0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-23 07:43:18 -05:00
forgejo/modules
KN4CK3R c6c829fe3f
Enhanced auth token / remember me (#27606)
Closes #27455

> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
> 
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.

The PR removes the now obsolete setting `COOKIE_USERNAME`.
2023-10-14 00:56:41 +00:00
..
actions chore(actions): support cron schedule task (#26655) 2023-08-24 03:06:51 +00:00
activitypub make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
analyze Rename code_langauge.go to code_language.go (#26377) 2023-08-07 15:00:53 -04:00
assetfs Use Set[Type] instead of map[Type]bool/struct{}. (#26804) 2023-08-30 06:55:25 +00:00
auth Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
avatar Remove nfnt/resize and oliamb/cutter (#25999) 2023-07-20 19:52:42 +08:00
base Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
cache improve unit test for caching (#26185) 2023-07-27 22:24:40 +02:00
charset Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
container
context Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
contexttest Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
csv
doctor Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
emoji
eventsource More db.DefaultContext refactor (#27265) 2023-09-29 12:12:54 +00:00
generate Handle base64 decoding correctly to avoid panic (#26483) 2023-08-14 10:30:16 +00:00
git Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
gitgraph More db.DefaultContext refactor (#27265) 2023-09-29 12:12:54 +00:00
graceful Allow the use of alternative net.Listener implementations by downstreams (#25855) 2023-07-24 07:18:17 +00:00
hcaptcha
highlight Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
hostmatcher
html Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
httpcache Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
httplib Less naked returns (#25713) 2023-07-07 05:31:56 +00:00
indexer Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
issue/template Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
json Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
label
lfs Refactor lfs requests (#26783) 2023-09-18 08:40:50 +00:00
log Reduce some allocations in type conversion (#26772) 2023-08-29 00:43:16 +08:00
markup fix media description render for orgmode (#26895) 2023-09-13 05:44:59 +00:00
mcaptcha
metrics Reduce usage of db.DefaultContext (#27073) 2023-09-14 17:09:32 +00:00
migration Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
nosql Update tool dependencies, lock govulncheck and actionlint (#25655) 2023-07-09 11:58:06 +00:00
options
packages Use docs.gitea.com instead of docs.gitea.io (#26739) 2023-08-27 11:59:12 +00:00
paginator
pprof
private Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
process Replace assert.Fail with assert.FailNow (#27578) 2023-10-11 11:02:24 +00:00
proxy
proxyprotocol
public Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974) 2023-07-21 12:14:20 +00:00
queue Increase queue length (#27555) 2023-10-10 18:47:49 +08:00
recaptcha
references Replace 'userxx' with 'orgxx' in all test files when the user type is org (#27052) 2023-09-14 02:59:53 +00:00
regexplru Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00
repository Refactor system setting (#27000) 2023-10-05 09:08:19 +08:00
secret
session Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
setting Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
sitemap
ssh restrict certificate type for builtin SSH server (#26789) 2023-09-01 13:45:22 +00:00
storage Fix object storage path handling (#27024) 2023-09-13 01:18:52 +00:00
structs Restore warning commit status (#27504) 2023-10-08 22:16:06 +00:00
svg Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
sync
system make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
templates Improve feed icons and feed merge text color (#27498) 2023-10-07 23:26:27 +00:00
test Move web/api context related testing function into a separate package (#26859) 2023-09-01 11:26:07 +00:00
testlogger Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
timeutil
translation Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
turnstile
typesniffer Detect ogg mime-type as audio or video (#26494) 2023-08-15 10:31:25 +08:00
updatechecker
upload
uri
user
util Refactor lfs requests (#26783) 2023-09-18 08:40:50 +00:00
validation Check blocklist for emails when adding them to account (#26812) 2023-08-30 10:46:49 -05:00
web Remove some dead code (#27196) 2023-09-22 23:30:31 +08:00
webhook