mattnite
/
forgejo-tickets
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
forgejo-tickets/internal/handlers/public
History
Matthew Knight 199642242f
Fix security vulnerabilities identified in pre-deployment audit 
- Regenerate session ID on login to prevent session fixation (H1)
- Add mutex to login lockout counters to fix race condition (H2)
- Validate issuer/audience claims on Apple ID tokens (M2)
- Verify comment belongs to ticket's issue to prevent attachment IDOR (M4)
- Stop SSO from re-approving admin-disapproved users (M3)
- Add Content-Security-Policy header (M1)
- Configure trusted proxies via TRUSTED_PROXIES env var (M6)
- Cap password length at 128 for bcrypt truncation (L1)
- Set Secure flag on flash cookies over HTTPS (L2)
- Rate-limit POST /reset-password (L3)
- Add authenticated password change at /account/password (L4)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 		2026-02-18 12:30:23 -08:00
..
auth.go Fix security vulnerabilities identified in pre-deployment audit 2026-02-18 12:30:23 -08:00
home.go Init 2026-02-12 15:00:17 -08:00
oauth.go Merge pull request 'Remove dummy user_id from OAuth state sessions' (#55) from fix/oauth-state-session into main 2026-02-18 00:35:25 +00:00
routes.go Fix security vulnerabilities identified in pre-deployment audit 2026-02-18 12:30:23 -08:00
sso.go Fix security vulnerabilities identified in pre-deployment audit 2026-02-18 12:30:23 -08:00
tickets.go Fix security vulnerabilities identified in pre-deployment audit 2026-02-18 12:30:23 -08:00
webhook.go Fixes #7 2026-02-18 09:24:42 -08:00