Go to file
Gusted c73ac63696
[SECURITY] Rework long-term authentication
- This is a 'front-port' of the already existing patch on v1.21 and
v1.20, but applied on top of what Gitea has done to rework the LTA
mechanism. Forgejo will stick with the reworked mechanism by the Forgejo
Security team for the time being. The removal of legacy code (AES-GCM) has been
left out.
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry picked from commit e3d6622a63)
(cherry picked from commit fef1a6dac5)
(cherry picked from commit b0c5165145)
(cherry picked from commit 7ad51b9f8d)
(cherry picked from commit 64f053f383)
(cherry picked from commit f5e78e4c20)

Conflicts:
	services/auth/auth_token_test.go
	https://codeberg.org/forgejo/forgejo/pulls/2069
(cherry picked from commit f69fc23d4b)
(cherry picked from commit d955ab3ab0)
(cherry picked from commit 9220088f90)
2024-01-22 13:41:21 +00:00
.devcontainer
.forgejo [CI] Forgejo Actions based CI for PR & branches (squash) install git >= 2.42 2024-01-22 12:42:44 +00:00
.gitea [WORKFLOW] yaml issue templates 2024-01-22 13:41:21 +00:00
assets
build
cmd [CLI] implement forgejo-cli 2024-01-22 12:18:30 +00:00
contrib
custom/conf [FEAT] Use OpenStreetMap in USER_LOCATION_MAP_URL by default 2024-01-22 13:41:20 +00:00
docker
docs
models [SECURITY] Rework long-term authentication 2024-01-22 13:41:21 +00:00
modules [SECURITY] Rework long-term authentication 2024-01-22 13:41:21 +00:00
options Add missing exclusive in advanced label options (#28322) 2024-01-22 07:56:17 +00:00
public [API] Forgejo API /api/forgejo/v1 2024-01-22 13:41:20 +00:00
releases/images [DOCS] RELEASE-NOTES.md 2024-01-22 13:41:20 +00:00
routers [SECURITY] Rework long-term authentication 2024-01-22 13:41:21 +00:00
services [SECURITY] Rework long-term authentication 2024-01-22 13:41:21 +00:00
snap
templates [FEAT] allow setting the update date on issues and comments 2024-01-22 13:41:21 +00:00
tests [SECURITY] Rework long-term authentication 2024-01-22 13:41:21 +00:00
web_src [API] Forgejo API /api/forgejo/v1 2024-01-22 13:41:20 +00:00
.air.toml
.changelog.yml
.deadcode-out [SECURITY] Rework long-term authentication 2024-01-22 13:41:21 +00:00
.dockerignore
.editorconfig
.eslintrc.yaml
.gitattributes [META] Use correct language for .tmpl 2024-01-22 13:41:20 +00:00
.gitignore [DEADCODE] Add deadcode linter 2024-01-22 13:41:21 +00:00
.gitpod.yml
.golangci.yml
.ignore
.markdownlint.yaml
.npmrc
.spectral.yaml
.stylelintrc.yaml
.yamllint.yaml
BSDmakefile
build.go
CHANGELOG.md
CODEOWNERS [META] Add CODEOWNERS files 2024-01-22 13:41:21 +00:00
CONTRIBUTING.md [DOCS] CONTRIBUTING 2024-01-22 13:41:20 +00:00
DCO
Dockerfile [CI] Forgejo Actions based release process 2024-01-22 12:18:31 +00:00
Dockerfile.rootless [CI] Forgejo Actions based release process 2024-01-22 12:18:31 +00:00
go.mod
go.sum
LICENSE [DOCS] LICENSE: add Forgejo Authors 2024-01-22 13:41:20 +00:00
main.go [SEMVER] store SemVer in ForgejoSemVer after a database upgrade 2024-01-22 13:41:20 +00:00
MAINTAINERS
Makefile [CLEANUP] Reuse ForgejoVersion variable 2024-01-22 13:41:21 +00:00
package-lock.json Revert adding htmx until we finaly decide to add it (#28879) 2024-01-21 21:42:35 +08:00
package.json Revert adding htmx until we finaly decide to add it (#28879) 2024-01-21 21:42:35 +08:00
playwright.config.js
poetry.lock
poetry.toml
pyproject.toml
README.md [DOCS] README 2024-01-22 13:41:20 +00:00
RELEASE-NOTES.md [DOCS] RELEASE-NOTES.md 2024-01-22 13:41:20 +00:00
vitest.config.js
webpack.config.js [API] Forgejo API /api/forgejo/v1 2024-01-22 13:41:20 +00:00

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.