mirror of
https://codeberg.org/forgejo/forgejo
synced 2024-05-19 02:32:13 +02:00
51988ef52b
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value with values that are available in
the database. Thus provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.
(cherry-pick from
|
||
---|---|---|
.. | ||
actions | ||
agit | ||
asymkey | ||
attachment | ||
auth | ||
automerge | ||
context | ||
convert | ||
cron | ||
externalaccount | ||
forgejo | ||
forms | ||
gitdiff | ||
issue | ||
lfs | ||
mailer | ||
markup | ||
migrations | ||
mirror | ||
org | ||
packages | ||
pull | ||
release | ||
repository | ||
task | ||
user | ||
webhook | ||
wiki |