feat(calendar): store only token hash in database to enhance security
feat(federation): escape LIKE special characters in originDomain to prevent wildcard injection; feat(oauth): redirect with token in hash fragment to avoid exposure in logs; feat(OAuthCallback): retrieve token from hash fragment for improved security
@@ -751,8 +751,9 @@ router.post('/caldav-tokens', authenticateToken, async (req, res) => {
|
||||
const token = crypto.randomBytes(32).toString('hex');
|
||||
const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
|
||||
const result = await db.run(
|
||||
'INSERT INTO caldav_tokens (user_id, token, token_hash, name) VALUES (?, ?, ?, ?)',
|
||||
[req.user.id, token, tokenHash, name.trim()],
|
||||
// Store only the hash — never the plaintext — to limit exposure on DB breach.
|
||||
'INSERT INTO caldav_tokens (user_id, token, token_hash, name) VALUES (?, NULL, ?, ?)',
|
||||
[req.user.id, tokenHash, name.trim()],
|
||||
);
|
||||
res.status(201).json({
|
||||
token: { id: result.lastInsertRowid, name: name.trim() },
|
||||
|
||||
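Review bot: The new INSERT writes `NULL` into the `token` column, so the plaintext column stays in the schema and rows created before this change presumably still hold their plaintext value — without a migration that nulls out (or drops) `token` for existing rows, the DB-breach exposure the new comment describes persists for every pre-existing CalDAV token. The CalDAV authentication path, which is outside this hunk, must likewise stop matching on `token` and look up only by `token_hash` of the presented credential; a `UNIQUE` index on `token_hash` is worth confirming at the same time. SHA-256 over `crypto.randomBytes(32)` is adequate here since the input is 256 bits of entropy, so no slow hash is needed. The response object at the end of the hunk continues outside it; the plaintext `token` has to be returned to the client in that 201 response, because it can no longer be recovered from the database afterwards. The `router.post('/caldav-tokens', …)` handler starts before and ends after this hunk.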