Commit graph

4948 commits

Author SHA1 Message Date
hiifong
14a5d177e1
Add User-Agent for gitea's self-implemented lfs client. (#32832)
(cherry picked from commit 82c59d52ea650ce42bbca2c6740d9449d06e77be)
2024-12-15 10:14:21 +01:00
hiifong
4be37a986e
Fix lfs migration (#32812)
Fix: #32803
(cherry picked from commit 0b8a8941a01ed4bf914843c88740ad6203550b85)
2024-12-15 09:47:10 +01:00
Kemal Zebari
b0d6a7f07b
Implement update branch API (#32433)
Resolves #22526.

Builds upon #23061.

---------

Co-authored-by: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 01b1896bf5eacfd7f4f64d9ebb0ad165e3e60a5c)

Conflicts:
	routers/api/v1/api.go
  context conflict + s/PathParam/Params/
	templates/swagger/v1_json.tmpl
  make generate-swagger
2024-12-15 09:24:31 +01:00
Gusted
3e1b03838e
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that was chosen by `x/crypto/ssh` after succesfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense deep to rely on it.
- Existing tests covers that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.
2024-12-12 05:54:07 +01:00
dragon
37a300b105 Add support for indexing arch files 2024-12-09 11:34:50 +08:00
wxiaoguang
b84a59b3cd Use 8 as default value for git lfs concurrency (#32421) 2024-12-06 00:17:57 +01:00
Royce Remer
f6273e2250 Make LFS http_client parallel within a batch. (#32369)
Signed-off-by: Royce Remer <royceremer@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-12-06 00:17:57 +01:00
Otto
ab00d875b8 Merge pull request 'fix: remove softbreak from github legacy callout' (#6152) from gusted/forgejo-callout into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6152
Reviewed-by: Otto <otto@codeberg.org>
2024-12-04 23:11:59 +00:00
Gusted
216a542bfb
fix: remove softbreak from github legacy callout
- A softbreak was being preserved during the github legacy callout (this
is likely due to a change in Goldmark) while it should not. This caused
an `<br>` to be present between the attention title and attention content.
- Added unit test.
2024-12-04 22:08:38 +01:00
Gusted
9bcf9502ef
feat: highlight Gradle Kotlin as Kotlin
- Grade Kotlin is almost the as Kotlin syntax, so render it as such.
- Resolves #6138
- Unit test added.
2024-12-04 22:06:33 +01:00
Earl Warren
56007ff3a2 Merge pull request '[gitea] week 2024-49 cherry pick (gitea/main -> forgejo)' (#6110) from earl-warren/wcp/2024-49 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6110
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-03 15:06:55 +00:00
Rowan Bohde
2e00ae4cdd
Validate OAuth Redirect URIs (#32643)
This fixes a TODO in the code to validate the RedirectURIs when adding
or editing an OAuth application in user settings.

This also includes a refactor of the user settings tests to only create
the DB once per top-level test to avoid reloading fixtures.

(cherry picked from commit 16a7d343d78807e39df124756e5d43a69a2203a3)

Conflicts:
	services/forms/user_form.go
	tests/integration/user_settings_test.go
  simple conflicts
2024-12-03 10:19:22 +01:00
Gusted
45cec645de Merge pull request 'fix: return correct type in GetSubModule' (#6114) from gusted/forgejo-submodule-entry into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6114
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-03 03:24:01 +00:00
Gusted
e7cffc378f
Fix: return correct type in GetSubModule
- `GetSubModules` already solely stores the URL of the submodule and not
a `*SubModule` entry, so don't try to type assert it to be a struct.
- I am not able to pinpoint when this was regressed but if I had to
guess it might be #4941.
- Added integration test.
2024-12-02 01:08:09 +01:00
Gusted
d35bc0e636 Merge pull request 'feat: Add option to disable builtin authentication' (#6112) from squel/forgejo-disable-internal-signin into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6112
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-12-01 19:02:05 +00:00
George Tsiamasiotis
a126477e86 feat: Add option to disable builtin authentication.
Setting ENABLE_INTERNAL_SIGNIN to false will disable the built-in
signin form, should the administrator prefer to limit users to SSO.

