- When people click on the logout button, a event is sent to all
browser tabs (actually to a shared worker) to notify them of this
logout. This is done in a blocking fashion, to ensure every registered
channel (which realistically should be one for every user because of the
shared worker) for a user receives this message. While doing this, it
locks the mutex for the eventsource module.
- Codeberg is currently observing a deadlock that's caused by this
blocking behavior, a channel isn't receiving the logout event. We
currently don't have a good theory of why this is being caused. This in
turn is causing that the logout functionality is no longer working and
people no longer receive notifications, unless they refresh the page.
- This patchs makes this message non-blocking and thus making it
consistent with the other messages. We don't see a good reason why this
specific event needs to be blocking and the commit introducing it
doesn't offer a rationale either.
This leverages the existing `sync_external_users` cron job to
synchronize the `IsActive` flag on users who use an OAuth2 provider set
to synchronize. This synchronization is done by checking for expired
access tokens, and using the stored refresh token to request a new
access token. If the response back from the OAuth2 provider is the
`invalid_grant` error code, the user is marked as inactive. However, the
user is able to reactivate their account by logging in the web browser
through their OAuth2 flow.
Also changed to support this is that a linked `ExternalLoginUser` is
always created upon a login or signup via OAuth2.
Ideally, we would also refresh permissions from the configured OAuth
provider (e.g., admin, restricted and group mappings) to match the
implementation of LDAP. However, the OAuth library used for this `goth`,
doesn't seem to support issuing a session via refresh tokens. The
interface provides a [`RefreshToken`
method](https://github.com/markbates/goth/blob/master/provider.go#L20),
but the returned `oauth.Token` doesn't implement the `goth.Session` we
would need to call `FetchUser`. Due to specific implementations, we
would need to build a compatibility function for every provider, since
they cast to concrete types (e.g.
[Azure](https://github.com/markbates/goth/blob/master/providers/azureadv2/azureadv2.go#L132))
---------
Co-authored-by: Kyle D <kdumontnu@gmail.com>
(cherry picked from commit 416c36f3034e228a27258b5a8a15eec4e5e426ba)
Conflicts:
- tests/integration/auth_ldap_test.go
Trivial conflict resolved by manually applying the change.
- routers/web/auth/oauth.go
Technically not a conflict, but the original PR removed the
modules/util import, which in our version, is still in use. Added it
back.
Related to #2773
Related to Refactor URL detection [gitea#29960](https://github.com/go-gitea/gitea/pull/29960)
Related to Refactor external URL detection [gitea#29973](https://github.com/go-gitea/gitea/pull/29973)
I added a bunch of tests to `httplib.TestIsRiskyRedirectURL` and some cases should be better handled (however it is not an easy task).
I also ported the removal of `utils.IsExternalURL`, since it prevents duplicated (subtle) code.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3167
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
Since `modules/context` has to depend on `models` and many other
packages, it should be moved from `modules/context` to
`services/context` according to design principles. There is no logic
code change on this PR, only move packages.
- Move `code.gitea.io/gitea/modules/context` to
`code.gitea.io/gitea/services/context`
- Move `code.gitea.io/gitea/modules/contexttest` to
`code.gitea.io/gitea/services/contexttest` because of depending on
context
- Move `code.gitea.io/gitea/modules/upload` to
`code.gitea.io/gitea/services/context/upload` because of depending on
context
(cherry picked from commit 29f149bd9f517225a3c9f1ca3fb0a7b5325af696)
Conflicts:
routers/api/packages/alpine/alpine.go
routers/api/v1/repo/issue_reaction.go
routers/install/install.go
