- Login creates a server-side session and sets an HttpOnly refresh token cookie alongside the short-lived JWT
- POST /user/token/refresh exchanges the cookie for a new JWT and rotates the refresh token atomically
- POST /user/logout destroys the session and clears the cookie
- POST /user/token restricted to link share tokens only
- Session list (GET) and delete (DELETE) routes for /user/sessions
- All user sessions invalidated on password change and reset
- CORS configured to allow credentials for cross-origin cookies
- JWT 401 responses use structured error code 11 for client detection
- Refresh token cookie name constants annotated for gosec G101
- api/v1
- caldav
- api_tokens.go
- error_handler.go
- healthcheck.go
- metrics.go
- rate_limit.go
- routes.go
- sentry_middleware.go
- static.go
- validation.go