chore(deps): bump the go_modules group in /backend/pb with 2 updates

[dependabot]

Bumps the go_modules group in /backend/pb with 2 updates: github.com/pocketbase/pocketbase and golang.org/x/image.

Updates github.com/pocketbase/pocketbase from 0.22.8 to 0.22.14

Release notes

Sourced from github.com/pocketbase/pocketbase's releases.

v0.22.14 Release

To update the prebuilt executable you can run ./pocketbase update.

• Added OAuth2 POST redirect support (in case of response_mode=form_post) to allow specifying scopes for the Apple OAuth2 integration.

  Note 1: If you are using the "Manual code exchange" flow with Apple (aka. authWithOAuth2Code()), you need to either update your custom redirect handler to accept POST requests OR if you want to keep the old behavior and don't need the Apple user's email - replace in the Apple authorization url response_mode=form_post back to response_mode=query.

  Note 2: Existing users that have already logged in with Apple may need to revoke their access in order to see the email sharing options as shown in this screenshot. If you want to force the new consent screen you could register a new Apple OAuth2 app.

• ⚠️ Fixed a security vulnerability related to the OAuth2 email autolinking (thanks to @​dalurness for reporting it).

  Just to be safe I've also published a GitHub security advisory (may take some time to show up in the related security databases).

  In order to be exploited you must have both OAuth2 and Password auth methods enabled.

  A possible attack scenario could be:

  • a malicious actor register with the targeted user's email (it is unverified)
  • at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user)
  • on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
  • because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password

  To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).

  Additionally to warn users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:

  Hello, Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked. If you have recently signed in with a password, you may disregard this email. If you don't recognize the above action, you should immediately change your Acme account password. Thanks, Acme team

  The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).

v0.22.14-rc Prerelease

⚠️ This is a prerelease intended primarily for test purposes.

• Added OAuth2 POST redirect support (in case of response_mode=form_post) to allow specifying scopes for the Apple OAuth2 integration.

Need help with testing that the above change actually works with the Apple OAuth2 provider. Please see pocketbase/pocketbase#5074.

v0.22.13 Release

To update the prebuilt executable you can run ./pocketbase update.

• Fixed rules inconsistency for text literals when inside parenthesis (#5017).

• Updated Go deps.

v0.22.12 Release

... (truncated)

Changelog

Sourced from github.com/pocketbase/pocketbase's changelog.

v0.22.14

• Added OAuth2 POST redirect support (in case of response_mode=form_post) to allow specifying scopes for the Apple OAuth2 integration.

  Note 1: If you are using the "Manual code exchange" flow with Apple (aka. authWithOAuth2Code()), you need to either update your custom redirect handler to accept POST requests OR if you want to keep the old behavior and don't need the Apple user's email - replace in the Apple authorization url response_mode=form_post back to response_mode=query.

  Note 2: Existing users that have already logged in with Apple may need to revoke their access in order to see the email sharing options as shown in this screenshot. If you want to force the new consent screen you could register a new Apple OAuth2 app.

• ⚠️ Fixed a security vulnerability related to the OAuth2 email autolinking (thanks to @​dalurness for reporting it).

  Just to be safe I've also published a GitHub security advisory (may take some time to show up in the related security databases).

  In order to be exploited you must have both OAuth2 and Password auth methods enabled.

  A possible attack scenario could be:

  • a malicious actor register with the targeted user's email (it is unverified)
  • at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user)
  • on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
  • because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password

  To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).

  Additionally to warn users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:

  Hello, Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked. If you have recently signed in with a password, you may disregard this email. If you don't recognize the above action, you should immediately change your Acme account password. Thanks, Acme team

  The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).

v0.22.13

• Fixed rules inconsistency for text literals when inside parenthesis (#5017).

• Updated Go deps.

v0.22.12

• Fixed calendar picker grid layout misalignment on Firefox (#4865).

• Updated Go deps and bumped the min Go version in the GitHub release action to Go 1.22.3 since it comes with some minor security fixes.

... (truncated)

Commits

• 76b43eb updated changelog
• 9fae8c9 updated go deps
• 58ace5d updated the rules when linking OAuth2 by email
• af9cf33 #5074 redirect with 303 in case of a POST OAuth2 callback
• d417b86 added POST OAuth2 redirect test
• 9d84767 added support for OAuth2 post redirect
• 970b000 updated go deps and bumped app version
• 1682db5 updated ui/dist and go deps
• 5acaa0a #4865 fixed Firefox calendar picker grid layout
• 8a75a9a Merge branch 'master' into develop
• Additional commits viewable in compare view

Updates golang.org/x/image from 0.15.0 to 0.17.0

Commits

• 6c5fa46 go.mod: update golang.org/x dependencies
• 55c4ab6 go.mod: update golang.org/x dependencies
• 0057a93 tiff: fix function name in comment
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.