Commit graph

4889 commits

Author SHA1 Message Date
006b0003b4 fix typos (singing key -> signing key) 2024-09-30 17:54:51 -07:00
a2e959dabb add kid header to JWT 2024-09-30 14:47:46 -07:00
6c10f85fb5 fix query param 2024-09-30 11:11:41 -07:00
b14f3946e2 Use existing JWT signing key code 2024-09-30 09:11:45 -07:00
c024df7867 address additional linter concern 2024-09-29 16:58:23 -07:00
b6b488ef54 address linter concern 2024-09-29 16:36:34 -07:00
d91299d6d3 address linter concerns 2024-09-29 16:36:34 -07:00
6351ceaaee only provide token to jobs with id-token: write permission 2024-09-29 16:36:33 -07:00
b265b40680 back to ed25519 keys 2024-09-29 16:35:23 -07:00
3d4ad65bbb switch to RSA key to be in line with GitHub 2024-09-29 16:35:23 -07:00
e4dfb8c1c7 inject the vars and secrets into the job - should be environment variables eventually 2024-09-29 16:35:22 -07:00
20af05b0c6 Add some TODOs 2024-09-29 16:35:22 -07:00
ebcf74ecbb fix time-related jwt fields 2024-09-29 16:35:22 -07:00
7a94dac274 Fix router, other misc fixes found in local testing 2024-09-29 16:35:22 -07:00
2e3ffc5c07 fix paths and set jwt expiry time to match github's 2024-09-29 16:35:22 -07:00
84777880f2 wip job tokens 2024-09-29 16:35:22 -07:00
Exploding Dragon
89742c4913 feat: add architecture-specific removal support for arch package (#5351)
- [x] add architecture-specific removal support
- [x] Fix upload competition
- [x] Fix not checking input when downloading

docs: https://codeberg.org/forgejo/docs/pulls/874

### Release notes

- [ ] I do not want this change to show in the release notes.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5351
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Exploding Dragon <explodingfkl@gmail.com>
Co-committed-by: Exploding Dragon <explodingfkl@gmail.com>
2024-09-27 08:21:22 +00:00
Lunny Xiao
f709de2403
Fix wrong last modify time (#32102)
(cherry picked from commit a802508f88e546bf18990559e44bf27a09c869ee)
2024-09-27 08:42:48 +02:00
KN4CK3R
526054332a
Fix incorrect /tokens api (#32085)
Fixes #32078

- Add missing scopes output.
- Disallow empty scope.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 08adbc468f8875fd4763c3656b334203c11adc0a)
2024-09-27 08:42:48 +02:00
wxiaoguang
1ae3b127fc
Refactor CSRF protector (#32057)
Remove unused CSRF options, decouple "new csrf protector" and "prepare"
logic, do not redirect to home page if CSRF validation fails (it
shouldn't happen in daily usage, if it happens, redirecting to home
doesn't help either but just makes the problem more complex for "fetch")

(cherry picked from commit 1fede04b83288d8a91304a83b7601699bb5cba04)

Conflicts:
	options/locale/locale_en-US.ini
	tests/integration/repo_branch_test.go
  trivial context conflicts
2024-09-27 08:42:48 +02:00
Zettat123
961766744b
Check if the due_date is nil when editing issues (#32035)
(cherry picked from commit 3a51c37672d2fbad1f222922e75ce704d5a1ac71)
2024-09-22 09:05:15 +02:00
Kemal Zebari
eb765dabfd
Handle invalid target when creating releases using API (#31841)
A 500 status code was thrown when passing a non-existent target to the
create release API. This snapshot handles this error and instead throws
a 404 status code.

Discovered while working on #31840.

(cherry picked from commit f05d9c98c4cb95e3a8a71bf3e2f8f4529e09f96f)
2024-09-14 18:45:18 +02:00
Daniel
5c7b85a981
Failed authentications are logged to level Warning (#32016)
PR for issue #31968
Replaces PR #31983 to comply with gitea's error definition

Failed authentications are now logged to level `Warning` instead of
`Info`.

(cherry picked from commit 64298dcb9e72a5a87a4680563d91fae5b90e0160)
2024-09-14 17:55:25 +02:00
Shiny Nematoda
14abf65269 feat: set created_by as the default filter for /issues and /pulls (#5286)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5286
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Co-committed-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
2024-09-13 12:55:39 +00:00
Denys Konovalov
8857da871e Remove urls from translations (#31950)
Part of #27700

Removes all URLs from translation strings to ease changing them in
the future and to exclude people injecting malicious URLs through
translations. First measure as long as #24402 is out of scope.

