vikunja/pkg/routes
kolaente d435c50df3 fix(security): persist TOTP lockout across login rollback
The failed-TOTP handler shared the login request's xorm session, and the
login handler rolled that session back after a failed login. The status
change to StatusAccountLocked was silently discarded, so the account was
never locked regardless of how many failed TOTP attempts arrived.

HandleFailedTOTPAuth now opens its own session and commits independently
of the caller. The login handler rolls back its session before invoking
the handler so the lockout write can acquire a write lock on SQLite
shared-cache.

Also handles the Redis keyvalue backend returning the attempt counter as
a string instead of int64, which would have prevented the lockout path
from ever running on Redis.

See GHSA-fgfv-pv97-6cmj.
2026-04-09 16:08:26 +00:00
api/v1 fix(security): persist TOTP lockout across login rollback 2026-04-09 16:08:26 +00:00
caldav fix(caldav): enforce URL project match in GetResourcesByList 2026-04-09 16:07:32 +00:00
api_tokens.go refactor(auth): extract shared token validation into auth package 2026-04-02 16:30:23 +00:00
error_handler.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
healthcheck.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
metrics.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
rate_limit.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
routes.go feat(migration): add generic CSV import with column mapping 2026-04-07 15:20:06 +00:00
sentry_middleware.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
static.go fix(routes): restore SPA routing after Echo v5 upgrade 2026-01-25 11:07:48 +01:00
validation.go fix(attachments): extend upload file size to form data (#1577) 2025-09-30 22:23:07 +00:00