Commit graph

167 commits

Author SHA1 Message Date
Earl Warren
e2ae389184 Merge pull request '[CHORE] Move to new sessioner library' (#5090) from gusted/forgejo-sessioner-fork into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5090
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 07:31:56 +00:00
Gusted
fc40a5e242
[CHORE] Move to new sessioner library
- Moves to a fork of gitea.com/go-chi/session that removed support for
couchbase (and ledis, but that was never made available in Forgejo)
along with other code improvements.
f8ce677595..main
- The rationale for removing Couchbase is quite simple. Its not licensed
under FOSS
license (https://www.couchbase.com/blog/couchbase-adopts-bsl-license/)
and therefore cannot be tested by Forgejo and shouldn't be supported.
This is a similair vein to the removal of MSSQL
support (https://codeberg.org/forgejo/discussions/issues/122)
- A additional benefit is that this reduces the Forgejo binary by ~600Kb.
2024-08-25 03:47:08 +02:00
Gusted
0692cc2cc1
[BUG] First user created through reverse proxy should be admin
- Currently users created through the reverse proxy aren't created
trough the normal route of `createAndHandleCreatedUser` as this does a
lot of other routines which aren't necessary for the reverse proxy auth,
however one routine is important to have: the first created user should
be an admin. This patch adds that code
- Adds unit test.
- Resolves #4437
2024-08-19 21:04:35 +02:00
Marcell Mars
d6647f710f tests additional grant scopes
- parsing scopes in `grantAdditionalScopes`
- read basic user info if `read:user`
- fail reading repository info if only `read:user`
- read repository info if `read:repository`
- if `setting.OAuth2.EnabledAdditionalGrantScopes` not provided it reads
  all groups (public+private)
- if `setting.OAuth2.EnabledAdditionalGrantScopes` provided it reads
  only public groups
- if `setting.OAuth2.EnabledAdditionalGrantScopes` and `read:organization`
 provided it reads all groups
2024-08-09 14:58:15 +02:00
Marcell Mars
4eb8d8c496 OAuth2 provider: support for granular scopes
- `CheckOAuthAccessToken` returns both user ID and additional scopes
- `grantAdditionalScopes` returns AccessTokenScope ready string (grantScopes)
   compiled from requested additional scopes by the client
- `userIDFromToken` sets returned grantScopes (if any) instead of default `all`
2024-08-09 14:58:15 +02:00
TheFox0x7
4de909747b Add testifylint to lint checks (#4535)
go-require lint is ignored for now

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com>
2024-07-30 19:41:10 +00:00
Rowan Bohde
21fdd28f08
allow synchronizing user status from OAuth2 login providers (#31572)
This leverages the existing `sync_external_users` cron job to
synchronize the `IsActive` flag on users who use an OAuth2 provider set
to synchronize. This synchronization is done by checking for expired
access tokens, and using the stored refresh token to request a new
access token. If the response back from the OAuth2 provider is the
`invalid_grant` error code, the user is marked as inactive. However, the
user is able to reactivate their account by logging in the web browser
through their OAuth2 flow.

Also changed to support this is that a linked `ExternalLoginUser` is
always created upon a login or signup via OAuth2.

Ideally, we would also refresh permissions from the configured OAuth
provider (e.g., admin, restricted and group mappings) to match the
implementation of LDAP. However, the OAuth library used for this `goth`,
doesn't seem to support issuing a session via refresh tokens. The
interface provides a [`RefreshToken`
method](https://github.com/markbates/goth/blob/master/provider.go#L20),
but the returned `oauth.Token` doesn't implement the `goth.Session` we
would need to call `FetchUser`. Due to specific implementations, we
would need to build a compatibility function for every provider, since
they cast to concrete types (e.g.
[Azure](https://github.com/markbates/goth/blob/master/providers/azureadv2/azureadv2.go#L132))

---------

Co-authored-by: Kyle D <kdumontnu@gmail.com>
(cherry picked from commit 416c36f3034e228a27258b5a8a15eec4e5e426ba)

Conflicts:
	- tests/integration/auth_ldap_test.go
	  Trivial conflict resolved by manually applying the change.
	- routers/web/auth/oauth.go
	  Technically not a conflict, but the original PR removed the
	  modules/util import, which in our version, is still in use. Added it
	  back.
2024-07-22 15:44:13 +02:00
silverwind
9792a377e4
Fix tautological conditions (#30735)
As discovered by https://github.com/go-gitea/gitea/pull/30729.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 610802df85933e7a190a705bc3f7800da87ce868)