routers/web/admin/config.go
routers/web/passkey.go
routers/web/repo/search.go
routers/web/repo/setting/default_branch.go
routers/web/user/home.go
routers/web/user/profile.go
tests/integration/editor_test.go
tests/integration/integration_test.go
tests/integration/mirror_push_test.go
trivial context conflicts
also modified all other occurrences in Forgejo specific files
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes#2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
(cherry picked from commit e2da5d7fe13a685606913a131687a94f9f5fcfeb)
(cherry picked from commit 3a80534d4db523efe56b368489f81dc1cb2c99f7)
Sends email with information on the new user (time of creation and time of last sign-in) and a link to manage the new user from the admin panel
closes: https://codeberg.org/forgejo/forgejo/issues/480
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1371
Co-authored-by: Aravinth Manivannan <realaravinth@batsense.net>
Co-committed-by: Aravinth Manivannan <realaravinth@batsense.net>
(cherry picked from commit c721aa828ba6aec5ef95459cfc632a0a1f7463e9)
(cherry picked from commit 6487efcb9da61be1f802f1cd8007330153322770)
Conflicts:
modules/notification/base/notifier.go
modules/notification/base/null.go
modules/notification/notification.go
https://codeberg.org/forgejo/forgejo/pulls/1422
(cherry picked from commit 7ea66ee1c5dd21d9e6a43f961e8adc71ec79b806)
Conflicts:
services/notify/notifier.go
services/notify/notify.go
services/notify/null.go
https://codeberg.org/forgejo/forgejo/pulls/1469
(cherry picked from commit 7d2d9970115c94954dacb45684f9e3c16117ebfe)
(cherry picked from commit 435a54f14039408b315c99063bdce28c7ef6fe2f)
(cherry picked from commit 8ec7b3e4484383445fa2622a28bb4f5c990dd4f2)
[GITEA] notifies admins on new user registration (squash) performance bottleneck
Refs: https://codeberg.org/forgejo/forgejo/issues/1479
(cherry picked from commit 97ac9147ff3643cca0a059688c6b3c53479e28a7)
(cherry picked from commit 19f295c16bd392aa438477fa3c42038d63d1a06a)
(cherry picked from commit 3367dcb2cf5328e2afc89f7d5a008b64ede1c987)
[GITEA] notifies admins on new user registration (squash) cosmetic changes
Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 9f1670e040b469ed4346aa2689a75088e4e71c8b)
(cherry picked from commit de5bb2a224ab2ae9be891de1ee88a7454a07f7e9)
(cherry picked from commit 8f8e52f31a4da080465521747a2c5c0c51ed65e3)
(cherry picked from commit e0d51303129fe8763d87ed5f859eeae8f0cc6188)
(cherry picked from commit f1288d6d9bfc9150596cb2f7ddb7300cf7ab6952)
(cherry picked from commit 1db4736fd7cd75027f3cdf805e0f86c3a5f69c9d)
(cherry picked from commit e8dcbb6cd68064209cdbe054d5886710cbe2925d)
(cherry picked from commit 09625d647629b85397270e14dfe22258df2bcc43)
[GITEA] notifies admins on new user registration (squash) ctx.Locale
(cherry picked from commit dab7212fad44a252a1acf8da71b254b1a6715121)
(cherry picked from commit 9b7bbae8c4cd5dc4d36726f10870462c8985e543)
(cherry picked from commit f750b71d3db9a24dc2722effb8bbc2dded657cbb)
(cherry picked from commit f79af366796a8ab581bbfa1f5609dc721798ae68)
(cherry picked from commit e76eee334e446a45d841caf19a7c18eab89ca457)
[GITEA] notifies admins on new user registration (squash) fix locale
(cherry picked from commit 54cd100d8da37ccb0a545e2545995066f92180f0)
(cherry picked from commit 053dbd3d50d3c7d1afae8d31c25bda92ceb8f8c0)
[GITEA] notifies admins on new user registration (squash) fix URL
1. Use absolute URL in the admin panel link sent on new registrations
2. Include absolute URL of the newly signed-up user's profile.
New email looks like this:
<details><summary>Please click to expand</summary>
```
--153937b1864f158f4fd145c4b5d4a513568681dd489021dd466a8ad7b770
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
User Information: @realaravinth ( http://localhost:3000/realaravinth )
----------------------------------------------------------------------
* Created: 2023-12-13 19:36:50 +05:30
Please click here ( http://localhost:3000/admin/users/9 ) to manage the use=
r from the admin panel.
