mirror of https://github.com/usememos/memos.git
Applied security fixes to the latest upstream (usememos/memos):
- Remove hardcoded JWT secret ("usememos") in demo mode; always use instance secret key
- Enforce DisallowPasswordAuth for all roles including admins (was only blocking regular users)
- Add minimum password length validation (8 chars) on CreateUser and UpdateUser password change
- Restrict CORS to same-origin in production (was allowing all origins on both gateway and connect)
- Add HTTP client timeout (10s) to OAuth2 identity provider
- Remove PII logging of OAuth2 user info claims
https://claude.ai/code/session_018iYDVMmBxJLWBvqugc6tNe
| | | |
|---|---|---|
| .. | | |
| oauth2 | | |
| idp.go | | |