memos/server/router
memoclaw 9d3a74bccc fix(api): make credentials write-only and restrict sensitive settings to admins
Security fixes for credential leakage across three resources:

- NOTIFICATION setting: restrict GetInstanceSetting to admin-only
  (was publicly accessible, exposing SMTP credentials)
- SMTP password: never return SmtpPassword in API responses (write-only)
- S3 secret: never return AccessKeySecret in API responses (write-only)
- OAuth2 ClientSecret: never return in API responses for any role
  (was previously returned to admins); remove redactIdentityProviderResponse
  in favor of omitting the field at the conversion layer
- Preserve-on-empty: when updating settings with an empty credential
  field, preserve the existing stored value instead of overwriting
  (applies to SmtpPassword, AccessKeySecret, and ClientSecret)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-29 07:34:00 +08:00
api/v1 fix(api): make credentials write-only and restrict sensitive settings to admins 2026-03-29 07:34:00 +08:00
fileserver fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
frontend chore: upgrade Echo v4 to v5.0.3 2026-02-10 09:15:27 +08:00
mcp fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
rss chore: optimize multi-user RSS feed generation by fixing N+1 query (#5749) 2026-03-20 18:09:24 +08:00