Conflicts:
	tests/integration/git_test.go
	trivial conflict because of https://codeberg.org/forgejo/forgejo/pulls/2834
2024-05-05 08:59:40 +01:00
Earl Warren
79ffb2de47 Merge pull request '[gitea] week 2024-18 cherry pick (gitea-github/main -> forgejo)' (#3513) from earl-warren/wcp/2024-18 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3513
Reviewed-by: jean-daricade <jean-daricade@noreply.codeberg.org>
2024-04-30 06:42:26 +00:00
oliverpool
e1d93950ad feat: implement PKCE when acting as oauth2 client (for user login)
Closes #2766
2024-04-29 11:20:26 +02:00
silverwind
12b199c5e5
Enable more revive linter rules (#30608)
Noteable additions:

- `redefines-builtin-id` forbid variable names that shadow go builtins
- `empty-lines` remove unnecessary empty lines that `gofumpt` does not
remove for some reason
- `superfluous-else` eliminate more superfluous `else` branches

Rules are also sorted alphabetically and I cleaned up various parts of
`.golangci.yml`.

(cherry picked from commit 74f0c84fa4245a20ce6fb87dac1faf2aeeded2a2)

Conflicts:
	.golangci.yml
	apply the linter recommendations to Forgejo code as well
2024-04-28 15:39:00 +02:00
Baptiste Daroussin
08f5a25d3b ldap: default domain name (#3414)
When the ldap synchronizer is look for an email address and fails at
finding one, it falls back at creating one using "localhost.local"
domain.

This new field makes this domain name configurable.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3414
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Baptiste Daroussin <bapt@FreeBSD.org>
Co-committed-by: Baptiste Daroussin <bapt@FreeBSD.org>
2024-04-26 22:38:58 +00:00
Earl Warren
7cabc5670d
Implement remote user login source and promotion to regular user
A remote user (UserTypeRemoteUser) is a placeholder that can be
promoted to a regular user (UserTypeIndividual). It represents users
that exist somewhere else. Although the UserTypeRemoteUser already
exists in Forgejo, it is neither used or documented.

A new login type / source (Remote) is introduced and set to be the login type
of remote users.

Type        UserTypeRemoteUser
LogingType  Remote

The association between a remote user and its counterpart in another
environment (for instance another forge) is via the OAuth2 login
source:

LoginName   set to the unique identifier relative to the login source
LoginSource set to the identifier of the remote source

For instance when migrating from GitLab.com, a user can be created as
if it was authenticated using GitLab.com as an OAuth2 authentication
source.

When a user authenticates to Forejo from the same authentication
source and the identifier match, the remote user is promoted to a
regular user. For instance if 43 is the ID of the GitLab.com OAuth2
login source, 88 is the ID of the Remote loging source, and 48323
is the identifier of the foo user:

Type        UserTypeRemoteUser
LogingType  Remote
LoginName   48323
LoginSource 88
Email       (empty)
Name        foo

Will be promoted to the following when the user foo authenticates to
the Forgejo instance using GitLab.com as an OAuth2 provider. All users
with a LoginType of Remote and a LoginName of 48323 are examined. If
the LoginSource has a provider name that matches the provider name of
GitLab.com (usually just "gitlab"), it is a match and can be promoted.

The email is obtained via the OAuth2 provider and the user set to:

Type        UserTypeIndividual
LogingType  OAuth2
LoginName   48323
LoginSource 43
Email       foo@example.com
Name        foo

Note: the Remote login source is an indirection to the actual login
source, i.e. the provider string my be set to a login source that does
not exist yet.
2024-04-25 13:03:49 +02:00
Jonathan Tran
7ff74a47c8
fix: Fix to delete cookie when AppSubURL is non-empty (#30375)
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
(cherry picked from commit b18c04ebde94e23d97da4958173faea843d5344f)
2024-04-15 20:01:36 +02:00
silverwind
c82bef515e
Migrate margin and padding helpers to tailwind (#30043)
This will conclude the refactor of 1:1 class replacements to tailwind,
except `gt-hidden`. Commands ran:

```bash
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-0#tw-$1$2-0#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-1#tw-$1$2-0.5#g' {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-2#tw-$1$2-1#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-3#tw-$1$2-2#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-4#tw-$1$2-4#g'   {web_src/js,templates,routers,services}/**/*
perl -p -i -e 's#gt-(p|m)([lrtbxy])?-5#tw-$1$2-8#g'   {web_src/js,templates,routers,services}/**/*
```

