summaryrefslogtreecommitdiffstats
path: root/services/auth
Commit message (Collapse)AuthorAgeFilesLines
...
* Let web and API routes have different auth methods group (#19168)Lunny Xiao2022-03-284-78/+24
| | | | | | | | | | | | | * remove the global methods but create dynamiclly * Fix lint * Fix windows lint * Fix windows lint * some improvements Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Update HTTP status codes to modern codes (#18063)KN4CK3R2022-03-231-1/+1
| | | | | | * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect
* Use `ctx` instead of `db.DefaultContext` in some ↵wxiaoguang2022-03-221-1/+1
| | | | | | | | | | | | packages(routers/services/modules) (#19163) * Remove `db.DefaultContext` usage in routers, use `ctx` directly * Use `ctx` directly if there is one, remove some `db.DefaultContext` in `services` * Use ctx instead of db.DefaultContext for `cmd` and some `modules` packages * fix incorrect context usage
* Fix login with email panic when email is not exist (#18941)Lunny Xiao2022-02-281-1/+1
|
* Fix ldap user sync missed email in email_address table (#18786)Lunny Xiao2022-02-241-1/+2
| | | | | * Fix ldap user sync missed email in email_address table * Fix test
* Fix login with email for ldap users (#18800)Lunny Xiao2022-02-201-1/+1
| | | `authenticator.Authenticate` has assume the login name is not an email, but `username` maybe an email. So when we find the user via email address, we should use `user.LoginName` instead of `username` which is an email address.
* Fix ldap loginname (#18789)Johan Van de Wauw2022-02-182-6/+11
| | | | | | | | | | | | | | | | | | | | * Use email_address table to check user's email when login with email adress * Update services/auth/signin.go * Fix test * Fix test * Fix logging in with ldap username != loginname * Fix if user does not exist yet * Make more clear this is loginName * Fix formatting Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
* Add LDAP group sync to Teams, fixes #1395 (#16299)Sven Seeberg2022-02-116-27/+244
| | | | | | | | | | * Add setting for a JSON that maps LDAP groups to Org Teams. * Add log when removing or adding team members. * Sync is being run on login and periodically. * Existing group filter settings are reused. * Adding and removing team members. * Sync not existing LDAP group. * Login with broken group map JSON.
* Use `ImagedProvider` for gplus oauth2 provider (#18504)Gusted2022-02-011-2/+2
| | | | | Use `ImagedProvider` for gplus' oauthv2 provider, as the image isn't "gplus.png" but "google.png". Resolves #18494
* Refactor jwt.StandardClaims to RegisteredClaims (#18344)zeripath2022-01-202-7/+5
| | | | | | | | | | | | | | | * Refactor jwt.StandardClaims to RegisteredClaims go-jwt/jwt has deprecated the StandardClaims interface to use RegisteredClaims instead. This PR migrates to use this new format. Signed-off-by: Andrew Thornton <art27@cantab.net> * Apply suggestions from code review Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <williamzijl7@hotmail.com>
* format with gofumpt (#18184)65432022-01-2013-25/+15
| | | | | | | | | | | * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt
* Support webauthn (#17957)Lunny Xiao2022-01-143-3/+8
| | | | | | | Migrate from U2F to Webauthn Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Increase Salt randomness (#18179)Gusted2022-01-041-1/+3
| | | | | | | | | | | - The current implementation of `RandomString` doesn't give you a most-possible unique randomness. It gives you 6*`length` instead of the possible 8*`length` bits(or as `length`x bytes) randomness. This is because `RandomString` is being limited to a max value of 63, this in order to represent the random byte as a letter/digit. - The recommendation of pbkdf2 is to use 64+ bit salt, which the `RandomString` doesn't give with a length of 10, instead of increasing 10 to a higher number, this patch adds a new function called `RandomBytes` which does give you the guarentee of 8*`length` randomness and thus corresponding of `length`x bytes randomness. - Use hexadecimal to store the bytes value in the database, as mentioned, it doesn't play nice in order to convert it to a string. This will always be a length of 32(with `length` being 16). - When we detect on `Authenticate`(source: db) that a user has the old format of salt, re-hash the password such that the user will have it's password hashed with increased salt. Thanks to @zeripath for working out the rouge edges from my first commit 😄. Co-authored-by: lafriks <lauris@nix.lv> Co-authored-by: zeripath <art27@cantab.net>
