summaryrefslogtreecommitdiffstats
path: root/services/auth
Commit message (Collapse)AuthorAgeFilesLines
* allow the actions user to login via the jwt token (#32527) (#32580)Rowan Bohde2024-11-212-0/+78
| | | | | | | | | | | | | | | | | | Backport #32527 We have some actions that leverage the Gitea API that began receiving 401 errors, with a message that the user was not found. These actions use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to authenticate with the Gitea API. The format of this env var in actions jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a corresponding update to `act_runner`) Since it was a JWT, the OAuth parsing logic attempted to parse it as an OAuth token, and would return user not found, instead of falling back to look up the running task and assigning it to the actions user. Make ACTIONS_RUNTIME_TOKEN in action runners could be used, attempting to parse Oauth JWTs. The code to parse potential old `ACTION_RUNTIME_TOKEN` was kept in case someone is running an older version of act_runner that doesn't support the Actions JWT.
* Fix basic auth with webauthn (#32531) (#32536)Giteabot2024-11-161-0/+10
| | | | | | | | | Backport #32531 by @lunny WebAuthn should behave the same way as TOTP. When enabled, basic auth with username/password should need to WebAuthn auth, otherwise returned 401. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Disable Oauth check if oauth disabled (#32368) (#32480)wxiaoguang2024-11-121-0/+3
| | | Partially backport Disable Oauth check if oauth disabled #32368
* Don't init singing keys if oauth2 provider disabled (#32177)Lunny Xiao2024-10-031-2/+6
| | | Backport #32148
* Fix nuget/conan/container packages upload bugs (#31967) (#31982)Giteabot2024-09-051-1/+26
| | | | | Backport #31967 by @lunny Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Enable more `revive` linter rules (#30608)silverwind2024-04-221-1/+0
| | | | | | | | | | | Noteable additions: - `redefines-builtin-id` forbid variable names that shadow go builtins - `empty-lines` remove unnecessary empty lines that `gofumpt` does not remove for some reason - `superfluous-else` eliminate more superfluous `else` branches Rules are also sorted alphabetically and I cleaned up various parts of `.golangci.yml`.
* fix: Fix to delete cookie when AppSubURL is non-empty (#30375)Jonathan Tran2024-04-141-1/+2
| | | | | | | | Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Kyle D <kdumontnu@gmail.com>
* Migrate margin and padding helpers to tailwind (#30043)silverwind2024-03-243-4/+4
| | | | | | | | | | | | | This will conclude the refactor of 1:1 class replacements to tailwind, except `gt-hidden`. Commands ran: ```bash perl -p -i -e 's#gt-(p|m)([lrtbxy])?-0#tw-$1$2-0#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-1#tw-$1$2-0.5#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-2#tw-$1$2-1#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-3#tw-$1$2-2#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-4#tw-$1$2-4#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-5#tw-$1$2-8#g' {web_src/js,templates,routers,services}/**/* ```
* Fix the bug that user may logout if he switch pages too fast (#29962)Lunny Xiao2024-03-211-17/+9
| | | | | | | | | | | | This PR fixed a bug when the user switching pages too fast, he will logout automatically. The reason is that when the error is context cancelled, the previous code think user hasn't login then the session will be deleted. Now it will return the errors but not think it's not login. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Replace more gt- with tw- (#29678)silverwind2024-03-081-1/+1
| | | This will conclude the trivial class replacements.
* Move some asymkey functions to service layer (#28894)Lunny Xiao2024-03-042-4/+6
| | | | After the moving, all models will not depend on `util.Rename` so that I can do next step refactoring.
