\njwt:\n  secret: secret\n")
-	assert.NoError(t, err)
-
-	viper.Reset()
-	assert.Panics(t, func() {
-		_ = LoadConfig("./config/config.yaml")
-	})
-}
-
 func TestLoadConfig_EntraEnvOverride(t *testing.T) {
 	_ = os.MkdirAll("./config", 0755)
 	f, err := os.Create("./config/config.yaml")
@@ -118,8 +96,6 @@ func TestLoadConfig_EntraEnvOverride(t *testing.T) {
   tenant_id: file-tenant
   client_id: file-client
   audience: api://file-client
-jwt:
-  secret: file-secret
 server:
   port: 1234
 `)
@@ -129,7 +105,6 @@ server:
 	os.Setenv("TW_ENTRA_TENANT_ID", "env-tenant")
 	os.Setenv("TW_ENTRA_CLIENT_ID", "env-client")
 	os.Setenv("TW_ENTRA_AUDIENCE", "api://env-client")
-	os.Setenv("TW_JWT_SECRET", "env-secret")
 
 	viper.Reset()
 	cfg := LoadConfig("./config/config.yaml")
@@ -138,13 +113,11 @@ server:
 	assert.Equal(t, "env-tenant", cfg.Entra.TenantID)
 	assert.Equal(t, "env-client", cfg.Entra.ClientID)
 	assert.Equal(t, "api://env-client", cfg.Entra.Audience)
-	assert.Equal(t, "env-secret", cfg.Jwt.Secret)
 
 	os.Unsetenv("TW_ENTRA_ENABLED")
 	os.Unsetenv("TW_ENTRA_TENANT_ID")
 	os.Unsetenv("TW_ENTRA_CLIENT_ID")
 	os.Unsetenv("TW_ENTRA_AUDIENCE")
-	os.Unsetenv("TW_JWT_SECRET")
 }
 
 func TestLoadConfig_EnvFile(t *testing.T) {
@@ -153,7 +126,7 @@ func TestLoadConfig_EnvFile(t *testing.T) {
 	defer os.Remove("envconfig.yaml")
 	defer f.Close()
 
-	_, err = f.WriteString("server:\n  port: 4444\njwt:\n  secret: test-secret\n")
+	_, err = f.WriteString("server:\n  port: 4444\n")
 	assert.NoError(t, err)
 
 	os.Setenv("TW_CONFIG_FILE", "envconfig.yaml")
@@ -168,14 +141,14 @@ func TestLoadConfig_CLIOverridesEnv(t *testing.T) {
 	assert.NoError(t, err)
 	defer os.Remove("env.yaml")
 	defer f1.Close()
-	_, err = f1.WriteString("server:\n  port: 3333\njwt:\n  secret: test-secret\n")
+	_, err = f1.WriteString("server:\n  port: 3333\n")
 	assert.NoError(t, err)
 
 	f2, err := os.Create("cli.yaml")
 	assert.NoError(t, err)
 	defer os.Remove("cli.yaml")
 	defer f2.Close()
-	_, err = f2.WriteString("server:\n  port: 2222\njwt:\n  secret: test-secret\n")
+	_, err = f2.WriteString("server:\n  port: 2222\n")
 	assert.NoError(t, err)
 
 	os.Setenv("TW_CONFIG_FILE", "env.yaml")
@@ -197,8 +170,6 @@ func TestLoadConfig_DatabaseEnvOverride(t *testing.T) {
   path: /config/task-wizard.db
 server:
   port: 1234
-jwt:
-  secret: test-secret
 `)
 	assert.NoError(t, err)
 
@@ -244,8 +215,6 @@ func TestLoadConfig_MySQLConfig(t *testing.T) {
   migration: true
 server:
   port: 1234
-jwt:
-  secret: test-secret
 `)
 	assert.NoError(t, err)
 

apiserver/go.mod

@@ -18,7 +18,6 @@ require (
 require (
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/stretchr/testify v1.10.0
-	github.com/wneessen/go-mail v0.7.2
 	gorm.io/driver/mysql v1.6.0
 )
 
