vikunja/pkg/modules
kolaente d58dd7a7c6 fix(auth): enforce TOTP on OIDC callback for users with 2FA enabled
The OIDC callback handler previously issued a JWT without ever
checking TOTP state. For installations with EmailFallback (or
UsernameFallback) enabled, this allowed an attacker who could
authenticate at the IdP with a matching email to log in as a local
user with TOTP enrolled, bypassing the second factor entirely.

HandleCallback now runs enforceTOTPIfRequired after resolving the
user and before any team sync writes, returning 412/1017 when the
passcode is missing or invalid. Clients resubmit the OIDC flow with
the totp_passcode field populated.

Fixes GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
auth fix(auth): enforce TOTP on OIDC callback for users with 2FA enabled 2026-04-09 17:25:47 +00:00
avatar fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
background fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
dump chore(lint): suppress known gosec false positives 2026-03-23 16:23:15 +01:00
keyvalue feat: add generic RememberValue[T] for type-safe keyvalue caching 2026-04-08 08:56:22 +00:00
migration test(todoist): serve attachment from local test server 2026-04-09 16:22:56 +00:00