Commit graph

3 commits

Author SHA1 Message Date
Gusted
c6a53c3172
[SECURITY] Rework long-term authentication
- This is a 'front-port' of the already existing patch on v1.21 and
v1.20, but applied on top of what Gitea has done to rework the LTA
mechanism. Forgejo will stick with the reworked mechanism by the Forgejo
Security team for the time being. The removal of legacy code (AES-GCM) has been
left out.
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus it provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired by: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit e3d6622a63da9c33eed1e3d102cf28a92ff653d6)
(cherry picked from commit fef1a6dac5e25579e42d40209c4cfc06879948b9)
(cherry picked from commit b0c5165145fa52f2f7bbec1f50b308bdf1d20ef3)
(cherry picked from commit 7ad51b9f8d0647eecacd258f6ee26155da3872e1)
(cherry picked from commit 64f053f3834e764112cde26bb0d16c5e88d6b2af)
(cherry picked from commit f5e78e4c204ce50b800645d614218b6b6096eecb)

Conflicts:
	services/auth/auth_token_test.go
	https://codeberg.org/forgejo/forgejo/pulls/2069
(cherry picked from commit f69fc23d4bbadf388c7857040ee0774b824e418e)
(cherry picked from commit d955ab3ab02cbb7f1245a8cddec426d64d3ac500)
(cherry picked from commit 9220088f902a25c4690bcabf5a40a8d02e784182)
(cherry picked from commit c73ac636962c41c71814c273510146f0533264ab)
(cherry picked from commit 747a176048ea93085b406429db0e25bb21912eda)

Conflicts:
	models/user/user.go
	routers/web/user/setting/account.go
	https://codeberg.org/forgejo/forgejo/pulls/2295
2024-02-05 15:06:15 +01:00
Gusted
76c7df9630
[DB] forgejo migration v1: add blocked user migration
(cherry picked from commit 66afddd511d2821f648919925ea365cd085e4e77)
(cherry picked from commit 19da0dee9df87cb946d1c8e25b917f7283d95302)
(cherry picked from commit 0b725af693828bd7705b09433fb25d974fbb820e)
(cherry picked from commit 64d4de2b664a9f406b2927c6e6b465ee2b3a8915)
(cherry picked from commit 05bc9d3b7f8d00a37b41615f9caccca84a98c0ee)
(cherry picked from commit 5958553066d275c767018454fbed9470c2cf473d)
(cherry picked from commit c4f77e26c913eb3293bc702e1c65e2d09757cfe1)
(cherry picked from commit 3034832c6637965bf70c766d9169ca3c28c27cd3)
(cherry picked from commit d48931ec5b677989f8b2ef91752b2e3ef25ff2a2)
(cherry picked from commit b1e0d53c28369666367e2629b4226338a111e0e2)
(cherry picked from commit e3de35fe15c33d87f1a33e193fa7e038c5e3a724)
(cherry picked from commit 3b2712c3d6bd0884166787e8c257305d54247112)
(cherry picked from commit 00c6940851ca270934a95de0ccfff2eadf41096f)
(cherry picked from commit ac56c7a202b934d8d46d2eb578d83e953f3b50f5)
(cherry picked from commit d957fb66de9bb8d04cf184c88b4a3ca2ab7728eb)
(cherry picked from commit 01e9125f1b172c8a78a380c611d2244df104178f)
(cherry picked from commit 71675caecb545cda069d766f16feb6bd6924e9ec)
(cherry picked from commit 0313d02e50ee64729fdd3aa661b481ae5d32c029)
(cherry picked from commit d2952769c1217b984936a1bf6a0d4f072217e122)
(cherry picked from commit 63d080cdcfcaac34aa5a3040e00d33506224c112)
(cherry picked from commit 43ced29b28c2631d0d5ec7320ab7b40d9f8e06c9)
(cherry picked from commit e556074abdc39ec02156de47492a35ae3e278b9f)
(cherry picked from commit 165409d8ff75a06563447d490d66c69984e4a04a)
(cherry picked from commit 0a3f370162dcb6c945095864248b8dc55208120f)
2024-02-05 14:44:33 +01:00
Earl Warren
40b99a5f89
[DB] forgejo migration v2: create the forgejo_sem_ver table
(cherry picked from commit 86b26436af85e0eedb732e115e8be024e1d54ca6)
(cherry picked from commit 479cba59aca2b3b73a83e5acc0b754906230f0b2)
(cherry picked from commit 4765f9a889ce7324416b51e7d4524b2368459752)
(cherry picked from commit af771410bfaa511bbc97cbfeefbb279b3836158d)
(cherry picked from commit d1ea9305d8d653d637cbde6d383c095bdc4991f0)
(cherry picked from commit f77e1bb7abd6054851b811fc0d71bf0130085353)
(cherry picked from commit 0b95f8fe899ce14e19e5aeccd3e53e21b8bf8fc1)
(cherry picked from commit 4f8fb2390a415d2f9319c9f23ff653c31efd2409)
(cherry picked from commit 8ea0e22ff6e09f1e46d9a10f1325f7c6997c018b)
(cherry picked from commit 43ac19ac59044210906c96857194231ca7804c92)
(cherry picked from commit 0d2f63df4f9579c62ed21c807c53e689b1c71dbb)
(cherry picked from commit d02a8036fda2bfcf8791366198e25735547d6b3f)
(cherry picked from commit 1fe4c7db941b892df38be12249d4898248ff016e)
(cherry picked from commit d641cdeaf0f77ef12fb5fe5c27c20804757a74ef)
(cherry picked from commit 10e8a4f8b864961a700f2c3e6c816489bf4e4ac4)
(cherry picked from commit 8097bc40b3f90ed959adc9edd1982e5867856397)
(cherry picked from commit ee5cb37d7e9567c129fcf2a606175d425dacace1)
(cherry picked from commit 26d93b8e49270440a940cd2e12b36c449644af94)
(cherry picked from commit bc73195e5945a89bedb2faac579eac2cc403195e)
(cherry picked from commit a763fa5de29e6e5986e0f4971e0a9696aa98a024)
(cherry picked from commit 4b000cb435b1ddec2aee901b9d257e0af87b7698)
(cherry picked from commit 9f6d20e73f73fefd78e64d8fc11af9118bef9557)
(cherry picked from commit b5001edeeabf29d5b494da32fc09fa911b38cdb8)
(cherry picked from commit 76321718328532a4ed85a04839c339dd42b87d42)
(cherry picked from commit 816c5b0c4e7c599d513033bf5eb01bb6259dd144)
2024-02-05 14:44:33 +01:00