* Refactor auth package (#17962)Lunny Xiao2022-01-0225-129/+129
|
* Reset Session ID on login (#18018)zeripath2021-12-202-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Reset Session ID on login When logging in the SessionID should be reset and the session cleaned up. Signed-off-by: Andrew Thornton <art27@cantab.net> * with new session.RegenerateID function Signed-off-by: Andrew Thornton <art27@cantab.net> * update go-chi/session Signed-off-by: Andrew Thornton <art27@cantab.net> * Ensure that session id is changed after oauth data is set and between account linking pages too Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net> * as per review Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add Option to synchronize Admin & Restricted states from OIDC/OAuth2 along ↵zeripath2021-12-144-16/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | with Setting Scopes (#16766) * Add setting to OAuth handlers to override local 2FA settings This PR adds a setting to OAuth and OpenID login sources to allow the source to override local 2FA requirements. Fix #13939 Signed-off-by: Andrew Thornton <art27@cantab.net> * Fix regression from #16544 Signed-off-by: Andrew Thornton <art27@cantab.net> * Add scopes settings Signed-off-by: Andrew Thornton <art27@cantab.net> * fix trace logging in auth_openid Signed-off-by: Andrew Thornton <art27@cantab.net> * add required claim options Signed-off-by: Andrew Thornton <art27@cantab.net> * Move UpdateExternalUser to externalaccount Signed-off-by: Andrew Thornton <art27@cantab.net> * Allow OAuth2/OIDC to set Admin/Restricted status Signed-off-by: Andrew Thornton <art27@cantab.net> * Allow use of the same group claim name for the prohibit login value Signed-off-by: Andrew Thornton <art27@cantab.net> * fixup! Move UpdateExternalUser to externalaccount * as per wxiaoguang Signed-off-by: Andrew Thornton <art27@cantab.net> * add label back in Signed-off-by: Andrew Thornton <art27@cantab.net> * adjust localisation Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Move keys to models/asymkey (#17917)Lunny Xiao2021-12-102-10/+10
| | | | | | | | | | | | | | | | | | | * Move keys to models/keys * Rename models/keys -> models/asymkey * change the missed package name * Fix package alias * Fix test * Fix docs * Fix test * Fix test * merge
* Move repository model into models/repo (#17933)Lunny Xiao2021-12-105-10/+5
| | | | | | | | | | | | | | | * Some refactors related repository model * Move more methods out of repository * Move repository into models/repo * Fix test * Fix test * some improvements * Remove unnecessary function
* Move more model into models/user (#17826)Lunny Xiao2021-11-281-2/+1
| | | | | | | | * Move more model into models/user * Remove unnecessary comment Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix code formating (#17830)mscherer2021-11-271-3/+3
| | | * fix formatter, format imports first, then go fmt
* Move user related model into models/user (#17781)Lunny Xiao2021-11-2419-96/+108
| | | | | | | | | | | | | * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge
* Remove unnecessary attributes of User struct (#17745)Lunny Xiao2021-11-224-8/+13
| | | | | | | | | | | | | | | * Remove unnecessary functions of User struct * Move more database methods out of user struct * Move more database methods out of user struct * Fix template failure * Fix bug * Remove finished FIXME * remove unnecessary code
* Extract constant names out for the ReverseProxy and Basic authentication ↵zeripath2021-11-202-2/+8
| | | | | | | | | methods (#17735) In order to reduce load on the GC extract out the constant names of the Basic and ReverseProxy methods. As mentioned in https://github.com/go-gitea/gitea/pull/15119#discussion_r730352176 Signed-off-by: Andrew Thornton <art27@cantab.net>
* A better go code formatter, and now `make fmt` can run in Windows (#17684)wxiaoguang2021-11-173-2/+3
| | | | * go build / format tools * re-format imports
* Minor readability patch. (#17627)Michael Grigoryan2021-11-121-1/+1
|
* Move EmailAddress & UserRedirect into models/user/ (#17607)Lunny Xiao2021-11-112-3/+5