(cherry picked from commit 68ec9b48592fe88765bcc3a73093d43c98b315de)

Conflicts:
	routers/web/repo/view.go
	templates/base/head_navbar.tmpl
	templates/repo/code/recently_pushed_new_branches.tmpl
	templates/repo/diff/box.tmpl
	templates/repo/diff/compare.tmpl
	templates/repo/diff/conversation.tmpl
	templates/repo/header.tmpl
	templates/repo/issue/filter_list.tmpl
	templates/repo/issue/view_content/conversation.tmpl
	templates/repo/issue/view_content/sidebar.tmpl
	templates/repo/settings/options.tmpl
	templates/repo/view_file.tmpl
	templates/shared/user/blocked_users.tmpl
	templates/status/500.tmpl
	web_src/js/components/DashboardRepoList.vue
	resolved by prefering Forgejo version and applying the
	commands to all files
2024-03-30 07:17:29 +01:00
Lunny Xiao
cb656d1a43
Fix the bug that user may logout if he switch pages too fast (#29962)
This PR fixed a bug when the user switching pages too fast, he will
logout automatically.

The reason is that when the error is context cancelled, the previous
code think user hasn't login then the session will be deleted. Now it
will return the errors but not think it's not login.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 82db9a2ba77d2a6c470b62be3c82b73c0a544fcc)
2024-03-26 19:04:26 +01:00
silverwind
0802784744
Replace more gt- with tw- (#29678)
This will conclude the trivial class replacements.

(cherry picked from commit 82e102f8b09faf1ac2786ccad36d4a20fcb392b8)
2024-03-11 23:36:59 +07:00
6543
e2371743d5
remove util.OptionalBool and related functions (#29513)
and migrate affected code

_last refactoring bits to replace **util.OptionalBool** with
**optional.Option[bool]**_

(cherry picked from commit a3f05d0d98408bb47333b19f505b21afcefa9e7c)

Conflicts:
	services/repository/branch.go
	trivial context conflict
2024-03-06 12:10:46 +08:00
Lunny Xiao
894d9b2836
Move context from modules to services (#29440)
Since `modules/context` has to depend on `models` and many other
packages, it should be moved from `modules/context` to
`services/context` according to design principles. There is no logic
code change on this PR, only move packages.

- Move `code.gitea.io/gitea/modules/context` to
`code.gitea.io/gitea/services/context`
- Move `code.gitea.io/gitea/modules/contexttest` to
`code.gitea.io/gitea/services/contexttest` because of depending on
context
- Move `code.gitea.io/gitea/modules/upload` to
`code.gitea.io/gitea/services/context/upload` because of depending on
context

(cherry picked from commit 29f149bd9f517225a3c9f1ca3fb0a7b5325af696)

Conflicts:
	routers/api/packages/alpine/alpine.go
	routers/api/v1/repo/issue_reaction.go
	routers/install/install.go
	routers/web/admin/config.go
	routers/web/passkey.go
	routers/web/repo/search.go
	routers/web/repo/setting/default_branch.go
	routers/web/user/home.go
	routers/web/user/profile.go
	tests/integration/editor_test.go
	tests/integration/integration_test.go
	tests/integration/mirror_push_test.go
	trivial context conflicts
	also modified all other occurrences in Forgejo specific files
2024-03-06 12:10:43 +08:00
Zettat123
826bf12bb4
Fix tarball/zipball download bug (#29342)
Fix #29249

~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~

Apply #26430 to archive download URLs.

(cherry picked from commit b762a1f1b1f7941a7db2207552d7b441d868cbe9)
2024-02-26 22:30:26 +01:00
6543
8ff858b94b
Start to migrate from util.OptionalBool to optional.Option[bool] (#29329)
just create transition helper and migrate two structs

(cherry picked from commit 7fbdb60fc1152acc9a040dc04b1b0f5a3475b081)
2024-02-26 22:30:26 +01:00
Johan Van de Wauw
5fffab8d9d
Fix c/p error in inline documentation (#29148)
Fix small copy/paste error in inline documentation

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 740c6a226c4df26432641018fbfd9186977d573f)
2024-02-19 22:58:33 +01:00
wxiaoguang
62d3e5255f
Port "Use general token signing secret"
Port of https://github.com/go-gitea/gitea/pull/29205

Use a clearly defined "signing secret" for token signing.

