mattnite
/
forgejo-tickets
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
87 Commits 1 Branch 0 Tags 231 KiB
Commit Graph

87 Commits

Author SHA1 Message Date
Matthew Knight 51eeb4c9c1 Merge pull request 'Add pagination and filters to ticket tables' (#63) from pagination-and-filtering into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/63
 2026-02-19 00:23:00 +00:00
Matthew Knight 537199169e
Add pagination and filters to ticket tables 2026-02-18 16:21:38 -08:00
Matthew Knight 0f4286032d Merge pull request 'Handle 201 when ensuring ticket is open' (#62) from update-fix into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/62
 2026-02-18 23:40:02 +00:00
Matthew Knight ee703b08e4
Handle 201 when ensuring ticket is open 2026-02-18 15:38:49 -08:00
Matthew Knight a59088dc35 Merge pull request 'Fix security vulnerabilities identified in pre-deployment audit' (#61) from more-security-fixes into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/61
 2026-02-18 20:31:34 +00:00
Matthew Knight 199642242f
Fix security vulnerabilities identified in pre-deployment audit 
- Regenerate session ID on login to prevent session fixation (H1)
- Add mutex to login lockout counters to fix race condition (H2)
- Validate issuer/audience claims on Apple ID tokens (M2)
- Verify comment belongs to ticket's issue to prevent attachment IDOR (M4)
- Stop SSO from re-approving admin-disapproved users (M3)
- Add Content-Security-Policy header (M1)
- Configure trusted proxies via TRUSTED_PROXIES env var (M6)
- Cap password length at 128 for bcrypt truncation (L1)
- Set Secure flag on flash cookies over HTTPS (L2)
- Rate-limit POST /reset-password (L3)
- Add authenticated password change at /account/password (L4)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 12:30:23 -08:00
Matthew Knight 08dd063049 Merge pull request 'Fixes #7' (#60) from email-settings into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/60
 2026-02-18 17:26:03 +00:00
Matthew Knight 793b1883a9
Fixes #7 2026-02-18 09:24:42 -08:00
Matthew Knight 09a3155870 Merge pull request 'Remove dead code' (#59) from dead-code into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/59
 2026-02-18 01:14:06 +00:00
Matthew Knight 8eaa27bb31
Remove dead code 2026-02-17 17:07:32 -08:00
Matthew Knight 86cfdcff52 Merge pull request 'Unify UI' (#58) from unify-ui into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/58
 2026-02-18 00:48:42 +00:00
Matthew Knight d9eede4c15
Merge branch 'main' into unify-ui 2026-02-17 16:46:48 -08:00
Matthew Knight 413f3e0015 Merge pull request 'Configure file upload size limit' (#57) from fix/upload-size-limit into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/57
 2026-02-18 00:36:46 +00:00
Matthew Knight 3884124a3d Merge pull request 'Add logging for SSO user creation' (#56) from fix/sso-rate-logging into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/56
 2026-02-18 00:35:54 +00:00
Matthew Knight 24f2522830 Merge pull request 'Remove dummy user_id from OAuth state sessions' (#55) from fix/oauth-state-session into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/55
 2026-02-18 00:35:25 +00:00
Matthew Knight e5be422854 Merge pull request 'Verify Apple ID token signature against JWKS' (#53) from fix/apple-token-verification into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/53
 2026-02-18 00:35:17 +00:00
Matthew Knight eee2a0c6dd Merge pull request 'Limit webhook body size to 1MB' (#52) from fix/webhook-body-limit into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/52
 2026-02-18 00:35:11 +00:00
Matthew Knight 731a928316 Merge pull request 'Disable static file directory listing' (#51) from fix/static-dir-listing into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/51
 2026-02-18 00:28:19 +00:00
Matthew Knight 8e0cbf196b Merge pull request 'Add server binary to .gitignore' (#50) from fix/gitignore-server into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/50
 2026-02-18 00:27:28 +00:00
Matthew Knight dcea18bcac Merge pull request 'Add password complexity requirements' (#49) from fix/password-complexity into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/49
 2026-02-18 00:26:40 +00:00
Matthew Knight 2b2f7b84f0 Merge pull request 'Add account lockout after failed login attempts' (#48) from fix/account-lockout into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/48
 2026-02-18 00:25:49 +00:00
Matthew Knight 0982129bf1 Merge pull request 'Add periodic cleanup for expired email tokens' (#47) from fix/email-token-cleanup into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/47
 2026-02-18 00:24:50 +00:00
Matthew Knight dca569b278 Merge pull request 'Use session-based flash messages instead of query params' (#46) from fix/session-flash into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/46
 2026-02-18 00:24:02 +00:00
Matthew Knight 9449b271f5
Add periodic cleanup for expired email tokens 
Fixes #34
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:20:24 -08:00
Matthew Knight 8603b0bfb5
Use session-based flash messages instead of query params 
Fixes #33

