Merge branch 'main' into feature/webhooks

Signed-off-by: Mark Rai <markraidc@gmail.com>

Author: markrai

CHANGELOG.md

@@ -1,8 +1,35 @@
 # Changelog
 
-> **Upgrades:** No breaking changes in **3.7.x** / **3.8.x** / **3.9.x** unless noted below.
+> **Upgrades:** No breaking changes in **3.7.x** / **3.8.x** / **3.9.x** / **3.10.x** unless noted below.
 
 
+## [3.10.0] - 2026-04-04
+
+### Features
+
+- **Event bus + SSE** — **`internal/eventbus`** fanout; **`PublishEvent`** on the server. Board refresh / members events go through the bus; **`sseBridge`** keeps the same SSE JSON as before.
+- **`todo.assigned`** — Published after commit from **`CreateTodo`** / **`UpdateTodo`** when assignee changes (non-anonymous temp boards). SSE uses reason **`todo_assigned`**; handlers skip duplicate **`todo_created`** / **`todo_updated`** refresh when **`AssignmentChanged`**.
+- **Webhooks (full mode)** — **`POST` / `GET` / `DELETE`** **`/api/webhooks`** (maintainer, session; **404** in anonymous mode). Migration **050**; optional HMAC **`X-Scrumboy-Signature`**; async queue + worker, retries, JSON envelope with event **`id`** (for idempotency). Dispatcher enqueues in a goroutine with a detached context so SSE is not blocked.
+
+### Fixes
+
+- **Shutdown** — HTTP **`Shutdown`** before cancelling the webhook worker.
+- **CreateTodo** — Same **`!isAnonymousBoard`** gate as **`UpdateTodo`** for assignment events.
+
+### Other
+
+- Tests: **`eventbus_regression_test.go`**. Docs: README webhooks section + TOC. Dep: **`github.com/google/uuid`**.
+
+---
+
+## [3.9.4] - 2026-04-04
+
+### Fixes
+
+- **OIDC / SSO - account linking for existing users** — When a user signs in with **Continue with SSO** and the IdP returns a **verified** email that already matches a **`users`** row (e.g. bootstrap owner or admin-created account from before OIDC), Scrumboy now **links** the **`(issuer, subject)`** identity in **`user_oidc_identities`** to that user instead of failing with a duplicate-email conflict. Local password hashes are unchanged; SSO and password login can both work for the same account when local auth remains enabled. Integration test **`TestOIDCAutoLinkExistingUser`** covers the full callback flow; the test **fake IdP** now relays **`nonce`** from authorize → token so end-to-end OIDC tests match real providers.
+
+---
+
 ## [3.9.3] - 2026-04-05
 
 ### Improvements
@@ -15,6 +42,14 @@
 
 ---
 
+## [3.9.2] - (no release)
+
+### Note
+
+- **Version number skipped in git** — There is no commit in this repository that sets **`internal/version/version.go`** to **3.9.2**, and no **`README`** / **`CHANGELOG`** reference to **3.9.2** before this note. After **3.9.1**, the next bump was **3.9.3** (commit **`2c5b576`**, *multiple UX enhancements…*). No separate user-facing changes are recorded under **3.9.2**; see **3.9.1** (OIDC **`dist/`** rebuild) and **3.9.3** (UX items above) for work in that window.
+
+---
+
 ## [3.9.1] - 2026-04-04
 
 ### Fixes

README.md

@@ -1,7 +1,7 @@
 <p align="center">
   <img width="372" src="internal/httpapi/web/githublogo.png" alt="scrumboy logo" />
   <br />
-  <img src="https://img.shields.io/badge/version-v3.9.3-blue" alt="version" />
+  <img src="https://img.shields.io/badge/version-v3.10.0-blue" alt="version" />
   <a href="LICENSE">
     <img src="https://img.shields.io/badge/license-AGPL--v3-orange" alt="license" />
   </a>
@@ -12,6 +12,34 @@
 
 <img width="2975" height="1078" alt="image" src="internal/httpapi/web/github_preview.jpg" />
 
