forgejo/routers
BtbN fd849bb9f2 Reject password reset attempts for OAuth2 users without a current password (#9060)
Currently, if a user signed up via OAuth2 and then somehow gets their e-mail account compromised, their Forgejo account can be taken over by requesting a password reset for their Forgejo account.
This PR changes the logic so that a password reset request is denied for a user using OAuth2 if they do not already have a password set, which should be the case for all users who only ever log in via their auth provider.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9060
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: BtbN <btbn@btbn.de>
Co-committed-by: BtbN <btbn@btbn.de>
2025-09-12 00:08:29 +02:00
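The rule the commit describes, written out as a stand-alone decision function so the four cases (local account, OAuth2 account without a password, OAuth2 account with a password, unknown address) can be checked side by side. This is an added example, not Forgejo's code: the `LoginType`, `User`, `Directory`, `CanResetPassword` and `ForgotPassword` names are hypothetical, and the sample directory is constructed inline. The choice to return a single boolean and let the caller show one generic message is this example's own hardening against account enumeration; the commit message does not specify it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LoginType stands in for the authentication source of an account.
// Hypothetical names for this example, not Forgejo's own types.
type LoginType int

const (
	LoginPlain  LoginType = iota // local username/password account
	LoginOAuth2                  // account created through an OAuth2 provider
)

// User is a minimal stand-in for an account record (hypothetical).
type User struct {
	Email     string
	LoginType LoginType
	// PasswordHash is empty when no local password has ever been set,
	// the normal state for accounts that only ever logged in via OAuth2.
	PasswordHash string
	IsActive     bool
}

// IsPasswordSet reports whether a local password exists for the account.
func (u *User) IsPasswordSet() bool { return u.PasswordHash != "" }

var ErrResetNotAllowed = errors.New("password reset not allowed for this account")

// CanResetPassword encodes the rule from the commit: an OAuth2 user may
// request a reset only if a local password already exists. Without this
// check a compromised mailbox is enough to bolt a password onto an
// account that was never meant to have one and log in with it directly.
func CanResetPassword(u *User) error {
	if !u.IsActive {
		return ErrResetNotAllowed
	}
	if u.LoginType == LoginOAuth2 && !u.IsPasswordSet() {
		return ErrResetNotAllowed
	}
	return nil
}

// Directory stands in for the user store, keyed by lower-case e-mail.
type Directory map[string]*User

// ForgotPassword is the request-side decision: should a reset mail go out?
// It deliberately collapses "unknown address" and "reset denied" into the
// same false result so the caller can show one generic message and the
// response does not reveal which branch was taken (this example's choice).
func ForgotPassword(dir Directory, email string) bool {
	u, ok := dir[strings.ToLower(strings.TrimSpace(email))]
	if !ok {
		return false
	}
	return CanResetPassword(u) == nil
}

// SampleDirectory builds constructed test accounts covering each case.
func SampleDirectory() Directory {
	return Directory{
		// local account with a password: reset allowed
		"alice@example.com": {Email: "alice@example.com", LoginType: LoginPlain, PasswordHash: "$argon2id$...", IsActive: true},
		// OAuth2-only account, never set a password: reset denied
		"bob@example.com": {Email: "bob@example.com", LoginType: LoginOAuth2, IsActive: true},
		// OAuth2 account that later set a local password: reset allowed
		"carol@example.com": {Email: "carol@example.com", LoginType: LoginOAuth2, PasswordHash: "$argon2id$...", IsActive: true},
		// deactivated local account: reset denied
		"dave@example.com": {Email: "dave@example.com", LoginType: LoginPlain, PasswordHash: "$argon2id$...", IsActive: false},
	}
}

func main() {
	dir := SampleDirectory()
	for _, addr := range []string{"alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com", "nobody@example.com"} {
		fmt.Printf("%-20s send reset mail: %v\n", addr, ForgotPassword(dir, addr))
	}
}
```

Note that the check keys on "has a local password", not on "is an OAuth2 user": an OAuth2 user who deliberately added a password still gets the normal reset flow, which is exactly the distinction the commit draws.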
api fix(api): set default pagination and Link header for repoListTags (#9201) 2025-09-09 02:24:07 +02:00
common feat: add tracing logs after process is complete (#8680) 2025-07-26 05:44:58 +02:00
install chore: use sharp to generate images (#7512) 2025-04-11 15:12:50 +00:00
private feat(log): better parseable and configurable ssh-logs (#9056) 2025-09-11 18:59:24 +02:00
utils [PORT] drop utils.IsExternalURL (and expand IsRiskyRedirectURL tests) (#3167) 2024-04-15 13:03:08 +00:00
web Reject password reset attempts for OAuth2 users without a current password (#9060) 2025-09-12 00:08:29 +02:00
init.go Add ActivityPub Person follow from distant (#8720) 2025-08-03 11:55:01 +02:00