thepaperpilot/forgejo
1
0
Fork 0
Code Issues Pull requests Releases Activity Actions
forgejo/modules/context
History
Gusted 72bdd4f3b9
[v1.21] [GITEA] rework long-term authentication 
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit eff097448b)

[GITEA] rework long-term authentication (squash) add migration

Reminder: the migration is run via integration tests as explained
in the commit "[DB] run all Forgejo migrations in integration tests"

(cherry picked from commit 4accf7443c)
(cherry picked from commit 99d06e344ebc3b50bafb2ac4473dd95f057d1ddc)
(cherry picked from commit d8bc98a8f0)
(cherry picked from commit 6404845df9)
2023-10-23 15:35:33 +02:00
..
access_log.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
api.go More refactoring of db.DefaultContext (#27083) 2023-09-15 06:13:19 +00:00
api_org.go
api_test.go
base.go Introduce ctx.PathParamRaw to avoid incorrect unescaping (#26392) 2023-08-09 14:57:45 +08:00
captcha.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
context.go Make web context initialize correctly for different cases (#26726) 2023-08-25 19:07:42 +08:00
context_cookie.go [v1.21] [GITEA] rework long-term authentication 2023-10-23 15:35:33 +02:00
context_model.go
context_request.go
context_response.go Start using template context function (#26254) 2023-08-08 01:22:47 +00:00
context_template.go Start using template context function (#26254) 2023-08-08 01:22:47 +00:00
context_test.go
csrf.go
org.go Another round of db.DefaultContext refactor (#27103) (#27262) 2023-09-25 19:24:35 +02:00
package.go Make web context initialize correctly for different cases (#26726) 2023-08-25 19:07:42 +08:00
pagination.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
permission.go Add context parameter to some database functions (#26055) 2023-07-22 22:14:27 +08:00
private.go Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
repo.go Add support for HEAD ref in /src/branch and /src/commit routes (#27384) (#27407) 2023-10-03 08:13:49 +00:00
response.go
utils.go Avoid double-unescaping of form value (#26853) 2023-09-01 12:01:36 +00:00
xsrf.go
xsrf_test.go