✨(all) add organizations, resources, channels, and infra migration (#34)

Add multi-tenant organization model populated from OIDC claims with org-scoped user discovery, CalDAV principal filtering, and cross-org isolation at the SabreDAV layer. Add bookable resource principals (rooms, equipment) with CalDAV auto-scheduling that handles conflict detection, auto-accept/decline, and org-scoped booking enforcement. Fixes #14. Replace CalendarSubscriptionToken with a unified Channel model supporting CalDAV integration tokens and iCal feed URLs, with encrypted token storage and role-based access control. Fixes #16. Migrate task queue from Celery to Dramatiq with async ICS import, progress tracking, and task status polling endpoint. Replace nginx with Caddy for both the reverse proxy and frontend static serving. Switch frontend package manager from yarn/pnpm to npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9. Harden security with fail-closed entitlements, RSVP rate limiting and token expiry, CalDAV proxy path validation blocking internal API routes, channel path scope enforcement, and ETag-based conflict prevention. Add frontend pages for resource management and integration channel CRUD, with resource booking in the event modal. Restructure CalDAV paths to /calendars/users/ and /calendars/resources/ with nested principal collections in SabreDAV.
2026-03-09 09:09:34 +01:00
parent cd2b15b3b5
commit 9c18f96090
176 changed files with 26903 additions and 12108 deletions
--- a/env.d/development/backend.defaults
+++ b/env.d/development/backend.defaults
@@ -17,11 +17,11 @@ PYTHONPATH=/app

 # Media
 STORAGES_STATICFILES_BACKEND=django.contrib.staticfiles.storage.StaticFilesStorage
-MEDIA_BASE_URL=http://localhost:8923
+MEDIA_BASE_URL=http://localhost:8933

-# OIDC - Keycloak on dedicated port 8925
+# OIDC - Keycloak on dedicated port 8935
 OIDC_OP_JWKS_ENDPOINT=http://keycloak:8080/realms/calendars/protocol/openid-connect/certs
-OIDC_OP_AUTHORIZATION_ENDPOINT=http://localhost:8925/realms/calendars/protocol/openid-connect/auth
+OIDC_OP_AUTHORIZATION_ENDPOINT=http://localhost:8935/realms/calendars/protocol/openid-connect/auth
 OIDC_OP_TOKEN_ENDPOINT=http://keycloak:8080/realms/calendars/protocol/openid-connect/token
 OIDC_OP_USER_ENDPOINT=http://keycloak:8080/realms/calendars/protocol/openid-connect/userinfo

@@ -30,15 +30,15 @@ OIDC_RP_CLIENT_SECRET=ThisIsAnExampleKeyForDevPurposeOnly
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"

-LOGIN_REDIRECT_URL=http://localhost:8920
-LOGIN_REDIRECT_URL_FAILURE=http://localhost:8920
-LOGOUT_REDIRECT_URL=http://localhost:8920
+LOGIN_REDIRECT_URL=http://localhost:8930
+LOGIN_REDIRECT_URL_FAILURE=http://localhost:8930
+LOGOUT_REDIRECT_URL=http://localhost:8930

-OIDC_REDIRECT_ALLOWED_HOSTS="http://localhost:8923,http://localhost:8920"
+OIDC_REDIRECT_ALLOWED_HOSTS="http://localhost:8933,http://localhost:8930"
 OIDC_AUTH_REQUEST_EXTRA_PARAMS={"acr_values": "eidas1"}

 # Resource Server Backend
-OIDC_OP_URL=http://localhost:8925/realms/calendars
+OIDC_OP_URL=http://localhost:8935/realms/calendars
 OIDC_OP_INTROSPECTION_ENDPOINT=http://keycloak:8080/realms/calendars/protocol/openid-connect/token/introspect
 OIDC_RESOURCE_SERVER_ENABLED=False
 OIDC_RS_CLIENT_ID=calendars
@@ -50,6 +50,7 @@ OIDC_RS_ALLOWED_AUDIENCES=""
 CALDAV_URL=http://caldav:80
 CALDAV_OUTBOUND_API_KEY=changeme-outbound-in-production
 CALDAV_INBOUND_API_KEY=changeme-inbound-in-production
+CALDAV_INTERNAL_API_KEY=changeme-internal-in-production
 # Internal URL for CalDAV scheduling callbacks (accessible from CalDAV container)
 CALDAV_CALLBACK_BASE_URL=http://backend-dev:8000