kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0adc2d4300c472e54a305e9cd8cc82120121e0ae
SharepointToolbox-Web/Components/Pages
T
History
kawa 17f6010a93 Fix open-redirect token leak and related auth hardening 
Security review fixes:
- Constrain OAuth connect returnUrl to a site-relative path so the
  redeemable token_key can't be redirected off-domain (was a refresh-
  token leak / connection hijack)
- Route all login redirects (entra/dev/local) through ToLocalReturnUrl,
  also closing a protocol-relative // open redirect in local-login
- Neutralize CSV formula prefixes in both audit-log exporters via
  CsvSanitizer
- Force Secure flag on the prod auth cookie (Always, not SameAsRequest)
- Gate admin pages with an app_role-claim "Admin" policy instead of a
  render-time check

Findings and rationale recorded in SECURITY-TODO.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 11:39:20 +02:00
..
Account
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 09:50:25 +02:00
Admin
Fix open-redirect token leak and related auth hardening
2026-06-11 11:39:20 +02:00
BulkMembers.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
BulkSites.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
Duplicates.razor
Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit
2026-06-08 17:55:28 +02:00
FileTransfer.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
FolderStructure.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 09:50:25 +02:00
Home.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 09:50:25 +02:00
NotFound.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 09:50:25 +02:00
Permissions.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
Profiles.razor
Let standard techs use profiles without sign-in; flag unshared ones
2026-06-11 11:27:46 +02:00
Reports.razor
Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit
2026-06-08 17:55:28 +02:00
ScheduledReports.razor
Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit
2026-06-08 17:55:28 +02:00
Search.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
Settings.razor
Fixed site discovery process that did not return all the sites
2026-06-04 14:48:08 +02:00
Storage.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
Templates.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
UserAccessAudit.razor
Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit
2026-06-08 17:55:28 +02:00
UserDirectory.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00
VersionCleanup.razor
Merge branch 'main' of https://git.azuze.fr/kawa/SharepointToolbox-Web
2026-06-03 11:04:23 +02:00