vikunja/pkg
kolaente d435c50df3 fix(security): persist TOTP lockout across login rollback
The failed-TOTP handler shared the login request's xorm session, and the
login handler rolled that session back after a failed login. The status
change to StatusAccountLocked was silently discarded, so the account was
never locked regardless of how many failed TOTP attempts arrived.

HandleFailedTOTPAuth now opens its own session and commits independently
of the caller. The login handler rolls back its session before invoking
the handler so the lockout write can acquire a write lock on SQLite
shared-cache.

Also handles the Redis keyvalue backend returning the attempt counter as
a string instead of int64, which would have prevented the lockout path
from ever running on Redis.

See GHSA-fgfv-pv97-6cmj.
2026-04-09 16:08:26 +00:00
caldav fix(caldav): escape user-controlled strings per RFC 5545 in VCALENDAR output 2026-04-09 15:44:04 +00:00
caldavtests fix(caldav): skip tests for known CalDAV bugs and fix timing issues 2026-04-02 11:34:55 +00:00
cmd refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
config fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
cron fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db fix(labels): derive label max permission from accessible tasks only 2026-04-09 15:43:04 +00:00
doctor feat(auth): enforce OpenID Connect issuer uniqueness across providers 2026-03-30 22:41:50 +00:00
e2etests test(webhook): assert bad webhook is retried in no-duplicate test 2026-04-09 09:26:04 +00:00
events feat: add InitEventsForTesting and Unfake for real event dispatch in tests 2026-03-05 12:49:27 +01:00
files refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
health feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
i18n chore(i18n): update translations via Crowdin 2026-04-08 01:25:14 +00:00
initialize feat(websocket): add HTTP upgrade handler and /api/v1/ws route 2026-04-02 16:30:23 +00:00
log fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
mail fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
metrics fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
migration feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
models feat(tasks): cap repeat_after at 10 years to harden repeating-task handler 2026-04-09 16:07:48 +00:00
modules fix(notifications): escape markdown in user-controlled strings in email lines 2026-04-09 15:44:04 +00:00
notifications fix(notifications): escape markdown in user-controlled strings in email lines 2026-04-09 15:44:04 +00:00
plugins test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00
red fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
routes fix(security): persist TOTP lockout across login rollback 2026-04-09 16:08:26 +00:00
swagger [skip ci] Updated swagger docs 2026-04-07 15:45:50 +00:00
user fix(security): persist TOTP lockout across login rollback 2026-04-09 16:08:26 +00:00
utils fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
version fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
web feat(handlers): dispatch pending events after transaction commit 2026-03-03 12:46:34 +01:00
websocket feat(websocket): add notification event with XORM AfterInsert dispatch 2026-04-02 16:30:23 +00:00
webtests fix(caldav): enforce URL project match in GetResourcesByList 2026-04-09 16:07:32 +00:00
yaegi_symbols test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00