0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-23 07:43:18 -05:00
forgejo/services
KN4CK3R c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
..
actions Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
agit Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
asymkey Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
attachment Even more db.DefaultContext refactor (#27352) 2023-10-03 10:30:41 +00:00
auth Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
automerge Improve queue and logger context (#24924) 2023-05-26 07:31:55 +00:00
context Another round of db.DefaultContext refactor (#27103) 2023-09-25 13:17:37 +00:00
convert Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
cron Fix data-race bug when accessing task.LastRun (#27584) 2023-10-11 14:51:20 +00:00
externalaccount More db.DefaultContext refactor (#27265) 2023-09-29 12:12:54 +00:00
feed More db.DefaultContext refactor (#27265) 2023-09-29 12:12:54 +00:00
forms Add support for forking single branch (#25821) 2023-09-29 09:48:39 +08:00
gitdiff Even more db.DefaultContext refactor (#27352) 2023-10-03 10:30:41 +00:00
indexer Update status and code index after changing the default branch (#27018) 2023-09-13 04:43:31 +00:00
issue Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
lfs Bump github.com/golang-jwt/jwt to v5 (#25975) 2023-07-19 09:57:10 +00:00
mailer Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
markup make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
migrations Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
mirror Even more db.DefaultContext refactor (#27352) 2023-10-03 10:30:41 +00:00
notify Update status and code index after changing the default branch (#27018) 2023-09-13 04:43:31 +00:00
org make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
packages Another round of db.DefaultContext refactor (#27103) 2023-09-25 13:17:37 +00:00
pull Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
release Even more db.DefaultContext refactor (#27352) 2023-10-03 10:30:41 +00:00
repository Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
secrets Refactor secrets modification logic (#26873) 2023-09-05 15:21:02 +00:00
task Fix unexpected context canceled when migrating repository (#27368) 2023-10-01 12:04:35 +00:00
uinotification Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
user Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
webhook make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
wiki Even more db.DefaultContext refactor (#27352) 2023-10-03 10:30:41 +00:00