vikunja/pkg/user
kolaente 5f06e1dce5 fix: prevent TOTP passcode reuse within validity window
Store used TOTP passcodes in the keyvalue store after successful
validation. On subsequent validation attempts, check if the passcode
was already used for the same user and reject it with
ErrTOTPPasscodeUsed. This prevents replay attacks where an intercepted
TOTP code could be reused within its 30-second validity window.
2026-03-23 10:34:49 +00:00
caldav_token.go fix(caldav): eliminate nested db session in CalDAV auth 2026-03-03 10:41:19 +01:00
db.go feat: register Vikunja tables with db package at init 2026-03-04 15:37:54 +01:00
delete.go fix: address review comments on session lifecycle 2026-02-25 11:03:02 +01:00
error.go test: add failing test for TOTP passcode reuse prevention 2026-03-23 10:34:49 +00:00
events.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
listeners.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
main_test.go feat: move to slog for logging 2025-07-21 18:15:39 +02:00
notifications.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
test.go test: add TOTP fixture and load it in user test bootstrap 2026-03-23 10:34:49 +00:00
token.go fix(auth): correctly delete older password reset tokens in cron 2026-02-27 14:44:26 +01:00
totp.go fix: prevent TOTP passcode reuse within validity window 2026-03-23 10:34:49 +00:00
totp_test.go fix: prevent TOTP passcode reuse within validity window 2026-03-23 10:34:49 +00:00
update_email.go fix: eliminate nested database sessions to prevent table locks 2026-02-25 11:03:02 +01:00
update_email_test.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
user.go feat: add StatusAccountLocked user status for TOTP lockouts 2026-03-20 11:23:21 +00:00
user_create.go fix(events): defer event dispatch for user creation and task positions 2026-03-03 12:46:34 +01:00
user_email_confirm.go fix: prevent email confirmation from re-enabling admin-disabled accounts 2026-03-20 11:23:21 +00:00
user_email_confirm_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_password_reset.go fix: reject password reset token requests for disabled users 2026-03-20 11:23:21 +00:00
user_test.go fix: update test expectations for new disabled user fixture 2026-03-20 11:23:21 +00:00
users_project.go feat: bypass discoverability settings for external team members 2026-03-04 20:32:11 +01:00
validator.go feat(api): enforce password validation on reset and update flows 2026-02-25 13:44:56 +01:00