memos/server/router/api/v1/test
memoclaw 9d3a74bccc fix(api): make credentials write-only and restrict sensitive settings to admins
Security fixes for credential leakage across three resources:

- NOTIFICATION setting: restrict GetInstanceSetting to admin-only
  (was publicly accessible, exposing SMTP credentials)
- SMTP password: never return SmtpPassword in API responses (write-only)
- S3 secret: never return AccessKeySecret in API responses (write-only)
- OAuth2 ClientSecret: never return in API responses for any role
  (was previously returned to admins); remove redactIdentityProviderResponse
  in favor of omitting the field at the conversion layer
- Preserve-on-empty: when updating settings with an empty credential
  field, preserve the existing stored value instead of overwriting
  (applies to SmtpPassword, AccessKeySecret, and ClientSecret)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-29 07:34:00 +08:00
attachment_service_test.go fix: prevent local attachment uploads from overwriting files 2026-03-26 21:46:51 +08:00
auth_test.go refactor: user auth improvements (#5360) 2025-12-18 18:15:51 +08:00
idp_service_test.go fix(api): make credentials write-only and restrict sensitive settings to admins 2026-03-29 07:34:00 +08:00
instance_admin_cache_test.go feat: update instance profile to use admin user instead of initialized flag 2026-01-28 23:27:53 +08:00
instance_service_test.go fix(api): make credentials write-only and restrict sensitive settings to admins 2026-03-29 07:34:00 +08:00
memo_attachment_service_test.go fix(security): implement security review recommendations (#5228) 2025-11-06 23:32:27 +08:00
memo_relation_service_test.go fix(security): implement security review recommendations (#5228) 2025-11-06 23:32:27 +08:00
memo_service_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
memo_share_service_test.go feat(memo): add share links for private memos (#5742) 2026-03-19 23:47:22 +08:00
reaction_service_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
shortcut_service_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
sse_handler_test.go refactor(sse): move status indicator to avatar badge 2026-03-03 23:25:01 +08:00
test_helper.go perf: batch load memo relations when listing memos (#5692) 2026-03-07 11:19:19 +08:00
user_email_visibility_test.go fix(api): restrict user email exposure to self and admins (#5784) 2026-03-25 22:02:08 +08:00
user_notification_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
user_resource_name_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
user_service_registration_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
user_service_stats_test.go fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00