@@ -47,7 +46,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.20.0 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect

apiserver/go.sum

@@ -46,8 +46,6 @@ github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpv
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
 github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -134,8 +132,6 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/ulule/limiter/v3 v3.11.2 h1:P4yOrxoEMJbOTfRJR2OzjL90oflzYPPmWg+dvwN2tHA=
 github.com/ulule/limiter/v3 v3.11.2/go.mod h1:QG5GnFOCV+k7lrL5Y8kgEeeflPH3+Cviqlqa8SVSQxI=
-github.com/wneessen/go-mail v0.7.2 h1:xxPnhZ6IZLSgxShebmZ6DPKh1b6OJcoHfzy7UjOkzS8=
-github.com/wneessen/go-mail v0.7.2/go.mod h1:+TkW6QP3EVkgTEqHtVmnAE/1MRhmzb8Y9/W3pweuS+k=
 go.uber.org/dig v1.17.1 h1:Tga8Lz8PcYNsWsyHMZ1Vm0OQOUaJNDyvPImgbAu9YSc=
 go.uber.org/dig v1.17.1/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
 go.uber.org/fx v1.22.0 h1:pApUK7yL0OUHMd8vkunWSlLxZVFFk70jR2nKde8X2NM=

apiserver/internal/apis/caldav.go

@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	"dkhalife.com/tasks/core/config"
 	authMW "dkhalife.com/tasks/core/internal/middleware/auth"
 	models "dkhalife.com/tasks/core/internal/models"
 	cRepo "dkhalife.com/tasks/core/internal/repos/caldav"
@@ -18,7 +19,6 @@ import (
 	"dkhalife.com/tasks/core/internal/services/logging"
 	"dkhalife.com/tasks/core/internal/utils/auth"
 	"dkhalife.com/tasks/core/internal/utils/caldav"
-	middleware "dkhalife.com/tasks/core/internal/utils/middleware"
 	"dkhalife.com/tasks/core/internal/ws"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/zap"
@@ -29,14 +29,16 @@ type CalDAVAPIHandler struct {
 	cRepo *cRepo.CalDavRepository
 	nRepo *nRepo.NotificationRepository
 	ws    *ws.WSServer
+	cfg   *config.Config
 }
 
-func CalDAVAPI(tRepo *tRepo.TaskRepository, cRepo *cRepo.CalDavRepository, nRepo *nRepo.NotificationRepository, wsServer *ws.WSServer) *CalDAVAPIHandler {
+func CalDAVAPI(tRepo *tRepo.TaskRepository, cRepo *cRepo.CalDavRepository, nRepo *nRepo.NotificationRepository, wsServer *ws.WSServer, cfg *config.Config) *CalDAVAPIHandler {
 	return &CalDAVAPIHandler{
 		tRepo: tRepo,
 		cRepo: cRepo,
 		nRepo: nRepo,
 		ws:    wsServer,
+		cfg:   cfg,
 	}
 }
 
@@ -321,9 +323,31 @@ func (h *CalDAVAPIHandler) handleRootRedirect(c *gin.Context) {
 	}
 }
 
+func (h *CalDAVAPIHandler) handleOAuthDiscovery(c *gin.Context) {
+	if !h.cfg.Entra.Enabled {
+		c.JSON(http.StatusNotFound, gin.H{"error": "OAuth is not configured"})
+		return
+	}
+
+	base := "https://login.microsoftonline.com/" + h.cfg.Entra.TenantID + "/oauth2/v2.0"
+	c.JSON(http.StatusOK, gin.H{
+		"authorization_endpoint": base + "/authorize",
+		"token_endpoint":         base + "/token",
+		"client_id":              h.cfg.Entra.ClientID,
+		"scopes": []string{
+			string(models.ApiTokenScopeDavRead),
+			string(models.ApiTokenScopeDavWrite),
+		},
+	})
+}
+
 func CalDAVRoutes(router *gin.Engine, h *CalDAVAPIHandler, auth *authMW.AuthMiddleware) {
+	if !h.cfg.Entra.Enabled {
+		return
+	}
+
 	davRoutes := router.Group("dav")
-	davRoutes.Use(middleware.BasicAuthToJWTAdapter())
+	davRoutes.GET("/.well-known/oauth", h.handleOAuthDiscovery)
 	davRoutes.Use(auth.MiddlewareFunc())
 	{
 		davRoutes.HEAD("/tasks/*path", authMW.ScopeMiddleware(models.ApiTokenScopeDavRead), h.handleHead)