- Go 50.1%
- CSS 26.9%
- HTML 22.4%
- Dockerfile 0.6%

- Replace SHA512-based deterministic token with 32-byte crypto/rand token
- Store tokens server-side with 1-hour expiry and single-use semantics
- Remove genToken (previously broken due to time.Add immutability bug)
- Add CSRF double-submit cookie protection to change/lost/reset forms
- Remove token from form action URL (use hidden fields only, POST body)
- Add MailFrom field and SMTP_FROM env var for configurable sender address
- Add SMTP_PASSWORD_FILE env var for secure SMTP password loading
- Add PUBLIC_URL env var and --public-url flag for configurable reset link domain
- Use generic error messages in handlers to avoid information disclosure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

| | | |
|---|---|---|
| static | | |
| .drone.yml | | |
| .gitignore | | |
| addy.go | | |
| change.go | | |
| csrf.go | | |
| Dockerfile | | |
| go.mod | | |
| go.sum | | |
| ldap.go | | |
| login.go | | |
| lost.go | | |
| main.go | | |
| renovate.json | | |
| reset.go | | |
| static.go | | |