* Add user blocking (#29028)KN4CK3R2024-03-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | Fixes #17453 This PR adds the abbility to block a user from a personal account or organization to restrict how the blocked user can interact with the blocker. The docs explain what's the consequence of blocking a user. Screenshots: ![grafik](https://github.com/go-gitea/gitea/assets/1666336/4ed884f3-e06a-4862-afd3-3b8aa2488dc6) ![grafik](https://github.com/go-gitea/gitea/assets/1666336/ae6d4981-f252-4f50-a429-04f0f9f1cdf1) ![grafik](https://github.com/go-gitea/gitea/assets/1666336/ca153599-5b0f-4b4a-90fe-18bdfd6f0b6b) --------- Co-authored-by: Lauris BH <lauris@nix.lv>
* remove util.OptionalBool and related functions (#29513)65432024-03-024-8/+7
| | | | | | and migrate affected code _last refactoring bits to replace **util.OptionalBool** with **optional.Option[bool]**_
* Move context from modules to services (#29440)Lunny Xiao2024-02-272-2/+2
| | | | | | | | | | | | | | | Since `modules/context` has to depend on `models` and many other packages, it should be moved from `modules/context` to `services/context` according to design principles. There is no logic code change on this PR, only move packages. - Move `code.gitea.io/gitea/modules/context` to `code.gitea.io/gitea/services/context` - Move `code.gitea.io/gitea/modules/contexttest` to `code.gitea.io/gitea/services/contexttest` because of depending on context - Move `code.gitea.io/gitea/modules/upload` to `code.gitea.io/gitea/services/context/upload` because of depending on context
* Revert "Support SAML authentication (#25165)" (#29358)65432024-02-249-560/+0
| | | | | | | | | | This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
* Fix tarball/zipball download bug (#29342)Zettat1232024-02-232-1/+6
| | | | | | | Fix #29249 ~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~ Apply #26430 to archive download URLs.
* Start to migrate from `util.OptionalBool` to `optional.Option[bool]` (#29329)65432024-02-236-13/+13
| | | just create transition helper and migrate two structs
* Support SAML authentication (#25165)techknowlogick2024-02-239-0/+560
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Closes https://github.com/go-gitea/gitea/issues/5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
* Fix c/p error in inline documentation (#29148)Johan Van de Wauw2024-02-191-1/+1
| | | | | | | Fix small copy/paste error in inline documentation --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Use general token signing secret (#29205)wxiaoguang2024-02-181-8/+1
| | | Use a clearly defined "signing secret" for token signing.
* Refactor JWT secret generating & decoding code (#29172)wxiaoguang2024-02-161-1/+2
| | | | | | | | Old code is not consistent for generating & decoding the JWT secrets. Now, the callers only need to use 2 consistent functions: NewJwtSecretWithBase64 and DecodeJwtSecretBase64 And remove a non-common function Base64FixedDecode from util.go
* Unify user update methods (#28733)KN4CK3R2024-02-043-25/+31
| | | | | | | | | | | Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
* Fix SSPI user creation (#28948)KN4CK3R2024-01-271-7/+3
| | | | | | Fixes #28945 Setting the avatar is wrong and creating a random password is equal to leave it empty.
* Refactor timeutil package (#28623)wxiaoguang2023-12-281-5/+5
| | | | | 1. make names more readable 2. remove unused FormatLong/FormatShort 3. use `FormatDate` instead of `Format "2006-01-02"`
* Deprecate query string auth tokens (#28390)Jack Hay2023-12-121-7/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](https://github.com/OAI/OpenAPI-Specification/issues/2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>
* Use db.Find instead of writing methods for every object (#28084)Lunny Xiao2023-11-246-6/+12
| | | | For those simple objects, it's unnecessary to write the find and count methods again and again.
* Unify two factor check (#27915)KN4CK3R2023-11-061-2/+22
| | | | | | | | Fixes #27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
* Refactor Find Sources and fix bug when view a user who belongs to an ↵Lunny Xiao2023-11-035-24/+44
| | | | | | | | | | | | unactive auth source (#27798) The steps to reproduce it. First, create a new oauth2 source. Then, a user login with this oauth2 source. Disable the oauth2 source. Visit users -> settings -> security, 500 will be displayed. This is because this page only load active Oauth2 sources but not all Oauth2 sources.
* Replace more db.DefaultContext (#27628)Lunny Xiao2023-10-151-4/+4
| | | Target #27065
* Final round of `db.DefaultContext` refactor (#27587)JakobDev2023-10-143-12/+16
| | | Last part of #27065
* Enhanced auth token / remember me (#27606)KN4CK3R2023-10-143-0/+244
| | | | | | | | | | | | | | | | | Closes #27455 > The mechanism responsible for long-term authentication (the 'remember me' cookie) uses a weak construction technique. It will hash the user's hashed password and the rands value; it will then call the secure cookie code, which will encrypt the user's name with the computed hash. If one were able to dump the database, they could extract those two values to rebuild that cookie and impersonate a user. That vulnerability exists from the date the dump was obtained until a user changed their password. > > To fix this security issue, the cookie could be created and verified using a different technique such as the one explained at https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies. The PR removes the now obsolete setting `COOKIE_USERNAME`.