(cherry picked from commit 8be198cdef0a486f417663b1fd6878458d7e5d92)
2024-02-19 20:49:37 +01:00
Loïc Dachary
e57504f278
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
(cherry picked from commit 7b0549cd70aa7cafec853e15b25270847c59850b)
(cherry picked from commit 13e10a65d974c7b594681bfa36402a6144862116)
(cherry picked from commit 65bdd73cf27895a9fb8db2a95ef4f5b08951481d)
(cherry picked from commit 64eba8bb923176b4c286b1d0c83792f3c3005ca8)
(cherry picked from commit 4c49b1a759abe3604afc1121e83c9a942016ad6a)
(cherry picked from commit 93b4d0640683ea986657453b1fce49a00c861764)
(cherry picked from commit e2bc5f36d958f4349160ec145719c302d4023cd0)
(cherry picked from commit 2bee76f9dfa998c83ea4fe648997fad0b6224fa9)
(cherry picked from commit 3d8a1b4a9fb9dc55bbd62fd8855ea85e58dc263f)
(cherry picked from commit 99dd092cd02d7af8374acf454833ce1c05fd4fd9)
(cherry picked from commit 0fdbd02204d533f907cd22c83c73bf0156ec4a88)
(cherry picked from commit 70b277a183c0d85966fa84e9b054f164ae2d2a44)
(cherry picked from commit 3eece7fbb4e67d970d8979d0d60a58ee2a195ea5)
(cherry picked from commit 4838fc9e1145a74c56926de68854234604b5e38f)
(cherry picked from commit b76ed541cf4d73702a83d6b96f8618b6f8c44393)
(cherry picked from commit dcdfb5b65c6fbf50798a0c49d0f879dd1285ee41)
(cherry picked from commit 377dc48cdc3b1c2bcc95f86a7bf3602468ac5c39)
(cherry picked from commit acc862f411c79f7832c8ba2c182af738f25f4f8b)
(cherry picked from commit ac75ef101f89d58442760cec21a3f3f9199d4710)
(cherry picked from commit 08f2d9f7c5b0d51358b009b0b38b626b231ec32b)
(cherry picked from commit e4096f0b6441ba68719146e5a48ef44233e27a86)
(cherry picked from commit bf5876f06224ac90e931f2f47b66a5b9c38b2a87)
(cherry picked from commit 7dc60637e5e097b5dbc38e068ee7ba553385b496)
(cherry picked from commit ef3101774ba5083e259d84db9997ff0aaddab14c)
(cherry picked from commit ecb9e8867c3503387cbaf97df27d8c60a840f4a4)
(cherry picked from commit 64f0ae72fec30ea443d73f8566c140682e7b9838)
(cherry picked from commit 8dd6ec786294741361f79c08b0c051d2258bda02)
(cherry picked from commit b36723e52b975d2e57af363db1d9118f48feade1)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb823f2bad52224859ca326afb33bfd4b)
(cherry picked from commit 1d87602819be9f87bf9d06203c37160568c18e78)
(cherry picked from commit 0f72002d667224a75a4924ebb5557eca8bddbe70)
(cherry picked from commit da2556eb13a2c976d1630315dbee8c3bc5444a11)
(cherry picked from commit c01688cd900369b8cbed961f6a841ea536b07207)
(cherry picked from commit af4bba832962ce4db3327c140283ce5b8d2cf6a5)
(cherry picked from commit 33ca322c2ea7b05fcab084e06f8b3a6d65125808)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d4481592681ae127b723f11076c37bb91)
(cherry picked from commit 27c4797c9fb3c42be252223ac0add0605f18acba)
(cherry picked from commit 46588e0fea8f505de6c1a4384ae88f1cd661eea2)
(cherry picked from commit b8a02ef220e3fb034d4204d5c70ffe4df72e7afd)
(cherry picked from commit 05e2f49b78214d7fd48f4b31d1c9b1a7917a5e10)
(cherry picked from commit e4df86d312b32f38753bf7ce1ae7953e49095d5c)
(cherry picked from commit f36e06da43110c177e5e9db21a50cc96885f3e2c)
(cherry picked from commit 64d336c287880a774d8eaa41193cad84e291e4b5)
(cherry picked from commit 2af1cbb017f372e41482240cf0cb0af51d77e2cf)
(cherry picked from commit 920741a9d667bb3b61665669932b449722883fab)
(cherry picked from commit 6cbb37c8c47eb32289d0d65ad9de3cd7fff947fe)
(cherry picked from commit 539cceca39f475c66d7d4fc64e10667664731f76)
2024-02-05 16:05:01 +01:00
Gusted
c6a53c3172
[SECURITY] Rework long-term authentication
- This is a 'front-port' of the already existing patch on v1.21 and
v1.20, but applied on top of what Gitea has done to rework the LTA
mechanism. Forgejo will stick with the reworked mechanism by the Forgejo
Security team for the time being. The removal of legacy code (AES-GCM) has been
left out.
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit e3d6622a63da9c33eed1e3d102cf28a92ff653d6)
(cherry picked from commit fef1a6dac5e25579e42d40209c4cfc06879948b9)
(cherry picked from commit b0c5165145fa52f2f7bbec1f50b308bdf1d20ef3)
(cherry picked from commit 7ad51b9f8d0647eecacd258f6ee26155da3872e1)
(cherry picked from commit 64f053f3834e764112cde26bb0d16c5e88d6b2af)
(cherry picked from commit f5e78e4c204ce50b800645d614218b6b6096eecb)