(cherry picked from commit 83f37f630246e381eefd650fc2d4b1f3976ea882)
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>

Conflicts:
	- options/locale/locale_en-US.ini
	  Resolved by manually applying the URL->%s changes to our translations.
	- routers/web/admin/hooks.go
	  templates/repo/settings/protected_branch.tmpl
	  templates/status/500.tmpl
	  Manually resolved.
	- templates/repo/settings/webhook/settings.tmpl
	  Applied the change to templates/webhook/shared-settings.tmpl
	  instead

Additional changes: Gitea-specific URLs have been replaced by their
Forgejo counterparts, lifted from the original translation text.
2024-09-12 17:28:58 +05:00
Earl Warren
abd08e6fd8 Merge pull request '[gitea] week 2024-37 cherry pick (gitea/main -> forgejo)' (#5263) from algernon/wcp/2024-37 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5263
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-09-11 10:34:35 +00:00
Shiny Nematoda
6178a46fe2 feat: set fuzzy as default for issue search (#5270)
Closes #5225

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5270
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Co-committed-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
2024-09-10 15:57:58 +00:00
Adam Majer
5f3a2aafdf
Return 404 instead of error when commit not exist (#31977)
Fix #31976

(cherry picked from commit bf7ae0429cdf236510aa6702e499878bc2345a6e)
2024-09-09 20:54:47 +02:00
6543
3c8eb46765
For consistency make repo search sort options case sensitive (#31951)
(cherry picked from commit 19af5344623ba999f418520fad1a3bde77980561)
2024-09-09 20:54:47 +02:00
6543
4098098f00
nix wording nit in todo code comment
(cherry picked from commit c0db47bf9b6eb59d822ad21b7dd8b1d6acd8ad8e)
2024-09-09 20:54:39 +02:00
yp05327
5a0bc35799
Fix sort order for organization home and user profile page (#31921)
Fix #31916

In #30876, `sortOrder` has been changed into a map, but it is only
implemented in explore.
~~But it seems that size sort order has no effect from long long ago,~~
not directly caused by the PR above.

I think it is still caused by #29231.
In #29231, it merged the sort orders from
`templates/explore/repo_search.tmpl` and
`templates/admin/repo/search.tmpl`.
In `templates/admin/repo/search.tmpl`, it contains size sort orders, but
not in `templates/explore/repo_search.tmpl`, which is used in non-admin
pages.
So `order by size` is added from #29231, but the handler was not added.

---------

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 661a1e10f7abd3527d2abc027dec936022db9379)
2024-09-09 20:54:39 +02:00
Lunny Xiao
4ee3a150a3
Fix search team (#31923)
Fix #20658

(cherry picked from commit 06c67c6d5a91176fe4b87fc884c96afc7c3597fa)
2024-09-01 08:19:04 +02:00
Gusted
63736e8301
[FEAT] Add support for webauthn credential level 3
- For WebAuthn Credential level 3, the `backup_eligible` and
`backup_state` flags are checked if they are consistent with the values
given on login. Forgejo never stored this data, so add a database
migration that makes all webauthn credentials 'legacy' and on the next
first use capture the values of `backup_eligible` and `backup_state`.
As suggested in https://github.com/go-webauthn/webauthn/discussions/219#discussioncomment-10429662
- Adds unit tests.
- Add E2E test.
2024-08-29 10:05:03 +02:00
Gusted
c87655b7ff Merge pull request '[CHORE] Move cache & captcha library' (#5146) from gusted/forgejo-captcha into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5146
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-29 08:02:09 +00:00
Gusted
5a871f6095
[SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that use that JWT token.
- Integration test added.
- Resolves #5128
2024-08-28 10:33:32 +02:00
Gusted
0404662e99
[CHORE] Move captcha library
- This is a fork of https://github.com/dchest/captcha, as
https://gitea.com/go-chi/captcha is a fork of
github.com/go-macaron/captcha which is a fork (although not properly
credited) of an older version of https://github.com/dchest/captcha. Hence
why I've just forked the original.
- The fork includes some QoL improvements (uses standard library for
deterministic RNG instead of rolling your own crypto), and removal of
audio support (500KiB unused data that bloated the binary otherwise).
Flips the image over the x-axis.
47270f2b55..main
- This move is needed for the next commit, because
gitea.com/go-chi/captcha included the gitea.com/go-chi/cache dependency.
2024-08-27 21:28:16 +02:00
Earl Warren
9addaedaf3 Merge pull request '[gitea] week 2024-35 cherry pick (gitea/main -> forgejo)' (#5109) from algernon/wcp/2024-35 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5109
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-27 06:09:19 +00:00
Otto
e5ea08b38b Merge pull request 'feat: Improve diffs generated by Forgejo' (#5110) from fnetx/better-diffs into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5110
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-26 18:47:21 +00:00
Gusted
d623126103 Merge pull request '[PORT] Refactor the usage of batch catfile (gitea#31754)' (#5122) from gusted/forgejo-port-gt-31754 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5122
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 16:04:47 +00:00
Gusted
58ee9fdc4a feat: Improve diff being generated
Add `DiffCleanupSemantic` into the mix when generating diffs (PR review,
commit view and issue/comment history). This avoids trying to produce an
optimal diff and tries to reduce the amount of edits, by combining them
into larger edits, which is nicer and easier to 'look at'. There's no
need for a perfect minimal diff, as the output isn't being parsed by a
computer, it's parsed by people.

