7 commits

Author	SHA1	Message	Date
Christoph Mewes	023a894677	chore: fix typos throughout the codebase (#10753) ... This PR fixes a number of typos throughout the entire repository. Running https://github.com/crate-ci/typos and then changing all occurrences that I naively deemed "safe enough". Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10753 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Christoph Mewes <christoph@kubermatic.com> Co-committed-by: Christoph Mewes <christoph@kubermatic.com>	2026-01-26 22:57:33 +01:00
Gusted	a4642af51a	feat: replace cross origin protection (#9830) ... Replace the anti-CSRF token with a [cross origin protection by Go](https://go.dev/doc/go1.25#nethttppkgnethttp) that uses a stateless way of verifying if a request was cross origin or not. This allows is to remove al lot of code and replace it with a few lines of code and we no longer have to hand roll this protection. The new protection uses indicators by the browser itself that indicate if the request is cross-origin, thus we no longer have to take care of ensuring the generated CSRF token is passed back to the server any request by the the browser will have send this indicator. Resolves forgejo/forgejo#3538 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9830 Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org> Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>	2025-10-29 22:43:22 +01:00
Renovate Bot	fed2d81c44	Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) ... Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org> Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>	2025-03-28 22:22:21 +00:00
Gusted	2457f5ff22	chore: branding import path (#7337) ... - Massive replacement of changing `code.gitea.io/gitea` to `forgejo.org`. - Resolves forgejo/discussions#258 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7337 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>	2025-03-27 19:40:14 +00:00
Gusted	1ce33aa38d	fix: extend forgejo_auth_token table ... - Add a `purpose` column, this allows the `forgejo_auth_token` table to be used by other parts of Forgejo, while still enjoying the no-compromise architecture. - Remove the 'roll your own crypto' time limited code functions and migrate them to the `forgejo_auth_token` table. This migration ensures generated codes can only be used for their purpose and ensure they are invalidated after their usage by deleting it from the database, this also should help making auditing of the security code easier, as we're no longer trying to stuff a lot of data into a HMAC construction. -Helper functions are rewritten to ensure a safe-by-design approach to these tokens. - Add the `forgejo_auth_token` to dbconsistency doctor and add it to the `deleteUser` function. - TODO: Add cron job to delete expired authorization tokens. - Unit and integration tests added.	2024-11-15 10:59:36 +01:00
TheFox0x7	4de909747b	Add testifylint to lint checks (#4535) ... go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com>	2024-07-30 19:41:10 +00:00
Gusted	c6a53c3172	[SECURITY] Rework long-term authentication ... - This is a 'front-port' of the already existing patch on v1.21 and v1.20, but applied on top of what Gitea has done to rework the LTA mechanism. Forgejo will stick with the reworked mechanism by the Forgejo Security team for the time being. The removal of legacy code (AES-GCM) has been left out. - The current architecture is inherently insecure, because you can construct the 'secret' cookie value with values that are available in the database. Thus provides zero protection when a database is dumped/leaked. - This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies). - Integration testing is added to ensure the new mechanism works. - Removes a setting, because it's not used anymore. (cherry picked from commit e3d6622a63) (cherry picked from commit fef1a6dac5) (cherry picked from commit b0c5165145) (cherry picked from commit 7ad51b9f8d) (cherry picked from commit 64f053f383) (cherry picked from commit f5e78e4c20) Conflicts: services/auth/auth_token_test.go https://codeberg.org/forgejo/forgejo/pulls/2069 (cherry picked from commit f69fc23d4b) (cherry picked from commit d955ab3ab0) (cherry picked from commit 9220088f90) (cherry picked from commit c73ac63696) (cherry picked from commit 747a176048) Conflicts: models/user/user.go routers/web/user/setting/account.go https://codeberg.org/forgejo/forgejo/pulls/2295	2024-02-05 15:06:15 +01:00