memos

History

Claude d88a116fbc fix: security hardening on synced upstream codebase Applied security fixes to the latest upstream (usememos/memos): - Remove hardcoded JWT secret ("usememos") in demo mode; always use instance secret key - Enforce DisallowPasswordAuth for all roles including admins (was only blocking regular users) - Add minimum password length validation (8 chars) on CreateUser and UpdateUser password change - Restrict CORS to same-origin in production (was allowing all origins on both gateway and connect) - Add HTTP client timeout (10s) to OAuth2 identity provider - Remove PII logging of OAuth2 user info claims https://claude.ai/code/session_018iYDVMmBxJLWBvqugc6tNe	2026-03-15 16:51:53 +00:00
..
oauth2.go	fix: security hardening on synced upstream codebase	2026-03-15 16:51:53 +00:00
oauth2_test.go	feat(auth): add PKCE support and enhance OAuth security	2025-12-01 00:04:26 +08:00

fix: security hardening on synced upstream codebase

Applied security fixes to the latest upstream (usememos/memos):

- Remove hardcoded JWT secret ("usememos") in demo mode; always use instance secret key
- Enforce DisallowPasswordAuth for all roles including admins (was only blocking regular users)
- Add minimum password length validation (8 chars) on CreateUser and UpdateUser password change
- Restrict CORS to same-origin in production (was allowing all origins on both gateway and connect)
- Add HTTP client timeout (10s) to OAuth2 identity provider
- Remove PII logging of OAuth2 user info claims

https://claude.ai/code/session_018iYDVMmBxJLWBvqugc6tNe

2026-03-15 16:51:53 +00:00

oauth2.go

fix: security hardening on synced upstream codebase

2026-03-15 16:51:53 +00:00

oauth2_test.go

feat(auth): add PKCE support and enhance OAuth security

2025-12-01 00:04:26 +08:00