forgejo/services/auth
Gusted 85e839e21d
fix: require password login for creation of new token
- The creation of new API tokens for users via the API is guarded behind
an extra check. This extra check makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in an API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
2025-08-30 09:27:28 +02:00
..
source feat: add option to allow non-local users to change usernames (#8714) 2025-08-06 20:25:13 +02:00
additional_scopes_test.go tests additional grant scopes 2024-08-09 14:58:15 +02:00
auth.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
auth_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
basic.go fix: require password login for creation of new token 2025-08-30 09:27:28 +02:00
group.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
httpsign.go chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994) 2025-05-29 17:34:29 +02:00
interface.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
main_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
oauth2.go Revert "feat: remove API authentication methods that uses the URL query (#7924)" (#8633) 2025-07-24 17:19:24 +02:00
oauth2_test.go fix: ASCII equal fold for authorization header (#8391) 2025-07-09 23:01:03 +02:00
reverseproxy.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
reverseproxy_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
session.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
signin.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
source.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
sync.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00