forgejo/services
Gusted b770282d45
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.

(cherry picked from commit 1ce33aa38d)

v7: Removed migration - XORM can handle this case automatically without migration.

assert.Equal(t, `doesnotexist@example.com`, msgs[0].To) in tests
because v7 does not include the user name to the recipient.
2024-11-15 12:02:14 +01:00
..
actions enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
agit fix(agit): run full pr checks on force-push 2024-08-13 18:26:33 +00:00
asymkey enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
attachment enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
auth fix: Fix to delete cookie when AppSubURL is non-empty (#30375) (#30469) 2024-04-21 17:39:14 +02:00
automerge Simplify how git repositories are opened (#28937) 2024-01-27 21:09:51 +01:00
context fix: extend forgejo_auth_token table 2024-11-15 12:02:14 +01:00
contexttest enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
convert enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
cron enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
doctor fix: extend forgejo_auth_token table 2024-11-15 12:02:14 +01:00
externalaccount Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
feed enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
forgejo enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
forms Return access_denied error when an OAuth2 request is denied (#30974) 2024-06-05 17:19:22 +02:00
gitdiff enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
indexer Update issue indexer after merging a PR (#30715) 2024-05-14 16:00:57 +02:00
issue enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
lfs Fix #31185 try fix lfs download from bitbucket failed (#31201) 2024-08-18 07:01:03 +02:00
mailer fix: extend forgejo_auth_token table 2024-11-15 12:02:14 +01:00
markup enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
migrations enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
mirror test(mock): DeletePushMirrors & AddPushMirrorRemote 2024-06-02 15:45:31 +00:00
notify Clean up log messages (#30313) 2024-04-15 16:11:14 +02:00
org enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
packages [SEC] Ensure propagation of API scopes for Conan and Container authentication 2024-08-28 08:44:58 +00:00
pull fix(agit): run full pr checks on force-push 2024-08-13 18:26:33 +00:00
release enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
repository security: add permission check to 'delete branch after merge' 2024-10-28 06:32:10 +01:00
secrets Refactor deletion (#28610) 2023-12-25 21:25:29 +01:00
task Fix incorrect ctx usage in defer function (#27740) 2023-10-22 14:12:27 +00:00
uinotification Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
user fix: extend forgejo_auth_token table 2024-11-15 12:02:14 +01:00
webhook enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
wiki enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00