Continuation of forgejo/forgejo#6076
2024-12-01 15:50:10 +01:00
FermeLeLundi
1151ff1b26 Update modules/keying/keying.go
Remove trailing whitespace
2024-11-29 15:42:17 +00:00
Fermé le Lundi
75f703326f Merge branch 'forgejo' into forgejo 2024-11-29 15:37:59 +00:00
Mathieu Fenniak
77fafbe578 Add a "summary card" to issues & PRs for consumption by OpenGraph clients (#6053)
## Overview

Hi all, I'm a first-time contributor to Forgejo.  I was looking for something interesting to contribute and the first thing that caught my attention was https://codeberg.org/forgejo/forgejo/issues/6043, a request for an enhancement to include "issue previews" when publishing links to social media platforms.  As a bit of background, the way these platforms work is that they search for meta tags in the posted link's content, and if they find a meta `og:image` (along with other meta tags) they'll pull the image to include in the social media post.  Forgejo currently provides an `og:image` tag but it just renders the repository or repository-owner's avatar.

This PR will render `og:image` for an issue or PR into a link to `{...}/summary-card`, which is a dynamically generated image that contains a summary of the issue.

## Design Notes

### Rendering / Rasterization

The tricky part of solving this problem is rendering an image that combines some text, some images, and some layout elements.  To address this, I've created a `card` module which allows for a handful of operations:
- Create a new rendered image (a "Card")
- Add a margin to a card
- Split the card, horizontally or vertically, into two pieces with a proportional layout (eg. 70%/30%, as desired), each of which are "Cards" that render into the same root image
- Render text into a card, with line-wrapping and text-alignment capabilities
- Render an image onto a card
- Fetches an external image as safely as possible (for server-side fetch of Gravatar, etc.)

The card module can be reused to create `og:image` summary cards for any object in the future, although obviously it's capabilities are limited.  The current implementation is on issues/PRs.

I considered a few alternative approaches before taking this approach, and here's why I rejected those options:
- Provide the summary card as an SVG object which could be rendered much more easily with a template file -- however, support for SVG isn't defined as positive for OpenGraph, and a quick look through some existing implementations suggest that it is not widely supported, if at all
- Rendering as HTML/CSS, or SVG, and then using an external tool to convert into a PNG (or other static) image -- this would be much nicer and easier to implement, but would require tying in some very heavy-weight dependencies
- Rendering using a more sophisticated graphics library, eg. cairo -- also would be nicer and easier to implement, but again a heavy dependency for a small functionality

As a result of the limited capabilities of the new card module, summary cards don't have icons on them (which would require SVG rasterization) or pretty status badges with colors and rounded rects.  In the future if better drawing capabilities were added, the graphics could be improved, but it doesn't seem too important.

### External Avatars

In order to rasterize a user's avatar onto the summary card, it might have to be retrieved by the server from the external source (eg. Gravatar).  A `fetchExternalImage` routine attempts to do this in the safest way possible to protect the server from any possible security exposure from this; (a) verifying that the content-types are acceptable, (b) ensuring that the file-size and image-size are within the safe bounds that are used for custom avatars, (c) using a very-short timeout to avoid stalling the server if an external dependency is offline.

### Caching

Summary cards are cached after rendered.  This has the downside of causing updates to statuses, avatars, titles, etc. being stale on the summary card for the cache TTL.  However, during testing I found that some social media engines like Mastodon will cause the summary card to be accessed a significant number of times after being referenced by a post, causing a mini-tornado of requests.  The cache compensates for this to avoid server load in this situation.

