1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-28 09:21:13 -05:00
forgejo/services
Gusted 9508aa7713
Improve usage of HMAC output for mailer tokens
- If the incoming mail feature is enabled, tokens are being sent with
outgoing mails. These tokens contains information about what type of
action is allow with such token (such as replying to a certain issue
ID), to verify these tokens the code uses the HMAC-SHA256 construction.
- The output of the HMAC is truncated to 80 bits, because this is
recommended by RFC2104, but RFC2104 actually doesn't recommend this. It
recommends, if truncation should need to take place, it should use
max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out
to 128 bits instead of the currently used 80 bits.
- Update to token version 2 and disallow any usage of token version 1,
token version 2 are generated with 128 bits of HMAC output.
- Add test to verify the deprecation of token version 1 and a general
MAC check test.
2024-11-15 10:59:36 +01:00
..
actions fix: Actions PR workflows must update the commit status 2024-11-04 11:27:14 +01:00
agit fix(agit): run full pr checks on force-push 2024-08-12 09:00:41 +02:00
asymkey tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
attachment tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
auth Merge pull request 'fix: use ValidateEmail as binding across web forms' (#5158) from solomonv/consolidate-email-validation into forgejo 2024-10-21 14:31:32 +00:00
automerge Add branch auto deletion for scheduled PRs 2024-10-31 03:49:15 +01:00
context fix: extend forgejo_auth_token table 2024-11-15 10:59:36 +01:00
contexttest [TESTS] Fix usage of LoadRepoCommit 2024-08-26 08:03:48 +02:00
convert tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
cron Clear up old Actions logs (#31735) 2024-08-04 18:24:10 +02:00
doctor fix: extend forgejo_auth_token table 2024-11-15 10:59:36 +01:00
externalaccount allow synchronizing user status from OAuth2 login providers (#31572) 2024-07-22 15:44:13 +02:00
f3 feat: upgrade F3 to v3.7.0 2024-08-18 19:39:20 +02:00
federation feat: access ActivityPub client through interfaces to facilitate mocking in unit tests (#4853) 2024-08-07 05:45:24 +00:00
feed tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
forgejo tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
forms [FEAT] Trim spaces from repository name 2024-11-05 23:13:17 +01:00
gitdiff improve performance of diffs (#32393) 2024-11-05 09:39:21 +01:00
indexer Update issue indexer after merging a PR (#30715) 2024-05-12 20:03:10 +02:00
issue [PORT] Fix code owners will not be mentioned when a pull request comes from a forked repository (gitea#30476) 2024-11-09 00:46:48 +01:00
lfs Fix missing signature key error when pulling Docker images with SERVE_DIRECT enabled (#32365) 2024-11-05 09:33:15 +01:00
mailer Improve usage of HMAC output for mailer tokens 2024-11-15 10:59:36 +01:00
markup Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
migrations Merge pull request 'test: enable gitea migration tests' (#5817) from viceice/test/migrations/gitea into forgejo 2024-11-05 10:55:30 +00:00
mirror [PORT] Fix git error handling (gitea#32401) 2024-11-03 16:47:44 +01:00
notify Clean up log messages (#30313) 2024-04-15 20:01:35 +02:00
org Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
packages Fix missing signature key error when pulling Docker images with SERVE_DIRECT enabled (#32365) 2024-11-05 09:33:15 +01:00
pull tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
release tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
remote Enable unparam linter (#31277) 2024-06-16 13:42:58 +02:00
repository test: fix test linting 2024-11-11 12:44:36 +01:00
secrets Refactor deletion (#28610) 2023-12-25 21:25:29 +01:00
shared/automerge create "shared" package to workaround import loop issues 2024-10-31 03:49:14 +01:00
task feat(quota): Quota enforcement 2024-08-02 11:10:34 +02:00
uinotification Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
user fix: extend forgejo_auth_token table 2024-11-15 10:59:36 +01:00
webhook [CHORE] Use forked binding library 2024-11-05 22:47:34 +01:00
wiki git-grep: support regexp 2024-09-16 16:20:40 +02:00