summaryrefslogtreecommitdiffstats
path: root/modules/setting/setting.go
Commit message (Collapse)AuthorAgeFilesLines
* Prevent security failure due to bad APP_ID (#18678) (#18682)zeripath2022-02-101-3/+7
| | | | | | | | | | | | Backport #18678 WebAuthn may cause a security exception if the provided APP_ID is not allowed for the current origin. Therefore we should reattempt authentication without the appid extension. Also we should allow [u2f] as-well as [U2F] sections. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Support webauthn (#17957)Lunny Xiao2022-01-141-7/+4
| | | | | | | Migrate from U2F to Webauthn Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Simplify parameter types (#18006)Gusted2021-12-201-2/+2
| | | Remove repeated type declarations in function definitions.
* allways set a message-id on mails (#17900)Garionion2021-12-081-5/+11
| | | | | | | * allways set a message-id on mails * Add unit tests for mailer & Message-ID Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Replace "unix" by "http+unix" for PROTOCOL (#17771)mscherer2021-12-051-19/+18
|
* Improve install code to avoid low-level mistakes. (#17779)wxiaoguang2021-12-011-43/+45
| | | | | | | | | | | | | | * Improve install code to avoid low-level mistakes. If a user tries to do a re-install in a Gitea database, they gets a warning and double check. When Gitea runs, it never create empty app.ini automatically. Also some small (related) refactoring: * Refactor db.InitEngine related logic make it more clean (especially for the install code) * Move some i18n strings out from setting.go to make the setting.go can be easily maintained. * Show errors in CLI code if an incorrect app.ini is used. * APP_DATA_PATH is created when installing, and checked when starting (no empty directory is created any more).
* Handle relative unix socket paths (#17836)zeripath2021-11-271-3/+10
| | | | | | | | | | | | Make relative unix sockets absolute by making them absolute against the AppWorkPath Fix #17833 ## :warning: BREAKING :warning: Prior to this PR relative unix sockets would have been asserted to be relative to the current working directory that gitea, gitea serv, hook and manager etc were running in. Hooks and Serv would have failed to work properly under this situation so we expect that although this is a technically breaking change the previous situation was already broken. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Make SSL cipher suite configurable (#17440)zeripath2021-11-201-0/+8
|
* Sync gitea app path for git hooks and authorized keys when starting (#17335)wxiaoguang2021-10-211-0/+12
| | | | | | | | | | | Gitea writes its own AppPath into git hook scripts. If Gitea's AppPath changes, then the git push will fail. This PR: * Introduce an AppState module, it can persist app states into database * During GlobalInit, Gitea will check if the current AppPath is the same as last one. If they don't match, Gitea will sync git hooks. * Refactor some code to make them more clear. * Also, "Detect if gitea binary's name changed" #11341 is related, we call models.RewriteAllPublicKeys to update ssh authorized_keys file
* Use a variable but a function for IsProd because of a slight performance ↵Lunny Xiao2021-10-201-5/+2
| | | | increment (#17368)
* Add protection to disable Gitea when run as root (#17168)techknowlogick2021-10-071-0/+12
| | | | Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: 6543 <6543@obermui.de>
* Add metrics to get issues by repository (#17225)Romain2021-10-051-6/+8
|
* Add metrics to get issues by label (#17201)Romain2021-10-031-4/+6
| | | | | | | | | | | | | | | | | | | | | * Add metrics to get issues by label * Add comment on IssueByLabelCount * Code review - Unify "AS" in SQL (#17201) * Code review - Remove useless join (#17201) * Code review - Disable issue_by_label by default in settings (#17201) * use e * restore empty line * update docs Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add nodeinfo endpoint for federation purposes (#16953)techknowlogick2021-09-281-0/+1
| | | | | | | | | | | | | | | | Nodeinfo is a way to expose certain metadata about a server for use of discovery regarding functionality of its federation capabilities. Two endpoints are required: 1. `/.well-known/nodeinfo` which informs client where it can find the location of the location of its metadata (including which version of the schema is used) 2. the endpoint which exposes the metadata in json format according to schema. Notes: * `openRegistrations` is a required field, but I propose to set to false as default in case someone writes a crawler to discover "open" gitea instances * to limit data leakage I also propose to not include the `usage` field (note it is required so it should be included, but left as empty). More info: https://github.com/jhass/nodeinfo https://github.com/jhass/nodeinfo/tree/main/schemas/2.1 http://nodeinfo.diaspora.software/protocol.html