### Scope

I'm considering out-of-scope:
- Summary cards on other objects (eg. repos, users) can be left for future implementation

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- ~~I added test coverage for JavaScript changes...~~ n/a, no JS changes
  - [x] ~~in `web_src/js/*.test.js` if it can be unit tested.~~
  - [x] ~~in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).~~
- Manual testing
  - [x] Access & attach screenshots of both an issue and a pull-request's summary card; see below
  - [x] Ensure reasonable (non-crash) behavior of rendering text with glyphs outside the font -- correctly rendered as replacement unicode chars
  - [x] Using a public test instance, verify that og:image behavior looks good on platforms like Mastodon and BlueSky
    - [x] Bluesky: 
    - [x] Mastodon:    (Note that the summary card will be requested many times as the post is federated; either each server, or each client, will fetch it itself)
    - [x] OpenGraph test site (https://www.opengraph.xyz/): 
    - [x] Discord: Looks OK ; needs "twitter:card" to be set to "summary_large_image" to display the large-scale image, but (a) that's probably annoying to use, (b) probably wrong because it doesn't match Twitter Card's spec for a "photographic image", and (c) don't want to encourage/continue use of vendor-specific tag
  - [x] Verify cases with user avatar missing (or autogen), and repo avatar missing (falls back to repo owner avatar)

Pull request summary card:
![image](/attachments/b64283e3-9a3c-4f19-9d00-961662ffe86b)

Issue summary card:
![image](/attachments/318ce589-02e0-493e-b10c-5b2cb2627db2)

(images to the right are the custom repo avatar, w/ fallback to the repo owner avatar)

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
  - OpenGraph capabilities are expected to work in the background without user awareness, and so there is no need for documentation to explain the capabilities for users.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6053
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2024-11-29 15:02:03 +00:00
FermeLeLundi
9ae95d7bbb Update modules/keying/keying_test.go
Typo
2024-11-28 10:35:55 +00:00
FermeLeLundi
229cb20f68 Update modules/keying/keying.go
Typo
2024-11-28 10:34:08 +00:00
FermeLeLundi
893c2f2d90 Update modules/git/repo_commit.go
Typo
2024-11-28 10:31:28 +00:00
FermeLeLundi
0f64c5a806 Update modules/indexer/code/elasticsearch/elasticsearch.go
Typo
2024-11-28 10:29:18 +00:00
FermeLeLundi
eef6d55877 Update modules/typesniffer/typesniffer.go
Typo
2024-11-28 10:27:33 +00:00
Earl Warren
22d08c62f1 Merge pull request 'feat: migrate TOTP secrets to keying' (#6074) from gusted/forgejo-totp-keying into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6074
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-11-27 18:31:35 +00:00
Gusted
7aeb1ba1d5
fix: normalize guessed languages from enry
- In the case that Enry correctly recognized the language, but returns
the language name in a way that isn't recognized by enry. Although
overkill I've added a map such that new entries should be easier to add.
- Resolves #6077
- Added unit test
2024-11-27 17:57:02 +01:00
Gusted
a8c61532d2
feat: migrate TOTP secrets to keying
- Currently the TOTP secrets are stored using the `secrets` module with
as key the MD5 hash of the Secretkey, the `secrets` module uses general
bad practices. This patch migrates the secrets to use the `keying`
module (#5041) which is easier to use and use better practices to store
secrets in databases.
- Migration test added.
- Remove the Forgejo migration databases, and let the gitea migration
databases also run forgejo migration databases. This is required as the
Forgejo migration is now also touching tables that the forgejo migration
didn't create itself.
2024-11-27 00:34:16 +01:00
Earl Warren
e5417fdede Merge pull request '[gitea] week 2024-48 cherry pick (gitea/main -> forgejo)' (#6062) from earl-warren/wcp/2024-48 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6062
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-26 16:42:38 +00:00
Benedikt Straub
cc8e02edda
Add Low German to list of default languages 2024-11-25 18:36:14 +01:00
Rowan Bohde
eb0645f185
disable gravatar in test (#32529)
When running e2e tests on flaky networks, gravatar can cause a timeout
and test failures. Turn off, and populate avatars on e2e test suite run
to make them reliable.