* Penultimate round of `db.DefaultContext` refactor (#27414)JakobDev2023-10-116-14/+14
| | | | | | | Part of #27065 --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Fix attachment download bug (#27486)Lunny Xiao2023-10-105-12/+20
|
* Fix ldap admin privileges update bug (#27051)CaiCandong2023-10-011-10/+7
| | | | | | | | | | | | When the user does not set a username lookup condition, LDAP will get an empty string `""` for the user, hence the following code ``` if isExist, err := user_model.IsUserExist(db.DefaultContext, 0, sr.Username) ``` The user presence determination will always be nonexistent, so updates to user information will never be performed. Fix #27049
* Allow get release download files and lfs files with oauth2 token format (#26430)Lunny Xiao2023-10-011-1/+3
| | | | Fix #26165 Fix #25257
* Another round of `db.DefaultContext` refactor (#27103)JakobDev2023-09-253-6/+5
| | | | | | | Part of #27065 --------- Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Increase auth provider icon size on login page (#27122)silverwind2023-09-193-9/+11
| | | | | | | | | | | | | | | | | | Before, 20px: <img width="474" alt="Screenshot 2023-09-19 at 00 10 05" src="https://github.com/go-gitea/gitea/assets/115237/4bed4edb-219d-4844-9d3c-0d747033b09f"> After, 28px: <img width="576" alt="Screenshot 2023-09-19 at 00 20 40" src="https://github.com/go-gitea/gitea/assets/115237/f482ac09-38ae-4c84-80d9-0bd39b7f9772"> Dropdown in account settings is unchanged at 20px: <img width="157" alt="Screenshot 2023-09-19 at 00 09 11" src="https://github.com/go-gitea/gitea/assets/115237/9c998cdf-eeed-4118-9262-664faaa56092"> --------- Co-authored-by: Giteabot <teabot@gitea.io>
* Make SSPI auth mockable (#27036)wxiaoguang2023-09-173-16/+63
| | | | | | Before, the SSPI auth is only complied for Windows, it's difficult to test and it breaks a lot. Now, make the SSPI auth mockable and testable.
* More refactoring of `db.DefaultContext` (#27083)JakobDev2023-09-152-12/+12
| | | Next step of #27065
* Reduce usage of `db.DefaultContext` (#27073)JakobDev2023-09-1413-33/+41
| | | | | | | | | | | | | | Part of #27065 This reduces the usage of `db.DefaultContext`. I think I've got enough files for the first PR. When this is merged, I will continue working on this. Considering how many files this PR affect, I hope it won't take to long to merge, so I don't end up in the merge conflict hell. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Extract auth middleware from service (#27028)KN4CK3R2023-09-121-255/+0
| | | | | | Related #27027 Extract the router logic from `services/auth/middleware.go` into `routers/web` <-> `routers/common` <-> `routers/api`.
* Improve LDAP group config documentation, fixes #21159 (#21227)Sven Seeberg2023-09-051-4/+5
| | | | Improve the wording of the LDAP group attributes documentation and expand the examples.
* Remove `Named` interface (#26913)KN4CK3R2023-09-058-21/+4
| | | | `Named` is implemented by every `Method` and future implementations should implement the method too.
* Update team invitation email link (#26550)Jack Hay2023-08-311-2/+2
| | | | | Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
* Use `Set[Type]` instead of `map[Type]bool/struct{}`. (#26804)KN4CK3R2023-08-301-3/+4
|
* Use `object-fit: contain` for oauth2 custom icons (#26493)wxiaoguang2023-08-141-1/+1
|
* Handle base64 decoding correctly to avoid panic (#26483)wxiaoguang2023-08-141-10/+1
| | | Fix the panic if the "base64 secret" is too long.
* Bump github.com/golang-jwt/jwt to v5 (#25975)harryzcy2023-07-192-2/+5
| | | | | | | | | | | | | | | | Bumping `github.com/golang-jwt/jwt` from v4 to v5. `github.com/golang-jwt/jwt` v5 is bringing some breaking changes: - standard `Valid()` method on claims is removed. It's replaced by `ClaimsValidator` interface implementing `Validator()` method instead, which is called after standard validation. Gitea doesn't seem to be using this logic. - `jwt.Token` has a field `Valid`, so it's checked in `ParseToken` function in `services/auth/source/oauth2/token.go` --------- Co-authored-by: Giteabot <teabot@gitea.io>
* Fix SSPI auth panic (#25955)wxiaoguang2023-07-181-2/+2
| | | | | Try to fix #25952 Co-authored-by: Giteabot <teabot@gitea.io>
* Fix the error message when the token is incorrect (#25701)caicandong2023-07-112-24/+41
| | | | | | | | | | | | | | | we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Giteabot <teabot@gitea.io>