forgejo/modules
KN4CK3R c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
actions chore(actions): support cron schedule task (#26655) 2023-08-24 03:06:51 +00:00
activitypub make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
analyze Rename code_langauge.go to code_language.go (#26377) 2023-08-07 15:00:53 -04:00
assetfs Use `Set[Type]` instead of `map[Type]bool/struct{}`. (#26804) 2023-08-30 06:55:25 +00:00
auth Next round of `db.DefaultContext` refactor (#27089) 2023-09-16 14:39:12 +00:00
avatar Remove nfnt/resize and oliamb/cutter (#25999) 2023-07-20 19:52:42 +08:00
base Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
cache improve unit test for caching (#26185) 2023-07-27 22:24:40 +02:00
charset Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
container Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
context Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
contexttest Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
csv Refactor locale number (#24134) 2023-04-17 11:37:23 +08:00
doctor Penultimate round of `db.DefaultContext` refactor (#27414) 2023-10-11 04:24:07 +00:00
emoji Update emoji set to Unicode 15 (#25595) 2023-06-29 16:29:48 +00:00
eventsource More `db.DefaultContext` refactor (#27265) 2023-09-29 12:12:54 +00:00
generate Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
git Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
gitgraph More `db.DefaultContext` refactor (#27265) 2023-09-29 12:12:54 +00:00
graceful Allow the use of alternative net.Listener implementations by downstreams (#25855) 2023-07-24 07:18:17 +00:00
hcaptcha Consume hcaptcha and pwn deps (#22610) 2023-01-29 09:49:51 -06:00
highlight Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
hostmatcher Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
html Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
httpcache Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
httplib Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
indexer Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
issue/template Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
json Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
label Make label templates have consistent behavior and priority (#23749) 2023-04-10 16:44:02 +08:00
lfs Refactor lfs requests (#26783) 2023-09-18 08:40:50 +00:00
log Reduce some allocations in type conversion (#26772) 2023-08-29 00:43:16 +08:00
markup fix media description render for orgmode (#26895) 2023-09-13 05:44:59 +00:00
mcaptcha Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
metrics Reduce usage of `db.DefaultContext` (#27073) 2023-09-14 17:09:32 +00:00
migration Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
nosql Update tool dependencies, lock govulncheck and actionlint (#25655) 2023-07-09 11:58:06 +00:00
options Use a general approach to access custom/static/builtin assets (#24022) 2023-04-12 18:16:45 +08:00
packages Use docs.gitea.com instead of docs.gitea.io (#26739) 2023-08-27 11:59:12 +00:00
paginator Use more specific test methods (#24265) 2023-04-22 17:56:27 -04:00
pprof Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
private Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
process Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
proxy Use proxy for pull mirror (#22771) 2023-02-11 08:39:50 +08:00
proxyprotocol Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
public Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
queue Increase queue length (#27555) 2023-10-10 18:47:49 +08:00
recaptcha Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
references Replace 'userxx' with 'orgxx' in all test files when the user type is org (#27052) 2023-09-14 02:59:53 +00:00
regexplru Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
repository Refactor system setting (#27000) 2023-10-05 09:08:19 +08:00
secret Improve decryption failure message (#24573) 2023-05-07 19:29:43 +08:00
session Next round of `db.DefaultContext` refactor (#27089) 2023-09-16 14:39:12 +00:00
setting Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
sitemap Fix sitemap (#22272) 2022-12-30 23:31:00 +08:00
ssh restrict certificate type for builtin SSH server (#26789) 2023-09-01 13:45:22 +00:00
storage Fix object storage path handling (#27024) 2023-09-13 01:18:52 +00:00
structs Restore warning commit status (#27504) 2023-10-08 22:16:06 +00:00
svg Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
sync Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
system make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
templates Improve feed icons and feed merge text color (#27498) 2023-10-07 23:26:27 +00:00
test Move web/api context related testing function into a separate package (#26859) 2023-09-01 11:26:07 +00:00
testlogger Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
timeutil Fix incorrect webhook time and use relative-time to display it (#24477) 2023-05-03 19:53:43 -04:00
translation Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
turnstile Add new captcha: cloudflare turnstile (#22369) 2023-02-05 15:29:03 +08:00
typesniffer Detect ogg mime-type as audio or video (#26494) 2023-08-15 10:31:25 +08:00
updatechecker Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
upload Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
uri Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
user Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
util Refactor lfs requests (#26783) 2023-09-18 08:40:50 +00:00
validation Check blocklist for emails when adding them to account (#26812) 2023-08-30 10:46:49 -05:00
web Remove some dead code (#27196) 2023-09-22 23:30:31 +08:00
webhook New webhook trigger for receiving Pull Request review requests (#24481) 2023-05-24 22:06:27 -04:00