vikunja/pkg/modules/auth/openid
kolaente d58dd7a7c6 fix(auth): enforce TOTP on OIDC callback for users with 2FA enabled
The OIDC callback handler previously issued a JWT without ever
checking TOTP state. For installations with EmailFallback (or
UsernameFallback) enabled, this allowed an attacker who could
authenticate at the IdP with a matching email to log in as a local
user with TOTP enrolled, bypassing the second factor entirely.

HandleCallback now runs enforceTOTPIfRequired after resolving the
user and before any team sync writes, returning 412/1017 when the
passcode is missing or invalid. Clients resubmit the OIDC flow with
the totp_passcode field populated.

Fixes GHSA-8jvc-mcx6-r4cg
2026-04-09 17:25:47 +00:00
cron.go fix: add missing Commit() to write callers 2026-02-25 11:03:02 +01:00
main_test.go feat: move to slog for logging 2025-07-21 18:15:39 +02:00
openid.go fix(auth): enforce TOTP on OIDC callback for users with 2FA enabled 2026-04-09 17:25:47 +00:00
openid_test.go test(auth): add failing unit tests for OIDC TOTP enforcement 2026-04-09 17:25:47 +00:00
providers.go feat(auth): enforce OpenID Connect issuer uniqueness across providers 2026-03-30 22:41:50 +00:00
providers_test.go feat(auth): enforce OpenID Connect issuer uniqueness across providers 2026-03-30 22:41:50 +00:00