(cherry picked from commit 9ac74a1a408136455a9e0586fb8e65163048597b)

Conflicts:
	models/fixtures/user.yml
	services/repository/contributors_graph_test.go
  trivial context conflicts
2024-11-24 15:42:36 +00:00
Lunny Xiao
6482429091
Fix submodule parsing
(cherry picked from commit 33850a83fe4ebd23a762a7aac81614c42e303bfa)

This really is just the cherry pick of 407b6e6dfc7ee9ebb8a16c7f1a786e4c24d0516e
which is the first commit of the pull request, the one with the
change. The rest of the changes is a refactor that is unrelated to the
bug fix.

Conflicts:
	modules/git/commit_test.go
  trivial context conflict
2024-11-24 11:00:06 +00:00
Nirmal Kumar R
9057100182 fix: Preview picture not visible on Markdown file (#5781)
Extend API MarkupOptions to contain branch path.

The `api.MarkupOptions{}`  to have `BranchPath` which contains the
current branch. The `RenderMarkup` function utilizes a struct since there
are too many variables passed as arguments and that is not a good sign
for readability.

And `repo-editor.js` will contain a new form data which is `branch-path`
which will then be utilized by `edit.tmpl` as `data-branch-path`.

Closes: #4510

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5781
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Nirmal Kumar R <tildezero@gmail.com>
Co-committed-by: Nirmal Kumar R <tildezero@gmail.com>
2024-11-23 15:00:18 +00:00
Earl Warren
1597dc078d Merge pull request '[gitea] week 2024-47 cherry pick (gitea/main -> forgejo)' (#5997) from earl-warren/wcp/2024-47 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5997
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-21 18:15:34 +00:00
James Hatfield
16d06705b3 feat: add setting to block disposable emails
- Add a new setting `EMAIL_DOMAIN_BLOCK_DISPOSABLE` that will append a list of
  domains that are known for being used by temporary or disposable email
  services.

- Add a utility to automatically download and format the list of domains from
  the disposable-email-domains project on github.

  (https://github.com/disposable-email-domains/disposable-email-domains)
  license: CC0 1.0 Universal (CC0 1.0) [Public Domain]

  from README:
  """
  This repo contains a list of disposable and temporary email address domains often used to register dummy users in order to spam or abuse some services.

  We cannot guarantee all of these can still be considered disposable but we do basic checking so chances are they were disposable at one point in time.
  """
2024-11-20 23:17:37 -06:00
JakobDev
45fa9e5ae9 fix: Allow Organisations to remove the Email Address (#5517)
It is possible to set a Email for a Organization. This Email is optional and only used to be displayed on the profile page. However, once you set an EMail, you can no longer remove it. This PR fixes that.

While working on the tests, I found out, that the API returns a 500 when trying to set an invalid EMail. I fixed that too. It returns a 422 now.

Fixes #4567

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5517
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-committed-by: JakobDev <jakobdev@gmx.de>
2024-11-20 12:31:34 +00:00
JakobDev
f90928507a [FEAT]Allow changing git notes (#4753)
Git has a cool feature called git notes. It allows adding a text to a commit without changing the commit itself. Forgejo already displays git notes. With this PR you can also now change git notes.

<details>
<summary>Screenshots</summary>

![grafik](/attachments/53a9546b-c4db-4b07-92ae-eb15b209b21d)
![grafik](/attachments/1bd96f2c-6178-45d2-93d7-d19c7cbe5898)
![grafik](/attachments/9ea73623-25d1-4628-a43f-f5ecbd431788)
![grafik](/attachments/efea0c9e-43c6-4441-bb7e-948177bf9021)

</details>

## Checklist

The [developer guide](https://forgejo.org/docs/next/developer/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4753): <!--number 4753 --><!--line 0 --><!--description QWxsb3cgY2hhbmdpbmcgZ2l0IG5vdGVz-->Allow changing git notes<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4753
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: JakobDev <jakobdev@gmx.de>
Co-committed-by: JakobDev <jakobdev@gmx.de>
2024-11-18 22:56:17 +00:00
Earl Warren
b9697f5227
fix(test): TestGitAttributeCheckerError must allow broken pipe
Early cancelation can lead to two kinds of error. Either canceled or
broken pipe, depending on when the goroutine stops.