* Use light/dark theme based on system preference (#17051)Gwyneth Morgan2021-09-271-2/+2
| | | | | | | | Add a new default theme `auto`, which will automatically switch between `gitea` (light) and `arc-green` (dark) themes depending on the user's operating system settings. Closes: #8183
* refactor: move from io/ioutil to io and os package (#17109)Eng Zer Jun2021-09-221-3/+2
| | | | | | | | | The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Enable Malayalam, Greek, Persian, Hungarian & Indonesian by default (#16998)65432021-09-091-2/+4
|
* Make mirror feature more configurable (#16957)65432021-09-071-17/+1
| | | | | | | | | | | Rename`[repository]` `DISABLE_MIRRORS` to `[mirror]` `DISABLE_NEW_PULL` and add `ENABLED` and `DISABLE_NEW_PUSH` with the below meanings: - `ENABLED`: **true**: Enables the mirror functionality. Set to **false** to disable all mirrors. - `DISABLE_NEW_PULL`: **false**: Disable the creation of **new** mirrors. Pre-existing mirrors remain valid. - `DISABLE_NEW_PUSH`: **false**: Disable the creation of **new** push mirrors. Pre-existing mirrors remain valid. Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de>
* Add proxy settings and support for migration and webhook (#16704)Lunny Xiao2021-08-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | * Add proxy settings and support for migration and webhook * Fix default value * Add newline for example ini * Add lfs proxy support * Fix lint * Follow @zeripath's review * Fix git clone * Fix test * missgin http requests for proxy * use empty Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
* Add API Token Cache (#16547)zeripath2021-08-171-0/+2
| | | | | | | | | | | | | | | | | One of the issues holding back performance of the API is the problem of hashing. Whilst banning BASIC authentication with passwords will help, the API Token scheme still requires a PBKDF2 hash - which means that heavy API use (using Tokens) can still cause enormous numbers of hash computations. A slight solution to this whilst we consider moving to using JWT based tokens and/or a session orientated solution is to simply cache the successful tokens. This has some security issues but this should be balanced by the security issues of load from hashing. Related #14668 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Add an abstract json layout to make it's easier to change json library (#16528)Lunny Xiao2021-07-241-2/+1
| | | | | | | | | | | * Add an abstract json layout to make it's easier to change json library * Fix import * Fix import sequence * Fix blank lines * Fix blank lines
* Add forge emojies (#16296)65432021-07-021-2/+2
| | | | | | | * codeberg :codeberg: * gitlab :gitlab: * git :git: * github :github: * gogs :gogs:
* Add custom emoji support (#16004)65432021-06-291-1/+9
|
* Make app.ini more restrictive on new installations (#16266)Steven2021-06-271-0/+13
| | | Signed-off-by: Steven Kriegler <61625851+justusbunsi@users.noreply.github.com>
* Add --quiet and --verbose to gitea web to control initial logging (#16260)zeripath2021-06-261-1/+2
| | | | | | | | | | | | | | | | | | | | | | One of the repeatedly reported issues has been that gitea produces too much console logging during set up even if the console logger is turned off. Fundamentally this is due to some otherwise very helpful logging that has to occur before logging is set up. This has come to a head with the merging of #16243 where otherwise potentially helpful Trace logging in the git module now appears on the console. This PR proposes three things: 1. Change the initial default logger to Info not Trace. 2. Change the logging for the AppPath things to Info in recompense. 3. Add two new command line options to gitea web: --quiet and --verbose `gitea web -q` or `gitea web --quiet` will only log Fatal level initially. `gitea web -verbose` will log at Trace. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Use data path instead of config path (#16227)KN4CK3R2021-06-231-1/+1
|
* Add asymmetric JWT signing (#16010)KN4CK3R2021-06-171-16/+6
| | | | | | | | | | | * Added asymmetric token signing. * Load signing key from settings. * Added optional kid parameter. * Updated documentation. * Add "kid" to token header.
