rework long-term authentication #27455
Conversation
- The current architecture is inherently insecure, because you can construct the 'secret' cookie value with values that are available in the database. Thus provides zero protection when a database is dumped/leaked. - This patch implements a new architecture that's inspired from: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies). - Integration testing is added to ensure the new mechanism works. - Removes a setting, because it's not used anymore. Refs: https://codeberg.org/forgejo/forgejo/pulls/1562
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/L
models/auth/auth_token.go
Outdated
| // Copyright 2023 The Gitea Authors. All rights reserved. | ||
| // Copyright 2023 The Forgejo Authors. All rights reserved. |
There was a problem hiding this comment.
| // Copyright 2023 The Gitea Authors. All rights reserved. | |
| // Copyright 2023 The Forgejo Authors. All rights reserved. | |
| // Copyright 2023 The Gitea Authors. All rights reserved. |
There was a problem hiding this comment.
Is it a requirement to remove copyright notices to contribute code to Gitea?
There was a problem hiding this comment.
That would require permission from the author(s) of the code.
There was a problem hiding this comment.
This has been explained many times already to you, and you have been warned as well in the last pull request to follow contribution guidelines. If you'd like to adhere to the contribution guidelines we'd be happy to have any contribution, however as you've shown to willfully disregard them action may need to be taken.
There was a problem hiding this comment.
where, in the contributions guidelines, can I find the requirement to remove an existing copyright notice from a MIT licensed code?
There was a problem hiding this comment.
We're not asking you to remove copyright, but instead asking for copyright assignment. If each of our contributors added to the headers of the file they touched then some files could have over 1000 listings, this is clearly untenable. We don't remove copyright, for example there is places where we used code from go and kept their headers because we took that code and adhered to the license, but as you are contributing the code that's where the difference is. If you don't have the rights to do so under DCO and contribution document then that prevents us from accepting code. This is following guidance from the Linux Foundation to ensure a codebase free of any conflict.
There was a problem hiding this comment.
I was not aware Gitea required a copyright assignment. Could you please let me know where this is explained in the contributions guidelines?
There was a problem hiding this comment.
For the past 7 years, Gitea has required the same policy on copyright headers; you've been told this in other PRs, and have modified your PRs to be accepted. Not adhering to it once or twice can be forgiven as an accident, however, continuing to do so, including after being warned, has to be treated as you not acting in good faith, especially in this PR for a security-related PR knowing it can't be merged as-is.
Thankfully we've been working on a PR for this as well, and we were going to send it over privately once ready, so we are able to resolve this issue via a different PR without code that is tainted by copyright issues.
As I've said before, we welcome all contributions as long as they adhere to the project standards, if you/Forgejo are refusing to do so that's unfortunate.
There was a problem hiding this comment.
I was not aware Gitea required a copyright assignment. Could you please let me know where this is explained in the contributions guidelines?
It has been documented 7 years ago: a90b252?short_path=eca12c0#diff-eca12c0a30e25b4b46522ebf89465a03ba72a03f540796c979137931d8f92055
And it has been updated to use SPDX format: https://github.com/go-gitea/gitea/blame/16a766cba10dcaf53cc413cee62a952031bef5bc/CONTRIBUTING.md#L430
|
I just would like to mention what I ever saw:
|
pull-request-size
bot
added
size/XL
GiteaBot
added
lgtm/blocked
|
The request that I remove the Forgejo copyright header is:
I have always consistently respected the Gitea guidelines in all my pull requests. @techknowlogick in your capacity as TOC member and Gitea Ltd. shareholder (sole owner of the domain and the trademark) you inform me that this is a hard requirement for the first time. You have authority to do so and I do not dispute this. However, please understand this is news to me and do not claim that I acted in bad faith or that I could have been informed of this requirement in the past. I will keep this PR open because I believe it is beneficial to Gitea users and will improve the security of the service they are running. Should you reconsider your position and agree that the copyright headers are kept as they are (just as many others which are already in the Gitea codebase) I will happily update the PR and resolve any conflicts. |
Please be realistic, and do not try to catch every chance to create friction. The contributing guideline has had this since 7 years ago: a90b252?short_path=eca12c0#diff-eca12c0a30e25b4b46522ebf89465a03ba72a03f540796c979137931d8f92055
And it has been updated to use SPDX format: https://github.com/go-gitea/gitea/blame/16a766cba10dcaf53cc413cee62a952031bef5bc/CONTRIBUTING.md#L430
This is an open-source community, please do not try to attack Gitea by your "company" speech.
This is not the first time. I also consider that's your bad action. Have you forgotten your PR " add Upload URL to release API #26663 " ? Some soft-fork people have created too many lies to Gitea and Gitea's contributors and really harmed Gitea. And quote from earl-warrn's discussion:
The definition of "lie": "an intentionally false statement" or "a statement made by somebody knowing that it is not true" (from dictionary, anyone who is interested could look it up in dictionaries) Let's see what happens in an old PR:
not the first time
it shows the correct reference.
it has a clear example, and that's how modern / civilized / great projects do.
this example is even clear: do not include other header, all orgs use the same standard.
everything has been explained and you have been warned kindly. If a person doesn't have difficulty in reading English, I think these comments are clear enough, that's not like some of you said: Selectively ignoring the the comments and keeping acting behaviors against it but saying "not be informed", it matches the definition of "lie": "an intentionally false statement". |
|
Temporarily locked the thread to prevent escalation. |
…ber-me Conflicts: models/migrations/migrations.go
with permission from the author of the commits, the Forgejo copyright headers are removed. This is done under protest and for the sake of the Gitea users who would otherwise be deprived of an important security fix.
Closes #27455 > The mechanism responsible for long-term authentication (the 'remember me' cookie) uses a weak construction technique. It will hash the user's hashed password and the rands value; it will then call the secure cookie code, which will encrypt the user's name with the computed hash. If one were able to dump the database, they could extract those two values to rebuild that cookie and impersonate a user. That vulnerability exists from the date the dump was obtained until a user changed their password. > > To fix this security issue, the cookie could be created and verified using a different technique such as the one explained at https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies. The PR removes the now obsolete setting `COOKIE_USERNAME`.
Refs: https://codeberg.org/forgejo/forgejo/pulls/1562