mirror of
1
Fork 0
forgejo/modules/context
Gusted d8bc98a8f0
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit eff097448b)

[GITEA] rework long-term authentication (squash) add migration

Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
(cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc)
2023-10-09 22:12:50 +02:00
..
access_log.go Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
api.go More refactoring of `db.DefaultContext` (#27083) 2023-09-15 06:13:19 +00:00
api_org.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
api_test.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
base.go Introduce ctx.PathParamRaw to avoid incorrect unescaping (#26392) 2023-08-09 14:57:45 +08:00
captcha.go Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
context.go Make web context initialize correctly for different cases (#26726) 2023-08-25 19:07:42 +08:00
context_cookie.go [GITEA] rework long-term authentication 2023-10-09 22:12:50 +02:00
context_model.go Improve Gitea's web context, decouple "issue template" code into service package (#24590) 2023-05-09 01:30:14 +02:00
context_request.go Decouple the different contexts from each other (#24786) 2023-05-21 09:50:53 +08:00
context_response.go Start using template context function (#26254) 2023-08-08 01:22:47 +00:00
context_template.go Start using template context function (#26254) 2023-08-08 01:22:47 +00:00
context_test.go Use standard HTTP library to serve files (#24693) 2023-05-13 16:04:57 +02:00
csrf.go Refactor cookie (#24107) 2023-04-13 15:45:33 -04:00
org.go Another round of `db.DefaultContext` refactor (#27103) (#27262) 2023-09-25 19:24:35 +02:00
package.go Make web context initialize correctly for different cases (#26726) 2023-08-25 19:07:42 +08:00
pagination.go Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
permission.go Add context parameter to some database functions (#26055) 2023-07-22 22:14:27 +08:00
private.go Replace `interface{}` with `any` (#25686) 2023-07-04 18:36:08 +00:00
repo.go Add support for HEAD ref in /src/branch and /src/commit routes (#27384) (#27407) 2023-10-03 08:13:49 +00:00
response.go Refactor web package and context package (#25298) 2023-06-18 09:59:09 +02:00
utils.go Avoid double-unescaping of form value (#26853) 2023-09-01 12:01:36 +00:00
xsrf.go Update gitea-vet to check FSFE REUSE (#22004) 2022-12-02 22:14:57 +08:00
xsrf_test.go Update gitea-vet to check FSFE REUSE (#22004) 2022-12-02 22:14:57 +08:00