forgejo/modules
Gusted c26ac31816
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus it provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired by: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit eff097448b)

[GITEA] rework long-term authentication (squash) add migration

Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
(cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc)
(cherry picked from commit d8bc98a8f0)
(cherry picked from commit 6404845df9)
(cherry picked from commit 72bdd4f3b9)
(cherry picked from commit 4b01bb0ce8)
2023-11-06 17:12:23 +01:00
actions [CI] Search .forgejo/workflows first 2023-11-06 14:12:41 +01:00
activitypub
analyze
assetfs
auth [GITEA] Drop sha256-simd in favor of stdlib 2023-11-06 17:12:22 +01:00
avatar [GITEA] Drop sha256-simd in favor of stdlib 2023-11-06 17:12:22 +01:00
base [GITEA] Drop sha256-simd in favor of stdlib 2023-11-06 17:12:22 +01:00
cache
charset
container
context [GITEA] rework long-term authentication 2023-11-06 17:12:23 +01:00
contexttest
csv
doctor Remove action runners on user deletion (#27902) (#27908) 2023-11-05 13:20:00 +00:00
emoji
eventsource More db.DefaultContext refactor (#27265) (#27347) 2023-09-29 13:35:01 +00:00
generate
git [GITEA] Drop sha256-simd in favor of stdlib 2023-11-06 17:12:22 +01:00
gitgraph More db.DefaultContext refactor (#27265) (#27347) 2023-09-29 13:35:01 +00:00
graceful
hcaptcha
highlight
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) (#27675) 2023-10-18 15:07:52 +02:00
html
httpcache
httplib
indexer [CI] disable meilisearch/elasticsearch test, no server yet in CI 2023-11-06 14:12:41 +01:00
issue/template
json
label
lfs [GITEA] Drop sha256-simd in favor of stdlib 2023-11-06 17:12:22 +01:00
log
markup [GITEA] Use restricted sanitizer for repository description 2023-11-06 17:12:22 +01:00
mcaptcha
metrics
migration
nosql
options
packages Close all hashed buffers (#27787) (#27790) 2023-10-25 22:24:25 +02:00
paginator
pprof
private [CLI] implement forgejo-cli 2023-11-06 14:12:40 +01:00
process
proxy
proxyprotocol
public
queue [CI] disable redis test, no redis server yet in CI 2023-11-06 14:12:41 +01:00
recaptcha
references
regexplru
repository Refactor system setting (#27000) (#27452) 2023-10-05 10:37:59 +00:00
secret [GITEA] Drop sha256-simd in favor of stdlib 2023-11-06 17:12:22 +01:00
session
setting [GITEA] rework long-term authentication 2023-11-06 17:12:23 +01:00
sitemap
ssh [GITEA] Remove SSH workaround 2023-11-06 17:12:22 +01:00
storage [CI] Forgejo Actions based CI for PR & branches 2023-11-06 14:12:41 +01:00
structs [FEAT] allow setting the update date on issues and comments 2023-11-06 14:56:38 +01:00
svg
sync
system
templates Fix label render containing invalid HTML (#27752) (#27762) 2023-10-24 09:39:13 +08:00
test
testlogger
timeutil
translation
turnstile
typesniffer
updatechecker
upload
uri
user
util [GITEA] rework long-term authentication 2023-11-06 17:12:23 +01:00
validation [GITEA] add option for banning dots in usernames 2023-11-06 15:41:19 +01:00
web [GITEA] Use maintained gziphandler 2023-11-06 17:12:23 +01:00
webhook