| | | | | | | | | | | | | | | | | | | | | * Move EmailAddress into models/user/ * Fix test * rename user_mail to user_email * Fix test * Move UserRedirect into models/user/ * Fix lint & test * Fix lint * Fix lint * remove nolint comment * Fix lint
* Move oauth2 error to oauth2 service package (#17603)Lunny Xiao2021-11-111-2/+19
|
* Move webhook into models/webhook/ (#17579)Lunny Xiao2021-11-102-5/+6
|
* Simplify Gothic to use our session store instead of creating a different ↵zeripath2021-11-032-18/+98
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | store (#17507) * Simplify Gothic to use our session store instead of creating a different store We have been using xormstore to provide a separate session store for our OAuth2 logins however, this relies on using gorilla context and some doubling of our session storing. We can however, simplify and simply use our own chi-based session store. Thus removing a cookie and some of the weirdness with missing contexts. Signed-off-by: Andrew Thornton <art27@cantab.net> * as per review Signed-off-by: Andrew Thornton <art27@cantab.net> * as per review Signed-off-by: Andrew Thornton <art27@cantab.net> * Handle MaxTokenLength Signed-off-by: Andrew Thornton <art27@cantab.net> * oops Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lauris BH <lauris@nix.lv>
* Add groups scope/claim to OIDC/OAuth2 Provider (#17367)Nico Schieder2021-10-221-0/+3
| | | | | | | | | | | * Add groups scope/claim to OICD/OAuth2 Add support for groups claim as part of the OIDC/OAuth2 flow. Groups is a list of "org" and "org:team" strings to allow clients to authorize based on the groups a user is part of. Signed-off-by: Nico Schieder <code@nico-schieder.de> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Use a variable but a function for IsProd because of a slight performance ↵Lunny Xiao2021-10-201-1/+1
| | | | increment (#17368)
* Avatar refactor, move avatar code from `models` to `models.avatars`, remove ↵wxiaoguang2021-10-061-1/+2
| | | | | | | | | | | | | | | | duplicated code (#17123) Why this refactor The goal is to move most files from `models` package to `models.xxx` package. Many models depend on avatar model, so just move this first. And the existing logic is not clear, there are too many function like `AvatarLink`, `RelAvatarLink`, `SizedRelAvatarLink`, `SizedAvatarLink`, `MakeFinalAvatarURL`, `HashedAvatarLink`, etc. This refactor make everything clear: * user.AvatarLink() * user.AvatarLinkWithSize(size) * avatars.GenerateEmailAvatarFastLink(email, size) * avatars.GenerateEmailAvatarFinalLink(email, size) And many duplicated code are deleted in route handler, the handler and the model share the same avatar logic now.
* Allow LDAP Sources to provide Avatars (#16851)zeripath2021-09-264-6/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Allow LDAP Sources to provide Avatars Add setting to LDAP source to allow it to provide an Avatar. Currently this is required to point to the image bytes. Fix #4144 Signed-off-by: Andrew Thornton <art27@cantab.net> * Rename as Avatar Attribute (drop JPEG) Signed-off-by: Andrew Thornton <art27@cantab.net> * Always synchronize avatar if there is change Signed-off-by: Andrew Thornton <art27@cantab.net> * Actually get the avatar from the ldap Signed-off-by: Andrew Thornton <art27@cantab.net> * clean-up Signed-off-by: Andrew Thornton <art27@cantab.net> * use len()>0 rather than != "" Signed-off-by: Andrew Thornton <art27@cantab.net> * slight shortcut in IsUploadAvatarChanged Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add SkipLocal2FA option to pam and smtp sources (#17078)zeripath2021-09-266-4/+16
| | | | | | | | | | | | | * Add SkipLocal2FA option to other pam and smtp sources Extend #16954 to allow setting skip local 2fa on pam and SMTP authentication sources Signed-off-by: Andrew Thornton <art27@cantab.net> * make SkipLocal2FA omitempty Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
* Move login related structs and functions to models/login (#17093)Lunny Xiao2021-09-2422-78/+135
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Move login related structs and functions to models/login * Fix test * Fix lint * Fix lint * Fix lint of windows * Fix lint * Fix test * Fix test * Only load necessary fixtures when preparing unit tests envs * Fix lint * Fix test * Fix test * Fix error log * Fix error log * Fix error log * remove unnecessary change * fix error log * merge main branch