Conflicts:
	services/auth/auth_token_test.go
	https://codeberg.org/forgejo/forgejo/pulls/2069
(cherry picked from commit f69fc23d4bbadf388c7857040ee0774b824e418e)
(cherry picked from commit d955ab3ab02cbb7f1245a8cddec426d64d3ac500)
(cherry picked from commit 9220088f902a25c4690bcabf5a40a8d02e784182)
(cherry picked from commit c73ac636962c41c71814c273510146f0533264ab)
(cherry picked from commit 747a176048ea93085b406429db0e25bb21912eda)

Conflicts:
	models/user/user.go
	routers/web/user/setting/account.go
	https://codeberg.org/forgejo/forgejo/pulls/2295
2024-02-05 15:06:15 +01:00
KN4CK3R
f8b471ace1
Unify user update methods (#28733)
Fixes #28660
Fixes an admin api bug related to `user.LoginSource`
Fixed `/user/emails` response not identical to GitHub api

This PR unifies the user update methods. The goal is to keep the logic
only at one place (having audit logs in mind). For example, do the
password checks only in one method not everywhere a password is updated.

After that PR is merged, the user creation should be next.
2024-02-04 13:29:09 +00:00
KN4CK3R
fc1bae00a4
Fix SSPI user creation (#28948)
Fixes #28945

Setting the avatar is wrong and creating a random password is equal to
leave it empty.
2024-01-27 09:27:34 +00:00
wxiaoguang
e743570f65
Refactor timeutil package (#28623)
1. make names more readable
2. remove unused FormatLong/FormatShort
3. use `FormatDate` instead of `Format "2006-01-02"`
2023-12-28 10:09:57 +00:00
Jack Hay
4e879fed90
Deprecate query string auth tokens (#28390)
## Changes
- Add deprecation warning to `Token` and `AccessToken` authentication
methods in swagger.
- Add deprecation warning header to API response. Example: 
  ```
  HTTP/1.1 200 OK
  ...
  Warning: token and access_token API authentication is deprecated
  ...
  ```
- Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth
tokens entirely. Default is `false`

## Next steps
- `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and
the methods should be removed in swagger
- `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of
the auth methods in question should be removed

## Open questions
- Should there be further changes to the swagger documentation?
Deprecation is not yet supported for security definitions (coming in
[OpenAPI Spec version
3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506))
- Should the API router logger sanitize urls that use `token` or
`access_token`? (This is obviously an insufficient solution on its own)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-12-12 03:48:53 +00:00
Lunny Xiao
df1e7d0067
Use db.Find instead of writing methods for every object (#28084)
For those simple objects, it's unnecessary to write the find and count
methods again and again.
2023-11-24 03:49:41 +00:00
KN4CK3R
4f4fea734c
Unify two factor check (#27915)
Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.
2023-11-06 08:22:39 +00:00
Lunny Xiao
1bf5527eac
Refactor Find Sources and fix bug when view a user who belongs to an unactive auth source (#27798)
The steps to reproduce it.

