* Do not display the raw OpenID error in the UI
If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.
Fix#4973
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update auth_openid.go
Place error log within the `err != nil` branch.
* add migration and basic UI for changing a user's theme
* update user themem
* use right text on button
* load theme based on users' selection
* load theme based on users' selection in pwa too
* update sample config
* delete older theme loading
* implement AfterLoad to set users' theme properly
* set up default theme when creating a user. This uses the installation wide theme
* use flash messages for error
* set default theme when creating a user from the cli
* fix @lunny review
* Show either sign up OR sign in
* disambiguate fresh start from adding recovery options
* use tabs to switch between account link flows
* add active to tab body as well
* changes as per discussion
* handle specific error; fix missing err typo
* Added basic heatmap data
* Added extra case for sqlite
* Built basic heatmap into user profile
* Get contribution data from api & styling
* Fixed lint & added extra group by statements for all database types
* generated swagger spec
* generated swagger spec
* generated swagger spec
* fixed swagger spec
* fmt
* Added tests
* Added setting to enable/disable user heatmap
* Added locale for loading text
* Removed UseTiDB
* Updated librejs & moment.js
* Fixed import order
* Fixed heatmap in postgresql
* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md
Co-Authored-By: kolaente <konrad@kola-entertainments.de>
* Added copyright header
* Fixed a bug to show the heatmap for the actual user instead of the currently logged in
* Added integration test for heatmaps
* Added a heatmap on the dashboard
* Fixed timestamp parsing
* Hide heatmap on mobile
* optimized postgresql group by query
* Improved sqlite group by statement
* redirect to login page after successfully activating account
* force users to change password if account was created by an admin
* force users to change password if account was created by an admin
* fixed build
* fixed build
* fix pending issues with translation and wrong routes
* make sure path check is safe
* remove unneccessary newline
* make sure users that don't have to view the form get redirected
* move route to use /settings prefix so as to make sure unauthenticated users can't view the page
* update as per @lafriks review
* add necessary comment
* remove unrelated changes
* support redirecting to location the user actually want to go to before being forced to change his/her password
* run make fmt
* added tests
* improve assertions
* add assertion
* fix copyright year
Signed-off-by: Lanre Adelowo <yo@lanre.wtf>
* Fix open redirect vulnerability on login screen
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Reorder imports
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Replace www. from Domain too
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add LDAP Key Synchronization feature
Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>
* Add migration: add login source id column for public_key table
* Only update keys if needed
* Add function to only list pubkey synchronized from ldap
* Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it.
* Only get keys belonging to current login source id
* Set default login source id to 0
* Some minor cleanup. Add integration tests (updete dep testify)
* Add support for U2F
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add vendor library
Add missing translations
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Minor improvements
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add U2F support for Firefox, Chrome (Android) by introducing a custom JS library
Add U2F error handling
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add U2F login page to OAuth
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Move U2F user settings to a separate file
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add unit tests for u2f model
Renamed u2f table name
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Fix problems caused by refactoring
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add U2F documentation
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Remove not needed console.log-s
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* Add default values to app.ini.sample
Add FIDO U2F to comparison
Signed-off-by: Jonas Franz <info@jonasfranz.software>
* refactor setting router code
splitted up one huge router settings file into the smaller files
representing the actual page structure
* move code to subfolder
* rename functions
* renamed files
* add copyright information
* moved avatar to profile page
* combined password change, email and account deletion into account settings page
* combined totp, access tokens, linked accounts and openid into security settings page
* move access tokens to applications settings page
* small change to restart drone build
* fix change avatar url on profile page
* redirect old settings urls to new ones
* enforce only one autofocus attribute on settings pages
* set correct redirect status code
* fmt fix
* Added user language setting
* Added translation string for setting
* Fixed import order + typo
* improved checking if the user has a language saved in the db
* The current saved language is now set a default inside the dropdown
* fmt
* When a user signs in and doesn't have a language saved, the current browser language is saved
* updated gitea-sdk
* Merge branch 'master' of https://github.com/go-gitea/gitea into save-user-language
# Conflicts:
# models/migrations/migrations.go
# models/migrations/v62.go
* Made tests work again
* trigger CI
* trigger CI
* fmt
* re-trigger that FUCKING CI SO IT REALLY PICKS UP THE LATEST COMMIT ISTEAD OF PREDENDING TO DO SO
* re-trigger that FUCKING CI SO IT REALLY PICKS UP THE LATEST COMMIT ISTEAD OF PREDENDING TO DO SO
* When loggin in, only the language col gets updated instead of everything
* Extended LANDINGPAGE config variable to logged in users and added switch for 'organizations' in addition to 'home' and 'explore'.
