forgejo/routers/web
BtbN fd849bb9f2 Reject password reset attempts for OAuth2 users without a current password (#9060)
Currently, if a user signed up via OAuth2 and then somehow gets their E-Mail account compromised, their Forgejo account can be taken over by requesting a password reset for their Forgejo account.
This PR changes the logic so that a password reset request is denied for a user using OAuth2 if they do not already have a password set, which should be the case for all users who only ever log in via their Auth-Provider.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9060
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: BtbN <btbn@btbn.de>
Co-committed-by: BtbN <btbn@btbn.de>
2025-09-12 00:08:29 +02:00
..
admin chore: add email blocklist unit test 2025-08-30 09:45:19 +02:00
auth Reject password reset attempts for OAuth2 users without a current password (#9060) 2025-09-12 00:08:29 +02:00
devtest chore(ui): clean up hashbox CSS, small design changes (#7822) 2025-05-25 12:51:27 +02:00
events chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
explore fix(code-search): fix broken pagination. (#9000) 2025-08-23 13:06:41 +02:00
feed fix: correct release link in feed (#8802) 2025-08-06 17:51:36 +02:00
healthcheck chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
misc feat: bump the minimum required Git version from 2.0.0 to 2.34.1 (#8328) 2025-06-29 00:44:18 +02:00
moderation feat!: Abusive content reporting (#6977) 2025-05-18 08:05:16 +00:00
org feat: allow any README for .profile (#8798) 2025-09-01 13:58:00 +02:00
repo Update module code.forgejo.org/forgejo/runner/v9 to v11 (forgejo) (#9218) 2025-09-10 22:02:55 +02:00
shared fix: package cleanup rules are not applied when there are more than 200 packages (depends on MAX_RESPONSE_ITEMS) (#9219) 2025-09-09 17:39:35 +02:00
user feat: allow any README for .profile (#8798) 2025-09-01 13:58:00 +02:00
base.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
githttp.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
goget.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
home.go feat: Global 2FA enforcement (#8753) 2025-08-15 10:56:45 +02:00
metrics.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
nodeinfo.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
swagger_json.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
web.go feat: ability to view previous logs for Actions runs that have been retried (#9017) 2025-09-04 22:46:22 +02:00
webfinger.go fix: trim trailing slash in WebFinger OIDC issuer link (#8794) 2025-08-06 14:50:51 +02:00