Fixes: forgejo/forgejo#6012
2024-11-18 08:20:10 +01:00
wxiaoguang
45435a8789
Fix and refactor markdown rendering (#32522)
(cherry picked from commit 5eebe1dc5fb29a162c51d050396fce7b14e47f4e)

Conflicts:
	models/repo/repo.go
	models/repo/repo_test.go
	modules/markup/html.go
	modules/markup/html_commit.go
	modules/markup/html_email.go
	modules/markup/html_emoji.go
	modules/markup/html_internal_test.go
	modules/markup/html_issue.go
	modules/markup/html_link.go
	modules/markup/html_node.go
	modules/markup/html_test.go
	modules/markup/markdown/goldmark.go
	modules/markup/markdown/markdown_test.go
	modules/markup/markdown/transform_image.go
	modules/markup/orgmode/orgmode.go
	modules/markup/orgmode/orgmode_test.go
	modules/markup/render.go
	modules/markup/render_links.go
	modules/templates/util_render.go
	modules/templates/util_render_test.go
	routers/common/markup.go
	routers/web/feed/convert.go
	routers/web/repo/wiki.go
  but a few lines survived and are useful
2024-11-17 20:34:28 +01:00
Gusted
da40383cf4 Revert defaulting to EdDSA
- Apparently JWT actually checks when doing a JWT operation if the key type is valid and not on startup, this caused errors unfortunately.
2024-11-17 00:42:31 +00:00
Gusted
e4eb82b738
fix: use better code to group UID and stopwatches
- Instead of having code that relied on the result being sorted (which
wasn't specified in the query and therefore not safe to assume so). Use
a map where it doesn't care if the result that we get from the database
is sorted or not.
- Added unit test.
2024-11-16 15:59:02 +01:00
Gusted
02a2dbef69
feat: default to generating EdDSA for OAuth JWT signing key 2024-11-16 15:03:28 +01:00
Gusted
7067cc7da4
fix: strict matching of allowed content for sanitizer
- _Simply_ add `^$` to regexp that didn't had it yet, this avoids any
content being allowed that simply had the allowed content as a
substring.
- Fix file-preview regex to have `$` instead of `*`.
2024-11-15 10:59:36 +01:00
Gusted
1ce33aa38d
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.
2024-11-15 10:59:36 +01:00
Michael Kriese
969027e3f2
test: add trailing newline to testlogger.go:recordError message 2024-11-14 14:38:47 +01:00
Gusted
b86f6cae03 Merge pull request 'feat: Make AVIF Images work with Forgejo' (#5940) from JakobDev/forgejo:avif into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5940
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-11-14 08:40:53 +00:00
Gusted
bb93d3e6c8
fix: handle renamed dependency for cargo registery
- When a dependency is renamed, specified via `package="actual-name"` in
Cargo.toml, this should become the name of the depedency when the
package is retrieved from the registery by cargo and the old name should
be available in the `package` field.
- The reference implementation also does this: 490e66a9d6/src/controllers/krate/publish.rs (L702-L705)
- Resolves #5936
- Unit test added.
2024-11-13 21:26:49 +01:00
JakobDev
19a27ded86
feat: Make AVIF Images work with Forgejo 2024-11-13 19:09:40 +01:00
Otto
3531710dc6 Merge pull request 'fix: Proper parsing of date for git commits' (#5892) from gusted/forgejo-port-32409 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5892
Reviewed-by: Otto <otto@codeberg.org>
2024-11-11 14:22:32 +00:00
Michael Kriese
c33cbae7cc
test: fix test linting
See forgejo/forgejo#5911
2024-11-11 12:44:36 +01:00
Gusted
a1762a6f9b
fix: Proper paring of date for git commits
- Properly parse the date of the git commit and pass that around.
2024-11-10 22:23:28 +01:00