vikunja/pkg/user
kolaente 8ee069a2a3 feat: add session-based auth with refresh token rotation
- Login creates a server-side session and sets an HttpOnly refresh
  token cookie alongside the short-lived JWT
- POST /user/token/refresh exchanges the cookie for a new JWT and
  rotates the refresh token atomically
- POST /user/logout destroys the session and clears the cookie
- POST /user/token restricted to link share tokens only
- Session list (GET) and delete (DELETE) routes for /user/sessions
- All user sessions invalidated on password change and reset
- CORS configured to allow credentials for cross-origin cookies
- JWT 401 responses use structured error code 11 for client detection
- Refresh token cookie name constants annotated for gosec G101
2026-02-25 10:30:25 +01:00
caldav_token.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
delete.go refactor: schedule user deletion 2025-08-01 17:06:02 +02:00
error.go fix: 403 http error code on failed login (#1756) 2025-11-06 08:40:46 +01:00
events.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
listeners.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
main_test.go feat: move to slog for logging 2025-07-21 18:15:39 +02:00
notifications.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
test.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
token.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
totp.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
update_email.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
update_email_test.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
user.go fix(auth): remove unnecessary fields from JWT token payloads 2026-02-08 21:30:07 +01:00
user_create.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
user_email_confirm.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
user_email_confirm_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_password_reset.go feat: add session-based auth with refresh token rotation 2026-02-25 10:30:25 +01:00
user_test.go feat: add session-based auth with refresh token rotation 2026-02-25 10:30:25 +01:00
users_project.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
validator.go feat(auth): require auth to fetch avatars (#930) 2025-06-14 13:12:41 +00:00