Affected by GO-2023-2065 and 14 other vulnerabilities

GO-2023-2065: Cross-Site Request Forgery (CSRF) in usememos/memos in github.com/usememos/memos

GO-2024-3046: memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos

GO-2024-3047: memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos

GO-2024-3049: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos

GO-2024-3088: memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos

GO-2025-3492: Memos Server-Side Request Forgery (SSRF) in github.com/usememos/memos

GO-2025-3831: Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs in github.com/usememos/memos

GO-2025-3936: Memos Vulnerable to Path Traversal via the CreateResource Endpoint in github.com/usememos/memos

GO-2025-3937: Memos Vulnerable to Stored Cross-Site Scripting in github.com/usememos/memos

GO-2025-4127: Memos' Access Tokens Stay Valid after User Password Change in github.com/usememos/memos

GO-2025-4215: memos vulnerability allows arbitrarily reactions deletion in github.com/usememos/memos

GO-2025-4216: memos vulnerability allows arbitrarily modification or deletion of attachments in github.com/usememos/memos

GO-2025-4217: memos vulnerability allows the creation of arbitrary accounts in github.com/usememos/memos

GO-2025-4218: memos lacks file name validation or verification in github.com/usememos/memos

GO-2025-4220: memos vulnerability allows arbitrarily modification or deletion registered identity providers in github.com/usememos/memos

auth

package

v0.14.4 Latest Latest Go to latest Published: Aug 13, 2023 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/usememos/memos

Links

Documentation ¶

Index ¶

Constants

Constants ¶

View Source

const (
	// The key name used to store user id in the context
	// user id is extracted from the jwt token subject field.
	UserIDContextKey = "user-id"
	// issuer is the issuer of the jwt token.
	Issuer = "memos"
	// Signing key section. For now, this is only used for signing, not for verifying since we only
	// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
	KeyID = "v1"
	// AccessTokenAudienceName is the audience name of the access token.
	AccessTokenAudienceName = "user.access-token"
	AccessTokenDuration     = 7 * 24 * time.Hour

	// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
	// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
	CookieExpDuration = AccessTokenDuration - 1*time.Minute
	// AccessTokenCookieName is the cookie name of access token.
	AccessTokenCookieName = "memos.access-token"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

This section is empty.

Source Files ¶

View all Source files

auth.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL