forgejo/modules
Gusted 64f053f383
[SECURITY] Rework long-term authentication
- This is a 'front-port' of the already existing patch on v1.21 and
v1.20, but applied on top of what Gitea has done to rework the LTA
mechanism. Forgejo will stick with the reworked mechanism by the Forgejo
Security team for the time being. The removal of legacy code (AES-GCM) has been
left out.
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit e3d6622a63)
(cherry picked from commit fef1a6dac5)
(cherry picked from commit b0c5165145)
(cherry picked from commit 7ad51b9f8d)
2023-12-18 15:12:41 +01:00
..
actions
activitypub
analyze
assetfs
auth
avatar
base
cache
charset
container
context
contexttest
csv
doctor
emoji
eventsource
generate
git
gitgraph
graceful
hcaptcha
highlight
hostmatcher
html
httpcache
httplib
indexer
issue/template
json
label
lfs
log
markup
mcaptcha
metrics
migration
nosql
options
packages
paginator
pprof
private
process
proxy
proxyprotocol
public
queue
recaptcha
references
regexplru
repository
secret
session
setting
sitemap
ssh
storage
structs
svg
sync
system
templates
test
testlogger
timeutil
translation
turnstile
typesniffer
updatechecker
upload
uri
user
util
validation
web
webhook