mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-29 18:34:25 +01:00
1ce33aa38d
- Add a `purpose` column, this allows the `forgejo_auth_token` table to be used by other parts of Forgejo, while still enjoying the no-compromise architecture. - Remove the 'roll your own crypto' time limited code functions and migrate them to the `forgejo_auth_token` table. This migration ensures generated codes can only be used for their purpose and ensure they are invalidated after their usage by deleting it from the database, this also should help making auditing of the security code easier, as we're no longer trying to stuff a lot of data into a HMAC construction. -Helper functions are rewritten to ensure a safe-by-design approach to these tokens. - Add the `forgejo_auth_token` to dbconsistency doctor and add it to the `deleteUser` function. - TODO: Add cron job to delete expired authorization tokens. - Unit and integration tests added.
56 lines
1.7 KiB
Go
56 lines
1.7 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package context
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/timeutil"
|
|
"code.gitea.io/gitea/modules/web/middleware"
|
|
)
|
|
|
|
const CookieNameFlash = "gitea_flash"
|
|
|
|
func removeSessionCookieHeader(w http.ResponseWriter) {
|
|
cookies := w.Header()["Set-Cookie"]
|
|
w.Header().Del("Set-Cookie")
|
|
for _, cookie := range cookies {
|
|
if strings.HasPrefix(cookie, setting.SessionConfig.CookieName+"=") {
|
|
continue
|
|
}
|
|
w.Header().Add("Set-Cookie", cookie)
|
|
}
|
|
}
|
|
|
|
// SetSiteCookie convenience function to set most cookies consistently
|
|
// CSRF and a few others are the exception here
|
|
func (ctx *Context) SetSiteCookie(name, value string, maxAge int) {
|
|
middleware.SetSiteCookie(ctx.Resp, name, value, maxAge)
|
|
}
|
|
|
|
// DeleteSiteCookie convenience function to delete most cookies consistently
|
|
// CSRF and a few others are the exception here
|
|
func (ctx *Context) DeleteSiteCookie(name string) {
|
|
middleware.SetSiteCookie(ctx.Resp, name, "", -1)
|
|
}
|
|
|
|
// GetSiteCookie returns given cookie value from request header.
|
|
func (ctx *Context) GetSiteCookie(name string) string {
|
|
return middleware.GetSiteCookie(ctx.Req, name)
|
|
}
|
|
|
|
// SetLTACookie will generate a LTA token and add it as an cookie.
|
|
func (ctx *Context) SetLTACookie(u *user_model.User) error {
|
|
days := 86400 * setting.LogInRememberDays
|
|
lookup, validator, err := auth_model.GenerateAuthToken(ctx, u.ID, timeutil.TimeStampNow().Add(int64(days)), auth_model.LongTermAuthorization)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
ctx.SetSiteCookie(setting.CookieRememberName, lookup+":"+validator, days)
|
|
return nil
|
|
}
|