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:19:06 -08:00
Matthew Knight 9e4eef294a Merge pull request 'Add security response headers' (#45) from fix/security-headers into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/45
 2026-02-18 00:17:41 +00:00
Matthew Knight 576d44427a Merge pull request 'Pin Mermaid.js version with SRI integrity hash' (#44) from fix/mermaid-sri into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/44
 2026-02-18 00:16:51 +00:00
Matthew Knight f258429557
Add account lockout after failed login attempts 
Fixes #32

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:15:02 -08:00
Matthew Knight ec94d94453 Merge pull request 'Sanitize Content-Disposition filename in downloads' (#43) from fix/content-disposition-injection into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/43
 2026-02-18 00:14:50 +00:00
Matthew Knight cba9b5c408
Add password complexity requirements 
Require at least one uppercase letter, one lowercase letter, and one
digit in addition to the existing 8-character minimum.

Fixes #31
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:14:01 -08:00
Matthew Knight fdcccce476 Merge pull request 'Validate proxy download URL host to prevent SSRF' (#42) from fix/ssrf-proxy-download into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/42
 2026-02-18 00:13:09 +00:00
Matthew Knight b8ff9df7ca
Add server binary to .gitignore 
Fixes #29
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:13:02 -08:00
Matthew Knight f839444d3b
Disable static file directory listing 
Fixes #28
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:12:47 -08:00
Matthew Knight 5761872988
Pin Mermaid.js version with SRI integrity hash 
Fixes #27
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:12:25 -08:00
Matthew Knight f1b20edbe3 Merge pull request 'Require minimum 32-byte SESSION_SECRET' (#41) from fix/session-secret-validation into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/41
 2026-02-18 00:11:21 +00:00
Matthew Knight d33c138867 Merge pull request 'Escape user-supplied values in HTML email templates' (#40) from fix/email-html-injection into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/40
 2026-02-18 00:10:34 +00:00
Matthew Knight c56b803010
Validate proxy download URL host to prevent SSRF 
Fixes #26
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:07:31 -08:00
Matthew Knight d780a3403a
Verify Apple ID token signature against JWKS 
Fixes #25

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:06:41 -08:00
Matthew Knight c24f712cb6
Remove dummy user_id from OAuth state sessions 
Use a simple signed cookie for OAuth state instead of PGStore,
which required a dummy user_id placeholder to satisfy the session
store's save logic.

Fixes #24
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:05:33 -08:00
Matthew Knight 1c0eb3be86
Configure file upload size limit 
Fixes #23
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:04:35 -08:00
Matthew Knight b6c15e4d5c
Add logging for SSO user creation 
Fixes #22
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:04:08 -08:00
Matthew Knight f4049d3015
Limit webhook body size to 1MB 
Fixes #21
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:03:43 -08:00
Matthew Knight 1af9d67525
Require minimum 32-byte SESSION_SECRET 
Fixes #20
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:03:05 -08:00
Matthew Knight 244e530d4a
Escape user-supplied values in HTML email templates 
Fixes #19

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:02:01 -08:00
Matthew Knight bcc912077d
Add security response headers 
Fixes #18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 16:00:56 -08:00
Matthew Knight ace0c06362
Sanitize Content-Disposition filename in downloads 
Fixes #17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 15:59:54 -08:00
Matthew Knight e3ef03ddcd Merge pull request 'Add rate limiting to authentication endpoints' (#39) from fix/auth-rate-limiting into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/39
 2026-02-17 23:59:36 +00:00
Matthew Knight 9b2a812d95
Add rate limiting to authentication endpoints 
Fixes #15

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-17 15:55:34 -08:00
Matthew Knight fc2a3880c4 Merge pull request 'Add CSRF protection to admin panel' (#38) from fix/admin-csrf into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/38
 2026-02-17 23:54:46 +00:00
Matthew Knight a0fa170a40 Merge pull request 'Set Secure flag on session cookie for HTTPS' (#37) from fix/session-secure-flag into main 
Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/37
 2026-02-17 23:54:40 +00:00