1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-29 09:31:11 -05:00
forgejo/modules
Gusted 8d2dab94a6
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit eff097448b)

[GITEA] rework long-term authentication (squash) add migration

Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
(cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc)
(cherry picked from commit d8bc98a8f0)
(cherry picked from commit 6404845df9)
(cherry picked from commit 72bdd4f3b9)
(cherry picked from commit 4b01bb0ce8)
(cherry picked from commit c26ac31816)
2023-11-13 14:06:31 +01:00
..
actions [CI] Search .forgejo/workflows first 2023-11-13 11:52:15 +01:00
activitypub More refactoring of db.DefaultContext (#27083) 2023-09-15 06:13:19 +00:00
analyze Rename code_langauge.go to code_language.go (#26377) 2023-08-07 15:00:53 -04:00
assetfs Use Set[Type] instead of map[Type]bool/struct{}. (#26804) 2023-08-30 06:55:25 +00:00
auth [GITEA] Drop sha256-simd in favor of stdlib 2023-11-13 14:06:31 +01:00
avatar [GITEA] Drop sha256-simd in favor of stdlib 2023-11-13 14:06:31 +01:00
base [GITEA] Drop sha256-simd in favor of stdlib 2023-11-13 14:06:31 +01:00
cache improve unit test for caching (#26185) 2023-07-27 22:24:40 +02:00
charset Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
container Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
context [GITEA] rework long-term authentication 2023-11-13 14:06:31 +01:00
contexttest Avoid double-unescaping of form value (#26853) 2023-09-01 12:01:36 +00:00
csv Refactor locale number (#24134) 2023-04-17 11:37:23 +08:00
doctor Remove action runners on user deletion (#27902) (#27908) 2023-11-05 13:20:00 +00:00
emoji Update emoji set to Unicode 15 (#25595) 2023-06-29 16:29:48 +00:00
eventsource More db.DefaultContext refactor (#27265) (#27347) 2023-09-29 13:35:01 +00:00
generate Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
git [GITEA] Drop sha256-simd in favor of stdlib 2023-11-13 14:06:31 +01:00
gitgraph More db.DefaultContext refactor (#27265) (#27347) 2023-09-29 13:35:01 +00:00
graceful Allow the use of alternative net.Listener implementations by downstreams (#25855) 2023-07-24 07:18:17 +00:00
hcaptcha Consume hcaptcha and pwn deps (#22610) 2023-01-29 09:49:51 -06:00
highlight Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) (#27675) 2023-10-18 15:07:52 +02:00
html Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
httpcache Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
httplib Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
indexer [CI] disable meilisearch/elasticsearch test, no server yet in CI 2023-11-13 11:52:15 +01:00
issue/template Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
json Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
label Make label templates have consistent behavior and priority (#23749) 2023-04-10 16:44:02 +08:00
lfs [GITEA] Drop sha256-simd in favor of stdlib 2023-11-13 14:06:31 +01:00
log Reduce some allocations in type conversion (#26772) 2023-08-29 00:43:16 +08:00
markup [GITEA] Use restricted sanitizer for repository description 2023-11-13 14:06:30 +01:00
mcaptcha Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
metrics Reduce usage of db.DefaultContext (#27073) 2023-09-14 17:09:32 +00:00
migration Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
nosql Update tool dependencies, lock govulncheck and actionlint (#25655) 2023-07-09 11:58:06 +00:00
options Use a general approach to access custom/static/builtin assets (#24022) 2023-04-12 18:16:45 +08:00
packages Close all hashed buffers (#27787) (#27790) 2023-10-25 22:24:25 +02:00
paginator Use more specific test methods (#24265) 2023-04-22 17:56:27 -04:00
pprof Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
private [CLI] implement forgejo-cli 2023-11-13 11:52:15 +01:00
process Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
proxy Use proxy for pull mirror (#22771) 2023-02-11 08:39:50 +08:00
proxyprotocol Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
public Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
queue [CI] disable redis test, no redis server yet in CI 2023-11-13 11:52:15 +01:00
recaptcha Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
references Replace 'userxx' with 'orgxx' in all test files when the user type is org (#27052) 2023-09-14 02:59:53 +00:00
regexplru Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
repository Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
secret [GITEA] Drop sha256-simd in favor of stdlib 2023-11-13 14:06:31 +01:00
session Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
setting [GITEA] rework long-term authentication 2023-11-13 14:06:31 +01:00
sitemap Fix sitemap (#22272) 2022-12-30 23:31:00 +08:00
ssh [GITEA] Remove SSH workaround 2023-11-13 14:06:31 +01:00
storage [CI] Forgejo Actions based CI for PR & branches 2023-11-13 11:52:15 +01:00
structs [FEAT] allow setting the update date on issues and comments 2023-11-13 12:33:49 +01:00
svg Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
sync Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
system Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
templates Fix label render containing invalid HTML (#27752) (#27762) 2023-10-24 09:39:13 +08:00
test Move web/api context related testing function into a separate package (#26859) 2023-09-01 11:26:07 +00:00
testlogger Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
timeutil Fix incorrect webhook time and use relative-time to display it (#24477) 2023-05-03 19:53:43 -04:00
translation Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
turnstile Add new captcha: cloudflare turnstile (#22369) 2023-02-05 15:29:03 +08:00
typesniffer Detect ogg mime-type as audio or video (#26494) 2023-08-15 10:31:25 +08:00
updatechecker Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
upload Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
uri Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
user Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
util [GITEA] rework long-term authentication 2023-11-13 14:06:31 +01:00
validation [GITEA] add option for banning dots in usernames 2023-11-13 14:04:16 +01:00
web [GITEA] Use maintained gziphandler 2023-11-13 14:06:31 +01:00
webhook New webhook trigger for receiving Pull Request review requests (#24481) 2023-05-24 22:06:27 -04:00