--153937b1864f158f4fd145c4b5d4a513568681dd489021dd466a8ad7b770
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8">
<title>New user realaravinth just signed up</title>
<style>
blockquote { padding-left: 1em; margin: 1em 0; border-left: 1px solid gre=
y; color: #777}
.footer { font-size:small; color:#666;}
</style>
</head>
<body>
<ul>
<h3>User Information: <a href=3D"http://localhost:3000/realaravinth">@rea=
laravinth</a></h3>
<li>Created: <relative-time format=3D"datetime" weekday=3D"" year=3D"nume=
ric" month=3D"short" day=3D"numeric" hour=3D"numeric" minute=3D"numeric" se=
cond=3D"numeric" datetime=3D"2023-12-13T19:36:50+05:30">2023-12-13 19:36:50=
+05:30</relative-time></li>
</ul>
<p> Please <a href=3D"http://localhost:3000/admin/users/9" rel=3D"nofollow=
">click here</a> to manage the user from the admin panel. </p>
</body>
</html>
--153937b1864f158f4fd145c4b5d4a513568681dd489021dd466a8ad7b770--
```
</details>
fixes: https://codeberg.org/forgejo/forgejo/issues/1927
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1940
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Aravinth Manivannan <realaravinth@batsense.net>
Co-committed-by: Aravinth Manivannan <realaravinth@batsense.net>
(cherry picked from commit b8d764e36a0cd8e60627805f87b84bb04152e9c1)
(cherry picked from commit d48b84f623e369222e5e15965f22e27d74ff4243)
Conflicts:
routers/web/auth/auth.go
https://codeberg.org/forgejo/forgejo/pulls/2034
(cherry picked from commit 02d3c125ccc97638849af33c7df315cbcb368127)
(cherry picked from commit 367374ecc3832bb47d29ff79370103f907d0ca99)
Conflicts:
models/user/user_test.go
https://codeberg.org/forgejo/forgejo/pulls/2119
(cherry picked from commit 4124fa5aa41c36b3ab3cc1c65d0e3d5e05ec4086)
(cherry picked from commit 7f12610ff63d4907631d8cddcd7a49ae6f6e1508)
[GITEA] notifies admins on new user registration (squash) DeleteByID
trivial conflict because of
778ad795fd Refactor deletion (#28610)
(cherry picked from commit 05682614e5ef2462cbb6a1635ca01e296fe03d23)
(cherry picked from commit 64bd374803a76c97619fe1e28bfc74f99ec91677)
(cherry picked from commit 63d086f666a880b48d034b129e535fcfc82acf7d)
(cherry picked from commit 3cd48ef4d53c55a81c97f1b666b8d4ba16a967c4)
Conflicts:
options/locale/locale_en-US.ini
https://codeberg.org/forgejo/forgejo/pulls/2249
(cherry picked from commit 6578ec4ed64c8624bc202cefb18d67870eec1336)
Conflicts:
routers/web/auth/auth.go
https://codeberg.org/forgejo/forgejo/pulls/2300
- This is a 'front-port' of the already existing patch on v1.21 and
v1.20, but applied on top of what Gitea has done to rework the LTA
mechanism. Forgejo will stick with the reworked mechanism by the Forgejo
Security team for the time being. The removal of legacy code (AES-GCM) has been
left out.
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.
(cherry picked from commit e3d6622a63da9c33eed1e3d102cf28a92ff653d6)
(cherry picked from commit fef1a6dac5e25579e42d40209c4cfc06879948b9)
(cherry picked from commit b0c5165145fa52f2f7bbec1f50b308bdf1d20ef3)
(cherry picked from commit 7ad51b9f8d0647eecacd258f6ee26155da3872e1)
(cherry picked from commit 64f053f3834e764112cde26bb0d16c5e88d6b2af)
(cherry picked from commit f5e78e4c204ce50b800645d614218b6b6096eecb)
Conflicts:
services/auth/auth_token_test.go
https://codeberg.org/forgejo/forgejo/pulls/2069
(cherry picked from commit f69fc23d4bbadf388c7857040ee0774b824e418e)
(cherry picked from commit d955ab3ab02cbb7f1245a8cddec426d64d3ac500)
(cherry picked from commit 9220088f902a25c4690bcabf5a40a8d02e784182)
(cherry picked from commit c73ac636962c41c71814c273510146f0533264ab)
(cherry picked from commit 747a176048ea93085b406429db0e25bb21912eda)
Conflicts:
models/user/user.go
routers/web/user/setting/account.go
https://codeberg.org/forgejo/forgejo/pulls/2295
Fixes#28660
Fixes an admin api bug related to `user.LoginSource`
Fixed `/user/emails` response not identical to GitHub api
This PR unifies the user update methods. The goal is to keep the logic
only at one place (having audit logs in mind). For example, do the
password checks only in one method not everywhere a password is updated.
After that PR is merged, the user creation should be next.
Nowadays, cache will be used on almost everywhere of Gitea and it cannot
be disabled, otherwise some features will become unaviable.
Then I think we can just remove the option for cache enable. That means
cache cannot be disabled.
But of course, we can still use cache configuration to set how should
Gitea use the cache.
The steps to reproduce it.
First, create a new oauth2 source.
Then, a user login with this oauth2 source.
Disable the oauth2 source.
Visit users -> settings -> security, 500 will be displayed.
This is because this page only load active Oauth2 sources but not all
Oauth2 sources.
Closes#27455
> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
>
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.
The PR removes the now obsolete setting `COOKIE_USERNAME`.
Part of #27065
This reduces the usage of `db.DefaultContext`. I think I've got enough
files for the first PR. When this is merged, I will continue working on
this.
