vikunja/pkg
kolaente e025209e3c fix(security): validate link share JWTs against DB on every request
Previously GetLinkShareFromClaims built a *LinkSharing entirely from JWT
claims with no DB interaction, so deleted shares and permission downgrades
took up to 72h (the JWT TTL) to take effect. The permission and sharedByID
claims were trusted blindly.

GetLinkShareFromClaims now takes an *xorm.Session, looks up the share via
GetLinkShareByID, verifies the hash claim against the DB row, and returns
ErrLinkShareTokenInvalid when the row is missing or the hash mismatches.
The permission and sharedByID claims are discarded; the DB row is
authoritative. GetAuthFromClaims opens a read session for the link-share
branch, mirroring the existing API-token branch.

Token creation and the JWT format are unchanged, so already-issued tokens
keep working except when the underlying share has been deleted or its hash
no longer matches.

Fixes GHSA-96q5-xm3p-7m84 / CVE-2026-35594.
2026-04-09 15:38:07 +00:00
..
caldav fix(caldav): parse timestamps in configured timezone 2026-03-03 12:18:48 +01:00
caldavtests fix(caldav): skip tests for known CalDAV bugs and fix timing issues 2026-04-02 11:34:55 +00:00
cmd refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
config fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
cron fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db test: add tests for SSO avatar provider reset on empty picture URL 2026-04-08 09:49:14 +00:00
doctor feat(auth): enforce OpenID Connect issuer uniqueness across providers 2026-03-30 22:41:50 +00:00
e2etests test(webhook): assert bad webhook is retried in no-duplicate test 2026-04-09 09:26:04 +00:00
events feat: add InitEventsForTesting and Unfake for real event dispatch in tests 2026-03-05 12:49:27 +01:00
files refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
health feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
i18n chore(i18n): update translations via Crowdin 2026-04-08 01:25:14 +00:00
initialize feat(websocket): add HTTP upgrade handler and /api/v1/ws route 2026-04-02 16:30:23 +00:00
log fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
mail fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
metrics fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
migration feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
models fix(security): validate link share JWTs against DB on every request 2026-04-09 15:38:07 +00:00
modules fix(security): validate link share JWTs against DB on every request 2026-04-09 15:38:07 +00:00
notifications feat(websocket): add notification event with XORM AfterInsert dispatch 2026-04-02 16:30:23 +00:00
plugins test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00
red fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
routes feat(migration): add generic CSV import with column mapping 2026-04-07 15:20:06 +00:00
swagger [skip ci] Updated swagger docs 2026-04-07 15:45:50 +00:00
user fix: add ORDER BY to ListUsers query for deterministic ordering 2026-03-27 23:05:04 +00:00
utils fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
version fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
web feat(handlers): dispatch pending events after transaction commit 2026-03-03 12:46:34 +01:00
websocket feat(websocket): add notification event with XORM AfterInsert dispatch 2026-04-02 16:30:23 +00:00
webtests fix(security): enforce HTTP method and path in scoped API token matcher 2026-04-09 15:17:20 +00:00
yaegi_symbols test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00