mirror of
https://github.com/usememos/memos.git
synced 2025-12-19 07:08:55 +08:00
Implements critical OAuth 2.0 security improvements to protect against authorization code interception attacks and improve provider compatibility:

- Add PKCE (RFC 7636) support with SHA-256 code challenge/verifier
- Fix access token extraction to use standard field instead of Extra()
- Add OAuth error parameter handling (access_denied, invalid_scope, etc.)
- Maintain backward compatibility for non-PKCE flows

This brings the OAuth implementation up to modern security standards as recommended by Auth0, Okta, and the OAuth 2.0 Security Best Current Practice (RFC 8252).

Backend changes:
- Add code_verifier parameter to ExchangeToken with PKCE support
- Use token.AccessToken for better provider compatibility
- Update proto definition with optional code_verifier field

Frontend changes:
- Generate cryptographically secure PKCE parameters
- Include code_challenge in authorization requests
- Handle and display OAuth provider errors gracefully
- Pass code_verifier during token exchange

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
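The commit above describes three mechanisms without showing them: generating a PKCE code_verifier and its S256 code_challenge, checking the verifier when the authorization code is exchanged, and surfacing the provider's `error`/`error_description` parameters on the callback. The following Go block is an added illustration of those pieces, written for this page; it is not code from the memos repository, and the names `NewCodeVerifier`, `CodeChallengeS256`, `VerifyCodeVerifier`, `OAuthError` and `ParseCallback` are hypothetical. One caveat on the commit text: RFC 8252 is "OAuth 2.0 for Native Apps"; the OAuth 2.0 Security Best Current Practice is a separate document, though both recommend PKCE. The verification side also shows the downgrade check a practitioner wants: a code that was issued with a code_challenge must not be redeemable without a verifier, otherwise an intercepted code can be redeemed by simply omitting the parameter, which is exactly the attack PKCE exists to stop.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Added illustration; helper names are hypothetical, not memos' own API.

// NewCodeVerifier builds a code_verifier from 32 bytes of crypto/rand,
// base64url-encoded without padding (43 chars, inside RFC 7636's 43..128 range).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 implements RFC 7636 section 4.2:
// code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

var (
	ErrVerifierRequired = errors.New("pkce: code_verifier required, code was issued with a code_challenge")
	ErrVerifierLength   = errors.New("pkce: code_verifier must be 43 to 128 characters")
	ErrVerifierMismatch = errors.New("pkce: code_verifier does not match code_challenge")
)

// VerifyCodeVerifier models the token-endpoint check. storedChallenge is the
// S256 code_challenge remembered when the authorization code was issued, or ""
// when the client sent none (legacy non-PKCE flow, kept for compatibility).
func VerifyCodeVerifier(storedChallenge, verifier string) error {
	if storedChallenge == "" {
		return nil // no PKCE negotiated for this code: nothing to check
	}
	if verifier == "" {
		return ErrVerifierRequired // refuse the downgrade: challenge without verifier
	}
	if n := len(verifier); n < 43 || n > 128 {
		return ErrVerifierLength
	}
	got := []byte(CodeChallengeS256(verifier))
	if subtle.ConstantTimeCompare(got, []byte(storedChallenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

// OAuthError is the error/error_description pair a provider appends to the
// redirect URI instead of a code (RFC 6749 section 4.1.2.1).
type OAuthError struct {
	Code        string // e.g. access_denied, invalid_scope, server_error
	Description string
}

func (e *OAuthError) Error() string {
	if e.Description == "" {
		return "oauth: provider returned " + e.Code
	}
	return fmt.Sprintf("oauth: provider returned %s: %s", e.Code, e.Description)
}

// ParseCallback pulls code and state out of the redirect URL and reports the
// provider's error parameter instead of treating a missing code as a bug.
func ParseCallback(rawURL string) (code, state string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", "", &OAuthError{Code: e, Description: q.Get("error_description")}
	}
	if code = q.Get("code"); code == "" {
		return "", "", errors.New("oauth: callback carries neither code nor error")
	}
	return code, q.Get("state"), nil
}

func main() {
	// Constructed walk-through: client generates the pair, server checks it.
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier) // sent as code_challenge=...&code_challenge_method=S256
	fmt.Println("valid verifier accepted:", VerifyCodeVerifier(challenge, verifier) == nil)
	fmt.Println("omitted verifier:", VerifyCodeVerifier(challenge, ""))
	fmt.Println("wrong verifier:", VerifyCodeVerifier(challenge, verifier+"x"))

	// Constructed provider redirect that carries an error instead of a code.
	_, _, err = ParseCallback("https://memos.example/auth/callback?error=access_denied&error_description=User+cancelled")
	fmt.Println("callback:", err)
}
```

The S256 function can be checked against the test vector in RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`). The constant-time comparison is cheap insurance; the important property is that the server binds the challenge to the issued code and never accepts `plain` or a missing verifier once a challenge was recorded.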
Files in this directory:

| Name |
|---|
| test |
| acl.go |
| acl_config.go |
| activity_service.go |
| attachment_service.go |
| auth.go |
| auth_service.go |
| auth_service_client_info_test.go |
| common.go |
| health_service.go |
| idp_service.go |
| instance_service.go |
| logger_interceptor.go |
| memo_attachment_service.go |
| memo_relation_service.go |
| memo_service.go |
| memo_service_converter.go |
| memo_service_filter.go |
| reaction_service.go |
| resource_name.go |
| shortcut_service.go |
| user_service.go |
| user_service_stats.go |
| v1.go |