feat: add CalDAV source config to admin dashboard

Add source definition for aelis.caldav with server URL, username,
password, look-ahead days, and timezone fields.

Route per-user credentials through /api/sources/:id/credentials
instead of the admin provider config endpoint, controlled by a
perUserCredentials flag on the source definition.

Co-authored-by: Ona <no-reply@ona.com>

apps/admin-dashboard/src/components/source-config-panel.tsx

@@ -20,7 +20,13 @@ import {
 import { Separator } from "@/components/ui/separator"
 import { Switch } from "@/components/ui/switch"
 import { Tooltip, TooltipContent, TooltipTrigger } from "@/components/ui/tooltip"
-import { fetchSourceConfig, pushLocation, replaceSource, updateProviderConfig } from "@/lib/api"
+import {
+	fetchSourceConfig,
+	pushLocation,
+	replaceSource,
+	updateProviderConfig,
+	updateSourceCredentials,
+} from "@/lib/api"
 
 interface SourceConfigPanelProps {
 	source: SourceDefinition
@@ -83,7 +89,11 @@ export function SourceConfigPanel({ source, onUpdate }: SourceConfigPanelProps)
 				(v) => typeof v === "string" && v.length > 0,
 			)
 			if (hasCredentials) {
-				promises.push(updateProviderConfig(source.id, { credentials: credentialFields }))
+				if (source.perUserCredentials) {
+					promises.push(updateSourceCredentials(source.id, credentialFields))
+				} else {
+					promises.push(updateProviderConfig(source.id, { credentials: credentialFields }))
+				}
 			}
 
 			await Promise.all(promises)

apps/admin-dashboard/src/lib/api.ts

@@ -23,6 +23,8 @@ export interface SourceDefinition {
 	name: string
 	description: string
 	alwaysEnabled?: boolean
+	/** When true, secret fields are stored as per-user credentials via /api/sources/:id/credentials. */
+	perUserCredentials?: boolean
 	fields: Record<string, ConfigFieldDef>
 }
 
@@ -78,6 +80,44 @@ const sourceDefinitions: SourceDefinition[] = [
 			},
 		},
 	},
+	{
+		id: "aelis.caldav",
+		name: "CalDAV",
+		description: "Calendar events from any CalDAV server (Nextcloud, Radicale, Baikal, etc.).",
+		perUserCredentials: true,
+		fields: {
+			serverUrl: {
+				type: "string",
+				label: "Server URL",
+				required: true,
+				secret: false,
+				description: "CalDAV server URL (e.g. https://nextcloud.example.com/remote.php/dav)",
+			},
+			username: {
+				type: "string",
+				label: "Username",
+				required: true,
+				secret: false,
+			},
+			password: {
+				type: "string",
+				label: "Password",
+				required: true,
+				secret: true,
+			},
+			lookAheadDays: {
+				type: "number",
+				label: "Look-ahead Days",
+				defaultValue: 0,
+				description: "Number of additional days beyond today to fetch events for",
+			},
+			timeZone: {
+				type: "string",
+				label: "Timezone",
+				description: "IANA timezone for determining \"today\" (e.g. Europe/London). Defaults to UTC.",
+			},
+		},
+	},
 	{
 		id: "aelis.tfl",
 		name: "TfL",
@@ -164,6 +204,22 @@ export async function updateProviderConfig(
 	}
 }
 
+export async function updateSourceCredentials(
+	sourceId: string,
+	credentials: Record<string, unknown>,
+): Promise<void> {
+	const res = await fetch(`${serverBase()}/sources/${sourceId}/credentials`, {
+		method: "PUT",
+		headers: { "Content-Type": "application/json" },
+		credentials: "include",
+		body: JSON.stringify(credentials),
+	})
+	if (!res.ok) {
+		const data = (await res.json()) as { error?: string }
+		throw new Error(data.error ?? `Failed to update credentials: ${res.status}`)
+	}
+}
+
 export interface LocationInput {
 	lat: number
 	lng: number

