Affected by GO-2023-2065 and 4 other vulnerabilities

GO-2023-2065: Cross-Site Request Forgery (CSRF) in usememos/memos in github.com/usememos/memos

GO-2024-3046: memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos

GO-2024-3047: memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos

GO-2024-3049: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos

GO-2024-3088: memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos

auth

package

v0.13.2 Latest Latest Go to latest Published: Jul 1, 2023 License: MIT Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/usememos/memos

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GenerateAPIToken(userName string, userID int, secret string) (string, error)
func GenerateAccessToken(userName string, userID int, secret string) (string, error)
func GenerateRefreshToken(userName string, userID int, secret string) (string, error)
func GenerateTokensAndSetCookies(c echo.Context, user *store.UserMessage, secret string) error
func RemoveTokensAndCookies(c echo.Context)

Constants ¶

View Source

const (

	// AccessTokenAudienceName is the audience name of the access token.
	AccessTokenAudienceName = "user.access-token"
	// RefreshTokenAudienceName is the audience name of the refresh token.
	RefreshTokenAudienceName = "user.refresh-token"

	// RefreshThresholdDuration is the threshold duration for refreshing token.
	RefreshThresholdDuration = 1 * time.Hour

	// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
	// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
	// Suppose we have a valid refresh token, we will refresh the token in 2 cases:
	// 1. The access token is about to expire in <<refreshThresholdDuration>>
	// 2. The access token has already expired, we refresh the token so that the ongoing request can pass through.
	CookieExpDuration = refreshTokenDuration - 1*time.Minute
	// AccessTokenCookieName is the cookie name of access token.
	AccessTokenCookieName = "access-token"
	// RefreshTokenCookieName is the cookie name of refresh token.
	RefreshTokenCookieName = "refresh-token"
	// UserIDCookieName is the cookie name of user ID.
	UserIDCookieName = "user"
)

Variables ¶

This section is empty.

Functions ¶

func GenerateAPIToken ¶

func GenerateAPIToken(userName string, userID int, secret string) (string, error)

GenerateAPIToken generates an API token.

func GenerateAccessToken ¶

func GenerateAccessToken(userName string, userID int, secret string) (string, error)

GenerateAccessToken generates an access token for web.

func GenerateRefreshToken ¶

func GenerateRefreshToken(userName string, userID int, secret string) (string, error)

GenerateRefreshToken generates a refresh token for web.

func GenerateTokensAndSetCookies ¶ added in v0.13.2

func GenerateTokensAndSetCookies(c echo.Context, user *store.UserMessage, secret string) error

GenerateTokensAndSetCookies generates jwt token and saves it to the http-only cookie.

func RemoveTokensAndCookies ¶ added in v0.13.2

func RemoveTokensAndCookies(c echo.Context)

RemoveTokensAndCookies removes the jwt token and refresh token from the cookies.

Types ¶

This section is empty.

Source Files ¶

View all Source files

auth.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL