mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-05-02 18:06:54 +00:00
The OIDC callback handler previously issued a JWT without ever checking TOTP state. For installations with EmailFallback (or UsernameFallback) enabled, this allowed an attacker who could authenticate at the IdP with a matching email to log in as a local user with TOTP enrolled, bypassing the second factor entirely.

HandleCallback now runs enforceTOTPIfRequired after resolving the user and before any team sync writes, returning 412/1017 when the passcode is missing or invalid. Clients resubmit the OIDC flow with the totp_passcode field populated.

Fixes GHSA-8jvc-mcx6-r4cg
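The ordering the commit message describes, as an added Go example that is not Vikunja's code: the broken path (resolve user, sync teams, issue session) beside the fixed one (resolve user, enforce the second factor, then sync teams). Everything here is constructed for the illustration: the User, CallbackRequest, HTTPError and Store types, the checkTOTP flag that selects between the two orderings, the 404 for an unknown user, the plain string standing in for a signed JWT, and the RFC 6238 code generator with a one-step skew window. Only EmailFallback-style matching (by the IdP email claim) is modelled; the enforceTOTPIfRequired name is taken from the commit message but its body is this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed stand-ins for this example; none of these types is the project's own.
type User struct {
	ID          int64
	TOTPEnabled bool   // "TOTP enrolled" in the commit message
	TOTPSecret  []byte // raw shared secret (hypothetical storage format)
}

// CallbackRequest: the IdP email claim (EmailFallback match key) plus the optional totp_passcode field.
type CallbackRequest struct{ IdPEmail, TOTPPasscode string }

// HTTPError pairs an HTTP status with an application error code, as in "412/1017".
type HTTPError struct {
	Status, Code int
	Msg          string
}

func (e *HTTPError) Error() string { return fmt.Sprintf("%d/%d: %s", e.Status, e.Code, e.Msg) }

// Store is an in-memory user directory keyed by email. TeamWrites logs every team-sync
// write so a caller can see whether anything was persisted before the second factor passed.
type Store struct {
	Users      map[string]*User
	TeamWrites []int64
}

// totpCode implements RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits.
func totpCode(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// validateTOTP accepts the current step and one step either side, comparing in constant time.
func validateTOTP(secret []byte, passcode string, now time.Time) bool {
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		if hmac.Equal([]byte(totpCode(secret, now.Add(skew))), []byte(passcode)) {
			return true
		}
	}
	return false
}

// enforceTOTPIfRequired is a no-op for users without TOTP and rejects a missing or wrong
// passcode with 412/1017 for enrolled users. Only the name follows the commit message.
func enforceTOTPIfRequired(u *User, passcode string, now time.Time) error {
	if u.TOTPEnabled && (passcode == "" || !validateTOTP(u.TOTPSecret, passcode, now)) {
		return &HTTPError{Status: 412, Code: 1017, Msg: "TOTP passcode missing or invalid"}
	}
	return nil
}

func (s *Store) syncTeams(u *User) { s.TeamWrites = append(s.TeamWrites, u.ID) }

// HandleCallback resolves the local user by the IdP email (the EmailFallback path). With
// checkTOTP=false it reproduces the broken ordering: teams are synced and a session issued
// without TOTP state ever being consulted. With checkTOTP=true the second factor is enforced
// after user resolution and before any team-sync write, so a rejection has no side effects.
func (s *Store) HandleCallback(r CallbackRequest, now time.Time, checkTOTP bool) (string, error) {
	u, ok := s.Users[r.IdPEmail]
	if !ok {
		return "", &HTTPError{Status: 404, Msg: "no local user for " + r.IdPEmail}
	}
	if checkTOTP {
		if err := enforceTOTPIfRequired(u, r.TOTPPasscode, now); err != nil {
			return "", err
		}
	}
	s.syncTeams(u)
	return fmt.Sprintf("session-for-user-%d", u.ID), nil // stands in for signing a JWT
}

// NewExampleStore returns a constructed directory with one TOTP-enrolled user
// (the secret is the RFC 4226 / RFC 6238 test secret).
func NewExampleStore() *Store {
	return &Store{Users: map[string]*User{
		"alice@example.com": {ID: 1, TOTPEnabled: true, TOTPSecret: []byte("12345678901234567890")},
	}}
}

func main() {
	s, now := NewExampleStore(), time.Unix(59, 0) // t=59 is the first RFC 6238 test step
	_, err := s.HandleCallback(CallbackRequest{IdPEmail: "alice@example.com"}, now, true)
	fmt.Println("fixed ordering, no passcode:", err, "team writes:", s.TeamWrites)
}
```

Running it with checkTOTP=false shows the bypass: anyone the IdP vouches for with alice's email gets a session and a team sync, her enrolled TOTP never consulted. With checkTOTP=true the same request fails with 412/1017 and TeamWrites stays empty, which is the point of placing the check before the team-sync writes rather than after them; a rejected callback should not have altered membership. Because the check runs on the already-resolved local user, it applies no matter how the user was matched, so the same placement covers the UsernameFallback case the commit message mentions. At time 59 with the RFC test secret the valid code is 287082 (RFC 4226 counter 1), which is what a resubmitted request would carry in totp_passcode.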