forgejo/routers/web/auth
BtbN fd849bb9f2 Reject password reset attempts for OAuth2 users without a current password (#9060)
Currently, if a user signed up via OAuth2 and then somehow gets their e-mail account compromised, their Forgejo account can be taken over by requesting a password reset for their Forgejo account.
This PR changes the logic so that a password reset request is denied for a user using OAuth2 if they do not already have a password set, which should be the case for all users who only ever log in via their auth provider.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9060
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: BtbN <btbn@btbn.de>
Co-committed-by: BtbN <btbn@btbn.de>
2025-09-12 00:08:29 +02:00
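To make the guard described in the commit message concrete, here is an added example in Go (the project's language). It is not Forgejo's own code: the `User` struct, the `LoginType` constants, `RequestReset` and the guard functions are all assumptions made for this illustration, and the sample accounts are constructed. It puts the pre-fix behaviour (any account matching the e-mail gets a reset) next to the fixed behaviour (an OAuth2 account with no local password is refused), so the takeover path through a compromised mailbox is visible in the "before" case and closed in the "after" case.

```go
package main

import (
	"errors"
	"fmt"
)

// LoginType stands in for the authentication source of an account.
// The names are assumptions for this example, not Forgejo identifiers.
type LoginType int

const (
	LoginPlain  LoginType = iota // local username/password account
	LoginOAuth2                  // account created through an OAuth2 provider
)

// User is a minimal stand-in for an account record.
type User struct {
	Name         string
	Email        string
	LoginType    LoginType
	PasswordHash string // empty when the user never set a local password
}

// ErrResetNotAllowed is returned both for unknown addresses and for accounts
// that may not reset, so the response does not reveal which e-mails exist.
var ErrResetNotAllowed = errors.New("password reset not allowed for this account")

// HasLocalPassword reports whether there is a local password to reset at all.
func (u *User) HasLocalPassword() bool { return u.PasswordHash != "" }

// canResetBefore reproduces the pre-fix behaviour: any existing account gets
// a reset token. An attacker who controls the mailbox of an OAuth2-only user
// can therefore set a local password and log in without the provider.
func canResetBefore(u *User) bool {
	return u != nil
}

// canResetAfter applies the fix from the commit: an OAuth2 account with no
// local password is refused; everyone else keeps the normal reset flow.
func canResetAfter(u *User) bool {
	if u == nil {
		return false
	}
	if u.LoginType == LoginOAuth2 && !u.HasLocalPassword() {
		return false
	}
	return true
}

// RequestReset looks the account up by e-mail and applies the given guard.
// It returns the user a reset token would be issued for, or an error.
func RequestReset(users map[string]*User, email string, guard func(*User) bool) (*User, error) {
	u, ok := users[email]
	if !ok || !guard(u) {
		return nil, ErrResetNotAllowed
	}
	return u, nil
}

// SampleUsers builds three constructed accounts covering the relevant cases.
func SampleUsers() map[string]*User {
	list := []*User{
		{Name: "alice", Email: "alice@example.test", LoginType: LoginPlain, PasswordHash: "$argon2id$...alice"},
		{Name: "bob", Email: "bob@example.test", LoginType: LoginOAuth2, PasswordHash: ""},                // OAuth2 only
		{Name: "carol", Email: "carol@example.test", LoginType: LoginOAuth2, PasswordHash: "$argon2id$...carol"}, // OAuth2 but set a password
	}
	m := make(map[string]*User, len(list))
	for _, u := range list {
		m[u.Email] = u
	}
	return m
}

func main() {
	users := SampleUsers()
	for _, email := range []string{"alice@example.test", "bob@example.test", "carol@example.test", "nobody@example.test"} {
		_, errBefore := RequestReset(users, email, canResetBefore)
		_, errAfter := RequestReset(users, email, canResetAfter)
		fmt.Printf("%-22s before: allowed=%-5v after: allowed=%v\n", email, errBefore == nil, errAfter == nil)
	}
}
```

Only `bob`, the account that exists solely through the OAuth2 provider, changes outcome between the two guards; a local account and an OAuth2 account that already has a password hash keep their reset flow, which matches the commit's intent of refusing only where there is no password to reset.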
2fa.go fix: do 2FA on OpenID connect 2025-08-30 09:41:20 +02:00
auth.go fix: email comments are removed from email addresses (#9074) 2025-08-30 13:15:30 +02:00
auth_test.go
linkaccount.go chore: add email blocklist unit test 2025-08-30 09:45:19 +02:00
main_test.go
oauth.go fix: store code challenge correctly in session (#8678) 2025-07-26 05:16:55 +02:00
oauth_test.go
openid.go fix: do 2FA on OpenID connect 2025-08-30 09:41:20 +02:00
password.go Reject password reset attempts for OAuth2 users without a current password (#9060) 2025-09-12 00:08:29 +02:00
webauthn.go fix: do 2FA on OpenID connect 2025-08-30 09:41:20 +02:00