* Ensure settings for Service and Mailer are read on the install page (#15943)zeripath2021-06-161-0/+6
| | | | | | | | | | | | | | * Ensure settings for Service and Mailer are read on the install page NewContext does not set the mailer or service settings so add a new function that will run this. Fix #15894 Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net>
* Make command in authorized keys a template (#16003)zeripath2021-06-141-41/+49
| | | | | | | | Fix #15595 Replaces #15978 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Set self-adjusting deadline for connection writing (#16068)zeripath2021-06-111-11/+21
| | | | | | | | | | | | | | | | | | | | | | | | | * Set self-adjusting deadline for connection writing In #16055 it appears that the simple 5s deadline doesn't work for large file writes. Now we can't - or at least shouldn't just set no deadline as go will happily let these connections block indefinitely. However, what seems reasonable is to set some minimum rate we expect for writing. This PR suggests the following algorithm: * Every write has a minimum timeout of 5s (adjustable at compile time.) * If there has been a previous write - then consider its previous deadline, add half of the minimum timeout + 2s per kb about to written. * If that new deadline is after the minimum timeout use that. Fix #16055 * Linearly increase timeout * Make PerWriteTimeout, PerWritePerKbTimeouts configurable Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
* Unified custom config creation (#16012)KN4CK3R2021-05-291-40/+32
| | | | | | | * Unified custom config creation. * Fixed log message. Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* add a new internal hook to save ssh log (#15787)a10121127962021-05-211-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | * add a new internal hook to save ssh log as title, when a ssh error ocure like #15785. only when switch ``RUN_MODE`` to dev can we found which error is ocure. But this way is not a good idea for production envirment. this changes try save ssh error mesage to the log file like other log by a new internal hook. I think it's usefull for find error message in production envirment. Thanks. Signed-off-by: a1012112796 <1012112796@qq.com> * rename and fix nit * Update modules/private/hook.go Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add mimetype mapping settings (#15133)Adam Szatyin2021-05-101-0/+1
| | | | | | | | | | | | | * Fix APK's Content-Type header * Fix case sensitive comparison * Add custom mime type mapping for downloadable files * Add documentation for MIME type mapping * Rename download.mimetype.mapping configuration to repository.mimetype_mapping Co-authored-by: zeripath <art27@cantab.net>
* add `/assets` as root dir of public files (#15219)a10121127962021-04-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | * add `/assets` as root dir of public files Signed-off-by: a1012112796 <1012112796@qq.com> * move serviceworker.js * make fmt * fix some link * fix test * Apply suggestions from code review Co-authored-by: silverwind <me@silverwind.io> * Apply suggestions from code review Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
* OAuth2 auto-register (#5123)Martin Michaelis2021-04-141-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactored handleOAuth2SignIn in routers/user/auth.go The function handleOAuth2SignIn was called twice but some code path could only be reached by one of the invocations. Moved the unnecessary code path out of handleOAuth2SignIn. * Refactored user creation There was common code to create a user and display the correct error message. And after the creation the only user should be an admin and if enabled a confirmation email should be sent. This common code is now abstracted into two functions and a helper function to call both. * Added auto-register for OAuth2 users If enabled new OAuth2 users will be registered with their OAuth2 details. The UserID, Name and Email fields from the gothUser are used. Therefore the OpenID Connect provider needs additional scopes to return the coresponding claims. * Added error for missing fields in OAuth2 response * Linking and auto linking on oauth2 registration * Set default username source to nickname * Add automatic oauth2 scopes for github and google * Add hint to change the openid connect scopes if fields are missing * Extend info about auto linking security risk Co-authored-by: Viktor Kuzmin <kvaster@gmail.com> Signed-off-by: Martin Michaelis <code@mgjm.de>
* Code Formats, Nits & Unused Func/Var deletions (#15286)65432021-04-091-5/+0
| | | | | | | | | | | | | | | * _ to unused func options * rm useless brakets * rm trifial non used models functions * rm dead code * rm dead global vars * fix routers/api/v1/repo/issue.go * dont overload import module
* Add Tabular Diff for CSV files (#14661)KN4CK3R2021-03-291-0/+9
| | | | | | | | | | | | | | | | | | | | | | | Implements request #14320 The rendering of CSV files does match the diff style. * Moved CSV logic into base package. * Added method to create a tabular diff. * Added CSV compare context. * Added CSV diff template. * Use new table style in CSV markup. * Added file size limit for CSV rendering. * Display CSV parser errors in diff. * Lazy read single file. * Lazy read rows for full diff. * Added unit tests for various CSV changes.