Ref: https://codeberg.org/forgejo/forgejo/issues/4996
2024-08-26 13:58:17 +02:00
Earl Warren
190b5a3859 Merge pull request '[FIX] Don't allow SSH authentication without ssh executable' (#5123) from gusted/forgejo-prevent-no-ssh into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5123
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 08:03:52 +00:00
Earl Warren
e2ae389184 Merge pull request '[CHORE] Move to new sessioner library' (#5090) from gusted/forgejo-sessioner-fork into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5090
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 07:31:56 +00:00
Gusted
1a68d14cf8
[FIX] Don't allow SSH authentication without ssh executable
- Follow up of #4819
- When no `ssh` executable is present, disable the UI and backend bits
that allow the creation of push mirrors that use SSH authentication. As
this feature requires the usage of the `ssh` binary.
- Integration test added.
2024-08-26 08:58:35 +02:00
Gusted
b44dcf553c
[TESTS] Fix usage of LoadRepoCommit
It loads the Commit with a temporary open GitRepo. This is incorrect,
the GitRepo should be open as long as the Commit can be used. This
mainly removes the usage of this function as it's not needed.
2024-08-26 08:03:48 +02:00
Lunny Xiao
3ade4d9b2b
Don't return 500 if mirror url contains special chars (#31859)
Fix #31640

(cherry picked from commit d158472a5a9ead8052095b153821a9f26c294452)
2024-08-25 11:56:35 +02:00
Rowan Bohde
1b845b2722
add CfTurnstileSitekey context data to all captcha templates (#31874)
In the OpenID flows, the "CfTurnstileSitekey" wasn't populated, which
caused those flows to fail if using Turnstile as the Captcha
implementation.

This adds the missing context variables, allowing Turnstile to be used
in the OpenID flows.

(cherry picked from commit 0d24c9f383255605d68a92cc5f087c3f16a1d735)
2024-08-25 10:47:02 +02:00
Gusted
fc40a5e242
[CHORE] Move to new sessioner library
- Moves to a fork of gitea.com/go-chi/session that removed support for
couchbase (and ledis, but that was never made available in Forgejo)
along with other code improvements.
f8ce677595..main
- The rationale for removing Couchbase is quite simple. It's not licensed
under a FOSS license (https://www.couchbase.com/blog/couchbase-adopts-bsl-license/)
and therefore cannot be tested by Forgejo and shouldn't be supported.
This is in a similar vein to the removal of MSSQL
support (https://codeberg.org/forgejo/discussions/issues/122)
- An additional benefit is that this reduces the Forgejo binary by ~600Kb.
2024-08-25 03:47:08 +02:00
Gusted
5dbacb70f4 Merge pull request 'Allow pushmirror to use publickey authentication' (#4819) from ironmagma/forgejo:publickey-auth-push-mirror into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4819
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-24 16:53:56 +00:00
Bram Hagens
7f62acb4d9 ui: fix go to citation button url (#4597)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4597
Reviewed-by: Ghost <twenty-panda@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Bram Hagens <bram@bramh.me>
Co-committed-by: Bram Hagens <bram@bramh.me>
2024-08-22 15:36:12 +00:00
Philip Peterson
03508b33a8
[FEAT] Allow pushmirror to use publickey authentication
- Continuation of https://github.com/go-gitea/gitea/pull/18835 (by
@Gusted, so it's fine to change copyright holder to Forgejo).
- Add the option to use SSH for push mirrors, this would allow for the
deploy keys feature to be used and not require tokens to be used which
cannot be limited to a specific repository. The private key is stored
encrypted (via the `keying` module) on the database and NEVER given to
the user, to avoid accidental exposure and misuse.
- CAVEAT: This does require the `ssh` binary to be present, which may
not be available in containerized environments, this could be solved by
adding an SSH client into forgejo itself and use the forgejo binary as
SSH command, but should be done in another PR.
- CAVEAT: Mirroring of LFS content is not supported, this would require
the previous stated problem to be solved due to LFS authentication (an
attempt was made at forgejo/forgejo#2544).
- Integration test added.
- Resolves #4416
2024-08-22 17:05:07 +02:00