First, create a new oauth2 source.
Then, a user login with this oauth2 source.
Disable the oauth2 source.
Visit users -> settings -> security, 500 will be displayed.
This is because this page only load active Oauth2 sources but not all
Oauth2 sources.
2023-11-03 01:41:00 +00:00
Lunny Xiao
cddf245c12
Replace more db.DefaultContext (#27628)
Target #27065
2023-10-15 17:46:06 +02:00
JakobDev
76a85a4ce9
Final round of db.DefaultContext refactor (#27587)
Last part of #27065
2023-10-14 08:37:24 +00:00
KN4CK3R
c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
JakobDev
ebe803e514
Penultimate round of db.DefaultContext refactor (#27414)
Part of #27065

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-10-11 04:24:07 +00:00
Lunny Xiao
5c9fbcca00
Fix attachment download bug (#27486) 2023-10-10 15:33:56 +00:00
CaiCandong
7ad31567cd
Fix ldap admin privileges update bug (#27051)
When the user does not set a username lookup condition, LDAP will get an
empty string `""` for the user, hence the following code
```
if isExist, err := user_model.IsUserExist(db.DefaultContext, 0, sr.Username)
```
The user presence determination will always be nonexistent, so updates
to user information will never be performed.


Fix #27049
2023-10-01 11:32:12 +00:00
Lunny Xiao
6e87a44034
Allow get release download files and lfs files with oauth2 token format (#26430)
Fix #26165
Fix #25257
2023-10-01 10:41:52 +00:00
JakobDev
7047df36d4
Another round of db.DefaultContext refactor (#27103)
Part of #27065

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-09-25 13:17:37 +00:00
silverwind
1b1c55f73f
Increase auth provider icon size on login page (#27122)
Before, 20px:
<img width="474" alt="Screenshot 2023-09-19 at 00 10 05"
src="https://github.com/go-gitea/gitea/assets/115237/4bed4edb-219d-4844-9d3c-0d747033b09f">

After, 28px:
<img width="576" alt="Screenshot 2023-09-19 at 00 20 40"
src="https://github.com/go-gitea/gitea/assets/115237/f482ac09-38ae-4c84-80d9-0bd39b7f9772">


Dropdown in account settings is unchanged at 20px:
<img width="157" alt="Screenshot 2023-09-19 at 00 09 11"
src="https://github.com/go-gitea/gitea/assets/115237/9c998cdf-eeed-4118-9262-664faaa56092">

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-09-19 21:47:13 +00:00
wxiaoguang
8531ca0837
Make SSPI auth mockable (#27036)
Before, the SSPI auth is only complied for Windows, it's difficult to
test and it breaks a lot.

Now, make the SSPI auth mockable and testable.
2023-09-17 23:32:56 +00:00
JakobDev
c548dde205
More refactoring of db.DefaultContext (#27083)
Next step of #27065
2023-09-15 06:13:19 +00:00
JakobDev
76659b1114
Reduce usage of db.DefaultContext (#27073)
Part of #27065

This reduces the usage of `db.DefaultContext`. I think I've got enough
files for the first PR. When this is merged, I will continue working on
this.

Considering how many files this PR affect, I hope it won't take to long
to merge, so I don't end up in the merge conflict hell.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 17:09:32 +00:00
KN4CK3R
591f586bf1
Extract auth middleware from service (#27028)
Related #27027

Extract the router logic from `services/auth/middleware.go` into
`routers/web` <-> `routers/common` <-> `routers/api`.
2023-09-12 08:15:16 +02:00
Sven Seeberg
5f7fa27a44
Improve LDAP group config documentation, fixes #21159 (#21227)
Improve the wording of the LDAP group attributes documentation and
expand the examples.
2023-09-05 13:18:53 -04:00
KN4CK3R
0eebeeec90
Remove Named interface (#26913)
`Named` is implemented by every `Method` and future implementations
should implement the method too.
2023-09-05 15:58:30 +00:00
Jack Hay
c0ab7070e5
Update team invitation email link (#26550)
Co-authored-by: Kyle D <kdumontnu@gmail.com>
Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
2023-08-31 16:26:13 +00:00
KN4CK3R
5315153059
Use Set[Type] instead of map[Type]bool/struct{}. (#26804) 2023-08-30 06:55:25 +00:00
wxiaoguang
c91a7e8dbb
Use object-fit: contain for oauth2 custom icons (#26493) 2023-08-14 16:21:04 +00:00