- Regenerate session ID on login to prevent session fixation (H1)
- Add mutex to login lockout counters to fix race condition (H2)
- Validate issuer/audience claims on Apple ID tokens (M2)
- Verify comment belongs to ticket's issue to prevent attachment IDOR (M4)
- Stop SSO from re-approving admin-disapproved users (M3)
- Add Content-Security-Policy header (M1)
- Configure trusted proxies via TRUSTED_PROXIES env var (M6)
- Cap password length at 128 for bcrypt truncation (L1)
- Set Secure flag on flash cookies over HTTPS (L2)
- Rate-limit POST /reset-password (L3)
- Add authenticated password change at /account/password (L4)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
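The first two items of the message, regenerating the session ID at login and putting the lockout counters behind a mutex, in one runnable sketch. This is an added example, not the project's code: every name in it (SessionStore, LockoutTracker, Check, Login, demoUsers) is hypothetical, the session store is an in-memory map, and a constructed plaintext credential table stands in for the real password-hash check.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Added example, not the project's code: an in-memory session store and a
// mutex-guarded lockout counter behind a Login that regenerates the session ID.
var ErrBadCredentials = errors.New("invalid username or password")
var ErrLocked = errors.New("account temporarily locked")

// demoUsers is a constructed table; real code verifies a bcrypt hash, not plaintext.
var demoUsers = map[string]string{"alice": "correct horse battery staple"}

type Session struct{ UserID string; Authenticated bool }

type SessionStore struct{ mu sync.Mutex; sessions map[string]*Session }

func NewSessionStore() *SessionStore { return &SessionStore{sessions: map[string]*Session{}} }

// randomID returns 256 CSPRNG bits as hex, so IDs cannot be guessed.
func randomID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Create issues an anonymous pre-login session: the ID an attacker plants for fixation.
func (s *SessionStore) Create() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	id := randomID()
	s.sessions[id] = &Session{}
	return id
}

// Regenerate moves the session under a fresh ID and forgets the old one, so an
// ID known before authentication never reaches the logged-in session.
func (s *SessionStore) Regenerate(oldID string) (string, *Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[oldID]
	if !ok {
		return "", nil, errors.New("unknown session")
	}
	delete(s.sessions, oldID)
	fresh := randomID()
	s.sessions[fresh] = sess
	return fresh, sess, nil
}

// LockoutTracker counts failed logins per account under one mutex, so parallel
// failures each count exactly once instead of racing on the map. (A real
// tracker would also expire entries after a cool-down.)
type LockoutTracker struct{ mu sync.Mutex; failures map[string]int; limit int }

func NewLockoutTracker(limit int) *LockoutTracker { return &LockoutTracker{failures: map[string]int{}, limit: limit} }

// Check records a failure when ok is false and reports whether the account is
// locked; read and increment share one critical section (no check-then-act race).
func (l *LockoutTracker) Check(user string, ok bool) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if !ok {
		l.failures[user]++
	}
	return l.failures[user] >= l.limit
}

// Login compares the credential in constant time, applies the lockout and, on
// success, returns the regenerated ID the caller must set as the new cookie.
func Login(store *SessionStore, lock *LockoutTracker, sessionID, user, password string) (string, *Session, error) {
	match := subtle.ConstantTimeCompare([]byte(demoUsers[user]), []byte(password)) == 1
	if lock.Check(user, match) {
		return "", nil, ErrLocked
	}
	if !match {
		return "", nil, ErrBadCredentials
	}
	fresh, sess, err := store.Regenerate(sessionID)
	if err != nil {
		return "", nil, err
	}
	sess.UserID, sess.Authenticated = user, true
	return fresh, sess, nil
}

func main() {
	store, lock := NewSessionStore(), NewLockoutTracker(3)
	fixated := store.Create()
	fresh, _, err := Login(store, lock, fixated, "alice", "correct horse battery staple")
	fmt.Println("rotated:", fresh != fixated, "err:", err)
}
```

Two points the sketch is built around. After Login returns, the pre-login ID no longer maps to anything, so a session an attacker fixated in the victim's browser cannot become the victim's authenticated session; the HTTP layer has to overwrite the cookie with the returned ID. For the lockout, the check of the counter and its increment happen inside the same critical section: two separate lock acquisitions (read, then later write) would let concurrent requests for one account pass the check together and under-count.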
| File |
|---|
| config.go |
| config_test.go |