feat(calendar): store only token hash in database to enhance security

feat(federation): escape LIKE special characters in originDomain to prevent wildcard injection

feat(oauth): redirect with token in hash fragment to avoid exposure in logs

feat(OAuthCallback): retrieve token from hash fragment for improved security
2026-03-04 13:41:40 +01:00
parent 6aa01d39f4
commit 8edcb7d3df
4 changed files with 27 additions and 16 deletions


@@ -248,9 +248,10 @@ router.get('/callback', callbackLimiter, async (req, res) => {
// Generate JWT
const token = generateToken(user.id);
// Redirect to frontend callback page with token
// Redirect to frontend callback page with token.
// Use a hash fragment so the token is never sent to the server (not logged, not in Referer headers).
const returnTo = stateData.return_to || '/dashboard';
res.redirect(`${baseUrl}/oauth/callback?token=${encodeURIComponent(token)}&return_to=${encodeURIComponent(returnTo)}`);
res.redirect(`${baseUrl}/oauth/callback#token=${encodeURIComponent(token)}&return_to=${encodeURIComponent(returnTo)}`);
} catch (err) {
log.auth.error(`OAuth callback error: ${err.message}`);
const baseUrl = getBaseUrl(req);