+## Table of contents
+
+- [Quick Start](#quick-start)
+  - [Run with Docker](#run-with-docker)
+  - [Run from source](#run-from-source)
+- [Optional Configuration](#optional-configuration)
+  - [Environment variables](#environment-variables)
+  - [Encryption key (optional)](#encryption-key-optional)
+  - [OIDC / SSO login (optional)](#oidc--sso-login-optional)
+  - [TLS / HTTPS (optional)](#tls--https-optional)
+  - [Frontend build note](#frontend-build-note)
+- [Why Scrumboy?](#why-scrumboy)
+- [Who is this for?](#who-is-this-for)
+- [Modes](#modes)
+- [Features](#features)
+- [Integrations & API Access](#integrations--api-access)
+  - [MCP (JSON-RPC) for AI agents](#mcp-json-rpc-for-ai-agents)
+  - [Webhooks (outbound HTTP)](#webhooks-outbound-http)
+- [Config](#config)
+- [Roles](#roles)
+  - [System roles (instance-wide)](#system-roles-instance-wide)
+  - [Project roles (per project)](#project-roles-per-project)
+- [Export scope](#export-scope)
+- [Import modes](#import-modes)
+- [Code layout (reference)](#code-layout-reference)
+- [Documentation](#documentation)
+- [License and Contributions](#license-and-contributions)
+
 ## Quick Start
 
 Runs in seconds. No setup required.
@@ -117,6 +145,8 @@ Simplicity of a light Kanban, with the power of structured systems: Roles, sprin
 
 - Realtime SSE enabled boards for instant multi-user actions.
 
+- **Webhooks (API-only, full mode):** Register URLs per project so Scrumboy can POST JSON when subscribed domain events fire (e.g. `todo.assigned`). For your own automations—not in-app or browser notifications. See [Integrations](#integrations--api-access).
+
 - Customizable Tags: Users can inherit and customize tag colors.
 
 - Advanced filtering: Search todos based on text or tags.
@@ -218,6 +248,26 @@ This enables:
 - AI agents and MCP clients (use **`POST /mcp/rpc`** for JSON-RPC; **`POST /mcp`** remains available for the legacy `{ "tool", "input" }` envelope)
 - Scripting/integrations without login flows
 
+### Webhooks (outbound HTTP)
+
+Scrumboy can **POST JSON to URLs you register** when certain events occur. This is for **server-side integrations** (your script, gateway, queue worker, etc.). It does **not** add notifications inside the Scrumboy UI; live boards still update via **SSE** as before.
+
+- **Availability:** **Full mode only** (endpoints are disabled in anonymous mode).
+- **Who can configure:** Project **maintainers**, via the HTTP API only—there is **no settings screen** for webhooks yet.
+- **API:** `POST /api/webhooks` (create), `GET /api/webhooks` (list yours), `DELETE /api/webhooks/{id}` — same session cookie / CSRF header rules as other mutating `/api/*` calls.
+- **Events:** Subscribe to specific types (e.g. `todo.assigned`) or `*` for all delivered types. The set may grow over time; unused types in your list are harmless.
+- **Security:** Optional per-webhook **secret**; when set, requests include an `X-Scrumboy-Signature` header (`sha256=` HMAC of the raw JSON body).
+- **Semantics:** Best-effort delivery with retries on failure; not a durable external queue—design for idempotent receivers using the event `id` in the JSON body.
+
+Example create (replace cookie / project id / URL):
+
+```bash
+curl -b cookies.txt -X POST http://localhost:8080/api/webhooks \
+  -H "Content-Type: application/json" \
+  -H "X-Scrumboy: 1" \
+  -d '{"projectId":1,"url":"https://example.com/scrumboy-hook","events":["todo.assigned"],"secret":"optional-shared-secret"}'
+```
+
 