* Updated comments.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Extended LANDINGPAGE config variable to trigger when user logs in and added switch for 'organizations' in addition to 'home' and 'explore'.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Extended LANDINGPAGE config variable to logged in users and added switch for 'organizations' in addition to 'home' and 'explore'.
* Updated comments.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Extended LANDINGPAGE config variable to trigger when user logs in and added switch for 'organizations' in addition to 'home' and 'explore'.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Removed superfluous conditional and correct whitespace.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Update app.ini
Reverted new line.
* Formatting.
Signed-off-by: Mike Schaffer <mschaff@gmail.com>
* Add repo type option to /api/repo/search
* Add tests and fix result of collaborative filter in specific condition
* Fix/optimize search & tests
* Improve integration tests
* Fix lint errors
* Fix unit tests
* Change and improve internal implementation of repo search
* Use NonexistentID
* Make search api more general
* Change mirror and fork search behaviour
* Fix tests & typo in comment
* Implementation of all repositories of a user from user->settings
* Update message when no repository found
* Update according to comments
* Change UI to have a better look
* improved user repositories UI
* Display all organization from user settings
* fix Tab selection
* Update locale_en-US.ini
* Add a condition for display Create organization button
* Remove french translation
* Remove unnecessary admin flag
* Forgot password should use ResetPwdCodeLives, not ActiveCodeLives
* Improve documentation for different send mail functions related to password reset
* Improve documentation in conf/app.ini regarding xxx_CODE_LIVE_MINUTES settings
* add google+
* sort signin oauth2 providers based on the name so order is always the same
* update auth tip for google+
* add gitlab provider
* add bitbucket provider (and some go fmt)
* add twitter provider
* add facebook provider
* add dropbox provider
* add openid connect provider incl. new format of tips section in "Add New Source"
* lower the amount of disk storage for each session to prevent issues while building cross platform (and disk overflow)
* imports according to goimport and code style
* make it possible to set custom urls to gitlab and github provider (only these could have a different host)
* split up oauth2 into multiple files
* small typo in comment
* fix indention
* fix indentation
* fix new line before external import
* fix layout of signin part
* update "broken" dependency
* Allow ENABLE_OPENID_SIGNUP to depend on DISABLE_REGISTRATION
Omit the configuration variable (the default) to be dependent.
Fixes#1363
* Move OpenID settings under Service object
* Show OpenID SignUp and SignIn status in admin panel / configuration
Also renames `forgot_password` translation key to
`forgot_password_title` and `forget_password` to
`forgot_password`
Includes entry in CHANGELOG about the breaking change
(and some markdown fixes in there)
It's helpful when you forgot your password thus cannot change it
(can happen if you log in via OAuth2 or OpenID)
Also make sure that both the delete-account and password-change
links to forgot-password will have the primary email pre-filled
* fixes#1050 where linking an account to a 2fa enabled account failed because we forgot to really link the account when 2fa is completed
* handle errors
* initial stuff for oauth2 login, fails on:
* login button on the signIn page to start the OAuth2 flow and a callback for each provider
Only GitHub is implemented for now
* show login button only when the OAuth2 consumer is configured (and activated)
* create macaron group for oauth2 urls
* prevent net/http in modules (other then oauth2)
* use a new data sessions oauth2 folder for storing the oauth2 session data
* add missing 2FA when this is enabled on the user
* add password option for OAuth2 user , for use with git over http and login to the GUI
* add tip for registering a GitHub OAuth application
* at startup of Gitea register all configured providers and also on adding/deleting of new providers
* custom handling of errors in oauth2 request init + show better tip
* add ExternalLoginUser model and migration script to add it to database
* link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed
* remove the linked external account from the user his settings
* if user is unknown we allow him to register a new account or link it to some existing account
* sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers)
* from gorilla/sessions docs:
"Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!"
(we're using gorilla/sessions for storing oauth2 sessions)
* use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
