Affected by GO-2026-4480 and 21 other vulnerabilities

GO-2026-4480: Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api

GO-2026-4551: Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

GO-2026-4552: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

GO-2026-4553: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

GO-2026-4556: Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

GO-2026-4575: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api

GO-2026-4791: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

GO-2026-4794: Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

GO-2026-4795: Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api

GO-2026-4797: Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

GO-2026-4798: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

GO-2026-4805: Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api

GO-2026-4811: Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api

GO-2026-4846: Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

GO-2026-4847: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api

GO-2026-4848: Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api

GO-2026-4849: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

GO-2026-4850: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api

GO-2026-4851: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api

GO-2026-4852: Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api

GO-2026-4853: Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api

GO-2026-4855: Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api

openid

package

v0.22.1 Latest Latest Go to latest Published: Jan 28, 2024 License: AGPL-3.0 Imports: 20 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

git.kolaente.de/vikunja/api

Links

Open Source Insights

Documentation ¶

Index ¶

func CleanupSavedOpenIDProviders()
func HandleCallback(c echo.Context) error
type Callback
type Provider
- func GetAllProviders() (providers []*Provider, err error)
- func GetProvider(key string) (provider *Provider, err error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CleanupSavedOpenIDProviders ¶ added in v0.21.0

func CleanupSavedOpenIDProviders()

func HandleCallback ¶

func HandleCallback(c echo.Context) error

HandleCallback handles the auth request callback after redirecting from the provider with an auth code @Summary Authenticate a user with OpenID Connect @Description After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in. @ID get-token-openid @tags auth @Accept json @Produce json @Security JWTKeyAuth @Param callback body openid.Callback true "The openid callback" @Param provider path int true "The OpenID Connect provider key as returned by the /info endpoint" @Success 200 {object} auth.Token @Failure 500 {object} models.Message "Internal error" @Router /auth/openid/{provider}/callback [post]

Types ¶

type Callback ¶

type Callback struct {
	Code        string `query:"code" json:"code"`
	Scope       string `query:"scop" json:"scope"`
	RedirectURL string `json:"redirect_url"`
}

Callback contains the callback after an auth request was made and redirected

type Provider ¶

type Provider struct {
	Name            string `json:"name"`
	Key             string `json:"key"`
	OriginalAuthURL string `json:"-"`
	AuthURL         string `json:"auth_url"`
	LogoutURL       string `json:"logout_url"`
	ClientID        string `json:"client_id"`
	ClientSecret    string `json:"-"`

	Oauth2Config *oauth2.Config `json:"-"`
	// contains filtered or unexported fields
}

Provider is the structure of an OpenID Connect provider

func GetAllProviders ¶

func GetAllProviders() (providers []*Provider, err error)

GetAllProviders returns all configured providers

func GetProvider ¶

func GetProvider(key string) (provider *Provider, err error)

GetProvider retrieves a provider from keyvalue

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL