* WeChat QR Sign Up, Login, and Unbind
* Add QR Refresh Icon
* refactor wechat QR login, and apply Gitea `APIContexter`
* GET /api/wechat/official-account/generate-qr-code?qrExpireSeconds=${qrExpireSeconds}&sceneStr=${sceneStr}
* [Fix] QR Expiration Mask too dark
* [Refactor] Deprecated in-memory cache, ready for Redis
* [Doc] Resolve WeChat QR config conflict in k8s mode
* [Fix] WeChat QR Login by default
* Improvement: use commit SHA to tag artifact
* bugFix: inconsistent collation
* Added Database migration for DevStar Studio 1.0
* Updated Transaction for table `user_wechat_official_account_openid`
* WeChat Official Account binding/updating done
* WeChat Official Account QR login Success
------
Squashed commit of the following:
commit b6108854f87c72832b4ccf65f2b02cfa79818d28
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Tue Jul 30 11:43:27 2024 +0000
Wechat QR scan prototype done: frontend and backend
commit ace0cbbc75c5441c77121463a658115c59292727
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Tue Jul 30 07:53:47 2024 +0000
Updated ICP license for https://*.devstar.cn
commit eab20f110c1f89447ad7bea9dd1f325a99e1f196
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Tue Jul 30 04:14:11 2024 +0000
updated wechat callback and changed sceneStr with higher entropy
commit dd04b3b21b613d470d0ae27edbcead9aa2958861
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Mon Jul 29 14:33:04 2024 +0000
WeChat callback interfaces
commit 320ba2225a420feb58c3668d4afca96fcbfe5c79
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Mon Jul 29 13:16:16 2024 +0000
updated env settings
commit 2ed4e3e307
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Thu Jul 25 11:48:00 2024 +0000
resolved WARN NoEmptyContinuation (grammar mistakes), and removed trivial unit test for hCAPTCHA
commit 690157811b
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Thu Jul 25 10:21:39 2024 +0000
fix: checkout the corresponding branch (master or dev)
commit 046ff63e42
Author: DAI Mingchen <daimingchen@mail.ustc.edu.cn>
Date: Thu Jul 25 10:01:24 2024 +0000
test new CI pipeline workflow in the org repo, with a bunch of ENV vars
commit faf7f51d85
Author: 戴明辰 <daimingchen@mail.ustc.edu.cn>
Date: Thu Jul 25 07:59:31 2024 +0000
!1 DevStar Studio UI prototype + CI pipeline tests passed
* finalize this PoC repo, and migrate to the main repo (as a dev branch)
* bugFix: nullptr dereference @ routers/web/auth/wechat_utils.go
* bugFix: CAPTCHA needs manual reloading
* Updated UI
* Changed logo and favicon
* Made WeChat QR optional (will not cause HTTP 500 Internal Error), and …
* Added Unit Test in CI workflow, and removed redundant tests in dev container
* Compliance with open source licensing requirements
* Fix workflow: only exec 'docker rm' if there are dangling volumes
* Removed Magic values about: Docker registry(URL, username), k8s(nanesp…
* fix mistakes: git checkout branch should be master rather than the sta…
* Updated UI layouts and build scripts
* Updated copyright info and ICP License ID at page footer
* Updated ICP License ID at page footer
* Updated code ownership: web footer, logo and favicon
* Updated Internationalization(i18n): removed languages other than CN an…
This PR only does "renaming":
* `Route` should be `Router` (and chi router is also called "router")
* `Params` should be `PathParam` (to distinguish it from URL query param, and to match `FormString`)
* Use lower case for private functions to avoid exposing or abusing
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).
As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),
> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client or relying on other measures to ensure
> that the repeated request comes from the original client and not an
> impersonator.
With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).
Fixes #25061.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
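The decision that this patch changes, as an added Go example that is not Gitea's implementation: `legacyDecision` reproduces the pre-patch behaviour described above (any matching prior grant skips consent), and `authorizeDecision` adds the public-client rule from RFC 6749 section 10.2. The `oauthClient` and `grant` types, their fields, and the `decision` values are assumptions.

```go
package main

// oauthClient and grant are simplified stand-ins for the server's records
// (hypothetical names and fields, not Gitea's models).
type oauthClient struct {
	ID           string
	Confidential bool // false for native/public clients, which cannot keep a secret
	RedirectURIs []string
}

type grant struct { // a prior approval by the user for this client and scope
	ClientID string
	Scope    string
}

type decision int
const (
	rejectNoRedirect decision = iota // redirect_uri not registered: never bounce the user there
	askUser                          // render the consent page
	autoApprove                      // repeated request from a client whose identity is verified
)

func registeredRedirect(c oauthClient, uri string) bool {
	for _, r := range c.RedirectURIs {
		if r == uri {
			return true
		}
	}
	return false
}

// legacyDecision is the behaviour before the fix: any matching prior grant skips
// consent, whether or not the client could have been impersonated.
func legacyDecision(c oauthClient, redirectURI string, existing *grant, scope string) decision {
	if !registeredRedirect(c, redirectURI) {
		return rejectNoRedirect
	}
	if existing != nil && existing.ClientID == c.ID && existing.Scope == scope {
		return autoApprove
	}
	return askUser
}

// authorizeDecision applies RFC 6749 section 10.2: skip consent only when the client can be
// authenticated. A public client has no secret, so a prior grant proves nothing about the caller.
func authorizeDecision(c oauthClient, redirectURI string, existing *grant, scope string) decision {
	if !c.Confidential {
		existing = nil // forget the remembered approval; the user must click again
	}
	return legacyDecision(c, redirectURI, existing, scope)
}
```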
Follow #30454
And fix #24957
When using "preferred_username", if there is no such field,
`extractUserNameFromOAuth2` (old `getUserName`) shouldn't return an
error. All other USERNAME options do not return such an error.
And fine tune some logic and error messages, make code more stable and
more friendly to end users.
Since `modules/context` has to depend on `models` and many other
packages, it should be moved from `modules/context` to
`services/context` according to design principles. There is no logic
code change on this PR, only move packages.
- Move `code.gitea.io/gitea/modules/context` to
`code.gitea.io/gitea/services/context`
- Move `code.gitea.io/gitea/modules/contexttest` to
`code.gitea.io/gitea/services/contexttest` because of depending on
context
- Move `code.gitea.io/gitea/modules/upload` to
`code.gitea.io/gitea/services/context/upload` because of depending on
context
Follow #29165.
* Introduce JSONTemplate to help to render JSON templates
* Introduce JSEscapeSafe for templates. Now only use `{{ ... |
JSEscape}}` instead of `{{ ... | JSEscape | Safe}}`
* Simplify "UserLocationMapURL" usage
Clarify when "string" should be used (and be escaped), and when
"template.HTML" should be used (no need to escape)
And help PRs like #29059 , to render the error messages correctly.
Fixes #28660
Fixes an admin api bug related to `user.LoginSource`
Fixed `/user/emails` response not identical to GitHub api
This PR unifies the user update methods. The goal is to keep the logic
only at one place (having audit logs in mind). For example, do the
password checks only in one method not everywhere a password is updated.
After that PR is merged, the user creation should be next.
Nowadays, cache is used almost everywhere in Gitea and it cannot
be disabled, otherwise some features become unavailable.
Then I think we can just remove the option for cache enable. That means
cache cannot be disabled.
But of course, we can still use the cache configuration to set how
Gitea should use the cache.
The steps to reproduce it.
First, create a new oauth2 source.
Then, a user login with this oauth2 source.
Disable the oauth2 source.
Visit users -> settings -> security, a 500 will be displayed.
This is because this page only loads active OAuth2 sources but not all
OAuth2 sources.
Closes #27455
> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
>
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.
The PR removes the now obsolete setting `COOKIE_USERNAME`.
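A long-term login token built the way the linked Paragonie article describes (a public selector plus a hashed secret validator), as an added Go example that is not Gitea's code: the cookie no longer derives from the password hash and rands, so a database dump yields only validator hashes that cannot be turned back into a cookie. The `rememberStore` and `record` names, the token sizes and the in-memory map standing in for a database table are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)
// record is the database row for one token: the validator itself is never stored, only its SHA-256.
type record struct {
	userID        int64
	validatorHash [32]byte
	expires       time.Time
}

// rememberStore stands in for the token table, keyed by the public selector.
type rememberStore struct{ rows map[string]record }

func randomToken(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not something to continue past
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Issue returns the cookie value "selector:validator" for a fresh token.
func (s *rememberStore) Issue(userID int64, ttl time.Duration) string {
	selector, validator := randomToken(12), randomToken(32)
	s.rows[selector] = record{userID, sha256.Sum256([]byte(validator)), time.Now().Add(ttl)}
	return selector + ":" + validator
}

// Verify maps a cookie value back to a user ID: plain lookup by selector, constant-time compare of the validator hash.
func (s *rememberStore) Verify(cookie string) (int64, error) {
	selector, validator, _ := strings.Cut(cookie, ":") // no ':' just fails the lookup
	rec, found := s.rows[selector]
	if !found || time.Now().After(rec.expires) {
		return 0, errors.New("unknown or expired remember-me token")
	}
	got := sha256.Sum256([]byte(validator))
	if subtle.ConstantTimeCompare(got[:], rec.validatorHash[:]) != 1 {
		delete(s.rows, selector) // wrong secret for a known selector: assume theft, burn the row
		return 0, errors.New("invalid remember-me token")
	}
	return rec.userID, nil
}
```

Revoking every row for a user on password change keeps the property the quoted report asks for: a leaked dump stops being useful as soon as tokens expire or are rotated.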
This PR removed the second parameter `TestOptions.GiteaRoot` of
`unittest.MainTest`. Now it detects the root directory by the current
working directory.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Part of #27065
This reduces the usage of `db.DefaultContext`. I think I've got enough
files for the first PR. When this is merged, I will continue working on
this.
Considering how many files this PR affects, I hope it won't take too long
to merge, so I don't end up in merge conflict hell.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>