 # Config
 

internal/httpapi/oidc.go

@@ -66,12 +66,28 @@ func (s *Server) handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
 		u, err = s.store.CreateUserOIDC(ctx, configuredIssuer, result.Issuer, result.Subject, result.Email, result.Name)
 		if err != nil {
 			if errors.Is(err, store.ErrConflict) {
-				s.logger.Printf("oidc: login aborted: email already in use by existing user (OIDC identity not linked), sub=%s", result.Subject)
+				// Email already belongs to a local-password user. Auto-link
+				// the OIDC identity so pre-existing users can log in via SSO
+				// without creating a duplicate account. The IdP email is
+				// already verified (HandleCallback enforces email_verified).
+				existing, lookupErr := s.store.GetUserByEmail(ctx, result.Email)
+				if lookupErr != nil {
+					s.logger.Printf("oidc: auto-link lookup failed for %s: %v", result.Email, lookupErr)
+					http.Redirect(w, r, "/?oidc_error=token", http.StatusFound)
+					return
+				}
+				if linkErr := s.store.LinkOIDCIdentity(ctx, existing.ID, result.Issuer, result.Subject, result.Email); linkErr != nil {
+					s.logger.Printf("oidc: auto-link failed for user %d: %v", existing.ID, linkErr)
+					http.Redirect(w, r, "/?oidc_error=token", http.StatusFound)
+					return
+				}
+				s.logger.Printf("oidc: auto-linked existing user %d (%s) to OIDC identity sub=%s", existing.ID, result.Email, result.Subject)
+				u = existing
 			} else {
 				s.logger.Printf("oidc: create user: %v", err)
+				http.Redirect(w, r, "/?oidc_error=token", http.StatusFound)
+				return
 			}
-			http.Redirect(w, r, "/?oidc_error=token", http.StatusFound)
-			return
 		}
 	}
 

internal/httpapi/oidc_test.go

@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"path/filepath"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -34,6 +35,9 @@ type fakeIdP struct {
 	email      string
 	emailVer   bool
 	name       string
+
+	mu     sync.Mutex
+	nonces map[string]string // auth code → nonce
 }
 
 func newFakeIdP(t *testing.T) *fakeIdP {
@@ -91,10 +95,21 @@ func (f *fakeIdP) handleJWKS(w http.ResponseWriter, r *http.Request) {
 
 func (f *fakeIdP) handleAuthorize(w http.ResponseWriter, r *http.Request) {
 	state := r.URL.Query().Get("state")
+	nonce := r.URL.Query().Get("nonce")
 	redir := r.URL.Query().Get("redirect_uri")
+
+	code := "code-" + state[:8]
+
+	f.mu.Lock()
+	if f.nonces == nil {
+		f.nonces = make(map[string]string)
+	}
+	f.nonces[code] = nonce
+	f.mu.Unlock()
+
 	u, _ := url.Parse(redir)
 	q := u.Query()
-	q.Set("code", "test-auth-code")
+	q.Set("code", code)
 	q.Set("state", state)
 	u.RawQuery = q.Encode()
 	http.Redirect(w, r, u.String(), http.StatusFound)
@@ -110,10 +125,11 @@ func (f *fakeIdP) handleToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	nonce := r.FormValue("nonce")
-	if nonce == "" {
-		nonce = "fallback"
-	}
+	code := r.FormValue("code")
+	f.mu.Lock()
+	nonce := f.nonces[code]
+	delete(f.nonces, code)
+	f.mu.Unlock()
 
 	now := time.Now()
 	claims := map[string]any{
@@ -330,3 +346,112 @@ func TestOIDCCallbackInvalidState(t *testing.T) {
 	}
 }
 
