thepaperpilot/forgejo
1
0
Fork 0
Code Issues Pull requests Releases Activity Actions 3
forgejo/routers/web
History
M Hickford 14bc4d79c1
Parse OAuth Authorization header when request omits client secret (#21351) (#21374) 
Backport #21351

This fixes error "unauthorized_client: invalid client secret" when
client includes secret in Authorization header rather than request body.
OAuth spec permits both:
https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme ... Alternatively, the authorization server MAY
support including the client credentials in the request-body

Sanity validation that client id and client secret in request are
consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
2022-10-08 16:53:17 +08:00
..
admin Redirect if user does not exist on admin pages (#20981) (#21059) 2022-09-04 12:17:35 -04:00
auth Parse OAuth Authorization header when request omits client secret (#21351) (#21374) 2022-10-08 16:53:17 +08:00
dev Move user related model into models/user (#17781) 2021-11-24 17:49:20 +08:00
events Improve Stopwatch behavior (#18930) 2022-04-25 22:45:22 +02:00
explore In code search, get code unit accessible repos in one (main) query (#19764) 2022-06-16 02:24:10 +03:00
feed Use absolute links in feeds (#21229) (#21265) 2022-09-26 13:49:22 -04:00
healthcheck Update go-chi/cache to utilize Ping() (#19719) 2022-05-15 20:43:27 +02:00
misc Fix panic in team repos API (#19431) 2022-04-20 18:43:26 +08:00
org Fix SQL Query for SearchTeam (#20844) (#20872) 2022-08-21 19:31:51 +01:00
repo Tag list should include draft releases with existing tags (#21263) (#21365) 2022-10-07 18:59:42 +08:00
user Remove calls to load Mirrors in user.Dashboard (#20855) (#20897) 2022-08-22 09:46:56 +08:00
auth.go Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
auth_windows.go Let web and API routes have different auth methods group (#19168) 2022-03-28 12:46:28 +08:00
base.go Add Cache-Control header to html and api responses, add no-transform (#20432) (#20459) 2022-07-23 11:58:58 +01:00
goget.go Refactor legacy unknwon/com package, improve golangci lint (#19284) 2022-04-01 16:47:50 +08:00
home.go Renamed ctx.User to ctx.Doer. (#19161) 2022-03-22 15:03:22 +08:00
metrics.go Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
nodeinfo.go Add nodeinfo endpoint for federation purposes (#16953) 2021-09-28 01:38:06 +02:00
swagger_json.go Refactor routers directory (#15800) 2021-06-09 01:33:54 +02:00
web.go Add disable download source configuration (#20548) (#20579) 2022-08-12 23:53:10 +08:00
webfinger.go Move almost all functions' parameter db.Engine to context.Context (#19748) 2022-05-20 22:08:52 +08:00