mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-26 13:29:12 -05:00
8d2dab94a6
- The current architecture is inherently insecure, because you can construct the 'secret' cookie value with values that are available in the database. Thus provides zero protection when a database is dumped/leaked. - This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies). - Integration testing is added to ensure the new mechanism works. - Removes a setting, because it's not used anymore. (cherry picked from commiteff097448b
) [GITEA] rework long-term authentication (squash) add migration Reminder: the migration is run via integration tests as explained in the commit "[DB] run all Forgejo migrations in integration tests" (cherry picked from commit4accf7443c
) (cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc) (cherry picked from commitd8bc98a8f0
) (cherry picked from commit6404845df9
) (cherry picked from commit72bdd4f3b9
) (cherry picked from commit4b01bb0ce8
) (cherry picked from commitc26ac31816
)
25 lines
547 B
Go
25 lines
547 B
Go
// SPDX-License-Identifier: MIT
|
|
|
|
package forgejo_v1_20 //nolint:revive
|
|
|
|
import (
|
|
"code.gitea.io/gitea/modules/timeutil"
|
|
|
|
"xorm.io/xorm"
|
|
)
|
|
|
|
type AuthorizationToken struct {
|
|
ID int64 `xorm:"pk autoincr"`
|
|
UID int64 `xorm:"INDEX"`
|
|
LookupKey string `xorm:"INDEX UNIQUE"`
|
|
HashedValidator string
|
|
Expiry timeutil.TimeStamp
|
|
}
|
|
|
|
func (AuthorizationToken) TableName() string {
|
|
return "forgejo_auth_token"
|
|
}
|
|
|
|
func CreateAuthorizationTokenTable(x *xorm.Engine) error {
|
|
return x.Sync(new(AuthorizationToken))
|
|
}
|