+// newTestOIDCServerWithStore is like newTestOIDCServer but also returns the
+// store so tests can pre-create local users before exercising the OIDC flow.
+func newTestOIDCServerWithStore(t *testing.T, idp *fakeIdP) (*httptest.Server, *store.Store, func()) {
+	t.Helper()
+
+	dir := t.TempDir()
+	sqlDB, err := db.Open(filepath.Join(dir, "app.db"), db.Options{
+		BusyTimeout: 5000,
+		JournalMode: "WAL",
+		Synchronous: "FULL",
+	})
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+	if err := migrate.Apply(context.Background(), sqlDB); err != nil {
+		_ = sqlDB.Close()
+		t.Fatalf("migrate: %v", err)
+	}
+
+	st := store.New(sqlDB, nil)
+
+	oidcSvc := oidc.New(oidc.Config{
+		IssuerCanonical: idp.issuer,
+		ClientID:        idp.clientID,
+		ClientSecret:    "test-secret",
+		RedirectURL:     "http://placeholder/api/auth/oidc/callback",
+	})
+
+	srv := NewServer(st, Options{
+		MaxRequestBody: 1 << 20,
+		ScrumboyMode:   "full",
+		OIDCService:    oidcSvc,
+	})
+	ts := httptest.NewServer(srv)
+
+	oidcSvc2 := oidc.New(oidc.Config{
+		IssuerCanonical: idp.issuer,
+		ClientID:        idp.clientID,
+		ClientSecret:    "test-secret",
+		RedirectURL:     ts.URL + "/api/auth/oidc/callback",
+	})
+	srv.oidcService = oidcSvc2
+
+	return ts, st, func() {
+		ts.Close()
+		_ = sqlDB.Close()
+	}
+}
+
+// TestOIDCAutoLinkExistingUser verifies that when a pre-existing local-password
+// user tries OIDC login with a matching verified email, the identity is
+// auto-linked and login succeeds (instead of failing with a conflict error).
+func TestOIDCAutoLinkExistingUser(t *testing.T) {
+	idp := newFakeIdP(t)
+	defer idp.close()
+
+	ts, st, cleanup := newTestOIDCServerWithStore(t, idp)
+	defer cleanup()
+
+	ctx := context.Background()
+
+	// Bootstrap the owner with the same email the IdP will provide.
+	_, err := st.BootstrapUser(ctx, idp.email, "Password123!", "Alice Local")
+	if err != nil {
+		t.Fatalf("bootstrap: %v", err)
+	}
+
+	// Follow the full OIDC flow: login redirect → IdP authorize → callback.
+	jar, _ := cookiejar.New(nil)
+	client := &http.Client{Jar: jar}
+
+	resp, err := client.Get(ts.URL + "/api/auth/oidc/login?return_to=/")
+	if err != nil {
+		t.Fatalf("oidc login: %v", err)
+	}
+	resp.Body.Close()
+
+	// After the full redirect chain the user should land on "/" with a session
+	// cookie, NOT on "/?oidc_error=token".
+	finalURL := resp.Request.URL.String()
+	if strings.Contains(finalURL, "oidc_error") {
+		t.Fatalf("expected successful login, got redirect to %s", finalURL)
+	}
+
+	// Verify the session is live: GET /api/auth/status should return the user.
+	var status map[string]any
+	doJSON(t, client, "GET", ts.URL+"/api/auth/status", nil, &status)
+	user, ok := status["user"].(map[string]any)
+	if !ok || user == nil {
+		t.Fatalf("expected authenticated user in status, got %v", status)
+	}
+	if user["email"] != idp.email {
+		t.Errorf("expected email=%s, got %v", idp.email, user["email"])
+	}
+
+	// A second OIDC login with the same identity should succeed (identity
+	// already linked, no conflict).
+	jar2, _ := cookiejar.New(nil)
+	client2 := &http.Client{Jar: jar2}
+	resp2, err := client2.Get(ts.URL + "/api/auth/oidc/login?return_to=/")
+	if err != nil {
+		t.Fatalf("second oidc login: %v", err)
+	}
+	resp2.Body.Close()
+	if strings.Contains(resp2.Request.URL.String(), "oidc_error") {
+		t.Fatalf("second login failed: %s", resp2.Request.URL.String())
+	}
+}
+

internal/httpapi/server.go

@@ -83,6 +83,8 @@ type storeAPI interface {
 	RevokeUserAPIToken(ctx context.Context, userID, tokenID int64) error
 
 	GetUserByOIDCIdentity(ctx context.Context, issuer, subject string) (store.User, error)
+	GetUserByEmail(ctx context.Context, email string) (store.User, error)
+	LinkOIDCIdentity(ctx context.Context, userID int64, issuer, subject, email string) error
 	CreateUserOIDC(ctx context.Context, configuredIssuer, issuer, subject, email, name string) (store.User, error)
 
 	ListProjects(ctx context.Context) ([]store.ProjectListEntry, error)