apps/aelis-backend/src/caldav/provider.test.ts

@@ -0,0 +1,85 @@
+import { describe, expect, test } from "bun:test"
+
+import { CalDavSourceProvider } from "./provider.ts"
+
+describe("CalDavSourceProvider", () => {
+	const provider = new CalDavSourceProvider()
+
+	test("sourceId is aelis.caldav", () => {
+		expect(provider.sourceId).toBe("aelis.caldav")
+	})
+
+	test("throws when credentials are null", async () => {
+		const config = { serverUrl: "https://caldav.icloud.com", username: "user@icloud.com" }
+		await expect(provider.feedSourceForUser("user-1", config, null)).rejects.toThrow(
+			"No CalDAV credentials configured",
+		)
+	})
+
+	test("throws when credentials are missing password", async () => {
+		const config = { serverUrl: "https://caldav.icloud.com", username: "user@icloud.com" }
+		await expect(provider.feedSourceForUser("user-1", config, {})).rejects.toThrow(
+			"password must be a string",
+		)
+	})
+
+	test("throws when config is missing serverUrl", async () => {
+		const credentials = { password: "app-specific-password" }
+		await expect(
+			provider.feedSourceForUser("user-1", { username: "user@icloud.com" }, credentials),
+		).rejects.toThrow("Invalid CalDAV config")
+	})
+
+	test("throws when config is missing username", async () => {
+		const credentials = { password: "app-specific-password" }
+		await expect(
+			provider.feedSourceForUser("user-1", { serverUrl: "https://caldav.icloud.com" }, credentials),
+		).rejects.toThrow("Invalid CalDAV config")
+	})
+
+	test("throws when config has extra keys", async () => {
+		const config = {
+			serverUrl: "https://caldav.icloud.com",
+			username: "user@icloud.com",
+			extra: true,
+		}
+		const credentials = { password: "app-specific-password" }
+		await expect(provider.feedSourceForUser("user-1", config, credentials)).rejects.toThrow(
+			"Invalid CalDAV config",
+		)
+	})
+
+	test("throws when credentials have extra keys", async () => {
+		const config = { serverUrl: "https://caldav.icloud.com", username: "user@icloud.com" }
+		const credentials = { password: "app-specific-password", extra: true }
+		await expect(provider.feedSourceForUser("user-1", config, credentials)).rejects.toThrow(
+			"extra must be removed",
+		)
+	})
+
+	test("returns CalDavSource with valid config and credentials", async () => {
+		const config = {
+			serverUrl: "https://caldav.icloud.com",
+			username: "user@icloud.com",
+			lookAheadDays: 3,
+			timeZone: "Europe/London",
+		}
+		const credentials = { password: "app-specific-password" }
+
+		const source = await provider.feedSourceForUser("user-1", config, credentials)
+		expect(source).toBeDefined()
+		expect(source.id).toBe("aelis.caldav")
+	})
+
+	test("returns CalDavSource with minimal config", async () => {
+		const config = {
+			serverUrl: "https://caldav.icloud.com",
+			username: "user@icloud.com",
+		}
+		const credentials = { password: "app-specific-password" }
+
+		const source = await provider.feedSourceForUser("user-1", config, credentials)
+		expect(source).toBeDefined()
+		expect(source.id).toBe("aelis.caldav")
+	})
+})

apps/aelis-backend/src/caldav/provider.ts

@@ -0,0 +1,53 @@
+import { CalDavSource } from "@aelis/source-caldav"
+import { type } from "arktype"
+
+import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
+
+import { InvalidSourceCredentialsError } from "../sources/errors.ts"
+
+const caldavConfig = type({
+	"+": "reject",
+	serverUrl: "string",
+	username: "string",
+	"lookAheadDays?": "number",
+	"timeZone?": "string",
+})
+
+const caldavCredentials = type({
+	"+": "reject",
+	password: "string",
+})
+
+export class CalDavSourceProvider implements FeedSourceProvider {
+	readonly sourceId = "aelis.caldav"
+	readonly configSchema = caldavConfig
+
+	async feedSourceForUser(
+		_userId: string,
+		config: unknown,
+		credentials: unknown,
+	): Promise<CalDavSource> {
+		const parsed = caldavConfig(config)
+		if (parsed instanceof type.errors) {
+			throw new Error(`Invalid CalDAV config: ${parsed.summary}`)
+		}
+
+		if (!credentials) {
+			throw new InvalidSourceCredentialsError("aelis.caldav", "No CalDAV credentials configured")
+		}
+
+		const creds = caldavCredentials(credentials)
+		if (creds instanceof type.errors) {
+			throw new InvalidSourceCredentialsError("aelis.caldav", creds.summary)
+		}
+
+		return new CalDavSource({
+			serverUrl: parsed.serverUrl,
+			authMethod: "basic",
+			username: parsed.username,
+			password: creds.password,
+			lookAheadDays: parsed.lookAheadDays,
+			timeZone: parsed.timeZone,
+		})
+	}
+}

apps/aelis-backend/src/server.ts

@@ -6,6 +6,7 @@ import { createRequireAdmin } from "./auth/admin-middleware.ts"
 import { registerAuthHandlers } from "./auth/http.ts"
 import { createAuth } from "./auth/index.ts"
 import { createRequireSession } from "./auth/session-middleware.ts"
+import { CalDavSourceProvider } from "./caldav/provider.ts"
 import { createDatabase } from "./db/index.ts"
 import { registerFeedHttpHandlers } from "./engine/http.ts"
 import { createFeedEnhancer } from "./enhancement/enhance-feed.ts"
@@ -48,6 +49,7 @@ function main() {
 	const sessionManager = new UserSessionManager({
 		db,
 		providers: [
+			new CalDavSourceProvider(),
 			new LocationSourceProvider(),
 			new WeatherSourceProvider({
 				credentials: {