vikunja/pkg/routes/api/v1
kolaente d435c50df3 fix(security): persist TOTP lockout across login rollback
The failed-TOTP handler shared the login request's xorm session, and the
login handler rolled that session back after a failed login. The status
change to StatusAccountLocked was silently discarded, so the account was
never locked regardless of how many failed TOTP attempts arrived.

HandleFailedTOTPAuth now opens its own session and commits independently
of the caller. The login handler rolls back its session before invoking
the handler so the lockout write can acquire a write lock on SQLite
shared-cache.

Also handles the Redis keyvalue backend returning the attempt counter as
a string instead of int64, which would have prevented the lockout path
from ever running on Redis.

See GHSA-fgfv-pv97-6cmj.
2026-04-09 16:08:26 +00:00
redoc refactor: use embed fs for redoc UI and update to latest version 2026-03-30 15:09:54 +00:00
avatar.go refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
docs.go refactor: use embed fs for redoc UI and update to latest version 2026-03-30 15:09:54 +00:00
info.go feat(migration): add generic CSV import with column mapping 2026-04-07 15:20:06 +00:00
link_sharing_auth.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
login.go fix(security): persist TOTP lockout across login rollback 2026-04-09 16:08:26 +00:00
notifications.go fix: add missing Commit() to write callers 2026-02-25 11:03:02 +01:00
task_attachment.go refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
testing.go feat: add DELETE /test/all endpoint to truncate all tables 2026-04-05 09:48:09 +00:00
token_check.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_caldav_token.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_confirm_email.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_deletion.go refactor: remove redundant Begin() calls after NewSession auto-begins 2026-02-25 11:03:02 +01:00
user_export.go fix: use file mime type instead of hardcoded application/zip in S3 export 2026-03-20 10:59:44 +01:00
user_list.go docs: update user search endpoint description for external team bypass 2026-03-04 20:32:11 +01:00
user_password_reset.go feat(api): enforce password validation on reset and update flows 2026-02-25 13:44:56 +01:00
user_register.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_settings.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_show.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_totp.go fix: invalidate all sessions when enabling TOTP 2026-03-19 12:27:44 +01:00
user_update_email.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
user_update_password.go feat(api): enforce password validation on reset and update flows 2026-02-25 13:44:56 +01:00
user_webhooks.go fix: strip BasicAuth credentials from user webhook API responses 2026-03-23 16:35:47 +00:00
webhooks.go fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00