mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-03 17:30:04 +03:00
51988ef52b
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.
(cherry-pick from
|
||
|---|---|---|
| .. | ||
| actions.go | ||
| actions_test.go | ||
| admin.go | ||
| api.go | ||
| asset_dynamic.go | ||
| asset_static.go | ||
| attachment.go | ||
| attachment_test.go | ||
| cache.go | ||
| camo.go | ||
| config_env.go | ||
| config_env_test.go | ||
| config_provider.go | ||
| config_provider_test.go | ||
| cors.go | ||
| cron.go | ||
| cron_test.go | ||
| database.go | ||
| database_sqlite.go | ||
| database_test.go | ||
| federation.go | ||
| forgejo_storage_test.go | ||
| git.go | ||
| git_test.go | ||
| highlight.go | ||
| i18n.go | ||
| incoming_email.go | ||
| indexer.go | ||
| indexer_test.go | ||
| lfs.go | ||
| lfs_test.go | ||
| log.go | ||
| log_test.go | ||
| mailer.go | ||
| mailer_test.go | ||
| markup.go | ||
| metrics.go | ||
| migrations.go | ||
| mime_type_map.go | ||
| mirror.go | ||
| oauth2.go | ||
| other.go | ||
| packages.go | ||
| packages_test.go | ||
| path.go | ||
| path_test.go | ||
| picture.go | ||
| project.go | ||
| proxy.go | ||
| queue.go | ||
| repository.go | ||
| repository_archive.go | ||
| repository_archive_test.go | ||
| security.go | ||
| server.go | ||
| service.go | ||
| service_test.go | ||
| session.go | ||
| setting.go | ||
| setting_test.go | ||
| ssh.go | ||
| storage.go | ||
| storage_test.go | ||
| task.go | ||
| time.go | ||
| ui.go | ||
| webhook.go | ||