Port GET /user/settings/totp/qrcode to v2 as an image/jpeg blob, modeled in
the OpenAPI spec. Extract the qr-to-jpeg encoding into user.GetTOTPQrCodeAsJpegForUser
so v1 and v2 share it; refactor v1 onto it. The handler reuses the existing
local-account guard, rejecting non-local users with 412.
The failed-TOTP handler shared the login request's xorm session, and the
login handler rolled that session back after a failed login. The status
change to StatusAccountLocked was silently discarded, so the account was
never locked regardless of how many failed TOTP attempts arrived.
HandleFailedTOTPAuth now opens its own session and commits independently
of the caller. The login handler rolls back its session before invoking
the handler so the lockout write can acquire a write lock on SQLite
shared-cache.
Also handles the Redis keyvalue backend returning the attempt counter as
a string instead of int64, which would have prevented the lockout path
from ever running on Redis.
See GHSA-fgfv-pv97-6cmj.
Store a unix timestamp instead of a boolean, and treat entries older
than 90 seconds as expired. A background goroutine lazily cleans up
expired keys after each successful validation to prevent unbounded
growth in the keyvalue store.
Store used TOTP passcodes in the keyvalue store after successful
validation. On subsequent validation attempts, check if the passcode
was already used for the same user and reject it with
ErrTOTPPasscodeUsed. This prevents replay attacks where an intercepted
TOTP code could be reused within its 30-second validity window.
Refactor functions that created their own sessions when called from
within existing transactions, which caused "database table is locked"
errors in SQLite's shared-cache mode.
Changes:
- Add files.CreateWithSession() to reuse caller's session
- Refactor DeleteBackgroundFileIfExists() to accept session parameter
- Add variadic session parameter to notifications.Notify() and
Notifiable.ShouldNotify() interface
- Update all Notify callers (~17 sites) to pass their session through
- Use files.CreateWithSession in SaveBackgroundFile and NewAttachment
- Fix test code to commit sessions before assertions
Fix lint
Fix lint
Fix loading tasks with search
Fix loading lists
Fix loading task
Fix loading lists and namespaces
Fix tests
Fix user commands
Fix upload
Fix migration handlers
Fix all manual root handlers
Fix session in avatar
Fix session in list duplication & routes
Use sessions in migration code
Make sure the openid stuff uses a session
Add alias for db type in db package
Use sessions for file
Use a session for everything in users
Use a session for everything in users
Make sure to use a session everywhere in models
Create new session from db
Add session handling for user list
Add session handling for unsplash
Add session handling for teams and related
Add session handling for tasks and related entities
Add session handling for task reminders
Add session handling for task relations
Add session handling for task comments
Add session handling for task collections
Add session handling for task attachments
Add session handling for task assignees
Add session handling for saved filters
Add session handling for namespace and related types
Add session handling for namespace and related types
Add session handling for list users
Add session handling for list tests
Add session handling to list teams and related entities
Add session handling for link shares and related entities
Add session handling for labels and related entities
Add session handling for kanban and related entities
Add session handling for bulk task and related entities
Add session handling for lists and related entities
Add session configuration for web handler
Update web handler
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/750
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
Fix lint
Fix migration query for postgres
Fix migration statements
Add migration to make all int(11) fields bigint by default
Make all int(11) fields bigint by default
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/741
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
Increase golangci timeout
Fix installing golangci-lint in ci
Remove mage targets replaced by golangci
Run golint in ci
Add goheader linter
Enable & fix more linters
Fix lint issues
Add mage target to automagically fix issues found by golangci
golangci-lint run --fix
Add golangci config
Add golangci mage target
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/676
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
Fix user tests
Add swagger docs
Fix lint
Add totp check when logging in
Make totp enrollment work
Add migration for totp table
go mod vendor
Add routes for totp routes
Add route handler for totp routes
Add basic implementation to enroll a user in totp
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/383