mirror of
https://github.com/orris-inc/orris.git
synced 2026-06-17 18:32:41 +08:00
Password login revealed account state before verifying the password: locked, OAuth-only and inactive accounts returned distinct errors, letting an attacker enumerate accounts by submitting any password. Reorder the checks so lockout and OAuth-only accounts return the generic credential error, and only surface an inactive-account error after the password is confirmed.
Sensitive auth endpoints shared a single lenient per-IP limiter and the OAuth init/callback routes had none. Add a stricter dedicated limit for login, forgot-password and reset-password, and apply the default limiter to the OAuth routes.
The subscription generator logged the full subscription token in plaintext; truncate it for logging like the repository layer already does.
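The check ordering that the commit message above describes, as an added Go sketch that is not taken from the Orris code base. All type, function and error names are hypothetical, the accounts are constructed sample data, and SHA-256 stands in for a real password hash so the block needs only the standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Hypothetical names throughout; this is not Orris code.
var (
	ErrInvalidCredentials = errors.New("invalid email or password")
	ErrAccountInactive    = errors.New("account is inactive")
)

type Account struct {
	PasswordHash                [32]byte // SHA-256 placeholder; use bcrypt or argon2id in practice
	HasPassword, Locked, Active bool     // HasPassword is false for OAuth-only accounts
}

func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// Login reveals "inactive" only after the password matched; every other failure is generic.
func Login(accounts map[string]Account, email, password string) error {
	acct, found := accounts[email] // zero-value Account when the email is unknown
	got := hashPassword(password)  // always hash and compare, whatever the account state
	match := subtle.ConstantTimeCompare(got[:], acct.PasswordHash[:]) == 1
	if !found || !acct.HasPassword || acct.Locked || !match {
		return ErrInvalidCredentials
	}
	if !acct.Active {
		return ErrAccountInactive
	}
	return nil
}

// SampleAccounts returns constructed data; every password is "s3cret".
func SampleAccounts() map[string]Account {
	h := hashPassword("s3cret")
	return map[string]Account{
		"ok@example.com":       {PasswordHash: h, HasPassword: true, Active: true},
		"locked@example.com":   {PasswordHash: h, HasPassword: true, Locked: true, Active: true},
		"oauth@example.com":    {Active: true},
		"inactive@example.com": {PasswordHash: h, HasPassword: true},
	}
}

func main() {
	fmt.Println(Login(SampleAccounts(), "locked@example.com", "s3cret")) // generic error even with the right password
}
```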
Orris
Quick Install
curl -fsSL https://raw.githubusercontent.com/orris-inc/orris/main/install.sh | bash
Or specify domain and admin credentials:
curl -fsSL https://raw.githubusercontent.com/orris-inc/orris/main/install.sh | \
DOMAIN=orris.example.com \
ADMIN_EMAIL=admin@example.com \
ADMIN_PASSWORD=your-password \
bash
Detailed Installation
See INSTALL.md for detailed installation instructions.
Update
Update to the latest version:
# From your Orris installation directory
./install.sh update
# Or remotely
curl -fsSL https://raw.githubusercontent.com/orris-inc/orris/main/install.sh | bash -s -- update
This will:
- Pull the latest Docker images
- Run database migrations
- Restart all services
Common Commands
docker compose ps # Check status
docker compose logs -f # View logs
docker compose down # Stop services
docker compose up -d # Start services
./install.sh update # Update to latest version
./install.sh help # Show help
License