vikunja/pkg/modules/auth
kolaente d58dd7a7c6 fix(auth): enforce TOTP on OIDC callback for users with 2FA enabled
The OIDC callback handler previously issued a JWT without ever
checking TOTP state. For installations with EmailFallback (or
UsernameFallback) enabled, this allowed an attacker who could
authenticate at the IdP with a matching email to log in as a local
user with TOTP enrolled, bypassing the second factor entirely.

HandleCallback now runs enforceTOTPIfRequired after resolving the
user and before any team sync writes, returning 412/1017 when the
passcode is missing or invalid. Clients resubmit the OIDC flow with
the totp_passcode field populated.

Fixes GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
ldap fix(auth): skip profile updates for disabled LDAP users 2026-03-23 16:37:26 +00:00
oauth2server test: add tests for OAuth 2.0 authorization flow 2026-03-27 23:05:04 +00:00
openid fix(auth): enforce TOTP on OIDC callback for users with 2FA enabled 2026-04-09 17:25:47 +00:00
auth.go fix(security): validate link share JWTs against DB on every request 2026-04-09 15:38:07 +00:00
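The ordering the commit message describes (resolve the local user, check the second factor, only then do side effects such as team sync or issuing a token) is the whole point of the fix. The following is an added, self-contained illustration written for this page; it is not Vikunja's code, and every name in it (`User`, `Claims`, `resolveUser`, `handleCallback`, `CallbackError`, the `usersByEmail` store) is hypothetical. It assumes the user's TOTP secret is available as raw bytes and implements RFC 6238 (SHA-1, 30-second step, 6 digits) with the standard library so it runs offline. A user with TOTP enrolled, matched by email fallback, is refused with 412/1017 when the passcode is missing or wrong, before anything is written; a user without TOTP passes straight through.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical local user record (not Vikunja's model).
type User struct {
	ID          int64
	Email       string
	TOTPEnabled bool
	TOTPSecret  []byte // assumption: raw decoded shared secret
}

// Hypothetical subset of the ID token claims the callback receives.
type Claims struct {
	Subject string
	Email   string
}

// Constructed sample store for EmailFallback matching. Alice's secret is the
// RFC 4226/6238 test-vector secret so the output is checkable.
var usersByEmail = map[string]*User{
	"alice@example.com": {ID: 1, Email: "alice@example.com", TOTPEnabled: true, TOTPSecret: []byte("12345678901234567890")},
	"bob@example.com":   {ID: 2, Email: "bob@example.com"},
}

// CallbackError carries the HTTP status and application error code pair.
type CallbackError struct {
	HTTPStatus int
	Code       int
	Message    string
}

func (e *CallbackError) Error() string {
	return fmt.Sprintf("%d/%d: %s", e.HTTPStatus, e.Code, e.Message)
}

// 412/1017 is the status/code pair named in the commit message.
var errTOTPRequired = &CallbackError{HTTPStatus: 412, Code: 1017, Message: "totp passcode missing or invalid"}

// totpCode computes a 6-digit RFC 6238 code for the 30-second step containing t.
func totpCode(secret []byte, t time.Time) string {
	counter := uint64(t.Unix() / 30)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP accepts the current step and one step of skew either side,
// comparing in constant time so a wrong digit does not leak via timing.
func verifyTOTP(secret []byte, passcode string, now time.Time) bool {
	passcode = strings.TrimSpace(passcode)
	if len(passcode) != 6 {
		return false // covers the "missing" case as well as malformed input
	}
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		expected := totpCode(secret, now.Add(skew))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(passcode)) == 1 {
			return true
		}
	}
	return false
}

// enforceTOTPIfRequired is a no-op for users without 2FA and rejects
// everyone else unless a valid passcode was supplied.
func enforceTOTPIfRequired(u *User, passcode string, now time.Time) error {
	if !u.TOTPEnabled {
		return nil
	}
	if !verifyTOTP(u.TOTPSecret, passcode, now) {
		return errTOTPRequired
	}
	return nil
}

// resolveUser stands in for the issuer/subject lookup plus email fallback.
func resolveUser(c Claims, emailFallback bool) (*User, error) {
	if emailFallback {
		if u, ok := usersByEmail[strings.ToLower(c.Email)]; ok {
			return u, nil
		}
	}
	return nil, errors.New("no local user matches the OIDC claims")
}

// handleCallback resolves the user, enforces TOTP, and only then would sync
// teams and issue a JWT (both omitted here).
func handleCallback(c Claims, passcode string, now time.Time) (*User, error) {
	u, err := resolveUser(c, true)
	if err != nil {
		return nil, err
	}
	if err := enforceTOTPIfRequired(u, passcode, now); err != nil {
		return nil, err // no team sync, no token
	}
	return u, nil
}

func main() {
	now := time.Now()
	alice := Claims{Subject: "idp-sub-1", Email: "alice@example.com"}
	_, err := handleCallback(alice, "", now)
	fmt.Println("alice without passcode:", err)
	u, err := handleCallback(alice, totpCode(usersByEmail["alice@example.com"].TOTPSecret, now), now)
	fmt.Println("alice with passcode:", u != nil, err)
}
```

The check sits between `resolveUser` and the omitted team-sync step on purpose: if it came after the sync, an attacker who controls a matching email at the IdP could still cause writes in the local user's name even when the token is ultimately withheld.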