* use level config in main section when subsection not set level (#15176)a10121127962021-03-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | in previouse if a log subsetcion not set level it will use ``info`` as default value. this pr will make default value (``[log] -> LEVEL``) useable. example config: ```INI [log] MODE = console LEVEL = Trace [log.console] LEVEL = STDERR = false ``` previous result: ```JSON // console: { "level": "info", ................... } ``` after change: ```JSON // console: { "level": "track", ................... } ``` Signed-off-by: a1012112796 <1012112796@qq.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv>
* Add reverse proxy configuration support for remote IP address (#14959)Lauris BH2021-03-161-0/+10
| | | | | | | | | * Add reverse proxy configuration support for remote IP address validation * Trust all IP addresses in containerized environments by default * Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Make internal SSH server host key path configurable (#14918)zeripath2021-03-081-0/+7
| | | | | | | | | | | * Make SSH server host key path configurable * make it possible to have multiple keys * Make gitea.rsa the default key * Add some more logging Signed-off-by: Andrew Thornton <art27@cantab.net>
* Migrate to use jsoniter instead of encoding/json (#14841)zeripath2021-03-011-1/+2
| | | | | | | | | | * Migrate to use jsoniter * fix tests * update gitea.com/go-chi/binding Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
* Prevent use of double sub-path and incorrect asset path in manifest (#14827)zeripath2021-02-281-1/+1
| | | | | | | | | | MakeAbsoluteAssetURL should just url join the static url prefix on to appurl if it is not an absolute path - this is because StaticURLPrefix is an absolute prefix not a relative prefix to the app sub url. Fix #14422 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Clarify the suffices and prefixes of setting.AppSubURL and setting.AppURL ↵zeripath2021-02-191-14/+29
| | | | | | | | (#12999) Also removes some unnecessary uses of fmt.Sprintf and adds documentation strings Signed-off-by: Andrew Thornton <art27@cantab.net>
* Turn default hash password algorightm back to pbkdf2 from argon2 until we ↵Lunny Xiao2021-02-131-1/+1
| | | | | | | found a better one (#14673) * Turn default hash password algorightm back to pbkdf2 from argon2 until we found a better one * Add a warning on document
* Added option to disable webhooks (#13176)Paweł Bogusławski2021-02-111-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Added option to disable web hooks This mod introduces DISABLE_WEB_HOOKS parameter in [security] section of app.ini (by default set to false). If set to true it disables web hooks feature. Any existing undelivered web hook tasks will be cancelled. Any existing web hook definitions will be left untouched in db but its delivery tasks will be ignored. Author-Change-Id: IB#1105130 * Webhook spelling fixed Webhook spelling fixed. Fixes: 07df6614dc84cdd2e9f39c57577fa1062bd70012 Related: https://github.com/go-gitea/gitea/pull/13176#pullrequestreview-510868421 Author-Change-Id: IB#1105174 * Parameter description fixed Parameter description fixed. Fixes: 07df6614dc84cdd2e9f39c57577fa1062bd70012 Related: https://github.com/go-gitea/gitea/pull/13176#pullrequestreview-514086107 Author-Change-Id: IB#1105174
* Update docs and comments to remove macaron (#14491)Lunny Xiao2021-01-291-2/+0
|
* Add support for ed25519_sk and ecdsa_sk SSH keys (#13462)Artemis Tosini2021-01-201-1/+1
| | | | | | | | | | | | | | * Add support for ed25519_sk and ecdsa_sk SSH keys These start with sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com. They are supported in recent versions of go x/crypto/ssh and OpenSSH 8.2 or higher. * skip ssh-keygen Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
* Use IsProd instead of testing if it's equal. (#14336)Lunny Xiao2021-01-141-1/+5
| | | | Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
* Display SVG files as images instead of text (#14101)Jonathan Tran2021-01-121-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Change to display SVG files as images * Remove unsafe styles from SVG CSP * Add integration test to test SVG headers * Add config setting to disable SVG rendering * Add test for img tag when loading SVG image * Remove the Raw view button for svg files since we don't fully support this * Fix copyright year * Rename and move config setting * Add setting to cheat sheet in docs * Fix so that comment matches cheat sheet * Add allowing styles in CSP based on pull request feedback * Re-enable raw button since we show SVG styles now * Change so that SVG files are editable * Add UI to toggle between source and rendered image for SVGs * Change to show blame button for SVG images * Fix to update ctx data * Add test for DetectContentType when file is longer than sniffLen Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com>
* Consolidate Logos and update README header (#14136)silverwind2021-01-011-14/+4
| | | | | | | | | | | | | | | | | | | | * Consolidate Logos and update README header - Remove unused `logo-lg.png`, `logo-sm.png` and `logo-192.png`. - Consolidate `favicon.svg` and `logo.svg` to just `logo.svg`. - Remove Safari Mask icon, it seems to work fine with just `favicon.png` (no SVG support). - Remove Fluid Icon. It only served Firefox and SVG works just fine there. - Update customization instructions. - Update README.md to use SVG icon, increase logo size and center it and badges. * Update README_ZH.md Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> * Update README_ZH.md Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>