Considering how many files this PR affect, I hope it won't take to long
to merge, so I don't end up in the merge conflict hell.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The "modules/context.go" is too large to maintain.
This PR splits it to separate files, eg: context_request.go,
context_response.go, context_serve.go
This PR will help:
1. The future refactoring for Gitea's web context (eg: simplify the context)
2. Introduce proper "range request" support
3. Introduce context function
This PR only moves code, doesn't change any logic.
Close#24062
At the beginning, I just wanted to fix the warning mentioned by #24062
But, the cookie code really doesn't look good to me, so clean up them.
Complete the TODO on `SetCookie`:
> TODO: Copied from gitea.com/macaron/macaron and should be improved
after macaron removed.
This PR refactors and improves the password hashing code within gitea
and makes it possible for server administrators to set the password
hashing parameters
In addition it takes the opportunity to adjust the settings for `pbkdf2`
in order to make the hashing a little stronger.
The majority of this work was inspired by PR #14751 and I would like to
thank @boppy for their work on this.
Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing
parameters.
Close#14751
---------
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
On activating local accounts, the error message didn't differentiate
between using a wrong or expired token, or a wrong password. The result
could already be obtained from the behaviour (different screens were
presented), but the error message was misleading and lead to confusion
for new users on Codeberg with Forgejo.
Now, entering a wrong password for a valid token prints a different
error message.
The problem was introduced in 0f14f69e60.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Change all license headers to comply with REUSE specification.
Fix#16132
Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Enable this to require captcha validation for user login. You also must
enable `ENABLE_CAPTCHA`.
Summary:
- Consolidate CAPTCHA template
- add CAPTCHA handle and context
- add `REQUIRE_CAPTCHA_FOR_LOGIN` config and docs
- Consolidate CAPTCHA set-up and verification code
Partially resolved#6049
Signed-off-by: Xinyu Zhou <i@sourcehut.net>
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
- Completely remove U2F support from 1.18.0, 1.17.0 will be the last
release that U2F is somewhat supported. Users who used U2F would already
be warned about using U2F for a while now and should hopefully already
be migrated. But starting 1.18 definitely remove it.
* Prototyping
* Start work on creating offsets
* Modify tests
* Start prototyping with actual MPH
* Twiddle around
* Twiddle around comments
* Convert templates
* Fix external languages
* Fix latest translation
* Fix some test
* Tidy up code
* Use simple map
* go mod tidy
* Move back to data structure
- Uses less memory by creating for each language a map.
* Apply suggestions from code review
Co-authored-by: delvh <dev.lh@web.de>
* Add some comments
* Fix tests
* Try to fix tests
* Use en-US as defacto fallback
* Use correct slices
* refactor (#4)
* Remove TryTr, add log for missing translation key
* Refactor i18n
- Separate dev and production locale stores.
- Allow for live-reloading in dev mode.
Co-authored-by: zeripath <art27@cantab.net>
* Fix live-reloading & check for errors
* Make linter happy
* live-reload with periodic check (#5)
* Fix tests
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
The cache service can be disabled - at which point ctx.Cache will be nil
and the use of it will cause an NPE.
The main part of this PR is that the cache is used for restricting
resending of activation mails and without this we cache we cannot
restrict this. Whilst this code could be re-considered to use the db and
probably should be, I think we can simply disable this code in the case
that the cache is disabled.
There are also several bug fixes in the /nodeinfo API endpoint.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Apply DefaultUserIsRestricted in CreateUser
* Enforce system defaults in CreateUser
Allow for overwrites with CreateUserOverwriteOptions
* Fix compilation errors
* Add "restricted" option to create user command
* Add "restricted" option to create user admin api
* Respect default setting.Service.RegisterEmailConfirm and setting.Service.RegisterManualConfirm where needed
* Revert "Respect default setting.Service.RegisterEmailConfirm and setting.Service.RegisterManualConfirm where needed"
This reverts commit ee95d3e8dc9e9fff4fa66a5111e4d3930280e033.
Do a refactoring to the CSRF related code, remove most unnecessary functions.
Parse the generated token's issue time, regenerate the token every a few minutes.
* Remove `db.DefaultContext` usage in routers, use `ctx` directly
* Use `ctx` directly if there is one, remove some `db.DefaultContext` in `services`
* Use ctx instead of db.DefaultContext for `cmd` and some `modules` packages
* fix incorrect context usage
If the mailer is configured then even if Manual confirm is set an activation email
is still being sent because `handleUserCreated` is not checking for this case.
Fix#17263
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>