* refactor: move from io/ioutil to io and os package (#17109)Eng Zer Jun2021-09-221-2/+1
| | | | | | | | | The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Move db related basic functions to models/db (#17075)Lunny Xiao2021-09-194-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | * Move db related basic functions to models/db * Fix lint * Fix lint * Fix test * Fix lint * Fix lint * revert unnecessary change * Fix test * Fix wrong replace string * Use *Context * Correct committer spelling and fix wrong replaced words Co-authored-by: zeripath <art27@cantab.net>
* Make LDAP be able to skip local 2FA (#16954)zeripath2021-09-177-15/+34
| | | | | | This PR extends #16594 to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Improve LDAP synchronization efficiency (#16994)zeripath2021-09-152-18/+28
| | | | | | | The current LDAP sync routine has order n^2 efficiency. This change reduces this to order n.log n. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Report the associated filter if there is an error in LDAP (#17014)zeripath2021-09-111-2/+2
| | | | | | If there is an error when performing the admin or restricted filter search ensure that the filter and the userDN are reported. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add setting to OAuth handlers to skip local 2FA authentication (#16594)zeripath2021-09-101-0/+1
| | | | | | | | This PR adds a setting to OAuth and OpenID login sources to allow the source to skip local 2FA authentication. Fix #13939 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Allow BASIC authentication access to /:owner/:repo/releases/download/* (#16916)zeripath2021-09-024-10/+14
| | | | | | | Duplicate #15987 to allow access to releases download through BASIC authentication. Fix #16914 Signed-off-by: Andrew Thornton <art27@cantab.net>
* Decoupled code from DefaultSigningKey (#16743)KN4CK3R2021-08-272-9/+9
| | | Decoupled code from `DefaultSigningKey`. Makes testing a little bit easier and is cleaner.
* Add EdDSA JWT signing algorithm (#16786)Aliaksandr Mianzhynski2021-08-251-6/+73
| | | | | | | | * Add EdDSA signing algorithm * Fix typo Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add bundle download for repository (#14538)John Olheiser2021-08-241-0/+1
| | | | | | | | | | | | | | | | | * Add bundle download Signed-off-by: jolheiser <john.olheiser@gmail.com> * Fix fmt Signed-off-by: jolheiser <john.olheiser@gmail.com> * Fix build tags Signed-off-by: jolheiser <john.olheiser@gmail.com> * Download specific commit Signed-off-by: jolheiser <john.olheiser@gmail.com>
* Fix openidConnect source regression from #16544 (#16759)zeripath2021-08-221-1/+1
| | | | | | | | | Unfortunately there is bug in #16544 meaning that openid connects aren't being matched properly as the capitalisation in that PR is incorrect. This PR changes the capitalisation back to what is expected. Signed-off-by: Andrew Thornton <art27@cantab.net>
* Added introspection endpoint. (#16752)KN4CK3R2021-08-201-1/+11
| | | Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Use github token URL when fetching oauth token (#16709)techknowlogick2021-08-171-1/+1
| | | Fixes regression from #16544
* Send registration email on user autoregistration (#16523)zeripath2021-08-125-3/+32
| | | | | | | | | | | When users login and are autoregistered send email notification. Fix #16178 * Protect public functions within the mailer by testing if the mailer is configured Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
* Improve SMTP authentication and Fix user creation bugs (#16612)zeripath2021-08-114-37/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * Improve SMTP authentication, Fix user creation bugs and add LDAP cert/key options This PR has two parts: Improvements for SMTP authentication: * Default to use SMTPS if port is 465, and allow setting of force SMTPS. * Always use STARTTLS if available * Provide CRAM-MD5 mechanism * Add options for HELO hostname disabling * Add options for providing certificates and keys * Handle application specific password response as a failed user login instead of as a 500. Close #16104 Fix creation of new users: * A bug was introduced when allowing users to change usernames which prevents the creation of external users. * The LoginSource refactor also broke this page. Close #16104 Signed-off-by: Andrew Thornton <art27@cantab.net>
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-12 10:45:32 +0000